ISO 31000 Risk management, Uncategorized
ISO 31000 Risk management
Courtesy: ISO 31000 Risk management
One of the key paradigm shifts proposed in ISO 31000 is a controversial change in how risk is conceptualised and defined. Under both ISO 31000:2009 and ISO Guide 73, the definition of “risk” is no longer “chance or probability of loss”, but “effect of uncertainty on objectives” … thus causing the word “risk” to refer to positive consequences of uncertainty, as well as negative ones. In order that ISO 31000 completes this controversial change, the historical origin and meaning of the word risk would cease to exist. It follows that it would be better for ISO to invent a new term such as Risk, Opportunity Management to describe their definition than to place incorrect meaning on an historical definition that relates to the origins of a word.
A similar definition was adopted in ISO 9001:2015 (Quality Management System Standard), in which risk is defined as, “effect of uncertainty.” Additionally, a new risk related requirement, “risk-based thinking” was introduced there.
Likewise, a broad new definition for stakeholder was established in ISO 31000, “Person or persons that can affect, be affected by, or perceive themselves to be affected by a decision or activity.” It is the verbatim definition given for the term “interested party” as defined in ISO 9001:2015
ISO 31000:2009 has been developed on the basis of an existing standard on risk management, AS/NZS 4360:2004 (In the form of AS/NZS ISO 31000:2009). Whereas the initial Standards Australia approach provided a process by which risk management could be undertaken, ISO 31000:2009 addresses the entire management system that supports the design, implementation, maintenance and improvement of risk management processes.
Implementation
The intent of ISO 31000 is to be applied within existing management systems to formalize and improve risk management processes as opposed to wholesale substitution of legacy management practices. Subsequently, when implementing ISO 31000, attention is to be given to integrating existing risk management processes in the new paradigm addressed in the standard.
The focus of many ISO 31000 ‘harmonization’ programmes have centered on:
- Transferring accountability gaps in enterprise risk management
- Aligning objectives of the governance frameworks with ISO 31000
- Embedding management system reporting mechanisms
- Creating uniform risk criteria and evaluation metrics
- While adopting any new standard may have re-engineering implications to existing management practices, no requirement to conform is set out in this standard. A detailed framework is described to ensure that an organization will have “the foundations and arrangements” required to embed needed organizational capabilities in order to maintain successful risk management practices. Foundations include risk management policy, objectives and mandate and commitment by top management. Arrangements include plans, relationships, accountabilites, resources, processes and activities.
