ISO 31000
Encyclopedia
ISO 31000 is intended to be a family of standards relating to risk management
codified by the International Organization for Standardization
. The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management. ISO 31000 seeks to provide a universally recognised paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies and paradigms that differed between industries, subject matters and regions.
Currently, the ISO 31000 family is expected to include:
standard that accommodates multiple ‘silo-centric’ management systems.
The scope of this approach to risk management is to enable all strategic, management and operational tasks of an organization throughout projects, functions, and processes to be aligned to a common set of risk management objectives.
Accordingly, ISO 31000:2009 is intended for a broad stakeholder group including:
approach provided a process by which risk management could be undertaken, ISO 31000:2009 addresses the entire management system
that supports the design, implementation, maintenance and improvement of risk management processes.
The focus of many ISO 31000 'Harmonisation' programmes have centred on:
organisation will need to be cognisant of the implication for adopting the standard and be able to develop effective strategies for implementing the standard across supply chains and commercial operations.
Certain aspects of top management accountability, strategic policy implementation and effective governance frameworks, will require more consideration by organisations that have previously used now redundant risk management methodologies.
In some domains that concern risk management, particular security and corporate social responsibility, which may operate using relatively unsophisticated risk management processes, more material change will be required, particularly regarding a clearly articulated risk management policy, formalising risk ownership processes, structuring framework processes and adopting continuous improvement programmes.
Risk management
Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities...
codified by the International Organization for Standardization
International Organization for Standardization
The International Organization for Standardization , widely known as ISO, is an international standard-setting body composed of representatives from various national standards organizations. Founded on February 23, 1947, the organization promulgates worldwide proprietary, industrial and commercial...
. The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management. ISO 31000 seeks to provide a universally recognised paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies and paradigms that differed between industries, subject matters and regions.
Currently, the ISO 31000 family is expected to include:
- ISO 31000:2009 _ Principles and Guidelines on Implementation
- ISO/IEC 31010:2009 - Risk Management - Risk Assessment Techniques
- ISO Guide 73:2009 - Risk Management - Vocabulary
Introduction
ISO 31000 was published as a standard on the 13th of November 2009, and provides a standard on the implementation of risk management. A revised and harmonised ISO/IEC Guide 73 was published at the same time. The purpose of ISO 31000:2009 is to be applicable and adaptable for "any public, private or community enterprise, association, group or individual." Accordingly, the general scope of ISO 31000 - as a family of risk management standards - is not developed for a particular industry group, management system or subject matter field in mind, rather to provide best practice structure and guidance to all operations concerned with risk management.Scope
ISO 31000:2009 provides generic guidelines for the design, implementation and maintenance of risk management processes throughout an organization. This approach to formalizing risk management practices will facilitate broader adoption by companies who require an enterprise risk managementEnterprise Risk Management
Enterprise risk management in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives...
standard that accommodates multiple ‘silo-centric’ management systems.
The scope of this approach to risk management is to enable all strategic, management and operational tasks of an organization throughout projects, functions, and processes to be aligned to a common set of risk management objectives.
Accordingly, ISO 31000:2009 is intended for a broad stakeholder group including:
- executive level stakeholders
- appointment holders in the enterprise risk management group
- risk analysts and management officers
- line managers and project managers
- compliance and internal auditors
- independent practitioners.
Risk Conceptualisation
One of the key paradigm shifts in ISO 31000 is how risk is conceptualised, under the ISO 31000:2009 and a consequential major revision of the terminology in ISO Guide 73, risk with respect to the "effect of uncertainty on objectives".ISO 31000 Framework approach
ISO 31000:2009 has been received as a replacement to the existing standard on risk management, AS/NZS 4360:2004 (In the form of AS/NZS ISO 31000:2009). Whereas the Standards AustraliaStandards Australia
Standards Australia was established in 1922 and is recognised through a Memorandum of Understanding with the Australian government as the peak non-government standards development body in Australia. It is a company limited by guarantee, with 72 members representing groups interested in the...
approach provided a process by which risk management could be undertaken, ISO 31000:2009 addresses the entire management system
Management system
A management system is the framework of processes and procedures used to ensure that an organization can fulfill all tasks required to achieve its objectives....
that supports the design, implementation, maintenance and improvement of risk management processes.
Implementation
The intent of ISO 31000 is to be applied within existing management systems to formalise and improve risk management processes as opposed to wholesale substitution of legacy management practices. Subsequently, when implementing ISO 31000, attention is to be given to integrating existing risk management processes in the new paradigm addressed in the standard.The focus of many ISO 31000 'Harmonisation' programmes have centred on:
- Transferring accountability gaps in enterprise risk management
- Aligning objectives of the governance frameworks with ISO 31000
- Embedding management system reporting mechanisms
- Creating uniform risk criteria and evaluation metrics
Implications
Most implications for adopting the new standard concern the re-engineering of existing management practices to conform with the documentation, communication and socialisation of the new risk management operating paradigm; as opposed to wholesale re-orientation of management practice throughout an organisation. Accordingly, most senior position holders in an enterprise risk managementEnterprise Risk Management
Enterprise risk management in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives...
organisation will need to be cognisant of the implication for adopting the standard and be able to develop effective strategies for implementing the standard across supply chains and commercial operations.
Certain aspects of top management accountability, strategic policy implementation and effective governance frameworks, will require more consideration by organisations that have previously used now redundant risk management methodologies.
In some domains that concern risk management, particular security and corporate social responsibility, which may operate using relatively unsophisticated risk management processes, more material change will be required, particularly regarding a clearly articulated risk management policy, formalising risk ownership processes, structuring framework processes and adopting continuous improvement programmes.
See also
- Enterprise Risk ManagementEnterprise Risk ManagementEnterprise risk management in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives...
- International Organization for StandardizationInternational Organization for StandardizationThe International Organization for Standardization , widely known as ISO, is an international standard-setting body composed of representatives from various national standards organizations. Founded on February 23, 1947, the organization promulgates worldwide proprietary, industrial and commercial...
- ISO 9000:2000
- ISO 14001
- ISO/PAS 28000 - Specification for security management systems for the supply chainISO/PAS 28000 - Specification for security management systems for the supply chainISO 28000:2007 - Specification for security management systems for the supply chain is the International Organization for Standardization standard on requirements of a security management system particularly dealing with security assurance in the supply chain....
- PDCAPDCAPDCA is an iterative four-step management method used in business for the control and continuous improvement of processes and products...
- RiskRiskRisk is the potential that a chosen action or activity will lead to a loss . The notion implies that a choice having an influence on the outcome exists . Potential losses themselves may also be called "risks"...
- RiskAoARiskAoARiskAoA is a United States Department of Defense project Risk Management tool, allowing the instantaneous review of portfolio , proposal or alternatives Risk. It was designed by Air Force Research Laboratory Headquarters to perform predictive risk analysis for the Analysis of Alternatives ...
- Risk ManagementRisk managementRisk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities...
- Risk management toolsRisk management toolsRisk Management is a non-intuitive field of study, where the most simple of models consist of a probability multiplied by an impact. Even understanding individual risks is difficult as multiple probabilities can contribute to Risk total probability, and impacts can be "units" of cost, time, events...
- Security riskSecurity riskSecurity Risk describes employing the concept of risk to the security risk management paradigm to make a particular determination of security orientated events.According to CNSS Instruction No...