What is ISO 31000?
ISO 31000 is an international standard developed to help organizations of any size and type manage risk effectively. Touted as a practical document to help organizations develop their own approach to risk, ISO 31000 provides the principles, framework and generic process for managing any type of risk in a transparent and systematic manner. ISO 31000 can be applied "to any public, private or community enterprise, association, group or individual."
Risks affecting organizations can have consequences in terms of economic performance and professional reputation, as well as environmental, safety and societal outcomes. Therefore, managing risk effectively helps organizations to perform well in an environment full of uncertainty.
ISO 31000:2009, Risk management - Principles and guidelines, provides principles, framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector.
Using ISO 31000 can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats and effectively allocate and use resources for risk treatment.
How does ISO 31000 define risk?
Although risk often is defined in terms of negative impact or hazard, ISO 31000 views risk as exposure to the consequences of uncertainty -- positive or negative. Risk management is about identifying the variations from what is planned or desired, and managing those risks to maximize opportunities, minimize losses, and improve decisions and outcomes.
How does ISO 31000 relate to specific risks?
ISO 31000 should not be seen as a replacement for established international standards that are used successfully to manage specific risks in such sectors as machinery safety, transportation, energy, IT and the environment. Rather, it should be viewed as a top-level document that supports those existing standards.
Can my business become ISO 31000-certified?
ISO 31000 is not a standard against which organizations can seek to be certified. By implementing ISO 31000, organizations can compare their risk management practices with an internationally recognized benchmark that provides sound principles for effective management. The companion ISO Guide 73 ensures that everybody is using the same terms and definitions when talking about risk.
For risk management to be effective, an organization should at all levels comply with the principles below, under which risk management:
- Creates and protects value;
- Is an integral part of all organizational processes;
- Is part of decision making;
- Explicitly addresses uncertainty;
- Is systematic, structured and timely;
- Is based on the best available information and is tailored;
- Facilitates continual improvement of the organization.
ISO 31000:2009 can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.
ISO 31000:2009 can be applied to any type of risk, whatever its nature, whether having positive or negative consequences. Although ISO 31000:2009 provides generic guidelines, it is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed.