Every organization that is determined to get serious about risk management should know about ISO 31000. This set of risk management guidelines from the International Standards Organization sets out a smart, easy-to-implement framework that organizations of all types can use to help them in anticipating and mitigating the risks confronting them in today’s volatile world.
Getting Serious About Risk Management
In the past, only the largest companies concerned themselves with enterprise risk management.
These days, organizations of all sizes are recognizing the need to implement a formal risk management program. Some are arriving at this point on their own, others are being asked to set up risk management programs by their clients.
The decision to get serious about risk management is a no-brainer. The threat landscape today is uniquely challenging, with threat piling on threat in a way we have rarely seen.
I only have to mention the pandemic, the supply chain crunch, the worker shortage, inflation, and the Ukraine situation (a client of ours just lost a critical software development supplier located there) for you to know exactly what I’m talking about.
In this environment, it’s no surprise that more and more companies are setting up risk management programs.
The Inadequacy of a Check-the-Box Approach
That’s the good news. The bad news is, many organizations that have implemented risk management have done so in a check-the-box manner.
At one company I know of, the risk management effort is limited to someone sending around a questionnaire asking the departments what their top threats and mitigations are, then putting the responses in a drawer.
Such a program is more noteworthy for what it lacks than what it has.
What programs like this lack is an oversight group, wide-ranging discussion, synthesis of the questionnaire results, numerical scoring of risks, identification of the organization’s five or six top risks, formal adoption of strategies to mitigate those risks (risk acceptance, risk avoidance, risk transference, etc.), production of an enterprise risk report, and follow-up.
Meet the ISO 31000 Risk Management Guidelines
Regular readers of the blog will know I am not a big fan of the ISO’s business continuity standard, ISO 22301. I think it is too vague to be very useful, in contrast with other BC standards such as NFPA 1600. (ISO recently created a supplemental BC standard, ISO 22332.)
However, the ISO’s risk management guidelines—ISO 31000—are excellent. They set forth a sound, easy-to-implement framework that organizations of all types and sizes can leverage to help them anticipate and mitigate risk.
To go to the source for ISO 31000, see the ISO’s own page for the guidelines. To see why I think ISO 31000 is so good, read on.
7 Key Components of the ISO’s Guidelines
Below are seven of the key components of ISO 31000—and seven aspects of the guidelines that, in my view, are especially valuable. (BCM professionals will see a lot of overlap between sound risk management concepts and the best BCM practices.)
- Integration. The guidelines stress the importance of integrating the risk management program across all of the critical services and activities.
- Structure and comprehensiveness. The guidelines recommend that the organization’s risk management program be structured and comprehensive. The program should be centrally coordinated and managed. Complexity can vary with size, but every organization should follow the same approach across all its units in order to get consistent, comparable results.
- Customization. The guidelines allow for and encourage customization. Every organization is different in the amount and distribution of its assets. ISO 31000 directs every organization to tailor its risk management program to its unique profile and needs.
- Inclusiveness. The guidelines recommend an inclusive approach to company conversations about threats and mitigation strategies. Many companies prefer that only senior-level people receive information about organizational vulnerabilities. ISO 31000 recommends that threat and mitigation discussions be inclusive. The guidelines recognize that effective risk identification and mitigation require input from people at all levels. Usually, it is the people in the trenches who are the most knowledgeable about past events and current threats.
- Dynamism. One of ISO 31000’s smartest elements is its recognition of the need for a risk management program to be dynamic to keep up with a fast-changing world. Check-the-box risk management sees only the same tired old risks each time out. Dynamic risk management is highly attuned to the threats of the present and future.
- Information. The guidelines stress the importance of having quality intelligence about the threat environment. It’s critical to know what’s going to happen today and also what’s likely to happen six months or a year from now.
- People and culture. Lastly, ISO 31000 recognizes the importance of human and cultural factors in risk management. Each company’s unique culture should be considered in setting up its risk management program. Rather than forcing the company to adapt to the program (which it won’t do), the program should be adapted to the culture of the company in regard to risk appetite, risk tolerance, and similar factors.
Collectively, these seven concepts show great insight into what it takes for an organization to practice risk management effectively. They’re a key component of what makes ISO 31000 valuable to any company that is determined to get better at identifying and mitigating the threats in its environment.
Doing Risk Management the Right Way
In the past, formal risk management programs existed only at large organizations. Now companies of all sizes are recognizing the importance of assessing and mitigating the risks they face—a fortunate development considering the unique challenges of the current environment.
Organizations that are committed to doing risk management right should get to know ISO 31000, the standards organization’s risk management guidelines. These guidelines have a sound conceptual basis and feature an easy-to-implement framework suitable for organizations of all sizes and types.
For more information on enterprise risk management and other hot topics in BCM and IT/disaster recovery, check out these recent posts from BCMMETRICS and MHA Consulting:
- The Risk Management Process: Manage Uncertainty, Then Repeat
- Don’t Just Hope: Choosing Strategies to Mitigate Risk
- Driving Blind: The Problem with Skipping the Threat and Risk Assessment
- Standard Time: The Best Time to Choose a Business Continuity Standard Is Right Now
- A Sample Threat and Risk Assessment: The Case of Acme Widget Corp.
- Every Single Day: Make Risk Management Part of Your Company’s Culture