
ISO 31000 Crash Course: An Introduction to Risk Management


Much of modern economics is based on risk; the stock market, credit cards, insurance, loans, and so on. You’d think by now we would have all of our risks assessed and under control.

You’d be wrong.

In the last three years, 62% of organizations have experienced what’s deemed as a “critical risk event”, with more than half of those taking the biggest hit to their employees’ productivity (62%) and operational efficiency (59%).

Without a robust risk management system like the one laid out in the ISO 31000 standard, you’ll become yet another statistic suffering from critical risk events.

That’s why this article will take you through everything you need to know about ISO 31000 (the expert guidelines for risk management). We’ll cover:

  • What is ISO 31000?
  • What are the benefits of ISO 31000?
  • ISO 31000 principles
  • ISO 31000 framework
  • ISO 31000 process
  • Kickstarting your risk management

It’s time to kick your risks to the curb.

What is ISO 31000?

[Image: ISO 31000 risk meter. Source: public domain]

The International Organization for Standardization (ISO) produces industry-leading guidelines on a wide array of topics. All are vetted by its members from over 100 standards organizations. When it comes to standardizing something against a universal measure, you go to the ISO.

For example, ISO 9001 is all about quality management. ISO 14001 covers environmental management. Meanwhile, ISO 27001 spans IT, security techniques, and information security management systems.

ISO 31000 is a set of guidelines designed to help you set up an effective risk management system for your environment.

It doesn’t matter whether you’re in manufacturing or environmental protection. ISO 31000 guidelines are always useful because they don’t relate to the risks of a specific industry. Instead, they serve as effective foundations for literally anyone to assess the risks they’re exposed to, estimate how likely those risks are to occur, work out how to minimize that likelihood, and systematically deploy those safety measures.

However, it’s worth noting that ISO 31000 is different from many other ISO standards in one way. You can’t get certified in it.

If your company is ISO 9001 certified, that proves that you have quality management measures in place that meet ISO 9001 standards. ISO 31000 provides guidelines for risk management, so there is nothing to be measured (or certified) against.

What are the benefits of ISO 31000?

ISO 31000 guidelines give you an easy way to reliably create a risk management system that’s tailored to your specific needs. As such it brings a wealth of benefits to your team and to your customers.

Let’s start with the most obvious one; everyone will be working in a safer environment.

This means that your team can carry out their duties with confidence. They know that every appropriate safety measure has been factored into their work. Thus, they don’t have to constantly second-guess their safety.

Speaking of safety, this naturally reduces the number of accidents that your team will have. Fewer accidents mean greater operational continuity, which itself has several benefits. Your reputation as a business that meets demands will grow. In turn, this leads naturally to more customers.

Similarly, your ability to deal with more and bigger customers will increase. This is because your team will more reliably be able to get their work done and get it done faster.

Fewer accidents means you’re spending less money replacing equipment. You’ll also be earning more than if your team’s time was spent dealing with the aftermath.

Beyond the base benefits of having any kind of functional risk management program, ISO 31000 in particular benefits from being compiled and vetted by over 100 member organizations. This means that the measures suggested are guaranteed to be the best way to go about organizing your efforts.

Ready to get started? Great! There’s just one thing we need to cover first…

ISO 31000 principles

[Image: ISO 31000 principles]

ISO 31000 is based on a set of principles that need to be applied to any and every risk management system you build. Such a system needs to be (or make use of):

  • Integrated
  • Structured and comprehensive
  • Customized
  • Inclusive
  • Dynamic
  • Best available information
  • Human and cultural factors
  • Continual improvement

That might sound like a lot of jargon, but let’s break it down.

First, your risk management system should be an integral part of your organization, and every activity should be given relevant consideration in it. By being structured and comprehensive, such a system should produce consistent, comparable results every time it is consulted.

To do this, your risk management system needs to be customized to suit the context relating to your company’s objectives. If there is external pressure or elements which contribute to risks in any way, you need to consider them. Similarly, your system should be able to predict, recognize, deal with, and adapt to any new or developing risks in a dynamic fashion, otherwise your company will be blindsided by new risks.

Inclusivity in this case refers to looping your stakeholders into the creation of this system and the actions you lay out to be taken. This lets you take advantage of their expertise and make sure that the entire company is accountable for the involved risks.

Continual improvement is achieved by iterating based on your team’s growing experience and the best available information at the time. This information should also be made available to stakeholders in a clear and timely manner to allow them to take action and adjust your risk management system.

Finally, your system needs to acknowledge the human and cultural elements of all risks. That is, it needs to accommodate variance in behavior and how the team and company culture could affect the actions taken and outcome.

You’re all set, so let’s get to applying the framework of ISO 31000 to start overhauling your risk management system.

ISO 31000 framework

[Image: ISO 31000 framework]

The ISO 31000 framework is designed to help you adapt, apply, and integrate your risk management system into current activities. To do this it’s split into the following sections:

  • Leadership and commitment
  • Integration
  • Design
  • Implementation
  • Evaluation
  • Improvement

Leadership and commitment

This section is all about what upper management is responsible for, namely:

  • Customizing the framework to suit your organization
  • Establishing a risk management policy and/or plan to carry out
  • Assigning the resources required to manage your risks
  • Delegating and assigning authority, responsibility, and enforcing accountability down through your organization

By doing this your leadership should be able to align risk management with your company’s values and mission, identify and acknowledge the commitment required throughout your organization to manage risk, and grow a culture of risk management among the rest of the team.

Integration

Integration is one of the most important elements of risk management and ISO 31000. To cut to the chase, here is where you tackle how risk management is integrated into your organization in all ways.

Yes, everywhere.

This means that any new processes should be created with risk management policies in mind. As such, that risk management needs to be built into the very culture of your teams. It should tie into your organization’s purpose, leadership, strategy, and operations.

Whether you’re printing your checklists from a master Word document (which comes with a whole host of risks in and of itself) or you’re utilizing software such as FAT FINGER to supercharge your safety reporting, risk needs to be considered everywhere.

Design

This section is all about the internal and external context that needs to be considered when designing your risk management system. This can include:

  • Industry trends relevant to your organization
  • Stakeholder expectations
  • Political, technological, environmental (and so on) factors
  • External dependencies (e.g., logistics networks)
  • Company mission and values
  • Your organizational structure
  • Contractual relationships
  • Organizational and team capabilities

First, these influences need to be detailed and acknowledged by key stakeholders and leadership. They can then create a risk management policy that shows why risk management measures are being taken, what the team’s intentions are for introducing this system, who will be responsible for what, what resources will be required, and how the system will be reviewed and improved over time.

Once your stakeholders have the policy and the appropriate people have been put in authority, it’s time to assign resources. This includes employees and assets required to give authority figures the ability to follow up on their commitments.

Finally, lay out the communication methods and chains that will be used to operate this new system. These need to be robust enough to handle stressful situations, and everyone needs to prioritize open and fast communication.

Implementation

After designing is finished, it’s time to plan how to implement the risk management system and carry out that plan.

Your implementation plan should include estimates of how long it will take to fully execute the new measures, who will be responsible for making decisions about specific sections of the system (e.g., managers), and how you will make sure that everyone clearly knows what to do (and is doing it).

Again, this is where process management software really comes in handy. It’s a life-changing method for making sure that your team is getting everything done up to ISO 31000 standards every time.

Evaluation

After your team has had time to adjust and start putting your risk management practices into action, you need to have a plan for evaluating the success of your measures.

By measuring your performance against your plan and expectations, you will see how successful you were in achieving your goals. For example, workplace accidents may have decreased, productivity and/or morale could have gone up, and so on.

Improvement

Finally, it’s vital to continually improve and adapt your framework based on new information, new risks, and your performance evaluations.

The key point here is that you don’t need to have a plan for every situation in advance. Instead, you need a plan for assessing your system and making adjustments based on your findings.

ISO 31000 process

[Diagram: ISO 31000 process]

ISO 31000 lays out the risk management process as shown in the diagram above: the activity of risk assessment sits at the center, shaped by scope, context, and criteria, feeding into risk treatment, and drawing on communication and consultation as well as monitoring and review of the system as a whole.

Phew, that sounds like a mess, but don’t worry! It’s simple once you break it down.

Communication and consultation

These play a role in ISO 31000 risk management by providing all relevant information to key stakeholders and decision-makers, and bringing their expertise in as much as possible.

Doing this lets you cover as wide a range of risks as possible while also building ownership into your system. After all, if someone gives input into the risk management system, they’re more likely to care about upholding it.

Scope, context and criteria

Without a set scope you’d never stop finding new risks. That’s why it’s important to lay out:

  • What your objectives are with this system
  • What outcomes you expect from implementing it
  • The tools and techniques used to carry it out
  • Any times, locations, and/or specific elements that are included and excluded from the system
  • The required resources to carry out the system
  • Responsibilities of team members
  • How efforts and results will be recorded
  • How the system will relate to and interact with other processes and projects

These should be detailed while also stating the context (internal and external) that the system is being created and deployed in. This is so that any future reference to the system can be considered in relation to how the context surrounding it has changed.

Finally, the criteria of your risk management system need to be recorded. This includes any elements which may affect your desired performance and outcomes, how the level of risk is determined, how compounding risks are accounted for, how consistent your measurements are, and how outcomes will be recorded.

Risk assessment

Risk assessment itself is broken into three parts in ISO 31000:

  • Risk identification
  • Risk analysis
  • Risk evaluation

These three should be performed in order for each risk posed to your organization, so long as those risks are within your system’s scope.

Identification involves recognizing and describing the risks posed whether or not the sources of those risks are under your control. You should also consider (and record) factors of those risks, such as sources, causes, indicators of future risks, changes in context, knowledge limitations, time factors, and potential biases of those involved.

ISO 31000 states that risk analysis involves assessing “uncertainties, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness” (ISO 31000:2018, 6.4.3 Risk analysis). In other words, you need to break each risk down into how likely it is to occur, the results of it happening, the severity of it happening, how complex and volatile the situation is, how effective existing risk control measures are, and how sensitive the situation is to change.

Finally, risk evaluation is all about deciding whether or not extra measures need to be taken to mitigate or control the risk. The outcome of this evaluation (even if it’s “no action required”) should be documented clearly and communicated to all relevant parties.

Risk treatment

If it’s decided that something needs to be done following risk evaluation you’ll need to move on to risk treatment. This is where your team figures out what the best course of action to take is, and iteratively assesses the situation to see if your actions improve things.

The action that’s taken will depend on how valuable the activity that the risk is related to is, how severe and likely the risk is, and the difficulty of the various actions you can take in that specific situation.

For example, one option would be to remove the source of the risk, but if the source is a piece of irreplaceable equipment then that can’t be done.

Whether you decide to leave the risk as it is, attempt to influence the likelihood or consequences of the risk, insure against it happening or even halt the activity entirely if the risk is great enough, treatment should continue in a cycle until a final decision is reached. That decision can only be to entirely eliminate the risk somehow, halt the activity related to the risk, or accept the current level of risk in your operations (with justification such as the outcome being worth the potential consequences).

However, note that in treating your current risk you should always be wary of introducing new risks. They might be worth accepting in order to treat the current risk, but they will need to be assessed and evaluated separately.
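To make the assessment and treatment steps above concrete, here is an added example (not code from the article or from FAT FINGER) of a small risk register. It scores each constructed risk by likelihood × consequence discounted by the effectiveness of existing controls, evaluates the residual score against a recorded criterion (the threshold of 8 is an assumed value), and then runs the treatment cycle: re-evaluating after each option, and queuing any new risk a treatment introduces so that it gets its own separate assessment rather than being waved through with the original risk. The risk names, scores, and treatment options are all constructed for the example.

```python
"""Added example, not from the article or from FAT FINGER: a small risk
register that walks constructed risks through the steps the text describes:
analysis (likelihood x consequence, discounted by how effective existing
controls are), evaluation against a recorded criterion, and a treatment
cycle that re-evaluates after each option and queues any new risks a
treatment introduces for their own, separate assessment."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Recorded criterion (an assumed value for this example): a residual score
# at or above this threshold means extra measures are needed.
TREATMENT_THRESHOLD = 8


@dataclass
class Risk:
    name: str
    source: str                     # where the risk comes from (identification)
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    consequence: int                # 1 (negligible) .. 5 (severe)
    control_effectiveness: float = 0.0   # 0.0 (no control) .. 1.0 (fully effective)
    decision: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def residual_score(self) -> float:
        """Risk analysis: inherent score reduced by existing controls."""
        return round(self.likelihood * self.consequence * (1 - self.control_effectiveness), 2)

    def needs_treatment(self) -> bool:
        """Risk evaluation against the recorded criterion."""
        return self.residual_score() >= TREATMENT_THRESHOLD


@dataclass
class Treatment:
    description: str
    likelihood_delta: int = 0       # how the option changes likelihood
    consequence_delta: int = 0      # how the option changes consequence
    introduces: List[Risk] = field(default_factory=list)  # new risks created by this option


def treat(risk: Risk, plan: List[Treatment]) -> List[Risk]:
    """Treatment cycle: apply options in order and re-evaluate after each.
    Stops when the residual score falls under the criterion (accept) or the
    plan is exhausted (halt). Returns the new risks the applied options introduced."""
    introduced: List[Risk] = []
    if not risk.needs_treatment():
        risk.decision = "no action required"
        return introduced
    for option in plan:
        risk.likelihood = max(1, min(5, risk.likelihood + option.likelihood_delta))
        risk.consequence = max(1, min(5, risk.consequence + option.consequence_delta))
        risk.log.append(f"{option.description} -> residual {risk.residual_score()}")
        introduced.extend(option.introduces)
        if not risk.needs_treatment():
            risk.decision = "accept residual risk after treatment"
            return introduced
    risk.decision = "halt activity: residual risk still above criterion"
    return introduced


def run_register(register: List[Risk], plans: Dict[str, List[Treatment]]) -> List[Risk]:
    """Assess and treat every in-scope risk. New risks introduced by a
    treatment are appended to the queue and go through the same steps."""
    queue = list(register)
    assessed: List[Risk] = []
    while queue:
        risk = queue.pop(0)
        assessed.append(risk)
        queue.extend(treat(risk, plans.get(risk.name, [])))
    return assessed


def sample_register() -> List[Risk]:
    """Constructed sample entries (not real data)."""
    return [
        Risk("Forklift collision in loading bay", "shared pedestrian/vehicle route", 4, 4, 0.25),
        Risk("Unpatched file server", "slow vendor patch cadence", 3, 3),
        Risk("Wet floor in kitchen", "sink overflow", 2, 2),
    ]


def sample_plans() -> Dict[str, List[Treatment]]:
    """Constructed treatment plans; the barrier option introduces a new risk."""
    return {
        "Forklift collision in loading bay": [
            Treatment("Separate pedestrian walkway with barriers", likelihood_delta=-2,
                      introduces=[Risk("Barrier obstructs emergency exit route", "new barriers", 2, 5)]),
        ],
        "Unpatched file server": [Treatment("Monthly patch window", likelihood_delta=-1)],
        "Barrier obstructs emergency exit route": [
            Treatment("Reposition barrier to keep the exit clear", likelihood_delta=-1),
        ],
    }


if __name__ == "__main__":
    for r in run_register(sample_register(), sample_plans()):
        print(f"{r.name}: residual {r.residual_score()} -> {r.decision}")
```

Running the script prints one line per risk, including the barrier risk that only exists because of the forklift treatment; it is assessed last because it was appended to the queue when the treatment was applied. Each risk ends with one of the three outcomes the text allows (no action, accept with the treatment on record, or halt the activity), and the `log` field on each risk keeps the residual score after every option so the reasoning can be reported to stakeholders.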

Monitoring and review

Monitoring and reviewing should take place during all stages of risk management, which is why they occupy a similar position in the diagram at the start of this section as communication and consultation. By monitoring the effectiveness of your organization’s performance during each active step of risk management, you can find where the entire system can be improved for quality, ease of use, performance, or a combination of all three.

As with every other step, monitoring and reviewing your system needs to be clearly assigned to a specific team member (or members). That way it’s clear who is accountable for checking on the relative health and effectiveness of the system.

Recording and reporting

Much like monitoring and reviewing, the entire process of risk management needs to be recorded and reported to key stakeholders in detail. This is to make sure that all relevant parties know exactly what is going on, provide them with the information they need to make decisions, improve risk management in general by showing what is currently being done, and demonstrate to stakeholders who is accountable for the many elements of risk management.

However, when it comes to reporting you can’t just create a one-size-fits-all document – you need to consider your audience.

That means that your reports should vary based on what the person you’re reporting to needs to know, how often they need a report, and how relevant specific pieces of information are to them. For example, your CEO won’t have time to be taught the ins and outs of how you’re managing every risk; they would benefit more from a simple summary of how effective your program is and what’s being done to improve it.

Kickstarting your risk management

Sound overwhelming? Let’s just say that there’s a reason that ISO standards (including ISO 31000) are globally recognized.

But that doesn’t mean you have to be left in the dust.

FAT FINGER provides you with an easy-to-use, no-code form builder that lets you document your processes to perform everything correctly on time, every time. From risk management to electrical safety, we even have a library of premade templates that are ready for you to use right now.

Don’t believe us? Check out the video below to see how easy FAT FINGER makes job safety analysis.

Start documenting your risk management procedures and deploying them in your team at the click of a button. Start using FAT FINGER today.