ISO 31000, Principles of Risk Management, is a set of guidelines drafted by the International Organization for Standardization to help organizations implement better risk management practices.
The standard is designed to be used by any organization in any industry, and there is no certification associated with it (which is the case for other ISO standards).
ISO 31000 is intended to help companies understand and manage risks such as damage to equipment, injury to staff or customers, cybersecurity breaches, financial losses, and many other threats. The standard doesn’t replace an organization’s business plan per se. Rather, ISO 31000 helps to embed risk management into that plan.
What is the purpose of the ISO 31000 Framework?
The standard has two primary pieces:
- A risk management framework, which provides the foundation for designing and implementing risk management mechanisms (policies, procedures, and controls) throughout the organization.
- A risk management process, which guides the organization as it applies those policies, procedures, and controls in a systematic way.
In other words, ISO 31000 helps businesses to formalize their risk management practices across the entire enterprise, rather than leave risk management practices to evolve in a more siloed fashion, differing from one part of the organization to the next.
Elements of the ISO 31000 Framework
The ISO 31000 framework has six “components”—the basic steps every organization would need to work through to implement the standard and embed risk management principles into daily operations.
- Leadership and commitment: senior executives and the organization’s governing body (typically the board of directors) would need to adopt a policy that enterprise risk management is an objective the organization wants to achieve, and then assign responsibility for that objective to specific individuals.
- Integration: executives should clarify that risk management must happen throughout the whole organization and that everyone has responsibility for helping the business to manage risk.
- Program design: outline specific steps that the business will take to manage risk, and design that program so that it reflects items such as the organization’s core values, its business strategy, regulatory obligations, contractual obligations to third parties, and so forth.
- Implementation: develop a plan to implement the risk management program, and be sure that plan has the appropriate time and resources to execute the implementation effectively.
- Evaluation: periodically review the risk management program to assess how well it achieves its originally stated goals, and to see whether any new risks have emerged that require attention.
- Improvement: take any new steps as necessary either to improve parts of the program that don’t meet expectations, or to implement new program elements to address emergent risks.
ISO 31000 and Risk Assessments
Another application for ISO 31000 is risk assessment. A risk assessment is how an organization evaluates potential threats in the business environment: anything from the risk of connecting a server to the Internet, to the risk of employees suing over sexual harassment.
Every risk assessment should strive to identify the likelihood and severity of an adverse event. Risk management executives can perform risk assessments in several ways, but the most common forms are qualitative and quantitative assessments.
Qualitative risk assessments rely considerably on a subjective human judgment about possible risks. A qualitative risk assessment still seeks to identify potential threats and their severity, but might only categorize those risks on a simple low/medium/high scale or some other pre-determined metric.
Qualitative risk assessments are often useful to help prioritize risks, and the attendant risk management mechanisms an organization might then put in place.
Quantitative risk assessment tries to produce a more data-driven estimate of a risk’s likelihood and potential damage. For example, an organization might review historical data and estimate that climate disasters have a 5 percent chance of striking, but one week of a data center knocked off-line would result in $100 million in lost sales.
That precision can help executives understand what risk-reduction measures are or aren’t worth pursuing.
Responding to Risks
The ISO 31000 standard is an operational framework of planning, organizing, executing, and monitoring risk. It’s also premised on the understanding that risk is something that can be clearly defined, measured, and managed.
Based on these assumptions, once the company performs a risk assessment, it must then determine a course of action to remediate and monitor risk. Those choices can be:
- Accept the risk to pursue an opportunity
- Avoid the risk by not pursuing the activity that creates it
- Share the risk with another party (such as through contracts or risk financing)
- Mitigate the likelihood of the risk happening (say, adding security measures to avoid cybersecurity risk)
- Mitigate the potential damage (creating backup data archives to recover quickly from a cybersecurity risk)
Once the organization decides how to treat the risk, it can then determine the specifics of how to achieve that goal.
In cybersecurity, for example, the organization might take steps such as improving patch management and firewall design, conducting more malware scans, and monitoring access controls.
The process doesn’t end at remediation, however. According to ISO 31000, risk management should include a process of continual improvement to the risk management system. That means revisiting the six elements of the framework periodically, to identify those improvements and implement them promptly.
How ZenGRC can help with Risk Assessment and Mitigation
While ISO 31000 is an excellent standard for guiding the development of more risk-aware operations, implementing the standard to improve business continuity, cybersecurity, regulatory compliance, and strategic decision-making is easier said than done.
ZenGRC works with other tools and technologies to collect and store data on your vulnerabilities and works as a penetration tester by telling you what’s needed to resolve the vulnerabilities.
It tracks tasks so you always know what’s being done and by whom; shows your compliance (including for ISO certification) and risk management posture on user-friendly dashboards; allows unlimited self-audits in a few clicks, and much more.
Worry-free risk management is the Zen way. Contact us today to learn more.