ISO 31000 is an international standard for risk management. It’s intended to help organizations (of any industry) with their decision making, risk analysis, and risk treatment.
Fundamentally, the risk management process endeavors to identify risk and then implement a management system to minimize the chance of that risk occurring—or, if the risk does occur, to minimize its harm and assure a speedy recovery. ISO 31000 provides a framework for organizations to assess their current risk management processes and then make improvements as necessary.
There are two scopes associated with risk management. ISO 31000 describes them as:
A risk management framework. This provides the foundations and organizational arrangements for designing, implementing, monitoring, and continually improving risk management throughout the organization.
A risk management process. This is the set of management policies, procedures, and practices that are meant to assure risk management is effective. Ideally, the risk management process is guided by the risk management framework.
In other words, ISO 31000 offers a set of best practices so an organization can formalize its risk management practices. This approach is intended to facilitate broader adoption of enterprise risk management by companies that currently struggle with multiple, “silo-centric” risk management systems.
Several major elements of ISO 31000 attempt to help businesses integrate the ISO standard into their existing business plans. It’s important to note that ISO 31000 isn’t meant to replace an organization’s business plan, but rather to integrate risk management principles into that plan. Risks such as damage to equipment, injury to staff or customers, and financial losses are all examples of what a business might seek to prevent.
The risk management process typically begins with a risk assessment. Included in the risk assessment is the identification of risk, an analysis of the risk, and an evaluation of that risk.
Following the risk assessment, an organization will decide which risk treatment approach to take, and then monitor and review the risk and the results. Establishing the context of the risk and then deciding on the communication and consultation surrounding the risk are also important steps in a sound risk management process.
Risk Management in More Detail
Establish the context of the risk. This step selects a basic risk and places it within some specific part of your enterprise; then you can apply risk management principles. For example, you could decide to assess the risk of fraud, and then specifically examine the potential for fraud within the accounting and financial reporting functions. The more precisely you can identify the corporate level, division, or business unit that will go through the risk management process, the better.
Risk Identification. Identifying risk can be challenging, especially for risks that are difficult to predict—such as a zero-day malware attack or a natural disaster. (This is often described as the effect of uncertainty; you know what the risk is, but have little sense of how probable it is.)
ISO 31000, as an international standard, addresses this by collecting an enormous amount of perspective from various organizations, which may have experiences other organizations do not. The ability to compare experiences helps companies identify risk that they may not have previously understood.
Risk analysis. An analysis of the potential risk is necessary to figure out what the risk actually is, and assists in implementing effective risk management. For example, if an organization has a backup power generator, executives will need to decide where the fuel for that generator will be stored. Keeping combustible material close to the generator might be unwise. An analysis of that decision would point out that the spark plugs of the generator have a chance of igniting fumes from closely stored fuel and causing an explosion.
Risk evaluation. This step is essentially assigning a grade to the risk: Is it high, medium, low, or something else? Using our fuel generator example: if the fuel is stored in a tank five feet away from the generator, that could put the fuel at high risk of being ignited and exploding.
Usually one part of the risk evaluation is estimating the potential physical and financial damage the threat poses to the business. In our generator’s case, the chance of an explosion would be high, and the likelihood of bodily harm and structural damage would be high too. Executives could model those costs (lost revenue, pain and suffering lawsuits, repair costs) to estimate the total potential damage from the risk.
Risk treatment. Deciding how to treat certain threats is a crucial part of risk mitigation, and usually the decision is made by a team of risk managers or consultants.
The generator and fuel example would depend upon the expertise of a fire chief inspecting the site and determining the safe distance to store the fuel. The chief may recommend that the fuel be stored in an underground tank, or that the organization use an alternative fuel source, or propose other mitigation steps.
Communication and consultation. We see examples of communication and consultation about risk throughout daily life. Warning signs around the generator and fuel tank would be one way to communicate the danger and risk surrounding that specific asset. Assigning a periodic inspection from a certified professional to ensure the assets are functioning safely is an example of a consultative step in the risk management process.
Monitoring and review. A periodic inspection and certification of safety equipment is a consultative action, but it is also a monitoring step. That is a crucial part of risk management too: revisiting your risk management efforts, to assure that they still effectively address the risk in question.
For example, if technology changes and combustible fuels are no longer needed, storing those fuels would no longer be necessary and the associated risk would disappear. The fuel could be removed and the annual inspections discontinued.
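To make the steps above concrete, here is an added example (not part of the original article or of ZenGRC) of a small risk register that walks the generator-and-fuel scenario through context, identification, analysis, evaluation, treatment, and review. The five-point likelihood and impact scales, the high/medium/low cut-offs, the annual probabilities, and the dollar loss figure are illustrative assumptions chosen for this example, not values taken from ISO 31000.

```python
from dataclasses import dataclass, field, replace

# Five-point scales. The cut-offs and the annual probability attached to each
# likelihood level are illustrative assumptions, not values from ISO 31000.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
ANNUAL_PROBABILITY = {"rare": 0.01, "unlikely": 0.05, "possible": 0.2,
                      "likely": 0.5, "almost certain": 0.9}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    context: str            # establish the context: where in the enterprise the risk sits
    description: str        # risk identification: what could go wrong
    likelihood: str         # risk analysis: how probable the event is
    impact: str             # risk analysis: how bad it is if it happens
    loss_if_occurs: float   # modelled cost of one occurrence (repairs, lawsuits, lost revenue)
    treatments: list = field(default_factory=list)


def score(risk: Risk) -> int:
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def rating(risk: Risk) -> str:
    """Risk evaluation: turn the likelihood x impact score into a high/medium/low grade."""
    s = score(risk)
    return "high" if s >= 15 else "medium" if s >= 8 else "low"


def annual_expected_loss(risk: Risk) -> float:
    """Risk evaluation: expected yearly cost = probability of occurrence x loss per occurrence."""
    return ANNUAL_PROBABILITY[risk.likelihood] * risk.loss_if_occurs


def treat(risk: Risk, measure: str, likelihood: str, impact: str) -> Risk:
    """Risk treatment: record a control and return the residual risk it leaves behind."""
    return replace(risk, likelihood=likelihood, impact=impact,
                   treatments=risk.treatments + [measure])


def review(register: list, max_rating: str = "medium") -> list:
    """Monitoring and review: list the risks still rated above the accepted level."""
    order = {"low": 0, "medium": 1, "high": 2}
    return [r for r in register if order[rating(r)] > order[max_rating]]


# Constructed scenario from the article: fuel tank stored five feet from the generator.
fuel_risk = Risk(context="Facilities / backup power",
                 description="Generator spark plugs ignite fumes from fuel tank 5 ft away",
                 likelihood="likely", impact="severe", loss_if_occurs=2_000_000.0)
residual = treat(fuel_risk, "Move fuel to an underground tank (fire chief's recommendation)",
                 likelihood="rare", impact="severe")

if __name__ == "__main__":
    print(rating(fuel_risk), annual_expected_loss(fuel_risk), review([fuel_risk]))
    print(rating(residual), annual_expected_loss(residual), review([residual]))
```

Running the register twice, before and after the treatment, shows the same "revisit your efforts" loop the monitoring step describes: the rating drops from high to low and the risk drops out of the review list.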
How ZenGRC Can Improve Risk Management
Meeting the standards of ISO 31000 is no easy task. It requires significant coordination across the enterprise, with extensive demands for documentation of risks, controls, testing, and remediation work.
With ZenGRC, you can leverage one platform for all your control, compliance preparedness, risk, governance, and policy management needs. ZenGRC provides your business with a single, integrated experience that reveals all risk across your business; and provides for an easier, more automated path toward ISO 31000 implementation.
ZenGRC simplifies internal audits and preparation for external auditing with complete views of control environments, easy access to information necessary for program evaluation, and continual compliance monitoring to address critical tasks at any time.
Worry-free risk management is the Zen way! Learn more by scheduling a free demo today.