
Risk Management

ISO 31000
PRINCIPLES and GUIDELINES

Jojo P. Javier
Doctor of Business Administration
Letran Graduate School of Business
About ISO
ISO (International Organization for Standardization) is an independent, non-governmental membership organization and the world’s largest developer of voluntary international standards.

It is made up of 165 member countries that are the national standards bodies around the world, with a Central Secretariat that is based in Geneva, Switzerland.
What are standards?
International Standards make things work. They give world-class specifications
for products, services and systems, to ensure quality, safety and efficiency. They
are instrumental in facilitating international trade.

ISO has published more than 19,500 International Standards covering almost
every industry, from technology, to food safety, to agriculture and healthcare.

ISO International Standards impact everyone, everywhere.


What is the ISO 31000 Standard?
The global financial crisis in 2008 demonstrated the importance of adequate risk management. Since that time, new risk management standards have been published, including the international standard, ISO 31000 ‘Risk management – Principles and guidelines’.

There are many opinions regarding what risk management involves, how it should be implemented and what it can achieve. ISO 31000 was published in 2009 and seeks to answer these questions.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published an Enterprise Risk Management (ERM) standard in 2004. The COSO ERM cube is well known to risk management practitioners and it provides a framework for undertaking ERM. It has gained considerable influence because it is linked to the Sarbanes-Oxley requirements for companies listed in the United States.

ISO 31000 was published in 2009 as an internationally agreed standard for the implementation of risk management principles. It is the natural successor to AS/NZS 4360:2004 – the generic guide to Risk Management.
Currently, the ISO 31000 family includes the following:

• ISO 31000:2009 - Principles and Guidelines on Implementation
• ISO/IEC 31010:2009 - Risk Management - Risk Assessment Techniques
• ISO Guide 73:2009 - Risk Management - Vocabulary
Risk Management Principles
Risk management is a process that is underpinned by a set of principles. Also, it needs to be supported by a structure that is appropriate to the organization and its external environment or context. A successful risk management initiative should be proportionate to the level of risk in the organization (as related to the size, nature and complexity of the organization), aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances.
This approach will enable a risk management initiative to deliver:

• Outputs for more efficient operations, effective tactics and efficacious strategy.
• Compliance with applicable governance requirements.
• Assurance to stakeholders regarding the management of risk.
• Improved decision making.
• Measurable and sustainable benefits.
Risk, Risk Management and ISO 31000
1. Nature and impact of risk
2. Principles of risk management
3. Review of ISO 31000
4. Achieving the benefits of ERM
Nature and Impact of Risk
Risks can impact an organization in the short, medium and long term. These risks are related to operations, tactics and strategy, respectively. Strategy sets out the long-term aims of the organization, and the strategic planning horizon for an organization will typically be 3, 5 or more years. Tactics define how an organization intends to achieve change. Therefore, tactical risks are typically associated with projects, mergers, acquisitions and product developments.
Risk Defined
The definition set out in ISO Guide 73 is that risk is the “effect of uncertainty on objectives”. An effect may be positive, negative or a deviation from the expected, and risk is often described by an event, a change in circumstances or a consequence.

This definition links risks to objectives. Therefore, this definition of risk can most easily be applied when the objectives of the organization are comprehensive and fully stated.
Recording and Classifying Risk Assessments
Risk assessment involves the identification of risks followed by their evaluation or ranking. The objective of this exercise is to enable the information to be recorded in a table, risk register, spreadsheet or a computer-based system.

The consequences of a risk materializing may be negative (hazard risks), positive (opportunity risks) or may result in greater uncertainty. Organizations need to establish appropriate definitions for the different levels of likelihood and consequences associated with these different risks.

Risk ranking can be quantitative, semi-quantitative or qualitative in terms of the likelihood of occurrence and the possible consequences or impact.
An important part of analyzing a risk is to determine the nature, source or type of impact of the risk. Evaluation of risks in this way may be enhanced by the use of a risk classification system.

Risk classification systems are important because they enable an organization to identify accumulations of similar risks. A risk classification system will also enable an organization to identify which strategies, tactics and operations are most vulnerable. However, there is no risk classification system that is universally applicable to all types of organizations.
Principles of Risk Management
Risk management is a central part of the strategic management of any organization. It is the process whereby organizations methodically address the risks attached to their activities. A successful risk management initiative should be proportionate to the level of risk in the organization, aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances.

It increases the probability of success and reduces both the probability of failure and the level of uncertainty associated with achieving the objectives of the organization.
• What is our mission?
• What is our strategy to achieve it?
• What risks might derail us?
• How is the organization set up to deal with such risks?
• How are we managing risks?
7Rs and 4Ts of the Risk Management Process
1. Recognition or identification of risks
2. Ranking or evaluation of risks
3. Responding to significant risks
   1. Tolerate
   2. Treat
   3. Transfer
   4. Terminate
4. Resourcing controls
5. Reaction planning
6. Reporting and monitoring risk performance
7. Reviewing the risk management framework
Within the 7Rs, steps 1 and 2 (recognition and ranking of risks) make up risk assessment, and step 3 (responding to significant risks with one of the 4Ts: tolerate, treat, transfer, terminate) is risk treatment or response.
Supporting mechanisms shown alongside the 7Rs on the slide: Business Continuity Planning, Disaster Recovery Planning, Information Security Policy and Procedures, and Incident Management Policy and Procedures.
ISO 31000 describes a framework for implementing risk management, rather than a framework for supporting the risk management process. Information on designing the framework that supports the risk management process is not set out in detail in ISO 31000. An organization will describe its framework for supporting risk management by way of the risk architecture, strategy and protocols for the organization.
The risk architecture, strategy and protocols represent the internal arrangements for communicating risk issues. They also set out the roles and responsibilities of the individuals and committees that support the risk management process.
The risk strategy should set out the objectives that risk management activities in the organization are seeking to achieve. Finally, the risk protocols describe the procedures by which the strategy will be implemented and risks managed.
Relationship between the principles, framework and process
Mandate and Commitment - Clause 4.2
Business Principles Approach: AS/NZS ISO 31000:2009 Principles (Clause 3)

1. Create value
2. Be an integral part of organizational processes
3. Be part of decision making
4. Explicitly address uncertainty
5. Be systematic and structured
6. Be based on the best available information
7. Be tailored
8. Take into account human factors
9. Be transparent and inclusive
10. Be dynamic, iterative and responsive to change
11. Be capable of continual improvement and enhancement
Risk management should create value
• RM contributes to the achievement of objectives.
• Protects value – minimize downside risk, protects people, systems and processes.

Risk management should be an integral part of organizational processes
• RM is not a stand-alone activity from the management system of the organization.
• RM is part of the process - not an “additional” compliance task.

Risk management should be part of decision making
• Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.
• Helps allocate scarce resources.
Risk management explicitly addresses uncertainty
• Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.
• RM addresses uncertainty, no matter the level of uncertainty.

Risk management should be systematic and structured
• A systematic, timely and structured approach to the management of risk contributes to efficiency and to consistent, comparable and reliable results.
• The more aligned – the more effective and efficient.

Risk management should be based on the best available information
• The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgment.
Risk management should be tailored
• Risk management is aligned with the organization's external and internal context and risk profile.
• Different risk appetites & different measurements.
• Context remains one of the most difficult areas.

Risk management should take into account human factors
• The management of risk recognizes the capabilities, perceptions and intentions of people that make every organization different.
Risk management should be transparent and inclusive
• Appropriate and timely involvement of stakeholders at all levels of the organization ensures that the management of risk remains relevant and up-to-date.
• The management of risk must be clearly set out in job profiles/employment contracts and annual appraisals.

Risk management should be dynamic, iterative and responsive to change
• External and internal events happen, context and knowledge change, monitoring and review take place, new risks emerge, some change, and others disappear.
• Must keep RM relevant and accurate so as to support decisions and strategies.
• Regular reviews of risk register and framework.
• Internal audit program informed by corporate risk register.
Risk management should be capable of continual improvement and enhancement
• Organizations should develop and implement strategies to improve the maturity of their management of risk alongside all other aspects of their management system.
• RM maturity and improvement strategies should be included in the RM Plan.
The framework in Clause 4 of AS/NZS ISO 31000:2009 is not intended to describe a management system; rather, it is intended to assist the organization to integrate risk management within its overall management system. Therefore, organizations should adapt the components of the framework to their specific needs.
PDCA – Starting Point of any Management System
Clauses 4.3 through 4.6 within the PDCA framework:

4.2 Mandate and Commitment

4.3 Design of framework
   4.3.1 Understanding the organization and its context
   4.3.2 Establishing risk management policy
   4.3.3 Accountability
   4.3.4 Integration into organizational processes
   4.3.5 Resources
   4.3.6 Establishing internal communication and reporting mechanisms
   4.3.7 Establishing external communication and reporting mechanisms

4.4 Implementing risk management
   4.4.1 Implementing the framework for managing risk
   4.4.2 Implementing the risk management process

4.5 Monitoring and review of the framework

4.6 Continual improvement of the framework
4.3 Design of the Framework

4.3.1 Understanding the organization and its context
External context such as business trends and key drivers, perceptions/values of key stakeholders and PESTLE factors.
Internal context such as:
• Governance structures
• Objectives, strategies and policies
• Knowledge, skills and resources
• Organizational culture
• Contractual relationships
4.3.2 Establishing the Risk Management Policy
• Must be simple, achievable, understandable and auditable with the clear mandate and commitment of top management
• Aligned to the organization’s culture, with the risk makers and the risk takers as the risk owners.
• Document components:
   • Rationale and policy links
   • Accountability and responsibility
   • Management of conflicts of interest
   • Measurement of RM performance
   • Reporting processes
   • Policy review process/cycle
4.3.3 Accountability
• All accountable risk owners are clearly identified and provided with authority & resources to manage risk
• Board accountability for framework implementation
• Accountability of risk owners at all levels of the organization clearly identified
• Performance measurement processes in place
• Reporting and escalation processes clearly established
4.3.4 Integration into the organizational processes
• The management of risk should be part of routine organizational processes:
   • Policy development
   • Business/strategic planning
   • Change management
   • Decision-making processes
• Risk Management Plan:
   • Organization-wide
   • Linked to or integrated into other plans: strategic plans, implementation plans, operational plans etc.
4.3.5 Resources
• Expenditure on the management of risk is an investment
• Good RM will make an organization more effective, but it requires dedicated resources
• Resources include:
   • People: skills, experience and competence
   • Time and funds: to execute the process
   • Defined processes, methods and tools
   • Information systems
   • Awareness, education and training programs
4.3.6 & 4.3.7 Establishing Internal & External Communication and Reporting Mechanisms
• Internal
   • Ongoing awareness, education and training
   • Framework performance reporting and outcome reviews
   • Information management
   • Stakeholder engagement
• External
   • Stakeholder engagement
   • Regulatory reporting requirements
   • Use reporting to build confidence
   • Business continuity (management of disruption related risk) communication
4.4 Implementing Risk Management

4.4.1 Implementing the framework
Ensure:
• Appropriate timing
• Alignment with organizational strategy and processes
• Compliance with regulation
• Apply to organizational processes
• Train and educate staff
• Communicate and consult

4.4.2 Implementing the risk management process
• Define the process for the organization
• Implement at all levels (appropriate processes)
• Establish a monitoring process
Risk Management Process - Clause 5
• Should be an integral part of management, be embedded in culture and practices and tailored to the business processes of the organization.
• Includes five activities: communication and consultation; establishing the context; risk assessment; risk treatment; and monitoring and review.
5.2 COMMUNICATION & CONSULTATION (alongside every step)

5.3 ESTABLISHING THE CONTEXT
   5.3.2 External Context
   5.3.3 Internal Context
   5.3.4 Risk Management Process Context
   5.3.5 Developing Risk Criteria

5.4 RISK ASSESSMENT
   5.4.2 RISK IDENTIFICATION: What can happen, when, where, how and why?
   5.4.3 RISK ANALYSIS: Determine existing controls; determine likelihood and consequences; estimate level of risk.
   5.4.4 RISK EVALUATION: Compare against criteria; identify and assess options; decide on response; establish priorities.

5.5 RISK TREATMENT
   5.5.2 Selection of risk treatment options
   5.5.3 Preparing and implementing risk treatment plans.

5.6 MONITOR and REVIEW (alongside every step)
Step 1 - ESTABLISHING THE CONTEXT
• external context
• internal context
• risk management context
• risk criteria (i.e. threshold levels)
• define the structure

Step 2 - RISK IDENTIFICATION
• what can happen, when, where and how
• identify key processes, tasks, activities
• recognize risk areas
• define risks
• categorize risk

Step 3 - RISK ANALYSIS
• identify controls
• determine likelihood
• determine consequence/impact
• determine level of risk

Step 4 - RISK EVALUATION
• identify tolerable/unacceptable risks (referring risk rating against risk criteria)
• prioritize risks for treatment

Step 5 - RISK TREATMENT
Selection of risk treatment options; preparing and implementing risk treatment plans.
• Accept/Retain: based on judgment or documented procedures/policy
• Share: insurance; outsourcing
• Avoid: consider discontinuing or avoiding activity; consult; risk treatment preferable to risk aversion
• Reduce likelihood: controls; process improvement; training & education; policies and communication; audit and compliance
• Reduce consequence: Business Continuity Plans; contractual arrangements; public relations

Step 6 - MONITOR and REVIEW
• process
• environment
• organization
• strategy
• stakeholders

5.2 COMMUNICATION & CONSULTATION runs alongside all six steps.
5.3 ESTABLISHING THE CONTEXT: considerations
• Objectives and environment
• Relevant legislation
• Stakeholder identification & analysis
• Government policy
• Corporate policy
• Management structures
• Community expectations
• Criteria
• Consequence criteria
5.4.2 RISK IDENTIFICATION: what to consider
• Personnel/human behaviour.
• Management activities and controls.
• Economic circumstances.
• Natural and unnatural events.
• Political circumstances.
• Technology/technical issues.
• Commercial and legal relationships.
• Public/professional/product liability.
• The activity itself.
5.4.3 RISK ANALYSIS
Where possible, confidence limits are placed on estimates and the best available information sources are used.

Purpose:
• Separate minor risks from major.
• Provide data to assist in evaluation.

Preliminary analysis:
• Excluded risks, where possible, should be listed.
5.4.4 RISK EVALUATION
Consider the following:
• Objectives of projects and opportunities
• Tolerability of risks to others
• Whether a risk needs treatment
• Deciding whether risk can be tolerated
• Whether an activity should be undertaken
• Priorities for treatment
5.5 RISK TREATMENT
• Reduce likelihood & consequence
• Continuity planning
• Sharing in full or part (this creates a new risk)
• Avoid (but not because of aversion)
• Retain residual
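The recording and ranking described under "Recording and Classifying Risk Assessments", and steps 3 to 5 of the process (analysis, evaluation against risk criteria, treatment with the 4Ts), worked through as a small semi-quantitative risk register. This is an added example, not code from the presentation or from ISO 31000; the 5x5 likelihood and consequence scales, the rating cut-offs, the "counterparty" risk created by a transfer and the sample risks are constructed assumptions, since the standard leaves those definitions to each organization.

```python
"""Semi-quantitative risk register walking ISO 31000 steps 3 to 5.
Added example, not from the presentation or the standard: the scales,
the risk criteria and the sample risks are constructed."""
from dataclasses import dataclass, field, replace

# Risk criteria (step 1, "threshold levels"). An organization defines its own
# level names and cut-offs; these 5x5 scales and cut-offs are constructed.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
CRITERIA = [(15, "unacceptable"), (8, "tolerable"), (0, "acceptable")]  # level >= cut-off


@dataclass
class Risk:
    """One row of the risk register (recording and classifying step)."""
    risk_id: str
    description: str
    likelihood: str
    consequence: str
    category: str                                   # risk classification entry
    controls: list = field(default_factory=list)    # existing controls (step 3)
    treatment: str = "undecided"                    # one of the 4Ts once chosen
    status: str = "open"


def level_of_risk(risk: Risk) -> int:
    """Step 3, risk analysis: estimate the level of risk."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def rate(risk: Risk) -> str:
    """Step 4, risk evaluation: compare the risk rating against the criteria."""
    level = level_of_risk(risk)
    return next(label for cut_off, label in CRITERIA if level >= cut_off)


def prioritize(register: list) -> list:
    """Step 4: open risks ordered for treatment, highest level of risk first."""
    return sorted((r for r in register if r.status == "open"),
                  key=level_of_risk, reverse=True)


def respond(risk: Risk, option: str, **changes) -> list:
    """Step 5, risk treatment: apply one of the 4Ts and return the resulting rows.
    tolerate  - retain the risk and record the decision (level unchanged)
    treat     - add controls that reduce likelihood and/or consequence
    transfer  - sharing (insurance, outsourcing) lowers the consequence but, as
                the slide notes, creates a new risk: the counterparty may fail
    terminate - avoid the activity; the row is closed rather than deleted
    """
    if option == "tolerate":
        return [replace(risk, treatment="tolerate")]
    if option == "treat":
        return [replace(risk, treatment="treat",
                        controls=risk.controls + changes.get("new_controls", []),
                        likelihood=changes.get("likelihood", risk.likelihood),
                        consequence=changes.get("consequence", risk.consequence))]
    if option == "transfer":
        shared = replace(risk, treatment="transfer", consequence=changes["consequence"])
        new_risk = Risk(risk.risk_id + "-T", "counterparty fails to honour the transfer",
                        "unlikely", risk.consequence, "commercial and legal relationships")
        return [shared, new_risk]
    if option == "terminate":
        return [replace(risk, treatment="terminate", status="closed")]
    raise ValueError(f"unknown treatment option: {option}")


# Constructed sample register (not a real organization's).
REGISTER = [
    Risk("R1", "ransomware encrypts file servers", "likely", "major",
         "technology/technical issues", controls=["nightly backups"]),
    Risk("R2", "key supplier becomes insolvent", "possible", "major",
         "commercial and legal relationships"),
    Risk("R3", "data-entry errors in invoices", "likely", "insignificant",
         "personnel/human behaviour"),
]


def evaluate(register: list) -> dict:
    """Register view: id -> (level of risk, rating), in treatment priority order."""
    return {r.risk_id: (level_of_risk(r), rate(r)) for r in prioritize(register)}
```

Treating R1 by adding controls that lower its likelihood drops it from unacceptable to tolerable, while transferring R2 makes the original row acceptable but adds a new tolerable row for the counterparty, which is why the register is re-evaluated after every treatment.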
5.6 MONITOR and REVIEW
• What may be of minor significance today may be the disaster of tomorrow.
• Review is an integral part of the risk management process.
Positive and Valuable Attributes of ISO 31000
• A pronounced emphasis on continuous improvement in risk management through the
setting of organizational performance goals, measurement, review and the
subsequent modification of processes, systems, resources and capability/skills.
• Comprehensive, fully defined and fully accepted accountability for risks, controls and
treatment tasks. Named individuals fully accept, are appropriately skilled and have
adequate resources to check controls, monitor risks, improve controls and
communicate effectively about risks and their management to interested parties.
• All decision making within the organization, whatever the level of importance and
significance, involves the explicit consideration of risks and the application of the risk
management process to some appropriate degree.
• Continual communications and highly visible, comprehensive and frequent reporting
of risk management performance to all “interested parties” as part of a governance
process.
• Risk management is always viewed as a core organizational process where risks are
considered in terms of sources of uncertainty that can be treated to maximize the
chance of gain while minimizing the chance of loss. Critically, effective risk
management is regarded by senior managers as essential for the achievement of the
organization’s objectives. The organization’s governance structure and process are
founded on the risk management process.
Benefits of ISO 31000
• Organizations need not re-invent the wheel
• Allows all to benefit from proven best practice
• Provides a universal benchmark
• Reduces barriers to trade
• Advises exactly what you need to do and how you need to do it – no wasted effort
and no false starts
• Scalable and works for all sizes of organization
• Allows the organization to make optimal decisions in the face of uncertainty

The Greatest Risk of All Is to Take No Risk At All!

