What is ISO 31000?

When faced with a risk, you must assess the probability of a bad outcome in addition to its impact.

Introduction

One way to define risk management is the process of identifying risks, analyzing them and then responding to them proactively.

Risk management can include prevention, mitigation of the possible effects and risk acceptance. ISO 31000 is the ISO standard for enterprise risk management, including procedures to systematically assess risks, determine their odds and decide what to do about each risk.

Overview of ISO 31000

ISO 31000 defines the risk management process as the systematic application of management policies, procedures and practices to the tasks of communicating, establishing the context, monitoring and reviewing the risk. The risk management policy should result in risk identification, risk assessment and risk analysis.

Risk identification is the identification of risks that could affect an organization, such as fire or late part deliveries impacting a schedule. What assets do you need to protect, and what are the threats against them? What are your existing controls to protect them, such as keeping valuable tools in a locked tool crib at night? What are your vulnerabilities, be they physical security or a poorly performing supply chain? What are the consequences of the risk, whether it is a delayed schedule or a plant shutdown? Identified risks are listed in a risk register.

Risk analysis involves reviewing the risk register and deciding the appropriate response, such as making minor changes to current plans or taking drastic steps to mitigate it. Do you pay an expedite fee to accelerate delivery of parts, install sprinklers to reduce the risk of fire or increase your company's insurance coverage so that the losses from a disaster do not wipe out the business financially? Risk aversion is the process of averting a risk: you either mitigate it, avoid it, transfer it or accept it.

Risks should be monitored for their potential damage and changing probability. As the project progresses and schedule milestones are completed, some risks can drop off the risk register because they did not come to pass. New risks may emerge, such as a minor schedule slippage in a critical path activity or a newly discovered flaw in a design.

Risk evaluation is the comparison of the risk analysis against the risk criteria. This creates a risk matrix. The enterprise must then decide whether the risk is acceptable and accepted (risk acceptance), tolerated or averted. Accepting the risk may include communicating it to the customer or deciding that the impact is minimal and any losses for bad parts can be paid out of the project's cash flow.

Risk treatment is the process of developing, selecting and implementing measures to modify risk. These measures include accepting the risk, mitigating it, controlling the risk, risk sharing and risk avoidance. You can also transfer the risk to other parties. Will you build in penalties with suppliers who fail to meet your schedule? Will you move your data to the cloud for backup, shifting the obligation to protect it and keep it available to the outsourced IT group?

Risk likelihood is the odds of a risk occurring. The magnitude of a risk is the severity or size of its impact. Risks that are both likely and costly must be mitigated or eliminated. Those that are unlikely but severe should be mitigated or managed. Risks with a low magnitude may be tolerated or accepted.
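The register, matrix and treatment rules described above can be made concrete in a few dozen lines. The following is an added illustration, not code from the article or from the ISO 31000 standard: it keeps a risk register, places each open risk in a likelihood x magnitude matrix, applies the three treatment rules as risk criteria, and retires risks whose milestone has passed. The 1 to 5 scales, the thresholds `LIKELY_FROM` and `SEVERE_FROM`, and the sample entries are constructed assumptions.

```python
"""Toy ISO 31000-style risk register with a likelihood x magnitude risk matrix.

Added illustration, not code from the article or from ISO. The 1..5 scales,
the criteria thresholds and the sample risks are constructed for the example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Treatment(Enum):
    ELIMINATE = "mitigate or eliminate"   # likely and costly
    MANAGE = "mitigate or manage"         # unlikely but severe
    ACCEPT = "tolerate or accept"         # low magnitude


@dataclass
class Risk:
    name: str
    asset: str                          # what needs protecting
    threat: str                         # what could harm it
    likelihood: int                     # 1 (rare) .. 5 (almost certain), assumed scale
    magnitude: int                      # 1 (negligible) .. 5 (severe), assumed scale
    controls: list = field(default_factory=list)  # existing controls
    retire_after: Optional[str] = None  # milestone after which the risk cannot occur
    status: str = "open"

    def score(self) -> int:
        """Likelihood x magnitude: the cell this risk occupies in the matrix."""
        return self.likelihood * self.magnitude


# Risk criteria: assumed thresholds on the 1..5 scales.
LIKELY_FROM = 3    # likelihood >= 3 counts as "likely"
SEVERE_FROM = 3    # magnitude >= 3 counts as "severe" / "costly"


def evaluate(risk: Risk) -> Treatment:
    """Risk evaluation: compare the analysed risk against the criteria."""
    likely = risk.likelihood >= LIKELY_FROM
    severe = risk.magnitude >= SEVERE_FROM
    if likely and severe:
        return Treatment.ELIMINATE
    if severe:               # unlikely but severe
        return Treatment.MANAGE
    return Treatment.ACCEPT  # low magnitude, whatever the odds


class RiskRegister:
    def __init__(self) -> None:
        self.risks: list[Risk] = []

    def identify(self, risk: Risk) -> None:
        """Risk identification: add an entry to the register."""
        self.risks.append(risk)

    def open_risks(self) -> list[Risk]:
        return [r for r in self.risks if r.status == "open"]

    def analyse(self) -> dict[str, tuple[int, Treatment]]:
        """Risk analysis plus evaluation for every open risk."""
        return {r.name: (r.score(), evaluate(r)) for r in self.open_risks()}

    def matrix(self) -> dict[tuple[int, int], list[str]]:
        """Risk matrix: open risks keyed by their (likelihood, magnitude) cell."""
        grid: dict[tuple[int, int], list[str]] = {}
        for r in self.open_risks():
            grid.setdefault((r.likelihood, r.magnitude), []).append(r.name)
        return grid

    def monitor(self, completed_milestones: set[str]) -> list[str]:
        """Monitoring and review: close risks whose window has passed."""
        retired = []
        for r in self.open_risks():
            if r.retire_after in completed_milestones:
                r.status = "closed"
                retired.append(r.name)
        return retired

    def reassess(self, name: str, likelihood: Optional[int] = None,
                 magnitude: Optional[int] = None) -> Treatment:
        """Update the odds or impact of a known risk and re-evaluate it."""
        risk = next(r for r in self.risks if r.name == name)
        if likelihood is not None:
            risk.likelihood = likelihood
        if magnitude is not None:
            risk.magnitude = magnitude
        return evaluate(risk)


def build_sample_register() -> RiskRegister:
    """Constructed sample entries echoing the article's own examples."""
    reg = RiskRegister()
    reg.identify(Risk("plant fire", "workshop", "fire", likelihood=1, magnitude=5,
                      controls=["sprinklers", "insurance"]))
    reg.identify(Risk("late part delivery", "schedule", "supplier slips",
                      likelihood=4, magnitude=4, retire_after="parts received"))
    reg.identify(Risk("bad parts batch", "cash flow", "scrap and rework",
                      likelihood=2, magnitude=1))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for name, (score, treatment) in reg.analyse().items():
        print(f"{name:20s} score={score:2d} -> {treatment.value}")
    print("retired after milestone:", reg.monitor({"parts received"}))
```

The matrix cell (likelihood, magnitude) is what a review meeting would colour in; `evaluate` is where the enterprise's own risk criteria live, so changing the thresholds is a policy decision rather than a code change elsewhere.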

Related Standards and Risk Assessment Methodologies

COSO Enterprise Risk Management, or COSO ERM, is a competing American risk management standard to ISO 31000. Britain has British Standard BS 31100. Australia replaced its standard AS 4360 with ISO 31000.

ISO 27001, an information security standard, discusses the need for an information security management system or ISMS. An ISMS can include a risk assessment and risk management plan for IT networks, such as data leak prevention against internal data theft or anti-virus software and firewalls against external threats. ISO 14971 is the ISO standard for the application of risk management to medical devices.

Comments

pringoooals 4 years ago from Edinburgh

This was very interesting to read. It's well explained and pictured. I always thought that ISO is about standards required rather than risk management. Thank you for sharing!
