(This is Part 1 of a two-part series on examining how to ensure that your risk management programs are in compliance...
with the ISO 31000 risk management standard.)
If your organization has a risk management function, you are aware of ISO 31000, Risk Management -- Principles and Guidelines on Implementation, a standard released by the International Organization for Standardization (ISO) in 2009. But the question is: Are you sure your risk management initiatives adhere to this standard?
A helpful exercise is to take a closer look at the nature of its key components, and then offer some suggestions on how to blend them into your existing programs. If you don’t have a risk management program, this examination can offer guidance.
Briefly, ISO 31000 comprises three basic elements: risk management principles, risk management process and a risk management framework. ISO 31000 states that risk management:
- Creates and protects value.
- Is an integral part of all organizational processes.
- Is part of decision making.
- Explicitly addresses uncertainty.
- Is systematic, structured and timely.
- Is based on the best available information.
- Is tailored.
- Takes human and cultural factors into account.
- Is transparent and inclusive.
- Is dynamic, iterative and responsible to change.
- Facilitates continual improvement of the organization.
The risk management framework serves as the basis for the development of risk management processes -- that's simple enough.This framework creates an environment to facilitate the development and implementation of risk management processes within an organization. Let's take a closer look at each framework element.
Mandate and commitment. The success of any risk management effort requires senior management support and approved funding. If you have risk management initiatives, make sure senior management is fully supportive of your efforts. If you plan to develop a program, prepare a proposal to senior management that shows how identifying, mitigating or eliminating risks can ensure the organization’s continued operations.
Design a framework for managing risk. Before designing the framework, make sure you fully understand your organization: how it works, its critical activities, the internal and external risks and threats, and its vulnerabilities. It’s good to have a policy that clearly states what the risk management function is and defines its scope and value to the organization.
The success of any risk management effort requires senior management support and approved funding. If you have risk management initiatives, make sure senior management is fully supportive.
It is critical to define how risk management initiatives tie into existing organizational programs. Since it may be difficult to get an IT staff to change how it operates, it’s essential that senior management's support is part of the process. Resources needed to implement a risk management program can range from locating experienced staff to training programs. Finally, creation of internal and external reporting mechanisms is essential to ensure that the program’s results are known to everyone associated with a risk management initiative.
Impelement risk management. In the case of an existing risk management program, the ISO 31000 risk management standard is as fundamental as benchmarking the program against the standard’s provisions. Identification of variances can be translated into opportunities for improvement. For new risk management programs, consider ISO 31000 as an essential development tool.
Monitor and review the framework. Well-managed organizations have processes to examine how well the organization is running -- or not running. These can range from routine operating-unit status reports to internal or external audits. The message here is that risk management, like any other business function, must be regularly monitored and reviewed.
Continual improvement of the framework. The notion that business processes are static is no longer relevant. Continuous improvement is an admission that virtually everything an organization does can be improved, and so should be reviewed regularly to identify those opportunities. This is no different with risk management.
Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter. Write to him at firstname.lastname@example.org.