(This is the conclusion of a two-part series on examining how to ensure that your risk management programs are in compliance with the ISO 31000 standard. Part one
Almost any business activity involves risk. Acceptance of risk in concert with a structured risk management approach suggests that shrewd business leaders want to focus on a risk-based way to approach things. This doesn’t mean avoiding risk -- it means using a process that helps identify and minimize risk, while allowing the firm to focus on its core competencies. This is where compliance plays an important role.
While the ISO 31000 standard is only a year old, it’s already accepted as one of the primary strategies for risk management. Other notable risk management standards, such as the National Institute of Standards and Technology’s SP 800-30, should also be considered when developing a risk management program.
Leveraging ISO 31000 in your organization
Many factors make up a risk-based enterprise. Identification and recognition of risks and vulnerabilities are important. Assuming you are either reviewing your risk management program or starting a new one, the following steps can make the transition easier:
• Understand your business: Make sure you know what you want to achieve by understanding your risks, threats and vulnerabilities. As part of that effort, make sure that minimizing interruptions to activities that generate sales, provide better customer service and reduce delivery times to customers are on that list.
• Understand your culture: Knowing your organization, its culture and value set are essential building blocks in creating a successful risk management initiative. Your culture typically means support for generally accepted behaviors, such as honesty, integrity and high ethical standards.
• Energize your leadership: Organizations that embrace risk management principles and policies obtain their energy, attitude and approach from the top. Executives who don't have a firm grasp on risk management processes could see that lack of discipline filter down to key business units.
• Assess and benchmark risk management: How does your firm know it’s keenly focused on identifying and managing risk? Organizations must actively develop risk management programs that examine risks at all levels of the business. In doing this and by leveraging established benchmarks like ISO 31000, organizations can proactively assess their overall risk readiness.
Organizations embracing risk management principles get their energy and attitude from the top. Executives who don't could see that lack of discipline filter down to key business units.
• Identify enabling standards: Support for risk management standards like ISO 31000 and NIST SP 800-30 demonstrate a commitment to building a risk-focused organization. Investing time and resources to stay current with risk management developments as well as improving compliance programs not only helps companies mitigate potential risks, but also uncovers opportunities for performance improvement and brand enhancement.
ISO 3100 is not envisioned by the ISO as a tool for risk management accreditation, which differs from its other well-known standards, such as ISO 9000 and ISO 14000. The ISO hopes this particular strategy gives risk management professionals the flexibility to implement the guidelines in ways that best suit the needs and objectives of their organizations.
Paul F. Kirvan, FBCI, CBCP, CISSP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter. Write to him at firstname.lastname@example.org.
This was first published in November 2010