ISO 31000 19011 Legal Risk Management Guidelines

ISO 31000, an international standard published in 2009, provides principles and guidelines for effective risk management. It is a framework for guiding risk management rather than a prescriptive method, and it can be applied to every area of risk (financial risk as well as security and project risk). It gives a consistent vocabulary and set of concepts for discussing risk management, and its principles and guidelines can be used to assess your organization's own risk management program. It does not prescribe how to handle any specific risk.
Compared with older risk management standards, ISO 31000 is more innovative in several respects:
ISO 31000 defines risk as uncertainty that affects the likelihood of an organization achieving its objectives. The new definition stresses the importance of setting objectives prior to attempting to manage risk and emphasizes the significance of uncertainty.
ISO 31000 introduces a controversial concept known as risk appetite. It is the risk level that an organization takes on in return to the expected value.
ISO 31000 defines a risk management framework that includes different organizational procedures and roles in the management of risk
ISO 31000 outlines a management approach in which risk management is an integral component of strategic decision-making and of managing the effects of uncertainty.

The ISO 31000 standard
The ISO 31000 risk management process consists of the following activities.
Risk identification: recognizing what could prevent us from reaching our objectives.
Risk analysis: understanding the causes and sources of each identified risk, and examining its likelihood and consequences, taking existing controls into account, to determine the risk that remains (the residual risk).
Risk evaluation: comparing the results of risk analysis against the risk criteria to decide whether the residual risk can be tolerated.
Risk treatment: modifying the likelihood and severity of both negative and positive effects in order to maximize the net benefit.

Establishing the context: this activity was not covered in earlier descriptions of risk management. It consists of defining and documenting the organization's objectives and the criteria against which risk will be evaluated. The context covers both external elements (regulatory environment, markets, stakeholder expectations) and internal elements (the organization's governance and culture, standards, rules, capabilities, information systems, expectations, and so on).

Monitoring and review: this activity tracks the performance of risk management against its indicators, which are periodically examined to make sure they remain adequate. It involves checking the risk management plan for deviations, and then assessing whether the policy, framework and plan are still appropriate in light of the internal and external context.

Communication and consultation: this activity helps in understanding the concerns of stakeholders and ensures that the risk management process is focused on the right aspects. The standard also sets out a number of principles that risk management should satisfy:

Risk management creates and protects value.
Risk management is based on the best available information.
Risk management is an integral part of organizational processes.
Risk management is tailored to the organization.
Risk management is part of decision-making.
Risk management takes human and cultural factors into account.
Risk management explicitly addresses uncertainty.
Risk management is transparent and inclusive.
Risk management is systematic, structured and timely.
Risk management is dynamic, iterative and responsive to change.
Risk management facilitates continual improvement of the organization.
