ISO 31000:2018, Risk management – Guidelines, provides principles, a framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector.
ISO 31000:2018 provides a common approach to managing any type of risk and is not industry or sector specific.
The main changes to ISO 31000:2018 include:
- Review of the principles of risk management, which are the key criteria for its success
- Focus on leadership by top management who should ensure that risk management is integrated into all organizational activities, starting with the governance of the organization
- Greater emphasis on the iterative nature of risk management, drawing on new experiences, knowledge and analysis for the revision of process elements, actions and controls at each stage of the process
- Streamlining of the content with greater focus on sustaining an open systems model that regularly exchanges feedback with its external environment to fit multiple needs and contexts
The revised version of ISO 31000 focuses on the integration with the organization and the role of leaders and their responsibility. Risk practitioners are often at the margins of organizational management and this emphasis will help them demonstrate that risk management is an integral part of business.
ISO 31000 provides a risk management framework that supports all activities, including decision making across all levels of the organization. The ISO 31000 framework and its processes should be integrated with management systems to ensure consistency and the effectiveness of management control across all areas of the organization.” This would include strategy and planning, organizational resilience, IT, corporate governance, HR, compliance, quality, health and safety, business continuity, crisis management and security.
Principles of risk management:
- Framework and processes should be customised and proportionate.
- Appropriate and timely involvement of stakeholders is necessary.
- Structured and comprehensive approach is required.
- Risk management is an integral part of all organizational activities.
- Risk management anticipates, detects, acknowledges and responds to changes.
- Risk management explicitly considers any limitations of available information.
- Human and cultural factors influence all aspects of risk management.
- Risk management is continually improved through learning and experience.
Structure of ISO 31000:2018
- Executive summary
- Nature of management systems
- Changing risk context for organisations
- Structure and approach of ISO 31000
- Guidance provided by ISO 31000 – principles
- Guidance provided by ISO 31000 – framework
- Guidance provided by ISO 31000 – process
- Comparison of ISO 31000 against Annex SL
- Relevance of ISO 31000 for risk professionals