Three Steps Starting Effective and Efficient Risk Management according to ISO 31000

Author: Dr. Frank Herdmann

In a thin book of 70 pages, the author explains ISO 31000 in both English and German. Yet another handbook, you will say. Yes, but this time it is about the 2018 version, and this booklet places some emphasis on small and medium-sized organizations. In the end, it should not be forgotten that implementing an ISO standard such as ISO 31000 is a relatively much greater effort for a small or medium-sized organization than for a large organization that can set up a FTU (Full Time Unit) or a whole team. That is why some simplifications are necessary, without however touching the core message of the standard. With this, the approach suddenly also becomes a Quick Start for the bigger ones. The Quick Start is realized in three steps that the company must take:

“Establishing the Framework”

“Establishing the Process”

“Implementing and Executing the Risk Management Loop”

But why do we have to do this? The aim of risk management according to this new standard is value creation and value protection. You read that correctly. Risk management can be regarded as added value and not as a cost. It also pays off as a protection factor, among other things by avoiding or minimizing costs. That added value can be enormous, also because of the obligations and liabilities of management for negligence of the organization, for example by supporting good, correct governance.

The booklet starts with a fairly extensive introduction, starting with the ISO 31000 version 2009 and the success that came with it.

The aim of the book is not to give a detailed description of the implementation of ISO 31000 as it has to be elaborated by large organizations (with its three pillars: framework, principles and process).

The principles, in fact, are the success factors or success criteria of risk management and serve the ultimate goal: creating and protecting value.

According to the author, the two most important principles are “Integrated” and “Customized”.

The intention is to make the first acquaintance with ISO 31000 more accessible for small and medium-sized organizations. There is therefore no extensive or detailed advice. A number of issues still need to be elaborated before one can speak of full risk management, but often the knowledge, skills and resources for this are already present in the organization. This makes the project bearable for a small organization. For them, this manual is therefore already a first step towards a tailor-made approach.

Let us look at these three steps.

Setting up the Framework: This piece is perhaps the part of the standard that is most open to customization.

After all, the framework must be tailored to the organization; that goes without saying. The author emphasizes two pillars of this, namely leadership (effectiveness requires a strong and persistent commitment at all levels of management, by means of a policy document or similar that makes clear what the objectives of the organization are, as well as its commitment) and organizational culture. The so-called ETTO principle is important here. ETTO stands for “Effectivity – Thoroughness Trade Off”. There must be a balance between running the business effectively and how thoroughly risk management is thought through. If there is too much “thinking through” along the lines of the risk management map, this is detrimental to the effectiveness of the business. If, however, the business leans too heavily towards effective and efficient action, for example by exaggerating with “lean”, this can harm risk handling and prevention, for example by eliminating any form of redundancy. Trade Off means that a golden mean must be found. Risk management must therefore be brought within the boundaries of the ETTO principle in the organization, in all its processes and at all levels, in a supported manner. So it must be tailored to the organizational needs and culture.

Furthermore, the author argues that risk management can also be mapped onto all organizational activities, like a plug-in dongle.

Setting up the Risk Process: The risk management process must be an integral part of all structures and activities, i.e. of the organization chart, the operations, the business model and the processes. The framework must therefore, in principle, be reviewed with each change to a business process. The core of the risk management process, however, is risk assessment and the implementation of measures: risk identification, risk analysis, risk evaluation and risk treatment. This happens in an iterative process. In fact, it consists of two processes: the PDCA cycle for adapting the risk management process on the one hand, and the operational risk management that must take place in all organizational processes and projects on the other.

This risk assessment is further discussed in detail, in terms of possible techniques, in ISO 31010:2009. The decisions that can then be made can be summarized as:

Avoid the risk
Take or increase the risk
Remove the risk source
Change the probability
Change the consequences
Share the risk with one or more other parties
Retain the risk by informed decision

Parallel to these cycles, reporting takes place, where too many details can cause confusion or a false sense of security. Here, therefore, “less is more” applies.

Implementing and Executing the Risk Management Loop: For several reasons it is best to use the risk management loop during the design and implementation of the (core) processes of an organization: lower costs, less effort, and synergy between the processes and the risk loop. Ideally these processes have already been brought together in a manual of the organization. The risk loop is best integrated into the processes at the start of the process, using available information or estimates. It is best repeated when new information is added, when new estimates are made, or when the process changes. The risk owner for the process, or for this part of the process, is best determined before executing the first steps of the business process, or whenever an uncertainty influences or can influence the process and its outcomes and objectives.

A first level of maturity, reached by introducing the risk management loop using checklists, will already be a gigantic first step towards effective and efficient risk management. An equally large step is possible by moving from risk management as a silo activity that simply registers risks on a regular basis to proactive and integrated risk management according to ISO 31000:2018.

Internal Audit must also be integrated with, or in other words aligned with, risk management, and that in all areas: all activities and all processes. This also affects the planning of projects, processes and operations. Internal Audit monitors the execution of the risk management loop within the business processes and activities. Conversely, the results of risk management can influence the planning of Internal Audit.

A risk register is a commonly used method for monitoring, revising, registering and reporting risks.

Continuous Improvement

Applying the PDCA cycle, also known as the Deming cycle, will improve and refine the risk management loop over time. As a result, it will eventually reach a higher level of maturity. Risk management, like all skills, requires training, experience, knowledge and expertise, and is also open to continuous improvement, precisely because of the PDCA cycle. Skills will improve systematically by using more complex but better-suited assessment techniques from ISO 31010:2009. (Compare the 10,000 hours rule in Malcolm Gladwell, Outliers: The Story of Success, New York 2008.)


Manu Steens

Manu works at the Flemish Government in risk management and Business Continuity Management. On this website, he shares his own opinions regarding these and related fields.
