Risk Management (RM)
A major enhancement to ISO 31000 is the addition of eleven explicit principles to guide Risk Management. These principles are effectively the “essential qualities” needed for RM to be effective. Although they are not “new” per se, as many organisations already recognise these principles, their formal recognition in the Standard is welcomed.
The principles of risk management are:
1) RM creates and protects value:
One of the greatest challenges for risk managers is to demonstrate that RM adds value. This principle recognises that RM helps the organisation achieve its objectives. Once an organisation has set goals and established policy and processes, applying RM thinking helps to maximise the opportunities and minimise downside risks. The introduction lists 18 benefits of managing risk, which include increasing the likelihood of achieving objectives, improving stakeholder confidence, minimising losses, improving operational effectiveness and efficiency, and establishing a reliable basis for decision making and planning.
2) RM is an integral part of organisational processes:
Risk management activities should not be separate from the main activities and processes of the organisation. RM activities should be incorporated into business processes and management controls at all levels, and should be part of management’s responsibilities.
3) RM is part of decision making:
Every time a manager makes a decision, there is exposure to risk. This principle recognises that good risk management helps managers make better decisions to minimise risk and optimise every opportunity.
4) RM explicitly addresses uncertainty:
Uncertainty is inherent in every business, and by identifying and analysing a range of risks, risk owners are better able to implement controls and treatments to mitigate the likelihood and consequence of uncertainty and establish a more resilient organisation.
5) RM is systematic, structured and timely:
Like other management systems, risk management should be planned and controlled to ensure efficiency. The standard itself promotes a structured and systematic risk management process and RM framework to achieve a consistent and reliable result.
6) RM is based on the best available information:
Closely linked to the principle of addressing uncertainty, this principle reads a little like a disclaimer. It recognises the fact that information is often limited, costly and imperfect. However, good risk management will consider information from many sources including observation, experience, forecasts and experts.
7) RM is tailored:
While organisations in an industry have similar risks and opportunities, this principle recognises that every organisation is unique. Risk management is not prescriptive; it must be appropriate to the organisation and should consider the organisation’s stakeholders, context and risk profile.
8) RM takes human and cultural factors into account:
This principle is closely linked to the principle that risk management is tailored: the organisation’s risk management framework should consider cultural elements and both internal and external people, particularly their skills, capabilities, perceptions and intentions. This principle is effectively about addressing the “what’s in it for me?” question for stakeholders and risk owners and ensuring risk management activities are appropriate.
9) RM is transparent and inclusive:
Internal and external stakeholders can have a major impact on the organisation. This principle recognises the need to include stakeholders throughout the risk management process including when establishing context and determining risk criteria.
10) RM is dynamic, iterative and responsive to change:
In an ever-changing world, an organisation will need to respond to changes to the internal and external environment. Amending business strategy, management plans, financial plans and organisational structures are essential. Similarly, an organisation’s RM framework and processes need to respond to these changes.
11) RM facilitates continual improvement and enhancement of the organisation:
This principle builds on the last principle that RM is dynamic and iterative. It encourages organisations to be flexible and continually improve their risk management maturity framework along with other elements of their organisation to build resilience and the capacity to maximise opportunities.