Every organization that is determined to get serious about risk management should know about ISO 31000. This set of risk management guidelines from the International Standards Organization sets out a smart, easy-to-implement framework that organizations of all types can use to help them in anticipating and mitigating the risks confronting them in today’s volatile world.
In the past, only the largest companies concerned themselves with enterprise risk management.
These days, organizations of all sizes are recognizing the need to implement a formal risk management program. Some are arriving at this point on their own, others are being asked to set up risk management programs by their clients.
The decision to get serious about risk management is a no-brainer. The threat landscape today is uniquely challenging, with threat piling on threat in a way we have rarely seen.
I only have to mention the pandemic, the supply chain crunch, the worker shortage, inflation, and the Ukraine situation (a client of ours just lost a critical software development supplier located there) for you to know exactly what I’m talking about.
In this environment, it’s no surprise that more and more companies are setting up risk management programs.
That’s the good news. The bad news is, many organizations that have implemented risk management have done so in a check-the-box manner.
At one company I know of, the risk management effort is limited to someone sending around a questionnaire asking the departments what their top threats and mitigations are, then putting the responses in a drawer.
Such a program is more noteworthy for what it lacks than what it has.
What programs like this lack is an oversight group, wide-ranging discussion, synthesis of the questionnaire results, numerical scoring of risks, identification of the organization’s five or six top risks, formal adoption of strategies to mitigate those risks, production of an enterprise risk report, and follow-up.
Regular readers of the blog will know I am not a big fan of the ISO’s business continuity standard, ISO 22301. I think it is too vague to be very useful, in contrast with other BC standards such as NFPA 1600. (ISO recently created a supplemental BC standard, ISO 22332.)
However, the ISO’s risk management guidelines—ISO 31000—are excellent. They set forth a sound, easy-to-implement framework that organizations of all types and sizes can leverage to help them anticipate and mitigate risk.
To go to the source for ISO 31000, click here (the link is to the ISO’s page for the guidelines). To see why I think ISO 31000 is so good, read on.
Below are seven of the key components of ISO 31000—and seven aspects of the guidelines that, in my view, are especially valuable. (BCM professionals will see a lot of overlap between sound risk management concepts and the best BCM practices.)
Collectively, these seven concepts show great insight into what it takes for an organization to practice risk management effectively. They’re a key component of what makes ISO 31000 valuable to any company that is determined to get better at identifying and mitigating the threats in its environment.
In the past, formal risk management programs existed only at large organizations. Now companies of all sizes are recognizing the importance of assessing and mitigating the risks they face—a fortunate development considering the unique challenges of the current environment.
Organizations that are committed to doing risk management right should get to know ISO 31000, the standards organization’s risk management guidelines. These guidelines have a sound conceptual basis and feature an easy-to-implement framework suitable for organizations of all sizes and types.