ISO 31000:2009 - Using Structure to Address Uncertainty

Mark Warner
Our clients operate in an uncertain world and the objectives of the projects that we assist them to deliver are influenced by these uncertainties.

This effect of uncertainty on objectives is the globally accepted definition of risk, as defined by ISO 31000:2009 Risk Management – Principles and Guidelines. Today, and perhaps tomorrow, these uncertainties range from changes in political will, pan-global economics and environmental pressures through to potential constitutional change.

It is against this backdrop of uncertainty that the standard ISO 31000:2009 has been produced. This standard provides guidance and advice on managing risk in line with our client’s attitude to risk in an effective and efficient manner to help maximise the likelihood of successfully achieving their objectives. This standard has been adopted by over 40 countries worldwide and translated into 30 languages. The ISO Technical Management Board Working Group on risk management intend that the standard should be used to harmonise risk management processes in existing and future standards.

Where our clients wish to utilise the guidelines within the standard to assist in managing risk, our team of certified ISO31000 risk managers is well placed to provide leadership and organisation to the deployment of a risk management framework within an organisation or project environment. We recognise that adopting the principles that the standard recommends for risk management to be effective is a vital first step in the adoption of this framework. These principles form an integral part of the client's organisational decision making process, which should be based on the best available information to address uncertainty.

By adopting these principles we can formulate a framework that is appropriate for both the internal and external environment within which the client’s objectives are to be delivered. ISO31000 advises that this framework should articulate the client's risk management policy, establish organisational accountability and responsibility, allocate the resources required and establish the communication and reporting mechanisms to be adopted.

The processes and procedures established through the framework can then be systematically applied to the risk management process and captured within the risk management plan that we formulate to comply with our client’s governance requirements.

Our risk managers utilise the guidance in ISO31000 and its accompanying standard, ISO31010 (Risk Assessment Techniques), to deploy tools and techniques for risk identification, analysis and evaluation that are appropriate to the context within which our clients operate. The identification techniques that we utilise range from facilitated workshop events through to targeted interviews aimed at capturing a true picture of the risks faced by our client. Our analysis approach is tailored to meet our clients' attitude to risk and includes detailed quantitative analysis as well as qualitative analysis. The final element of the assessment stage is to evaluate the level of risk calculated during the analysis against the assessment criteria formulated to be consistent with the client's risk management policy.

Evaluation of the level of risk, when compared against the risk criteria, assists in the decision making process when considering which risks to treat through the use of risk control measures and which risks to tolerate. ISO31000 advises that the monitoring and review of risk control measures are important in maintaining the suitability, adequacy and effectiveness of those control measures.

We recommend to clients that the monitoring and review cycle is also applied to the risk management framework to help ensure it continues to be relevant and compliant with the risk management policy.

In this world of uncertainty, our team of certified ISO31000 risk managers are equipped to support clients in the management of risk using the guidelines provided by ISO31000 and the assessment techniques described in ISO31010. Key to this approach is the adoption of a risk management methodology that forms an integral part of the organisational decision making process and is based on the best available information to address uncertainty.