Demystifying ISO 31000 & ERM
Picture courtesy of Corbis.com


We are all faced with risks – in our daily lives pre-Covid, during Covid and certainly post-Covid (if such a time comes). Risk management has been with us for as long as we can remember. Over time, it has developed into a specialised field that requires a structured approach to identifying and ‘treating’ risk to a level that we are comfortable with.

Risk is the effect of uncertainty on objectives, which can be either negative or positive. Our modern-day world is very different from the world of yesteryear. Today’s businesses face a host of internal and external factors that influence whether an organisation will achieve its objectives. Simply being aware of these risks is not enough in today’s day and age. Organisations need to do more to stay ahead of the risks they identify and those that newly arise; it is an ongoing challenge.

What is risk management really?

Risk management is simply a set of coordinated activities to direct and control an organisation with regard to risk. Risk management can be applied to an entire organisation at any time and at any level, whether it is a function, project, activity or a simple task.

ERM or Enterprise Risk Management is a holistic, disciplined approach to identifying, addressing, and managing an organization’s risks. ERM looks at risk management strategically and from an enterprise-wide perspective. ERM moves away from the silo-approach to risk management as it adopts a holistic approach to risk management for the entire organisation with a central head (‘top-down’).

Managing risk is not a once-off event; it is iterative and assists organisations in many ways, including setting strategy, achieving objectives and making informed decisions. Adopting a ‘top-down’ approach ensures that the managing of risk forms part of governance and the leadership function of the organisation and becomes a fundamental part of how the organisation is managed (internally and externally).

The international standard ISO 31000 has proved its worth in the market (since 2009) with its guidance on how to design, implement and maintain risk management in organisations. Through a structured approach this ISO standard has enabled a systematic and logical process to be adopted, thereby allowing organisations to manage risk by identifying it, analysing it and then evaluating whether the risk should be modified to meet the organisation’s risk criteria/appetite. In 2018, this standard was updated to allow for better application and easier adoption (the second edition, 2018, cancels and replaces the first edition, ISO 31000:2009, which has been technically revised).

According to the ISO, the main changes are (2009 to 2018):

  • Review of the principles of risk management, which are the key criteria for its success
  • Focus on leadership by top management who should ensure that risk management is integrated into all organizational activities, starting with the governance of the organization
  • Greater emphasis on the iterative nature of risk management, drawing on new experiences, knowledge and analysis for the revision of process elements, actions and controls at each stage of the process
  • Streamlining of the content with a greater focus on sustaining an open systems model that regularly exchanges feedback with its external environment to fit multiple needs and contexts

“The revised version of ISO 31000 focuses on the integration with the organization and the role of leaders and their responsibility. Risk practitioners are often at the margins of organizational management and this emphasis will help them demonstrate that risk management is an integral part of business.”

These changes led to a revision of the ISO 31000 model as well (image below).


The ISO31000 standard is not for any specific industry/sector, meaning it can be applied to any organisation whether private, public, non-profit, group or individual. This allows for flexibility as it allows for the application of the standard throughout the life of the organisation and across a wide array of activities whether they be processes, operations, projects, activities, functions, tasks even physical assets.

“Risk is now defined as the “effect of uncertainty on objectives”, which focuses on the effect of incomplete knowledge of events or circumstances on an organization’s decision making. This requires a change in the traditional understanding of risk, forcing organizations to tailor risk management to their needs and objectives – a key benefit of the standard.”

How is ISO31000 Structured?

It is important to understand the workings and structure of this Risk Management Standard, as this will facilitate better use/application of it. The ISO 31000 framework and its processes should be integrated with management systems to ensure consistency and the effectiveness of management control across all areas of the organization. This aligns with the ERM philosophy of moving away from the ‘silo-approach’ and having a ‘top-down’ approach with executive buy-in to ensure success from the very beginning. ISO 31000 has 3 main or key components (see diagram below):

  • Risk Management Principles (section/clause 4)
  • Risk Management Framework (section/clause 5)
  • Risk Management Process (section/clause 6)

Risk Management Principles

The creation and protection of value is a key principle of risk management. This leads to performance improvements, enhances innovation and drives the achievement of organisational objectives. The principles are the foundation for managing risk.

Effective risk management requires the elements of the Risk Management Principles to be present in order to achieve the creation and protection of value. The key Risk Management Principles are -

  • Integrated - Risk management is an integral part of all organizational activities.
  • Structured and comprehensive - A structured and comprehensive approach to risk management contributes to consistent and comparable results.
  • Customised - The risk management framework and process are customized and proportionate to the organization’s external and internal context related to its objectives.
  • Inclusive - Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered. This results in improved awareness and informed risk management.
  • Dynamic - Risks can emerge, change or disappear as an organization’s external and internal context changes. Risk management anticipates, detects, acknowledges and responds to those changes and events in an appropriate and timely manner.
  • Best available information - The inputs to risk management are based on historical and current information, as well as on future expectations. Risk management explicitly takes into account any limitations and uncertainties associated with such information and expectations. Information should be timely, clear and available to relevant stakeholders.
  • Human and cultural factors - Human behaviour and culture significantly influence all aspects of risk management at each level and stage.
  • Continual improvement - Risk management is continually improved through learning and experience.

Risk Management Framework

Following a ‘top-down’ approach in risk management will ensure buy-in from the most senior levels within the organisation. This will facilitate better integration into the organisation’s governance and thereby allow the risk management framework to work more efficiently in assisting the organization in integrating risk management into significant activities and functions, including areas of decision making.

The key components of the Risk Management Framework are -

Leadership and commitment

  • Aligning risk management with the strategy, objectives and culture of the organization
  • Issuing a statement or policy that establishes a risk management approach, plan or course of action
  • Making necessary resources available for managing risks
  • Establishing the amount and type of risk that may or may not be taken

Integration

  • Determining management accountability and oversight roles and responsibilities
  • Ensuring risk management is part of, and not separate from, all aspects of the organisation

Design

  • Understanding the organization and its context
  • Articulating risk management commitment
  • Assigning organizational roles, authorities, responsibilities and accountabilities
  • Allocating resources
  • Establishing communication and consultation

Implementation

  • Developing an appropriate implementation plan including deadlines
  • Identifying where, when and how different types of decisions are made, and by whom
  • Modifying the applicable decision-making processes where necessary

Evaluation

  • Measuring framework performance against its purpose, implementation and behaviours
  • Determining whether it remains suitable to support achievement of objectives

Improvement

  • Continually monitoring and adapting the framework to address external and internal changes
  • Taking actions to continually improve the value of risk management
  • Improving the suitability, adequacy and effectiveness of the risk management framework

Risk Management Process

Implementing anything in life needs structure and a systematic approach. The Risk Management Process is a systematic application of policies, procedures and practices that involves identifying, monitoring, and managing potential risks and their negative impacts on the organisation. The RM Process is not a stand-alone function. It should be an integral part of management and decision-making and integrated into the structure, operations and processes of the organization. It can be applied at strategic, operational, programme or project levels.

The key components of the Risk Management Process are –

Communication and consultation

Scope, context and criteria

  • Defining the scope
  • External and internal context
  • Defining risk criteria

Risk assessment

  • Risk identification
  • Risk analysis
  • Risk evaluation

Risk treatment

  • Selection of risk treatment options
  • Preparing and implementing risk treatment plans

Monitoring and review

Recording and reporting


With the Covid-19 pandemic, the ever-rising cost of living, the rapid adoption of technology and the changes in working conditions and remote working, the world of risk management is ever changing and becoming more challenging. Risk management allows an organisation, regardless of its size and focus, to ensure that it knows and understands the risks it faces.

Through proactive and effective adoption of a risk management process using ISO 31000, organisations are able to follow a more structured approach to identifying, analysing, evaluating and treating risks.


References:

  • International Organization for Standardization (ISO) – ISO 31000
  • reciprocity.com
  • pecb.com


More articles by Mohsien Hassim
