The International Standard Family ISO 31000 describes principles and generic guidelines on risk management. Furthermore, it provides a universally recognised paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies and paradigms that differed between industries, subject matters and regions [https://en.wikipedia.org/wiki/ISO_31000]. The first editions of the documents ISO 31000 “Risk management – Guidelines”, IEC 31010 “Risk management – Risk assessment techniques” and ISO Guide 73 “Risk Management – Vocabulary” were published in 2009. Recently a second edition of ISO 31000 was published by the International Organisation for Standardization (ISO) [https://www.iso.org/iso-31000-risk-management.html]. ISO 31000 is applicable to all organizations, regardless of type, size, activities and location, and covers all types of risk. It was developed by a range of stakeholders and is intended for use by anyone who manages risks, not just professional risk managers.
The main changes highlighted in the document are as follows:
- review of the principles of risk management, which are the key criteria for its success;
- highlighting of the leadership by top management and the integration of risk management, starting with the governance of the organization;
- greater emphasis on the iterative nature of risk management, noting that new experiences, knowledge and analysis can lead to a revision of process elements, actions and controls at each stage of the process;
- streamlining of the content with greater focus on sustaining an open systems model to fit multiple needs and contexts.
Risk is defined in the standard as “effect of uncertainty on objectives”. It is noted that an effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats. Risk management is the “coordinated activities to direct and control an organization with regard to risk.” Its purpose is the creation and protection of value; it may improve performance, encourage innovation and support the achievement of objectives.
The ISO 21500:2012 “Guidance on project management” refers to the ISO 31000. All risk management related activities of project management build on the process of ISO 31000, which “involves the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk… The risk management process should be an integral part of management and decision making and integrated into the structure, operations and processes of the organization. It can be applied at strategic, operational, programme or project levels.” Therefore, project-related standards such as ISO 21500, ISO 21503, ISO 21504 and ISO 21505 refer to ISO 31000.
Several principles are highlighted in the second edition of ISO 31000, including but not limited to “Integrated” (integral part of all organizational activities), “Customized” (the framework and processes are customized to the needs and the context), “Inclusive” (appropriate and timely involvement of stakeholders) and “Human and cultural factors” (the standard acknowledges that human behaviour and culture significantly influence all aspects of risk management).
The integration of risk management may be organised through a risk management framework, which encompasses integrating, designing, implementing, evaluating and improving all risk-related activities across the organisation. The top management and governing bodies should ensure that risk management is fully integrated and demonstrate leadership and clear commitment. This includes customizing and implementing all components of the risk management framework; issuing a statement or policy that establishes a risk management approach, plan or course of action; ensuring that the necessary resources are allocated to managing risk, and assigning authority, responsibility and accountability at appropriate levels within the organisation.