ISO 31000 Compliance and Auditing Services

ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000 is to provide principles and generic guidelines on risk management. ISO 31000 is a universally recognized paradigm for practitioners and companies employing risk management processes, and it replaces the myriad of existing standards, methodologies and paradigms that differ between industries, subject matters and regions. Currently, the ISO 31000 family includes: ISO 31000 – Principles and Guidelines on Implementation, ISO/IEC 31010 – Risk Management and Risk Assessment Techniques, and ISO Guide 73:2009 – Risk Management and Vocabulary.

Risk Conceptualization

One of the key paradigm shifts in ISO 31000 is a controversial change in how risk is conceptualized. Under ISO 31000 and ISO Guide 73, the definition of “risk” is no longer “chance or probability of loss” but “the effect of uncertainty on objectives”, so the word “risk” now refers to positive possibilities as well as negative ones.

Implementation

The intent of ISO 31000 is to be applied within existing management systems to formalize and improve risk management processes, as opposed to wholesale substitution of legacy management practices. Consequently, when implementing ISO 31000, attention is given to integrating existing risk management processes into the new paradigm described in the standard.

The focus of many ISO 31000 harmonization programs has centered on:

  • Addressing accountability gaps in enterprise risk management
  • Aligning objectives of the governance frameworks with ISO 31000
  • Embedding management system reporting mechanisms
  • Creating uniform risk criteria and evaluation metrics

Implications

Most implications of adopting the new standard concern the re-engineering of existing management practices to conform to the documentation, communication and socialization of the new risk management operating paradigm, as opposed to a wholesale re-orientation of management practice throughout a company. Accordingly, most senior management in a company practicing enterprise risk management will need to be cognizant of the implications of adopting the standard and be able to develop effective strategies for implementing it across supply chains and commercial operations. Certain aspects of top management accountability, strategic policy implementation and effective governance frameworks will require more consideration by companies that have previously used now-redundant risk management methodologies.

Managing Risk

ISO 31000 gives the following list, in order of preference, of ways to treat risk:

  1. Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
  2. Accepting or increasing the risk in order to pursue an opportunity
  3. Removing the risk source
  4. Changing the likelihood
  5. Changing the consequences
  6. Sharing the risk with another party or parties (including contracts and risk financing)
  7. Retaining the risk by informed decision

Contact us to learn more about our ISO 31000 compliance and auditing services.