OVERVIEW OF ISO 31000
The diagram below shows how the three main sections are
interrelated and how each of these three sections are, in turn,
organized. The standard starts by listing a set of risk management
principles. Use these principles to guide the establishment of
your
risk management framework. Then use the framework to
guide the
establishment of your risk management process.
Together these three
sections make up what ISO 31000 calls a risk
management architecture.
The following material discusses each of these three sections.
|
OVERVIEW OF PART 3: RISK MANAGEMENT PRINCIPLES
Part 3 of ISO 31000 discusses risk
management principles. These
principles provide a pragmatic
conceptual foundation for the rest of the
standard. Part 3 says that
your approach to risk management should be
an integral part of your
organization’s processes (especially its decision
making process),
should be tailored to its environment, should create and
protect
value, and should support
and encourage continual improvement.
It also says that your approach
should not only be structured, systematic,
and
iterative, it should also be dynamic,
responsive, and inclusive. In
addition,
your approach should not only address the human and cultural
factors
that influence the achievement of your organization’s objectives,
it
should also deal with the many uncertainties that threaten your
organization’s success.
In general, these risk management
principles should influence how
you design and implement your
organization’s risk management
framework (Part 4) and process (Part
5).
|
OVERVIEW OF PART 4: RISK MANAGEMENT FRAMEWORK
Part 4 discusses ISO’s risk management framework. It starts
by
asking you to make risk management part of your organization’s
general
management system and to use this risk management framework
to support
your risk management process (Part 5). Then, in Part 4.2,
it asks you to make
a commitment to risk management by establishing a
risk management policy,
by formulating risk management objectives,
and by assigning risk
management responsibilities.
Part 4 is an iterative (cyclical) process. This iterative
process starts by
asking you to make a commitment to risk
management. It then asks you to
design, implement, monitor, and
improve your risk management framework,
and to do it in that order.
Repeat this iterative process whenever you need
to change your risk
management policy, modify your risk management
objectives, or improve
your framework.
|
OVERVIEW OF PART 5: RISK MANAGEMENT PROCESS
Part 5 explains how to apply a risk management process. It
starts by
asking you to make risk management an integral part of
your organization’s
management approach. It then emphasizes the need
to communicate and
consult with both external and internal
stakeholders and to continuously
monitor and review your
organization’s risk management process.
The risk management process itself starts by establishing
your
organization’s unique context. Once you understand both your
external
and internal context, you’re ready to carry out your risk
assessment process,
which involves identifying, analyzing, and
evaluating risks. Once you know
what your risks are, you’re ready to
formulate and implement risk treatment
plans. Repeat this process
every time you have a risk that needs to be
assessed and controlled.
|
