ISO 31000

from Wikipedia, the free encyclopedia

ISO 31000:2018 is an ISO standard that deals with risk management. The standard defines guidelines that describe the handling of risks in an organization. The specific application of these guidelines can be customized for each company in its specific environment. The standard provides a very general approach that is neither industry nor sector specific and is at the same time applicable to any type of risk. In addition, the standard can be used throughout the life cycle of a company and can be implemented at all company levels and in the decision-making process.

General

The 31000 standard is published in three languages: English, French and German. The German translation was prepared by the technical committee ISO/TC 262 "Risk Management". According to the resolution of 12/2017 of NA 175-00-04 AA, ISO 31000:2018 will be adopted into the German DIN standards. The previous standard was withdrawn without replacement after the two-year draft standard had expired. The ISO standard 31000 was expressly not created for certification purposes. Rather, the standard states that "ISO 31000 provides recommendations that can or must be adapted to the specific organizations and that do not specify any requirements." ONR 49001 provides a legal basis for certification.

Goals of the standard

Reputation or brand damage, cybercrime, political risks and terrorism are just a few of the risks that private and public organizations of all types and sizes around the world are increasingly concerned about. The latest version of ISO 31000 has been introduced to help deal with these uncertainties. ISO 31000:2018 provides clearer, shorter and more concise guidance that helps organizations apply risk management principles and improve planning and implementation so that they can make better decisions. ISO 31000 helps organizations develop a risk management strategy that effectively identifies and mitigates risk, increasing the likelihood that an organization will achieve its goals and protect its assets. The overarching goal is to develop a risk management culture in which employees and stakeholders are aware of the importance of risk management. Implementing ISO 31000 also helps organizations see both the positive opportunities and the negative consequences that come with risks, and enables more informed, and therefore more effective, resource allocation decisions. In addition, it can be an active component in improving corporate governance and ultimately its performance.

Special features

A total of five special features of ISO standard 31000:2018 can be described.

Top-down approach

Risk management follows a top-down approach. This means that the main risks of a company are identified, analyzed and dealt with first, while details are not the focus from the outset. Rather, the general, important aspects are dealt with. This approach differs from financial-sector regulation such as Basel III or Solvency II, which is also used to identify risks but is better classified as a bottom-up approach.

Risk management is a comprehensive management task with a given control loop

Dealing with risks is iterative and helps organizations define strategies, achieve goals and make informed decisions. Dealing with risks is part of management and leadership and determines how the organization is run at all levels. It is a top management obligation to implement the risk management system. The Deming cycle is followed iteratively; it can be summarized by the "Plan - Do - Check - Act" principle.

Cross-industry approach

Since organizations of all types and sizes are subject to external and internal factors and influences that make the achievement of their goals uncertain, ISO standard 31000 can in principle be applied to all types of organizations. It can be used, for example, by companies in the manufacturing industry and the service sector. Implementation in public administration or non-governmental organizations is also possible.

Cross-functional

ISO standard 31000:2018 goes beyond the concept of the internal control system and instead contributes to the improvement of management systems. Dealing with risks is part of all activities of an organization and includes interaction with stakeholders. In addition, the standard takes into account the handling of risks in the external and internal context of the organization, including human behavior and cultural factors, and is therefore cross-functional.

Internationally broad-based concept

Developed by ISO, based in Geneva, with the participation of experts from Europe, America and Asia, the standard carries special weight and receives international attention.

Structure and content of the standard

Dealing with risks is based on the principles, the framework and the risk process. In addition, the standard defines essential terms of risk management.

Definition of terms

ISO standard 31000 defines a total of eight terms from the context of risk management. These are only the most important terms; the previous standard still defined 29 terms, so the revision significantly reduced this section. The following terms are defined and, where necessary, annotated.

  1. Risk = "Effect of uncertainty on goals". An effect is a deviation from the expected, in a positive or negative direction or in both. Usually, risk is described in terms of the risk source, the potential events, their consequences and their probability.
  2. Risk management = "Coordinated activities to direct and control an organization with regard to risk".
  3. Stakeholder = "Person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity". Alternatively, the term "interested party" can be used.
  4. Risk source / cause of risk = "Element that alone or in combination with other factors has the potential to give rise to risk".
  5. Event = "Occurrence or change of a particular set of circumstances". An event can occur once or several times and can have several causes and consequences.
  6. Impact = "Outcome of an event that affects the goals". An impact can be certain or uncertain and can be described qualitatively or quantitatively.
  7. Probability = "Chance of something happening". A probability does not have to be expressed mathematically; it can also be described in general terms.
  8. Control = "Measure that maintains and/or modifies the risk".

Principles

ISO standard 31000 defines principles that are intended to help achieve the purpose of risk management (creating and protecting value). The principles form the basis for dealing with risks and should therefore be taken into account when developing the framework and the processes of a risk management system.

According to these principles, effective risk management should be integrated, structured and comprehensive, customized, inclusive and dynamic. In addition, the best available information should be used, human and cultural factors should be taken into account, and risk management should be continuously improved.

Framework

The effectiveness of risk management depends on how well it is integrated into the internal activities of an organization, especially by management. The risk management framework promotes the integration of risk management into the key functions and processes of the organization. Existing risk management procedures and processes, including any gaps, are also recorded, addressed and assessed within the framework.

The framework includes the following components of risk management:

1) Integration
2) Design
3) Implementation
4) Assessment
5) Improvement

These must be adapted to the needs of the organization.

The tasks of the organization's management and its internal supervisory bodies are the integration of risk management into organizational activities and the demonstration of successful implementation. This includes adapting the components of the framework to the needs of the organization, establishing a plan that includes all required resources, and assigning tasks at all levels of the organization. Management is in principle responsible for setting the general strategy for dealing with risks, while the supervisory bodies are more concerned with overseeing risk management.

Integration

An important prerequisite for the successful integration of risk management is an understanding of the company's internal organization. The parts of the company's organizational structure differ in purpose, goals and complexity, but risk is dealt with in every part. Company management defines the general strategy for dealing with risks, the individual guidelines, and the accountability and supervisory obligations. The integration of risk management is a dynamic process that must be constantly adapted to the company's goals and processes.

Design

Both internal and external company-specific factors must be taken into account when designing the framework.

External factors include all social, legal, financial and economic developments at the local, national and international level that affect the goals of the organization. In addition, external key factors and trends must be taken into account. Relationships with external parties, contractual obligations, the complexity of networks and the dependencies of the organization are also among the external factors.

Internal factors are the vision, mission and values as well as the culture of the organization and its internal structure. The distribution of management and supervisory functions, the adopted and applied standards, guidelines and models, and the available resources and capital (including human capital) are also relevant internal factors. In addition, the standard names the information and data systems, the relationships with internal stakeholders, and the implementation of contractual relationships and obligations.

The organization's management or its supervisory bodies must commit themselves to long-term risk management by setting out clearly defined goals, needs, accountability, necessary resources, procedures, and measures for reviewing and further improving the risk management system in the company, and by communicating these within the organization and to the external owners of the company.

The relevant risk management roles must be distributed at all levels of the organization and clearly communicated to the responsible employees. The resources, skills, competencies, processes, methods and tools required to deal with the risks must also be ensured and allocated at the highest level, taking the scarcity of resources into account.

To ensure the effectiveness of the risk management system in the organization, appropriate communication and consultation channels must be set up so that general information, specific tasks, and the feedback and expectations of stakeholders at all levels of the organization can be exchanged efficiently and in a timely manner. Information that is efficiently communicated, sorted, condensed and analyzed within the organization helps to ensure that all activities can be adapted, co-designed and improved.

Implementation

Implementation of the risk management framework must start with the development of a suitable plan with concrete measures, taking the necessary resources into account. The most important decisions determine when, where, how and by whom the processes to be applied must be changed.

For the successful implementation, the commitment of the stakeholders is necessary so that the occurrence of uncertainties can be addressed during the decision-making process.

A properly planned and implemented risk management framework ensures that the risk management process becomes part of the activities of the entire organization and can be adapted to changes in the internal and external context.

Assessment

To adapt the risk management framework as closely as possible to the activities and the internal and external factors of the organization, its effectiveness must be regularly assessed. Performance must be compared with the planned purposes and implementation plans to determine whether the framework is still suitable for achieving the organization's goals or whether it must be revised in light of changed conditions.

Improvement

The risk management framework must be continuously monitored, and its suitability, adequacy and effectiveness adapted to external and internal changes. If there are significant gaps or opportunities for improvement, the organization must develop new specific plans and tasks for improvement and identify the persons responsible for carrying them out. Once improved and optimized, the risk management system should be better adapted to the needs of the organization and contribute more effectively to risk management.

Risk management process

Definition

The risk management process is understood as the systematic application of principles, procedures and practices to the activities of communication and consultation, establishing the context, and assessing, treating, monitoring, reviewing, recording and reporting risk.

Communication and consultation

Communication serves to raise stakeholders' risk awareness, while consultation provides stakeholders with information to support their decision-making. Among other things, communication and consultation bring interdisciplinary expertise into every step of the risk management process and take different perspectives into account when defining the risk criteria and assessing the risks.

Scope, context and criteria

The scope of the risk management activities is determined by the organization. Relevant goals, and their alignment with the goals of the organization, play an important role because the risk management process has to be applied at different levels. Accordingly, the external and internal context must be taken into account when setting the goals. Understanding both contexts and how they relate to the risk management process is important to organizations, because the purpose and scope of the risk management process can then be related to the overall goals of the organization. The definition of risk criteria should be coordinated with the risk management framework and adapted to the respective purpose and scope of the activities. In addition, the risk criteria should reflect the values, goals and resources of the organization; they are to be determined in accordance with the organization's obligations and the perspectives of its stakeholders.

Risk assessment

Risk assessment comprises the systematic, iterative and collaborative process of risk identification, risk analysis and risk evaluation, drawing on the knowledge and views of stakeholders. The organization uses risk identification to obtain the most complete possible overview of potential risks. Each risk is assigned to a risk officer for the respective area. Risks are identified in all areas and processes of an organization, using both internal and external data sources. Risk analysis examines in detail the uncertainties, risk sources, consequences, probability, events, scenarios, controls and their effectiveness; it thereby determines the nature of the risk, its characteristics and, where applicable, the risk level. Risk analysis provides input to risk evaluation and to decisions about whether and how risks are to be treated. Risk evaluation allows the identified risks to be weighted and thus enables a risk-oriented approach: risks that threaten the existence of the company require different control measures than insignificant risks. As part of the evaluation, all identified risks are analyzed and their probability of occurrence and extent of damage are assessed.

Risk treatment

Risk mitigation or risk control means taking measures to reduce the potential extent of damage and/or the probability of occurrence of the risks.

Risk treatment options consist of:

  1. Avoidance: abandoning activities if control measures are not cost-efficient and/or the benefits are out of proportion to the risk
  2. Transfer: transferring risk control and/or the financial impact of the risk to third parties
  3. Mitigation: early development and implementation of measures to reduce the probability of occurrence and/or the extent of damage
  4. Acceptance: consciously taking the risk
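The following is an added illustration, not part of the article and not ISO material, of the process described in the risk assessment section and in the four treatment options above: a small risk register that identifies each risk by source, event, consequence and owner, analyzes it as probability times extent of damage, evaluates it against risk criteria, and selects a treatment. The 1..5 scales, the thresholds, the cost-efficiency test (control cost within a budget) and the sample risks are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed risk criteria (the article gives no numeric scheme): 1..5 scales,
# level = likelihood x impact, and the thresholds below.
ACCEPTABLE = 4        # level at or below: insignificant, simply accepted
EXISTENTIAL = 20      # level at or above: threatens the organization's existence
CONTROL_BUDGET = 50   # a control costing more (constructed units) is not cost-efficient

@dataclass
class Control:        # measure that maintains and/or modifies the risk
    name: str
    residual_likelihood: int   # likelihood once the control is in place
    residual_impact: int
    cost: int

@dataclass
class Risk:
    source: str                # risk source / cause of risk
    event: str
    consequence: str           # impact: outcome of the event on the goals
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (existential)
    owner: str                 # risk officer responsible for the area
    transferable: bool = False # can a third party carry it (insurance, outsourcing)?
    controls: List[Control] = field(default_factory=list)

    def level(self) -> int:    # risk analysis: probability x extent of damage
        return self.likelihood * self.impact

def classify(risk: Risk) -> str:
    """Risk evaluation: weight the analyzed risk against the criteria."""
    if risk.level() >= EXISTENTIAL:
        return "existence-threatening"
    return "insignificant" if risk.level() <= ACCEPTABLE else "significant"

def cost_efficient_control(risk: Risk) -> Optional[Control]:
    """Cheapest control that brings the risk to an acceptable level within budget."""
    fitting = [k for k in risk.controls if k.cost <= CONTROL_BUDGET
               and k.residual_likelihood * k.residual_impact <= ACCEPTABLE]
    return min(fitting, key=lambda k: k.cost) if fitting else None

def select_treatment(risk: Risk) -> str:
    """Map the evaluated risk onto the four treatment options."""
    if risk.level() <= ACCEPTABLE:
        return "Acceptance"     # consciously taking the risk
    if cost_efficient_control(risk) is not None:
        return "Mitigation"     # reduce probability and/or extent of damage
    if risk.transferable:
        return "Transfer"       # hand control or financial impact to a third party
    return "Avoidance"          # abandon the activity: no cost-efficient control

def risk_report(register: List[Risk]) -> List[tuple]:
    """Basic reporting: one uniform row per risk, highest level first."""
    rows = [(r.event, r.owner, r.level(), classify(r), select_treatment(r))
            for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample register, not from the article.
REGISTER = [
    Risk("unpatched internet-facing server", "ransomware outbreak", "production halts",
         4, 5, "IT", True, [Control("patch SLA plus offline backups", 2, 2, 30)]),
    Risk("single supplier", "supplier insolvency", "delivery delays",
         2, 4, "Procurement", True, [Control("qualify a second source", 1, 2, 120)]),
    Risk("digital-currency payments", "exchange-rate crash", "unrecoverable receivables",
         3, 4, "Finance", False, [Control("hedging programme", 2, 3, 80)]),
    Risk("staff turnover", "loss of tacit knowledge", "slower onboarding", 3, 1, "HR"),
]
```

Calling `risk_report(REGISTER)` yields the ransomware risk first (level 20, existence-threatening, mitigated by the in-budget control), the supplier risk transferred because its only control exceeds the budget, the digital-currency risk avoided because it has neither a cost-efficient control nor a transfer option, and the staff-turnover risk accepted.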

Risk monitoring

Regular monitoring of the control measures in all phases of the process ensures the effectiveness of the risk management system. With the help of risk-specific early warning indicators, risks can be countered with measures in good time.

Risk reporting

Reporting ensures that relevant risk information reaches the correct addressee in good time. Recipients can be internal or external. Different forms of reporting are found in organizations; they can be classified as follows:

  1. Basic reporting: a uniform report, but with limited options for evaluating the data
  2. Targeted reporting: hierarchy-dependent reporting that distinguishes between management board reports and departmental reports
  3. Integrated reporting: individualized reports with the possibility of quantitative evaluation

Revision of the standard and differences from ISO 31000:2009

All ISO standards are reviewed every five years and revised if necessary. This helps ensure their relevance to the market. Yesterday's risk management practices are no longer sufficient to deal with today's threats, which is why they need to evolve. An example is the increased complexity of economic systems and emerging risk factors such as digital currency. Both can present new and different types of risk to an organization.

A revision of ISO 31000 was published in early 2018 and replaces the first edition (ISO 31000:2009). ISO 31000:2018 offers more strategic guidance and places more emphasis on the involvement of senior management and the integration of risk management into the organization. The overriding goal is to develop a risk management culture in which employees and stakeholders are aware of the importance of monitoring and controlling risks. The resulting standard is not just a new version of ISO 31000. It goes beyond a simple revision, because it is about the way risk will be dealt with tomorrow.

The most important changes compared to the previous edition are as follows:

"Review of the principles of risk management, which are the most important criteria for its success."

The revised standard now recommends that risk management should be part of the organizational structure, processes, goals, strategy and activities. It focuses more on creating value as the key driver of risk management and on related principles such as continuous improvement, stakeholder involvement, organizational adaptation, and consideration of human and cultural factors.

"Emphasis on the leadership by top management and the integration of risk management, starting with the management of the organization."

This includes a recommendation to develop a policy that supports commitment to risk management. This involves assigning authority, responsibility and accountability at the appropriate levels within the organization and ensuring that the necessary resources are made available to manage risk.

"More emphasis on the iterative nature of risk management."

New experience, knowledge and analysis in every phase of the process can lead to a revision of the process elements, actions and controls.

"Streamlining the content with a stronger focus on maintaining an open system model that meets multiple needs and contexts."

The main goal is to make things clearer and simpler, using simple language to define the fundamentals of risk management in a way that the reader can more easily understand.

History

Year   Description
2009   ISO 31000 (1st edition)
2018   ISO 31000 (2nd edition)

Literature

  • ISO standard 31000:2018.
  • Werner Gleißner: Fundamentals of risk management. 3rd edition. Vahlen, 2017, ISBN 978-3-8006-3767-6.
