FINAL MODULE
LESSON 3 - INTERNATIONAL ORGANIZATION FOR STANDARDIZATION
Competencies:
1. Define ISO
2. Recognize the importance of ISO in the workplace
3. Determine the different standards related to ISO 31000
      The long-term success of an organization relies on many things, from continually assessing
and updating their offering to optimizing their processes. As if this weren’t enough of a
challenge, they also need to account for the unexpected in managing risk. That’s why we’ve
developed ISO 31000 for risk management.
      In addition to addressing operational continuity, ISO 31000 provides a level of reassurance
in terms of economic resilience, professional reputation and environmental and safety outcomes.
In a world of uncertainty, ISO 31000 is tailor-made for any organization seeking clear
guidance on risk management.
INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO)
- The organization began in 1926 as the International Federation of the National Standardizing Associations (ISA).
- It was suspended in 1942 during World War II, but after the war ISA was approached by the recently formed United Nations Standards Coordinating Committee (UNSCC) with a proposal to form a new global standards body.
- It is an international standard-setting body composed of representatives from various national standards organizations.
- It was founded on February 23, 1947, and promotes worldwide proprietary, industrial and commercial standards.
- Its headquarters is in Geneva, Switzerland, and it works in 162 countries.
      Risk is a necessary part of doing business, and in a world where enormous amounts of data
are being processed at increasingly rapid rates, identifying and mitigating risks is a challenge for
any company. It is no wonder then that many contracts and insurance agreements require solid
evidence of good risk management practice.
      ISO 31000 provides direction on how companies can integrate risk-based decision making
into an organization’s governance, planning, management, reporting, policies, values and
culture. It is an open, principles-based system, meaning it enables organizations to apply the
principles in the standard to the organizational context.
ISO 31000
- It provides principles, a framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector.
- It can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.
- It cannot be used for certification purposes, but it does provide guidance for internal or external audit programs. Organizations using it can compare their risk management practices with an internationally recognized benchmark, providing sound principles for effective management and corporate governance.
What are its benefits for businesses?
      ISO 31000 helps organizations develop a risk management strategy to effectively identify
and mitigate risks, thereby enhancing the likelihood of achieving their objectives and increasing
the protection of their assets. Its overarching goal is to develop a risk management culture
where employees and stakeholders are aware of the importance of monitoring and managing
risk.
    Implementing ISO 31000 also helps organizations see both the positive opportunities and
negative consequences associated with risk, and allows for more informed, and thus more
effective, decision making, namely in the allocation of resources.
The ISO 31000 Standard: Scope
Includes:
- definitions and terms relevant to risk management
- a set of principles that inform effective risk management
                                                                          THC102_Page 1|6
- recommendations for establishing a risk management framework
- recommendations for establishing a risk management process
Does not include:
- detailed instructions/guidance on how to manage specific risks
- advice relevant to any specific domain
- any elements related to certification
The classical definition of risk:
  "It is a combination of the probability and scope of the consequences." (ISO risk management vocabulary, 2002)
More precisely, after Kaplan and Garrick, we ask:
- What can go wrong?
- How likely is it to go wrong?
- If it does go wrong, what are the consequences?
A new definition of risk:
  "The effect of uncertainty on an organization's ability to meet its objectives."
- An effect is a deviation from what was expected, which can be positive or negative.
- Safety risks are generally negative (losses, deaths, pollution).
- This definition is relevant for safety, financial risks, strategic risks and project risks.
The standard includes a number of principles that risk management should satisfy:
- it creates and protects value
- it is based on the best information
- it is an integral part of organizational processes
- it is tailored
- it is part of decision-making
- it takes human and cultural factors into account
- it explicitly addresses uncertainty
- it is transparent and inclusive
- it is systematic, structured and timely
- it is dynamic, iterative and responsive to change
- it facilitates continual improvement of the organization
IMPORTANCE OF ISO CERTIFICATION
      ISO certification certifies that a management system, manufacturing process, service, or
documentation procedure has all the requirements for standardization and quality assurance.
      ISO certifications exist in many areas of industry, from energy management and social
responsibility to medical devices. ISO standards are in place to ensure consistency. Each
certification has separate standards and criteria and is classified numerically.
Continuous improvement is another significant concept to understand for ISO 31000.
      Without a company culture strongly aligned with principles of continuous
improvement, organizations will struggle to implement, let alone maintain successful risk
management programs.
      This can be challenging in practice, as cultivating a risk management attitude within a
company involves aligning risk initiatives with existing company values, policies, and, to put
it simply, convincing everyone involved that risk management is worthwhile.
     However, improving risk culture is possible and, like many things, it becomes a lot
easier when you have a process for it.
     Such a process can be separated into three stages:
- Cultural awareness
- Cultural change
- Cultural refinement
PHASE ONE: BUILDING AND STRENGTHENING CULTURAL AWARENESS
     The first stage is the building of cultural awareness; this will take the form of
communications, training, and general education initiatives within the organization.
     Here is where companies set risk management expectations and objectives, define
roles and responsibilities, and clearly communicate all of these things with their employees.
You shouldn’t expect your employees to conform to your ideals about risk management
without first taking the time to educate and inform them, whether through formal training or
access to knowledge base material or similar.
     Successfully building and strengthening cultural awareness about continuous
improvement includes:
- Establishing a common risk management vocabulary
- Making sure communications are consistent with said vocabulary, and that everyone in the organization has clear access to all relevant documents
- Being clear about risk management responsibilities and accountabilities
- Launching and maintaining training programs, providing training support and guidance where needed and as required by different roles and responsibilities within the organization
- Making sure onboarding processes adequately cover risk management
- Making sure recruitment processes adequately cover risk management
PHASE TWO: CHANGING THE WAY THE ORGANIZATION OPERATES
      Once a firm foundation of cultural awareness regarding continuous improvement has
been established, it’s time to start thinking about how to gradually begin changing the ways
the organization operates to reflect these values.
      This phase begins by starting to recognize and reward employees for paying attention
to risk, and responding to risk in a way that challenges the previously established status
quo.
      These kinds of motivational systems, rewarding and penalizing behavior according to
the established ideals of continuous improvement outlined in the early planning stages, will
result in the gradual but certain shift towards a proliferation of continuous improvement-conscious
company culture.
      Another important element is being able to recognize talent that conforms to the
desired vision of continuous improvement, and capitalizing on this alignment by placing
them accordingly in relevant, optimized positions of responsibility or seniority. It’s getting
people in the right place, to drive the right kind of results.
Some important considerations for this phase:
- Utilizing challenge as a motivator for driving cultural change
- Quantifying risk performance metrics, and rewarding/penalizing behavior accordingly
- Considering risk management and continuous improvement culture in talent management approaches
PHASE THREE: OPTIMIZING AND REFINING THE CULTURAL ECOSYSTEM
     The third and final stage of cultural adoption of continuous improvement takes place
once the company culture has already matured to the point of widespread adoption and
desired values are already well-entrenched.
     At this point, the focus shifts to monitoring performance versus expectations, and
attempting to tweak and refine the system to further improve cultural adoption.
     The expectations can and will be influenced by a wide range of stakeholders, not just
top management; employees, board of directors, analysts, customers, investors – they all
have a say in the definition of cultural expectations, because these expectations should
directly reflect the whole entity that is the organization, made up of all its constituent
stakeholder parts.
     Steps taken during this phase might include:
- Iterating feedback and observations from risk management into training, education, resources, and communications
- Making sure stakeholders are held responsible for their actions
- Making sure any risk performance metrics or quantifiers are adjusted to reflect changes in risk strategy, goals, and objectives
- The capacity to redeploy and reassign individuals within an organization according to desired risk culture goals
- Continually reflecting on and refining risk culture in accordance with continually changing business goals, objectives, and strategies
BENEFITS OF ISO 31000
   Why use ISO 31000? What can it do for your business? Aside from streamlining the
implementation of a risk management framework by doing most of the structural and
conceptual heavy lifting for you, it can also help with:
- Giving you a competitive advantage, because ISO is an internationally recognized symbol for quality standards
- Increasing employee awareness of organizational risks by including them in the management framework and giving them responsibility for the processes they commonly use
- Reducing the frequency of, and ultimately eliminating, risks by educating employees and stakeholders on identified risks
- Improving the trust of stakeholders by maintaining transparency and communicating risks
- Fostering forward-thinking mentalities by encouraging employees to envision all potential outcomes of a given situation
- Improving company culture by bringing disparate departments together to exchange fresh perspectives, and to consider how they might work together more effectively
- Improving the success rate in all business operations by focusing on the process, thinking preemptively instead of reactively, and giving employees ownership of their work responsibilities
      ISO 31000 can be invaluable for preparing a business for all eventualities; by
understanding the worst-case scenario, a business is better equipped to make the most of
the resources and opportunities currently available to them.
      While ISO 31000 is certainly one of many guideline documents for implementing risk
management, one of its stand-out strengths is its concise format. You’d have a hard time
finding a more comprehensive document that succeeds in condensing so much information
into such a coherent and concise set of guidelines.
      Without a doubt, ISO 31000 is one of the foremost documents for those who want to
waste no time in getting started with risk management, without sacrificing quality or
integrity.
RISK MANAGEMENT — VOCABULARY
1. SCOPE
- This International Standard provides principles and generic guidelines on risk management.
- This International Standard can be used by any public, private or community enterprise, association, group or individual. Therefore, this International Standard is not specific to any industry or sector.
  NOTE For convenience, all the different users of this International Standard are referred to by the general term "organization".
- This International Standard can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.
- This International Standard can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.
- It is intended that this International Standard be utilized to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors, and does not replace those standards.
- This International Standard is not intended for the purpose of certification.
2. TERMS AND DEFINITIONS
For the purposes of this document, the following terms and definitions apply.
- Risk: effect of uncertainty on objectives
- Risk Management: coordinated activities to direct and control an organization with regard to risk
- Risk Management Framework: set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization
- Risk Management Policy: statement of the overall intentions and direction of an organization related to risk management
- Risk Attitude: organization's approach to assess and eventually pursue, retain, take or turn away from risk
- Risk Management Plan: scheme within the risk management framework specifying the approach, the management components and resources to be applied to the management of risk
- Risk Owner: person or entity with the accountability and authority to manage a risk
- Risk Management Process: systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk
- Establishing the Context: defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria for the risk management policy
- External Context: external environment in which the organization seeks to achieve its objectives
- Internal Context: internal environment in which the organization seeks to achieve its objectives
- Communication and Consultation: continual and iterative processes that an organization conducts to provide, share or obtain information and to engage in dialogue with stakeholders
- Consultation: a process which impacts on a decision through influence rather than power; an input to decision making, not joint decision making
- Stakeholder: person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity
- Risk Assessment: overall process of risk identification, risk analysis and risk evaluation
- Risk Identification: process of finding, recognizing and describing risks
- Risk Source: element which alone or in combination has the intrinsic potential to give rise to risk
- Event: occurrence or change of a particular set of circumstances
- Consequence: outcome of an event affecting objectives
- Likelihood: chance of something happening
- Risk Profile: description of any set of risks
- Risk Analysis: process to comprehend the nature of risk and to determine the level of risk
- Risk Criteria: terms of reference against which the significance of a risk is evaluated
- Level of Risk: magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood
- Risk Evaluation: process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable
- Risk Treatment: process to modify risk, for example by taking or increasing risk in order to pursue an opportunity; removing the risk source; changing the likelihood; changing the consequences; sharing the risk with another party or parties (including contracts and risk financing); or retaining the risk by informed decision
- Control: measure that is modifying risk
- Residual Risk: risk remaining after risk treatment
- Monitoring: continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected
- Review: activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives
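As an added example (not part of this handout or of the standard itself), the vocabulary above and Kaplan and Garrick's three questions are turned into a small Python risk register: a Risk holds one "what can go wrong / how likely / what consequence" triplet, risk analysis combines likelihood and consequence into a level of risk, risk evaluation compares that level against risk criteria, and risk treatment applies a control and yields the residual risk. The 1-to-5 scales, the thresholds and the sample register entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace
# Scales and thresholds below are constructed for this example; ISO 31000 does not
# prescribe them. Likelihood and consequence are ordinal scores from 1 to 5.
RISK_CRITERIA = {"acceptable": 4, "tolerable": 9}  # upper bounds on level of risk

@dataclass(frozen=True)
class Risk:  # one Kaplan-Garrick triplet plus its risk owner
    scenario: str     # what can go wrong
    likelihood: int   # how likely is it: 1 (rare) .. 5 (almost certain)
    consequence: int  # what are the consequences: 1 (negligible) .. 5 (severe)
    owner: str = "unassigned"
@dataclass(frozen=True)
class Control:  # a measure that modifies risk by shifting likelihood and/or consequence
    name: str
    likelihood_delta: int = 0
    consequence_delta: int = 0

def level_of_risk(risk: Risk) -> int:
    """Risk analysis: magnitude as the combination of consequence and likelihood."""
    return risk.likelihood * risk.consequence

def evaluate(risk: Risk) -> str:
    """Risk evaluation: compare the analysed level against the risk criteria."""
    level = level_of_risk(risk)
    if level <= RISK_CRITERIA["acceptable"]:
        return "acceptable"
    return "tolerable" if level <= RISK_CRITERIA["tolerable"] else "unacceptable"

def treat(risk: Risk, control: Control) -> Risk:
    """Risk treatment: apply a control and return the residual risk (scores kept in 1..5)."""
    clamp = lambda v: max(1, min(5, v))
    return replace(risk, likelihood=clamp(risk.likelihood + control.likelihood_delta),
                   consequence=clamp(risk.consequence + control.consequence_delta))

def assess_register(register, treatments):
    """Analysis -> evaluation -> treatment for every identified risk; returns the risk
    profile. A risk with no entry in treatments is retained by informed decision."""
    profile = []
    for risk in register:
        residual = treat(risk, treatments[risk.scenario]) if risk.scenario in treatments else risk
        profile.append({"scenario": risk.scenario, "owner": risk.owner,
                        "inherent": level_of_risk(risk), "inherent_rating": evaluate(risk),
                        "residual": level_of_risk(residual), "residual_rating": evaluate(residual),
                        "treated": risk.scenario in treatments})
    return profile
# Constructed sample register for an application team (not taken from the standard).
REGISTER = [
    Risk("Customer data exposed via unpatched web server", 4, 5, "platform lead"),
    Risk("Laptop holding source code lost in transit", 3, 3, "IT manager"),
    Risk("Minor downtime during scheduled deploy", 2, 1, "release manager"),
]
TREATMENTS = {  # controls selected during treatment, keyed by register scenario
    "Customer data exposed via unpatched web server": Control("monthly patch cycle + WAF", -2, -1),
    "Laptop holding source code lost in transit": Control("full-disk encryption", consequence_delta=-2),
}
```

Calling assess_register(REGISTER, TREATMENTS) yields the risk profile, with the inherent and residual level of risk and rating for each scenario.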