
ISO 31000: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
ce
 
(4 intermediate revisions by 3 users not shown)
Line 4: Line 4:
{{External links|date=January 2022}}
{{External links|date=January 2022}}
}}
}}
'''ISO 31000''' is a family of international standards relating to [[risk management]] codified by the [[International Organization for Standardization]].<ref name=Purdy>{{cite journal|last1=Purdy|first1=G|year=2010|title=ISO 31000:2009--Setting a New Standard for Risk Management|journal=Risk Analysis|volume=30|number=6|pages=881–886}}</ref> The standard is intended to provide a consistent vocabulary and methodology for assessing and managing risk, resolving the historic ambiguities and differences in the ways risk are described.<ref name=Purdy/>
'''ISO 31000''' is a family of international standards relating to [[risk management]] codified by the [[International Organization for Standardization]].<ref name=Purdy>{{cite journal|last1=Purdy|first1=G|year=2010|title=ISO 31000:2009--Setting a New Standard for Risk Management|journal=Risk Analysis|volume=30|number=6|pages=881–886|doi=10.1111/j.1539-6924.2010.01442.x|pmid=20636915|bibcode=2010RiskA..30..881P}}</ref> The standard is intended to provide a consistent vocabulary and methodology for assessing and managing risk, resolving the historic ambiguities and differences in the ways risk are described.<ref name=Purdy/>


== Introduction ==
== Introduction ==
ISO 31000 was published as a standard on 13 November 2009, and provides a standard on the implementation of risk management. A revised and harmonized ISO/IEC Guide 73 was published at the same time. The purpose of ISO 31000 is to be applicable and adaptable for "any public, private or community enterprise, association, group or individual."<ref>ISO 31000 catalogue http://www.iso.org/iso/catalogue_detail.htm?csnumber=43170</ref> Accordingly, the general scope of ISO 31000 – as a family of risk management standards – is not developed for a particular industry group, management system or subject matter field in mind, rather to provide best practice structure and guidance to all operations concerned with risk management. It began the process for its first revision on May 13, 2015.<ref>{{Cite web|url=http://www.iso.org/iso/home/news_index/news_archive/news.htm?refid=Ref1963|title=The revision of ISO 31000 on risk management started 2015-05-13 |website=ISO|date=13 May 2015 |language=en|access-date=2017-02-23}}</ref> A draft International standard (DIS), which was open for public comment, was published on February 17, 2017.<ref>{{Cite web|url=http://www.iso.org/iso/catalogue_detail?csnumber=65694|title=ISO/DIS 31000 – Risk management – Guidelines|website=ISO|language=en|access-date=2017-02-23}}</ref> The ISO 31000 has been criticized for lack of solidness and misleading language.<ref>Aven, Terje, and Marja Ylönen. "The strong power of standards in the safety and risk fields: A threat to proper developments of these fields?." Reliability Engineering & System Safety 189 (2019): 279-286.</ref>
ISO 31000 was published as a standard on 13 November 2009, and provides a standard on the implementation of risk management. A revised and harmonized ISO/IEC Guide 73 was published at the same time. The purpose of ISO 31000 is to be applicable and adaptable for "any public, private or community enterprise, association, group or individual."<ref>ISO 31000 catalogue http://www.iso.org/iso/catalogue_detail.htm?csnumber=43170</ref> Accordingly, the general scope of ISO 31000 – as a family of risk management standards – is not developed for a particular industry group, management system or subject matter field in mind, rather to provide best practice structure and guidance to all operations concerned with risk management. It began the process for its first revision on May 13, 2015.<ref>{{Cite web|url=http://www.iso.org/iso/home/news_index/news_archive/news.htm?refid=Ref1963|title=The revision of ISO 31000 on risk management started 2015-05-13 |website=ISO|date=13 May 2015 |language=en|access-date=2017-02-23}}</ref> A draft International standard (DIS), which was open for public comment, was published on February 17, 2017.<ref>{{Cite web|url=http://www.iso.org/iso/catalogue_detail?csnumber=65694|title=ISO/DIS 31000 – Risk management – Guidelines|website=ISO|language=en|access-date=2017-02-23}}</ref> The ISO 31000 has been criticized for lack of solidness and misleading language.<ref>Aven, Terje, and Marja Ylönen. "The strong power of standards in the safety and risk fields: A threat to proper developments of these fields?." Reliability Engineering & System Safety 189 (2019): 279-286.</ref>


An update to ISO 31000 was added in early 2018. The update is different in that it "provides more strategic guidance than ISO 31000:2009 and places more emphasis on both the involvement of senior management and the integration of risk management into the organization."<ref>https://www.iso.org/files/live/sites/isoorg/files/store/en/PUB100426.pdf {{Bare URL PDF|date=March 2022}}</ref>
An update to ISO 31000 was added in early 2018. The update is different in that it "provides more strategic guidance than ISO 31000:2009 and places more emphasis on both the involvement of senior management and the integration of risk management into the organization."<ref>https://www.iso.org/files/live/sites/isoorg/files/store/en/PUB100426.pdf {{Bare URL PDF|date=March 2022}}</ref> The new version (ISO 31000:2018) was approved and became the new standard. It was last reviewed and confirmed in 2023. Therefore this version remains current.<ref>{{Cite web |last=ISO |date=7 May 2024 |title=ISO 31000:2018 |url=https://www.iso.org/standard/65694.html |access-date=7 May 2024 |website=ISO.org}}</ref>


== Scope ==
== Scope ==
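Review bot: the three sentences appended to the end of the second paragraph on the right-hand side ("The new version (ISO 31000:2018) was approved and became the new standard. It was last reviewed and confirmed in 2023. Therefore this version remains current.") repeat the paragraph's opening sentence and present an editorial inference ("Therefore") as if it were sourced; suggest collapsing them into one statement the cited catalogue entry (ISO, 7 May 2024) actually supports, e.g. "ISO 31000:2018 was reviewed and confirmed in 2023 and remains the current edition." While this paragraph is being edited, the preceding sentence's {{Bare URL PDF|date=March 2022}} tag is still unresolved; the PUB100426 PDF should at least be given a title and publisher.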
Line 101: Line 101:
== External links ==
== External links ==
* Standard [http://www.iso.org/iso/home/standards/iso31000.htm International Organization for Standardization]
* Standard [http://www.iso.org/iso/home/standards/iso31000.htm International Organization for Standardization]
* Standard [http://infostore.saiglobal.com/store/Details.aspx?ProductID=1378670 AS/NZS ISO 31000:2009 Risk management – Principles and guidelines]
* Discussion : [https://web.archive.org/web/20110404055517/http://www.linkedin.com/groups/ISO-31000-2009-Risk-Management-1834592?mostPopular=&gid=1834592 LinkedIn discussion forum on ISO 31000:2009 Risk management – Principles and guidelines]
* Discussion : [https://web.archive.org/web/20110404055517/http://www.linkedin.com/groups/ISO-31000-2009-Risk-Management-1834592?mostPopular=&gid=1834592 LinkedIn discussion forum on ISO 31000:2009 Risk management – Principles and guidelines]
* Article [https://www.scribd.com/doc/30749128/Strategic-Risk-IsO-31000-The-Gold-Standard-CAJL-AD-15-Sept-09 ISO 31000 : The Gold Standard, Alex Dali and Christopher Lajtha, Strategic Risk, September 2009]
* Article [https://www.scribd.com/doc/30749128/Strategic-Risk-IsO-31000-The-Gold-Standard-CAJL-AD-15-Sept-09 ISO 31000 : The Gold Standard, Alex Dali and Christopher Lajtha, Strategic Risk, September 2009]
* Article [http://radar-risk.com/news/ISO31000standard ISO 31000 standard: a different perspective on risk and risk management]
* Article [http://radar-risk.com/news/ISO31000standard ISO 31000 standard: a different perspective on risk and risk management]
* Article Guidance about [https://riskprofs.com/iso-31000-lead-risk-manager-training/ ISO 31000 Lead Risk Manager Training and risk management]


{{ISO standards}}
{{ISO standards}}
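Review bot: the riskprofs.com entry ("ISO 31000 Lead Risk Manager Training and risk management") that appears on only one side of this hunk is a commercial training-vendor link; if it is on the side being kept it should be dropped, since the article already carries an {{External links|date=January 2022}} maintenance tag (first hunk) asking for exactly this kind of link to be pruned rather than extended. The SAI Global "AS/NZS ISO 31000:2009 Risk management – Principles and guidelines" store listing, also present on only one side, is the only pointer in the article to the Australian/New Zealand adoption that the "Framework approach" section still refers to; if it is the entry being removed, that body statement is left without a reference and should be given one.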

Latest revision as of 20:56, 30 October 2024

ISO 31000 is a family of international standards relating to risk management codified by the International Organization for Standardization.[1] The standard is intended to provide a consistent vocabulary and methodology for assessing and managing risk, resolving the historic ambiguities and differences in the ways risk is described.[1]

Introduction


ISO 31000 was published on 13 November 2009 and provides guidance on the implementation of risk management. A revised and harmonized vocabulary, ISO Guide 73:2009 (replacing ISO/IEC Guide 73:2002), was published at the same time. The purpose of ISO 31000 is to be applicable and adaptable for "any public, private or community enterprise, association, group or individual."[2] Accordingly, ISO 31000, as a family of risk management standards, was not developed with a particular industry group, management system or subject-matter field in mind; rather, it provides best-practice structure and guidance for any operation concerned with risk management. The first revision of the standard began on 13 May 2015.[3] A Draft International Standard (DIS), open for public comment, was published on 17 February 2017.[4] ISO 31000 has been criticized for a lack of rigour and for misleading language.[5]

A revised edition, ISO 31000:2018, was published in early 2018. According to ISO it "provides more strategic guidance than ISO 31000:2009 and places more emphasis on both the involvement of senior management and the integration of risk management into the organization."[6] ISO 31000:2018 was reviewed and confirmed in 2023 and remains the current edition.[7]

Scope


ISO 31000 provides a set of principles, guidelines for the design and implementation of a risk management framework, and recommendations for the application of a risk management process. The risk management process described in ISO 31000 can be applied to any activity, including decision-making at all levels.

ISO describes the difference between the terms risk management framework and risk management process as follows:

Risk management framework - set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization. With the help of the plan-do-check-act (PDCA) cycle, the framework can be improved on an ongoing basis.[8]

Risk management process - systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk. In other words, ISO 31000 formalizes risk management practice, an approach intended to ease adoption by organizations that need a single enterprise risk management standard able to accommodate several 'silo-centric' management systems.[9]

The aim of this approach is to align all strategic, management and operational tasks of an organization, across projects, functions and processes, with a common set of risk management objectives.

Accordingly, ISO 31000 is intended for a broad stakeholder group including:

  • executive level stakeholders
  • appointment holders in the enterprise risk management group
  • risk analysts and management officers
  • line managers and project managers
  • compliance and internal auditors
  • independent practitioners.

Definitions


One of the key paradigm shifts proposed in ISO 31000 is a change in how risk is conceptualised and defined. Under both ISO 31000 and ISO Guide 73, "risk" is no longer defined as the "chance or probability of loss" but as the "effect of uncertainty on objectives", so that the word "risk" covers positive as well as negative consequences of uncertainty. ISO 31000:2018 retains this definition.

A similar definition was adopted in ISO 9001:2015 (the quality management system standard[10]), in which risk is defined as "effect of uncertainty", and a new risk-related requirement, "risk-based thinking", was introduced there.[11]

Likewise, ISO 31000 established a broad definition of stakeholder: "person or persons that can affect, be affected by, or perceive themselves to be affected by a decision or activity." This is, verbatim, the definition given for the term "interested party" in ISO 9001:2015.

Framework approach


ISO 31000:2009 was developed on the basis of an existing risk management standard, AS/NZS 4360:2004, which it superseded in Australia and New Zealand as AS/NZS ISO 31000:2009. Whereas the original Standards Australia approach provided a process by which risk management could be undertaken, ISO 31000:2009 addresses the entire management system that supports the design, implementation, maintenance and improvement of risk management processes.

Implementation


ISO 31000 is intended to be applied within existing management systems to formalize and improve risk management processes, rather than to replace legacy management practices wholesale. Consequently, an implementation of ISO 31000 should pay attention to integrating existing risk management processes into the paradigm set out in the standard.

Many ISO 31000 'harmonization' programmes[12] have centered on:

  • Addressing accountability gaps in enterprise risk management
  • Aligning the objectives of governance frameworks with ISO 31000
  • Embedding management system reporting mechanisms
  • Creating uniform risk criteria and evaluation metrics

Implications


While adopting any new standard may have re-engineering implications for existing management practices, the standard sets out no requirement to conform: it is guidance, not a specification to be certified against. It describes a detailed framework to ensure that an organization has "the foundations and arrangements" needed to embed the organizational capabilities required to sustain successful risk management practices. Foundations include risk management policy, objectives, and a mandate and commitment from top management. Arrangements include plans, relationships, accountabilities, resources, processes and activities.

Accordingly, senior position holders in an enterprise risk management organisation need to be aware of the implications of adopting the standard and able to develop effective strategies for implementing it, embedding it as an integral part of all organizational processes, including supply chains and commercial operations.[13] In domains that have tended to run relatively unsophisticated risk management processes, such as security and corporate social responsibility, more substantial change will be required: a clearly articulated risk management policy, formal risk ownership processes, structured framework processes and a continuous improvement programme.

Certain aspects of top management accountability, strategic policy implementation and effective governance frameworks, including communication and consultation, will need more consideration from organisations whose earlier risk management methodologies did not specify such requirements.

Managing risk


ISO 31000 lists the following options for treating risk; they are not mutually exclusive and may be combined:

  1. Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
  2. Accepting or increasing the risk in order to pursue an opportunity
  3. Removing the risk source
  4. Changing the likelihood
  5. Changing the consequences
  6. Sharing the risk with another party or parties (including contracts and risk financing)
  7. Retaining the risk by informed decision
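The treatment options above are easiest to see in use. The following is an added example, not text or code from ISO 31000, Wikipedia or any cited source: a small Python risk register that takes one constructed security risk through identification, analysis, evaluation against risk criteria and treatment, recording each treatment so the risk can later be monitored and reviewed. ISO 31000 deliberately prescribes no scoring scheme, so the 5-point likelihood and consequence scales, the multiplicative level, the two numeric thresholds, the risk itself and its owner are all assumptions made for the illustration (consequence/likelihood matrices are catalogued in IEC 31010, not in ISO 31000).

```python
"""Toy risk register walking one constructed security risk through the
ISO 31000 process steps: identify, analyse, evaluate against risk criteria,
treat with the options listed above, and keep a record for monitoring/review.
ISO 31000 prescribes no scoring scheme; the 5-point scales and the numeric
thresholds below are assumptions made for this example."""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Optional, Tuple


class Treatment(Enum):
    """The treatment options listed in ISO 31000; they may be combined."""
    AVOID = "avoid by not starting or continuing the activity"
    TAKE = "accept or increase the risk to pursue an opportunity"
    REMOVE_SOURCE = "remove the risk source"
    CHANGE_LIKELIHOOD = "change the likelihood"
    CHANGE_CONSEQUENCES = "change the consequences"
    SHARE = "share the risk with another party (contract, insurance)"
    RETAIN = "retain the risk by informed decision"


@dataclass(frozen=True)
class Risk:
    """Identify: an effect of uncertainty on a named objective, with an owner."""
    name: str
    objective: str
    likelihood: int                  # 1 (rare) .. 5 (almost certain); assumed scale
    consequence: int                 # 1 (negligible) .. 5 (severe); assumed scale
    owner: str
    treatments: Tuple[Tuple[Treatment, str], ...] = ()   # audit trail for review

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.consequence <= 5):
            raise ValueError("likelihood and consequence must be on the 1..5 scale")


# Risk criteria (assumed, organisation-specific). Level = likelihood x consequence.
ACCEPT_AT_OR_BELOW = 4       # accepted without treatment
TOLERATE_AT_OR_BELOW = 12    # may be retained, but only by an informed, owned decision


def level(risk: Risk) -> int:
    """Analyse: combine likelihood and consequence into a single level."""
    return risk.likelihood * risk.consequence


def evaluate(risk: Risk) -> str:
    """Evaluate: compare the analysed level with the risk criteria."""
    lvl = level(risk)
    if lvl <= ACCEPT_AT_OR_BELOW:
        return "accept"
    if lvl <= TOLERATE_AT_OR_BELOW:
        return "retain-with-owner-decision"
    return "treat"


def treat(risk: Risk, option: Treatment, note: str,
          likelihood: Optional[int] = None,
          consequence: Optional[int] = None) -> Risk:
    """Treat: apply one option and return the residual risk; the input is unchanged."""
    if option in (Treatment.AVOID, Treatment.REMOVE_SOURCE):
        # no activity or no source: the risk drops to the bottom of the scale
        likelihood, consequence = 1, 1
    elif option is Treatment.CHANGE_LIKELIHOOD and likelihood is None:
        raise ValueError("CHANGE_LIKELIHOOD needs the new likelihood")
    elif option is Treatment.CHANGE_CONSEQUENCES and consequence is None:
        raise ValueError("CHANGE_CONSEQUENCES needs the new consequence")
    elif option is Treatment.RETAIN and evaluate(risk) == "treat":
        # retaining is only an informed decision inside the tolerable band
        raise ValueError("risk exceeds the tolerable level; it cannot simply be retained")
    return replace(
        risk,
        likelihood=risk.likelihood if likelihood is None else likelihood,
        consequence=risk.consequence if consequence is None else consequence,
        treatments=risk.treatments + ((option, note),),
    )


def worked_example() -> dict:
    """Constructed example: an unpatched internet-facing service."""
    inherent = Risk(
        name="Exploitation of an unpatched internet-facing service",
        objective="confidentiality and availability of customer data",
        likelihood=4, consequence=5, owner="Head of Platform Engineering",
    )
    r = treat(inherent, Treatment.CHANGE_LIKELIHOOD,
              "30-day patch SLA and WAF in front of the service", likelihood=2)
    r = treat(r, Treatment.CHANGE_CONSEQUENCES,
              "segment the database and encrypt customer data at rest", consequence=3)
    r = treat(r, Treatment.SHARE, "cyber-insurance cover for incident response cost")
    r = treat(r, Treatment.RETAIN, "residual risk accepted by the owner at quarterly review")
    return {
        "inherent": (level(inherent), evaluate(inherent)),
        "residual": (level(r), evaluate(r)),
        "treatment_count": len(r.treatments),
        "owner": r.owner,
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

Running the module prints the inherent and residual levels of the constructed risk. Two design points matter more than the numbers: the options that reduce a risk must state what they change (likelihood or consequence), whereas sharing and retaining are recorded as decisions without altering the level; and retaining is refused while the risk sits above the tolerable band, which is what "by informed decision" amounts to in practice. Because each treatment returns a new immutable record, the chain of treatments doubles as the evidence reviewed at the monitoring step.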

Accreditation


ISO 31000 was not developed with certification in mind: it provides guidelines rather than requirements, so an organization cannot be certified against it. This was stated for the 2009 edition and remains true of ISO 31000:2018.

History

Year  Description
2009  ISO 31000:2009, 1st edition (Risk management – Principles and guidelines)
2018  ISO 31000:2018, 2nd edition (Risk management – Guidelines)

See also


References

  1. ^ a b Purdy, G (2010). "ISO 31000:2009--Setting a New Standard for Risk Management". Risk Analysis. 30 (6): 881–886. Bibcode:2010RiskA..30..881P. doi:10.1111/j.1539-6924.2010.01442.x. PMID 20636915.
  2. ^ ISO 31000 catalogue http://www.iso.org/iso/catalogue_detail.htm?csnumber=43170
  3. ^ "The revision of ISO 31000 on risk management started 2015-05-13". ISO. 13 May 2015. Retrieved 2017-02-23.
  4. ^ "ISO/DIS 31000 – Risk management – Guidelines". ISO. Retrieved 2017-02-23.
  5. ^ Aven, Terje, and Marja Ylönen. "The strong power of standards in the safety and risk fields: A threat to proper developments of these fields?." Reliability Engineering & System Safety 189 (2019): 279-286.
  6. ^ https://www.iso.org/files/live/sites/isoorg/files/store/en/PUB100426.pdf [bare URL PDF]
  7. ^ ISO (7 May 2024). "ISO 31000:2018". ISO.org. Retrieved 7 May 2024.
  8. ^ "Standardized Risk Management: ISO 31000". IONOS Start up guide. 6 August 2020. Retrieved 2022-06-16.
  9. ^ "optaresystems.com". www.optaresystems.com.
  10. ^ "ISO 9001:2015 – Just published! (2015-09-23)". ISO. 23 September 2015. Retrieved 2017-02-23.
  11. ^ "Risk and the ISO 9001 Revision". Retrieved 2017-02-23.
  12. ^ "optaresystems.com". www.optaresystems.com.
  13. ^ Implications for ISO adoption http://www.optaresystems.com/index.php/optare/publication_detail/iso_31000_update_what_it_will_mean_for_a_cso/