MANAGEMENT & ACCOUNTING

ISO 31000 and the Principles for

Managing Risk
Patrick Ow

The International Standard ISO 31000 “Risk management – principles and guidelines on
implementation”1 is the first generic international standard on risk management that clearly
and explicitly sets out the principles and framework for managing risk, so that risk manage-
ment can be an integral part of the organisation’s overall governance, management, report-
ing processes, policies, philosophy and culture, thereby helping organisations comply with
legal and regulatory requirements as well as improve their performance.

T
his international standard can
be applied to any public, private
and community enterprise, as-
sociation, group or individual
and throughout the life of an organisation,
and to a wide range of activities, process-
es, functions, projects, services and opera-
tions. It provides a common approach
in support of other international and
local standards dealing with specific
areas of risks and/or sectors, and
does not replace them.
It is not the intent of this standard to
impose uniformity of risk management
to organisational activities and processes. tices (Principle 1), whereby quantifiable
In order to demonstrate that risk man- measures and targets tell us whether
agement does create value for the organi- risk management activities have indeed
sation, we should be able to demonstrate created value for the organisation
that risk management: n helps decision makers to make informed
n is not a standalone, compliance or tick-of- choices, prioritise actions and distin-
box activity that can be separated from the guish among alternative courses of action
Principles for managing risk Framework for managing risk Process for managing risk Attributes of
(Clause 4) (Clause 5) (Clause 6) enhanced risk
management
1. Creates value
2. Integral part of Mandate and (Annex A —
organisational processes commitment Informative)
Establishing the Context
3. Part of decision-making
4. Explicitly addresses Risk
Communication and Consultation

uncertainty Assessment
Design of
across organisations as the design and

Monitoring and Review

5. Systematic, structured framework for Risk Identification
implementation of risk management and timely managing risk
will depend on the varying needs of or- 6. Based on the best
available information Risk Analysis
ganisations and their specific context. 7. Tailored
Therefore, ISO 31000 is not intended Continual Implementing
8. Takes human and cultural improvement of risk
factors into account Risk Evaluation
to be used for the purpose of certifica- the framework management
tion (or standardisation). 9. Transparent and inclusive
10. Dynamic, iterative and Risk Treatment
The relationships between the key responsive to change
parts of ISO 31000 are shown in the 11. Facilitates continual Monitoring and
diagram. improvement and review of the
enhancement of the framework
organisation
Risk management programme
must create value for the main activities and processes of the organ- (Principle 3), all based on the best avail-
organisation isation - but instead, as an integral and in- able information to these decision makers
The most important principle is for your tegrated part of organisational processes, (Principle 6) through the organisation’s
risk management programme to create including all project and change manage- reporting and governance structure and
value for the organisation (Principle 1). ment processes (Principle 2) processes
Risk management should contribute to the n drives a demonstrable and measurable
demonstrable and measurable achievement achievement of objectives and improve- 1 Currently in draft and is expected to be issued
of objectives, which includes improvements ment of organisational processes/ prac- later this year.

 ACCOUNTANTS TODAY s-AY


n has dealt with those aspects of
decision-making that are un-
certain, considered the nature
of that uncertainty and how it
can be addressed (Principle
4), and whether risk treat-
ment plans will be adequate 1%#
and effective
2 Translate the Strategy
n contributes to the efficiency,
consistency, and reliability of
*,!#"
0!-/#!/"
the organisation’s performance
results over time (Principle 5)
n facilitates the continual im-
provement and enhancement
of all aspects of the organisa-
tion (including risk manage- 1%#
ment maturity) (Principle 11
3 Plan Operations
and Annex A).
Risk management is all about
helping organisations achieve
their objectives and create
value by:


,ecute the process and initiatives
n clarifying what are these strate-
gic and operational objectives,
measures and action plans
n articulating, documenting and commu-
nicating these strategic and operational
objectives, measures and action plans
n effectively managing those uncertainties
(or risks) that are linked to objectives
and the achievement of these strategic
and operational objectives, measures
and action plans
n aligning individual performance to have
a clear line-of-sight towards achieving
the organisation’s objectives, measures
and action plans.
Risk management is an integral part
of the organisation’s processes
Organisations can integrate or embed
risk management into their culture, and
existing structures and processes by:
n tailoring or customising risk manage-
ment for the organisation by taking into
account human and cultural factors,
especially when we recognise that the
capabilities, perceptions and intentions
of external and internal people can fa-
cilitate or hinder the achievement of or-
ganisational objectives (Principle 8)
n aligning risk management with the or-
ganisation’s external and internal con-
text, risk profile (Principle 7), and risk
appetite and risk tolerance
n carrying out an implementation approach
ACCOUNTANTS TODAY s-AY
1%#
1 Develop the Strategy
.

Define strategic objectives
and themes
.

Select strategic indicators
targets and initiatives
#02*10
.

cascade and define operational
objectives, indicators and targets
.

Develop plans and budgets
.

Align staff performance
(A".1#"
$/-+


.*,


-/1-,
01#/',%
1&#
,%#+#,1
601#+

Harvard Business Review article
,2/6

.

.
#reat Risks
1%#
4
that is simple, consistent, systematic,
timely and structured (Principle 5)
n involving the relevant stakeholders ap-
propriately in a timely manner, and be-
ing transparent to them, so that risk
management remains relevant and up-
to-date (Principle 9)
n being dynamic, iterative and responsive to
change, whereby the organisation should
ensure that risk management continually
senses and responds to change as new
risks emerge and others disappear due to
changes in internal and external events,
context and knowledge change, and moni-
toring and review activities (Principle 10).
General roles, responsibilities and ac-
countabilities for risk management
should be incorporated into:
n individual’s job or position descriptions
or responsibilities (for paid employees
and volunteers/unpaid employees)
n committees or teams’ terms of reference
or charters
n reporting format, with a risk management
section featured in all reports produced
n meeting agendas, with risk management
featured as a standing agenda item in eve-
ry meeting held within the organisation.
These inclusions ensure adequate un-
derstanding, commitment and communica-
tion of risk. They also promote awareness
ISO 31000 and the Principles for Managing Risk
.

Define mission, vision and values:
clarity of purpose
.
Conduct strategic analysis
.
F$&")!()%(
'(&(-
.
Understand context
1/1#%'!
*,
Test and Adapt Strategy 1%#
6
.

Conduct profitability analysis
.
Conduct strategy correlation
7
1/1#%'!
- (#!1'3#0 analysis
7
1/1#%6
+.
.
Examine emerging strategies
#/$-/+,!#

7

+#1/'!0
7
W-/)$-/!#
.*,,',%
'0)
#%'01#/
Operational Plan
.
'$rds
Monitor and Learn
.

Hold strategy reviews
5
1%#
.
!#'
#
)(' .
Hold operational reviews
7
/-
$-/+
0
.
Hold individual performance reviews
.
Monitor and Review Risk and
#/$-/+,!#
Risk Register
+#1/'!0
#02*10
of responsibilities and accountabilities,
and harness the required actions.
To be successful, risk management should
function within an overarching risk manage-
ment framework which provides the neces-
sary foundations and organisational arrange-
ments that will embed risk management
throughout all organisational levels and in-
tegrate the risk management process within
overall governance, management, reporting
processes, policies, philosophy and culture.
Because ISO 31000 stipulates that the risk
management framework is not intended to
describe a separate management system,
but rather to assist organisations to integrate
risk management within the context of the
overall management system, organisations
must therefore adapt and customise the
framework components according to their
specific needs and circumstances.
For a start and as an example, risk manage-
ment can be integrated into an organisation’s
strategic planning process, as shown in the di-
agram above. Whatever technique or frame-
work is used to manage risks, it is essential
that it is related directly to the objectives of
the organisation, business unit / department,
programme and services. Therefore, the first
step in evaluating risk is often the confirma-
tion (or setting) of objectives. AT
Contact the writer at patrickow@gmail.com.