ISO 31000: Monitor, review and report (Part #10)

Posted by Atheal Alwash on Wed, May 10, 2017

The final stage of a successful risk management strategy that follows the ISO 31000 framework is to continuously monitor and review the appropriateness of the risk criteria, analysis, treatment, and the framework itself.

A comprehensive risk strategy involves continuous evaluation as the organisation evolves. It could be that reviews are performed annually, monthly, or weekly – it’s up to the leadership to determine the review and reporting requirements of the accountable individuals involved in delivering and monitoring risk processes.




Clause 6.6: Monitor and Review

As with all Standards within the higher Annex SL framework, the concept of Plan, Do, Check, Act applies to the risk management strategy an organisation creates under ISO 31000. An integral part of ensuring continuous quality and improvement in process, efficiency, and output is to monitor strategic goals and performance on a regular basis.


Plan Do Check Act.png

When a risk has changed, for example, an external factor such as the exchange rate has impacted upon trade, the risk treatment needs review. But the whole risk strategy needs to be considered as a constantly evolving element as the objectives of an organisation change over time.

A review process should include all stakeholders, internal and external, to ensure a holistic input into the ongoing shaping of the risk management processes.

Clause 6.7: Recording and Reporting

The full risk management process needs to be recorded and reported to:

  • Ascertain the organisation’s stance on risk culture, appetite, and tolerance
  • Communicate effectively to all stakeholders at key stages
  • Deliver clear data on the effectiveness of risk treatment plans
  • Improve engagement with stakeholders and draw on feedback
  • Provide valuable information for decision making across the organisation

Reporting timeframes and performance metrics are to be determined at an early stage of the strategy development, to manage expectations of stakeholders and ensure timely and appropriate information gathering.

Reports should consider information such as the audience type, data sensitivity, and how the data relates to overall objectives and goals of the organisation.

That’s it! You’ve come to the end of your ISO 31000 Toolkit. Don’t worry – there are plenty more resources available here: Business Case Toolkit.

If you’d like to find out how EQMS Risk Manager can help you deliver ISO 31000, alongside several other Standards such as ISO 27001, request a free no-obligation demonstration here. 


Reducing business risk

Tags: ISO 31000

ISO 31000: Developing your risk treatment strategy (Part #8)

Posted by Chris Owen on Wed, May 03, 2017

Once risks have been identified, analysed, and evaulted, the appropriate risk treatment should be applied to reduce, remove, or retain each risk depending on a range of factors.

An organisaiton might choose to retain a risk if it is inevitable, unavoidable, or lies within the risk tolerance level of the business as defined earlier in the scoping of the risk management strategy. The risk tolerance and risk appetite of an organisation will have a strong impact on the risk treatment, as some may choose to retain more significant risks than others if the potential positive outcomes are worth the balance.

Risk treatment involves a range of processes, including:

  • The formulation and selection of risk treatments
  • The implementation of the required action for each risk
  • An assessment of residual risk
  • Determining further controls if the residual risk is still too high
  • Assessing the effectiveness of the risk treatment in the long term.

Risk treatment options are not universal and may also change as the objectives or context of the strategy or the organisation evolve.


Types Of Risk Treatment

There are a range of risk treatment options, including but not limited to:

  • Remove the risk altogether
  • Change the likelihood (such as move servers to a higher floor to reduce risk of flood damage)
  • Change the consequences
  • Share the risk through agreements, partnerships, further insurance etc
  • Retain and mitigate the risk by informed decision

It is up to the organisation to determine the balance between the benefits of retaining a risk (such as a competitive advantage) against the potential cost, adverse impact, and disadvantage of implementation.

Residual risk should be considered in all cases where a risk has been determined as essential or unavoidable. There may be several options to mitigate risk to reduce the likelihood, consequence, or severity of a risk incident, and these may flow one to another for continuous risk mitigation.

For example, an unavoidable risk could be that of fire damage to paper files. This is mitigated by filing in metal cabinets, which are mitigated further by storage in a specified room, mitigated further by the implementation of sprinklers. Alternatively, an organisation could see this risk and choose to become a paperless organisation, removing the risk of lost data held on paper – but then would have to consider back-up and storage security of digital data.

Clause 6.5.3: Preparing And Implementing Risk Treatment Plans

Once risks have been identified, evaluated, and a risk treatment course of action determined, the next step is to communicate this information to key shareholders.

A treatment plan should be concise, accurate, and deliver information in a timely and clear manner. It needs to outline the risk criteria, analysis, and treatments, and also identify who is accountable for ensuring listed controls are applied.

A good risk treatment plan will demonstrate what the risk is, how it is mitigated, who is responsible, the required timeframe for action, and reporting requirements for accountable individuals.

A risk treatment plan is useful for communicating on a broad level the current risk management strategy, the rationale behind decisions made regarding removed, mitigated, or retained risks, and how responsibility is divided. This ties in well with Clause 5.2, Leadership and Commitment, and Clause 6.2, Communication and Consultation.

These plans need to be integrated into overall business performance objectives and reviews, with full commitment from management if it is going to be continuously effective and drive improvement and efficiency across the organisation.

Next in the series: Clause 6.6 – Monitoring and Review

ISO 31000 Risk Management Toolkit

Tags: ISO 31000

ISO 31000: Establishing the context (Part #6)

Posted by Chris Owen on Wed, Apr 26, 2017

When creating, developing, and implementing a risk framework such as ISO 31000, it is essential to establish the context of the risk strategy in terms of internal and external factors, risk type, measurement plans, and appropriate processes.

Clause 6.3.1 in ISO 31000 begins as a general introduction to establishing the context – something already covered in Clause 5.3 in more depth. It is essential that the context of the organisation is developed to be confident in establishing the context of the risk strategy within it.



The context of the risk management strategy is to be defined in line with the context of the organisation’s activities and objectives as established in the context of the organisation. It must also be considered that a risk management strategy is not standalone from other activities of the organisation – it should be an integral part to each area of the business for effective risk management.

The context should consider:

  • Time, location, specific inclusions/exclusions
  • Business objectives and activities
  • Resources, including accountability and responsibilities
  • Records, including where they are kept and a standard reporting process


Clause 6.3.4: Defining Risk Criteria

The risk criteria will define the risk management process. Identifying and defining the risk criteria enables and organisation to deliver a concise, efficient, and standard process to realising and mitigating risk.

Considerations when defining risk criteria may include:

  • The nature and type of uncertainties affecting the outcomes of risks and objectives
  • Legal, regulatory, contractual, and voluntary commitments of the organisation
  • The likelihood of a risk and the impact of its consequence
  • Timeframes of risk cause and risk treatment
  • Complex and multiple risks – chain of risk impacts
  • How to determine the severity of a risk

All risks should be defined within the context of the organisation, in relation to the objectives and activities of the business, to be most effective. The above list is not exhaustive and you may find other factors or considerations to bring into account when defining how to identify risk criteria for your risk management strategy. This is where the ISO 31000 framework is particularly useful, as the flexibility within the framework allows organisations to define their own approach and scope of risk according to the business objectives and goals.

Next in the series: Clause 6.4 Risk Assessment Process

ISO 31000 Risk Management Toolkit

Tags: ISO 31000

ISO 31000: Risk assessment (Part #7)

Posted by Liam Pollard on Wed, Apr 26, 2017

Once the context of the organisation and the scope of the risk management strategy are defined, the risk criteria are identified and developed (Clause 6.3). These criteria are designed to establish the way risks are recognised and recorded.


The next step of the framework, Clause 6.4, is risk assessment. This is the overall process of identifying risks, analysis, and the evaluation of risk criteria effectiveness. The whole process is designed to be systematic, iterative, and collaborative so that a comprehensive and integrated risk management strategy is developed. At all stages of risk assessment it is vital to communicate with and involve key internal and external stakeholders where required, to make the most of broad experience and knowledge to develop a strong strategy.

Clause 6.4.2: Risk Identification

The first step in risk assessment is the identification stage. You are required to find, understand, and describe risks. Remember that a risk is considered as something that could hinder, prevent, or even help, an organisation to achieve its strategic objectives.

During the risk identification stage it is vital to use the latest information available: factual, timely, and accurate data will enable you to develop the most relevant strategy.

Factors to consider when identifying a risk to your organisation may include:

  • Tangible and intangible sources
  • Causes / events
  • Threats and opportunities (even positive risks need to be assessed)
  • Existing capabilities for handling risk, and any vulnerabilities
  • Contextual changes, such as alteration to an external factor
  • Resources available, the nature and value of such
  • The likelihood and consequences of a risk
  • The severity of a risk should it occur
  • Knowledge gaps (the known unknowns)
  • Time resources and allocation of risk management team
  • The bias, experiences, and assumptions of stakeholders involved in risk assessment

When identifying a risk, it’s important to note that there may be more than one outcome to a risk occurrence – and that this may impact upon further identified risks.


Clause 6.4.3: Risk Analysis

The risk analysis phase allows for decisions to be made regarding risk treatment, and to further identify and define the organsation’s risk appetite. The risk type, level, and likelihood are all taken into consideration alongside detailed factors such as available resource and internal/external influences.

There may be multiple outcomes possible from one risk incident, and this may impact on further risks – the domino effect of a risk should also be considered within the context of the organisation’s objectives.

The techniques used to analyse risk are plenty and varied, and it is up to the organisation to define the ones used. Some of this is covered in Clause 6.3, as the context of the risk strategy includes the definition of risk criteria and measuring capabilities. You may choose to use a qualitative, semi-quantitative, or quantitative approach, or a combination of all three, in order to determine how to analyse risks.

Remember that risk is very subjective. While communication with key stakeholders at all stages of risk management strategy development and implementation is vital, an approach must be taken where bias it mitigated in some way. One person may perceive a risk as highly likely and severe, while another may consider it moderately likely and less severe. It’s up to your organisation to determine how to define the measurement of the level of risk, and this will impact how you measure and analyse risks.


Clause 6.4.4 Risk Evaluation

The final stage in the risk assessment process is risk evaluation. The idea behind evaluation is to allow an organisation to make decisions regarding risk treatment and the prioritising of risk mitigation with ease.

Risk evaluation takes the risk criteria and measures against the risk analysis to determine:

  • Effectiveness of criteria definition
  • Which risks are highest priority
  • How to approach the next steps (risk treatment)
  • Success of risk analysis process (are there any knowledge gaps remaining?)

The outcome of a risk evaluation could result in several actions: you will either need to assign further analysis, maintain your existing controls, or reconsider the objectives of the risk strategy in alignment with the organisation objectives.

Regular evaluation allows you to develop a comprehensive and mature risk management strategy, as changes to risk factors, impact, consequence, and objectives can be addressed in a reasonable time frame.

Next in the series: Clause 6.5 – Risk Treatment

ISO 31000 Risk Management Toolkit

Tags: ISO 31000

ISO 31000: Understanding the context of the organisation

Posted by Michael Ord on Wed, Apr 05, 2017

As part of ISO 31000, leadership need to demonstrate an understanding of the organisation and its context in regards to internal and external influences.

Being able to demonstrate the context of the organisation helps a business to properly align its risk management strategy with its overall risk appetite and risk tolerance in order to gain a competitive edge without compromising business continuity.



Considering PESTLE – Your External Contributors To Risk

Common factors to consider when understanding your organisation’s context in relation to external factors can be assessed using the PESTLE acronym:

  • Political
  • Economic
  • Social
  • Technological
  • Legal
  • Environmental

There are, of course, further factors which will influence the risk elements of an organisation, but it is these which are key to understand for any business.

With each element of the PESTLE acronym, it is important to consider: trends, external stakeholder relationships or impact, drivers affecting the organisation’s objectives, and contractual relationships and agreements.



Assessment Of Internal Context

Understanding the internal context could include the mission, vision, values and the alignment of strategic goals and objectives; standards or regulations adopted by the organisation (which are not required by legislation – that falls under external); and impact of resource.

Internal context can also cover:

  • Complexity of networks
  • Knowledge resource, sharing, and management
  • Contractual agreements and internal dependencies, and
  • Information systems including technological resource or reliance


Wistia video thumbnail - EQMS Risk Manager

Thanks for reporting a problem. We'll attach technical data about this session to help us figure out the issue. Which of these best describes the problem?

Any other details or context?


The Role Of Leadership In Understanding The Context

When leaders have recognised the influence of external and internal factors which may impact on risk, it is up to them to use this information – the context of the organisation – to assess the severity and likelihood of risks posed within these parameters.

As part of the risk management strategy, once the context is defined it is helpful to the progress of an organisation adhering to an ISO 31000 framework to communicate definitions and understanding to key stakeholders.

Next in the series: Clauses 5.4, 5.5, and 5.6 – Implementation, Evaluation, and Improvement

ISO 31000 Risk Management Toolkit

Tags: ISO 31000

ISO 31000, clause 5.2: Leadership and commitment – 11 essential requirements

Posted by Gemma Baldan on Wed, Mar 29, 2017

Within ISO 31000, as in all ISO Standards following the new Annex SL higher framework, leadership is an essential consideration in applying the framework. The ability to communicate the what, why, and how of a risk management process is crucial to on-boarding all stakeholders in their commitment to contributing to continuous improvement.


Leadership is required to follow eleven essential requirements set out within ISO 31000, including:


#1: Align with the strategies and objectives of the organisation

Leaders need to identify the overall business strategies and objectives and align the approach of risk management with such. By doing so, leadership can more accurately assess the risk appetite and culture of the organisation in order to create a focused and integrated risk strategy.


#2: Ensure alignment with risk management and risk culture

The risk culture of an organisation is set at a strategic level, but is the responsibility of leadership to communicate this to all individuals in the business. This ensures that the approach to risk is completely aligned at every level, and that risk management processes are appropriately delivered in accordance with overall business goals.


#3: Define and endorse the risk management policy

The leadership are required to set out the risk management policy, and ensure that this is endorsed across the organisation. Without all-level involvement and understanding, the risk management process can be undermined and not provide a strong enough structure to mitigate risks.


#4: Allocate resources to risk management

Depending on the risk appetite of an organisation, and the perceived level of risk, leadership are able to use a comprehensive risk management strategy to appropriately allocate resource where required. Understanding where the greatest resource is required helps to mitigate ongoing risk. It may be that the lower-level risks require greater resource as the likelihood is higher. For example, customer service failures could be a risk to company reputation – so a greater resource is required on an ongoing basis to prevent incidents than for a potentially severe risk with low probability (such as an earthquake on a non-fault line area). 


#5: Assign accountability, responsibility, and authority at appropriate levels

Risk management only works if there is accountability across an organisation: it cannot lie with one person alone. Leadership must align the risk management strategy and identify who needs to take responsibility for each area of risk, and ensure these people are accountable for reporting on their aspect of the risk management process on a regular basis.


#6: Recognise and address contractual obligations and voluntary commitments

Risk involves external parties and influencers as well as internal processes and stakeholders. Leaders must make sure that any contractual obligations (such as downtime SLAs for a hosting company) are assessed and met within the risk management system. An orgnaisation committed to improving quality on a continuous basis, such as those accredited to ISO 9001:2015 are also wise to ensure voluntary agreements – internal and external – are assessed also.




#7: Establish risk criteria, risk appetite, and risk tolerance and ensure they are understood and communicated

Leadership must ensure that the risk management strategy applied using ISO 31000 is clearly and comprehensively communicated to all staff. This includes the risk appetite and tolerance, and ensuring an understanding of those concepts in the context of managing risk on a day-to-day basis within individual roles.



#8: Ensure risk management performance indicators are included as the performance indicators for the whole organisation

Risk management is required to be an integrated part of the organisation in order to be effective. As such, leadership responsible for risk management reporting must be able to represent the risk performance indicators in relation to their impact on overall business performance, goals, and strategies. This includes managing those responsible for risk at a granular level within departments to deliver an overview of the impact on the organisation as a whole.


#9: Communicate the value of risk management to the organisation and key stakeholders

Communication is the most effective strategy for implementing an integrated, comprehensive, and effective risk management process. It is up to leadership to devise and implement a communication plan regarding risk management, incorporating internal staff and any relevant external stakeholders.


#10: Promote the systematic monitoring of risk

A risk management strategy is only effective if it’s applied, monitored, and reviewed on a regular basis. This enables leadership to identify knowledge gaps, or problematic areas of risk which need further attention – as well as illustrate where the risk management process is a success.

 risk register.png

#11: Continuous review of appropriateness of the framework and risk management processes

As an organisation grows, merges, is acquired, or takes on new sectors or opportunities, so the risk strategy will need to be redefined. The same applies for the political, environmental, and economical influences on an industry or organisation: if these change, it is likely the risk register requires a review. At each stage of change, leadership must review the appropriateness of the ISO 31000 framework and ensure the processes laid out are relevant, proactive, and clear.


Next in the series: Clauses 5.3 – Design: Understanding Organisation And Context

ISO 31000 Risk Management Toolkit

Tags: ISO 31000

ISO 31000: Risk management principles

Posted by Michael Ord on Wed, Mar 22, 2017

ISO 31000 relies on the application of some core risk management principles. These are designed to illustrate the importance of risk within the context of the organisation, and will help you to understand why risk management is vital to business success.


Core Risk Management Principles

Core risk management principles PNG.png

Assessing risk enables you to create and protect value within your organisation. Identifying risks allows you to illustrate areas for improvement, align business goals with a more refined scope, and protect your assets (physical and intellectual).


How Risk Management Creates And Protects Value

Risk is often approached in a haphazard manner, when frameworks such as ISO 31000:2009 are not yet in place. This leads to higher costs associated with failures, which reduces the overall value of the organisation. Failures caused by poorly managed risks can also damage the reputation of an organisation, with the impact spreading much further than the initial risk failure.

For example, a manufacturer that does not check the quality of materials from a supplier could unknowingly create a sub-standard product. The far-reaching cost of this poorly managed risk extends to recall processes, replacements, refunds, machine downtime, delay in re-supply, and ongoing costs to reputation which could result in less new business and lost existing customers.

When risks are identified, action can be put in place to mitigate the damage should the risk occur. Risks can be more easily managed, and risk treatment plans will reduce the long-term cost of a risk occurrence.




More Efficiency, Greater Profit

Risk management creates value by helping an organisation to identify not only potential hazards to the business, but also possible opportunities.

A more efficient risk management process will impact on business operation: workplace risks can be removed to create a safe environment, or data controls put in place to simplify document access and reduce risk to stolen or corrupted data.

Creating a more efficient environment will naturally increase the profit margin of a smooth-running business. However, opportunities identified during risk management can also be implemented to further create value in an organisation.

For example, the understanding that sharing knowledge via a document hub is less risky than relying on one person to hold the knowledge for a process will lead to a more collaborative working environment. This knowledge share could open further innovative discussion for future profit opportunities, and will at the very least enable the organisation to maintain business continuity.


Next In The Series: Clause 5.2 – Leadership and Commitment: 11 Essential Steps

ISO 31000 Risk Management Toolkit

Tags: ISO 31000

Introduction to ISO / DIS 31000:2017

Posted by Emily Hill on Thu, Mar 16, 2017

ISO 31000 is the risk management framework designed to provide any organisation in any sector the guidelines to create a comprehensive risk assessment process.

You cannot achieve ISO 31000 accreditation as there is no certificate for this standard. It is, however, a useful Standard to adhere to for comprehensive risk management, and will also assist in the process for accreditation for further Standards such as ISO 9001:2015 and ISO 27001.



Why Manage Risk?  

Every week, there are countless examples of organisations who have hit the headlines because they have not effectively managed risk. United AirlinesVolkswagen, and Tesco are but a few examples from the past few years who have failed to effectively manage weaknesses and threats. Failure to effectively manage risk is not only expensive and damaging to your reputation, it also means your organisation is missing out on many opportunities. 

Read more on this: Opportunities & Risks 




A Common Language

ISO 31000 provides an outline to risk principles, including an introduction to common vocabulary experienced in risk management processes.

By using the Standard as a guide to creating your risk management processes, the common language used will prevent miscommunication at any point, and create a greater strength of overall understanding.

ISO standards such as ISO 9001:2015 have changed the mindset of organisations towards risk-based thinking as a cultural issue rather than just the role of the quality team. This means a cultural shift including the responsibility of individuals across an organisation towards a risk aware culture. A common language improves the communication between staff regarding risk management and introduces the concept of risk as the responsibility of all rather than a small team.


A Framework, Not A Process

ISO 31000, like other Standards, addresses the ‘what’ far more than the ‘how’ and the ‘why’ of implementing a Standard. The idea behind 31000 is to create a framework from which to build your risk management process: it is not an instruction on how to assess risk.

The flexibility of this framework means that it applies to any organisation, anywhere in the world, and of any size.


Benefits of ISO 31000

Key benefits of implementing ISO 31000 include:

  • Identify business, operational, external, internal, and workplace risks in a standardised process
  • Common understanding of risk principles across key stakeholders in an organisation
  • Realise potential opportunities
  • Identify risk appetite and risk culture of the organisation
  • Align business objectives based upon risk appetite
  • Introduce risk management concepts for transition to other Standards such as ISO 27001 and ISO 9001:2015
  • Allocate resources more efficiently aligned with perceived risk levels
  • More efficient business operation

There are many more individual benefits to implementing ISO 31000 depending on an organisation’s particular needs, environment, and lifecycle stage.


Coming Up In The Toolkit Series

You will learn the risk management principles, and discover how each key clause in ISO 31000 work together to deliver a comprehensive framework.

Next up in the series is Clause 4: Risk Management Principles For Value Creation And Protection.


ISO 31000 Risk Management Toolkit




Tags: ISO 31000