ISO 31000, clause 5.2: Leadership and commitment – 11 essential requirements

Within ISO 31000, as in all ISO Standards following the new Annex SL higher framework, leadership is an essential consideration in applying the framework. The ability to communicate the what, why, and how of a risk management process is crucial to on-boarding all stakeholders in their commitment to contributing to continuous improvement.


Leadership is required to meet the eleven essential requirements set out within ISO 31000, which are as follows:


#1: Align with the strategies and objectives of the organisation

Leaders need to identify the overall business strategies and objectives and align the approach of risk management with such. By doing so, leadership can more accurately assess the risk appetite and culture of the organisation in order to create a focused and integrated risk strategy.


#2: Ensure alignment with risk management and risk culture

The risk culture of an organisation is set at a strategic level, but it is the responsibility of leadership to communicate this to all individuals in the business. This ensures that the approach to risk is completely aligned at every level, and that risk management processes are delivered in accordance with overall business goals.


#3: Define and endorse the risk management policy

Leadership is required to set out the risk management policy and ensure that it is endorsed across the organisation. Without involvement and understanding at every level, the risk management process can be undermined and fail to provide a strong enough structure to mitigate risks.


#4: Allocate resources to risk management

Depending on the risk appetite of an organisation and the perceived level of risk, leadership is able to use a comprehensive risk management strategy to allocate resource appropriately where it is required. Understanding where the greatest resource is needed helps to mitigate ongoing risk. It may be that lower-level risks require greater resource because their likelihood is higher. For example, customer service failures could be a risk to company reputation, so a greater resource is required on an ongoing basis to prevent such incidents than for a potentially severe risk with low probability (such as an earthquake in an area away from fault lines).


#5: Assign accountability, responsibility, and authority at appropriate levels

Risk management only works if there is accountability across an organisation: it cannot lie with one person alone. Leadership must align the risk management strategy and identify who needs to take responsibility for each area of risk, and ensure these people are accountable for reporting on their aspect of the risk management process on a regular basis.


#6: Recognise and address contractual obligations and voluntary commitments

Risk involves external parties and influencers as well as internal processes and stakeholders. Leaders must make sure that any contractual obligations (such as downtime SLAs for a hosting company) are assessed and met within the risk management system. An organisation committed to improving quality on a continuous basis, such as one accredited to ISO 9001:2015, is also wise to ensure that voluntary commitments, internal and external, are assessed too.


#7: Establish risk criteria, risk appetite, and risk tolerance and ensure they are understood and communicated

Leadership must ensure that the risk management strategy applied using ISO 31000 is clearly and comprehensively communicated to all staff. This includes the risk criteria, risk appetite, and risk tolerance, and ensuring that those concepts are understood in the context of managing risk on a day-to-day basis within individual roles.


#8: Ensure risk management performance indicators are included as the performance indicators for the whole organisation

Risk management must be an integrated part of the organisation in order to be effective. As such, the leaders responsible for risk management reporting must be able to present the risk performance indicators in relation to their impact on overall business performance, goals, and strategies. This includes managing those responsible for risk at a granular level within departments so as to deliver an overview of the impact on the organisation as a whole.


#9: Communicate the value of risk management to the organisation and key stakeholders

Communication is the most effective strategy for implementing an integrated, comprehensive, and effective risk management process. It is up to leadership to devise and implement a communication plan regarding risk management, incorporating internal staff and any relevant external stakeholders.


#10: Promote the systematic monitoring of risk

A risk management strategy is only effective if it’s applied, monitored, and reviewed on a regular basis. This enables leadership to identify knowledge gaps, or problematic areas of risk which need further attention – as well as illustrate where the risk management process is a success.


#11: Continuous review of appropriateness of the framework and risk management processes

As an organisation grows, merges, is acquired, or takes on new sectors or opportunities, the risk strategy will need to be redefined. The same applies to the political, environmental, and economic influences on an industry or organisation: if these change, it is likely that the risk register requires a review. At each stage of change, leadership must review the appropriateness of the ISO 31000 framework and ensure that the processes laid out remain relevant, proactive, and clear.


Next in the series: Clause 5.3 – Design: Understanding the Organisation and Its Context
