A risk management strategy requires a comprehensive implementation and continuous monitoring in order to be a successful approach for an organisation. For ISO 31000, you are advised to follow three key steps in delivering your risk management plan: implement, evaluate, improve.
The cyclical nature of clauses 5.4 – 5.6 is reflective of ‘Plan Do Check Act’, seen in several forms within the Higher Annex SL framework. The drive for continuous improvement is seen in other standards, such as ISO 9001:2015, so using a similar process for the risk management strategy makes sense for an organisation wishing to have cohesive strategies across the company.
Step One: Clause 5.4 - Implement
The first step to any risk management strategy is, of course, the plan – which should also consider the timings required at each phase of the process.
Once a plan is defined, taking into account the internal and external context of the organisation and the various risk factors involved in the business operation, it needs to be rolled out.
Communication is a vital part of this step. Leadership should define the who, what, when, and how of the communication plan for the risk management strategy:
- Who needs to know about the strategy?
- What do they need to know (what actions are required from individuals)?
- When should they be told/when do they need to act?
- How will this be communicated to the people involved?
Then the roll-out of the risk management strategy can begin, with relevant individuals feeding into the risk register and communicating to departments how their role sits within a risk-aware environment.
Step Two: Clause 5.5 - Evaluate
Once a risk management strategy has been implemented, it’s important to make sure that it is working and staff are adhering to the plans provided to them.
An evaluation may take the form of interviews or surveys, or a quantitative review of reports from the risk management software an organisation is using.
The evaluation stage is recurrent: it does not only happen on an annual basis, for example. A regular evaluation of the risk management strategy enables organisations to react in real time to knowledge gaps, new risk opportunities, or changes in external factors that impact upon the risk to an organisation.
Evaluation is designed to ensure the risk strategy remains appropriate, and that the framework in use (in this case, ISO 31000) is still appropriate to the organisation’s requirements.
Step Three: Clause 5.6 - Improve
Continuous improvement is a benefit for any organisation. Ongoing evaluation allows for the planning and implementation of changes to a process in order to make it more efficient.
Review of a risk management strategy evaluation will highlight areas in which your organisation can improve. Acting on improvements will increase the resilience of the business as you adapt the risk strategy against the framework and the ever-changing context of the organisation.
Where the need for change is identified during the evaluation process, leadership are then required to implement the change and assign accountability for the new element in the risk strategy to relevant individuals. This ensures a continuously improving, maturing, and advanced risk management strategy will develop with ease.