CHAPTER 3: BEFORE YOU READ ISO 31000, READ THIS!

In the last chapter, we looked at how risk management principles can actually be very generic, even in risk-based specifications that are more sector driven, such as HACCP.

Before looking at ISO 31000 itself in more detail, we are going to consider a document that provides an overview of ISO 31000’s principles and, more importantly, how they can be applied: IWA 31:2020.

Guidelines or nomenclatures for international standards sound like a dull place to start. But with IWA 31:2020 it is quite the reverse. It is a goldmine of exposition as well as a useful reference before one reads ISO 31000 in any detail. This can also apply, to some extent, to the risk and opportunity based principles of Annex SL.

Risk management — Guidelines on using ISO 31000 in management systems [11] not only gives specific guidance on how ISO 31000 can be interpreted within management systems, but also gives an example, with an imaginary business, of how ISO 31000 might be integrated into other risk-based management systems. It does this by mapping the ISO 31000 requirements against the high level structure (HLS) of Annex SL (pages 3-4 of IWA 31:2020). Those familiar with these documents will see this is presented in a similar way to, for example, ISO 9001:2015, which shows how the clauses of that Standard can be aligned with other ISO standards if the organisation is integrating or combining management systems, e.g. ISO 9001 with ISO 14001. [12]

Equally, pages 3-4 of IWA 31:2020 can be used to inform how the broader risk management principles can be applied to an integrated management system (IMS), and how they align with the HLS principles that also apply to the IMS.

IWA 31:2020 explains how ISO 31000 has “the eight principles of risk management” and how these “act as a foundation for the creation and protection of value.” It goes on to explain that it provides guidance on risk management systems “communicating its value.” This can be interpreted in a number of ways, and these include the concepts of interested parties and communication and consultation, which appear in all Annex SL standards.

It is key to realise that if we see risk management as creating and protecting value, communicating what that value is and how it can be protected or nurtured is a wider concept than just compliance.

One practical example of this would be dynamic risk assessments, where people are trained to react in a risk based way, according to the circumstances presented at any given time, but only within agreed parameters. For example, don’t become a victim yourself in any intervention – be it changing a leaking valve or rescuing someone from a burning building. Firefighters and mobile engineers are just two typical examples. However, it could equally apply to much wider definitions of protecting value than just matters of safety and compliance, e.g. the way business prospects are sifted for the opportunities and risks they present to the organisation. Different conflicting values may present themselves, but understanding what these values are is the starting point to identifying risk as well as controlling it. It also helps inform opportunity cost (which we will discuss later).

IWA 31:2020 also points out that “it needs to be remembered that although the risk management process is often presented as sequential, in practice it is iterative.” This is an interesting reminder. It is often argued that Annex SL standards preach conformity. Even if this is true, it doesn’t mean all processes are necessarily sequential. Some processes will require constant re-work or repetition to get them to an acceptable level – this could be a design process or a new way of making something, or achieving an adequate, cost-effective repair, for example. Some textbook process models assume a sequential approach, and this can impact the effectiveness of looking at processes in a risk-based way. To counter this view, some methodologies, such as Six Sigma and Lean, directly (or sometimes indirectly) assume iterative processes, and if you are familiar with them, then this will inform your view of risk. It is always worth remembering that an unidentified vulnerability or risk could change the sequential nature of risk. This can apply to two or more process failures occurring at or near the same time that then lead to a more serious incident than a sequential view of risk might anticipate.

Opportunities and risk lie at each cycle or stage of an iterative process, and to have a defined risk framework is one way of minimising risk. The risk to value might be opportunity cost, e.g. time being spent on further tweaks to a process that could be assigned more profitably elsewhere.

Opportunity might be seen as a standalone enhancement that strengthens an organisation’s reputation or something that gives it a competitive advantage. Equally, the notion of opportunity might be seen as the other side of the same coin called risk; opportunity can mitigate risk. One example of this would be the opportunities created by a new automated process that means fewer safety risks to workers as well as other potential advantages such as, perhaps, more consistent outputs. Some also view successful opportunities as paying for their failures – it is the end-of-year accounts that might reflect success, not the individual entries that make them up. Whatever one’s view, opportunity and risk are inextricably linked in many scenarios.

IWA 31:2020 gives a case study to explain this in practical terms. The fictional organisation ‘XYZ’ comes with a description of how it implemented ISO 31000 principles in its existing Annex SL management systems, chiefly focusing on ISO 9001. Even if XYZ’s circumstances do not align with your organisation’s, the principles behind how decisions relating to value are made within its management system probably do.

There are two particular points to look at. Firstly, on page 6 of IWA 31:2020 there is an integrated policy statement for ISO 9001 and ISO 31000. Again, although some of the specifics may not apply to your organisation, it does indicate how a wider definition of risk could be utilised in other Standards, e.g. “we are committed to managing all risk in a proactive and effective manner”, [13] not just the RBT that applies to quality objectives but all risk.

Secondly, there is a description of how individual ISO 9001 requirements can be enhanced by using ISO 31000 principles. Again, because of the HLS, at least some of this could be read in terms of ISO 14001 and ISO 27001 requirements, or the examples given could inspire greater thought, e.g. a working party or brainstorming session to see how the specific requirements of these standards might be enhanced with what the case study has outlined. For some standards, such as ISO 27001, where a number of specified controls have to be considered, this will also impact on the interpretation. As is always the case with documents such as IWA 31:2020, they should provoke discussion, debate and reflection, rather than provide any temptation simply to accept them or, conversely, to say none of these circumstances apply to us.

Also, very importantly, IWA 31:2020 states the core approach of what the Standard is about: “ISO 31000 provides a common approach to managing any type of risk faced by an organization throughout its life.” Understanding that common approaches are more powerful than simply relying on siloed approaches to managing risk – this is a key thread throughout this pocket guide.

One interpretation of this IWA 31:2020 statement is that specialised approaches to risk management, quite rightly, operate within their specialised requirements, e.g. credit control risks and fire safety risks are totally different but both protect value.

Or to put it another way, risk is no different to any other organisational policy or process, in that tactical management is often completely different to strategy. In other words, there needs to be an agreed strategy towards protecting and promoting value within which the credit control manager and the fire safety manager (in our example) can operate their specialist requirements. Arguably, Annex SL doesn’t explicitly promote this approach – what it offers is the risk-based, consistent suite of processes for quality management, information security management, environmental management or whatever Annex SL standard we are talking about.

The generic approach of ISO 31000 to risk is a strength when forming a strategy. In later chapters, we will see how ISO 31000 also contributes to strategy as well as informing the way you implement other Annex SL standards.

[11] IWA 31:2020, Risk management – Guidelines on using ISO 31000 in management systems, www.iso.org/standard/75812.html.

[12] A separate pocket guide on integrated management systems is available from ITGP: Implementing an Integrated Management System (IMS) – The strategic approach by Alan Field, www.itgovernancepublishing.co.uk/product/implementing-an-integrated-management-system-ims.

[13] ISO 31000:2018.
