CHAPTER 4: USING ISO 31000 TO ASSIST RISK-BASED THINKING

In this chapter we will look more at ISO 31000 itself and how it can be used to influence RBT for any of the Annex SL standards. We have chosen ISO 27001:2022 just as one example, along with some references to ISO 9001.

Although ISO 31000 wasn’t written with the express intention of directly assisting the understanding of Annex SL standards such as ISO 9001, it can certainly inspire better practice with such implementations. This is because the whole subject matter is risk and risk management, whereas with, for example, ISO 9001 or ISO 27001, RBT is just a component, albeit a very fundamental one in a whole host of other requirements.

When you read ISO 31000 – and it is worth doing – you will see the basic structure falls under a number of headings. We have already touched upon some of Clause 6 – Process. The first key heading, for our purposes, is Clause 4 – Principles.

ISO 31000 Clause 4 – Principles – starts with a key statement in terms of understanding what RBT can mean: “The purpose of risk management is the creation and protection of value.”14 The Clause goes on to say that risk management supports innovation and the achievement of objectives. It is worth remembering that defining and then striving to achieve objectives falls within the philosophy of all Annex SL management systems.

ISO 31000 doesn’t explicitly state that it aligns with the PDCA cycle but does, within Clause 4, refer to continual improvement (which is a key element of a circular approach to management). Also, if we move to Clause 5 (Framework), a circular approach is shown in Figure 2, which places leadership and commitment at the centre of a cycle of integration, design, implementation, evaluation and improvement. So, not only do we monitor processes, but the lessons learned are integrated back into process design, which is subject to the policies and priorities decided by leadership.

Under ISO 31000, design is seen in terms of designing a risk management framework and process, just as we should be considering RBT as a fundamental element of process design in, for example, quality management. But do we always explicitly consider this? Or do we just focus on the mechanics of the process itself or the desired outputs? Even with health and safety, do we think about it as just a series of risks to assess and treat, or do we explicitly understand that the way a process is designed and delivered can create – or minimise – such risks, rather than seeing risks as something that simply arises during the process itself? A simple example would be a building designed in a way that requires a lot of working at height to carry out maintenance. Wouldn’t it be better to design the building to minimise the need for maintenance at all or, where it is necessary, for the maintenance to be done at ground level or under other controlled conditions? This is something that would be considered in the UK as part of the Construction (Design and Management) Regulations 2015 (as well as the earlier Work at Height Regulations 2005). Good design can minimise the need to work at height, rather than simply defining controls for working at height. Although all Annex SL standards require RBT, it is worth being self-critical and asking how often we actually design our processes to minimise risk and maximise opportunities – this applies to all sectors, services and products.

ISO 31000 encourages us to look at risk in the widest possible sense. This can include looking critically at what falls within the scope of risk controls. A practical example of this is ISO 27001, where controls over risks arising from external factors, such as natural disasters, should be established (the 2022 edition lists “Protecting against physical and environmental threats” as Annex A control 7.5). Standards can, in the simplest terms, encourage organisations to look at what the suite of processes to be risk managed actually encompasses. This is over and above the usual definition of continual improvement within the existing process sphere.

All these points lead to two key outcomes. Firstly, if ISO 31000 informs the RBT behind your organisation’s adopted management system standard, for example ISO 27001 or ISO 9001, then its thinking must also be compatible with that management system’s process approach, be that PDCA or another model that leads to continual improvement. Secondly, it shows your organisation that risk appetite, risk identification and risk controls – among the other processes defined in ISO 31000 – are compatible with PDCA, which we will discuss further in the next chapter.

In any risk universe, data arising from implementing risk-based decisions should feed back into future leadership decisions about individual risks and how these impact on the wider organisation’s business objectives. The process doesn’t just end with looking at data and deciding, in isolation, whether the risk process needs changing. A PDCA approach to risk encourages, literally, a circular process of business improvement, not just an interesting basket of problems resolved in different silos of technical decisions. Rather, it feeds into the continual process of planning and design.

ISO 31000 also refers, under Clause 5.2 (Leadership and commitment), to “oversight bodies.” This is governance. It could be a supervisory board, a board of trustees or a regulator, among others.

It should also be remembered that although oversight bodies don’t immediately appear to align with Annex SL standards, there are many similarities in principle. For example, if you hold ISO 27001 or ISO 9001, not only do you have to comply with the law but you may also be a regulated business. You may have voluntarily accepted trade or sector rules, or simply be part of a wider group of companies whose policies you have to follow and report upon. In a unionised business, there may be workforce agreements to follow. In other words, all of these are examples of oversight bodies, whether voluntarily accepted or imposed by law or regulation. It should be remembered that oversight bodies do not alter existing risks but can generate new ones (i.e. the risk of non-compliance with their requirements). Of course, interaction with them and the adoption of good practice may also create new opportunities to be exploited.

We referred earlier to the idea of “doing things consistently right” rather than just doing things right and, of course, PDCA, when properly deployed, encourages a critical review of decisions and their eventual outcome in terms of any impact on deliverables. Process improvement can sometimes mean desisting from a course of action, just as much as trying to improve upon it.

Clause 6

Although we looked at Clause 6 earlier, we focused more on the outputs of risk management rather than the fundamentals they are based on, which are set out at the start of the clause in 6.1 (General), 6.2 (Communication and consultation) and 6.3 (Scope, context and criteria).

In fact, these sub-clauses have few equivalents elsewhere. ISO 9001 refers to risk a number of times, but doesn’t explain the process of how one determines the effect of uncertainty or how to analyse the different approaches to dealing with it. ISO 27001 lists information security controls in its Annex A, and ISO 22000 is more precise on the process of risk management – just as two examples. So, Clauses 6.1 through to the end of 6.3 should be read in detail.

One of the early statements in Clause 6.1 is that “The risk management process should be an integral part of management and decision-making.” Seemingly obvious but, of course, we have already established that it is all too easy to inadvertently silo risk as something divorced from business decision making. The clause goes on to discuss the dynamic and variable nature of human behaviour and culture and, again, this is an interesting departure from standards where human factors are at most implied. ISO 31000 expresses the need for these to be considered. Risk is not just about statistical probabilities or process flows – human factors affect risk, the way it is controlled and the way it can evolve and emerge.

Clause 6.2 relates to Communication and consultation. Arguably, it is a little wider than the equivalent clauses in other standards, such as ISO 9001, but one notable point from it is that effective risk management is supported by ensuring that all relevant experience and opinions are sought and that outcomes are communicated. Does your organisation say that risk assessment is purely a management issue? If so, considering the implications of this clause is important.

Control does not mean that consultation is any less important. As one example among a number of assurance methodologies in use, consider CoCo (Criteria of Control), a framework developed by the Canadian Institute of Chartered Accountants (now CPA Canada). It outlines some 20 control criteria that a leadership team can use to manage company performance and improve decision making.

Although it was written for financial audit and corporate governance purposes, it offers a number of interesting insights that can be applied to a much wider basket of risks, e.g. the notion that control includes ensuring that all staff understand the ethical values of the organisation and that there are no grey areas in reporting lines and accountability. This notion of control relates to the way a process is designed and then operated on a day-to-day basis, and how routine outputs are verified against control standards or procedures by appropriate levels of authority. These are not only fundamental to the narrower definition of control in risk management, i.e. how we prevent a risk occurring and/or mitigate its impact if it does. CoCo also assumes wider implications, e.g. ethical awareness and agreed processes for communication and consultation with all staff. Decisions – and their ongoing impact – are part of internal control.

There is another way of visualising how internal controls (or what another framework, that of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), describes as a “control environment”) can help focus risk management design and communication. Consider the 93 controls listed in Annex A of ISO 27001:2022 (114 in the 2013 edition). Although on the face of it this may sound prescriptive, the controls are not mandatory as written: each leadership team must consider them, decide which are necessary, justify the inclusion or exclusion of each in its Statement of Applicability, and implement the chosen controls as it sees fit (within the need to meet legal, regulatory and, in some cases, industry technical requirements). All of this requires communication and consultation, as well as providing opportunities for continual improvement simply through the process of looking critically at a process and deciding how, and whether, such a control is appropriate. In other words, can we do it better, can we really get it right first time and, if so, with less chance of unplanned outcomes arising?

In the next chapter we will look at the remaining elements of Clause 6, particularly risk assessment (6.4) and risk treatment (6.5). Our discussion will move from process risks and opportunities to considering areas such as risk appetite and the wider considerations of a risk universe that Annex SL assumes is in place but might not specifically define.

14 ISO 31000:2018, Clause 4.
