Risk Management and ISO 31000: A pocket guide

By Alan Field and Alistair (Male Synthesized Voice)

Risk management is a primary concern for any organisation. Its significance has only increased since the start of the COVID-19 pandemic. Organisations need to prepare for all types of threats, both probable (a server breaking down) and improbable (the office being flooded), to ensure that their operations can survive and adapt to continue with BAU (business as usual) in the face of a disaster.

Yet risk management isn’t solely about preventing negative outcomes, it is also about an organisation taking a known risk to uncover new opportunities to improve the organisation. For example, the transition of employees to remote working could risk an organisation’s security as an employee could connect their laptop to an unsecure Wi-Fi connection. However, as demonstrated in the pandemic, remote working helped protect employees as the risk of infecting one another with COVID-19 was reduced.

Read this pocket guide to understand how:

• Risk-based management can prepare your organisation for future threats and therefore help the success of a BCP (business continuity plan);
• To identify whether the opportunities gained from a ‘risky’ decision can outweigh the perceived threat;
• The principles of ISO 31000 can help your organisation develop a framework for its approach to risk management;
• The guidelines of ISO 31000 can be interwoven with controls in other standards such as ISO 27001 and ISO 9001; and
• The organisation must continually review its approach to risk management to stay prepared for the latest threats.

• Language: English
• Publisher: itgovernance
• Release date: Mar 14, 2023
• ISBN: 9781787784178

Alan Field

Alan Field, LL.B (Hons), PgC, MCQI CQP, MIIRSM, AIEMA, GIFireE, GradIOSH is a Chartered Quality Professional, an IRCA Registered Lead Auditor and Member of The Society of Authors. Alan has particular expertise in auditing and third party assessing Anti-bribery Management Systems (ABMS) to BS10500 and counter fraud systems in the public sector to ISO 9001 requirements. Alan has many years’ experience with Quality and Integrated Management Systems in the legal, financial, property services and project management sectors in auditing, assessment and gap analysis roles.

Book preview

INTRODUCTION

This pocket guide isn’t written for experts on risk management or, necessarily, experts on management systems. However, it does assume the importance of risk management to all organisations – big and small – and recognises that not having a formal process to identify, assess and control risk can lead to many issues, including difficulties in implementing management systems based on ISO standards. The ISO 9000 family of standards are process based, and this pocket guide will focus on how this broad approach works in a wider arena than a process focus would normally involve.

The absence of a risk-based approach to management might also lead to opportunities being missed or simply not being exploited to their full potential. Risk management is not just about managing negative or catastrophic events, decisions on competing research and development possibilities is one example of a positive. A risk-based approach to management may reduce unnecessary expense or divert resources to better controls. For example, ISO 27002 provides 'attributes' to controls (identifying control type, operational capabilities, security domains, cybersecurity concepts and information security properties), helping the risk assessor to make more informed decisions about which controls might best respond to a given risk.

To achieve all these in effectively, we may require a management system that understands risks and opportunities in a strategic way in terms of leadership priorities. It might be tempting to look at these requirements as something tactical or operational but the leadership’s attitude towards risk and the priorities for dealing with risks will always impact an organisation’s attributes.

This pocket guide is intended to be of interest to those whose experience of risk or management systems has always been very sector based. A life spent looking at financial or governance risk could be surprisingly helpful in understanding how different policies and approaches to risk can be developed.

Annex SL is the structure implemented by ISO standards such as ISO 9001 and ISO 27001. Its purpose is to be a platform for these and other ISO’s risk-based management system requirements, so that any size of organisation can create better systems across multiple standards by having a common format of clauses and goals. Even if you never intend to implement something like ISO 27001, reading Annex SL is like reading the UK’s HSG65 for health and safety management systems; it contains much food for thought.

This pocket guide will often use the terms ‘strategic’ and ‘tactical’, and this will mean different things to different organisations. Annex SL assumes that top management and the wider leadership team take a key part in risk policy and decision making, and this is always useful to be aware of when considering the points made in this pocket guide.

The main focus of this pocket guide will be looking at ISO’s Annex SL (sometimes referred to as Annex L) and how it requires a risk-based approach to management to be adopted by other international standards in the ISO 9000 family, e.g. ISO 9001:2015 and ISO 27001:2022. Although risk is referred to regularly in these standards, there isn’t much of a practical definition of what risks and opportunities actually mean in practice to an individual organisation; as we will see, one advantage of IS0 31000 is that it can inspire the creation of an infrastructure to achieve a risk universe.

This pocket guide will also discuss how risk can be defined within a management system, i.e. what isn’t written in international standards about defining risk and the implications of a risk-based approach to management.

This approach means our focus will be on risk management