ISO 31000 was specifically developed to help organizations effectively cope with unexpected events while managing risks. Besides mitigating operational risks, ISO 31000 supports increased resilience across all risk management categories, including the most complicated group to manage effectively - digital threats.
Whether you’re considering implementing ISO 31000 or you’re not very familiar with this framework, this post provides a comprehensive overview of the standard.
What is ISO 31000?
ISO 31000 is an international standard outlining a risk management structure that supports effective risk management strategies. The standard is divided into three sections: principles, framework, and process.
The objective of all of the principles of ISO 31000 is to simultaneously increase the value and protection aspects of a management system.
The 11 principles of ISO 31000 are as follows:
- Risk management creates and protects value - Risk management should support objective achievement and performance improvements across various sectors, including human health and safety, cybersecurity, regulatory compliance, environmental protection, governance, and reputation.
- Risk management is an integral part of all organizational processes - Risk management shouldn't be separated from the main body of a management system. It should be integrated into an organization’s processes to create a risk-aware culture. Management teams should champion this cultural change.
- Risk management is systematic, structured, and timely - Risk management should cover the complete scope of systemic risk. It shouldn't be focused on a single business component prone to risks, like the sales cycle.
- Risk management is tailored - A risk management program should be tailored to your objectives within the context of internal and external risk profiles.
- Risk management is transparent and inclusive - All appropriate stakeholders and decision-makers should be involved in ensuring risk management remains relevant and updated.
- Risk management is dynamic, iterative, and responsive to change - A risk management program shouldn’t be based on a rigid template. It should be dynamic, capable of conforming to changing internal and external threat landscapes.
- Risk management is based on the best available information - Risk management processes shouldn't be limited to historical data, stakeholders’ feedback, forecasts, and expert judgments. It’s essential to consider the limitations of data sources and the likelihood of divergent opinions among experts.
- Risk management is part of decision-making - Risk management should help leadership teams make intelligent risk mitigation decisions by understanding which risks should be prioritized to maximize impact.
- Risk management takes human and cultural factors into account - All risk management activities should be assigned to individuals with the most relevant competencies. Appropriate tools should be available to these individuals to support their efforts as much as possible.
- Risk management facilitates continual improvement of the organization - Strategies should be developed to ensure risk management efforts are continuously improving.
- Risk management explicitly addresses uncertainty - Risk management should directly address uncertainty by understanding its nature and finding ways to mitigate it.
The framework component of the ISO 31000 standard outlines the structure of a risk management framework, but not in a prescriptive way. The objective is to help organizations integrate risk management into their overall management system based on their unique risk exposure context. Businesses should implement the framework through the lens of their risk management objectives, prioritizing the most relevant aspects of the proposed framework. This flexibility allows any management system to map to ISO 31000, making the standard industry agnostic.
ISO 31000 can be implemented by any industry to reduce enterprise risk, regardless of size or existing risk management process.
The driving factor for the framework aspect of ISO 31000 is the management team’s commitment to embedding a risk management culture across all organizational levels.
The five framework pillars of ISO 31000 are as follows:
- Integration - The risk management framework should be integrated into all business processes, a change that follows the management team’s push for a cultural shift towards greater risk awareness.
- Design - The design of the final risk management framework must consider the organization’s unique risk exposure and risk appetite.
- Implementation - An implementation strategy should consider potential roadblocks, resources, timeframes, key personnel, and mechanisms for tracking the framework's efficacy following implementation.
- Evaluation - The evaluation components broaden the focus on measuring framework efficacy. This process could involve appealing to various data sources, such as customer complaints, the number of unexpected risk-related events, etc.
- Improvement - This is the final step of the popular management system design model, Plan, Do, Check, Act (PDCA). Improvements should be made based on the insights gathered in the evaluation phase. The objective of each improvement iteration is to reduce the number of surprises experienced under the risk management framework.
The design of the risk framework should be based on business objectives and a risk management policy within an organization’s unique risk context (the contextualization of risks is a recurring theme in ISO 31000).
The Framework stage sets the broad risk management context, which is then refined in the Process stage, setting the foundation for more meaningful insights gathered through risk assessments.
The process approach to ISO 31000 consists of the following stages:
Communication and Consultation
The first stage of this process approach is communication and consultation. The more cross-functional opinions that are heard, the more comprehensive your risk management efforts will be. This stage draws upon ISO 31000’s inclusivity and cultural factor principles.
Communications aren’t just limited to internal functions. External stakeholders should be involved in all decision-making processes. This will encourage stakeholder involvement in all stages of the risk management program’s development - which supports the primary objective of the Framework stage in ISO 31000:2018.
Scope, Context, and Criteria
Ideally, many of these mechanisms should already be established in your management system. All management activities are performed within the organization’s context, as defined in ISO 9001 Clause 4.1.
Contextual intelligence is a consideration of all internal and external issues impacting the achievement of business objectives. Contextualization can be achieved by gathering information from the following sources:
- Risk assessment of internal and external risk factors
- Internal audits
- Organization policy statements
- The use of a SWOT template (Strengths, Weaknesses, Opportunities, Threats)
- Strategy documents
- Questionnaires (for internal and external process investigations)
- Interviews (with stakeholders, senior management, cross-functional teams including finance, human resources, engineering, training, etc.).
The criteria used to assess risk depend on the objectives most relevant to the initiative, as outlined in the value creation principle of ISO 31000.
These could include:
- Strategic objectives
- Operational objectives
- Business objectives
- Health and safety objectives
- Cybersecurity objectives
Start by narrowing your focus to a single scope. Then, after the process has been proven to work, expand your scope into other regions.
Risk Assessment
After defining your scope, context, and criteria, the actual risk assessment process begins. There are three primary stages in the risk assessment lifecycle.
- Risk Identification - Understanding the source of discovered risks and their classification (whether they originate from internal or external attack surfaces).
- Risk Analysis - Understanding the impact of identified and potential risks and the efficacy of their associated security controls.
- Risk Evaluation - A comparison of discovered risks against your risk register, and deciding which risks should be addressed based on an acceptance criterion defined by your risk appetite.
Risk evaluation data will determine which actions need to take place. Any control adjustments or framework improvements will be relative to each unique scope, context, and criteria scenario.
Stakeholders should be involved in deciding how to best respond to risk evaluation insights.
Risk Treatment
The risk treatment stage is where you decide the best course of action. These decisions will depend on your risk appetite, which defines the threshold between the levels of risk that can be accepted and those that need to be addressed.
Different types of risk should be considered, including:
- Strategic risks
- Cybersecurity risks
- Reputational risks
Your methodology for treating risks depends on the risk culture being developed by the management team. Some organizations have a high risk tolerance, while others (such as those in heavily regulated industries like healthcare) have a very low tolerance for risk. These tolerance bands are decided during the calculation of your risk appetite. If your risk appetite has already been determined, review it to ensure it's clear enough to support the risk management standards of ISO 31000.
A risk matrix is helpful in the risk treatment phase as it indicates what risks should be prioritized in remediation efforts to minimize impact.
In the context of Vendor Risk Management, a risk matrix indicates which vendors pose the most significant risk to an organization’s security posture.
These insights, coupled with an ability to project the impact of selected remediation tasks, help response teams optimize their risk treatment efforts, supporting the continuous improvement objectives of ISO 31000.
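As an added illustration (not code from the original post or from UpGuard), the following Python script applies a 5x5 likelihood-by-impact risk matrix to a constructed vendor risk register and ranks entries for remediation. The score bands that stand in for the organization's risk appetite are assumptions chosen for the example, not values from ISO 31000.

```python
from dataclasses import dataclass

# Risk appetite expressed as thresholds on the 5x5 matrix score (likelihood * impact).
# Assumed bands for this example; a real organization sets these from its own appetite.
ACCEPT_BELOW = 5          # score < 5: accept and monitor
TREAT_AT_OR_ABOVE = 12    # score >= 12: must be treated before the next review


@dataclass
class VendorRisk:
    vendor: str
    description: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    source: str       # "internal" or "external" attack surface

    def score(self) -> int:
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be in 1..5")
        return self.likelihood * self.impact


def treatment(risk: VendorRisk) -> str:
    """Map a matrix score to a treatment decision derived from the assumed appetite."""
    s = risk.score()
    if s >= TREAT_AT_OR_ABOVE:
        return "treat"
    if s >= ACCEPT_BELOW:
        return "reduce or transfer"   # e.g. add controls, or outsource to a third party
    return "accept"


def prioritize(register):
    """Rank the register for remediation: highest score first, ties broken by impact
    so that severe-but-rare events are not buried beneath frequent minor ones."""
    ranked = sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)
    return [(r.vendor, r.score(), treatment(r)) for r in ranked]


# Constructed sample register; vendor names and findings are invented.
SAMPLE_REGISTER = [
    VendorRisk("PayrollCo", "Unpatched public web portal holding employee PII", 4, 5, "external"),
    VendorRisk("CloudBackup", "Backups stored without customer-managed keys", 3, 4, "external"),
    VendorRisk("CafeteriaSvc", "Receives only anonymized headcount data", 2, 1, "internal"),
    VendorRisk("DevTooling", "CI runner granted broad repository access", 2, 5, "internal"),
]

if __name__ == "__main__":
    for vendor, score, decision in prioritize(SAMPLE_REGISTER):
        print(f"{vendor:12} score={score:2} -> {decision}")
```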
Another form of risk treatment is to outsource the responsibility to a third party. For example, third-party risk management, the process of managing security risks caused by third-party vendors, could be outsourced to a team of cybersecurity experts. Your organization will still be responsible for the outcome of detected risks but without the added burden of also having to manage them.
The reduced demand on internal resources makes outsourcing third-party risk management a very economical choice for scaling businesses.
Monitoring and Review
Evaluating the effectiveness of your implemented risk framework will determine whether or not your ISO 31000 risk management program was a profitable investment. During each review and iteration process, be sure to keep the human and cultural factor principle front of mind - don’t forget the people impacted by each iteration.
Your risk mitigation objectives shouldn’t be so ambitious that you must handcuff your employees. You need to strike the perfect balance between risk management, risk acceptance, and employee well-being.
Recording and Reporting
Finally, all risk management activities should be recorded. Not only will this support stakeholders with their ongoing risk-based strategic decisions, but it will also provide you with a reference for tracking your management system's maturity throughout the ISO 31000 implementation lifecycle.