ISO 31000

What is ISO 31000?

In business just as in everyday life, there are always risks. In fact, the International Organization for Standardization (ISO) defines risk in a number of its standards as simply an “effect of uncertainty” – a chance that something bad might happen, combined with the severity of outcome if it does.

ISO 31000 is an international standard designed to help companies improve their management of risk by integrating risk awareness and control into everything they do. Unlike certain other ISO standards such as 14001 and 45001, 31000 is not a standard an organization can use for certification purposes. It is intended to be a tool for anyone who manages risk, whether or not they are professional risk managers, and can help them structure their internal audit programs.

ISO originally published 31000 in 2009, but like other ISO standards, it undergoes a review every five years and is revised if considered necessary to ensure that it remains current and effective. 31000:2018, the most recent version of the standard, reflects the emergence of new risk factors in the global economy, such as cryptocurrency, that are pushing organizations to think more comprehensively about the ways they address uncertainties. Compared with the original version, it , it places greater importance on the leadership of senior management and the integration of risk management into all aspects of the organization – a common theme in other recent ISO standards such as 45001.

Select elements of ISO 31000 are listed below.

Leadership and Commitment

Risk management can’t have a central place in an organization unless senior management ensures that it does. Section 5.2 states that management must demonstrate leadership on risk by a statement or policy establishing its importance, and also must make the necessary resources available and assign roles of others responsible for key tasks.

Management’s statement of commitment should describe the organization’s purpose for managing risks, the different roles and responsibilities within the risk management system, and the ways in which conflicting objectives are resolved. It should also indicate measurement and reporting methods that company leadership will use to track their risk management performance.

Additionally, management must ensure that the risk management framework remains appropriate, especially as the organization and its operations continue to change.

The Context of the Organization

As mentioned, ISO 31000 recognizes the importance of an integrated approach to risk, which is a break with past habits of seeing risk management (and EHS management more generally) as being outside the scope of the organization’s normal operations. A more holistic approach to risk starts with understanding the internal and external context of the organization, including social and political factors, contractual relationships, stakeholder perceptions and expectations, and other key factors affecting the organization’s risk management goals.

Section 5.4.2 spells out the expectation that top management needs to demonstrate a continual commitment to risk management. That commitment should include written policies and statements, but also needs to be more than a promise on paper. For example, it must make the necessary resources available, assign responsibilities for key actions, and indicate the role of performance indicators in ensuring that the company stays on track with its risk management goals.

Improvement

Change is a permanent feature of the world we live in. As businesses and the societies they are part of continue to evolve, the landscape of risk changes with them. That’s why 31000:2018 directs an organization to “continually monitor and adapt the risk management framework to address external and internal changes.”

Of course, improvement doesn’t always come from looking outward – sometimes it comes from looking within. Like other ISO standards, 31000:2018 emphasizes continual improvement. Organizations should evaluate their performance, including review of how effectively their risk framework is integrated into its operations, and whether there are opportunities to strengthen their management.

Risk Analysis, Evaluation and Treatment

Not surprisingly, the standard has quite a bit to say on the process of risk analysis, itself. This guidance is not one-size-fits-all, since it recognizes that many factors are in play. For example, Section 6.4.3 states that “risk analysis can be undertaken with varying degrees of detail and complexity, depending on the purpose of the analysis, the availability and reliability of information, and the resources available.”

But 31000:2018 does offer some general guidance. It states that risk analysis should consider factors such as:

• The likelihood of events and consequences;
• The nature and magnitude of consequences;
• Complexity and connectivity;
• Time-related factors and volatility;
• Effectiveness of existing controls; and
• Sensitivity and confidence levels

A key component of risk management is communication and consultation. Section 6.2 states that “communication seeks to promote awareness and understanding of risk, whereas consultation involves obtaining feedback and information to support decision-making.” These elements work together to bring the right kinds of expertise to the risk management process, and make sure the information gathered is sufficient to enable good decisions.

The risk management process puts all of the components of the management system to work. It draws upon the defined scope to determine risk management tools and techniques appropriate for the includes aspects of the organization’s business, and looks carefully at internal and external contexts – some of which can also be sources of risks.

Next comes a lot of thinking about all aspects of risk. Organizations need to set risk criteria, accounting for such factors as the nature and types of uncertainties that can affect outcomes, and how both positive and negative consequences will be measured. Then they proceed to risk identification, paying attention to indicators of beginning stages of risks, their causes, and their possible consequences.

This leads to risk analysis, which is a more detailed consideration of all facets of risk, including connections among causes, timing factors, and likelihood and severity. The complexity of this process will depend on the organization and its operations.

Once you’ve analyzed risks, you’re ready for risk evaluation, in which you make decisions on whether you need to put controls in place, and how to do so. You need to assess the risk treatment options, determine whether additional information may be needed, and then make decisions that best align with your objectives and the expectations of internal and external stakeholders. To ensure transparency and buy-in, you also need communication and input with those stakeholders throughout the process.

The next step, according to Section 6.5.3 of ISO 31000:2018, is to prepare and implement a risk treatment plan, specifying how you will implement the chosen risk treatment options. The information included in the treatment plan must include:

• The rationale for selection of the treatment options, including the expected benefits to be gained;
• The identities of those responsible for approving and implementing the plan;
• Description of the proposed actions;
• List of the resources required, taking contingencies into account;
• Description of performance measures;
• Discussion of constraints;
• Description of required reporting and monitoring; and
• A statement about when actions are expected to be undertaken and completed.

It should be noted, though, that risk treatment options may themselves introduce new risks, so management will also need to assess and control those risks.

Monitoring and Reporting

Sections 6.6 and 6.7 deal with monitoring, documentation and reporting that management to be used to assess the performance of the risk management system. The goal here is for management to not only know how well they’re doing at identifying and controlling risks, but also to use that information to improve the risk management process. This fits in with the Plan-Do-Check-Act cycle of continual improvement stressed in many ISO standards.

The end result of the risk management process as outlined by ISO 31000 is a safer business, more receptive to the welfare of its employees and stakeholders, and more likely to achieve its objectives.

Related Standards

ISO has also published other standards related to risk management, two of which are listed below.

• ISO Guide 73, Risk management - vocabulary: Complements ISO 31000 by providing a collection of terms and definitions relating to the management of risk.
• IEC 31010, Risk management – risk assessment techniques focuses on ways of doing risk assessment. This is particularly useful because ISO 31000:2018 only gives general guidance on risk management, but doesn’t discuss specific methods of actually performing risk analysis. Guidance in this document discusses different methodologies and ways to validate their usage.

Of course, risk and identification and control are also baked into ISO standards that many organizations certify to, such as ISO 14001 for environmental management systems, and ISO 45001 for occupational health and safety management systems. If you’re certified to one or both of those standards, the guidance in ISO 31000: 2018 and the related standards above can help you develop and maintain a broad, consistent approach to managing risks from multiple sources.

A Global Standard for Risk Management

Organizations interested in using ISO 31000: 2018 as guidance can potentially improve the way they identify and control risks, reducing the uncertainties that may affect their business, improving the protection of their assets and increasing value for shareholders.

You’ll have an easier time aligning your risk management practices with ISO 31000: 2018 with the right tools in place. Our VelocityEHS software platform gives you offers broad Risk Management capabilities that can help you protect your people, your assets and your reputation.

With our platform, you’ll be able to conduct many kinds of risk analysis, including hazard studies, Job Safety Analysis (JSAs), Process Hazardous Analysis (PHA), Hazard and Operability Study (HAZOP), Aspects and Impacts, and Bowtie Analysis. You’ll also be able to easily perform critical controls verification to check on the status and effectiveness of risk controls.

A successful risk management program depends on being able to know and document that you’re actually completing the key tasks you think you’re completing.  That means performing frequent inspections of your operations and internal audits of your EMS, itself. After that, you’ll need a system for planning, coordinating, implementing and tracking the controls and other improvements needed to meet your requirements. Our Audit & Inspection and Management of Change solutions make it quick and easy to evaluate EMS performance, and ensure that changes to processes, policies and personnel go through proper risk assessment and approval.

Chemicals are one of the largest and most challenging classes of hazards that facilities need to manage. Looking for a faster, easier way to manage your chemical inventory and SDS library? Our MSDSonline Chemical Management solution is newly updated with more than 350 added and improved features to streamline chemical management and regulatory reporting. You can take confidence that your employees always have right-to-know access to your complete inventory of up-to-date safety data sheets, whether online or offline, with our SDS / Chemical Management Mobile App. Ingredient Indexing features also provide maximum visibility and control over the actual ingredients in your chemical products to help simplify storage, handling and emergency response procedures.

Our Emergency Response Services help you reduce risks of potential emergencies by making it easy for your employees to get the chemical hazard information they need, whenever they need it with 24-hour exposure support and rapid access to SDSs. Our Plan1 First Responder Share Service gives you the ability to map your chemical storage locations and amounts onto a virtual floorplan of your facility, then provide real-time chemical inventory information to first responders and other designated stakeholders — giving them the chemical hazard and emergency response information they need when it matters most.

Need help managing environmental risks? Our Environmental Management suite is a sophisticated, yet easy-to-use software solution that gives you the ability to monitor, manage and share progress on your environmental programs and performance across your entire organization, with a powerful and intuitive calculation engine to enable fast quantification

Your EMS will only be effective if you’ve provided effective training to your workers. Our Training Management solution makes it easy to manage your entire workplace training program, from assigning requirements and delivering training content, to tracking completion and verifying that the right people possess the right knowledge and skills.

Best of all, our solution is designed to work as an integrated platform, accessible from anywhere via the cloud, so you’ll have the kind of accessibility you need to make sure your programs are moving in the right direction.