MANAGEMENT & ACCOUNTING

ISO 31000 and the Principles for

Managing Risk
Patrick Ow

The International Standard ISO 31000 “Risk management – principles and guidelines on
implementation”1 is the first generic international standard on risk management that clearly
and explicitly sets out the principles and framework for managing risk, so that risk manage-
ment can be an integral part of the organisation’s overall governance, management, report-
ing processes, policies, philosophy and culture, thereby helping organisations comply with
legal and regulatory requirements as well as improve their performance.

T
his international standard can to organisational activities and processes. tices (Principle 1), whereby quantifiable
be applied to any public, private In order to demonstrate that risk man- measures and targets tell us whether
and community enterprise, as- agement does create value for the organi- risk management activities have indeed
sociation, group or individual sation, we should be able to demonstrate created value for the organisation
and throughout the life of an organisation, that risk management: n helps decision makers to make informed
and to a wide range of activities, process- n is not a standalone, compliance or tick-of- choices, prioritise actions and distin-
es, functions, projects, services and opera- box activity that can be separated from the guish among alternative courses of action
tions. It provides a common approach
Principles for managing risk Framework for managing risk Process for managing risk Attributes of
in support of other international and (Clause 4) (Clause 5) (Clause 6) enhanced risk
management
local standards dealing with specific 1. Creates value
areas of risks and/or sectors, and 2. Integral part of Mandate and (Annex A —
organisational processes commitment Informative)
does not replace them. Establishing the Context
It is not the intent of this standard to 3. Part of decision-making
4. Explicitly addresses Risk
impose uniformity of risk management
Communication and Consultation

uncertainty Assessment
Design of
across organisations as the design and

Monitoring and Review

5. Systematic, structured framework for Risk Identification
implementation of risk management and timely managing risk
will depend on the varying needs of or- 6. Based on the best
available information Risk Analysis
ganisations and their specific context. 7. Tailored
Therefore, ISO 31000 is not intended Continual Implementing
8. Takes human and cultural improvement of risk
factors into account Risk Evaluation
to be used for the purpose of certifica- the framework management
tion (or standardisation). 9. Transparent and inclusive
10. Dynamic, iterative and Risk Treatment
The relationships between the key responsive to change
parts of ISO 31000 are shown in the 11. Facilitates continual Monitoring and
diagram. improvement and review of the
enhancement of the framework
organisation
Risk management programme
must create value for the main activities and processes of the organ- (Principle 3), all based on the best avail-
organisation isation - but instead, as an integral and in- able information to these decision makers
The most important principle is for your tegrated part of organisational processes, (Principle 6) through the organisation’s
risk management programme to create including all project and change manage- reporting and governance structure and
value for the organisation (Principle 1). ment processes (Principle 2) processes
Risk management should contribute to the n drives a demonstrable and measurable
demonstrable and measurable achievement achievement of objectives and improve- 1 Currently in draft and is expected to be issued
of objectives, which includes improvements ment of organisational processes/ prac- later this year.

 ACCOUNTANTS TODAY s-AY

 ISO 31000 and the Principles for Managing Risk

n has dealt with those aspects of

decision-making that are un-
1%#
1 Develop the Strategy

.

Define mission, vision and values:

certain, considered the nature clarity of purpose
.
Conduct strategic analysis
of that uncertainty and how it
.
F$&")!()%(
'(&(-
can be addressed (Principle .
Understand context
4), and whether risk treat-
ment plans will be adequate 1%#
and effective
2 Translate the Strategy
.

Define strategic objectives
1/1#%'!
*,
Test and Adapt Strategy 1%#
6
and themes .

Conduct profitability analysis
n contributes to the efficiency, .

Select strategic indicators .
Conduct strategy correlation
7
1/1#%'!
- (#!1'3#0 analysis
targets and initiatives
consistency, and reliability of 7
1/1#%6
+.
.
Examine emerging strategies
#/$-/+,!#

7
*,!#"
0!-/#!/"
the organisation’s performance +#1/'!0
7
W-/)$-/!#
.*,,',%
results over time (Principle 5)
n facilitates the continual im-
provement and enhancement #02*10 '0)
#%'01#/
of all aspects of the organisa-
tion (including risk manage- 1%#
ment maturity) (Principle 11
3 Plan Operations
.

cascade and define operational
Operational Plan

.
'$rds
Monitor and Learn

.

Hold strategy reviews

5
1%#

objectives, indicators and targets

.
!#'
#
)(' .
Hold operational reviews
and Annex A). .

Develop plans and budgets
.

Align staff performance 7
/-
$-/+
0
.
Hold individual performance reviews
Risk management is all about .
Monitor and Review Risk and
helping organisations achieve #/$-/+,!#
Risk Register
their objectives and create +#1/'!0
#02*10
value by: (A".1#"
$/-+


.*,


-/1-,
01#/',%
1&#
,%#+#,1
601#+

Harvard Business Review article
,2/6



.

,ecute the process and initiatives
n clarifying what are these strate- .
#reat Risks
gic and operational objectives,
measures and action plans
1%#
4
n articulating, documenting and commu- that is simple, consistent, systematic, of responsibilities and accountabilities,
nicating these strategic and operational timely and structured (Principle 5) and harness the required actions.
objectives, measures and action plans n involving the relevant stakeholders ap- To be successful, risk management should
n effectively managing those uncertainties propriately in a timely manner, and be- function within an overarching risk manage-
(or risks) that are linked to objectives ing transparent to them, so that risk ment framework which provides the neces-
and the achievement of these strategic management remains relevant and up- sary foundations and organisational arrange-
and operational objectives, measures to-date (Principle 9) ments that will embed risk management
and action plans n being dynamic, iterative and responsive to throughout all organisational levels and in-
n aligning individual performance to have change, whereby the organisation should tegrate the risk management process within
a clear line-of-sight towards achieving ensure that risk management continually overall governance, management, reporting
the organisation’s objectives, measures senses and responds to change as new processes, policies, philosophy and culture.
and action plans. risks emerge and others disappear due to Because ISO 31000 stipulates that the risk
changes in internal and external events, management framework is not intended to
Risk management is an integral part context and knowledge change, and moni- describe a separate management system,
of the organisation’s processes toring and review activities (Principle 10). but rather to assist organisations to integrate
Organisations can integrate or embed General roles, responsibilities and ac- risk management within the context of the
risk management into their culture, and countabilities for risk management overall management system, organisations
existing structures and processes by: should be incorporated into: must therefore adapt and customise the
n tailoring or customising risk manage- n individual’s job or position descriptions framework components according to their
ment for the organisation by taking into or responsibilities (for paid employees specific needs and circumstances.
account human and cultural factors, and volunteers/unpaid employees) For a start and as an example, risk manage-
especially when we recognise that the n committees or teams’ terms of reference ment can be integrated into an organisation’s
capabilities, perceptions and intentions or charters strategic planning process, as shown in the di-
of external and internal people can fa- n reporting format, with a risk management agram above. Whatever technique or frame-
cilitate or hinder the achievement of or- section featured in all reports produced work is used to manage risks, it is essential
ganisational objectives (Principle 8) n meeting agendas, with risk management that it is related directly to the objectives of
n aligning risk management with the or- featured as a standing agenda item in eve- the organisation, business unit / department,
ganisation’s external and internal con- ry meeting held within the organisation. programme and services. Therefore, the first
text, risk profile (Principle 7), and risk These inclusions ensure adequate un- step in evaluating risk is often the confirma-
appetite and risk tolerance derstanding, commitment and communica- tion (or setting) of objectives. AT
n carrying out an implementation approach tion of risk. They also promote awareness Contact the writer at [email protected].

ACCOUNTANTS TODAY s-AY