Various Risk Management Systems and Their Applicability to Modern Organisations
Risk management should form an integral part of any organisation’s daily operations. Risks affect the enterprise’s economic performance, its standing in the community, its competitive edge, and its legal compliance. Managing risk effectively thus helps the enterprise to operate safely within its environment. ISO 31000 is an international standard that addresses risk management systems. Its full title is ISO 31000:2009 Risk Management – Principles and Guidelines. The standard is important as it provides a framework for organisations, regardless of size and industry, for effective management of risks. Adoption of the standard increases the likelihood of reaching company objectives, while also improving the probability level of being able to identify threats and opportunities in a timely manner for successful allocation of resources and management thereof.
It should be noted that, unlike many other ISO standards, ISO 31000, though directly related to risk management systems, is not aimed at certification purposes. It is merely a guideline that can be used for internal or external auditing. It can therefore be used for comparison of risk management policies and implementation and, as such, it is a benchmark rather than certification framework for effective risk governance. The standard is also related to ISO/IEC 31020 of 2009 titled Risk Assessment Techniques, which is aimed at effective risk assessments. In addition, the standard relates to ISO Guide 73 of 2009 titled Risk Management Vocabulary, which can be used in conjunction with ISO 31000 for a clearer understanding of the terms used in the standard.
What ISO 31000 Covers
The standard provides the general guidelines for the design, implementation, and maintenance of an effective risk management system. It can be seen as a framework for best practices to make it possible for improved strategic and operational management of an enterprise, in order to minimise risk. The standard is well-suited to independent risk practitioners, for guidance related to internal and external risk audits, for risk analysts, executive level management, and for both line managers and project managers.
What Makes ISO 31000 Different and the Foundation of the Standard
It changes the way that risk is defined. Whereas the Guide 73 defined risk-related to probability of loss, ISO 31000 conceptualises risk as the uncertainty that is related to objectives. With such a definition, it includes opportunities and risks rather than just risks in a negative context. The standard was developed based on AS/NZS 3460 of 2004. It is therefore based on an Australian standard.
Why ISO 31000?
The standard can be applied to the current management systems of an organisation to help manage the risks. In that sense, it gives a formal character to risk management. With implementation, the organisation is able to fill the gaps in risk management, create more accountability, and ensure that risk management forms part of the reporting process. To implement the system may require changes in the existing risk management practices of the enterprise related to documentation and reporting on risks. The standard provides guidelines on how to react towards risk, such as avoidance of the risk by not commencing or continuing with an action or activity that can lead to a particular risk, accepting a risk, or even increasing it in order to achieve an objective related to an opportunity or removing the particular risk completely. It also makes provision for changing the probability of the risk or the outcomes, sharing of the risk, and retaining it as part of a management decision.
The South African Context
In South Africa, the implementation of Safety, Health, Environment, and Quality (SHEQ) principles is seen as essential for safety and to minimise risk. WWISE offers consultation services regarding the setting up of risk management systems, internal and external auditing services, and training also as related to SHEQ policies and the Occupational Health and Safety Standard. The SHEQ System Development Programme as offered by WWISE is specifically aimed at individuals and organisations planning to develop and implement SHEQ management systems.
The 5-day course includes groupwork on the development of the policies and procedures related to relevant standards. It also covers the requirements for such a management system, accountability of the executives and line management, management of resources, ongoing measurement and reporting, implementation pitfalls, and mapping of the process. It also covers the controls required and monitoring of improvement, as well as the writing of the procedures. The course furthermore addresses the development of work instructions, Gantt charts, document collation, and becoming certified.
Related to these is the SHEQ Internal Auditing Training course that runs over a period of three days and covers aspects such as ISO 9001, ISO 14001, and OHSAS 18001. Topics range from auditor conduct to audit planning, checklists, reporting, opening and closing meetings, and presentation of findings. Also related to risk management is the ISO/IEC 27001:2005 standard, which was revised in 2013. The standard relates to information security management to minimise and address risks related to information management in the enterprise. It includes the design, implementation, and maintenance of an information security management system for optimal risk management. The 2013 version has done away with the Deming cycle still used in the older version. With the revised standard, the enterprise can follow any management approach, whether it is the Six Sigma or the Plan-Do-Check-Act approach of the older version.
Also important to note is the ISO 27002 standard, which replaced ISO 17999, and provides the Code of Good Practice. It also provides ISO 27003, dealing with implementation guidelines, and ISO 27004, focussing on performance metrics, while ISO 27006 covers the auditing aspects. Information risk management is just as important as setting up a risk management system for dealing with any type of environmental risk. Implementing and integrating the various standards to ensure optimal risk management should be a priority for the enterprise.
At WWISE, we recognise the difficulty of being able to comply with all the relevant standards, choosing which management systems to implement, and how to integrate the various management systems. We thus assist clients through expert guidance, systems integration, auditing, and training. Get in contact with our consultants for professional assistance if you are not sure where to start or which risk management system to implement.