Risk management without ISO 31000 – how many decisions in your company are made in the dark?
Every company manages risk. It’s just that most do so unconsciously — through experience, intuition and reacting to what has already happened. As long as it works, no one asks about the methodology. The problem arises when something goes wrong and the company discovers it didn’t have the tools to predict it. And that this isn’t the first time.

ISO 31000 is not the answer to every question. Instead, it is a common language and a structured approach to something that, in most organisations, happens in a chaotic and haphazard manner.

What does risk management really look like in most companies?

In a typical company, risk is managed through several parallel, unconnected mechanisms. The finance department monitors liquidity. The legal department tracks regulatory changes. IT responds to security incidents. Sales worries about contracts. Each of these areas operates separately, with its own understanding of risk and its own way of responding.

The result is predictable: the organisation is well prepared for risks that have already affected it, and completely unprepared for those that are yet to come from an unexpected direction. Strategic decisions are made without a full picture of the threats. Opportunities are missed because no one has assessed their risks in a way that would enable an informed decision.

ISO 31000 brings order to this landscape. Not through bureaucratisation, but by introducing a common process — the identification, assessment and response to risk — which permeates the entire organisation rather than operating in separate silos.

How does risk management according to ISO 31000 differ from what you are already doing?

The ISO 31000 standard does not impose specific tools or risk assessment methods. Instead, it sets out the principles and framework that should govern this process within an organisation — regardless of its size, industry or business profile.

The key difference between an intuitive approach and one based on ISO 31000 lies in its systematic nature. Risks are identified before they materialise, assessed according to consistent criteria rather than subjective feelings, and addressed in a documented and monitored manner. Management decisions are based on analysis, not just on experience and gut feeling.

For many companies, the implementation of ISO 31000 is the moment when, for the first time, the risks of different departments are brought together on a single map. And for the first time, management sees the full picture — not just the fragment familiar from their own backyard.

When does the lack of a risk management system really hurt?

There are three situations in which the lack of a structured approach to risk costs the most. The first is a sudden regulatory change for which the company was unprepared, because no one was monitoring the legal environment in a systematic way. The second is the loss of a key supplier or customer, the consequences of which proved disproportionately severe because the dependency was not consciously managed. The third is an investment project that went over budget and behind schedule because its risks were assessed too optimistically at the planning stage.

Each of these situations is painful in itself. What hurts even more is the realisation that, with a little consistency, it could have been predicted and addressed earlier, more cheaply, and with greater peace of mind. ISO 31000 does not eliminate risk. No standard promises that. Instead, it provides an organisation with the tools to ensure that risks do not catch it off guard, and that the decisions the company makes every day are based on more than just a hunch.
