Risk management in organisations – what are the benefits of implementing ISO 31000?

For decades, the development of the global market has necessitated the creation of standards that would allow for the harmonisation of operations between cooperating enterprises. Initially, standardisation bodies focused mainly on the properties of goods placed on the market. For some time now, however, issues concerning the processes themselves – those leading to the creation of specific products or the provision of services – have been gaining in importance.

Risk factors in the operation of modern businesses

In the operations of all types of companies and institutions, security in the broadest sense – encompassing employees, customers, products, data, know-how and physical assets – is playing an increasingly important role. Modern technologies have driven rapid development in every area of business, whilst at the same time becoming a source of serious threats. There is virtually no activity free from risk, and the uncertainty of the present era only heightens this.

The climate crisis and the coronavirus pandemic are just two of the many phenomena currently affecting the whole of civilisation. How a company copes with the inevitable element of uncertainty in today’s world may become one of the most important foundations of its success. Therefore, in order to secure a strong market position and credibility in the eyes of stakeholders, the issue of security must not be overlooked in business strategies.

International standards for effective risk management

With growth-oriented companies in mind – those determined to bring the highest quality products or services to market, whilst caring for the well-being of their employees, partners and contractors – standards for effective risk management are being developed. They propose action plans based on expert knowledge and the experience of the most successful enterprises. Why are such standards needed?

In the global market, standardising operational procedures in the face of crises (or the potential for them) offers the same benefits as implementing standards for product quality. It facilitates understanding and cooperation between different entities and builds mutual trust. It is therefore worthwhile to use risk management systems recognised worldwide.

One of the most widely adopted risk management standards is ISO 31000, first published in 2009 by the International Organisation for Standardisation. Its current edition, ISO 31000:2018, forms the basis for the risk management practices of thousands of companies across all continents.

Who can use the ISO 31000 standard, and in what situations?

Risk management involves activities designed to anticipate and prevent risks, as well as to minimise the impact of adverse events should they occur. The ISO 31000 standard aims to systematise such activities – basing them on a structured process, integrated with the overall organisational governance of a given company, as well as its objectives, values and culture.

The ISO 31000 standard has been designed to support any organisation, regardless of its sector, size, legal form or organisational structure. The recommendations included in this risk management system are also sufficiently general to be applicable to various aspects of a company’s operations.

The ISO 31000 approach can be applied, for example, to managing the risks associated with:

  • the production of a specific product and the safety of its subsequent use,
  • the performance of daily duties in the workplace,
  • the processing of customers’ personal data,
  • cooperation with external companies,
  • the continuity of contracts with contractors.

The key objectives of risk management within an organisation

Systematic risk management serves two fundamental purposes:

  • prevention, i.e. building the organisation’s resilience to potential threats,
  • and the effective resolution of problems and minimisation of losses in crisis situations.

By implementing the recommendations of ISO 31000, an organisation is well prepared for potential threats because:

  • it can identify the risks associated with its operations,
  • it knows under what circumstances these risks may arise,
  • it is aware of the potential consequences of adverse events,
  • it prevents the occurrence of risk factors in its projects wherever possible.

If, despite the precautions taken, a crisis situation arises, it can be managed effectively in accordance with the guidelines of ISO 31000. The organisation suffers minimal losses because:

  • it has an effective management system (not only in risk-related areas),
  • it is able to make good use of its resources, regardless of changing operational circumstances,
  • it has competent staff who are trained to operate in crisis situations,
  • and it has a pre-established procedure for dealing with such situations.

Principles of effective risk management according to ISO 31000

The international standard ISO 31000 is intended to serve as a starting point for developing a risk management system tailored to the specific needs of a given organisation. However, its effectiveness depends on adherence to the universal principles set out in the standard. Here are some examples of principles worth following:

  1. Risk management is not only intended to protect assets, but also to help build them and improve the company’s operational efficiency.
  2. The risk management system should become an integral part of all processes within the company.
  3. Risk must be taken into account when making every decision or determining courses of action.
  4. Risk management will only yield good results if it is a systematic process.
  5. The risk management process should be based on reliable sources of information, best available knowledge and experience.
  6. The risk management system must be tailored to the specific nature of the company in question.
  7. When managing risk, the so-called human factor must be taken into account – this constitutes an additional element of uncertainty, but at the same time offers opportunities that are worth exploiting.
  8. Risk management should be a transparent process for those involved, taking their opinions into account.
  9. The risk management system must be dynamic and constantly adapt to changes.

What does systematic risk management in a company involve?

Structured, coordinated action in the sense of ISO 31000 does not mean adhering to rigid rules drawn up for specific situations. On the contrary – the standard recommends building a flexible system iteratively, based on a continuously improved framework tailored to the specific nature of the organisation.

The framework covers the formal elements that support risk management within the organisation. In accordance with the recommendations of ISO 31000, it should include elements such as:

  • authorising and preparing the relevant personnel for risk management activities,
  • establishing the context (external and internal) in which the organisation seeks to achieve its objectives, and thus the context in which the risk management process will take place,
  • communication with stakeholders (external and internal), taking their views and interests into account at all stages of risk management,
  • defining risk criteria, for example to assess its significance,
  • identifying potential risk factors, analysing and evaluating them,
  • developing possible strategies for dealing with risk, taking into account their varying degrees of effectiveness,
  • in the event of a crisis – defining specific actions and appointing persons responsible for their implementation,
  • monitoring and reviewing the risk management process, and recording and reporting on it.

Although ISO 31000 is highly general in nature, which allows for its versatile application, it describes the stages of the risk management process in detail. As a result, its implementation can form the basis for the effective mitigation of risks, which in turn enhances the organisation’s operational efficiency across all areas.

The benefits of risk management based on ISO 31000

As can be seen, implementing an effective risk management system does not merely serve to safeguard the smooth running of a business – it forms the basis of a modern development strategy. Based on the ISO 31000 standard, it is possible to improve organisational governance, increase operational efficiency, and build a positive brand image.

Increasing the company’s resilience to specific problems involves improving the skills of all team members, increasing their sense of responsibility for the duties entrusted to them, and at the same time ensuring greater comfort, hygiene and safety in their work. Systematic risk management translates into better organisation of all processes within the company, including the improvement of control measures and reporting methods.

The implementation of ISO 31000 recommendations has a measurable impact on the company’s effectiveness in terms of its core activities. Making well-considered decisions, consciously minimising risk, recognising opportunities and using one’s own resources responsibly are factors that increase the likelihood of achieving set objectives.

Nowadays, an organisation that can demonstrate it has a risk management system in place – and, above all, is capable of effectively minimising the impact of risk on its operations – enjoys the particular trust of its stakeholders (consumers, partners, employees, regulatory bodies, etc.). In doing so, it gains a competitive position in the market and, in many cases, a stepping stone towards its intended goals. A documented risk management system is often a prerequisite for participating in a tender or obtaining favourable insurance.

Given the above-mentioned benefits, modern companies often decide to implement various standards that improve the quality of their products or services, streamline their organisation and play an important role in shaping their image. An advantage of ISO 31000 is that the methodology described therein can also be applied when implementing other standards, such as ISO 9001, ISO 14001, ISO 22000 or ISO/IEC 17025.

How can you implement ISO 31000 within your organisation?

Many International Organisation for Standardisation (ISO) standards set out requirements, compliance with which can be verified by an accredited body through the issuance of an appropriate certificate. ISO 31000 is different: it provides guidelines that can be used in internal and external audit programmes, but it is not intended for certification purposes. When implementing this approach to risk management, however, it is worth seeking professional consultancy support. A specialist can assess how well the company's existing processes align with the guidance of ISO 31000, identify their strengths and weaknesses, help formulate a development plan and carry out an initial identification of risk factors, as well as provide appropriate training for staff.
