

Properly implemented risk management is as much about identifying opportunities as it is about identifying potential losses.

NSAI has just published a compendium risk management guidance document, ‘National Guidance on Implementing I.S. ISO 31000:2009 Risk Management – Principles and Guidelines’, that will incorporate:

  • I.S. ISO 31000:2009 – Risk management – Principles and guidelines
  • National guidance on implementing I.S. ISO 31000
  • I.S. ISO Guide 73 – Risk management – Vocabulary

The supplemental guidance given in NWA 31000 aims to help the user to better distinguish what needs to be done in the different clauses of the standard.

As ISO 31000 is a guidance standard and is not intended for certification purposes, implementing it does not address specific or legal requirements of risk assessment and management. However, implementation of this standard will set out a risk management framework and process that can help address requirements outlined in other documents such as:

  • Risk management Guidelines for Government Departments and offices – Dept of Finance March 2004.
  • Code of practice for the governance of state bodies – May 2009, Department of Finance
  • Internal Control: Guidance for Directors on the Combined Code (The Turnbull guidance)

Where can I Purchase Standards on Risk Management?

Purchase Risk Management and other standards at +353 1 857 6730, email at or visit

What is ISO 31000 and How Does it Differ from Existing Guidelines?

ISO 31000 differs from existing guidelines on the management of risk in that it shifts the emphasis from the uncertainty of something happening (an event) to the effect of uncertainty on achieving objectives. Implementing risk management in line with ISO 31000 will increase the likelihood of achieving objectives, improve an organization's ability to identify opportunities and threats, and provide a reliable basis for informed decision making and planning.

ISO 31000:2009 sets out terms and definitions, principles, a framework and a process for managing risk. It is important that the 11 principles of the standard are used as a guiding set of rules for organizational boards and top management in developing their framework and processes for managing risk.

The risk management framework provides the foundations and organizational arrangements for designing, implementing and reviewing risk management in an organization. The overarching component of the framework is the mandate and commitment of the board or top management. Critically, the standard requires that the organization ensures there is accountability and responsibility for the management of risk by identifying risk owners (accountable for their decisions or lack of decisions) as distinct from those who are responsible for implementing the decisions of the risk owner. The framework also sets out how management of risk is to be incorporated into the "way of doing things" so that it becomes an integral part of how the organization is managed rather than an "add on" activity.

The risk management process deals more with the specifics of risk identification, analysis and evaluation as well as risk treatment. In both the framework and process stages, the importance of communication and consultation as well as monitoring and review is stressed. This is to ensure that relevant information is available to the appropriate people and that planned reviews are carried out to monitor the effectiveness of the risk management system.

Development of ISO 31000 and NSAI Involvement

  • NSAI participated in the development of ISO 31000. National risk management experts monitored and commented on the development of the international standard through the work of the NSAI Risk Management Standards Committee (RMSC).
  • ISO 31000 is the product of over four years' consultation with risk management experts and standard developers in over 30 countries and marks a significant step in providing an international benchmark for risk management.
  • ISO 31000 provides a common approach for managing different types of risk, irrespective of the organization's size, type, complexity, structure and location. It is intended to meet the needs of a wide range of stakeholders from executive management who develop risk management policies to risk analysts, line managers and project managers who implement and apply risk management policies and plans etc.

Get in Touch

For any queries in relation to Risk Management Standards please contact:
NSAI RMSCC Technical secretary.