CHAPTER 2: WHAT IS ISO 31000:2018?

In this chapter, we will look at the principles behind ISO 31000 and how these complement other approaches to risk management.

Later chapters will look at some specific ISO 31000 requirements in relation to Annex SL standards, such as ISO 9001 and ISO 27001.

It is important to show that the broad process of considering risk within ISO 31000 follows principles similar to those of many other management systems and, conversely, that management systems operating on risk-based principles can be informed by other systematic approaches to defining and controlling risk. The example we will take is HACCP, but there are a number of others we could have selected.

There is a good reason for taking this approach. The key point to remember is that, in the words of ISO itself: “ISO 31000:2018 provides guidelines, not requirements, and is therefore not intended for certification purposes.”7

Sometimes the notion of a generic standard can almost be seen as a negative; after all, there are no specific requirements to understand and implement. This pocket guide is suggesting quite the opposite. Generic requirements can inform the way other more specific standards, specifications and schemes can be understood and then implemented to a greater effect. Even if you have no direct involvement with risk-based management systems outside the ISO arena, the particular examples we will discuss may inspire an alternative approach to those you already use or are thinking of adopting.

ISO defines ISO 31000 as providing:

“Principles, a framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector.”8

Organisations using ISO 31000 can compare their own risk management practices with an internationally recognised benchmark. ISO goes on to say that ISO 31000 can provide “sound principles for effective management and corporate governance.”9

In fact, ISO goes as far as to say:

“Managing risk is part of governance and leadership, and is fundamental to how the organization is managed at all levels. It contributes to the improvement of management systems.”10

The notion of governance is, again, implied in some Annex SL standards but is not specifically required. For example, it could be argued that ISO 9001 – despite being around in its various updates for more than 27 years – still tends to focus on effective management as meaning doing things consistently right, rather than creating processes for consistently doing right things.

Conversely, one focus of ISO 31000 is the influence of risk management on governance of the organisation. In turn, this can inspire a wider impact on policy, objectives and corrective actions through governance within an Annex SL standard, such as ISO 9001.

What are the principles behind ISO 31000?

We’ve already discussed that ISO 31000 looks at risk in terms of opportunities as well as negative outcomes. It also anticipates a risk management framework. Conversely, Annex SL standards expect a risk-based approach to management which, in one sense, is even more generic. This still causes confusion among some parties. ISO 31000 can help achieve a better understanding.

In the rest of this pocket guide, we will look at how ISO 31000 can inform a risk-based approach to management. However, for this chapter, we are going first to Clause 6 – the operational realisation of risk strategy and framework. This shows the tactical implications of ISO 31000, i.e. risk management is a suite of processes rather than just a principle behind it, as it might be with the ISO 9000 family of standards.


Figure 2: An adaption of ISO 31000:2018, Clauses 4, 5 and 6

We’re jumping ahead to Clause 6 because this helps show that the principles of ISO 31000 have been conceived in the more practical arena of tactical, operational processes, rather than just in the areas of strategy. Also, there are many similarities in structure to the PDCA approach commonly adopted for standards such as ISO 9001 and ISO 27001. For example, Communications and Consultation, Recording and Reporting as well as Monitoring and Review.

If we go back to the ISO definition discussed earlier about providing “principles, a framework and a process for managing risk”, it can be seen that principles and a framework actually feed into a process. The framework that ISO 31000 creates could also be fed into existing processes, for example, ISO 9001 or ISO 27001. The framework of risk identification, risk analysis, risk evaluation and risk treatment can apply to any activity the organisation undertakes.

Although ISO 31000 isn’t conceived by ISO as a standard that can be externally assessed, it could directly influence how an organisation implements other standards that can be, e.g. ISO 9001 and ISO 27001. The extent to which this would be undertaken is likely to be proportionate to the value that is being protected and the organisation’s own approach to risk. This could be seen as a risk-based approach to management, which is a requirement of Annex SL standards such as ISO 9000.

It is worth looking at just one systematic approach to risk that isn’t a standard and is sector specific. The one I’ve selected is HACCP, and how this compares with ISO 31000’s Clause 6 process statement.

HACCP is always thought of in terms of food production, processing and distribution. It is, in one sense, a sequence of process controls, rather than a sequential expression of vulnerabilities and risks. However, the principles behind it follow a process methodology that is not dissimilar to ISO 31000 Clause 6. In fact, HACCP has been chosen as our first example of what a risk-based approach to management can be, simply because it defines a clear journey – or process – relating to managing risk (relating to food and beverages). Also, the ISO 9000 family of standards explicitly or implicitly requires a consistency of process or, to put it another way, to minimise variance. HACCP attempts to do this through a risk model.

HACCP is based on the notion of critical control points. Each element of any process can be broken down into stages where there will be critical control points at each stage where there is a defined standard of output. If this is not achieved, it will compromise any controls that come later in the process. It is almost like each stage of the process has its own single point of failure or, rather, failure can manifest itself later in the product production or delivery process because of a failure of controls at an earlier stage.


Figure 3: An adaption of the seven principles of HACCP

What ISO 31000 shows as Scope, Context and Criteria in the ISO 31000 process model can be seen as the seven stages of HACCP fleshed out as the Risk Identification, Risk Analysis and Risk Evaluation silo that sits below it. Of course, ISO 31000 addresses strategic risks as well, and these often can’t be anticipated or defined like HACCP. However, there are a few wider lessons that can be discerned from this comparison.

Whether it is a strategic or tactical risk, understanding the journey or event is key. Risk identification is as much about how an unplanned event could impact an organisation as it is about the processes then defined to mitigate against this. Is this a countermeasure? Perhaps. But it is distinguished by the fact that the process – just like HACCP – is planned to be as resilient as possible so that countermeasures are not required or are not required to the same extent.

Critical points of failure are determined. In fact, when considering the risk-based approach to management required by Annex SL, defining what the key points of failure are in any process or set of processes can be very informative.

Critical points of failure can apply to many activities from design and development to managing financial ledgers. Knowing what should be done right is different from knowing what the key things are that must be right. The HACCP requirement to establish critical limits (in simple terms, the distinction between acceptable and unacceptable output at that stage of a process) is another way of looking at this.

Even if the process may be seen as too complex to routinely attempt this, that is, in itself, part of the risk analysis and, later on, the risk evaluation when the effectiveness of all critical control points (and any critical limits) can be discerned. In fact, one could say Clause 6 of ISO 31000 says nothing unique – Risk Identification, Risk Analysis and Risk Evaluation can be found as concepts – if not a word for word nomenclature – in HACCP. This would also apply to most other risk-based standards and specifications.

Both ISO 31000 and Annex SL assume rational decision making, yet only some sectors are effective at taking into account that effective decision making, at both strategic and tactical levels, makes a significant difference to risk outcomes. One positive example would be commercial airline pilots. They spend much of their time in simulators, training on assumed scenarios and learning from their initial responses and subsequent debriefs as to what may be the best way to manage a real situation, so as to prevent or minimise an unplanned outcome. More generally, but in the same way, critical control points should make us question how far the way we assess risk, and how far variance in decision making, are inhibitors to assuming controls will work.

At a high level, ISO 31000 and HACCP provide clear models of being aware of risk, defining it and then having management responses to it, both from strategic overviews and a more tactical response. In fact, ISO 31000 could be seen more as a strategic tool and when, in later chapters, we look at other risk frameworks, such as CoCo, we will see how such approaches can be informed by insights from ISO 31000.

Before we look in more detail at the risk-based approach to management in relation to ISO 31000 principles, we are going to consider a document that can be seen as an introduction, or glossary to ISO 31000 itself: IWA 31:2020.

7 ISO: The new ISO 31000 keeps risk management simple, issued 15 February, 2018. www.iso.org/news/ref2263.html.

8 www.iso.org/iso-31000-risk-management.html.

9 www.iso.org/iso-31000-risk-management.html.

10 www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en.
