INTRODUCTION

This pocket guide isn’t written for experts on risk management or, necessarily, experts on management systems. However, it does assume that risk management matters to all organisations – big and small – and recognises that not having a formal process to identify, assess and control risk can lead to many issues, including difficulties in implementing management systems based on ISO standards. The ISO 9000 family of standards is process-based, and this pocket guide will focus on how this broad approach works in a wider arena than a process focus would normally involve.

The absence of a risk-based approach to management might also lead to opportunities being missed or simply not being exploited to their full potential. Risk management is not just about managing negative or catastrophic events; deciding between competing research and development possibilities is one example of a positive application. A risk-based approach to management may reduce unnecessary expense or divert resources to better controls. For example, ISO 27002 assigns ‘attributes’ to its controls (identifying control type, operational capabilities, security domains, cybersecurity concepts and information security properties), helping the risk assessor to make more informed decisions about which controls might best respond to a given risk.

To achieve all of this effectively, we may require a management system that understands risks and opportunities in a strategic way, in terms of leadership priorities. It might be tempting to look at these requirements as something tactical or operational, but the leadership’s attitude towards risk and its priorities for dealing with risks will always shape an organisation’s attributes.

This pocket guide is intended to be of interest to those whose experience of risk or management systems has always been very sector-based. A career spent looking at financial or governance risk could be surprisingly helpful in understanding how different policies and approaches to risk can be developed.

Annex SL is the common structure used by ISO management system standards such as ISO 9001 and ISO 27001. Its purpose is to be a platform for these and other ISO risk-based management system standards, so that an organisation of any size can build better systems across multiple standards by working with a common format of clauses and goals. Even if you never intend to implement something like ISO 27001, reading Annex SL is like reading the UK’s HSG65 for health and safety management systems: it contains much food for thought.

This pocket guide will often use the terms ‘strategic’ and ‘tactical’, and these will mean different things to different organisations. Annex SL assumes that top management and the wider leadership team take a key part in risk policy and decision making, and this is always worth bearing in mind when considering the points made in this pocket guide.

The main focus of this pocket guide will be ISO’s Annex SL (sometimes referred to as Annex L) and how it requires a risk-based approach to management to be adopted by other international standards in the ISO 9000 family, e.g. ISO 9001:2015 and ISO 27001:2022. Although risk is referred to regularly in these standards, there isn’t much of a practical definition of what risks and opportunities actually mean in practice to an individual organisation; as we will see, one advantage of ISO 31000 is that it can inspire the creation of an infrastructure to achieve a risk universe.

This pocket guide will also discuss how risk can be defined within a management system, i.e. what isn’t written in international standards about defining risk and the implications of a risk-based approach to management.

This approach means our focus will be on risk management as a process. Any business process can be designed with risk and opportunities in mind; risk management isn’t necessarily a separate silo or discipline that sits alongside process design.

When discussing risk management, it is only natural to introduce and analyse ISO 31000:2018. ISO refers to this Standard as the “international best practice regarding risk management, which is widely accepted, generic and open to manage any type of risk.”1

ISO 31000 can be used by any type of organisation. Currently, the Standard isn’t subject to third-party assessment in the way that, for example, ISO 9001:2015 or ISO 27001:2022 are. However, there are organisations that offer second-party audit processes based on ISO 31000’s principles. Perhaps the most important aspect of ISO 31000 is the way in which it can influence risk management strategy, and this pocket guide will explore how the Standard can be used to benefit an organisation that is implementing an Annex SL standard such as ISO 9001:2015.

But more important than looking at different risk tools and techniques is the way ISO 31000 can influence how risk management is implemented within an organisation.

ISO 31000 draws a distinction between a risk management framework and a risk management process. One way of considering this is that there is little point in having lots of individual processes to identify and control risk if there isn’t a set of strategic policies and leadership actions that define and support those processes. It follows that a framework can be influenced by many factors.

One contemporary example would be planning for resilience – be this to respond to COVID-19 or to the shift towards remote working. If we treat COVID-19 as a black swan event (and you could argue against this), those organisations that had invested in resilience were able to adapt more quickly than those that hadn’t. Understanding risk, and continually reviewing how efficiently and adaptably an organisation’s processes could respond to sudden change at short notice, isn’t just a matter of efficiency or continual improvement – which it often is – but also allows for some level of preparedness when unplanned events suddenly arise. With the shift to remote working, organisations that already had an element of this in their processes had arguably already taken a strategic view of their risk. Those that hadn’t needed to change their view of risk overnight to support any kind of remote working. Reading ISO 31000 could help inspire the setting up of a wider range of policies and processes to keep risk under review at a strategic level. This, in turn, can enable a nimbler response to black swans and, of course, to unplanned opportunities – such as a sudden increase in demand – which need to be responded to effectively just as much as a disaster does.

In addition to Annex SL standards such as ISO 27001:2022, this pocket guide will also review some other risk management protocols and standards, focusing on sector-specific approaches to risk that can establish a much wider framework for risk management principles, e.g. Hazard Analysis and Critical Control Point (HACCP), which is chiefly used within food safety. In the same context, we will consider the wider insights that can be derived from sector-based frameworks and protocols; there are, of course, many other frameworks and methodologies we could have taken as examples. Nevertheless, these will give a flavour of how looking at risk from a wider perspective than just one sector or approach can inspire different, and sometimes deeper or alternative, ways of identifying and controlling unplanned events. Understanding ISO 31000 can be the linchpin of this understanding.2

1 IWA 31:2020, Risk management – Guidelines on using ISO 31000 in management systems, www.iso.org/standard/75812.html.

2 For more information, visit: www.iso.org/iso-31000-risk-management.html.
