ISO 31000 is going to be used more often as more ISO certified companies adopt Risk Based Thinking. However, ISO 31000 can be challenging. Why?
Interestingly, the descriptive nature of the ISO 31000 standard may well be its strength, but it may also be its weakness. Without the proper guidance of a risk practitioner, the standard may become discretionary and even arbitrary.
ISO 9001:2015 has Risk Based Thinking requirements. Note that ISO 31000 was developed in 2009 and is not harmonized with the new Annex SL standards and ISO 9001:2015.
The definition of terms in ISO 31000 is frankly problematic. Why are so many critical terms open to interpretation? This was largely intentional on the part of ISO. ISO definitions are broad and discretionary so they can be used in different applications, sectors, functions, and contexts. The challenge is that definitions of critical risk terms can lose their specificity and become discretionary or, at worst, arbitrary.
If the goal of a Quality Management System or Environmental Management System is consistency, then the interpretation of definitions can affect the architecture, design, deployment, and assurance of the risk management system.
ISO has elevated the RBT concept to the same level of importance as the Plan – Do – Check – Act cycle and process management. Another challenge is that ISO has not defined what Risk Based Thinking is or how it integrates with the ISO 31000 risk management framework.
According to ISO 31000, all risk strategies, tactics, and activities should be risk managed. How is this accomplished? ISO believes the basis of managing risks is Risk Based Thinking (RBT). One challenge is that ISO 31000 was issued in 2009 and ISO developed the RBT concept 6 years later. So, ISO 31000 does not really address RBT, since it has not been updated.
In the absence of ISO direction, we define Risk Based Thinking as “risk based, problem solving and risk based, decision making.” This will be discussed extensively throughout the book.
If the organization has an existing risk management or enterprise risk management framework, practices, and procedures, then the organization should review, assess, and conduct a gap analysis of its existing risk management against ISO 31000.