Guest Post by Greg Hutchins (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
More ISO management system standards are incorporating risk-based thinking (RBT) and explicit risk requirements, so ISO 31000 is becoming a 'must know' standard. The ISO 31000 risk management principles, risk management framework, and risk management process are the preferred tools to use with ISO management systems because ISO 31000:
- Is a risk management framework. ISO 31000 has the critical elements of a risk framework, including a focus on culture, risk philosophy, risk definitions, common risk approach, common risk processes, defined roles and responsibilities, importance of accountability, risk competencies, and organizational risk appetite.
- Is harmonized with other enterprise risk management (ERM) standards and frameworks. While the standard does not map one-to-one to more comprehensive ERM frameworks, it offers many of the critical elements needed to start the RBT journey.
- Follows a Plan-Do-Check-Act (PDCA) cycle that can be applied to any ISO management system standard.
- Offers the option of a simple risk management program (ERM light) or an enhanced risk management program (ERM medium light). Either option can be used on the RBT journey by certified organizations to mature their risk processes and make them more capable.
- Follows an enterprise-wide approach to risk management, considering the potential impact of risks on critical management systems, processes, stakeholders, product development, outcomes, products, and services.
- Is a process that is based on a set of unified risk management principles.
- Is supported by a framework structure that is appropriate to the organization's context, external environment, and internal environment.
- Is supported by a risk taxonomy and risk vocabulary that are appropriate to ISO management systems.
- Addresses the upside (opportunity risk) as well as the downside (consequence risk).
- Follows an achievement-of-business-objectives approach based on the organization's risk appetite.
- Focuses on risk controls as well as the other risk treatment options and mitigations.
- Allows an organization to identify, prioritize, and control significant risks.
- Allows an organization to develop monitoring and risk assurance processes.
We recommend that you purchase ISO 31000 to use with ISO 9001:2015 and the other families of standards.