ISO 31000 Risk Management

Transformational Thinking

ISO 31000 revolutionises the thinking on risk management.  You will go through a transformation and experience a shift in thinking when you read the ISO 31000 risk management standard.  We all understand that the COSO model is widely used and supported.  Making a shift towards ISO 31000 will only bring more benefits.

We face risk.  We are thrilled by an opportunity.  According to ISO 31000, when we face risk, we equally and delightfully face opportunity, although the English may not look right, because risk always means an opportunity as well.  As you identify a risk, you may end up identifying an opportunity and vice versa.  The pleasant discovery is that the opportunity-seeking process is, logically speaking, the same as the risk management process.  As you make a group decision or an organisational decision, contextually you may be finding an opportunity or identifying a risk.  Therefore ISO 31000 simply advocates a healthy organisational decision-making process.  ISO 31000 removes fears and concerns from the mind and brings it into balance.  If an individual or a group makes a decision outside of ISO 31000, it would just be an impulsive, emotional or mechanical decision, and these are not desirable although we often use them thoughtlessly.  We don't question intuitive decision making, but we don't consider it an organisational decision-making process.

Secondly, context or environment is given so much importance because it changes from time to time, in itself becoming a source of risk (or opportunity).  This makes risk management dynamic and iterative and puts management on "ever alert" mode to observe the context all the time without losing sight of the objectives or strategy, which is the other source of risk.  So when you identify a risk you not only think of the impact on the objective today but keep thinking about it every day because of possible changes in context.

Thirdly, risk management does not have to be enterprise-wide.  It can be applied to a division, section, process, group or product.  So the risk management process can progress steadily across the organisation.

Principles, Framework and Process

At its very core, the risk management process is simply risk assessment and risk response.  Risk assessment includes 3 sub-processes: risk identification, risk analysis and risk evaluation.  However, the risk management process also has to consider context, monitoring and review, recording and reporting, and communication and consulting as inherent processes.


Whether it is the risk management process or the risk culture, you will always need a framework that follows the PDCA (Plan-Do-Check-Act) model in terms of Design, Implementation, Evaluation and Improvement.  For this cycle to happen, leadership is important, as is the integration of the PDCA components.


Risk management is always integrated and can't be approached in silos.  It is structured and formal, not casual and undocumented.  It changes from company to company and from time to time, so it requires precise customisation.  All stakeholders should be included for the risk management process to work at its best.  It is dynamic because of constant changes in external and internal contexts.  Decisions are made not on perfect information but on the best available information at the point of decision making.  Human and cultural factors play a predominant role in setting the internal context.  Finally, the risk management process can never be perfect, but it should always tend or march towards perfection through continual improvement.