ISO 31000:2018 – risk management guidelines


The ability to predict what the future holds and to choose effectively among varying alternatives lies at the center of contemporary societies and organizations. Risk management helps us navigate a broad range of decision-making processes, from making investment decisions to safeguarding our health, from waging war to planning families, from paying insurance premiums to wearing a seatbelt when we drive, from planting sugar cane to promoting delicious sweets, and many other aspects of life.

Nowadays, people and organizations rely far less on tradition and superstition than they did in earlier days. This may not be because mankind has become more rational, but rather because of our ability to understand risk, which allows us to make more informed and rational decisions.

The opportunity to manage risk, including the amount and type of risk that organizations accept to pursue or retain in order to make forward-looking choices, is a key ingredient that catalyzes the progress of the economic system.

Risk is an inseparable part of any business and affects its operations and activities, which leads organizations to implement proper risk management processes to effectively manage and treat such risks. Successful organizations are those that can identify and manage risks before those risks become destructive actualities that impair the organization’s reputation and its ability to operate. Perhaps one of the best ways to understand unexpected occurrences and the importance of properly responding to them is through the words of Arthur Rudolph, one of the scientists who developed the Saturn 5 rocket that launched the first Apollo mission to the moon:

“You want a valve that doesn’t leak and you try everything possible to develop one, but the real world provides you with a leaky valve. You have to determine how much leaking you can tolerate.”

In the past, organizations generally identified and managed risks individually, employing different insurance policies as the means of preventing IT failures, breaches, and/or legal risks. This can, at times, be insufficient and can contribute to a “silo” approach to risk management, leading to a lack of coordination and potentially reducing the organization’s ability to identify strategic and reputational risks.

Establishing a risk management process and structure based on ISO 31000 can help organizations close operational gaps arising from risks by creating a holistic, organization-wide approach to risk management. This approach facilitates communication and provides the fundamental steps for designing and implementing a risk management framework and for continually improving that framework by following the ISO 31000 guidelines.

A brief history of risk management

Mankind didn’t always perceive and understand the concept of “risk”, nor did it manage risk in the way we do today. The figure below presents some of the major milestones that led to our understanding of the concept of risk, the development of risk management methodologies, and the way we perceive and treat risks nowadays.
