
Risk Management

Predict, Survive, Grow - ISOUpdate.com

ISO 31000 is the International Organization for Standardization's standard on risk management, first published in 2009 and revised in 2018. It is the international codification of the principles and guidelines of risk management, and it emerged from the need for one international standard applicable to all industries and to organizations of all sizes. In other words, because organizations in different industries were implementing a number of different risk management standards, experts deemed it necessary for a new family of standards to unify those concepts in a single standard providing guidelines and strategies for implementing risk management. Later on, we will look at how ISO 31000 and ISO 22301 can be intertwined, and how ISO 31000 can deepen risk management control in an organization that has already implemented ISO 22301, the business continuity management system standard.

Uncertainty is an inseparable part of every business, and as such every company has to tackle the risks associated with uncertainty in every dimension of its operations. First, risks have to be identified; then they are categorized, and preventive and responsive measures for each identified risk are implemented. The nature of risk has evolved into unprecedented complexity, because the amount of data flowing in and out of companies is rapidly increasing. Unsurprisingly, then, customer contracts and insurers now require mechanisms to be in place which demonstrate that the company is identifying and tackling its risks.

ISO 31000 helps organizations protect their assets as well as increase the likelihood of achieving objectives by providing direction and risk management strategies. It is adaptable to the context of every organization and it helps mitigate risk within the organization by implementing risk-based decision-making and risk-based corporate culture. That is to say that both employees and stakeholders make decisions by always bearing in mind the risks associated with each decision, but at the same time, apart from seeing negative consequences, it helps a company also identify positive opportunities.

On the other hand, one of the best-known international standards dealing with the continuation of business operations and business security is ISO 22301. This is the standard on business continuity management, and it is widely implemented in organizations of all sizes and in all industries. Unlike ISO 31000, ISO 22301 can lead a company to certification, once it demonstrates that it has implemented the standard and its requirements.

The main goal of this standard is to offer a management system which makes sure that in case of incidents, of every nature, an organization can continue its crucial business operations – in other words, it can survive. Incidents can have a very different nature from each other, ranging from natural disasters to cyber-attacks, and ISO 22301 includes all of these kinds of incidents. It also helps a company to mitigate risk and to evaluate which risks are more imminent and more probable.

Based on these factors, and on a proper understanding of the organization and its context, a Business Continuity Plan (BCP) should be developed. This plan includes the actions and measures to be taken under different scenarios, the persons in charge of each scenario, and how to contact those persons when a scenario occurs. In other words, a BCP should be composed, but there should also be instruments to activate it: responsible managers should be appointed for every situation, and the information should be communicated clearly so that every employee knows whom to contact in each scenario.

So, among other things, risk assessment and risk management are integral parts of business continuity, and this is where ISO 31000 and ISO 22301 intersect. ISO 22301 has two important clauses which deal specifically with risk: clause 6.1 on “Actions to address risks and opportunities” and clause 8.2 on “Business impact analysis and risk assessment”.

Every business is exposed to risk, ranging from market risks, investment (or stock) risks, natural risks, cyber risks and so on. Depending on the scale of risk exposure, a company might choose to implement and get certified against ISO 22301, but at the same time have ISO 31000 as a guiding tool for risk-based thinking, risk strategies and risk-based corporate culture. It is a very good integration (but not an integrated management system, since ISO 31000 does not offer requirements but guidance) of two standards which can produce a very detailed and accurate platform, that can serve a business well in difficult times – and as history has often proved, it can help a company stay in business when faced with risks and challenges.

It is often argued that civilization started when the first humans learned to domesticate plants and were able to farm and harvest. To farm, one must at minimum be able to recognize the seasons and understand humidity and temperature. In other words, it was the ability to predict that marked the beginning of civilization and its continuation and evolution to this point. We have developed rigorous methods (e.g. the scientific method) to predict and forecast in order to survive, thrive and evolve. The same concepts apply to a business if you see it as a thinking, living organism which strives to evolve and thrive, but which also has to deal with the bad days where survival is the main objective. We can consider standards such as ISO 22301 and ISO 31000 as the scientific methods of the world of management: they help a business, as a living organism, survive those bad days while helping it reach its objectives and grow in good times.

About PECB

PECB is a certification body for persons, management systems, and products on a wide range of international standards. As a global provider of training, examination, audit, and certification services, PECB offers its expertise in multiple fields, including but not limited to Information Security, Business Continuity, Resilience and Recovery, Governance, Risk Management, and Compliance, Quality Management, IT Governance & Service Management, Health, Safety, and Sustainability.

About the Author

Julian Kuci is the Marketing Quality Assurance Manager at PECB. He is an honour graduate of RIT in Economics & Statistics and Public Policy & Governance. Julian holds a diploma in Transitional Justice from the Regional School of Transitional Justice and is certified against ISO 9001 – Quality Management and ISO/IEC 27001- Information Security Management.

Risk Management in ISO 9001 - ISOUpdate.com

Organizations today work in highly volatile market conditions and deal with a number of risks. Changing trends, new technologies, the surge of social media, environmental concerns, globalization and many other such factors have changed the way markets operate and move. Apart from these external factors, internal team structures and dynamics, and our own competencies and capabilities, play an important role in determining a company's ability to deal with changing conditions. Understanding all these factors, external and internal (referred to as “Context” in ISO 9001), and strategically planning measures to handle these situations are critical to the success of any company today.

A company's Context gives rise to many of the risks companies face today. Consider how a complaint on social media about your company can go a long way towards damaging a potential client's impression and may ruin prospects.

Your competition offering higher salaries may lead to high attrition in your own company.

Government plans to change regulations may impact the way you operate and escalate your cost.

Are you ready to deal with these situations?

Companies need to plan effective responses to these risks, because weak, unplanned or ill-timed responses can have a very dramatic effect on the future of any business.

Efficient Risk Management is important to ensure companies are ready for adverse situations and can deal with them. ISO 9001 requires a company to establish a sound approach to handling risks so that it is ready for unforeseen situations.

What is Risk as Defined in ISO 9001?

ISO 9000 defines risk as the ‘effect of uncertainty’, where an effect is a deviation from the expected result, positive or negative. ISO 9001 treats opportunities as the positive side of risk. The context of an organization may also present a number of opportunities, and these should be addressed just as adequately. For example, an advance in technology may make your current methods of operation obsolete, so you run the risk of going out of business, but it also presents an opportunity for you to venture into newer areas of business. ISO 9001 not only focuses on risks but also emphasizes capturing opportunities and enlarging them.

How to Identify Risks and Opportunities?

Based on its context and the requirements of interested parties, a company shall determine the risks and opportunities it faces. This can be done with a simple SWOT Analysis.

As per Wikipedia, SWOT analysis (or SWOT matrix) is a strategic planning technique used to help a person or organization identify strengths, weaknesses, opportunities, and threats related to business competition or project planning.

The Strengths and Weaknesses are internal (Internal Factors) to the organization.

Opportunities and Threats are external (External Factors) to the organization.

Here’s a sample SWOT analysis done by a new food joint:

[Image: SWOT analysis matrix for a new food joint, from ISO Global]

The SWOT matrix points to a number of risks and opportunities. The opportunity of business growth in the under-25 age group can easily be enhanced by introducing food items that this age group likes. This will also address the risk of lower sales which the business may face because of its weakness, “Lack of variety in food items”. ISO 9001 requires that you identify these risks and opportunities and address them appropriately and in a timely manner.

How to Address Risks?

Once risks are identified, it is very important for an organization to address them in order to reduce the probability of their occurrence and/or reduce their impact. This could be as simple as identifying actions to mitigate the risks and ensuring timely closure of those actions. However, depending on the complexity and size of the organization, a more detailed risk evaluation may be carried out. An organization may define a detailed risk methodology for handling risks. Such a methodology typically involves evaluating each risk, giving it a rating, comparing that rating against an acceptance limit, and then deciding on an adequate response to the risk.

Risk Evaluation Methodology

Several kinds of risk matrix can be used to derive risk levels. A simple method is to rate each risk on a few factors. Below are some of the factors that could be rated:

  • Risk Impact / Severity: the severity of the outcome if the risk materialises. The impact may be rated high, medium or low, or in numbers on a scale (say 1 to 10).
  • Risk Probability / Likelihood: the likelihood that the risk occurs. This may be rated high, medium or low, as a percentage likelihood of occurrence, or simply in numbers.
  • Risk Rating: calculated by simply multiplying Probability and Impact.

Risk Rating = Probability x Impact

  • Risk Acceptance Level: the organization establishes a Risk Acceptance Level, i.e. the level of risk it is prepared to accept without further action.

This risk rating may be used to establish priority in addressing identified risks and deciding on an adequate level of response to the risk.

How to control risk?

Once the risk rating and acceptance level are decided, the next step is to determine whether each identified risk falls within the acceptable limit or not. If the risk rating lies below the acceptable limit, the controls already in place are working well and the organization may not need any additional controls for that risk. If the risk is not adequately controlled (i.e. the Risk Rating is beyond the acceptable limit), new control procedures or actions need to be defined. Actions are taken on a risk to:

  1. Reduce the probability of the risk occurrence (called Mitigation) and /or
  2. Reduce the impact of the risk (called Contingency)

Wherever possible, both the above actions should be taken to control risk.

Review and Monitor Risks

Risks need to be monitored and tracked on a regular basis. Monitoring risks helps in understanding the effectiveness of the actions planned. Once the control measures are implemented, you need to check whether the risk is now within the acceptable level or not.

This requires revisiting the risk rating to find out whether the controls applied were able to reduce the risk probability or impact. This should be done at a fixed frequency and on events such as changes in process, staff, or equipment.
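The evaluation, control and review steps above, carried through end to end as an added example (this is not code from the original article or from ISO Global). It assumes 1 to 5 scales for probability and impact, an acceptance level of 6, and a constructed register built from the situations the article names; the control names, the reduction values, and the extra ransomware entry are illustrative assumptions.

```python
"""Minimal risk register: Risk Rating = Probability x Impact, an acceptance
level, prioritisation of open risks, and re-rating after controls are applied.
All scales, thresholds and register entries are assumptions for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5      # assumed rating scale for both factors
ACCEPTANCE_LEVEL = 6             # assumed: ratings above this need further action


def clamp(value: int) -> int:
    """Keep a probability or impact value on the rating scale."""
    return max(SCALE_MIN, min(SCALE_MAX, value))


@dataclass
class Control:
    """A planned action. Mitigation lowers probability; contingency lowers impact."""
    name: str
    kind: str                    # "mitigation" or "contingency"
    reduction: int               # steps removed from the rated factor
    implemented: bool = False    # only implemented controls count at review time

    def __post_init__(self) -> None:
        if self.kind not in ("mitigation", "contingency"):
            raise ValueError(f"unknown control kind: {self.kind}")


@dataclass
class Risk:
    name: str
    probability: int
    impact: int
    controls: list = field(default_factory=list)

    def inherent_rating(self) -> int:
        """Rating before any of the planned controls are in place."""
        return clamp(self.probability) * clamp(self.impact)

    def residual_factors(self) -> tuple[int, int]:
        """Probability and impact after the controls that are actually implemented."""
        p, i = self.probability, self.impact
        for c in self.controls:
            if not c.implemented:
                continue
            if c.kind == "mitigation":
                p -= c.reduction
            else:
                i -= c.reduction
        return clamp(p), clamp(i)

    def residual_rating(self) -> int:
        p, i = self.residual_factors()
        return p * i

    def acceptable(self, acceptance_level: int = ACCEPTANCE_LEVEL) -> bool:
        return self.residual_rating() <= acceptance_level


def prioritise(register: list, acceptance_level: int = ACCEPTANCE_LEVEL) -> list:
    """Risks still above the acceptance level, highest residual rating first."""
    open_risks = [r for r in register if not r.acceptable(acceptance_level)]
    return sorted(open_risks, key=lambda r: r.residual_rating(), reverse=True)


def implement_all(register: list) -> None:
    """Mark every planned control as implemented (the action-closure step)."""
    for r in register:
        for c in r.controls:
            c.implemented = True


def build_register() -> list:
    """Constructed register using the situations named in the article (assumed values)."""
    return [
        Risk("Negative complaint on social media", probability=5, impact=3, controls=[
            Control("Publish complaint-handling process", "mitigation", 1),
            Control("Monitor mentions and respond within 24h", "contingency", 1)]),
        Risk("Attrition due to competitor salaries", probability=3, impact=4, controls=[
            Control("Annual salary benchmarking", "mitigation", 1),
            Control("Cross-train critical roles", "contingency", 2)]),
        Risk("Regulatory change raises operating cost", probability=2, impact=5, controls=[
            Control("Track draft regulation", "mitigation", 1),
            Control("Qualify alternate suppliers", "contingency", 2)]),
        # Already within the limit: existing controls are adequate, no action planned.
        Risk("Ransomware on order system", probability=2, impact=2),
    ]


def review(register: list) -> list:
    """One row per risk: (name, inherent, residual, acceptable), for the review meeting."""
    return [(r.name, r.inherent_rating(), r.residual_rating(), r.acceptable())
            for r in register]


if __name__ == "__main__":
    reg = build_register()
    print("Before controls:", [r.name for r in prioritise(reg)])
    implement_all(reg)
    for row in review(reg):
        print(row)
    print("Still open after controls:", [r.name for r in prioritise(reg)])
```

Two details worth noting: only implemented controls reduce the residual rating, so a planned but unclosed action does not make a risk look acceptable, and the re-review after implementation still leaves the social media risk above the limit (rating 8), which is exactly the case the review step exists to catch.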


Every business operation of an organization involves risks and opportunities. The key to the success of any organization is to handle these risks and opportunities well in advance. This ensures fewer surprises, better planning and quicker decision making.

This, in turn, leads to higher performance and improved customer satisfaction.

Effective Risk Management is vital for the success of any organization and should be done by all levels of management and for all operations.

– Avital Koren is the Director of ISO Global