We face risks all the time but we have learned to manage them by making smart decisions, both in our personal lives and in our professional environment. The question is, are we really making the smartest decisions to fully protect our companies?

Increase your performance
We know that risks can significantly harm a company's financial prospects as well as damage its reputation. Analysing and managing risks effectively allows you to anticipate problems before they occur, saving you time and money. In an uncertain world, risk analysis can increase the performance of your organization.

Pick the right process
There are many risk management approaches, so picking the right one may be difficult. A sound choice for organising how your company meets its obligations under current legislation, sector regulations, customer and supplier contracts and internal agreements is ISO 31000. Note that ISO 31000 is guidance rather than a requirements standard: you cannot be certified against it, but you can use it to structure the risk management that other standards and regulators expect.

A generic standard
ISO 31000 is a generic international risk management standard that provides principles, a framework and a process for managing risk. Its approach can be adapted into guidelines tailored to your company, and used as a yardstick to assess the risk management methods you already have. The standard also provides a foundation for implementing other ISO risk management standards and guidelines.

ISO 31000 is sector-neutral by design: it applies to banking, industry, the public sector and any other field, no matter what kind of organization you run, what type of services you sell or where you are located.

Easy enough
ISO 31000 was published in 2009 (and has since been revised, in 2018) and remains the international reference for risk management. It is a short document, and its terminology is defined in a companion vocabulary, ISO Guide 73, so that everyone in the organization uses the same words for the same concepts. A further companion standard, ISO/IEC 31010, describes risk assessment techniques and how to apply them, allowing your company to protect and increase its value in a systematic, structured and continuous way.

ISO 27005 or ISO 31000?
An alternative standard is ISO/IEC 27005, which provides guidelines for managing risks to an organization's information security and supports the risk assessment and treatment that ISO/IEC 27001 requires of an information security management system. ISO 27005 and ISO 31000 are aligned in structure and methodology; the difference is scope. ISO 31000 is more general and can be applied to any area of risk management in an organization, whereas ISO 27005 is the natural choice when the risks you are managing are specifically those to information security.

ISO 31000 or COSO?
ISO 31000 defines risk as the “effect of uncertainty on objectives”, so it takes into account that uncertainty can have positive effects on objectives as well as negative ones. COSO has also developed guidance for enterprise risk management, but its definition centres on events and their possibility of occurring, rather than on the consequences of uncertainty for the organization's objectives. Comparing ISO 31000 with COSO's guidance shows that ISO 31000 offers a range of benefits because …

  • It is more practical
  • It provides more details
  • It explicitly defines the terms it uses
  • It is more clearly written and easier to understand for CXOs and risk professionals alike
  • It contains information that can be adapted to develop guidelines to assess existing risk management methodologies
  • It provides a foundation for implementing other ISO risk management standards and guidelines

… and because it is built on the standard's own eleven principles, which state that risk management:

  • Creates and protects value
  • Is an integral part of all organizational processes
  • Is part of decision making
  • Explicitly addresses uncertainty
  • Is systematic, structured and timely
  • Is based on the best available information
  • Is tailored to your needs
  • Takes human and cultural factors into account
  • Is transparent and inclusive
  • Is dynamic, iterative and responsive to change
  • Facilitates continual improvement of the organization.

We suggest that you use risk management as a tool for developing action plans and programmes to support your business needs.

More on ISO 31000: http://www.iso.org/iso/home/standards/iso31000.htm


Philippe Wanson – Senior Consultant – Information Security, Risk Management & Audit