Organizations of all types and sizes are facing a range of risks that can affect the achievement of their objectives. These objectives can relate to a range of the organization's activities, from strategic initiatives to its operations, processes and projects, and be reflected in terms of strategic, operational, financial and reputational outcomes and impacts.
All activities of an organization involve risks. Risk management aids decision making by taking account of uncertainty and its effect on achieving objectives and assessing the need for any actions.
The ISO 31000 standard offers generic guidance for risk management. ISO 31000 sets out principles, a framework, and a process for managing all forms of risk, including safety and environmental risk, in all organizations, regardless of size. It does not mandate a one-size-fits-all approach, but emphasizes tailoring the principles and guidelines to the specific needs and structure of the organization.
The risk management process in ISO 31000 follows the well-worn lead set by the Australian and New Zealand standard AS/NZS 4360, and consists of:
- Communication and consultation
- Establishing the context
- Risk assessment consisting of the three steps of identification, analysis and evaluation
- Risk treatment
- Monitoring and review