Value Creation and Protection is at the core of this section of ISO 31000 and gives it relevance to any business. Without ‘Protection’ an organization is a risk of being caught unaware of possible problems – internal or external (4.1) and meet an untimely demise!
- Integrated – make risk management part of the culture – you’ll see a requirement in clause 5.1.1 c) for Management to make sure that the requirements of the Standard are integrated into the business processes. This ties in perfectly with this Principle
- Structured and Comprehensive – Much better to have a ‘Framework’ on which to build a Risk Management plan than simply wander around looking for risky situations. The next post will have more details on the ISO 31000 ‘Framework’.
- Customized – Each organization is so unique that a ‘cookie-cutter’ approach is dangerous. Even multiple sites within the same organization will have a different set of risks based on its Context (4.1), Interested Parties (4.2), People (7.1.2, 7.2), Infrastructure (7.1.3), Work Environment (7.1.4), Communication (7.3) and Awareness (7.4) to name just a few variables.
- Inclusive – include all aspects of the ‘end-to-end’ workflow and all of the people related to the flow (4.4.1 a & b).
- Dynamic – risk and opportunities are always changing and you will benefit from assessing how well you’re managing all aspects related to your organization (Performance Measurement 9.1.3 e] and Management Review 9.3.2 e)
- Best available information – don’t become a victim of ‘paralysis from analysis. You may never have 100% of the information you’d like to have before you have to make a decision (8.2.3 – review of customer requirements, 9.1.3 – Performance Evaluation, measurement and analysis)
- Human and culture factors – a system won’t reduce risk, but people will. This links to 4.1 Context, 7.1.2 People, 7.1.4 Work environment, and most of 5 – Leadership.
- Continual Improvement – to reduce surprises: 9.2 Internal Audits, 10.2 Corrective Action, 10.3 Improvement
That’s the ‘Principles’ section from ISO 31000. There will be more detail about ‘Framework’ and ‘Process’ in the next 2 posts. These ideas will help you get started on your risk management journey, but be sure to get a copy of ISO 31000 if you want more guidance for your activities. All of your efforts will pay you a surprising return on your investment!
Know Quality, Know Profits…No Quality, No Profits
If you’d like to see how we’ve designed our platform to help manage risk, schedule a demo and we’ll see if it can make your ‘ISO life’ simpler and safer!