ISO 31000: Streamlining Enterprise Risk Management (ERM) Systems to Achieve Corporate Goals

All enterprises face their share of risks and there is a need to set up sturdy risk management processes. ISO 31000 focuses on the effect of uncertainties on a company’s outlined objectives and considers both the positive and negative consequences associated with the uncertainties.

The new ISO 31000 Risk Management standard provides a universally recognized paradigm for risk professionals to clearly define terminologies, establish formal processes, understand the context of their efforts, and evaluate opportunities vested in taking risks. These enhancements augment demand within companies to incorporate the ISO 31000 guidelines on risk management.

This 24-page document lays down sets of principles, a framework, and a process for the management of all forms of risk, including safety and environment, in all organizations, regardless of size. It does not mandate a one-size-fits-all approach, but tailors the principles to suit the specific needs and structure of every organization.

The principles spell out an array of functions and pre-requisites before embarking upon a risk management platform. A risk management procedure is deemed worthless if it does not hold the promise of creating value, if it is not an integral part of the organizational process and if it is not responsive to immediate change.

The framework constitutes an ongoing cycle seeking continual improvement after a thorough review preceded by testing out the implications of the risk. An overwhelming feature of this framework is that it inscrutably points towards the mandate and commitment of the organization’s board and top management to the implementation, review and continual improvement of how risk is managed. The ultimate goal is to ensure that the risk is fully focused on the achievement of set objectives.

The stipulated process dictates an elaborate sequence of steps. Starting with communication and establishment of the context for standard risk management, it flows to an intense level of risk assessment wherein risk scores are assigned to each predicted risk. Post a diagnosis to the risk invasion, the process is monitored and reviewed for further enhancement.

Steady alignment between ISO 31000 and AS/NZ risk management standards results in organizational resilience, proactive management, heightened stakeholder confidence and trust and reliable decision making. The AS/NZS 4360:2004 standard is crucial and comprehensive as it adopts a systematic application of management policies, procedures and practices to the tasks of identifying, evaluating, treating, monitoring and reviewing risks.

Through the expansion and development of the framework, mitigation of risks is thoroughly enhanced. Its firm integration with BCP (Business Continuity Planning) is a noteworthy benefit for several industries seeking to combat the consequences of realized residual risks and carry on with successful business proceedings. Implementation of AS/NZ organizational objectives coupled with ISO 3100 guidelines can deliver more certainty in today's world of heightened corporate risks.

MetricStream's ERM approach is clearly well aligned with the guidelines of ISO 31000. Widely embedded within the strategy that risk needs to be identified and driven from the front line operation level, where risks are uncovered and reported up within the context of our company's overall risk appetite and tolerance.

“We intend to use ISO 31000 as the guide to implementing risk management systems. By carefully plotting out the process, we take on the existing approaches using a gap analysis followed by maturity evaluation. Not only will this address the immediate steps to be taken but it will also deal with how effective risk management can be sustained over time. ISO 31000 holds the potential to quickly receive universal acceptance” said Gaurav Kapoor - Chief Financial Officer and General Manager, MetricStream Inc.

Prime attention must be given to the effects of individual risks. It is essential to adopt a new paradigm for risk and risk management, conduct a gap analysis to ascertain whether the framework possesses all the necessary elements, monitor the entire framework and evaluate their risk management maturity in order to assess and identify the improvements or changes required.

One cannot deny the fact that stakeholders often bear the brunt of such risks. Hence, in order to salvage the organization's reputation and to salvage the hazards borne by stakeholders, reliable accountability at the operations level is mandatory. ISO 31000 does just that as it focuses on transferring accountability gaps in Enterprise Risk Management (ERM).

In the context of MetricStream's broad spectrum of diverse customers, ISO 31000 perfectly fits the bill. This approach delineates sector-specific terms and guidelines which empower performance within varying industries and organizations. For those organizations that have already invested in advancing risk management activities, ISO 31000 represents a meaningful benchmark for assessing the maturity and effectiveness of those investments.

“I see the new ISO 31000 risk management series as a very positive development in the risk management standards landscape. GRC and risk professionals have taken a closer look at the new ISO 31000 standard and have indeed established that it can be applied in their organizations to help streamline risk management on a global scale,” said Gaurav Kapoor - Chief Financial Officer and General Manager, MetricStream Inc.