On The Frontlines: The Role of ISO 31000 in Risk Management

What are some of the key attributes of ISO 31000?

ISO 31000 defines risk as the "effect of uncertainty on objectives." By broadening the understanding of risk, ISO 31000 encourages organizations to consider both upside and downside risks. Management must strike a balance between managing the risks they take to create value and those that can cost them.

ISO 31000 also places objectives at the center of the risk management process, which ties it to corporate safety and performance management. It encourages organizations to align their risk management efforts with their strategic objectives, which ensures it is integrated into decision-making processes. Communication and consultation are also crucial attributes of ISO 31000. Effective communication ensures that relevant information is shared among stakeholders. Consultation encourages them to seek input from each other to consider different risk perspectives. This inclusive approach enhances the quality of risk management decisions and increases stakeholder engagement.

Given the multitude of elements, it is imperative that some level of risk management is adopted by every organization, regardless of size or scope. By shifting the focus to objectives and emphasizing communication and consultation, ISO 31000 promotes a more proactive and integrated approach to risk management.   

How have technological developments enhanced risks in organizations and how can internal auditors stay abreast of emerging risks?

The increasingly fast pace of technological developments presents both challenges and opportunities for organizations and the volatility, uncertainties, complexities, and ambiguities (VUCA) surrounding these developments increases risk for both organizations and society.

There are many challenges for organizations, such as keeping up with technological advancements, managing digital transformation, and ensuring data management and privacy. Organizations need to stay abreast of the latest technological developments to remain competitive, which requires continued learning and investment into research and development. Balancing this fast pace of innovation while maintaining corporate stability requires ongoing adaptation of business models.

Massive amounts of data are now being generated, which creates opportunities but also generates challenges in ensuring privacy and compliance with global data protection regulations. To stay abreast amid persistent change, internal auditors should continuously monitor technological advancements, industry trends, and their associated emerging risks.

How does the ISO 31000 model vary from ‘traditional’ risk management?

The ISO 31000 risk management guidance standard represents a modern approach to risk management. It differs from traditional risk management in several key aspects and incorporates additional elements that are crucial to consider in the VUCA landscape of the 21st century.

ISO 31000 represented a major shift in mental models regarding risk and its management. Specifically, ISO 31000 defines risk as potentially positive or negative, puts objectives at the core of everything, and promotes communication and consultation.

This modern technique opposes the traditional, often siloed approach. Traditionally, risk is the domain of experts who write reports and hand them over to decision-makers. As the focus is mainly on negative risks, organizations tend to shy away from the risk new technologies and innovation offers.

ISO 31000 states that the risk management process should be in the hands of the managers. They should be aware of the threats and opportunities that can impact objectives so they can align and make informed decisions. This consequence of the shifted mental models is, in my view, the most prominent difference between traditional risk management and the way ISO 31000 proposes it.

Peter Blokland will be presenting a session on risk management at The IIA’s International Conference on July 10.