Jeff Jones: Is ISO 31000:2018 relevant to your organisation?


    Nadine Cranenburgh


    Jeff Jones is an Associate Fellow of the Risk Management Institution of Australasia and member of the Queensland Chapter Committee of the Engineers Australia Risk Engineering Society. He’ll share his thoughts about whether ISO 31000:2018 is redundant or relevant to your organisation at a REBOK lunchtime webinar on Tuesday 22 September 2020. Register here.

    What is risk, and how does it relate to risk management?

    The 2018 update to ISO 31000 defines risk as “effect of uncertainty on objectives”. But this means different things to different people. ‘Effect’ is the first term to unpack, and that’s the deviation from the expected. This can be positive, negative or both, and result in opportunities and threats. That’s where the language starts to get debatable. Do we call risk neutral, and the upside opportunity and the downside threat? Or do we call the upside opportunity and the downside risk? The concept of using the word ‘objectives’ is also debatable; there are some other standards that don’t do that. But I support it.

    Risk is also expressed as the source of potential events and their consequence and likelihood. But unfortunately that lends itself to the predominant view of risk assessment as a qualitative risk matrix process. This is only one of many processes, and it’s beneficial, but it shouldn’t be used to the detriment of having a broader toolkit at our disposal.

    Most people see risk assessment as risk management, which it’s not. Most businesses adopt risk management frameworks that are just risk assessment processes. They don’t achieve the values defined in ISO 31000:2018 – which defines risk management as “coordinated activities to direct and control an organisation with regard to risk”. It’s not just about proactive control of risk to promote positive outcomes, but also to mitigate threats and negative outcomes.

    Can you tell us more about risk management frameworks?

    Risk management frameworks integrate risk management (not risk assessment) into all the organisation’s activities and functions. In modern organisations it should be implemented at the highest level, from the board and through the whole organisational structure including all the risk committees and governance structures. In particular, it should drive the organisation’s decision making. It’s about support from stakeholders and top management. Like any other framework, it requires design, implementation, evaluation, continuous improvement and integration. The end game of risk management is not just risk assessments, but decision making. At the top end it’s decision making, at the operational and tactical level it’s risk assessments.

    Why do organisations find it difficult to articulate the benefits of risk management?

    It’s hard for an organisation to measure the success of risk management. In fact, where risk management is most successful it goes unnoticed, because businesses thrive and achieve their business objectives. When things fail, risk management gets the blame. But many other risks could have eventuated if risk management processes weren’t in place.

    Risk management is also a compliance requirement for many industries. Therefore, it's done to tick a box and not really integrated into decision making or management systems – which is the intention of ISO 31000:2018.

    The final reason is that risk management is a relatively new field compared to core disciplines such as financial and quality management. There’s nothing forcing an organisation to put risk management systems in place, but if financial management is neglected the business will fall over.

    Do you think the ISO 31000:2018 standard is relevant in today’s increasingly complex world?

    There’s some controversy about whether the world has moved on from the standard. I think it’s a framework that can be applied to any environment; it’s just a matter of how you view and think about it. It’s called up in a lot of Acts, regulations and tendering processes. Anywhere where risk is mentioned, ISO 31000:2018 is referenced. So I think its relevance is still there.

    But it’s not a black and white standard. It has to be used in context for each organisation, and each organisation will adopt it differently. This leads to healthy differences of opinion, but not clarity for organisations looking for benchmarks to implement the standard in new risk management frameworks.

    Edited by Nadine Cranenburgh
