When ISO 31000 Risk Management -- Principles and Guidelines on Implementation, was released in November 2009 by the International Organization for Standardization (ISO), it acknowledged risk management as a key business activity.
"Risk management" has numerous definitions. For the purposes of this article, we'll use the ISO 31000 definition, which defines risk management as "coordinated activities to direct and control an organization with regard to risk." Building on this definition, a good risk program should have a risk management framework, which ISO 31000 defines as "a set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization." Finally, a good risk management program ought to have a risk management policy, defined as "a statement of the overall intentions and direction of an organization related to risk management."
The ISO 31000 risk management standard: Table of contents
>> The ISO 31000 risk management standard and business continuity
>> Components of the standard
>> The risk management framework
>> Using ISO 31000 for your BCM program
Aside from determining if your existing risk efforts reflect the new global standard, you should also know that your BCM activity can benefit from the new standard. Benefits of using ISO 31000 include using enterprise-wide risk management processes to: 1) increase competitive advantage by adopting a globally accepted risk management standard; 2) increase awareness and understanding of the organization's risks; 3) improve the reduction, mitigation and/or elimination of those risks; 4) acknowledge that identified risks are within the organization's risk criteria and tolerance; and 5) improve client/stakeholder confidence and trust.
If you don't currently have a formal risk management program, guidance from ISO 31000 may be useful as you develop your program. And if you don't currently have a BCM program, consider using the British Standard BS-25999 Part 2:2007 for that activity.
Briefly, ISO 31000 has three elements: risk management principles, risk management process and a risk management framework. Let's examine each component.
ISO 31000 states that risk management:
- Creates and protects value
- Is an integral part of all organizational and decision-making processes
- Is systematic, structured and timely
- Is based on the best available information
- Takes human and cultural factors into account
- Is transparent and inclusive
- Is dynamic, iterative and responsible to change
- Facilitates continual improvement of the organization
Clearly, the above list of risk management principles probably appears -- in one form or another -- in most risk management programs. When reviewing your existing program or launching a new effort, be sure to factor these principles into your assessment and planning actions. They can serve as a handy checklist so you can be sure your efforts are consistent with the standard.
Next is the risk management framework, from which risk management processes can be developed. The risk management framework will be useful as you perform risk assessments as part of a BCM program. The following diagram provides an effective starting point (see "The risk management framework" below). Note that we have also described how each of these elements in the risk management process are applicable to BCM.
The risk management framework
The above framework is designed to create an environment which facilitates the development and implementation of risk management processes within an organization. These can then be leveraged in the course of performing risk assessments. You could also consider ISO 31010:2009, risk management -- risk assessment techniques for guidance on how to organize and conduct a risk assessment.
Let's examine each of the framework elements and their relationship to the BCM process.
- Mandate and commitment: Success of any risk management effort requires senior management support and approved funding. If you have a risk management activity, make sure that senior management is fully informed and supportive of your efforts. If you plan to develop a program, prepare a proposal to senior management that demonstrates the benefits of the program by showing how identifying, mitigating and reducing or eliminating risks can help ensure the organization's continued operations. This should also be performed in advance of any BCM activity.
- Design a framework for managing risk: Begin by understanding your organization, how it works, its critical activities, the internal and external risks and threats, and your firm's vulnerabilities. (This is typically part of a business impact assessment, or BIA.) Develop a policy (or review the existing policy) that establishes a risk management function; defines its scope and purpose as well as value to the organization; identifies team members and their roles and responsibilities; and delineates the function's activities, goals and accountabilities. (This should also be developed for a BCM program.) Resources needed to implement a risk management program range from locating experienced staff to funding awareness and training programs. (Again, the same is true of a BCM program.) Finally, creation of internal (e.g., senior management, department heads) and external (e.g., audit firms) reporting mechanisms is essential to ensure that the program's results are known to all key individuals and organizations.
- Implementation of risk management: In an existing risk management program, the use of ISO 31000 may be as fundamental as benchmarking the program against the standard's provisions. Identification of variances can be translated into opportunities for improvement. For new risk management programs, consider ISO 31000 as one of the development tools you can use in building a strong, standards-based effort.
- Monitoring and reviewing the framework: Well-managed organizations have processes in place to examine how well the organization is running. This can range from regular operating unit status reports to internal and/or external audits. The key message here is that risk management, like any other business function, must be regularly monitored and reviewed to ensure optimal performance. (Risk management and BCM audits are frequently used to validate performance against controls.)
- Continual improvement of the framework: For many organizations, continuous improvement has become as important as "normal" operations. The notion that business processes are static and unchanging is no longer relevant. Continuous improvement believes that nearly everything an organization does can be improved, and ought to be reviewed continuously to identify those opportunities. This is no different with risk management. (And the same is true for BCM.)
Just about any business activity involves a certain amount of risk. Acceptance of risks in concert with a structured risk management approach suggests that shrewd business leaders will want to be focused on a risk-based way to do things. This doesn't mean avoiding risks; rather it means using a process that helps identify and minimize risks, while allowing the firm to focus on its core competencies at the same time. This is where you can begin incorporating risk management activities into a BCM program. And as we have seen earlier, adherence to ISO 31000 will ensure that your BCM efforts are consistent with good risk management practice.
Many factors make up a risk-aware enterprise. Identification and recognition of risks and vulnerabilities are key activities. Risk management activities are key components of a BCM initiative. Assuming you are either reviewing your risk management program or starting a new one, the following steps can help make the transition easier. Note that each of these steps can be adapted to a BCM program.
1. Understand your business -- Make sure you know what you want to achieve by understanding your risks, threats and vulnerabilities. Most likely it will be to minimize interruptions to activities that generate sales, provide better customer service and reduce delivery times to customers. Whatever the issues, identify those business activities first, then identify the risks and threats (these can range from a hurricane or an earthquake, depending on the company's location) to continued operation of those activities, and finally figure out what needs to be done to achieve it. Typically these activities are completed by a BIA.
2. Understand your culture -- Knowing your organization, its culture and value set are key ingredients in building a successful risk management activity. Your culture typically means support for generally accepted behaviors, such as honesty, integrity and high ethical standards. Find ways to introduce a risk management culture that will, in time, come instinctively to employees -- at every level.
3. Energize your leadership -- Organizations that embrace risk management principles and policies obtain their energy, attitude and approach from the top. Executives who do not understand and therefore are not supportive of a risk management process could see their attitudes filter down to key business units. This is also true for a BCM activity.
4. Integrate risk management into core values -- Closely aligned with corporate culture are the company's core values, such as individual ownership and accountability, integrity, teamwork and collaboration, communications, and a penchant for excellence. Another core value might be to identify and minimize risks to the organization by establishing an enterprise-wide BCM function.
5. Assess and benchmark risk management -- How does your firm know it's keenly focused on identifying and managing risk? More than simply stating it has a risk focus, organizations must actively develop (or update) risk management programs that examine risks at all levels of the business. By doing this, and by leveraging established benchmarks like ISO 31000, organizations can assess their risk posture, risk appetite, and overall risk readiness. Documented efforts to analyze and address risks using recognized benchmarks can underscore the firm's intent to perform at the highest levels. The same is true when assessing a BCM program.
6. Identify enabling standards -- Support for risk management standards like ISO 31000 and NIST SP 800-30 demonstrates a commitment to building a risk-focused organization. Investing time and resources to stay current with risk management developments and improve compliance can not only help companies mitigate potential risks, but can also uncover opportunities for performance improvement and brand enhancement. Several BCM standards are available to facilitate your program.
The ISO 31000 risk management standard isn't envisioned by the ISO as a tool for risk management accreditation, which differs from its other well-known standards, such as ISO 9000 and ISO 14000, which are widely used for accreditation. By contrast, the BCM standards listed earlier in this article are all approved standards for the Department of Homeland Security's Private Sector Accreditation and Certification Program. Be sure to have a strategy that leverages relevant standards when developing risk management and BCM programs.
About this author: Paul Kirvan, CISA, CSSP, FBCI, CBCP, has more than 20 years experience in business continuity management as a consultant, author and educator. He has been directly involved with dozens of IT/telecom consulting and audit engagements ranging from governance program development, program exercising, execution and maintenance, and RFP preparation and response. Kirvan currently works as an independent business continuity consultant/auditor and is the secretary of the Business Continuity Institute USA chapter and can be reached at firstname.lastname@example.org.