Risk Management – Article 1
Risk Management Principles
Keshav Ram Singhal
Every organization, whether it is small, medium or large, private or public, manufacturing or service, faces various factors and influences that may be internal and external. Internal and external factors and influences in an organization lead to uncertainty with regard to achievement of organization’s objectives. The effect of uncertainty on the organization’s objectives is termed as risk. Thus risk is an effect of uncertainty on objectives. An effect is a deviation from the expected. The effect may be positive and/or negative. To manage risk, an organization needs to carry out coordinated activities. Risk management is a process that is underpinned by a set of principles. Also it needs to be supported by a structure that should be appropriate to the organization, its environment and context. International Organization for Standardization (ISO) in 2009 has published an International Standard ISO 31000 that describes Risk management – Principles and guidelines. ISO 31000:2009 standard targets the quality of an organization’s management and suggests risk management frameworks, processes and activities that should be followed to help organizations better meet their goals and objectives.
Clause 3 of ISO 31000:2009 describes eleven risk management principles that an organization should comply at all levels for effective risk management and these are:
1. Risk management creates and protects value
2. Risk management is an integral part of all organizational processes
3. Risk management is part of decision making
4. Risk management explicitly addresses uncertainty
5. Risk management is systematic, structured and timely
6. Risk management is based on the best available information
7. Risk management is tailored
8. Risk management takes human and cultural factors into account
9. Risk management is transparent and inclusive
10. Risk management is dynamic, iterative and responsive to change.
11. Risk management facilitates continual improvement of the organization
Creating and protecting value
Risk management creates and protects value. It contributes to achievement of organization’s objectives and improvement of performance within the organization. Organization’s objectives and performance may relate:
- Human health and safety
- Statutory and regulatory compliances
- Public acceptance
- Environmental protection
- Product quality
- Project management
- Operational efficiency
- Good governance and reputation
The goal of risk management is to increase the likelihood that the organization will achieve its objectives by managing risks to be within the stakeholders’ appetite for risk. Risk management done correctly not only protects but creates value for achievement of objectives and improvement of performance.
Organizational processes and risk management
Risk management is an integral part of all organizational processes. It should include strategic planning, all projects and change management processes. It is not a stand-alone activity. It is not separated from the main activities and processes of the organization. It is part of the organization’s management responsibility.
Risk management and decision making
Risk management is part of decision making. Risk management helps management to take decisions. It helps in identifying informed choices, prioritize action and differentiate among alternative actions.
Risk management and uncertainty
Risk management clearly and in detail describes uncertainty (state of being uncertain – what may happen in future) and its nature.
Risk management approach
Risk management is a systematic, timely and structured approach. It contributes to efficiency and timely action that lead to consistent, comparable and reliable results.
Risk management and information
Risk management is based on the best available information. Information is the input to the risk management and such information is sourced from various information sources that may be from:
- Historical data
- Stakeholder feedback
- Judgement from an expert
Decision makers in risk management should be careful and take into account any limitations of the data used, modeling used or possibility of divergence among experts.
Tailoring risk management
Risk management is tailored aligning with internal and external context and risk profile of the organization.
Human and cultural factors in risk management
Risk management takes human and cultural factor into account. It recognizes human capabilities, perceptions and intentions.
Transparency in risk management
Risk management is transparent and inclusive. Risk management requires appropriate and timely involvement of stakeholders including decision makers at all levels of the organization ensuring risk management relevant and up-to-date. To determine risk criteria, involvement of stakeholder include properly representing them and taking their views taken into account.
Risk management responsive to change
Risk management is dynamic, iterative and responsive to change. It continually senses and responds to change. New risks emerge and/or some risks change and/or other risks disappear with occurring of external/internal events, change of context and knowledge, monitoring and review of risks.
Risk management leads improvement
Risk management facilitates continual improvement of the organization. An organization can improve its risk management maturity and other aspects by developing and implementing strategies. Continual improvement in risk management is emphasized and it can be achieved by:
- Setting of organizational goals
- Measurement, review and change (modification) of processes, systems, resources, capabilities and skills.
Risk management principles are helpful in managing effective risk management in an organization and guidelines mentioned in ISO 31000:2009 standard are developed on the basis of risk management principles.
ISO 31000:2009 standard is available from International Organization for Standardization (ISO). Please visit ISO website iso.org.