Introduction
Running a business involves risk. Risk cannot be avoided, but it can be managed. ISO 31000 provides guidelines for managing risk in an organization and identifies the areas an organization should focus on in relation to risk.
Types of Risks
Risk management is the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
ISO 31000 divides risks into three categories:
- Hazard (if the uncertain event occurs, there will be negative outcomes)
- Control (the results of the uncertainty are themselves uncertain)
- Opportunity (if the uncertain event occurs, there will be positive outcomes)
Hazard Risks
Hazards are risks leading to a negative outcome. Examples of these would be safety concerns, such as hazardous chemicals, high voltage electricity, or moving machinery. ISO 31000 addresses all forms of risk, including safety risks, financial risks, political risks, and marketing risks. As a result, phrases such as “risk tolerance” are used. While there may be zero tolerance for risk when it comes to safety, in other areas, such as financial risk, there is a certain level of tolerance – even for risks in the “hazard” category.
Control Risks
Some types of risks have uncertain outcomes; these are classified as “control risks.” Control risks are most commonly associated with project management. Typically, the project schedule, budget, and specifications are at risk due to unknown and unexpected events or conditions. Most organizations will strive to eliminate these control uncertainties.
Opportunity Risks
Opportunity risks are those risks that an organization knowingly takes on in order to get a positive result. For example, investing in new technology involves some risk; it may have greater costs in the long run, or may be quickly replaced by another development.
Enterprise Risk Management
An effective ERM program helps drive informed decision-making for better performance and greater rewards. As a critical business system, Enterprise Risk Management transforms your organization and empowers you to tackle your risk potential head-on – proactively identifying, understanding and managing your risk to position your organization for sustainable, long-term growth.
A successful enterprise risk management program will:
- Provide the foundation for all risk data across your organization
- Deliver visibility to all risk data
- Improve accountability and control
- Support compliance, new regulations and frameworks
Next steps
- Purchase a copy of ISO 31000:2018 standard.
- Consider a Gap Analysis or pre-assessment from SYSMAC www.sysmacs.com to make sure you are best placed to achieve your objectives.
- Conduct training on awareness and internal audit for relevant staff.