Section 4 of ISO31000 opens with the simple statement that "The success of risk management will depend on the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout the organization at all levels." The standard devotes about 5 pages to what a framework requires and sums it up in Figure 1 below.
|Figure 1: Relationship between the components of the framework for managing risk (ISO31000)|
We'll go even further and say that the risk management framework is the heart of organizational risk management. It might be tempting to overlook this portion of ISO31000, or to downplay its significance and jump straight to Section 5: Process, but that would be a mistake. No matter how much you and your organization know about risk, no matter how excellent your latest risk assessment is, and despite an outstanding risk treatment plan, unless an organization has a well-structured and appropriate risk management framework it will not have a sustainable risk management system.
Of all the elements of ISO31000, building the risk management framework deserves primacy, for this is where policy, mandate, organizational commitment and structure set the scene for the ongoing successful application of risk management. And it isn't a one-time event. Like most of risk management, it is an iterative, adaptive process, and as you can see from Figure 1, the authors of ISO31000 clearly intended it to be a cyclical process.
At the very least a framework should provide you with guidance regarding how your organization manages risk and, in particular, should provide:
• A centralized and comprehensive source of risk policy, procedures and information.
• A consistent taxonomy for classification and prioritization of risk.
• Automated (or at least consistent) workflow for risk management.
• Auditable paper trail of records, decisions made and changes.
- Organizational objectives, vision and mission (i.e. the reason for the organization's existence).
- A risk assessment based on those objectives.
- A risk treatment plan to support achievement of the objectives (which might also be known as a Strategic Plan, Operational Plan, etc.).
- Policies and Management Standards – set the high-level expectations and guide decision making.
- Procedures and Guidelines – provide the step-by-step process flows to implement the policies, as well as some general guidance about how to interpret high-level policy or standards.
- Work Instructions – provide task-specific, detailed instructions for each step in the process flow.
- Forms, Templates & Tools – are the specific tools and documentation that people will use to identify, assess and document risks.
- Training Needs Analysis – involves identifying what people need to know in order to implement the 'Systems' previously developed.
- Training & Implementation – involves delivering the training that your people will need so that they can begin to correctly implement the various elements that support organizational objectives.
- Reporting, Monitoring & Review – are the final elements that close the feedback loop, assess how effective the framework is and provide appropriate feedback for continuous improvement.
|Figure 2: Illustrative Example of a Risk Management Framework|