Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization’s objective is “risk”.
All activities of an organization involve risk. Organizations manage risk by identifying it, analyzing it and then evaluating whether the risk should be modified by risk treatment in order to satisfy their risk criteria. Throughout this process, they communicate and consult with stakeholders and monitor and review the risk and the controls that are modifying the risk in order to ensure that no further risk treatment is required.
ISO 31000 was prepared by the ISO Technical Management Board Working Group on risk management. It sets out principles, a framework and a process for the management of risk that are applicable to any type of organization in the public or private sector. It does not mandate a “one size fits all” approach, but rather emphasizes the fact that the management of risk must be tailored to the specific needs and structure of the particular organization.
According to this International Standard, implementing and maintaining the management of risk will enable an organization to increase the likelihood of achieving its objectives, to encourage proactive management, to be aware of the need to identify and treat risk throughout the organization, to improve the identification of opportunities and threats, to improve controls, to improve stakeholder confidence and trust, to improve operational effectiveness and efficiency, to improve loss prevention and incident management, to minimize losses, and more.
This international standard is intended to meet the needs of a wide range of stakeholders, including:
- Those responsible for developing risk management policy within their organization
- Those accountable for ensuring that risk is effectively managed within the organization as a whole or within a specific area, project or activity
- Those who need to evaluate an organization’s effectiveness in managing risk
- Developers of standards, guides, procedures and codes of practice that, in whole or in part, set out how risk is to be managed within the specific context of these documents.