ISO 31000 introduced several important, more precisely defined terms into the risk management standard. Consistent terminology helps an organization orchestrate and implement its risk management process coherently, so that it yields benefits while controlling cost and making the best use of resources.

Risk Management - Generic Terms and Definitions

  • The risk owner is defined as a “person or entity with the accountability and authority to manage a risk.” This definition helps the risk manager reinforce to management that risk ownership must sit with management and not with the risk manager.
  • Risk appetite is an area that many organizations struggle with. While risk appetite is not defined in ISO 31000 (it is defined in ISO Guide 73:2009), the Standard does define risk attitude as the organization’s “approach to assess and eventually pursue, retain, take or turn away from risk.”
  • Risk management policy is defined as a “statement of the overall intentions and direction of an organization related to risk management.”
  • The risk management plan should specify the “approach, the management components and resources to be applied to the management of risk.” ISO has published ISO Guide 73:2009, Risk management – Vocabulary, to provide further guidance on generic terms and definitions relating to risk management and to support consistency. It contains some of the definitions that were removed from ISO 31000.


Risk Management Framework

ISO 31000 highlights and illustrates the relationships between the various components of managing risk, including the risk management framework, as shown in the figure below.

Risk management framework

Mandate and Commitment

Risk management is not a one-off project activity; it is an ongoing activity requiring an ongoing commitment. To be sustainable it must be mandated by the Board (or equivalent), implemented by senior management, and supported by all levels of management and by the risk owners.


Design of Framework for Risk Management

Like any good project, process, or strategy, a risk management process must be well designed to support effective implementation. Defining the context of the risk management framework, formulating a risk management policy, embedding processes into practice, assigning resources, and determining responsibility are all key elements of designing an effective framework for managing risk. Well-designed periodic reporting to stakeholders and effective communication mechanisms further support implementation.

Implementing Risk Management

Once the framework has been designed, implementation is about putting the theory into practice and bringing the risk management framework to life. Specifically, this means ensuring that the risk management process is understood by risk owners (through good communication and training), that risk management activities actually take place (through risk assessments, risk workshops, internal controls, etc.), and that decisions and business processes factor in risk thinking.

Monitoring and Review

Monitoring and review confirm that the various risk management elements and activities are working effectively and in line with expectations. Any gaps identified must be documented and remediated.

Continual Improvement

This is about continuing to adjust and enhance key elements of the risk management framework, either to improve current processes or to progress towards a more mature risk management framework. A highly committed organization will improve both its processes and its maturity over time.

Integrated Risk Management Principles, Framework, and Processes


Risk Management Process – Explained

ISO 31000 recognizes the importance of feedback through two mechanisms: monitoring and review of performance, and communication and consultation. Monitoring and review ensure that the organization tracks risk performance and learns from experience. Communication and consultation are presented in ISO 31000 as part of the risk management process, but they may also be considered part of the supporting framework. Reporting and disclosure are mentioned only very briefly in ISO 31000 and are not included in the process diagram. Also, the monitoring and review feedback activities set out in ISO 31000 do not explicitly mention the tasks of monitoring risk performance and reviewing the risk management framework.

After considering numerous options and variants, ISO 31000:2009 largely adopted the same broad process for managing risk as AS/NZS 4360:2004. While the process is presented as a sequence of steps, in practice there is considerable iteration between the steps, and between them and the continuously applied elements of communication and consultation and of monitoring and review. Drawing a picture of this is difficult, and for this reason the diagram used in the standard was deliberately not drawn as a flow chart. Its purpose is to show the relationship between the clauses of the standard that describe the process. The standard also gives a set of general options to be considered when a risk is treated.

The options are not mutually exclusive and need not all be appropriate in every circumstance; more than one may be applied to the same risk. Importantly, the options cover risks with downside and/or upside consequences. The general options are:

  1. Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
  2. Taking or increasing the risk to pursue an opportunity
  3. Removing the risk source
  4. Changing the likelihood
  5. Changing the consequences
  6. Sharing the risk with another party or parties (including contracts and risk financing)
  7. Retaining the risk by informed decision.

Source – ISO 31000 standard

PMP® and PMI® are registered trademarks of the Project Management Institute, Inc.

About the Author

Vijay Reddy

Vijay Reddy has several years of experience in delivering and managing IT services, software development, and product and production support, and has expertise in IT strategy consulting, governance and risk management, IT security, cloud computing, and implementation.
