#54 – ISO GUIDELINES ON RISK MANAGEMENT – UMBERTO TUNESI

Reading ISO Guide 73 (2009) Risk Management – Vocabulary, ISO 31000 (2009) Risk Management – Principles and Guidelines and IEC / ISO 31010 (2009) Risk Management – Risk Assessment Techniques is quite an instructive exercise.

All are available from the ISO on-line store and, like any standard, they are not cheap.  Ideally they would be free of charge to anybody working in the field.  Still, with ISO’s risk based thinking coming shortly, they are worth their price: purchase them now and be prepared for risk management.

The key document is obviously ISO 31000, with ISO Guide 73 and IEC / ISO 31010 supporting it.

While ISO 31000’s structure is very similar to ISO 9001’s, ISO 31000 “is not intended for the purpose of certification” (ref. its Section 1 – Scope).

ISO Guide 73 is an instructive document, too.  It consists of three Sections: # 1 Terms relating to Risk, one definition; # 2 Terms relating to Risk Management, four definitions; and # 3 Terms relating to the Risk Management Process, 43 definitions.

Section # 3 includes some interesting definitions, such as (document references between parentheses):

  • Risk perception (3.2.1.2),
  • External context (3.3.1.1),
  • Internal context (3.3.1.2),
  • Risk identification (3.5.1),
  • Likelihood (3.6.1.1) vs. Probability (3.6.1.4),
  • Risk appetite (3.7.1.2), risk tolerance (3.7.1.3) and risk acceptance (3.7.1.6), which together imply that no organization can be risk-free and that every organization therefore has to accept a predefined level of risk.
  • Risk financing (3.8.1.4) and risk audit (3.8.2.6) complete my listing.

IEC / ISO 31010 is a technical and very, very interesting document.  It is much better than ISO 19011, its equivalent for ISO 9001 and ISO 14001 auditing.

Though it runs to 192 pages in its bilingual – English and French – edition, it is certainly a document worth studying and knowing.  Beyond the standard foreword and introduction, IEC / ISO 31010 consists of:

  • Section # 4 Risk assessment concepts,
  • Section # 5 Risk assessment process,
  • Section # 6 Selection of Risk assessment techniques,
  • Annexes A and B,
  • Numerous Figures and Tables.

IEC / ISO 31010 Section # 1 Scope states that “this standard is not intended for certification, regulatory or contractual use.”  Now, while it may be clear enough what certification and regulatory use mean, the expression “contractual use” is rather foggy.

IEC / ISO 31010 refers to ISO 31000, which is in turn referred to by ISO 9001 (2015), a contractual standard.  So where does that leave us?  IEC / ISO 31010 is a basic guideline for risk assessment.  Organizations and their customers are more and more eager to get rid of risks, so risk assessments are becoming more instrumental in all businesses.

So, how can a standard be based on a guideline?  It is exactly what has happened, and still happens, with ISO 9001, ISO 14001 and ISO 19011.  The auditors say “we’ve found this, we’ve found that”, but a guideline does not oblige top management to act on the auditors’ findings.

Even if IEC / ISO 31010 is not intended for contractual use, it should nevertheless be recommended to organizations practising risk based thinking, both for internal and for externally requested risk assessments.

IEC / ISO 31010 specific contents include:

Section # 4 Risk Assessment Concepts is quite similar to ISO 19011 in that the basics of auditing are restated once more, though what I have written above still holds true.  The effectiveness of any audit depends on the will and commitment of the auditee’s top management to implement the audit findings.

Those familiar with the automotive APQP (Advanced Product Quality Planning) will find Section # 5 Risk Assessment Process very similar to it.  It is probably the most interesting Section of IEC / ISO 31010, because its contents are the closest to the quality world.

Annex A (a comparison of the risk assessment techniques) and Annex B (the techniques themselves, each described with its strengths and limitations, a kind of SWOT analysis) represent the most operational part of this Guideline.

Figures and Tables give examples of implementation and are certainly intended by ISO to help organizations wanting or needing to implement risk avoidance or risk reduction policies.

ISO 31000

It is the soundtrack of the generic risk avoidance or risk reduction film.  While our minds are generally still too occupied with safety and security risks, ISO 31000 teaches us that risks are everywhere and at any time, and that life cannot go on without risking it.

ISO 31000 is structured in five Sections; Section # 4 Framework is certainly the most interesting one.

In addition, its Annex A, point A.3.2 Full accountability for risks, refers to both the ISO Guide 73 definitions and the IEC / ISO audit guidelines.

CONCLUSION

I’d like to say that ISO has done a good job in providing risk management guidance.

I hope to see the continual improvement they keep asking for implemented by them, too.
