#93 – IS ISO 31000 AN ERM GUIDELINE? – GREG HUTCHINS

Maybe.  But not ERM as Enterprise Risk Management; rather, ERM as ‘Enhanced Risk Management.’  So, what is ERM in ISO 31000?

ISO 31000 Annex A (an informative annex in the 2009 edition of the standard) describes the ‘Attributes of Enhanced Risk Management,’ which is the ERM equivalent for ISO 31000.

The Annex states that an organization should design and deploy a risk management framework that is appropriate to the organization.  Think context.  The following attributes of ISO 31000 Enhanced Risk Management reflect a high level of risk management capability and maturity:

  • The organization has a current, correct, and comprehensive understanding of its risks.
  • Organizational risks are within its risk appetite and tolerance.
  • The organization focuses on continual improvement of risk management controls appropriate to its risk appetite and tolerance.
  • Explicit risk management performance goals are developed and measured.
  • Risk management performance is part of the organization’s performance assessment.
  • Enhanced performance includes enterprise-wide, fully defined accountability for risks, controls, and risk treatment (risk management).
  • Each person within the organization is aware of the risks, controls, and tasks for which they are accountable.
  • Each person accountable for risk has appropriate training, authority, time, and resources to fulfill his or her accountabilities.
  • Decision making in all key processes involves explicit consideration of risk.
  • Risk management is the basis for effective organizational governance.
  • Risk management performance is communicated to critical external and internal stakeholders.
  • Risk-informed decisions are made about the level of risk and the appropriate level of risk treatment and management.
  • Comprehensive and frequent reporting of significant risks and risk management is integrated into organizational governance.
  • Risk management is central to the organization’s management system and processes, so that risks are viewed in terms of uncertainty in achieving objectives.
  • The language of management is based on the language of uncertainty and risk.

Lesson Learned:  We refer to ISO 31000 as an ‘ERM light’ framework.  So, use the above attributes of ERM light risk management as the basis for an ERM system in your organization.  It is also a good starting point in your Risk Based Thinking (RBT) journey.

Bio:

Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com)  is the founder of:

CERMAcademy.com
800Compete.com
QualityPlusEngineering.com
WorkingIt.com

He is the evangelist behind Future of Quality: Risk®.  He is currently working on the Future of Work and machine learning projects.

He is a frequent speaker and expert on Supply Chain Risk Management and cyber security.  His current books, available on all platforms, are shown below:
