Blog

Significant opportunities to integrate risk management with strategic planning seem to have been lost on many organisations since the introduction of ISO 31000 (international standard on risk management).

While most commentators deemed that the replacement of ASNZ 4360:2004 would have little effect on organsiations already complying to that standard, Cambron suggests that there are significant differences between that and ISO 31000.  The new standard is not certifiable, but it will be the benchmark for charities and government funded organisations.

While the broad intent of the old and new standards is the same, there are three significant differences (and opportunities). The new standard:

1.       Provides a different definition of risk (surely that is important).

2.       Lists a set of 11 risk principles.

3.       Is much more explicit about risk being integrated into normal business processes.

These opportunities allow organisations to link risk management to business planning objectives, which clarifies the process for employees by presenting risk management as a tangible part of their business unit’s objectives and linked to the day-to-day operations of the organisation.

To make this connection, firstly consider that under ISO 31000 risk is defined as the ‘effect of uncertainty on objectives’ where:

• effect is a positive or negative deviation from the expected;
• uncertainty is the deficiency of information; and, most importantly
• objectives relate to your organisation’s own objectives be they strategic, operational, project or product.

Are you starting to see the link between business planning?

Secondly, consider the 11 new principles in ISO 31000:

a) Risk management creates and protects value.

b) Risk management is an integral part of all organisational processes.

c) Risk management is part of decision making.

d) Risk management explicitly addresses uncertainty.

e) Risk management is systematic, structured and timely.

f) Risk management is based on the best available information.

g) Risk management is tailored.

h) Risk management takes human and cultural factors into account.

i) Risk management is transparent and inclusive.

j) Risk management is dynamic, interactive responsive to change.

k) Risk management facilitates continual improvement of the organisation.

Now do a mental ‘find and replace’ on the above principles. Simply replace the words: ‘Risk management’ with ‘Planning’.

To my mind, the ‘Risk Management Principles’ double as a very comprehensive set of ‘Planning Principles’.  Because space doesn’t allow, you’ll have to trust me when I say, that if the same find and replace logic is applied to the detail supporting each of the principles in the standard, we still get the same neat and meaningful result.

Thirdly, ISO 31000 is much more explicit in stating that risk management should be embedded into normal practices and processes. The new standard still requires an organisation-wide risk management plan, however it also indicates that the risk management plan can be integrated into other organisational plans, such as a strategic plan.

Put simply - the success objectives for business planning should be reflected in risk management plans.

Clearly, resources can be much better utilised if planning and risk are managed simultaneously. Yes, you will still need to maintain a list of risks but these can be more obviously linked to your business planning objectives, again, making much more sense to employees.

A final suggestion, if you are involved in a Risk Management Committee or have direct responsibility for planning and/or risk outcomes, take the time to read ISO 31000 for yourself and make up your own mind.

The flip side to this coin is if your organisation does not properly manage planning processes it would seem unlikely that it can manage risk.

Gary Bourke