Risk Management in ISO standards

Risk Management in ISO standards

The issue of risk in management systems appeared in the ISO standards in 1996, with the publication of ISO 13335-1. It was developed by ISO 13335-3 in 1998. Those standards were developed in context of information security. Their approach was adopted by standard for information security management systems (ISO 27001:2005). Risk management in those standards comprised of following steps [ISO/IEC TR 13335-3, 1998, p. 17]:

  • assets identification,
  • assessment of assets value,
  • identification of threats,
  • identification of vulnerabilities,
  • identification of existing protections,
  • risk level estimation,
  • evaluation of the options for treatment of risk,
  • selecting controls for the treatment.

That procedure was overly complicated and too inflexible to be used on regular basis. Identification of assets and their value, as well as threats and vulnerabilities didn’t add much value to the whole process of risk management.

In 2009 an alternative emerged – ISO 31000 Risk management – principles and guidelines. That standard presented new, less bureaucratic approach, closer to project risk management and operational risk management methodologies.

According to principles introduced by ISO 31000, risk management should be integral part of all organizational processes. It should be systematic approach to address risks that are related to organization or its environment. It should include all important aspects of company operation (people, capabilities, culture, etc.). Properly implemented, risk management should facilitate continual improvement of the organization.

Risk management framework, which is constructed according to PDCA cycle, includes:

  1. understanding the organization and its context, integration into processes, establishing communication and reporting mechanisms,
  2. implementing the framework for managing risk, including risk management process,
  3. monitoring and review of the framework,
  4. continual improvement of the framework.

The process is the most visible tool of risk management methodology presented in ISO 31000. It comprises of three key elements: establishing the context, risk assessment (identification, analysis, evaluation) and treatment. Monitoring and communication are complementary elements. The standard suggests implementation of the process in such a way that is would be possible to call it from any other process, similarly to corrective or preventive actions. It means that the process should be kept simple, flexible, decentralized and quick to use. Otherwise it will add much work to managers and will create unnecessary bureaucracy.

Organization which implements quality management system according to ISO 9001 is not required to implement risk management consistent with ISO 31000, however it is the most rational solution, as all management systems standards will refer to ISO 31000 methodology in future.

ISO 9001 requires organization to consider specificity of the organization and its context as well as needs and expectations of interested parties during planning quality management system. It should determine risks and opportunities and address them to:

  • assure achievement of desired results,
  • prevent undesired effects,
  • achieve continual improvement.

Moreover, organization should plan actions necessary to address these risks and opportunities, integrate those actions into its QMS processes and evaluate their effectiveness. All actions should be proportionate to potential impact on the conformity of products and services [ISO 9001, 2015, p. 25].

Risk management in ISO 9001 is better integrated with quality management system than former preventive actions. It exists on all levels of the organization. However the standard doesn’t supply any methodology, which can be confusing for companies implementing it. Only after reading ISO 31000 it becomes clear how the risk management should look like to be compatible with QMS.

The apparent shortcoming of the ISO 9001 requirements is lack of economics of quality. The problem was already raised after 2000 version. Ignoring economic side of company management leads to distortion of quality management system idea. In practice the high quality cannot be reached without economic calculation. Meanwhile, ISO 9001 requirements concerning monitoring of QMS (including risk management) refer to effectiveness, instead of efficiency.

Recommended external sources: