ISO 31000

Communication and consultation are key components of risk management. Section 6.2 states that “communication seeks to promote awareness and understanding of risk, whereas consultation involves obtaining feedback and information to support decision-making.” These elements work together to improve risk management, such as by getting groups of employees with specific expertise together to perform risk assessments such as hazard identifications (HAZIDs), job safety analyses (JSAs) and bowtie analysis, an assessment that visually maps risk pathways to easily show risk causes, consequences, and controls present. This collaboration is necessary to gather the information needed to support good decisions.

ISO 31000 recognizes the importance of an integrated approach to risk management. Historically risk management (and EHS management more generally) was viewed by organizations as an add on function, optional or a “necessary evil” outside the scope of the organization’s normal operations. In other words, leaders viewed risk management and EHS performance as “safety’s job”. A more holistic approach to risk accounts for the internal and external context of the organization, including social and economic factors, contractual relationships, stakeholder perceptions and expectations, and other key factors affecting the organization’s risk management goals.

ISO 31000 has much to say on the process of risk analysis itself. This guidance is not one-size-fits-all, since it recognizes that risk encompasses many facets such as safety, environmental, business continuity, and resilience. Risk analysis should consider factors including:

• the likelihood of events and consequences
• the severity of potential consequences
• complexity and interconnectivity of sources of risk
• effectiveness of existing risk controls
• and sensitivity and confidence levels.

From there, the organization compares the results of the risk analysis with established risk criteria to determine where additional action may be needed, such as risk treatment/control options, further risk analysis , reconsideration of risk objectives, or maintaining existing risk controls, or. If there’s a need for risk treatment, the treatment plan must explain selection of treatment options, describe proposed actions and performance measures and a timeline for completion of actions, discuss constraints affecting risk treatment, assign responsibilities of personnel who’ll approve and implement the plan, and describe the planned risk reporting and monitoring. The risk treatment plan should consider whether risk treatment options may introduce new risks that management will need to assess and control.

Like other ISO standards, 31000:2018 emphasizes continual improvement, which refers to the need for organizations to evaluate their performance and review how effectively their risk framework is integrated into its operations, and seek opportunities to strengthen their management system. Company leadership should clearly define responsibilities for monitoring and review and “continually monitor and adapt the risk management framework to address external and internal changes.” This approach aligns with the Plan-Do-Check-Act (PDCA) cycle stressed in many ISO standards.

Continual improvement depends on good practices of recording information related to operational risk management systems performance and communicating risk management activities and outcomes across the organization. Robust internal reporting, including reporting on the status and effectiveness of the most important risk controls, helps provide information for decision-making, improves risk management activities, and increases engagement with stakeholders, including those with responsibility and accountability for risk management.