ISO 31000: The Framework for Risk Management

The VelocityEHS Operational Risk Solution can help you manage risk more effectively at your organization to align with ISO 31000.

What is ISO 31000?

Base Your Risk Management on Globally Recognized Best Practices

The success of any company depends on its ability to identify and control risks, including risks to employee safety, the environment, the community, business continuity, and its reputation.

ISO 31000:2018, the most recent version of a standard originally published by the International Organization for Standardization (ISO) in 2009, is a valuable resource for organizations looking to integrate risk awareness and control into everything they do. ISO 31000’s clear, expert guidelines can be used by anyone who creates and protects value in organizations by managing risks, making decisions, setting and achieving objectives, and improving performance. Managing risk is part of governance and leadership, and is fundamental to the improvement of the organization’s management systems, resulting in a safer and more resilient business that is more attentive to the welfare of its employees and stakeholders and more likely to achieve its objectives. Companies pursuing Environmental, Social, and Governance (ESG) maturity should strongly consider implementing ISO 31000.

The ISO 31000 Process

Select elements of the ISO 31000 process are listed below.

Leadership & Commitment

Top management and oversight bodies should ensure that risk management is integrated into all organizational activities and should demonstrate leadership and commitment by establishing a risk management approach, plan, or course of action. Once the risk management approach is developed, leadership is responsible for ensuring that the necessary resources are allocated to managing risk and for assigning authority, responsibility, and accountability at appropriate levels within the organization. Leadership fosters a culture in which managing risk is iterative and assists the organization in setting strategy, achieving objectives, and making informed decisions.

Communication & Consultation

Communication and consultation are key components of risk management. Section 6.2 states that “communication seeks to promote awareness and understanding of risk, whereas consultation involves obtaining feedback and information to support decision-making.” These elements work together to improve risk management, for example by bringing together groups of employees with specific expertise to perform risk assessments such as hazard identifications (HAZIDs), job safety analyses (JSAs), and bowtie analysis, an assessment that visually maps risk pathways to show risk causes, consequences, and the controls in place. This collaboration is necessary to gather the information needed to support good decisions.

Scope & Context

ISO 31000 recognizes the importance of an integrated approach to risk management. Historically, risk management (and EHS management more generally) was viewed by organizations as an add-on function, optional or a “necessary evil” outside the scope of the organization’s normal operations. In other words, leaders viewed risk management and EHS performance as “safety’s job.” A more holistic approach to risk accounts for the internal and external context of the organization, including social and economic factors, contractual relationships, stakeholder perceptions and expectations, and other key factors affecting the organization’s risk management goals.

Risk Assessment & Treatment

ISO 31000 has much to say on the process of risk analysis itself. This guidance is not one-size-fits-all, since it recognizes that risk encompasses many facets such as safety, environmental, business continuity, and resilience. Risk analysis should consider factors including:

  • the likelihood of events and consequences
  • the severity of potential consequences
  • the complexity and interconnectivity of sources of risk
  • the effectiveness of existing risk controls
  • sensitivity and confidence levels

From there, the organization compares the results of the risk analysis with established risk criteria to determine where additional action may be needed. The options include selecting risk treatment/control options, performing further risk analysis, reconsidering risk objectives, or maintaining existing risk controls. If there is a need for risk treatment, the treatment plan must explain the selection of treatment options; describe the proposed actions, their performance measures, and a timeline for completion; discuss constraints affecting risk treatment; assign responsibilities to the personnel who will approve and implement the plan; and describe the planned risk reporting and monitoring. The risk treatment plan should also consider whether the chosen treatment options may introduce new risks that management will need to assess and control.

Monitoring & Reviewing

Like other ISO standards, ISO 31000:2018 emphasizes continual improvement: organizations should evaluate their performance, review how effectively their risk management framework is integrated into their operations, and seek opportunities to strengthen their management system. Company leadership should clearly define responsibilities for monitoring and review and “continually monitor and adapt the risk management framework to address external and internal changes.” This approach aligns with the Plan-Do-Check-Act (PDCA) cycle stressed in many ISO standards.

Recording & Reporting

Continual improvement depends on good practices for recording information about the performance of the operational risk management system and for communicating risk management activities and outcomes across the organization. Robust internal reporting, including reporting on the status and effectiveness of the most important risk controls, provides information for decision-making, improves risk management activities, and increases engagement with stakeholders, including those with responsibility and accountability for risk management.

Benefits of Following ISO 31000

Organizations using ISO 31000:2018 as guidance can improve their identification and control of risks, reducing the uncertainties that may affect their business, helping to protect their assets, and increasing value for shareholders. This improvement carries over to other aspects of their management systems, since risk identification and control are built into other ISO standards such as ISO 14001 for environmental management systems and ISO 45001 for occupational health and safety management systems.

VelocityEHS Operational Risk can help you align with ISO 31000.

We Can Help

Ready to Start Aligning with ISO 31000?

It can be difficult to implement ISO 31000 while using inefficient tools such as hard copies or desktop software applications. The VelocityEHS software platform includes broad Operational Risk capabilities that can help you engage your employees and simplify the identification and management of EHS risks. You’ll have a holistic view of risks at your organization and to your organization, in one dashboard, along with the flexibility to adapt and scale with your business.

Rapidly Scale Risk & Control Programs

Flexible risk assessment tools to fit your business, such as Job Safety Analyses (JSAs), Process Hazard Analysis (PHA), Hazard and Operability Study (HAZOP), Aspects and Impacts, and Bowtie Analysis.

Engage Workers in Managing Risk

Accelerate sharing of risk management best practices. Increase awareness of risks and mitigation activities.

Easily Verify Critical Controls

Check the effectiveness and status of risk controls. Monitor risks in real time, from anywhere. Schedule audits and risk reviews.

Ensure Compliance & Enhance Operational Efficiency

Maintain compliance with regulations like Workplace Health and Safety (WHS), Control of Major Accident Hazards (COMAH), Process Safety Management (PSM), and international standards like ISO 45001.

Protect your people, your assets, and your reputation with VelocityEHS

Our Operational Risk Solution Supports ISO 31000.

The VelocityEHS software platform includes broad Operational Risk capabilities that can help you engage your employees and simplify the identification and management of EHS risks:

  • Management of Change
  • Hazard Studies
  • Master Bowties
  • Risk Analysis
  • Critical Control Verification
  • Master Controls
  • Performance Standards
  • Auto-Calculation Risk Ratings

Partner with the most trusted name in the industry

Stress less and achieve more with VelocityEHS at your side. Our products and services are among the most recognized by industry associations and professionals for overall excellence and ease of use.

Learn how VelocityEHS can help your organization align with ISO 31000.

Our case studies show that companies using our Operational Risk solution have reported a reduced injury rate, increased efficiency, and a stronger safety culture. Schedule your demo today!