ERMA EBA - Reading Material Module 2 - Introduction To ISO 31000

ISO 31000 is a generic risk management standard published by ISO in 2009. It defines guidelines for principles, framework and process of risk management. The document discusses key terms like risk, uncertainty, risk owner, risk management and risk management plan. It also provides examples to illustrate how risks relate to organizational objectives in different domains.
ERMA EBA
Exam-Based Assessment
READING MATERIAL SERIES
The Principles of Risk Management

Module 2
INTRODUCTION TO ISO 31000
www.erm-academy.org

This document is intended to be available only to the persons entitled to receive the confidential information and legal privileges it may contain.

The copyright of this document is owned by ERMA. Any duplication, reproduction, or modification in any form, in whole or in part, without prior written consent of ERMA is strictly prohibited.

We thank you for your understanding.


ERMA EBA
Exam-Based Assessment
READING MATERIAL SERIES
The EBA reading material series consists of the following modules:

1 - Introduction to ERM
2 - Introduction to ISO 31000
3 - Principles of Risk Management
4 - Framework of Risk Management
5 - Process of Risk Management
6 - ISO 31000 Glossary
We strongly recommend that you read the complete ERMA EBA reading material series to prepare yourself for the EBA you are participating in.
Module 2

INTRODUCTION TO
ISO 31000
A. What is ISO 31000?

ISO 31000 is a generic risk management standard. It was developed by the ISO Technical Management Board Working Group on risk management. The official name of the standard is ISO 31000:2009 Risk management - Principles and guidelines. ISO published this new standard on November 13, 2009.

ISO 31000 defines a set of guidelines. We refer to them as guidelines because they are voluntary: they are not requirements or contractual obligations, only suggestions. These risk management guidelines are discussed in the following sections:
1. Risk Management Principles
2. Risk Management Framework
3. Risk Management Process

Module 2 - Introduction to ISO 31000
THE COPYRIGHT OF THIS DOCUMENT IS OWNED BY ERMA, Enterprise Risk Management Academy
www.erm-academy.org

The following are some fair reasons why ISO 31000, being a set of guidelines, is not intended for the purpose of certification:
๏ Risk does not exist on its own; it is always related to the objectives of the organization. It is very difficult, if not impossible, to determine which approach is the best for achieving them, because every organization is unique, with its own objectives and its own circumstances.
๏ Risk is related to uncertainty, whereas certification gives assurance on specific aspects that are being certified. It is therefore impossible to certify something that is uncertain or that is itself about uncertainty.
๏ Risk management is an integral part of the organization's business processes, so it makes no sense to certify only a part of those processes and expect a result that applies to the whole organization. Likewise, it makes no sense to certify all of the organization's business processes just to obtain an ISO 31000 certification.
๏ Many methods and techniques are used in risk management, depending on the organization's business processes, resource availability and maturity. It is therefore very difficult to certify which one is best, as all of them are conditional on context.

ISO 31000 is supported by two complementary documents: ISO Guide 73:2009, which provides standard terms and definitions, and ISO 31010, which provides a list of risk assessment techniques together with considerations for selecting the technique that best suits the needs of the organization.

B. Some terms and definitions
While the glossary module of this series (Module 6) gives more detail on terms and definitions, we highlight some of them here as an integral part of the introduction to ISO 31000. They are as follows:
1. Risk and uncertainty.
2. Risk owner.
3. Risk management.
4. Risk management plan.
5. Control.

1. Risk and uncertainty

Risk is the "effect of uncertainty on objectives", where an effect is a deviation from what is expected, and that deviation may be positive or negative. So risk is the chance of a positive or negative deviation from the objective you expect to achieve.

ISO 31000 recognizes that organizations operate in an uncertain world. Whenever you try to achieve an objective, there is always a chance that things will not go according to plan and that you will not achieve what you expect. Every step you take to achieve an objective involves uncertainty, and so every step has an element of risk that needs to be managed. According to ISO 31000, you can reduce your uncertainty and manage your risk by using a systematic approach to risk management.


The table below illustrates how several types of risk are linked to the organization's objectives of the corresponding type:

Type of risk: Business risk
  Description: effect of uncertainty on the organization's business objectives.
  Objectives: increased profitability, bigger market share, higher competitiveness, maintained reputation, more repeat orders, increased share price of the company.

Type of risk: Investment risk
  Description: effect of uncertainty on the organization's investment objectives.
  Objectives: higher return on investment (ROI), higher internal rate of return (IRR), shorter payback period.

Type of risk: Quality risk
  Description: effect of uncertainty on the organization's quality objectives.
  Objectives: zero defects, better six sigma score, higher customer satisfaction index, acceptable pass-through rate, lower cost of quality.

Type of risk: Operational risk
  Description: effect of uncertainty on the organization's operational objectives.
  Objectives: effective recruitment of the best talent, effective internal control, effective strategy deployment process, smooth succession plan, zero accidents.

Type of risk: Technology risk
  Description: effect of uncertainty on the organization's technology objectives.
  Objectives: high software reliability, high process stability, high process automation productivity, low-energy processes.

Type of risk: Financial risk
  Description: effect of uncertainty on the organization's financial objectives.
  Objectives: high liquidity, no exchange rate exposure, zero defaults, low A/R overdue, low interest rate risk.

Uncertainty is a state that involves a deficiency of information and leads to inadequate or incomplete knowledge or understanding.

In the context of risk management, uncertainty exists whenever your knowledge or understanding of an event, its consequence, or its likelihood is inadequate or incomplete.


So you can reduce your uncertainty by getting better information and improving your knowledge and understanding.

Consequence is the outcome of an event affecting objectives.

Risk is often expressed in terms of a combination of the consequences of an event (including changes of circumstances) and the associated likelihood of occurrence. The original document illustrates how these link to each other in a figure (not reproduced).

2. Risk owner

Risk owner is the "person or entity with the accountability and authority to manage a risk". Implementing risk management in an organization requires clarity about who is accountable and authorized to manage each risk. This follows the risk breakdown structure, which the original document illustrates in a figure (not reproduced).


3. Risk management
Risk management is "coordinated activities to direct and control an organization with regard to risk". ISO 31000 risk management consists of three components (principles, framework and process), which the original document illustrates in a figure (not reproduced).

These three components are integrated into what is called the "risk management architecture" or "ISO 31000 risk management architecture".

4. Risk management plan

Risk management plan is the "scheme within the risk management framework specifying the approach, the management components and resources to be applied to the management of risk".

Management components typically include, but are not limited to, procedures, practices, assignment of responsibilities, and activities (including their sequence and timing).

A risk management plan can be applied to a particular product, process or project, and to a part or the whole of the organization. Some examples of risk management plans:
๏ Risk management manual.
๏ Risk management standard operating procedures.
๏ Risk management implementation plan.
๏ Et cetera.


5. Control
Control is a "measure that is modifying risk". Controls include any process, policy, device, practice, or other action that modifies risk. However, controls may not always exert the intended or assumed modifying effect. Some examples of controls:

๏ The ISO 9000 quality management series is a control that modifies quality risks.
๏ A feasibility study is a control that reduces investment risks.
๏ A corporate code of conduct is a control that reduces integrity risks.
๏ A whistleblower mechanism is a control that reduces fraud risks.
๏ Et cetera.

C. The scope of ISO 31000
ISO 31000 is an international risk management standard.

It can be used by any organization no matter what size it is or what it does. It can
be used by both public and private organizations and by groups, associations, and
enterprises of all kinds. It is not specific to any sector or industry and can be applied
to any type of risk.

ISO 31000 can be applied to the achievement of any and all types of objectives at
all levels and areas within an organization. It can be used at a strategic or
organizational level to help make decisions and can be applied to all types of
activities. It can be used to help manage processes, operations, functions, projects,
programs, products, services, and assets.

However, exactly how you apply ISO 31000 is up to you and will depend on your
organization’s needs, objectives, and challenges, and should reflect what it does
and how it operates.

D. Who should use ISO 31000?
ISO 31000 can be used by a wide range of stakeholders, including people who
need to:
๏ Establish a risk management policy.
๏ Ensure that risk is managed properly.
๏ Manage and control risk within an organization.
๏ Evaluate risk management practices and processes.
๏ Explain how risk should be managed and controlled.
๏ Develop risk management procedures and guides.
๏ Prepare related standards and codes of practice.

E. Why use ISO 31000?
When properly implemented and applied, ISO 31000 will help you to:
๏ Increase the likelihood that objectives will be achieved.
๏ Improve your ability to identify threats and opportunities.
๏ Establish a sound basis for planning and decision making.
๏ Help you allocate and use risk treatment resources.
๏ Improve the overall resilience of your organization.
๏ Improve operational efficiency and effectiveness.
๏ Encourage personnel to identify and treat risk.
๏ Help minimize your organization’s losses.
๏ Improve your risk management controls.
๏ Comply with legal and regulatory requirements.
๏ Enhance your approach to environmental protection.
๏ Improve the effectiveness of your governance activities.
๏ Enhance your organization’s health and safety performance.
๏ Improve loss prevention and incident management activities.
๏ Encourage and support continuous organizational learning.
๏ Improve the trust and confidence of your stakeholders.
๏ Enhance both mandatory and voluntary reporting.
๏ Comply with international norms and standards.

F. Overview of ISO 31000
The diagram in the original document (not reproduced) shows how the three main sections are interrelated and how each of them is, in turn, organized. The standard starts by listing a set of risk management principles.

Use these principles to guide the establishment of your risk management framework. Then use the framework to guide the establishment of your risk management process.

Together these three sections make up what ISO 31000 calls a risk management architecture, sometimes written as "ISO 31000 Risk Management Architecture".


Preview of risk management principles

The first part of the ISO 31000 risk management architecture (Clause 3 of the ISO 31000 document) discusses eleven risk management principles. These principles provide a pragmatic conceptual foundation for the rest of the standard and emphasize the human aspect, especially in developing a new risk paradigm, which is critical in building an appropriate organizational risk culture and a change management environment conducive to it. The standard says that your approach should address the human and cultural factors that influence the achievement of your organization's objectives.

It says further that your approach to risk management should be an integral part of your organization's processes (especially its decision-making process), should be tailored to its environment, should create and protect value, and should support and encourage continual improvement. It also says that your approach should not only be structured, systematic and iterative, but also dynamic, responsive and inclusive. In addition, your approach should explicitly address the many uncertainties that threaten your organization's success.

In general, these risk management principles should influence how you design and implement your organization's risk management framework and process.

Preview of risk management framework

The second part of the ISO 31000 risk management architecture (Clause 4 of the ISO 31000 document) discusses ISO's risk management framework. It starts by asking you to make risk management part of your organization's general management system and to use this framework to support your risk management process. It then asks you to commit to risk management by establishing a risk management policy, formulating risk management objectives, and assigning risk management responsibilities.


This part is an iterative (cyclical) process. It starts by asking you to make a commitment to risk management. It then asks you to design, implement, monitor and improve your risk management framework, in that order. Repeat this cycle whenever you need to change your risk management policy, modify your risk management objectives, or improve your framework. In short, this iterative process asks you to apply the basic management cycle of PDCA (Plan-Do-Check-Act).

Preview of risk management process

The third part of the ISO 31000 risk management architecture (Clause 5 of the ISO 31000 document) explains how to apply a risk management process. It starts by asking you to make risk management an integral part of your organization's management approach. It then emphasizes the need to communicate and consult with both external and internal stakeholders and to continuously monitor and review your organization's risk management process.

The risk management process itself starts by establishing your organization's unique context. Once you understand both your external and internal context, you are ready to carry out your risk assessment, which involves identifying, analyzing and evaluating risks. Once you know what your risks are, you are ready to formulate and implement risk treatment plans.

Repeat this process every time you have a risk that needs to be assessed and controlled, and document the results.
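The "consequences combined with likelihood" expression of risk from section B, the risk owner and the controls of section B (which may fail to exert their assumed effect), and the identify-analyze-evaluate-treat sequence described above can be made concrete in a small risk register. The Python below is an added example and is not part of the ERMA material or of ISO 31000 itself. Everything numeric in it is an assumption made for the example: the 5x5 ordinal likelihood and consequence scales, the product of the two used as the risk level, the treat/accept thresholds that stand in for the organization's risk criteria, and the constructed risks, owners and controls in the sample register.

```python
from dataclasses import dataclass, field

# Ordinal scales. The 5x5 scale is an assumption of this example;
# ISO 31000 leaves scales and criteria to the organization.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk criteria (assumed): the thresholds the evaluation step compares against.
TREAT_THRESHOLD = 12   # at or above this level the risk must be treated
ACCEPT_THRESHOLD = 5   # below this level the risk is accepted as is


@dataclass
class Control:
    """A measure that modifies risk. A control may fail to exert its assumed effect."""
    name: str
    likelihood_reduction: int = 0    # steps down the likelihood scale
    consequence_reduction: int = 0   # steps down the consequence scale
    effective: bool = True


@dataclass
class Risk:
    rid: str
    description: str
    objective: str          # the objective the uncertainty acts on
    owner: str              # risk owner: accountable and authorized to manage it
    likelihood: str
    consequence: str
    controls: list = field(default_factory=list)


def inherent_level(risk: Risk) -> int:
    """Analysis: combine consequence and likelihood before any control."""
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]


def residual_level(risk: Risk) -> int:
    """Analysis: the same combination after only the controls that actually work."""
    lik = LIKELIHOOD[risk.likelihood]
    con = CONSEQUENCE[risk.consequence]
    for ctl in risk.controls:
        if not ctl.effective:
            continue  # an ineffective control modifies nothing
        lik = max(1, lik - ctl.likelihood_reduction)
        con = max(1, con - ctl.consequence_reduction)
    return lik * con


def evaluate(level: int) -> str:
    """Evaluation: compare the analyzed level with the (assumed) risk criteria."""
    if level >= TREAT_THRESHOLD:
        return "treat"
    if level >= ACCEPT_THRESHOLD:
        return "monitor"
    return "accept"


def assess(register: list) -> list:
    """Analyze and evaluate every identified risk; highest residual level first."""
    rows = []
    for risk in register:
        residual = residual_level(risk)
        rows.append({
            "id": risk.rid,
            "owner": risk.owner,
            "objective": risk.objective,
            "inherent": inherent_level(risk),
            "residual": residual,
            "decision": evaluate(residual),
        })
    rows.sort(key=lambda row: row["residual"], reverse=True)
    return rows


# Constructed sample register: hypothetical risks, owners and controls.
SAMPLE_REGISTER = [
    Risk("R1", "Internet-facing service runs unpatched software",
         "high software reliability", "Head of IT", "likely", "major",
         [Control("monthly patch cycle", likelihood_reduction=2)]),
    Risk("R2", "Key engineer leaves before a successor is ready",
         "smooth succession plan", "Head of Engineering", "possible", "major",
         [Control("succession plan", likelihood_reduction=2, effective=False)]),
    Risk("R3", "Large customer pays invoices late",
         "low A/R overdue", "CFO", "possible", "moderate",
         [Control("credit check before contract", likelihood_reduction=1)]),
    Risk("R4", "New project payback period exceeds plan",
         "shorter payback period", "CFO", "unlikely", "minor",
         [Control("feasibility study")]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['id']} owner={row['owner']:<20} inherent={row['inherent']:>2} "
              f"residual={row['residual']:>2} -> {row['decision']}")
```

Running it lists the register sorted by residual risk. The succession-plan control on R2 is marked ineffective, so that risk stays at its inherent level and is the one flagged for treatment, while the patch cycle brings R1 down to a level that is only monitored. In a real register the scales, the criteria and each control's actual effectiveness would come from the organization's own context, as section C says, and each row's owner is the person who is accountable for the treatment decision.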

(c) 2011 ERMA, Enterprise Risk Management Academy. All Rights Reserved.
For further information, please visit our portal at www.erm-academy.org or send an email to [email protected]