MODULE 2

Part 2: ISO 31000

© 2017 UCT / GetSmarter All Rights Reserved (not authorised for commercial use)
Table of contents
1. Introduction ................................................................................................................. 3
2. ISO 31000..................................................................................................................... 3
2.1 A standardised risk framework........................................................................................ 5
2.1.1 External context........................................................................................................ 5
2.1.2 Internal context ........................................................................................................ 5
2.1.3 Accountability ........................................................................................................... 5
2.1.4 Organisational integration........................................................................................ 6
2.1.5 Resources ................................................................................................................. 6
2.1.6 Internal reporting mechanisms ................................................................................ 6
2.1.7 External reporting mechanisms................................................................................ 7
2.2 A standardised risk management process....................................................................... 7
2.2.1 Communication and consultation ............................................................................ 9
2.2.2 Establishing the context ........................................................................................... 9
2.2.3 Risk identification ................................................................................................... 11
2.2.4 Risk analysis ............................................................................................................ 11
2.2.5 Risk evaluation........................................................................................................ 12
2.2.6 Risk treatment ........................................................................................................ 13
2.2.7 Selecting the relevant risk treatment option ......................................................... 15
2.2.8 Preparing and implementing risk treatment plans ................................................ 15
2.2.9 Monitoring and review ........................................................................................... 16
3. Conclusion ................................................................................................................. 18
4. Bibliography ............................................................................................................... 18

Tel: +27 21 447 7565 | Fax: +27 21 447 8344

Website: www.getsmarter.com | Email: [email protected]
© 2017 UCT / GetSmarter All Rights Reserved (not authorised for commercial use)

Page 2 of 18
Learning outcome:

LO3: Use the ISO 31000 international standard for risk management.

1. Introduction
Risk management practices have systematically been formalised and adopted across various
industries in an attempt to standardise best practices in this field. As mentioned in Part 1,
there are several important documents that assisted in this process of formalisation and
adoption; documents that were drafted specifically to establish risk management as a
distinct and necessary part of business practices. Parts 2 and 3 will give you an overview of
these documents and explain how they impacted risk management practices internationally
and nationally. Further, attention is paid to the way in which risk management practices are
adopted and implemented by organisations in accordance with risk management best
practices.

2. ISO 31000
The International Organisation for Standardisation (ISO) is an international standard-setting
body, with delegates and representatives from various national standards organisations
across the world. It was formed in 1947 with the help of the (then newly formed) United
Nations in order to become a global standardisation institute. The function of this
organisation is to promote worldwide propriety, or conformity to the same set of standards,
with a specific focus on industrial and commercial pursuits. This is to ensure that
international standards by which individual organisations can be measured exist for all
aspects of industry. ISO standards are continuously updated to reflect changes across
industries worldwide, meaning that standard business practices are constantly developing,
thus allowing organisations to adapt to a changing world.

Tel: +27 21 447 7565 | Fax: +27 21 447 8344

Website: www.getsmarter.com | Email: [email protected]
© 2017 UCT / GetSmarter All Rights Reserved (not authorised for commercial use)

Page 3 of 18
 Figure 1: The icon of the International Organisation for Standardisation. (Source:
http://www.iso.org/iso/home.html)

In 2009, ISO 31000 was released as a set of standards related to risk management. The
purpose of ISO 31000 is to provide principles and generic guidelines on the practice of risk
management that can act as the international standard for business pursuits. This is done to
streamline the risk management process, since currently an enormous variety of risk
management standards, methodologies and procedures relating to various industries, fields,
and regions are in existence. ISO 31000 integrates all these practices, resulting in an
implementable international standard for the risk management process.

The focus of ISO 31000 is the incorporation of risk management strategies and procedures
across all aspects of a company in an integrated manner. In the introduction to this set of
standards, the aim is defined as follows: “This International Standard recommends that
organisations develop, implement and continuously improve a framework whose purpose is
to integrate the process for managing risk into the organisation’s overall governance,
strategy and planning, management, reporting process, policies, values and culture.”
Further, ISO 31000 was developed in such a way that any kind of organisation, regardless of
their industry, size or structure, can benefit from implementing the standards it sets forth.

ISO 31000 has a dual focus of setting standards for a risk management framework, and
setting standards for the actual risk management process. The following section draws on
ISO 31000 to give you a comprehensive understanding of the international standard risk
management framework and process. This is essentially a map for all of your risk
management practices, and you should familiarise yourself with this in order to bring your
business’s risk-related activities up to standard.

Tel: +27 21 447 7565 | Fax: +27 21 447 8344

Website: www.getsmarter.com | Email: [email protected]
© 2017 UCT / GetSmarter All Rights Reserved (not authorised for commercial use)

Page 4 of 18
2.1 A standardised risk framework
The framework within which the risk management process is executed can determine its
efficacy and success. The framework is what allows the process to be embedded into all
aspects of an organisation.

To design a framework that will meet the needs of your organisation, you need to
understand the internal and external context within which your organisation functions, as
these can significantly affect the framework you develop.

2.1.1 External context

To evaluate your organisation’s external context, you will have to consider the following:

• The social, cultural, legal, regulatory, financial, technological, economic, natural,

and competitive environment in which you conduct business, both locally and
internationally where relevant;

• Key drivers and trends that impact on the objectives your organisation has set; and

• Your own relationships with external stakeholders.

2.1.2 Internal context

To evaluate the internal context of your organisation you must consider the following:

• Organisational structure, governance, various roles, and accountability;

• Policies and objectives, as well as the strategies you have in place to reach them;

• Capabilities, or the resources and knowledge that your organisation has;

• Information systems and information flows pertaining to the decision-making

process;

• Relationships with internal stakeholders (which contributes to the organisation’s

culture);

• Standards and guidelines that the organisation has in place; and

• Contractual relationships the organisation is in.

2.1.3 Accountability
Another important aspect of a risk management framework is the accountability systems
that you have in place. An organisation should ensure that those who manage organisational
risks have the authority, the competency and the accountability to do so effectively. To do
this, your organisation should:

Tel: +27 21 447 7565 | Fax: +27 21 447 8344

Website: www.getsmarter.com | Email: [email protected]
© 2017 UCT / GetSmarter All Rights Reserved (not authorised for commercial use)

Page 5 of 18
 • Identify risk owners who are in an appropriate position to manage particular risks;

• Identify who is accountable for the development, implementation and

maintenance of the risk management frameworks you have in place;

• Identify the risk management responsibilities of each person at every level of the
organisation; and

• Establish measurement and reporting processes for performance.

This gives your risk management practices a human face. Knowing who is accountable for
the various aspects of planning and implementation assists you in understanding your
process. If you know who is doing what, you can keep track of what is being done.

2.1.4 Organisational integration

It is imperative that risk management is not viewed or developed as a separate management
tool. Instead, risk management processes should form part and parcel of every practice and
process that takes place within the organisation in a relevant and efficient manner. Of
particular importance is that risk management should be firmly embedded into policy
development, since policies that incorporate risk management will have beneficial
organisation-wide effects. If risk management is part of your strategic planning and review
processes, it will permeate the entire organisation.

2.1.5 Resources
Resource allocation towards risk management processes is another aspect of the framework
that benefits from standardisation. If you don’t have strategically allocated resources, you
will not be in a position to respond to risks in a timeous and efficient manner. Resources you
should consider include:

• People – their skills, levels of experience and fields of competence;

• The material resources necessary for the implementation of your various risk
management processes;

• The actual methods and tools you use to manage risks;

• Information and knowledge management systems that help you streamline your
processes; and

• Training programs to upskill personnel.

2.1.6 Internal reporting mechanisms

A system of communication that allows the various role-players in the risk management
process to take accountability for the activities that fall under their control should form part
of your standardised framework. Role-players should also be able to report on progress,
changes, decisions, or problems that arise to ensure that everyone who needs access to this

Tel: +27 21 447 7565 | Fax: +27 21 447 8344

Website: www.getsmarter.com | Email: [email protected]
© 2017 UCT / GetSmarter All Rights Reserved (not authorised for commercial use)

Page 6 of 18
information can be easily informed. An added benefit is that the chosen framework will
constantly be re-evaluated to determine whether it is still effective and meeting its
outcomes. Finally, you should have consultation processes in place, which will allow all
internal risk management process stakeholders to meet and discuss any matters arising from
their duties.

2.1.7 External reporting mechanisms

Since your business may have various external stakeholders (people who have a vested
interest in the functions of your organisation), having procedures in place will allow them to
be informed of your risk management process. As part of this, you should ensure that there
is an effective two-way exchange of information between your business and these external
stakeholders. Your reporting to these parties should also follow any relevant legal,
regulatory and governance requirements. Further, you should leverage your
communications with these external parties to build confidence in your organisation, as well
as keep them informed of any crises that you are undergoing. Open and honest
communication with external stakeholders is thus an important element of your
standardised risk management framework.

2.2 A standardised risk management process

ISO 31000 also defines the processes that should be performed as part of standard risk
management practices in any organisation. If initiated and diligently performed, these
standard guidelines should prove to be an effective risk management strategy, assisting your
organisation in the difficult task of managing risks efficiently and proactively.

It is important to note that the risk management process should form an integral part of
your management duties (a previously mentioned idea that will also resurface in all of the
further foundational documents discussed). Risk management should not be regarded as a
separate business function, but should rather be integrated into every facet of your
managerial responsibilities. By default, this means that it should also be embedded in your
business’s culture and specifically tailored to the processes and needs of your business. The
ISO standards set out below should be developed in a manner that will make them relevant
and useful within the context of your business as a whole. This overview of the process
should act as a broader guide for you to tailor to the specific requirements of your business.

Figure 2 is a representation of the ISO 31000 risk management process:

Tel: +27 21 447 7565 | Fax: +27 21 447 8344

Website: www.getsmarter.com | Email: [email protected]
© 2017 UCT / GetSmarter All Rights Reserved (not authorised for commercial use)

Page 7 of 18
 Figure 2: The ISO 31000 risk management process overview (Source:
https://ppl.app.uq.edu.au/content/1.80.01-enterprise-risk-management)

Each step of the process is displayed in this overview. In the centre of the diagram, the area
outlined in blue indicates the actual process of assessing risks, which includes Risk
Identification, Risk Analysis and Risk Evaluation. To the left you will see that each step of the
assessment process relies on the Communication and Consultation process. This means that
before each of the steps in the process, there is an additional communication and
consultation process that needs to be followed in order to keep everyone informed of the
ongoing process.

To the right of the risk assessment steps is a Monitoring and Review process. Again, this
means that for each step in the process, there is a subsequent phase in which the steps are
reviewed and monitored to ensure that everything ran according to plan. The monitoring
and review process is also cyclical, in that it feeds back into the top of the process. In other
words, once your risk assessment process is complete, you feed the information you
gathered from that process back into the process, so that you can learn from mistakes, build
on previous progress and continue to develop your process as you go.

Finally, you will see that above and below the risk management process there are two
contextual steps - Establishing the Context and Risk Treatment. The former involves putting
the whole risk management process into perspective and defining where in your business
activities you will situate the risk management process. The latter refers to the actual
treatment of the risks once all the subsequent steps have been completed.

Tel: +27 21 447 7565 | Fax: +27 21 447 8344

Website: www.getsmarter.com | Email: [email protected]
© 2017 UCT / GetSmarter All Rights Reserved (not authorised for commercial use)

Page 8 of 18
Below you can find an explanation of the various steps in the process as set forth in ISO
31000. This overview was developed as the international standard, and should form a solid
foundation for your own risk management process.

2.2.1 Communication and consultation

To keep everyone participating in the management of risk informed at every stage is
imperative to the success of your process. Every other step in the process is connected to
Communication and Consultation, because there should be a system in place to disseminate
information about what was decided or done during each step in the process to those who
need to know about it. Therefore, you should develop a line of communication early on, to
ensure that you do not end up in a situation where crucial information does not reach those
it impacts timeously. Communications should cover issues such as the risk in question, its
causes, and its potential consequences (if you can foresee them), as well as the measures
being taken to treat the risk.

Remember that, ultimately, people make risk management decisions. Their perspectives on
how to manage those risks will differ depending on the quality and quantity of information
they have access to. The best precautionary measure for any business is to ensure that
people are as informed as possible when it is time to make such decisions, and that they
have a breadth of relevant skills and experience. All communication should facilitate
truthful, relevant, coherent and accurate exchanges of information.

2.2.2 Establishing the context

During the risk management process, it is important to establish the internal and external
context, since this is what allows you to define your objectives within the applicable internal
and external parameters. Establishing context also allows you to determine the scope of the
risk criteria that you will use for the rest of the process. The context and parameters that are
relevant here are similar to those for the standardised framework mentioned above. The
only difference is that during the actual process you have to consider the external and
internal contexts in more detail and depth. Your focus should also be on how they relate to
the focus and aims of your particular risk management process, in order to customise this
for your own purposes. Refer back to section 2.4.1 for the factors to take into account when
establishing internal and external context.

Establishing the context of the risk management process

Of further importance is the establishment of the objectives, strategies, scope and
parameters of those activities that are related to risk management. Risks can only be
managed to the extent that you can justify the resources being allocated to the various
activities being performed. It is therefore important for you to establish the scope of the
resources available for these activities, so that you have an idea of the scope of your
process. This step in the process entails:

• Defining the goals and objectives of your risk management activities, as well as
allocating various responsibilities in your process;

Tel: +27 21 447 7565 | Fax: +27 21 447 8344

Website: www.getsmarter.com | Email: [email protected]
© 2017 UCT / GetSmarter All Rights Reserved (not authorised for commercial use)

Page 9 of 18
 • Defining the depth, breadth and scope of the risk management activities to be
performed;

• Defining the interrelationships between the various projects, processes and

activities of your organisation to find places of overlap that you can use to your
advantage;

• Defining your risk assessment methodologies, so that you have a logical system to
assist you in assessing risks;

• Defining the way in which you will measure and evaluate the performance and
effectiveness of your risk management activities so that you know when your risk
management practices are successful;

• Identifying the decisions that you will have to make regarding the risks and how
you will manage them; and

• Identifying the scope and context of any studies you will have to conduct and
information you will have to gather to perform your risk management duties.

If you effectively define and establish the context of your risk management practices within
your business, you will be better equipped to understand the process you have to follow in
order to manage your risks effectively.

Defining risk criteria

As part of establishing the context of your process, another crucial step is to define the
criteria you use to determine the significance of risk. This is what allows you to understand
which risks are the most threatening, which will have the greatest impact, which should be
addressed at what time, and which should receive most of your attention and resources.
Some of these criteria will be influenced by the specific pieces of legislation or regulations
that apply to your industry, so you will have to keep that in mind when defining your risk
criteria. Besides that, other factors you should consider include:

• What are the causes of these risks, and what are their consequences, but also how
will you measure their impact;

• What is the probability that they will transpire;

• The timeframe of the probability of them happening or the timeframe of the

consequences affecting you;

• How will you determine what the level or severity of risk is that you attach to each
possibility;

• How do other stakeholders in the organisation view this risk;

• At what level does this risk become acceptable to your business, or at what level
will you be able to tolerate it even if it negatively affects you; and

Tel: +27 21 447 7565 | Fax: +27 21 447 8344

Website: www.getsmarter.com | Email: [email protected]
© 2017 UCT / GetSmarter All Rights Reserved (not authorised for commercial use)

Page 10 of 18
 • Are there any risks that you should consider in combination since they can
potentially affect you together or be negated by the same remedies. You must
then also determine how you will consider and address these combinations.

Sections 4.2.1 and 4.2.2 deal with the steps in the process that happen prior to the steps
that follow here. Next, we move into the actual risk assessment part of the process.

2.2.3 Risk identification

The purpose of this step in the process is to allow you to create a comprehensive list of risks
that your business faces. This list should detail any potential events that “might create,
enhance, prevent, degrade, accelerate or delay the achievement of objectives” (District
Council of Mallala, 2013). By identifying these events you will not only be able to prepare
yourself for addressing them if they materialise, but also be prepared to capitalise on them if
they present opportunities. It is crucial at this stage to identify as many potentially risk-
bearing events as possible, since any that you do not identify here will not be addressed at
any of the following stages of the process. Miss them here, and you miss them completely,
and may leave yourself dangerously exposed.

Risks that originate from within and without your organisation should be included in this list,
even if the actual cause or source of the risk is not clear to you. When looking for risks to
identify, you should cast your gaze widely, considering a diverse range of potential
consequences even if their source or cause is not evident to you. The more comprehensive
the list of risks, the better you can prepare yourself with the risk management process. You
should also consider the fact that some consequences may have a knock-on or cascading
effect, where one thing that goes wrong can cause another and another and another, greatly
increasing the damage that can be caused. Any significant causes and consequences should
be considered and no potential risk, no matter how seemingly irrelevant, can be safely
ignored without due consideration.

There are various risk identification tools and techniques that you will be able to use during
this step of the process. You will have to determine which ones are most relevant in which
scenarios to help you identify the risk and its possible outcomes. Another thing to remember
is ensuring that the right people are consulted throughout this step, since they may have
knowledge that can help you to identify further risks or consequences that you may not
foresee. The tools and techniques used to identify risks are discussed in detail in Module 6,
which delves into the practical side of the risk identification process.

2.2.4 Risk analysis

The next step in the process that ISO 31000 sets out is the risk analysis phase. The purpose
of risk analysis is for you to familiarise yourself with the risk once it has been identified. You
should find out more about the risk, conduct research, and develop an understanding of
potential consequences. Only through proper understanding of the risk will you be able to
know whether or not it actually poses a significant threat, what that threat level is, and then
determine what you can do to address it if necessary.

The risk analysis process has three main focuses:

Tel: +27 21 447 7565 | Fax: +27 21 447 8344

Website: www.getsmarter.com | Email: [email protected]
© 2017 UCT / GetSmarter All Rights Reserved (not authorised for commercial use)

Page 11 of 18
 1. The cause and source of the risk. In other words, where is this risk coming from and
what caused it in the first place?

2. The positive and negative consequences of this risk. That is, if this risk actually
happens, what impact, for better or worse, will that have on your business?

3. The probability that any of these consequences will occur. Meaning, what is the
probability that any of the potential consequences you identified end up actually
happening?

While doing the risk analysis you should also keep in mind that these factors are not stable
or stationary influences. The cause or consequence of a risk, or the probability that it
happens, can change or be influenced by other changing factors. This sensitivity to
preconditions can mean that what you think is a small risk with a small probability of
happening, can eventually turn into a significant risk with a high probability of happening.

Importantly, you should ensure that when you inform relevant stakeholders about these
risks, you also inform them of how they are sensitive to changes, as well as which
assumptions you make about them. Since you cannot predict the future with absolute
certainty, you will have to make some assumptions about the risk or its consequences, and it
is important that you explain the assumptive perspective from which you analyse each risk.
This will ensure that other stakeholders understand the context of your analysis and realise
where the margins for error lie.

The actual practice of this analysis entails several possible methods, which you can apply in
varying degrees of detail. Ultimately, though, your analysis will either be qualitative, semi-
qualitative, quantitative or a combination of these three, depending on the circumstances
you find yourself in. Furthermore, to analyse the consequences and their probabilities, you
may model the outcomes of a set of events, or make extrapolations from experimental
studies or whatever other data you can gather.

The details of the risk analysis process will be explained in a lot more depth in Module 6,
where you learn exactly how to go about evaluating the risks that you have identified.

2.2.5 Risk evaluation

Once you have identified and analysed the risks that your business faces, ISO 31000
stipulates that the next step is to evaluate those risks. This means that you must now make
decisions about which risks will need to be responded to, as well as the priority that each
risk will have.

In practice, evaluating risks means comparing the level of risk found during your analysis
phase with the risk criteria that you established when you determined the context of risk
management within your business. When you know what level of threat a risk poses, and
you know what levels of risk you can and cannot accept, you can determine which of the
risks need to be responded to, and how urgently.

Tel: +27 21 447 7565 | Fax: +27 21 447 8344

Website: www.getsmarter.com | Email: [email protected]
© 2017 UCT / GetSmarter All Rights Reserved (not authorised for commercial use)

Page 12 of 18
As in the above consideration, the decision you make about each risk here is also influenced
by legislation and regulations that apply to your field, and you should also consider the risk
that external parties will be exposed to as a result of the action you take.

If during this evaluation phase you find that you cannot reach a clear decision, you can also
decide that further analysis is necessary. You may conclude that the best course of action is
to keep the controls and measures in place as they are, and that no further action is
required to address an identified risk. This will all depend on your business’ attitude towards
and appetite for risk.

These three steps above form the Risk Assessment part of the risk management process.
Once the risk has been fully assessed (identified, analysed and evaluated), you can move
onto the next phase, which is risk treatment.

2.2.6 Risk treatment

Broadly speaking, the treatment of risks requires that you make a choice regarding what you
want to do about the risks you face. You then have to implement your choice, and once
implemented, continue to assess the efficiency and adequacy of that choice.

The risk treatment process is cyclical in nature, feeding back into itself, keeping the process
constantly repeating. The steps sound simple but they all require further effort and
attention:

• You must assess the risk treatment option to determine if it will address the risk
sufficiently;

• You must make a decision about whether the levels of risk involved are acceptable
to your business;

• If it is not tolerable, you must alter your treatment option or develop a new one to
address the risk; and

• Assess the efficiency of the new treatment plan, and repeat the above steps until
the risk has been satisfactorily managed.

There is a limited number of treatments that you can implement to address a risk. But they
are neither mutually exclusive nor are all viable options for every type of risk. You can use
them to varying degrees as the situation requires to create the most suitable treatment
option. ISO 31000 explicitly says that businesses usually benefit from a combination of these
treatment options, so you are strongly advised to make use of all of them in your risk
management pursuits.

But you should also keep in mind that all of these options require trade-offs. To lesser or
greater degrees, they require resources to implement, and when used ineffectively can not
only waste said resources, but also expose you to the risk they did not help treat. So, it is up
to you to weigh up the benefits and shortcomings of each option, and to then put them,
alone or in conjunction, to their greatest use. The risk treatment options available to you
are:

Tel: +27 21 447 7565 | Fax: +27 21 447 8344

Website: www.getsmarter.com | Email: [email protected]
© 2017 UCT / GetSmarter All Rights Reserved (not authorised for commercial use)

Page 13 of 18
 1. Avoiding the risk entirely by deciding to not pursue it, or to stop performing the
activity that exposes you to the risk in the first place. This is most useful when the
risk is internal, or in your sphere of influence. When you can make the decision
about whether or not the event is a risk to your business, you will be able to avoid it.

An example of this would be if you decide to not pursue a specific project or investment if
you determine that it is too risky for the level of risk your business can accept or if the return
is insufficient.

2. Taking or increasing the risk if it allows you to pursue a potentially beneficial

opportunity.

For example, if you chose to invest in a project that has a small probability of success, but
where success would significantly benefit your business. In this case you act in a risk-seeking
manner, determining that the potential benefits are worth the risk.

3. Removing the source of the risk.

For example, stopping the production of a certain product if the production thereof is
known to be potentially hazardous, or is negatively affecting your business in some manner.
Another example is if you withdraw from a specific investment, if that investment is deemed
to be too risky for your business’ risk appetite.

4. Changing the probabilities attached to a risk.

For example, if you decided to allocate more resources and personnel to a specific project, if
your current estimates indicate that the probability of successfully completing that project is
too low. More resources and effort, if used correctly, could ensure that the project has
greater chances of success.

5. Changing the consequences of the potential risk.

An example of this would be that instead of producing 100 units of a risky product, you only
produce 50, thereby limiting the potential negative consequences.

6. Sharing the risk with another party or parties, which includes contracts with external
parties and risk financing mechanisms.

For example, if you took out insurance for a specific risk, which means that negative
consequences will now be carried by an insurer instead of your business. Taking out fire
insurance means that your insurer will bear the financial burden of a fire on your premises.
Another example is if you outsource a specific function of your business to another
company, say the software development side, so that the task and its associated risks are
handled by an outside party.

7. Retaining the risk after making an informed decision.

Tel: +27 21 447 7565 | Fax: +27 21 447 8344

Website: www.getsmarter.com | Email: [email protected]
© 2017 UCT / GetSmarter All Rights Reserved (not authorised for commercial use)

Page 14 of 18
For example, if you decide to pursue a project or an investment despite the potential risks
they expose you to. You would only do this if the risks are negligible, you have contingency
plans in place, or you would be able to weather the effects of the risk without severely
disrupting your business activities.

2.2.7 Selecting the relevant risk treatment option

According to ISO 31000, you should make this choice based on the costs and efforts it would
require from you compared to the benefits you can receive. But this decision should also be
made with regard for the “legal, regulatory, and other requirements such as social
responsibility and the protection of the natural environment”. Decisions should also take
into account risks which can warrant risk treatment that is not justifiable on economic
grounds, e.g. severe (high negative consequence) but rare (low likelihood) risks.

Importantly, it goes on to state that organisations have a responsibility to all of their

stakeholders when deciding on a risk treatment option. The decision should be made in such
a way that it does not offend their values and perceptions, and so that it is communicated to
them in an open and appropriate manner. If the risk treatment options you select and
implement can have an impact on risks elsewhere in your business or on the stakeholders,
this should be taken into account. Even when one risk treatment option can be as effective
as another, some of them may be more acceptable to stakeholders than others.

An example of two options with different levels of acceptability for a stakeholder, say a
shareholder in this case, would be an organisation maximising its profits through exploiting
child labour in the manufacture of goods versus providing a lower return, but investing in a
socially responsible manner.

The treatment plan you devise should also clearly reflect the order of prioritisation that you
attribute to each risk treatment option. So, you should detail which option should be
implemented, to what degree it should be implemented, and with what level of urgency.

Finally, ISO 31000 explains that it is important to remember that a risk treatment option can
expose you to further risks. On the one hand, the failure or ineffectiveness of a risk
treatment option could result in a new, more significant risk to arising. The previous risk you
faced could be exacerbated or a completely different one could arise as a result of the
ineffective treatment. On the other hand, risk treatments can also give rise to secondary
risks, which you will then have to assess, treat, monitor and review. But since these risks are
linked, you should identify and maintain the way in which they are connected, and treat the
secondary risk with the same treatment option you use for the primary risk. They should not
be treated as separate risks, since the one causes the other, so the same plan must be used
to address both. If not, you could find yourself in a position where your risk treatment
options create more risks in need of treatment, prompting you to go through this whole
process anew for each subsequent risk.

2.2.8 Preparing and implementing risk treatment plans

In conjunction with the implementation of a risk treatment option, you should also create a
risk treatment plan to document the decisions you make and the processes that you

Tel: +27 21 447 7565 | Fax: +27 21 447 8344

Website: www.getsmarter.com | Email: [email protected]
© 2017 UCT / GetSmarter All Rights Reserved (not authorised for commercial use)

Page 15 of 18
implement. This will allow you to monitor and review your risk management efforts with
more accuracy, allowing you to look at the way you manage risks and to then make
adjustments when and where they are necessary. The information you record in the risk
treatment plan should include the following:

• The reason why you chose the treatment options in question, explaining what
benefits you expected to gain;

• Who is responsible and accountable for approving the plan, and who is responsible
for implementing the plan;

• What specific actions have been proposed in this situation;

• What resources will be required to implement this option, also including whatever
resources will be required for a contingency plan;

• What system you will use to measure the performance of this option and what
constraints are there on your system;

• What requirements will there be for reporting and monitoring on the plan; and

• What the timeline of this option is, as well as the schedule that is being worked to.

These together form the content of the risk treatment plan that you will use to keep all
stakeholders informed. This treatment plan forms part of the greater integrated risk
management processes of your business, and should be shared and discussed with all
relevant stakeholders. They should also be informed of any residual risk that remains after
the completion of the risk treatment, and whatever risk remains should be monitored and
reviewed and, if necessary, treated.

2.2.9 Monitoring and review

The next step is to the right-hand side element of Figure 2 above, the Monitoring and
Review part of the risk management process overview. Keep in mind that the arrows in the
diagram show that this step in the process takes place during each of the steps taken above.
Your monitoring and review process should thus be integrated into the whole of your
greater risk management process as it requires continual attention. Remember that
monitoring and reviewing responsibilities should be clearly defined, so that all stakeholders
know who is in charge of checking the progress of the process.

Your organisation’s monitoring and review process should focus on every facet of your risk
management process, paying particular attention to the following:

• Ensuring that the controls in place are effective and efficient in the way they were
designed and implemented;

• Finding additional information that can be used to improve your process as you go;

Tel: +27 21 447 7565 | Fax: +27 21 447 8344

Website: www.getsmarter.com | Email: [email protected]
© 2017 UCT / GetSmarter All Rights Reserved (not authorised for commercial use)

Page 16 of 18
 • Analysing and learning from events that transpire, which includes near-misses,
changes in the situation, trends in the market, successes achieved and failures
experienced;

• Detecting changes in the external or internal context as you originally defined it,
including such eventualities as the changing of the risk criteria or the nature of the
risk itself which will subsequently require changes to your risk treatment plan; and

• Identifying any risks that emerge from the implementation of your risk treatment
option.

Recording the risk management process

All of your risk management activities should be traceable, so that you can continue to
improve the tools at your disposal and your overall process. This means that when you make
decisions that affect how you record your risks you should keep the following in mind:

• The organisation’s need to continue learning from the actions of today;

• The benefits to be gained from re-using information from these actions in the
performance of your managerial duties;

• The cost and effort involved in the creation and maintenance of your records;

• The legal, regulatory and operational needs for these records;

• The method by which these records can be accessed, how easy it is to retrieve this
information and how you will store it;

• How long you will keep these records for consultation purposes before they
become obsolete; and

• The sensitivity of the information.

This is then the current international standard for the risk management process. This
detailed overview of the stipulations of ISO 31000 should give you a strong framework for
your risk management activities. Admittedly, this is an intricate process, especially since it is
ongoing. But if you develop your risk management process to ensure that it incorporates all
of the aforementioned steps and factors, you will match up to international standards.
Consequently, your business will become more robust, able to adapt and survive, even
thrive, because you have an effective risk management system in place to guide you through
times of uncertainty.

Note:

All of the steps of the process will be fleshed out in the modules to come. This is important,
because you will need to understand exactly what each of the steps entail in practice in
order to effectively perform them. So whereas this is the overview of the process, the
practical details are still to come.

Tel: +27 21 447 7565 | Fax: +27 21 447 8344

Website: www.getsmarter.com | Email: [email protected]
© 2017 UCT / GetSmarter All Rights Reserved (not authorised for commercial use)

Page 17 of 18
3. Conclusion
The discussion on ISO 31000 provides insight into a clear model on which you can build your
own risk management system. If you think back on the framework and process as laid out in
ISO 31000 you will remember that your risk management system should include the
following steps:

• Establishing context

• Identifying risks

• Analysing risks

• Evaluating risks

• Treating risks

In Part 3 you will cover the important role of the highly-regarded King reports, as well as the
purpose of the Committee of Sponsoring Organisations of the Treadway Commission
(COSO), in the adoption of effective risk management strategies globally.

In Part 2 of the notes you found out how ISO 31000 established the international standard
risk management procedures and the specifics of the framework and process it formalised.

4. Bibliography
COSO. 2015. The Committee of Sponsoring Organisations of the Treadway Commission.
Available: http://www.coso.org/ [2015, 8 October].

District Council of Mallala. 2013. Risk Management Framework. Available:

http://www.mallala.sa.gov.au/webdata/resources/files/D13%2010699%20%20Risk
%20Management%20Framework%20V1.pdf [2017, 3 August].

ISO 31000. 2009. International Organisation of Standardisation. Available:

http://www.iso.org/iso/catalogue_detail?csnumber=43170 [2015, 8 October].

The King III report. 2015. The King Committee on Corporate Governance. Available:
https://www.saica.co.za/Technical/LegalandGovernance/King/tabid/2938/language
/en-ZA/Default.aspx [2015, 8 October].

Tel: +27 21 447 7565 | Fax: +27 21 447 8344

Website: www.getsmarter.com | Email: [email protected]
© 2017 UCT / GetSmarter All Rights Reserved (not authorised for commercial use)

Page 18 of 18