ISO provides additional and useful risk management guidance
Hopefully, you are familiar with the global risk management standard, ISO 31000:2009.
ISO has now developed and just published ISO 31004. This is a “Technical Report” titled “Risk management – guidance for the implementation of ISO 31000”.
Because it is a global document, you can download it from your national standards board’s site. In the US, you can find it on the ANSI site as well as on the ISO Swiss site. It is not free, but it is not expensive either.
The Technical Report “provides: a structured approach for organizations to transition their risk management arrangements in order to be consistent with ISO 31000, in a manner tailored to the characteristics of the organization; an explanation of the underlying concepts of ISO 31000; [and,] guidance on aspects of the principles and risk management framework that are described in ISO 31000”.
In addition to advice on upgrading risk management using ISO 31000, the Technical Report has useful appendices, including a discussion of underlying concepts and principles. The latter starts by explaining that “Organizations of all kinds face internal and external factors and influences that make it uncertain whether, when and the extent to which, they will achieve or exceed their objectives. The effect that this uncertainty has on the organization’s objectives is risk”.
Another useful section says “Controls are measures implemented by organizations to modify risk that enable the achievement of objectives. Controls can modify risk by changing any source of uncertainty (e.g. by making it more or less likely that something will occur) or by changing the range of possible consequences and where they may occur.”
It concludes this appendix with “Risk management is an integral component of management, as it involves coordinated activities concerned with the effect of uncertainty on those objectives. That is why, in order to be effective, it is important that risk management is fully integrated into the organization’s management system and processes.”
Perhaps of most use is the discussion and explanation of risk management principles. I am not going to list or discuss them here, as you should really read and consider them for yourself.
I recommend purchase of ISO 31000:2009 (if you don’t already own it) and the new 31004:2013.
I welcome your comments.