Everyone understands “risk” in the same way
A company faces several kinds of risk, and various ISO standards and recommendations have been developed for dealing with them. How a risk is understood depends on the perspective from which it is viewed: different functional areas (finance, quality, information security, operations) see “risk” differently, and these views need to be brought together into a common understanding. For the management systems and the risks associated with them, specific ISO standards describe how the requirements are to be met.
The definition of risk according to ISO standards
The current ISO management system standards define risk as the “effect of uncertainty”. Uncertainty arises from specific issues or causes that affect the organization. The risk management guideline, ISO 31000, completes this definition as the “effect of uncertainty on objectives” and adds that “an effect is a deviation from the expected”. Here, too, the effect can be negative or positive (or both) and can concern different categories, aspects and levels of the organization.
Other management system standards also contain requirements for risk management. ISO 27001, the international standard for information security management systems, requires that risks and opportunities affecting information security be determined and addressed, and there is a supplementary standard, ISO 27005, which deals exclusively with information security risk management.
The quality standard ISO 9001 introduces the concept of risk-based thinking, which it regards as essential for an effective quality management system. To meet this requirement the organization must plan and implement actions to address risks and opportunities. ISO 9001 expects the organization to understand its context and to determine the relevant risks as part of its planning.
Organizational risks at management level
The question that remains is how organizational risks are handled in principle and at management level. In a company there is usually one body that is accountable for risk, and that is normally top management. Accordingly, ISO 31000:2018 defines “risk management” as “coordinated activities to direct and control an organization with regard to risk”. The standard further states that risk management is a management task and should be approached top-down.
What is the actual goal of risk management? According to ISO 31000, its purpose is the creation and protection of value, achieved through defined requirements and procedures. Risk management steers the deliberate and planned handling of the risks a company may face. It covers all activities and measures intended to reduce risk and, should a risk materialize, to limit the extent of the damage.
To get a clear picture of the risks your company is exposed to, start with a context analysis.
In the context analysis you consider the internal and external issues affecting your company and determine the associated risks and their influence on the company and its business processes. ISO 31000:2018 clause 5.4 (the design of the risk management framework, which begins with understanding the organization and its context) gives guidance on how to carry out this analysis.
To ensure comprehensive protection, risks should be considered at all levels of the organization. In this way, whoever is responsible for a specific area can incorporate the requirements into their processes, assess the risks and document the results. The ISO standards help to establish a common understanding of risk and to coordinate the risk assessment procedure across the organization, and ISO 31000 can serve as the guideline for implementation.