1. Afrikaans
  2. Albanian
  3. Arabic
  4. Armenian
  5. Azerbaijani
  6. Basque
  7. Belarusian
  8. Bengali
  9. Bosnian
  10. Bulgarian
  11. Catalan
  12. Cebuano
  13. Chichewa
  14. Chinese
  15. Croatian
  16. Czech
  17. Danish
  18. Dutch
  19. English
  20. Esperanto
  21. Estonian
  22. Filipino
  23. Finnish
  24. French
  25. Galician
  26. Georgian
  27. German
  28. Greek
  29. Gujarati
  30. Haitian Creole
  31. Hausa
  32. Hebrew
  33. Hindi
  34. Hmong
  35. Hungarian
  36. Icelandic
  37. Igbo
  38. Indonesian
  39. Irish
  40. Italian
  41. Japanese
  42. Javanese
  43. Kannada
  44. Kazakh
  45. Khmer
  46. Korean
  47. Lao
  48. Latin
  49. Latvian
  50. Lithuanian
  51. Macedonian
  52. Malagasy
  53. Malay
  54. Malayalam
  55. Maltese
  56. Maori
  57. Marathi
  58. Mongolian
  59. Myanmar
  60. Nepali
  61. Norwegian
  62. Persian
  63. Polish
  64. Portuguese
  65. Punjabi
  66. Romanian
  67. Russian
  68. Serbian
  69. Sesotho
  70. Sinhala
  71. Slovak
  72. Slovenian
  73. Somali
  74. Spanish
  75. Sudanese
  76. Swahili
  77. Swedish
  78. Tajik
  79. Tamil
  80. Telugu
  81. Thai
  82. Turkish
  83. Ukrainian
  84. Urdu
  85. Uzbek
  86. Vietnamese
  87. Welsh
  88. Yiddish
  89. Yoruba
  90. Zulu

Risk Management with ISO 31000

By Graphic Products Editorial Staff
Published: Apr 1, 2014
Updated: Sep 16, 2016

Running a business involves risk. Risk cannot be avoided, but it can be managed. ISO 31000 provides guidelines for managing risk in an organization, within the established management system, structure, and culture of that organization. ISO 31000 does not offer specific procedures, and there is no “ISO 31000 certification.” Instead, the standard focuses on basic principles and guidelines that can be applied worldwide.

Types of Risks

Risk management is the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.

Handbook on Decision Making: Vol 2: Risk Management in Decision Making by Jie Lu, Lakhmi C. Jain, and Guangquan Zhang

The first step in managing risks is to understand the risks that need to be managed. In order to use the ISO 31000 guidelines, you need to understand that “risks” may not mean what you expect.

A traditional definition of risk involves the exposure to danger, with potential for injury or loss. ISO 31000 creates a new definition of risk as “the effect of uncertainty on objectives, whether positive or negative.” This definition shifts the understanding of risk away from the possibility of a negative outcome and toward the uncertainty itself. With appropriate risk management processes in place, ISO 31000 views risk as having the potential to provide opportunities.

Next, ISO 31000 divides risks into three categories:

  • Hazard (if the uncertain event occurs, there will be negative outcomes)
  • Control (the results of the uncertainty are themselves uncertain)
  • Opportunity (if the uncertain event occurs, there will be positive outcomes)

Hazard Risks

Hazards are risks leading to a negative outcome. Examples of these would be safety concerns, such as hazardous chemicals, high voltage electricity, or moving machinery. A three-prong approach is typically used to address safety-related hazards.

  1. Eliminate the hazard through the use of engineering controls. This may involve redesigning equipment or processes to eliminate the hazard entirely, or providing guarding to make the hazard inaccessible. The objective of engineering controls is to eliminate all possibility of negative consequences.
  2. Reduce the hazard through the use of administrative controls. This involves implementing standards, procedures, and practices that prevent negative consequences. For example, pathways might be established with floor marking tape to keep foot traffic separate from forklift traffic. Work schedules could be arranged so that hazardous activities are performed when fewer employees are present.
  3. Protect individuals from the hazard using Personal Protective Equipment (PPE). For example, employees might be required to wear eye protection and a face shield when they grind welds on piping.

However, ISO 31000 also addresses risks that are not safety-related, such as theft. Because it is an uncertain event with a negative outcome, theft falls into the hazard category.

ISO 31000 addresses all forms of risk, including safety risks, financial risks, political risks, and marketing risks. As a result, phrases such as “risk tolerance” are used. While there may be zero tolerance for risk when it comes to safety, in other areas, such as financial risk, there is a certain level of tolerance – even for risks in the “hazard” category.

Control Risks

Some types of risks have uncertain outcomes; these are classified as “control risks.” An example of a control risk would be paving a road in early spring. The road may need to be completed by June in order to handle the anticipated heavy summer traffic. However, the progress of paving work is subject to the weather, and the risk of poor weather is greater in the spring. The outcome of the paving project is uncertain — and the results of a delay are also uncertain.

Control risks are most commonly associated with project management. Typically the project schedule, budget, and specifications are at risk due to unknown and unexpected events or conditions. Most organizations will strive to eliminate these control uncertainties. However, some projects must be undertaken with control risks, because the benefits still outweigh the risks. (Waiting until summer to start the paving project might eliminate the weather concern, but the roads would not be finished in time for the heavy seasonal traffic.)

Opportunity Risks

Opportunity risks are those risks that an organization knowingly takes on in order to get a positive result. For example, investing in new technology involves some risk; it may have greater costs in the long run, or may be quickly replaced by another development. However, the benefits may be worth the risk.

All organizations take opportunity risk, but the tolerance for opportunity risk will vary from one group to another. Some organizations are aggressive, willing to take on more risk in return for the benefit of rapid improvement. Others may wait for an opportunity to have a proven track record before they adopt it.

Opportunity risks can't be avoided. There is a risk in taking advantage of any opportunity, and there is even risk associated with doing nothing. The best approach is to understand the risks, and make decisions that bring the greatest value to your organization.

Risk Assessment and the Risk Matrix

Two of the most significant aspects of a risk are the severity of its outcome and the probability of its occurrence. These two aspects should be considered during the process of risk assessment.

When assessing risks a consistent approach must used. Do not allow individual departments to rank the severity and likelihood of a risk according to standards of their own choosing. This can lead each department to focus on the risks that strongly affect them, and ignore any others. With varying standards for risk evaluation, it will be impossible to implement a facility-wide assessment of risks. One of the best approaches to resolve this problem is to create a “risk assessment team.” This team would establish uniform and measurable criteria for ranking risk, and use those criteria to assign rankings to each event being evaluated.

The Risk Matrix

One of the tools available for assessing risk is the Risk Matrix. The severity and likelihood of a given risk are quantified on a scale from 1 to 10, and presented on a chart. Placing “severity” on the X axis and “likelihood” on the Y axis gives a chart that presents risks in a simple and effective way. The most serious risks appear in the upper right section of the chart.

The risks can be compared against each other easily, because each risk’s seriousness is the product of its likelihood and its severity. Using general rules of comparison, the Risk Matrix can be divided into three color-coded areas:

  • A low severity, low likelihood area (shown in green). Often, these risks are considered tolerable and do not require action. However, the type of risk must also be taken into account: in the area of safety, even low severity/low likelihood risks need to be addressed.
  • In the middle are the moderate risks (yellow). These risks typically need to be monitored, but still may not require action unless they relate to safety.
  • The upper right section (red) of the chart has the high severity, high likelihood risks. These risks must be addressed with control measures as soon as possible.

One of the major benefits of the Risk Matrix is that it provides a simple diagram of risk rankings that can quickly be understood. It is an excellent tool for presenting risks to upper management in a way the effectively communicates the need to address certain risks. Keep in mind, though, that a risk matrix alone is not a good decision making tool. It only provides guidance on which risks need to be addressed.

Risk Communication

Risk communication is an ongoing and interactive process, in which risk-related information is shared between the decision-makers and other stakeholders. ISO 31000 addresses the need for an effective risk communication system. Clear and accurate risk communication is needed while developing a risk management plan, and it is essential for communicating that plan to others.

While ISO 31000 does not include specific communication requirements, there are many laws and standards that do. Knowing the requirements of these laws and standards is essential. For example, OSHA's Hazard Communication Standard (HCS) requires Safety Data Sheets and labeling that provides information about chemical hazards.

A key component of risk communication is the use of signs and labels to provide information visually. For example, with a DuraLabel 9000 large format printer, extra large, high visibility labels can be made for chemical storage drums. The DuraLabel 9000 also can make warning signs for enclosures, labels with equipment operating instructions, and large format signs with safety and hazard information.

Learn more about the DuraLabel 9000, as well as the complete family of DuraLabel printers and tough-tested supplies, by calling 888.326.9244 today.

Share this article