iso_31000_for_smes.pdf
File size: 1.8 MB
Total pages: 22
Table of Contents
0   Introduction
1	Objectives and governance
1.1	Clear objectives
1.2	Mapping and assessing current governance arrangements
2	Mandate and commitment
2.1	Defining your commitment
2.2	Setting objectives for implementing ISO 31000:2009
2.3	Develop performance measures for risk management
2.4	Internal and external stakeholders
2.5	Communicate risk management commitment to stakeholders
3	Designing the framework for managing risk
3.1	Risk management framework
3.2	Compare your current risk management to ISO 31000:2009
3.3	Risk management principles
3.4	Understand the internal and external contexts of your organization
3.5	Risk management policy
3.6	Alignment between risk management policy and the organization
3.7	Risk attitude
3.8	Risk criteria
4	Implementing risk management
4.1	Understand your organization’s capability, capacity and culture with respect to risk
4.2	Planning the transition to ISO 31000:2009
4.3	Implementing the risk management framework
4.4	The risk management plan
4.5	Resources to implement the risk management plan
4.6	Establishing the context of the risk management process
4.7	Risk management methodologies
4.8	Communication of and consultation on the risk management process
5	Monitoring and review
5.1	Monitoring and review of the risk management framework
5.2	Monitoring and review of the risk management process
6	Continuous improvement of the framework
6.1	Determining the effectiveness of risk management
6.2	Continual improvement of the framework
6.3	Continual improvement of the implementation of the process
Annex A — Risk management techniques for SMEs
Annex B — Specific guidance for SMEs
Annex C — Guides, handbooks and references for SMEs
Document Text Contents
Page 1

ISO 31000
Risk management for SMEs

International Organization for Standardization
Ch. de Blandonnet 8, CP 401
CH-1214 Vernier, Geneva, Switzerland

International Trade Centre
Palais des Nations
CH-1211 Geneva 10, Switzerland

United Nations Industrial Development Organization
Vienna International Centre, P.O. Box 300
AT-1400 Vienna, Austria

© ISO, 2015
All rights reserved
ISBN 978-92-67-10645-8

With empirical evidence showing that around half of SMEs close down
before completing their fifth year, it is clear that operating a business can
be a risky endeavour.
ISO 31000: Risk management – a practical guide for SMEs describes
the requirements of ISO 31000, and provides guidance to identify
and implement risk management strategies.


Page 2

ISO 31000
Risk management for SMEs: a practical guide

Page 11

0   Introduction

0.1   Purpose

This guide has been prepared as a brief overview of how to implement risk
management in alignment with ISO 31000:2009 in a small-to-medium-sized
enterprise (SME), and follows a “question, followed by guidance” format.

ISO 31000:2009, referred to as the standard throughout this document, is a
brief and high-level set of principles and guidelines on how to implement
risk management. The standard is 23 pages long and presents 11 principles, a
framework, and a process that can be tailored to fit an organization of any
type and of any size.

This guide is to assist decision-makers in SMEs in understanding the standard
and in implementing risk management that is tailored for the size and com-
plexity of SMEs in both developed and developing countries.

The standard, in Clause 1, states:

“Although this International Standard provides generic guidelines, it is not
intended to promote uniformity of risk management across organizations.
The design and implementation of risk management plans and frameworks
will need to take into account the varying needs of a specific organiza-
tion, its particular objectives, context, structure, operations, processes,
functions, projects, products, services, or assets and specific practices

This guide is a checklist and a supplement to the standard and has been written
assuming the reader has access to the full standard. The purpose of this guide
is to provide clarification, guidance and brief introductory explanations for
all the elements of ISO 31000:2009, copies of which can be purchased from
ISO or through your national standards organization.

0.2   The value of implementing risk management

This brief summary outlines the value of making an explicit commitment
to implementing risk management as a core value of your organization.
Businesses of any size have to manage risks, and this is true from the creation
of the business and throughout its lifetime. Individuals or groups who perceive

10 ISO 31000: Risk management – A practical guide for SMEs


Page 12

the presence of a risk that can have a positive effect on the organization’s
objectives, for example a demand for a product or service, may treat this risk
by opening a new store or office. In order to commence operations, business
owners must manage other risks related to the acquisition of a location; the
identification of skills valuable to the enterprise; the attraction and recruitment
of employees who have these skills; and the acquisition of financing, raw
materials, machinery, etc. This list gives a few examples of risks relevant to an

Risk management is an essential business activity for enterprises of all sizes.
Enterprises that manage risks effectively will thrive and produce high quality
products or services where these are the organizational objectives.

Implementation of risk management that is aligned with ISO 31000:2009 has
the primary purpose of helping the enterprise achieve its objectives. It is for
this reason that the commitment to implement risk management must exist at
all levels in the company. Owners and the Board of Directors (if there is one)
as well as managers at all levels should understand the benefits that coherent
and reliable risk management can bring, and communicate that understanding
to staff by implementing it.

0.3   The value of following this guide

Enterprises both small and large need to identify, understand and manage the
uncertainties or risks that are critical to achieving success. ISO 31000:2009
provides a proven, robust and reliable approach to managing risk. Enterprises
must understand and manage risks to develop and thrive. By aligning risk
management with ISO 31000:2009 organizations will implement risk man-
agement consistently and effectively.

This guide is designed to help organizations build on the risk management
that enabled the organization to come into existence by supporting a move
from anecdotal, event-driven risk management, to risk management that is
strategic, focused on actual goals, reliable and cost effective. Risk management
is more than taking or avoiding risks. Risk management is the development
of a clear understanding of the risks that are important to the enterprise and
managing them as the organization evolves and the operating environment
(physical, environmental, financial and social) changes through time.


Page 21

Management should identify, approve and communicate the objectives of the
organization to all employees.

1.2 Mapping and assessing current governance

Do you have a clear management framework or a document that describes the
governance of your organization?

□ Yes → Go to next question
□ No → See guidance below

Governance is how and when decisions are made and includes accountability
as a key consideration. Governance provides clarity over roles and responsi-
bilities and identifies the processes that are essential for the organization to
continue and to function effectively. Governance documents describe how
management (including the Board of Directors if there is one) directs the

Governance functions include planning and budgeting, performance measure-
ment, assurance and auditing, procurement, hiring, assessing and dismissing
staff as well as control over all day-to-day operations.

The management of an organization, enabled by its governance arrangements,
can be described as “coordinated activities to direct and control an organi-
zation”. Risk management is defined as “coordinated activities to direct and
control an organization with regard to risk”. The parallels between these
two statements demonstrate how closely risk management and governance
are linked.

Reporting relationships are often shown in an organization chart that identi-
fies the flow of authority in the organization. While such a chart may be a first
step, it is only the beginning of mapping the governance of an organization. If
the organization is legally incorporated, there will be a Board of Directors and
a Chief Executive Officer. For very small organizations, there may simply be
an owner and governance relationships that are not written down. It is a best
practice to develop, approve and communicate the governance arrangements


Page 22

to employees, and to periodically review them to ensure that they are relevant
as business conditions evolve.

Documenting the organization’s governance includes identifying approval
pathways and criteria for decisions, the span of control for each major division
or manager, the documentation required to support business planning as well
as how strategic and tactical targets are established and progress is moni-
tored. Governance-related documentation should also reference applicable
legislation, regulations, guidelines, as well as internal and external policies
that relate to governance and control.

It is critical that the description of governance reflects current arrangements
and the levels of authority that have been established. The presence of cur-
rent, clear and effective governance is essential to creating an effective risk
management framework.
