Working with ISO 31000


Risk and Opportunity Management – What is it?

Risk and Opportunity management describes the planned and systematic approach used to identify, evaluate and manage the whole range of business risks and opportunities facing any business.

Risk and opportunity is defined as ‘something happening that may have an impact on the achievement of objectives’. Risk and opportunity management is a central part of any organisation’s strategic management. It is the process whereby an organisation’s management team and operational managers methodically address the risks and opportunities attached to their activities with the goal of achieving sustained benefit within their activity and assess the portfolio of all activities.

The purpose of the Risk and Opportunity Management Framework is to:

  • Add value to the activities of the organisation;
  • Assist in achieving the organisation’s goals and deliver programs and services within an acceptable level of risk;
  • Provide staff and management with a systematic and formalised process for identifying and managing risk and opportunity;
  • Ensure a consistent approach to risk and opportunity management is adopted across the organization;
  • Ensure risks are identified and effectively managed using appropriate internal controls;
  • Allow resource allocation towards risk mitigation strategies to be considered during strategic planning and business plan development;
  • Develop an organisational ethos and operating culture which achieves the integration of the risk and opportunity management process into all staff and management activities.

Risk Management Process

The process for managing an organisation’s risks should be consistent with the International Risk Management Standard ISO 31000:2009.

It involves five key steps and additional steps to ensure feedback through a monitoring and review process and appropriate communication and consultation. Opportunities are also managed in the following manner.

Risk management principles

1. Creates Value

2. Integral part of organisational processes

3. Part of decision making

4. Explicitly addresses uncertainty

5. Systematic, structured & timely

6. Based on the best available information


8. Takes human & cultural factors into account

9. Transparent & inclusive

10. Dynamic, iterative & responsive to change

11. Facilitates continual improvement & enhancement of the Organisation

Step 1: Communicate & Consult

Communication and consultation are important elements in each step of the risk and opportunity management process. Effective communication is essential to ensure that those responsible for implementing risk management, and those with a vested interest, understand the basis on which risk management decisions are made and why particular actions are required.

It is important that the communication approach recognises the need to promote risk and opportunity management concepts across all management and staff.

Step 2: Establishing the Context

Establishing the context defines the basic parameters within which risks must be managed and sets the scope for the rest of the risk and opportunity management process. The context includes the organization’s external and internal environment.

External Context

Establishing the External Context is not only about considering the external environment, but also includes the relationship or interface between the organization and its external environment. This may include:

  • Business, social, regulatory, cultural, competitive, financial and political environment;
  • Community impact;
  • Health and Safety;
  • Media;
  • Legal and Regulatory obligations; and
  • External stakeholders/ key third party service providers.

Establishing the external context is important to ensure that stakeholders and their objectives are considered when developing risk management criteria and that externally generated threats and opportunities are properly taken into account.

Internal Context

An understanding of an organization is important prior to undertaking the risk and opportunity management process, regardless of the level. Areas to consider include:

  • Culture;
  • Strategic Plan and Drivers;
  • Annual business plan and annual budget;
  • Key Performance Indicators;
  • Occupational Health and Safety;
  • Governance; and
  • Internal stakeholders.

Step 7: Monitoring and Review

Risk and opportunity management is a dynamic process. New risks and opportunities will be identified and some will be removed or will be no longer valid. The assessments of likelihood and consequence will need to be reviewed, particularly in the light of the management actions undertaken and contingency arrangements will need to be updated in response to changing internal and external events.

Key strategic/corporate risks and opportunities are kept under regular review by the Management team and Managers regularly review operational risks/opportunities in line with the planning and budget management frameworks. It is critical that regular monitoring and review is undertaken by each business unit of critical activities and projects.

Any risks rated ‘Extreme’ or ‘High’ should be monitored on a regular basis to ensure that the rating assigned, controls identified, and treatment plans established remain valid.

Roles and Responsibilities

Key responsibilities as they relate to risk and opportunity are:

The organisation as a whole should:

  • Review and endorse its risk and opportunity management policy;
  • Ensure a framework is in operation that delivers a consistent approach to risk and opportunity management
  • Review Audit reports and monitor that effective risk management and controls have been implemented

Senior Management should:

  • Review reports from management, and the External Auditors
  • Perform a high level review of the organization’s risk management activities
  • Review the risk profile of the organization and ensure high level risks are suitably controlled and treated

The Chief Executive should:

  • Implement the Risk and Opportunity Management Policy and Framework across the organisation;
  • Ensure appropriate delegations are in place for staff to undertake risk management activities;
  • Ensure risk and opportunity management is embedded into all critical functions and activities across the organization.

Key Managers should:

  • Promote the adoption of the ISO 31000 Framework within their work areas;
  • Promote a proactive risk management culture in accordance with business risk management initiatives;
  • Monitor and lead the implementation of risk assessments appropriate to their work area in accordance with the framework and ensure that risks are identified and managed in their strategic planning, business planning and budget review process;
  • Ensure that proposed events and significant projects within their jurisdiction are not approved without a formal risk assessment that effectively identifies and manages the risks and opportunities associated with them.

Human Resources should:

  • Monitor, review and update the Framework across the organisation;
  • Provide leadership and guidance in the application of the Framework and associated tools;
  • Ensure suitable training is available in the use of the policy, framework and tools.

Supervisors should:

  • Ensure the adoption and operation of the Framework across their work areas
  • Ensure that risks and opportunities are identified, assessed and managed in accordance with the process outlined in the Framework
  • Promote a positive risk and opportunity management culture with their line personnel.

All personnel should:

  • Understand and apply the risk and opportunity management policy, framework and related procedures
  • Actively contribute to the management of risks and opportunities within the scope of their work
  • Report any risks identified to their manager or supervisor in a timely manner
