Risk and Opportunity Management
Risk-based thinking is an important new concept that has been brought to the fore of management system planning in all international ISO standards, based on the new high-level structure (Annex SL). Risk-based thinking makes preventive action part of strategic and operational planning and builds the concept of risk into the whole management system. Along with risk-based thinking, continual improvement requires the organisation to also identify and address opportunities for improvement within the Management System.
Risk and opportunity can be defined as “something happening that may have an impact on the achievement of objectives”. Risk and opportunity management is the process whereby an organisation’s management team and operational managers methodically address the risks and opportunities attached to their activities, with the goal of achieving sustained benefit within their operations and of assessing the portfolio of all activities. This process should be consistent with the international risk management standard ISO 31000:2018.
ISO 31000:2018, published in 2018, represents the latest developments in risk management. ISO 31000 assists organisations in achieving their objectives by improving the identification of threats and opportunities and the allocation of resources for risk treatment. An often overlooked companion, ISO 31010:2019, describes the individual risk assessment techniques.
What is required to ensure successful implementation of risk and opportunity management steps?
The organisation should:
- Review and endorse its risk and opportunity management policy.
- Review audit reports and ensure that effective risk management and controls have been implemented.
- Ensure a framework is in operation that delivers a consistent approach to risk and opportunity management.
Senior Management should:
- Review reports from management and external auditors.
- Review the risk profile of the organisation and ensure high-level risks are suitably managed and treated.
- Conduct a high-level review of the organisation’s risk management activities.
Key Managers should:
- Promote the implementation of the ISO 31000 framework within their work areas.
- Promote a culture of proactive risk management.
- Monitor and lead the implementation of risk assessments, as appropriate to their work area and in accordance with the framework implemented.
Risk management is critical: the risks affecting an organisation not only have consequences for its economic performance and professional reputation but may also have broader environmental, safety and societal outcomes. Organisations must, therefore, perform due diligence in managing their risks and opportunities.