Entrepreneur
Risk is inherent to doing business. As a polymorphic phenomenon with both threatening and beneficial aspects, risk needs to be controlled through a systematic approach.
Here, I am going to explain risk management according to the guidelines of ISO 31000.
The consequences of risks often extend beyond you as an entrepreneur and may trigger catastrophic events beyond your imagination. Think of the 2008 global financial crisis, which initially seemed like just a default in the mortgage industry. What is critical is that you are the accountable person for the events triggered by the risks you own.
Entrepreneurs and startups assume that well-established business enterprises have enough resources and maturity to pursue systematic approaches in risk management or that this is beyond the capacity of startups. However, ISO standards are generic, meaning that businesses, regardless of their size or industry, can implement global best practices by tailoring them to fit their business practices.
What is risk?
There are different definitions of risk, but put simply, it means uncertainty. The level of risk in any dimension of your business initiative depends directly on how much information you have about that dimension.
Contrary to what people commonly assume, risk is not always a negative event. Risk can manifest as either a threat or an opportunity. Risk management is a continuous interplay between the knowns and unknowns.
The ultimate goal of any risk management program is to proactively decrease or increase the probability or impact of uncertain events — decreasing it in the case of a threat and increasing it in the case of an opportunity.
What is a risk management system?
We are living and doing business in a fast-paced, ever-changing era, and uncertainty is intrinsic to change.
Because this constant evolution brings emerging unknowns and their associated uncertainties, it is not effective to evaluate risks only at the initiation of a new endeavor or through periodic risk assessments.
The ever-changing world prompts us to adopt continuous risk management processes, which are enabled by the PDCA cycle in ISO standards.
The Deming PDCA cycle, in the context of an ISO-based risk management system, enables iterative progression from Planning (P) to Corrective Actions (A), ensuring continuous risk assessment, analysis and treatment, while enabling continual monitoring and improvement of the system as a whole.
Planning for implementation: Establish a product-based context
Planning for the implementation of a risk management system using ISO 31000 involves establishing the context of the system. As I mentioned, ISO standards are generic and can be adopted by any type of organization, regardless of its sector and business size.
What defines the context of the system is the purpose of your business. Your business scope and its associated attributes establish the context of the risk management system.
If you are a business organization that produces different types of products (goods or services) for various industries, the context of the risk management system should be limited to the boundaries of a specific product or industry.
Even for a single-product small business, it is more strategic to define the scope and boundaries of the system based on the product itself, rather than the business as a whole.
Identify interested parties and their requirements
Every business initiative is a structured response to market demand, whether it is untapped or presents opportunities for a more satisfactory solution than what competitors offer.
To appropriately address a market demand, a business organization must meet various requirements that extend beyond customer preferences.
While customer needs constitute one of the main requirements for a business, other critical requirements must also be justified in relation to customer needs. Fulfilling the business purpose requires meeting all the requirements specific to that product or business endeavor.
These include:
- Internal obligations to shareholders and employees
- External constraints in dealing with suppliers
- Regulatory requirements
These bodies have an interest in your business, and the existence and growth of your business depend on fulfilling their requirements. A successful business must balance all these requirements while ensuring market competitiveness.
These requirements are attributes of your business dimensions, and you will never achieve complete certainty for the various possible situations you may encounter while meeting these requirements.
The structured approach of ISO 31000 empowers you to maintain consistency in managing uncertainties related to your competency in fulfilling these requirements.
The integration of ISO 31000 into your business practices leads to:
- Identifying all interested parties
- Identifying the specific requirements of each identified body
- Mapping the attributes of each requirement to relevant business processes
“What if?” scenarios
“What if” scenarios come into play when you review probable events that you are uncertain about, assess the likelihood of their occurrence and evaluate their impact if they occur.
Reviewing “What if” scenarios helps you score probable events by multiplying their likelihood by their impact. The resulting scores allow you to prioritize the probable events. High-scoring events are the ones that qualify for further analysis and appropriate treatment.
Treatment: Risk control design
There are different types of treatments:
- Mitigation — where you decide to enhance the business procedure and process that would cause a probable event by implementing a control on it
- Acceptance — when you accept the risk by taking no action and putting it on a watch list until you get more information
- Transfer — where you share the risk in the form of a contract model like a joint venture or simply insurance, although the latter is tricky in risk ownership and accountability
For effectiveness, the ISO 31000 standard should be integrated into your targeted business processes, meaning that implementing ISO 31000 adds structure to those processes. Monitoring the management system for continual improvement ensures consistency between your business processes and the requirements of those interested in your business, and controls nonconformities by implementing corrective actions in the system.