Implementing ISO 31000 with Risk Register

ISO 31000:2018 is a globally recognized standard that provides guidelines for effective risk management. Developed by the International Organization for Standardization (ISO), it aims to help organizations integrate risk management into their governance, strategy, and planning processes, thereby enhancing their ability to achieve objectives, improve performance, and encourage innovation. The standard is designed to be flexible and applicable to any organization, regardless of size, industry, or sector, and can be used throughout the organization's life cycle.

ISO 31000 outlines risk principles, an implementation framework, and a broad process for managing risk. This guide will show you how to implement ISO 31000 using Risk Register, a tool developed by ProjectBalm. The application is designed to help organizations manage risk systematically and effectively by integrating risk management practices into their Jira environment, and already has thousands of users. By following this guide, you will learn how to configure and utilize Risk Register by ProjectBalm to align with the principles and processes outlined in ISO 31000, ensuring a robust approach to risk management that supports your organizational goals.

Download Risk Register by ProjectBalm Today!

Principles of ISO 31000

Understanding the principles of ISO 31000 is crucial for effectively implementing risk management practices. These principles provide the foundation for integrating risk management into the organizational framework, ensuring it supports the achievement of objectives, improves performance, and encourages innovation. Following are the principles:

  1. Integrated: Risk management must be an integral part of all organizational activities, ensuring that it is embedded in the overall structure and functions of the organization. This principle means that risk management must not be an isolated activity but part of the organization's fabric.

  2. Structured and Comprehensive: A structured and comprehensive approach to risk management contributes to consistent and comparable results. This principle requires that risk management processes are methodical and thorough, covering all necessary areas to produce reliable outcomes.

  3. Customized: The risk management framework and process must be customized and proportionate to the organization’s external and internal context, and related to its objectives. Customization ensures that risk management practices are relevant and tailored to the specific needs and conditions of the organization. 

  4. Inclusive: This involves the appropriate and timely involvement of stakeholders which enables their knowledge, views, and perceptions to be considered. Inclusivity in risk management leads to improved awareness and informed decision-making by incorporating diverse perspectives.

  5. Dynamic: Risks can emerge, change, or disappear as an organization’s external and internal context changes. Risk management should anticipate, detect, acknowledge, and respond to these changes and events in a timely manner to remain effective. A risk management process that is bogged down by bureaucracy, for example, will be ineffective.

  6. Best Available Information: The inputs to risk management should be based on historical and current information, as well as future expectations. This principle emphasizes the importance of using accurate and timely information while acknowledging limitations and uncertainties.

  7. Human and Cultural Factors: Human behavior and culture significantly influence all aspects of risk management at each level and stage. Recognizing these factors, especially during implementation, ensures that risk management practices are realistic and aligned with the organization’s culture.

  8. Continual Improvement: Risk management should be continually improved through learning and experience. It is not enough to simply implement the process and then leave it to entropy. This principle emphasizes the importance of regularly updating and refining risk management processes to enhance their effectiveness over time.

Compliance Artifacts 

To ensure compliance with ISO 31000, several key artifacts need to be produced and maintained. These artifacts support the effective implementation and monitoring of risk management processes within the organization. Below is the list of essential artifacts, which you can store using Jira in conjunction with Risk Register by ProjectBalm.

  1. Risk Management Policy: A documented policy that outlines the organization's commitment to risk management, the objectives of risk management activities, and the scope of the risk management framework, together with the structure, processes, and procedures for managing risk within the organization. This includes guidelines for risk identification, assessment, treatment, monitoring, and review. We recommend this be stored in Confluence. See the next section for more information on this important document.

  2. Risk Register: A central repository for recording and tracking identified risks, their analysis, treatment plans, and monitoring status. The Risk Register should include information on risk sources, triggers, impacts, probabilities, and controls. Risk Register by ProjectBalm meets all of these requirements.

  3. Risk Treatment Plans: Detailed plans for addressing identified risks, including selected treatment options, actions to be taken, resources required, responsibilities, timelines, and monitoring mechanisms. Risk Register by ProjectBalm supports treatment plans.

  4. Monitoring and Review Reports: Various views and reports that enable you to monitor and publish risks and also view any changes to the risk or risk treatment plans. Risk Register by ProjectBalm supports table and heat map views, as well as a gadget that can be used to create complex Jira dashboards and various other reporting options. 

  5. Training Materials: Documentation and materials used for training staff and raising awareness about the organization's risk management policies, procedures, and their roles in the risk management process. User documentation for Risk Register by ProjectBalm can be found here. Tutorial videos can be found here.

By producing and maintaining these artifacts, your organization can demonstrate compliance with ISO 31000 and ensure a robust and effective risk management process. 


Risk Management Policy

The risk management policy is a critical document that establishes the foundation for an organization's approach to risk management. It ensures that risk management practices are aligned with the organization’s objectives, strategy, and culture. ISO 31000 emphasizes the importance of such a policy as part of a comprehensive risk management framework. You can store your risk management policy in Confluence. 

Why a Risk Management Policy is Necessary:

  1. Alignment with Organizational Objectives: The risk management policy ensures that all risk management activities are aligned with the strategic objectives of the organization. This alignment helps in achieving a unified direction and purpose in managing risks.

  2. Commitment and Accountability: A formal policy demonstrates the commitment of top management to risk management. It assigns clear roles and responsibilities, ensuring that everyone in the organization understands their part in the risk management process.

  3. Consistency in Risk Management Practices: The policy provides a standardized approach to risk management, ensuring consistency in how risks are identified, assessed, treated, monitored, and reviewed across the organization.

  4. Communication and Awareness: A documented policy facilitates communication and awareness about risk management practices within the organization. It serves as a reference point for employees and stakeholders, ensuring that everyone is informed about the risk management objectives and processes.

Components of an ISO 31000-Compatible Risk Management Policy:

  1. Purpose and Scope:

    • Clearly define the purpose of the risk management policy and its scope within the organization.

    • Specify which parts of the organization and which types of activities the policy applies to.

  2. Risk Management Objectives:

    • Outline the objectives of the risk management activities, such as protecting assets, ensuring business continuity, and supporting strategic goals.

  3. Risk Management Principles:

    • Include the principles of ISO 31000: integrated, structured and comprehensive, customized, inclusive, dynamic, based on the best available information, attentive to human and cultural factors, and continually improving.

  4. Roles and Responsibilities:

    • Define the roles and responsibilities of individuals and committees involved in the risk management process.

    • Ensure that top management’s commitment to risk management is clearly stated and that accountability is assigned at appropriate levels.

  5. Risk Management Process:

    • Describe the risk management process, including risk identification, risk assessment, risk treatment, risk monitoring, and review.

    • Provide guidelines on how each step should be carried out and documented.

  6. Risk Appetite:

    • Define the organization’s risk appetite and tolerance levels, indicating the amount and type of risk the organization is willing to accept.

    • Establish criteria for risk evaluation and prioritization.

  7. Monitoring and Review:

    • Specify how the risk management policy and framework will be monitored and reviewed to ensure effectiveness.

    • Include procedures for continuous improvement based on feedback and changing circumstances.

  8. Communication and Reporting:

    • Outline the communication plan for risk management activities, ensuring that relevant information is communicated to stakeholders in a timely and effective manner.

    • Describe the reporting requirements and formats for risk management activities and outcomes.

By developing a risk management policy that incorporates these components, organizations can ensure compliance with ISO 31000 and foster a culture of proactive risk management. This policy serves as a cornerstone for the organization’s risk management framework, guiding all risk-related activities and decisions.

Risk Register Set Up

Having created your risk policy, the next step is to set up Risk Register by ProjectBalm to support your new process.

Step 1: Set Up Risk Models

Risk models enable you to assess the risks within your organization. These models will reflect your organization's risk tolerance levels and help you make informed decisions about priority and treatment. Below are the steps to set up risk models in Risk Register by ProjectBalm:

Full explanations of the following screens, including screenshots, can be found here.

  1. Access Risk Models:

    • Navigate to the Risk Register settings in Jira.

    • Select "Risk models" from the settings menu.

  2. Create or Edit Risk Models:

    • Click on "Add a risk model" to create a new model or select an existing model to edit.

    • Define the risk model name and associate it with relevant projects.

  3. Set Impact and Probability Levels:

    • Customize the impact and probability levels to align with your organization's risk criteria.

  4. Configure the Risk Matrix:

    • Use the risk matrix to map out the risk levels resulting from different combinations of impact and probability.

    • Ensure the matrix accurately reflects your organization's risk tolerance by adjusting the cells to represent appropriate risk levels (e.g., Low, Medium, High, Critical).

  5. Define Risk Criteria:

    • Establish clear criteria for evaluating risks. This includes thresholds for acceptable risk levels and guidelines for prioritizing risks based on their severity. Record these in the descriptions of the impact and probability levels.

Step 2: Create Projects to Capture Risk Information

Having set up your risk models, you must create projects in Jira to capture risk information. There are two approaches to this, which can co-exist:

  1. Utilize Existing Jira Projects:

    • For project-based risks, you can use the existing Jira projects to capture risks related to those projects.

    • If required, integrate risk management into the project's workflow to ensure risks are identified and managed throughout the project lifecycle.

  2. Organizational Risk Register:

    • You can also create a dedicated Jira project to contain risks. 

    • This is often the preferred approach for organizational or enterprise risk management, but is also sometimes done for project-based risks.

Step 3: Set Up Issue Types to Capture Risk Information

Your organization must decide which issue type will hold risk information. While it is possible to use an existing issue type such as "Task," organizations most often choose to set up a dedicated risk issue type:

Create a Risk Issue Type:

  • Set up a new issue type in Jira called "Risk."

  • Set this as your primary risk type. This ensures that essential risk information such as impact, probability, and level will appear on the issue. 

  • Add fields for additional risk information you wish to include, such as description, assignee, priority, and so on.

Step 4: Define Project Access in Jira

Defining appropriate access levels is crucial for ensuring that only authorized personnel can view and manage risk information. This ensures the integrity and security of your risk management processes. This document provides detailed information about permissions in Risk Register by ProjectBalm. Below is a summary of the key information:

Role-Based Access Control:

  1. Global Administrator:

    • View and change application settings.

    • Add and change risk models.

    • Delete risk registers.

    • View and change risk register settings.

  2. Jira Administrator:

    • Create new projects and new risk registers based on those projects.

    • Assign global and project-specific roles and permissions.

  3. Project Administrator:

    • Create project-based risk registers if they have the necessary permissions.

    • View the list of risk registers for their projects.

    • Add, change, and remove risk assessments on issues.

  4. Risk Owners and Team Members:

    • Need the 'Edit issues' project permission to add, change, and remove risk assessments on issues.

    • Can view risk register settings if they have the appropriate permissions.

Specific Permissions Required:

  1. Creating Risk Registers:

    • Project-Based Risk Register: Requires 'Create risk registers' permission and either Global Administrator, Project Administrator, or 'Browse projects' permission.

    • Filter-Based Risk Register: Requires 'Create risk registers' permission and access to the specified filter.

  2. Viewing Risk Registers:

    • Risk registers will appear in the list if the user has the following permissions:

      • Project-Based Risk Registers: Global Administrator, Project Administrator, or 'Browse projects' permission.

      • Filter-Based Risk Registers: Permission to view the specified filter.

  3. Modifying Risk Registers:

    • To change risk register settings, users must be a Global Administrator or Risk Register Administrator.

    • Note: Settings for multi-project risk registers cannot be changed.

  4. Adding and Changing Risk Assessments:

    • Users need 'Edit issues' project permission to add, change, or remove risk assessments on issues.

Step 5: Create Risk Registers within the Projects

A risk register is a collection of risks that you can view. A risk register can be based on a project, in which case the register contains all of the risks in that project. However, it is also possible to create registers based on a filter. This is most commonly done in order to provide a multi-project view of the risks. Instructions for creating a risk register can be found here.


Risk Management Process

ISO 31000 endorses a general risk management process. The steps covered in this guide are risk identification, risk analysis and evaluation, risk treatment, recording and reporting, and monitoring and review.

Each step will be explained below, along with its implementation using Jira and Risk Register by ProjectBalm.

Risk Identification

The goal of risk identification is to recognize and describe risks that might help or hinder an organization in achieving its objectives.

Risk identification should take into account a variety of factors, including both tangible and intangible sources of risk, causes, events, vulnerabilities, capabilities, and changes in the external/internal context. It is also important to consider indicators of emerging risks, the nature and value of resources, and the potential impact on objectives. Additionally, the limitations of knowledge and the reliability of information, time-related factors, and biases, assumptions, and beliefs of those involved should be taken into account. Classic risk identification techniques can be found here.

Risk identification should be an ongoing process and integrated into the organization’s strategic and operational activities.

In project risk management, risk identification tends to happen at key stages such as during the project initiation phase, when developing project plans, at major milestones, and whenever there are significant changes to the project scope, resources, or environment. Regular risk reviews and updates are also conducted throughout the project lifecycle to capture new risks and reassess existing ones as the project evolves.

In organizational risk management, risk identification typically occurs during strategic planning sessions, annual reviews, and when there are changes in the external or internal business environment. This includes during mergers and acquisitions, entering new markets, launching new products or services, and changes in regulatory landscapes. 

Configuration in Risk Register:

Risk Analysis and Evaluation

Risk analysis involves a detailed consideration of the identified risk, including uncertainties, sources, relevant events, controls, impacts, and probabilities. The goal is to record all of this information in the risk issue, especially the impact and probability. 

Risk evaluation takes all of this information and assigns a risk level according to predetermined criteria. In Risk Register by ProjectBalm, the risk level is automatically calculated using the defined risk model, and so the analysis and evaluation steps have been combined in this guide. 

Configuration in Risk Register:

Note that ISO 31000 refers to Risk Identification, Analysis, and Evaluation collectively as Risk Assessment. 

Risk Treatment

The risk treatment process involves selecting and implementing measures to address risks identified during the risk assessment phase. ISO 31000 requires this to be an iterative process of formulating risk treatment options, implementing risk treatment, assessing the effectiveness of the treatment, and deciding whether the remaining risk is acceptable. If the remaining risk is not acceptable, further treatment is required. 

Typical risk treatments include: 

  • Avoiding the risk.

  • Reducing the probability of the risk through mitigation.

  • Reducing the impact of the risk through mitigation.

  • Transferring the risk to another entity.

  • Accepting the risk.

Risk treatment should be guided by the organization’s risk management policy, which should outline the criteria for selecting risk treatment options, the approach to implementing treatment plans, and the process for monitoring and reviewing the effectiveness of the treatments. The policy should ensure that risk treatment decisions are aligned with the organization’s objectives and risk appetite.

Treatment plans can be complex, with multiple steps that must be planned, implemented, and tracked. More information on risk treatment can be found here.

Configuration in Risk Register:

  • Risk Treatment Plans:

    • Create Jira issues for each risk treatment plan. Use of the “Task” issue type is common, but some organizations choose to create a specific “Treatment” issue type. 

    • Document the selected treatment options, including the rationale for selection, and expected benefits.

    • Create detailed action plans within Jira issues, assigning tasks, setting deadlines, and specifying required resources.

    • Link the treatment plans to the relevant risk. 

  • Monitoring and Review:

    • Use the risk register table to track the progress of risk treatment plans.

    • Regularly update the status of risk treatments and assess their effectiveness.

  • Residual Risk Assessment:

    • Evaluate the remaining risk after treatment has been applied.

    • Document whether the residual risk is acceptable.

    • If further treatment is needed, create and link a new treatment plan.
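As an added worked example (not code from Risk Register by ProjectBalm, nor from ISO 31000), the following Python models what the risk model configured in Step 1 and the treatment loop described above do: ordinal probability and impact scales, a matrix that maps each pair to a level, treatments that lower probability or impact only once implemented, and a check of the residual level against a tolerance threshold. The scale labels, matrix cells, the "Medium" tolerance, the issue keys and the sample risk and treatments are all assumptions constructed for illustration; an organization records its own in its risk model.

```python
"""Risk matrix evaluation and residual-risk check.

Added example, not code from Risk Register by ProjectBalm. The scales,
matrix cells, tolerance and the sample risk/treatments below are assumptions
constructed for illustration; an organization records its own in its risk model.
"""
from dataclasses import dataclass, replace

# Assumed 1..5 ordinal scales, as an organization would define them in a risk model.
PROBABILITY = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}
LEVELS = ["Low", "Medium", "High", "Critical"]  # ordered least to most severe

# Assumed risk matrix: MATRIX[probability][impact - 1] -> level.
# Deliberately asymmetric: a rare but severe event outranks a likely but negligible one.
MATRIX = {
    1: ["Low", "Low", "Low", "Medium", "High"],
    2: ["Low", "Low", "Medium", "Medium", "High"],
    3: ["Low", "Medium", "Medium", "High", "Critical"],
    4: ["Low", "Medium", "High", "Critical", "Critical"],
    5: ["Medium", "High", "Critical", "Critical", "Critical"],
}


def risk_level(probability: int, impact: int) -> str:
    """Evaluate a (probability, impact) pair against the matrix; reject off-scale values."""
    if probability not in PROBABILITY or impact not in IMPACT:
        raise ValueError(f"off-scale assessment: probability={probability}, impact={impact}")
    return MATRIX[probability][impact - 1]


@dataclass(frozen=True)
class Risk:
    key: str          # hypothetical Jira issue key
    summary: str
    probability: int
    impact: int

    @property
    def level(self) -> str:
        return risk_level(self.probability, self.impact)


@dataclass(frozen=True)
class Treatment:
    key: str          # hypothetical Jira issue key of the linked treatment task
    summary: str
    probability_reduction: int = 0   # how many scale steps the treatment removes
    impact_reduction: int = 0
    implemented: bool = False        # planned treatments do not lower the residual


def residual_risk(risk: Risk, treatments: list[Treatment]) -> Risk:
    """Apply only implemented treatments; a scale never drops below 1."""
    done = [t for t in treatments if t.implemented]
    p = max(1, risk.probability - sum(t.probability_reduction for t in done))
    i = max(1, risk.impact - sum(t.impact_reduction for t in done))
    return replace(risk, probability=p, impact=i)


def within_tolerance(level: str, tolerance: str) -> bool:
    """True when the level is at or below the organization's tolerance threshold."""
    return LEVELS.index(level) <= LEVELS.index(tolerance)


def evaluate(risk: Risk, treatments: list[Treatment], tolerance: str = "Medium") -> dict:
    """One pass of the treatment loop: inherent level, residual level,
    whether the residual is acceptable, and which treatments are still open."""
    res = residual_risk(risk, treatments)
    return {
        "key": risk.key,
        "inherent": risk.level,
        "residual": res.level,
        "acceptable": within_tolerance(res.level, tolerance),
        "open_treatments": [t.key for t in treatments if not t.implemented],
    }


# Constructed sample: an unpatched internet-facing appliance rated Likely x Severe.
SAMPLE_RISK = Risk("RISK-1", "Unpatched internet-facing VPN appliance", probability=4, impact=5)
SAMPLE_TREATMENTS = [
    Treatment("TREAT-1", "Apply vendor patch", probability_reduction=2, implemented=True),
    Treatment("TREAT-2", "Segment appliance from internal network", impact_reduction=2),
]


def worked_example() -> tuple[dict, dict]:
    """First pass: patch applied, segmentation pending. Second pass: both implemented."""
    first = evaluate(SAMPLE_RISK, SAMPLE_TREATMENTS)
    second = evaluate(SAMPLE_RISK, [replace(t, implemented=True) for t in SAMPLE_TREATMENTS])
    return first, second


if __name__ == "__main__":
    for passno, result in enumerate(worked_example(), start=1):
        verdict = "acceptable" if result["acceptable"] else "further treatment required"
        print(f"pass {passno}: inherent={result['inherent']} residual={result['residual']} "
              f"-> {verdict}; open={result['open_treatments']}")
```

Running the file shows the iteration ISO 31000 calls for: after the patch alone the residual is still High against a Medium tolerance, so the open segmentation treatment stays linked and the risk is re-evaluated once it is implemented. In Jira the same data lives on the risk issue (probability, impact, level) and its linked treatment issues, with the level computed by the configured risk model rather than by a script.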

Recording and Reporting

The purpose of recording and reporting is to communicate risk management activities and outcomes throughout the organization, facilitating transparency, accountability, and informed decision-making. Proper documentation and communication ensure that all stakeholders are aware of the risks, the decisions made to address them, and the outcomes of those actions.

ISO 31000 emphasizes that all aspects of the risk management process should be recorded and reported appropriately to ensure clarity, consistency, and alignment with organizational objectives. This includes documenting all risk analysis, decisions, reasons for decisions, treatments, outcomes, and any other relevant information.

Risk Recording

Recording involves documenting all stages of the risk management process, from risk identification to treatment and monitoring. Accurate records are vital for auditing purposes, continual improvement, and compliance with internal and external requirements.

Configuration in Risk Register:

The recording of information in Risk Register has been fully described in the process steps above, but following is a summary:

  • Risk Register Entries: Ensure that each identified risk is recorded in the Risk Register with detailed information, including risk description, sources, potential impact, probability, and assigned risk owners. 

  • Risk Assessments: Document risk assessments, including inherent and residual risk levels, in the Risk Register, using the risk assessment panel within Jira to record probability, impact, and risk level.

  • Treatment Plans: Record the details of risk treatments, including the selected options, implementation plans, and assigned responsibilities. Treatment plans should be linked to the corresponding risks within the Risk Register.

  • Change Logs: Utilize Jira's history logs and the custom risk history to track changes to risk assessments, treatments, and decisions. This ensures a transparent audit trail, which is crucial for accountability and continuous improvement.

Risk Reporting 

Reporting is the process of communicating risk management information to relevant stakeholders. Effective reporting ensures that decision-makers have the information they need to manage risks effectively and that all stakeholders are informed about the risk landscape and the measures being taken to address risks. 

Configuration in Risk Register:

Monitoring and Review

The goal of monitoring and review is to ensure and enhance the quality and effectiveness of the process implementation and outcomes. Continuous monitoring and regular review of the risk management process and its results should be an intentional component of the risk management framework, with clearly assigned responsibilities. 

Continuous monitoring involves the ongoing observation of how the risk management process is functioning. This includes assessing whether the process is being followed correctly, identifying any deviations from the established procedures, and ensuring that the process remains aligned with the organization’s strategic objectives.

Regular reviews involve periodic assessments of the risk management process to evaluate its effectiveness and identify opportunities for improvement. These reviews should examine the overall process design, the quality of its implementation, and the outcomes it produces.

Configuration in Jira:

  • Process Dashboards: Utilize Jira dashboards to monitor the health and effectiveness of the risk management process itself. Dashboards can display metrics such as the issue completion rate, created vs resolved, and time in status, providing a clear view of how well the process is being executed.

  • Review Schedules: Establish regular schedules for reviewing the risk management process. These reviews should involve key stakeholders and focus on assessing whether the process is meeting its objectives and producing the desired outcomes.

  • Audit Logs: Use Jira’s history logs and the risk history logs to audit the execution of the risk management process, including compliance with established procedures, timelines, and responsibilities. This helps to ensure that the process is being followed as intended and provides a basis for identifying areas for improvement.

Monitoring and review are essential for driving continuous improvement in the risk management process. By regularly evaluating the process, organizations can identify inefficiencies, gaps, and opportunities to enhance the process, ensuring it remains effective and aligned with evolving organizational needs.

