The final stage of a successful risk management strategy that follows the ISO 31000 framework is monitoring and reviewing risk criteria, analysis, treatment, and the framework itself.
A comprehensive risk strategy involves continuous evaluation as the organisation evolves. It could be that reviews are performed annually, monthly, or weekly – it’s up to the leadership to determine the review and reporting requirements of the accountable individuals involved in delivering and monitoring risk processes.
In the final part of our blog series on ISO 31000, we look at clauses 6.6 and 6.7 and how to monitor and review the risks you have identified within your organisation.
Clause 6.6: Monitor and review the risk
As with all Standards within the higher Annex SL framework, the concept of Plan, Do, Check, Act applies to the risk management strategy an organisation creates under ISO 31000. An integral part of ensuring continuous quality and improvement in process, efficiency, and output is to monitor strategic goals and performance on a regular basis.
When a risk has changed, for example, an external factor such as the exchange rate has impacted upon trade, the risk treatment needs review. However, the whole risk strategy needs to be considered as a constantly evolving element as the objectives of an organisation change over time.
A review process should include all stakeholders, internal and external, to ensure a holistic input into the ongoing shaping of the risk management processes.
Clause 6.7: Recording and Reporting
Once you monitor and review the risk, the risk management process needs to be recorded and reported to:
- Ascertain the organisation’s stance on risk culture, appetite, and tolerance
- Communicate effectively to all stakeholders at key stages
- Deliver clear data on the effectiveness of risk treatment plans
- Improve engagement with stakeholders and draw on feedback
- Provide valuable information for decision making across the organisation
Reporting timeframes and performance metrics are to be determined at an early stage of the strategy development, to manage expectations of stakeholders and ensure timely and appropriate information gathering.
Reports should consider information such as the audience type, data sensitivity, and how the data relates to overall objectives and goals of the organisation.
That’s it! You’ve come to the end of your ISO 31000 Toolkit.
Now that you understand the importance of monitoring and reviewing risk, find out how one of our customers use our risk management software to manage data.