The ISO 31000: Risk Management imperative

Govindarajan Srinivasan

We are all aware that pregnancy & childbirth involve certain risks, but these risks are managed with care by the parents and by trained professionals. The obstetrician addresses these risks by identifying, analysing, evaluating and treating symptoms at every stage of the pregnancy, drawing on their knowledge and a concrete plan of action. Similarly, the risks that an organisation faces need to be managed through a well-designed action plan that identifies, analyses, evaluates and treats all possible risks.

The process machine of an organisation never stops: it receives the required inputs, churns them through pre-determined activities and pushes out the desired output(s). If the process machine fails and the organisation is still found alive, it is probably living in a ‘zombie state’, merely counting the days of its existence.

The ISO 31000 risk management imperative is meant for the realistic implementation & maintenance of the ISO Management System Standards, be it health & safety, quality, information security, environment or business continuity, each of which has a distinct Management System Standard.

ISO 31000 is not meant for third-party certification, which means it is not audited by certification bodies for the purpose of third-party, audit-based certification. This makes it less attractive to the many organisations that do just what is needed as a baseline to get certified to one or other ISO Management System Standard. There are organisations that heave a sigh of relief when the third-party management systems auditor leaves a positive recommendation. In most cases, this shows only the auditor's satisfaction that a given management system is maintained at baseline maturity. A management system auditor does not issue a non-conformity report just because the organisation could not show objective evidence of ‘continual improvement’. Such improvement is possible only if the organisation raises itself to meet the rigours of increased or modified risks and the dangers latent in residual risks.

The new series of ISO Management System Standards, fashioned on ISO Annex SL, makes a mature risk management approach imperative for meeting even the baseline requirements of such standards. But most organisations, particularly in developing countries, try to do the bare minimum needed to pass through the certification audit gate. This minimalist approach tends to produce a shallow implementation of the management system standard's requirements.

‘Risk’ is the centrifugal force that can keep the implementation and maintenance of a Management System Standard pulsating by design. In fact, there is hardly an agenda that an organisation can pursue through the ISO Management System Standards it has implemented, if that implementation is not led by a robust ‘risk management approach’. An organisation with a cavalier risk management approach does not fear death by ignorance: it does not comprehensively know what risks it is in, and neither does it want to believe that a risk may even take it down into an abyss.

The principles and framework that form the core of the ISO 31000 standard have the potential to engage decision-makers and the implementation and maintenance teams, giving them a serious focus on unravelling the mystery that is ‘risk’, with all its dimensions unfolded. If risk is not recognised in letter & spirit, it has the potential both to deny the positive outcome and to leave the negative effects unwarded.

Unfortunately, there are plenty of organisations that suffer from a myopic vision, treating risk as something that has to do only with the financial aspects of their businesses. Such myopic vision only increases the organisation's blindness to risk realities when its Enterprise Risk Management (ERM) division lacks a serious, measured and transparent approach to factoring risk into the management of the business, through two-way communication with the different business and supporting divisions of the organisation, and thus enhancing and deepening the maturity of risk management across all of its functions. Paradoxically, most ERM function managers, and even the CROs of many organisations, do not understand ISO Management Systems and do not want to. This deepens the organisation's myopia, creating avoidable communication gaps between ERM and the business & supporting functions.

So the question is: has your organisation conducted a brainstorming session on pushing the positives of the ISO 31000 approach to managing risks with more maturity? After all, that maturity journey is never-ending and continues to throb as long as your organisation survives and thrives. The absence of a global risk management approach is simply an invitation for risks to slap our faces now and then, and that too when we are least guarded. It also has the potential to drown us once and for all. And yes, there is nothing in a business if the dynamics of risk are not managed, exploiting the opportunity that arises out of them to the benefit of the organisation.

Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views, official policy or position of GlobalLinker.