Risk frameworks are useful for organizations that require a clear roadmap for managing risk in their environments. The level of risk an organization deems acceptable (its risk profile or appetite) is shaped by internal mission commitments and by external drivers such as laws, regulations, and consumer expectations. This section considers frameworks that can serve as tools for aligning risks to the business mission.
ISO 31000:2018 is a guidance standard and is not intended for certification purposes. Implementing it does not, by itself, satisfy specific contractual or legal requirements related to risk assessments, risk reviews, and overall risk management. However, implementing and using the ISO 31000:2018 standard establishes a risk management framework and process that can assist in addressing organizational requirements and, most importantly, provides a structured and measurable risk management approach to support the identification of cloud-related risks. The guidance is organized around eight principles, five framework elements, and processes related to risk assessment and treatment.
Framework elements:
- Integration
- Design
- Implementation
- Evaluation
- Improvement
Amended and updated in 2018, ISO 31000:2018 sets out terms and definitions, principles, a framework, and a process for managing risk. It can be used by any organization regardless of its size, activity, or sector. Using ISO 31000:2018 can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.
Key updates include:
- Review of the principles of risk management, which are the key criteria for its success
- Highlighting of the leadership by top management and the integration of risk management, starting with the governance of the organization
- Greater emphasis on the iterative nature of risk management, noting that new experiences, knowledge and analysis can lead to a revision of process elements, actions, and controls at each stage of the process
- Streamlining of the content with greater focus on sustaining an open systems model to fit multiple needs and contexts
Similar to other ISO standards, it lists 11 key principles as a guiding set of rules to enable senior decision makers and organizations to manage risks:
- Risk management creates and protects value
- Risk management is an integral part of the organizational procedure
- Risk management is part of decision making
- Risk management explicitly addresses uncertainty
- Risk management is systematic, structured, and timely
- Risk management is based on the best available information
- Risk management is tailored
- Risk management takes human and cultural factors into account
- Risk management is transparent and inclusive
- Risk management is dynamic, iterative, and responsive to change
- Risk management facilitates continual improvement and enhancement of the organization
The foundation components of ISO 31000:2018 focus on designing, implementing, and reviewing risk management in an organization. The overarching requirement and core component of ISO 31000:2018 is management’s endorsement of and commitment to risk management, which establishes overall accountability and support.
Similar to the “plan, do, check, act” lifecycle for continuous improvement in ISO 27001:2013, ISO 31000:2018 requires that risk management be integrated and implemented as an “embedded” component of organizational activities rather than as a separate activity or function.
From a completeness perspective, ISO 31000:2018 covers the lifecycle from risk identification, analysis, and evaluation through to risk treatment. Performing each stage of this lifecycle should result in a proactive and measured approach to risk management, enabling management and business decision makers to make informed and educated decisions.