
20 Key Questions to Ask about ISO 31000: 2009 Risk management principles & guidelines

1. What are the specific measurable performance goals, measures and targets that will be used to demonstrate the achievement of objectives and the improvement of organisational and individual performance?

2. Have all significant internal and external risks linked to objectives been identified, assessed, treated and reported?

3. Is risk management viewed by management as an integral part of management and their responsibilities?

4. Is risk management tailored and embedded in all the organisation's culture, practices and processes (esp. policy development, business and strategic planning) in a way that is adequate, relevant, effective and efficient?

5. Does all decision making at all levels of the organisation involve the explicit consideration of the positive and negative effects of uncertainty on objectives, based on the best available information?

6. Are there communication and consultation plans, and reporting and escalation mechanisms, in place to support and encourage individual accountability for risk, and timely and adequate reporting of risk?

7. Are appropriate mechanisms in place to provide Management and the Board with consistent, comparable, accurate, timely and reliable results on the organisation's performance against its strategy and objectives, the underlying causes of any performance variance, and any changes in the internal/external environments or risk factors which would cause them to consider altering the organisation's strategy and objectives?

8. Are the organisation's risk management context and risk criteria based on organisational objectives, and on the external and internal context?

9. Are there comprehensive, fully defined and fully accepted accountabilities for risks, controls and risk treatment tasks for all individuals and committees at all levels of the organisation?

10. Have those accountable for the development, implementation and maintenance of the framework for managing risk been identified?

11. Have the responsibilities of people at all levels in the organisation who are responsible for the risk management process been identified?

12. Is there appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organisation?

13. Does the organisation constantly monitor and evaluate changes in its external and internal environment and their impact on strategy and objectives, and on risk management practices?

14. Is there a periodic review to determine whether the risk management framework, policy and plan are still appropriate, given the organisation's external and internal context?

15. Is risk and risk management performance assessment, assurance and reporting an integral part of organisational performance assessment, measurement and reporting?

16. Are designated individuals appropriately skilled, and do they have adequate resources (e.g. tools, templates and information) to assess and improve controls, monitor risk, implement risk treatments and communicate effectively about risk and its management to external and internal stakeholders?

17. Does the organisation have communication and training programs on risk management that include creating awareness of risk, promoting a risk-aware culture, having a common plain-language understanding of the term "risk" and the risk management process, and providing guidelines on policies, plans and procedures for individual employees?

ISO 31000 Principles 20 Questions to Ask patrickow@gmail.com Page 1 of 5

18. Does the organisation have a system in place to ensure the adequacy, effectiveness and efficiency of controls, designed to provide reasonable assurance regarding the achievement of objectives?

19. Does all decision making at all levels of the organisation involve the application of the risk management process to some appropriate degree, within the appropriate risk tolerance limits?

20. Is risk management regarded by everyone as essential for the achievement of objectives?


Annex A provides further advice for organisations wishing to manage risk more effectively.

A.3.1 Continual improvement

An emphasis is placed on continual improvement in risk management through the setting of organisational performance goals, measurement, review and the subsequent modification of processes, systems, resources, capability and skills. This can be indicated by the existence of explicit performance goals against which the organisation's and individual manager's performance is measured. The organisation's performance can be published and communicated. Normally, there will be at least an annual review of performance and then a revision of processes, and the setting of revised performance objectives for the following period. This risk management performance assessment is an integral part of the overall organisation's performance assessment and measurement system for departments and individuals.

1. Is risk and risk management performance assessment, assurance and reporting an integral part of organisational performance assessment, measurement and reporting?


A.3.2 Full accountability for risks

Enhanced risk management includes comprehensive, fully defined and fully accepted accountability for risks, controls and risk treatment tasks. Designated individuals fully accept accountability, are appropriately skilled and have adequate resources to check controls, monitor risks, improve controls and communicate effectively about risks and their management to external and internal stakeholders. This can be indicated by all members of an organisation being fully aware of the risks, controls and tasks for which they are accountable. Normally, this will be recorded in job/position descriptions, databases or information systems. The definition of risk management roles, accountabilities and responsibilities should be part of all the organisation's induction programmes. The organisation ensures that those who are accountable are equipped to fulfil that role by providing them with the authority, time, training, resources and skills sufficient to assume their accountabilities.

2. Are designated individuals appropriately skilled, and do they have adequate resources (e.g. tools, templates and information) to assess and improve controls, monitor risk, implement risk treatments and communicate effectively about risk and its management to external and internal stakeholders?

3. Does the organisation have communication and training programs on risk management that include creating awareness of risk, promoting a risk-aware culture, having a common plain-language understanding of the term "risk" and the risk management process, and providing guidelines on policies, plans and procedures for individual employees?

4. Does the organisation have a system in place to ensure the adequacy, effectiveness and efficiency of controls, designed to provide reasonable assurance regarding the achievement of objectives?

A.3.3 Application of risk management in all decision making

All decision making within the organisation, whatever the level of importance and significance, involves the explicit consideration of risks and the application of risk management to some appropriate degree. This can be indicated by records of meetings and decisions to show that explicit discussions on risks took place. In addition, it should be possible to see that all components of risk management are represented within key processes for decision making in the organisation, e.g. for decisions on the allocation of capital, on major projects and on re-structuring and organisational changes. For these reasons, soundly based risk management is seen within the organisation as providing the basis for effective governance.

5. Does all decision making at all levels of the organisation involve the application of the risk management process to some appropriate degree, within the appropriate risk tolerance limits?


A.3.4 Continual communications

Enhanced risk management includes continual communications with external and internal stakeholders, including comprehensive and frequent reporting of risk management performance, as part of good governance. This can be indicated by communication with stakeholders as an integral and essential component of risk management. Communication is rightly seen as a two-way process, such that properly informed decisions can be made about the level of risks and the need for risk treatment against properly established and comprehensive risk criteria. Comprehensive and frequent external and internal reporting on both significant risks and on risk management performance contributes substantially to effective governance within an organisation.

A.3.5 Full integration in the organisation's governance structure

Risk management is viewed as central to the organisation's management processes, such that risks are considered in terms of the effect of uncertainty on objectives. The governance structure and process are based on the management of risk. Effective risk management is regarded by managers as essential for the achievement of the organisation's objectives. This is indicated by managers' language and important written materials in the organisation using the term uncertainty in connection with risks. This attribute is also normally reflected in the organisation's statements of policy, particularly those relating to risk management. Normally, this attribute would be verified through interviews with managers and through the evidence of their actions and statements.

6. Is risk management regarded by everyone as essential for the achievement of objectives?

