ISO 31000

ISO 31000 is the international management standard for the principles and guidelines for risk management. It recommends implementing a framework to integrate the process for managing risk into an organization’s overall governance, policies, values and culture. It outlines a simple framework and describes the processes to implement that framework and the principles that define it.

The principles are rules to follow that make risk management effective. These 11 principles guide organizations in recognizing that risk management helps decision-makers make informed choices; prioritizing actions; and distinguishing among alternative courses of action. An underpinning is that risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed. Additionally, the principles stress that risk management needs to be based on the best available information and that it should take human and cultural factors into account.

While each of these is important, this paper focuses on how risk can be integrated into an organization’s decision making process. Management is an information processing activity. It involves gathering, processing and disseminating information. The right information, in the right form, at the right time is needed to make decisions. In the context of decision-making, it is easy to see the impact of risk in terms of uncertainty. Making decisions despite significant degrees of uncertainty is what one does when buying lottery tickets, for example. This is more commonly known as guessing, and guessing is not a good approach to corporate decision making. Effective decision-making requires facts, not gut feel.

Internal and External Risks

Although risk is everywhere, that does not make it bad. It just means we need to acknowledge its existence and decide how much risk we need to manage. Understanding the potential impacts of unplanned events allows us to assess the degree to which we need to manage both the possible occurrence of the event and the degree to which it causes impacts.

Internal risks can be broadly classified into types that relate to doing work (i.e., scope, schedule, cost), but they can go beyond that to include cultural, policy, environmental and other risks, although these tend to be factors that influence schedule, scope and cost. External risks vary depending on many factors based on the type of organization (public, private, regulated, unregulated), geography, centralization, environment, markets, legislation and other factors.

Whatever the source of risk, it is normal for many organizations to assess risk by looking at the combination of probability of occurrence and level of impact for each risk. This can be modeled using a spreadsheet, or it can be subject to Monte Carlo simulation to analyze the impacts of variations within the system, or it can be analyzed via various other industry-based techniques.

Risk Tolerance

Our risk tolerance drives the extent to which we manage risk. The risk tolerance levels of the organization and external parties also must be considered. If the risk is deemed unacceptable after mitigation, then more mitigation is warranted until the cost of prevention outweighs the liabilities. Depending on the nature of the liabilities, different organizations may have very different tolerances. Risk tolerance is an organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives, according to ISO Guide 73:2009. In ISO 31000, this is referred to as risk attitude and is described as an organization’s approach to assess and eventually pursue, retain, take or turn away from risk. The risk that remains after mitigation is residual risk.

Risk & Review Topics

Risk Assessment and Management
Risk is increasingly involved as a component of organizational decision-making. Risk management needs to be ubiquitous within the organization, so that negative impacts can be reduced and opportunities can be leveraged in decisions at all levels. While risk probabilities are often classified in qualitative terms such as low, medium and high, another factor often incorporated is criticality. The combination of probability and criticality can be used relatively easily to establish decision-making priorities for assets. Risk management is integral to decision-making and thus affects all parts of the asset management framework. Risk management and assessment therefore is represented in the policies and processes for identifying, quantifying and mitigating risk and exploiting opportunities, as explicated in IAM’s “Asset Management — an Anatomy” version 3.

Contingency Planning and Resilience Analysis
This topic gained much attention in 2020 as organizations attempted to deal with the impacts of COVID-19. Resilience is defined as an ability to recover from or adjust easily to misfortune or change. It is described by the National Infrastructure Advisory Council (NIAC) as the ability to reduce the magnitude and/or duration of disruptive events. The NIAC also states that the effectiveness of a resilient infrastructure or enterprise depends upon its ability to anticipate, absorb, adapt to and/or rapidly recover from a potentially disruptive event. One way to improve resilience is through contingency planning. This area focuses on the processes and systems to see that an organization can continue to operate its assets to deliver the required level of service in the event of an adverse impact or maintain the safety and integrity of the assets, whether or not they are operating.

Asset Performance and Health Monitoring
Asset performance and health monitoring describes the processes and measures used by an organization to assess the performance and health of its assets using performance indicators. The indicators can be leading or lagging, and they may allow for the prediction of future asset performance and health as well as the assessment of current or historic performance. The term asset health is used in relation to measures that monitor the current (or predicted) condition or capability of an asset (or asset system) to perform its intended function by considering potential modes of failure. Clear criteria are required to understand when there is a deviation between the predicted and actual performance for an asset such that the need for appropriate remedial action can be evaluated. It is important that measures and associated targets align to the organization’s asset management objectives and strategy as described in a strategic asset management plan (SAMP) and provide feedback on, and understanding of, the assets. The SAMP defines the desired current performance, level of service and condition of assets.

Stakeholder Engagement
A stakeholder is a person or organization with a vested interest in an organization’s operations and performance. Stakeholders typically include investors, employees, customers, suppliers, communities, governments, regulators and others. Stakeholders hold an interest in outcomes, so if the outcomes are at risk, stakeholders are exposed to risk.

Stakeholder engagement is a critical but often undervalued activity. Often this involves finding ways to explain an organization’s plans and/or activities to its stakeholders rather than seeking input and directly engaging with them. The IAM describes this subject simply as the methods an organization uses to engage with stakeholders, but despite a simple definition, it is not a simple topic. Stakeholders include parties both internal and external to the organization. Potentially, each stakeholder can have an impact on how an organization performs, although some impacts are more obvious and more direct. The interests and expectations for an organization’s plans and activities may also vary or be directly in conflict between different stakeholders. Stakeholder engagement should support the effective management of assets, including incentives and processes for employees.

Management of Change
Ideally, asset management embraces continuous improvement, which means changing the way that things are done to make improvements. But if organizations are continually changing, the need to understand the impacts of those changes, communicate the changes and remove barriers becomes a core competency. This is what management of change involves. It is focused on technical changes and proactive elimination of risk associated with change, and it overlaps with configuration management. Change management, on the other hand, is focused on people and — as noted by the IAM — people do asset management.

In a world where the rate of change is increasing, both the management of change and change management will require increased focus for effective asset management organizations. In short, value comes from what gets used, not from what gets designed or built. Asset management is the coordinated activity of an organization to realize value from assets. Change is an instrumental part of those coordinated activities.

Other Risk & Review Topics

Sustainable Development
Sustainable development reflects the goal of making asset management enduring, not a one-off project that then slowly diverges from its original drivers. It also incorporates environmental, social and economic aspects to determine activities to undertake. This requires an organization to take a long-term view of its asset management activities. Every organization should strive to make strong, smart and sustainable capital investments. Sustainable development is the interdisciplinary, collaborative process used by an organization to maintain an enduring, balanced approach to economic activity, environmental responsibility and social progress.

Asset Management System Monitoring
Asset management system (AMS) monitoring should not be overlooked. Developing an AMS helps organizations define their requirements for asset management, and the AMS reflects the processes, information, people, tools and resources to carry out those requirements. Like any process or system, it must be monitored to see that it is meeting its objectives. This area focuses on the processes and measures used by an organization to assess the performance of the systems it deploys. The aim is to evaluate the extent to which the AMS is fit for its purpose and whether the organization is achieving its asset management objectives.

Management Review, Audit and Assurance
This category, while similar to AMS monitoring, represents a review by top management of the information gathered from monitoring the AMS. It thus represents an organization’s processes for reviewing and auditing the effectiveness of its asset management processes and AMS. These reviews focus on both internal and external changes that may require adapting the AMS, and they provide visibility into asset management activities for top management.

Asset Costing and Valuation
This subject evaluates financial aspects such as asset value, accounting codes and financial reporting. For large organizations operating across multiple states, countries or other jurisdictions, this will involve harmonizing levels of internal reporting and valuation while supporting varying requirements.

Each organization needs to define processes for capturing as-built, maintenance and renewal unit costs, as well as the methods used by the organization for valuing and depreciating its assets. This includes verifying that the quality of financial information is appropriate for the organization’s financial reporting framework. This subject can become very complicated very quickly, but adhering to generally accepted accounting principles (GAAP) can help improve transparency in financial statements.

Conclusion

The Risk & Review group of subjects in the IAM’s conceptual model contains the largest number of subjects of any group. Although some have described the model as comprising leftovers that did not neatly fit into the other five groups, there is sound logic for grouping these subjects together. Each represents areas of risk or topics that require careful review.