
INDUSTRIAL SECURITY UMSA

ISO 31001

The ISO 31001 standard is the standard related to risk management systems; in the previous 2008 edition it is referred to as the ISO 31000 standard, and the update is the ISO 31001 standard.
WHAT IS ISO 31000?
ISO 31000 outlines a family of standards for risk management, standards
codified by the International Organization for Standardization.
The global approach of ISO 31000 is not a management system; it is an
INTEGRAL part of the management of an organization. ISO 31000 is not prescriptive, has no
requirements for certification, and its basis is the reality of the organization:
Its internal/external context
Its objectives
Its existing practices
Its performance

ISO 31000:2018: the risk-based approach of management systems (ISO 9001:2015, ISO 14001:2015, ISO 45001)

The process establishes the context, defines the risk criteria, and performs a
structured risk assessment that identifies the appropriate treatment for the
risks, in order to improve the performance of the management system and of the organization
within the scope of its objectives.
Since ISO 31000 explicitly treats risk as an
emergent property of an organization, this standard reinforces the adaptive
capacity (including in extreme situations that threaten its existence) of
the organization as a whole (stakeholders, structure, organization,
resources, etc.).
The risk management process in ISO 31000 has the potential to generate
many risk treatment options, which opens the field for starting
business continuity planning and activities at all levels and
stages of the organization's strategy and operations.
WHAT IS ISO 31000:2018?

Page 1 | 6

It is the revision of ISO 31000:2009, so let us first look at what ISO 31000:2009 is.

ISO 31000:2009
SCOPE
The ISO 31000:2009 standard is intended to be applied and adapted by any
public or private company, community, association, group or individual. It is
important to clarify that this standard is not intended for certification;
rather, it provides guidelines for implementing an organizational culture
and can also be very useful for an ISO 9001:2015 management system.
DEFINITION OF RISK
The new definition abandons the engineer's view ("risk is the combination
of the probability of an event and its consequences") to link risk to the
objectives of the organization: "risk is the effect of uncertainty on
objectives".
THE 11 PRINCIPLES OF RISK MANAGEMENT
1. "Risk management creates and preserves value." Risk management
contributes tangibly to achieving the objectives and improving the performance of the
organization, through the review of its management system and its processes. It
tries to change the approach so as to visualize the world of potential
eventualities instead of focusing only on non-conformities that have already
occurred. It is a great step for the world of management.
2. "Risk management is an integral part of organizational processes." Risk
management must be integrated into the existing management system at both the
strategic and operational levels.
3. "Risk management is part of decision making." Risk management is a
decision aid for the options under discussion, for setting priorities and
selecting the most appropriate actions.
4. "Risk management explicitly addresses uncertainty." Through the
identification of potential risks, the organization can apply risk reduction
and risk financing tools with the aim of maximizing the chances of success
and minimizing the loss of opportunities.
5. "Risk management is systematic, structured and timely." Risk management
processes must be consistent throughout the organization to ensure the
effectiveness, relevance, consistency and reliability of the results.
6. "Risk management is based on the best available information." For risk
management to be effective, it is important to consider and understand all the
information available and relevant to an activity, recognizing the limitations of the
data and of the models used.
7. "Risk management is tailored." The risk management of an
organization must adapt to the available resources (personnel, finances and time)
as well as to its internal and external environment.
8. "Risk management takes human and cultural factors into account." Risk
management must recognize the contribution of individuals and cultural factors
to the achievement of the organization's objectives.
9. "Risk management is transparent and participatory." By involving the
relevant interested parties, internal and external, during the risk management
process, the organization recognizes the importance of communication and consultation in
the stages of risk identification, assessment and treatment.
10. "Risk management is dynamic, iterative and responsive to change." Risk
management must be flexible. The competitive environment requires the organization
to adapt to its internal and external context, especially when new
risks appear, certain risks change and others disappear.
11. "Risk management facilitates the continual improvement of the organization."
Organizations with mature risk management are those that
invest for the long term and demonstrate that they normally achieve their objectives.

MAIN CHANGES IN ISO 31000:2018

The structure

It is important to mention that in this version ISO aimed to deliver
a clear, objective and concise standard (only 16 pages), which already represents
a great difference compared with its predecessor from 2009.

The document, which is divided into four sections, at first glance presents
interesting structural changes:

Updated and simplified language within a renewed reference structure.
Emphasis throughout the standard on the leadership role of top management
and the responsibility it must assume to ensure that risk management
is integrated at all levels of the organization.
Greater attention to the dynamic and changing nature of risk management,
which demands that organizations assess their risks and
their impacts in light of new circumstances or factors in the external or
internal context, but also in response to feedback about gaps
detected in the current risk processes or in their associated controls.


MAIN CHANGES IN ISO 31000:2018 – REVIEWING THE STANDARD

The document, as we have noted, consists of 16 pages divided into 4
sections and presents the following novelties:
The introduction

It is now more concise and objective. It includes an image with diagrams that explain
the interrelationship between principles, structure and process. In the 2009 version
it seemed that the only goal of the introduction was to convince readers
that managing risks was something positive for the organization, a concept that, without
being erroneous, seems a little obvious.

Terms and definitions

At this point the reduction becomes even clearer. In the 2009 version there were 29
items, while the 2018 edition offers only 8. It is important to highlight
that the terms have not "disappeared"; only their mention is omitted, and if a
user wants to consult a term or definition present in the standard, they can
refer to ISO Guide 73, Risk management - Vocabulary.
Principles

There was also a reduction in the principles, which went from 11 in the
2009 version to 8 in the 2018 edition. Despite the reduction, the
essential concepts remain, as the absent principles have been
incorporated throughout the standard.
Structure

From this point on, the wording of the items has changed quite a bit, but without
many alterations in meaning. Even so, some ideas
gained more visibility than in the previous version:

Leadership positioning. As with other recently published ISO standards,
the leadership of top management is considered essential for the
assignment of responsibilities for activities and for the change of culture in the
organization, through its declaration of commitment.
Systemic supervision. The new edition of ISO 31000 specifies the
need to ensure that the systems for managing risks are in place and
operating effectively, acknowledging that these systems may or may not be
automated.
Organizational context. When analyzing the context of the organization, the
complexity of social networks and the dependency on other stakeholders are
included among the factors to consider.
Communication and consultation. Emphasis is placed on the importance of
communication and consultation with stakeholders in general. However,
the importance of developing improvements in information based on data
collected through consultations is also highlighted.
Implementation. The new formulation focuses on planning the
structure, the removal of explicit references to record keeping, and
compliance with the same legal requirements that were already present in the
previous version.
Processes

The risk management process involves the application of the policies and practices
aligned with what was defined during the structuring. At this point the
standard, like the previous one, describes some practical recommendations
as the necessary activities for the risk management process.

THE EMPHASIS IN THE 2018 VERSION OF ISO 31000

The 2018 edition emphasizes the dynamic nature of risk management. This
means that it is a task that requires constant re-evaluation and
change to be effective, as it is governed by cultural, technological,
market, legal and other factors.

This can occur differently at the various levels of the organization.

The guidelines for the identification, analysis and evaluation of risk have become
clearer in this new version, which makes it easier to understand how to do it.

However, the standard no longer specifies tools or methods, since
risk management must be aligned with the context of the organization, which
can use ISO 31010, a standard on risk assessment techniques, as a
reference.

The approach to documenting the risk management process and its
results is now more flexible, highlighting the need to assess the relevance
of the information and the cost-benefit relationship of creating, maintaining and
retaining documented information.

In the 2018 version there is no longer an annex explaining the attributes of
enhanced risk management, as there was in the previous edition. We can conclude that
ISO 31000 now has a more organizational or strategic tone and is
less detailed, probably because the authors believe that some
aspects have already matured in the majority of organizations, which makes
certain explanations, guidance or justifications unnecessary.

The main changes in ISO 31000:2018 reinforce the idea that risk management
is something intrinsic to the organization, through leadership, culture,
integration with processes and employee involvement.

CONCLUSIONS
Standardization within a company lays the foundations for the present and the future,
with the purpose of establishing an order for the benefit of all parties involved.
This standardization can be applied to any company and can be adapted
to the specific requirements of each organization. The application of standards
seeks to improve operation and efficiency in the use of resources,
which, when well managed, can lead to cost reduction.
