ISO 31000 Compliance – Risk Management
Cloud processing and outsourcing add external risks to a business's operations. The International Standards Organization (ISO) has published a standard for risk management that needs to be considered when embarking on a cloud processing and/or outsourcing initiative.
ISO 31000 provides principles, a framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector. Using ISO 31000 can help organizations increase the likelihood of achieving their objectives, improve the identification of opportunities and threats, and allocate and use resources for risk treatment effectively.
ISO 31000 cannot be used for certification purposes, but it does provide guidance for internal or external audit programs. Organizations using it can compare their risk management practices against an internationally recognized benchmark, which provides sound principles for effective management and corporate governance.
A risk management policy should include the following sections:
- Risk management and internal control objectives
- Statement of the attitude of the organization to risk
- Description of the risk-aware culture or control environment
- Level and nature of risk that is acceptable
- Risk management organization including policies and procedures
- Details of procedures for risk recognition and ranking
- List of documentation for analyzing and reporting risk
- Risk mitigation requirements and control mechanisms
- Allocation of risk management roles and responsibilities
- Risk management training topics and priorities
- Criteria for monitoring and benchmarking of risks
- Allocation of appropriate resources to risk management
- Risk activities and risk priorities for the coming year