Risk Management: Writing an ISO-Compliant Risk

A poorly written risk is usually easy to spot. It sounds like a worry, a weakness, or a control failure: “Poor system performance,” “lack of staff training,” “non-compliance,” “cybersecurity issue.” These may all be important matters, but they are not risks.

ISO 31000 defines risk as the “effect of uncertainty on objectives.” That compact definition changes the whole discipline. Risk is not just something bad that might happen; rather, it is the relationship between an objective, uncertainty, and the consequences that may follow. ISO 31000 provides principles, a framework, and a process for managing risk, and is designed to be used by organisations of any size or sector. 

The first requirement of an ISO-compliant risk is an objective. A project may face uncertainty about supplier capacity; a business unit may face uncertainty about regulatory change; a board may face uncertainty about market confidence. But the risk only becomes meaningful when we can say what objective is affected: revenue growth, service continuity, safety, compliance, delivery time, reputation, or strategic positioning.

The second element is the risk source: the underlying element that can give rise to risk. This might be a technology dependency, a regulatory environment, a labour-market constraint, a third-party provider, or customer behaviour. Good risk writing distinguishes the source from the event. “Regulatory change” may be a source; “a new reporting obligation takes effect before our platform is ready” is an event.

The event is the occurrence or change that matters. ISO-style risk language should avoid vagueness. “Cyber risk” is not an event. “A privileged account is compromised” is. So is “a critical vendor misses a delivery milestone” or “demand exceeds available support capacity during launch.” The event may be something that happens, or something that fails to happen.

Next come the causes. ISO 31000 recognises that events may have multiple causes. A delivery delay might arise from supplier capacity, unclear requirements, customs disruption, or internal approval bottlenecks. Naming these causes helps management see where intervention is possible.

Then come the consequences. These must connect directly back to the objective. If the objective is maintaining customer trust, the consequence may be reputational damage or increased churn. If the objective is regulatory compliance, the consequence may be breach notification, remediation cost, or enforcement action. Importantly, ISO 31000 allows for positive as well as negative consequences: uncertainty can create opportunity as well as threat.

The remaining elements make the risk decision-ready. Likelihood (the term ISO 31000 uses rather than probability, because the chance of an event may be judged qualitatively as well as measured) describes how likely the event is to occur. Impact describes the magnitude of the consequence: its scale, scope, severity, and duration. Timeframe explains when the risk may materialise or over what period it should be assessed. Existing controls identify the measures already in place that affect likelihood or impact; stating them explicitly separates the inherent risk from the residual risk that management actually has to decide about. Finally, an ISO-aligned risk should state its uncertainties and assumptions: the limits of available evidence, the quality of data, and the judgements being made.
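To make the structure above concrete, here is a small Python model of a risk record with the elements just described, plus a check that flags the "worry, weakness or control failure" entries the opening paragraph warns against. This is an added illustration written for this article; it is not code from ProjectBalm, Risk Register or ISO. The 1 to 5 likelihood and impact scales, the sample field values, and the rule that an event of fewer than three words is a label rather than an occurrence are assumptions made for the example.

```python
"""Model a risk record with the elements described above and check that it
is decision-ready. Added illustration; not ProjectBalm or ISO code. The 1..5
likelihood and impact scales are an assumption made for this example."""
from dataclasses import dataclass, field
from enum import Enum


class Effect(Enum):
    THREAT = "threat"            # negative consequence for the objective
    OPPORTUNITY = "opportunity"  # positive consequence (ISO 31000 allows both)


# Labels the article gives as worries, weaknesses or control failures: none
# of them names an occurrence, so none is acceptable as an event.
VAGUE_EVENT_LABELS = (
    "poor system performance",
    "lack of staff training",
    "non-compliance",
    "cybersecurity issue",
    "cyber risk",
)


@dataclass
class Risk:
    objective: str                  # what is affected, e.g. service continuity
    source: str                     # underlying element that can give rise to risk
    event: str                      # concrete occurrence or change
    causes: list[str]               # possibly several
    consequences: list[str]         # each must connect back to the objective
    likelihood: int                 # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                     # 1 (negligible) .. 5 (severe), assumed scale
    timeframe: str                  # when it may materialise / assessment period
    existing_controls: list[str] = field(default_factory=list)
    assumptions: list[str] = field(default_factory=list)
    effect: Effect = Effect.THREAT

    def problems(self) -> list[str]:
        """Return the reasons this record is not yet a well-written risk."""
        issues = []
        for name in ("objective", "source", "event", "timeframe"):
            if not getattr(self, name).strip():
                issues.append(f"missing {name}")
        event = " ".join(self.event.lower().split())
        # Heuristic (assumed): a known label or a one/two-word phrase names a
        # topic, not an occurrence or change.
        if event and (event in VAGUE_EVENT_LABELS or len(event.split()) < 3):
            issues.append(f"event '{self.event}' is a label, not an occurrence")
        if not self.causes:
            issues.append("no causes named")
        if not self.consequences:
            issues.append("no consequence linked to the objective")
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                issues.append(f"{name} outside the 1..5 scale")
        if not self.assumptions:
            issues.append("no uncertainties or assumptions stated")
        return issues

    def exposure(self) -> int:
        """Likelihood x impact score on the assumed 5x5 matrix."""
        return self.likelihood * self.impact

    def statement(self) -> str:
        """Render the record as one decision-ready sentence."""
        verb = "would advance" if self.effect is Effect.OPPORTUNITY else "would harm"
        return (
            f"Because of {self.source}, there is a chance that {self.event} "
            f"(causes: {', '.join(self.causes)}) within {self.timeframe}, "
            f"which {verb} the objective '{self.objective}' through "
            f"{', '.join(self.consequences)}."
        )


def example_risk() -> Risk:
    """The article's 'privileged account is compromised' event, filled out.
    All values other than the event are constructed for this example."""
    return Risk(
        objective="service continuity of the customer platform",
        source="privileged access to production systems",
        event="a privileged account is compromised",
        causes=["phishing of an administrator", "reuse of a leaked password"],
        consequences=["unplanned outage", "breach notification to customers"],
        likelihood=2,
        impact=5,
        timeframe="the next 12 months",
        existing_controls=["MFA on all administrative accounts"],
        assumptions=["no evidence of an existing compromise; based on the last audit"],
    )


def label_only_risk() -> Risk:
    """The kind of entry the article says is easy to spot as badly written."""
    return Risk(objective="", source="", event="Cyber risk", causes=[],
                consequences=[], likelihood=3, impact=3, timeframe="")


if __name__ == "__main__":
    for r in (example_risk(), label_only_risk()):
        print(r.statement() if not r.problems() else r.problems())
```

Running the block prints one full sentence for the well-formed record and a list of seven defects for the "Cyber risk" entry: no objective, source, timeframe, causes, consequences or assumptions, and an event that is a topic rather than an occurrence. The same checks are what a register should apply on entry, before anyone spends time rating likelihood and impact.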

Risk Register by ProjectBalm

And this is why we created Risk Register by ProjectBalm.

Our goal was to automate ISO-compliant risk management techniques, and do so via an elegant, usable interface that works with you, and not against you. Risk Register will help you to identify, analyse, treat and monitor risks more easily and effectively than ever before.

Risk Register now includes our unique Risk Foundry feature, a database of 100 standard ISO-compliant risks as well as 500 best practice treatments. Using Risk Foundry, you can quickly populate your register with high quality risks.

If you are experienced at risk management, you will find in Risk Register a tool that works the way you want it to work. If you are new to risk management, our documentation and videos will take you through the whole risk management process, giving lots of useful examples.

Risk Register is fully compatible with risk management standards such as ISO 31000, and can also be used for governance, risk, and compliance (GRC) programs such as Sarbanes-Oxley and PCI. And, of course, Risk Register allows you to easily distinguish between opportunities and threats.


Over the last few years, we've grown to become the most popular risk management solution in the Jira marketplace and we are now an Atlassian Platinum Partner. Why not try out Risk Register by ProjectBalm for yourself?

Reference. International Organization for Standardization. ISO 31000:2018 Risk Management — Guidelines. Geneva: International Organization for Standardization, February 2018.
