Integrating Risk and ISO Standards
Knowing how to embrace risk as a vehicle for improvement is something that some organisations are better at than others, often doing so unknowingly. Indeed, an organisation that fears risk in certain aspects, perhaps those that they’re not familiar with, such as information security, could be missing a trick. Being risk averse, playing it safe, may mean an organisation is operating sub-optimally.
It’s easy to say that organisations should embrace risk but less easy to do when the stakes are high. That’s why ISO management system standards are demonstrably adding value to organisations; they provide a risk-based framework for continual improvement. That’s a great example of risks being an opportunity.
ISO standards help organisations in a couple of ways; first, there’s the opportunity cost of not addressing something that’s not right, or flipped around, it’s the cost of failure. Here’s an example: an IT system that just works – it’s old, but it’s stable and doesn’t go wrong - "if it ain’t broke". And it underpins the organisation’s raison d’etre so it’s very important. But the hardware and the operating system are no longer supported, so there are few spares available and there are no security patches being released, so it’s vulnerable. In NQA we often come across examples of this. It’s a risk that is unaddressed but the cost of failure has the potential to be very high.
Secondly, addressing risks can open up opportunities, simply by changing. But it’s only by actively managing risks that these opportunities present themselves. The ISO management system standards risk management framework enables an organisation to contextually review risks to make things better – this is continual improvement, whether it be reducing the cost of failure or embracing the benefits of change.
All of the ISO management system standards operate to a common structure, known as Annex SL. This commonality makes it much easier for organisations to integrate their standards. It means an organisation certified to multiple standards, say Quality, Environmental and Energy Management, will reap the benefits across multiple disciplines in a single risk framework. You can find out more about the Annex SL standards here.
Tim Pinnell, NQA’s head of Information Assurance, recently spoke at an IIRSM webinar about the benefits of ISO management systems to risk management. He was joined by Helen Barge, Director of Risk Evolves consultancy and Ian McKinney of AJ Gallagher Corporate Insurance.
Ultimately there were three views on the same subject:
Tim - as an auditor of management systems
Helen - as a consultant to organisations who implement management systems
Ian - who brokers insurance for both types of organisations – those who have and those who have not implemented management systems.
The overwhelming conclusion is that the organisations certified to management systems are much better at managing risk and the benefits thereof including efficiencies, low cost of failure, increased opportunities, reduced risk in the supply chain, greater internal and external assurance.
Author - Tim Pinnell, NQA Information Security Assurance Manager