How can you use ISO standards to better manage risk? What are important ISO standards for risk management?

We get asked a lot about what some of the most important risk management standards are. Here is a review of two important standards, ISO 19600 and ISO 37000.

ISO 19600 is a risk management standard that provides guidelines for establishing, implementing, maintaining, and improving a compliance management system within an organization. It is designed to help organizations manage their compliance risks and meet their legal and regulatory obligations.

The standard ISO 19600 covers a wide range of topics related to compliance and risk management, including the following:

  • Leadership and commitment
  • Policies and procedures
  • Risk assessment
  • Training and awareness
  • Communication and reporting
  • Monitoring and review
  • Continual improvement

Risk management and policies

The policies and procedures section of ISO 19600 provides guidance on the development, implementation, and maintenance of effective policies and procedures within an organization. This section covers a wide range of topics related to policy development, including the following:

  1. Policy development process: This section outlines the process for developing and reviewing policies and procedures within an organization. The process should involve input from key stakeholders, including legal, compliance, and risk management personnel, as well as employees who will be affected by the policies.
  2. Policy structure and content: This section provides guidance on the structure and content of policies and procedures. Policies should be written in clear, concise language that is easily understood by employees. They should also be organized in a logical and coherent manner, with clear headings and subheadings.
  3. Policy implementation: This section outlines the steps that should be taken to ensure that policies are effectively implemented within the organization. This may include training programs for employees, communication strategies to ensure that employees are aware of the policies, and the establishment of monitoring and reporting mechanisms to ensure that policies are being followed.
  4. Policy maintenance and review: This section outlines the steps that should be taken to maintain and review policies and procedures over time. Policies should be reviewed on a regular basis to ensure that they remain relevant and effective, and should be updated as necessary to reflect changes in the organization’s operations or regulatory environment.

One of the key principles underlying the policies and procedures section of ISO 19600 is the need for policies to be risk-based. This means that policies and procedures should be developed based on an assessment of the risks faced by the organization. Risk assessment should take into account both internal and external factors, including the organization’s operations, the regulatory environment, and the potential consequences of non-compliance.

Another important principle is the need for policies and procedures to be integrated into the overall management system of the organization. This means that policies and procedures should be developed in a way that is consistent with the organization’s mission, values, and objectives. They should also be integrated with other management system standards, such as ISO 9001 (quality management) and ISO 14001 (environmental management).

In addition to these principles, the policies and procedures section of ISO 19600 emphasizes the importance of communication and training in ensuring that policies and procedures are effectively implemented within the organization. Communication strategies should be developed to ensure that employees are aware of the policies and understand their obligations under them. Training programs should be developed to provide employees with the knowledge and skills they need to comply with the policies.

The policies and procedures section of ISO 19600 emphasizes the importance of monitoring and reporting mechanisms in ensuring that policies are being followed within the organization. These risk management mechanisms should be established to provide ongoing feedback on the effectiveness of policies and to identify areas where improvements can be made.

The policies and procedures section of ISO 19600 provides comprehensive guidance on the development, implementation, and maintenance of effective policies and procedures within an organization. By following these guidelines, organizations can develop policies that are risk-based, integrated with the overall management system, effectively communicated to employees with the training they need, and regularly reviewed and updated to reflect changes in the organization’s operations or regulatory environment.

Risk management and continual improvement
The continual improvement section of ISO 19600 is a critical component of a compliance management system that focuses on the ongoing monitoring, evaluation, and enhancement of the system. This section provides guidance on establishing a culture of continuous improvement within the organization, with the aim of enhancing compliance performance and reducing compliance risks over time.

The continual improvement section of ISO 19600 covers several key aspects of the compliance management system, including the following:

  1. Monitoring and measurement: This section outlines the need to establish monitoring and measurement processes to assess the effectiveness of the compliance management system. This may include regular compliance audits, risk assessments, and other forms of monitoring and evaluation to identify areas of weakness and opportunities for improvement.
  2. Analysis and evaluation: This section outlines the need to analyze and evaluate data collected from monitoring and measurement processes. The analysis should identify trends, patterns, and opportunities for improvement, and should be used to inform decision-making about changes to the compliance management system.
  3. Corrective and preventive action: This section outlines the need to establish processes for corrective and preventive action to address non-compliance and mitigate compliance risks. Corrective action involves addressing non-compliance when it occurs, while preventive action involves identifying and addressing potential sources of non-compliance before they occur.
  4. Management review: This section outlines the need for regular management reviews of the compliance management system to evaluate its effectiveness, identify areas for improvement, and ensure that it remains aligned with the organization’s overall objectives.

The continual improvement section of ISO 19600 emphasizes the importance of establishing a culture of continuous improvement within the organization. This means that all employees should be encouraged to identify areas for improvement and to contribute to the ongoing enhancement of the compliance management system.

To facilitate this culture of continuous improvement, the section also provides guidance on the need for communication and training to ensure that all employees are aware of their roles and responsibilities in enhancing compliance performance. Employees should be trained on how to identify and report non-compliance, as well as how to contribute to the ongoing improvement of the compliance management system.

The continual improvement section of ISO 19600 emphasizes the need for leadership and commitment to ensure the success of the compliance management system. This involves establishing clear objectives and goals for the system, allocating appropriate resources, and providing support and guidance to employees to facilitate their contributions to the ongoing improvement of the system.

The continual improvement section of ISO 19600 provides comprehensive guidance on establishing a culture of continuous improvement within the organization to enhance compliance performance and reduce compliance risks over time. By establishing monitoring and measurement processes, analyzing and evaluating data, and taking corrective and preventive action, organizations can continually enhance their compliance management systems and ensure that they remain effective and aligned with the organization’s overall objectives.


ISO 37000 and risk management

ISO 37000 is a global standard that provides guidance on effective governance of organizations. It provides a framework for establishing, implementing, maintaining, and improving governance systems within organizations. The standard is designed to be applicable to organizations of all types and sizes, including public, private, and non-profit organizations.

The standard is organized into ten main sections, each covering a different aspect of governance. These sections include:

  1. Scope and purpose: This section provides an overview of the standard, its scope, and its purpose. It outlines the principles of effective governance and the benefits of implementing the standard.
  2. Normative references: This section lists the standards and other references that are cited throughout the document.
  3. Terms and definitions: This section provides definitions of the key terms used in the standard.
  4. Context of the organization: This section covers the need to understand the organization’s internal and external context, including its culture, values, and stakeholders.
  5. Governance framework: This section outlines the need to establish a governance framework that includes policies, procedures, and processes for effective governance.
  6. Leadership and culture: This section covers the need for effective leadership and a strong governance culture within the organization.
  7. Governance risk management: This section covers the need to identify, assess, and manage governance risks within the organization.
  8. Performance evaluation and improvement: This section covers the need to evaluate the effectiveness of the governance system and to continuously improve it over time.
  9. Governance reporting: This section covers the need to report on the organization’s governance performance to stakeholders.
  10. Annexes: This section contains additional guidance and information on implementing the standard.

The standard ISO 37000 emphasizes the importance of effective governance in achieving organizational objectives and creating value for stakeholders. It recognizes that effective governance requires a strong leadership commitment and a culture that values accountability, transparency, and ethical behavior.

One of the key themes throughout the standard is the need for a comprehensive governance framework that includes policies, procedures, and processes for effective governance. The standard recommends that organizations establish a governance framework that is appropriate to their size, complexity, and risk profile.

The standard also emphasizes the importance of effective leadership and culture in achieving effective governance. It recognizes that effective leadership is essential in setting the tone for governance within the organization, and that a strong governance culture is essential in ensuring that governance is embedded throughout the organization.

Another key theme throughout ISO 37000 is the need to identify, assess, and manage governance risks within the organization. The standard recommends that organizations establish a formal process for identifying and assessing governance risks, and that they develop and implement controls to manage those risks.

The standard also emphasizes the importance of performance evaluation and improvement in achieving effective governance. It recognizes that regular evaluation of the governance system is essential in identifying areas for improvement, and that continuous improvement is essential in ensuring that the governance system remains effective over time.

ISO 37000 emphasizes the need to report on the organization’s governance performance to stakeholders. It recognizes that transparency and accountability are essential in building trust with stakeholders, and that reporting on governance performance is an important aspect of transparency and accountability.

The standard ISO 37000 provides comprehensive guidance on effective governance of organizations. It recognizes that effective governance is essential in achieving organizational objectives and creating value for stakeholders, and that effective governance requires a strong leadership commitment and a culture that values accountability, transparency, and ethical behavior. The standard provides a framework for establishing, implementing, maintaining, and improving governance systems within organizations, and it emphasizes the importance of a comprehensive governance framework, effective leadership and culture, governance risk management, performance evaluation and improvement, and governance reporting.

How to create a formal process for identifying governance risks

Establishing a formal process for identifying and assessing governance risks is a critical step in ensuring effective governance within an organization. This process helps to identify potential risks to the organization’s governance system, evaluate the likelihood and potential impact of those risks, and develop and implement controls to manage those risks.

To establish a formal process for identifying and assessing governance risks, organizations can follow the following steps:

  1. Define the scope of the risk assessment: The first step is to define the scope of the risk assessment, including the areas of the organization that will be assessed, the types of risks that will be evaluated, and the time frame for the assessment.
  2. Identify governance risks: The next step is to identify potential governance risks, including risks related to the organization’s governance structure, policies, procedures, and practices. This can be done through a variety of methods, including reviewing previous risk assessments, conducting interviews with key stakeholders, and analyzing data on governance-related incidents.
  3. Evaluate the likelihood and potential impact of each risk: Once potential risks have been identified, the organization should evaluate the likelihood and potential impact of each risk. This can be done using a risk matrix or other similar tool to assess the likelihood of the risk occurring and the potential impact of the risk on the organization’s governance system.
  4. Prioritize risks: After evaluating each risk, the organization should prioritize risks based on their likelihood and potential impact. This will help to ensure that the organization focuses its resources on the most significant risks.
  5. Develop and implement controls to manage risks: Once risks have been prioritized, the organization should develop and implement controls to manage those risks. This can include developing policies and procedures to mitigate risks, implementing monitoring and reporting systems to identify emerging risks, and establishing contingency plans to respond to risks if they occur.
  6. Monitor and review the risk assessment process: Finally, the organization should monitor and review the risk assessment process to ensure that it remains effective over time. This can include conducting regular assessments of the organization’s governance risks, evaluating the effectiveness of existing controls, and updating the risk assessment process as needed.
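As an added illustration of steps 3 to 5 above (this is example code, not part of the original article or of either ISO standard), the following governance risk register scores each risk on a 5x5 likelihood/impact matrix, applies the controls assigned to it to estimate residual risk, and returns the risks still above the organization's risk appetite in treatment order. The rating bands, the appetite threshold, and the sample risks and controls are constructed assumptions; an organization would set its own.

```python
from dataclasses import dataclass, field

# Rating bands for a 5x5 matrix (likelihood x impact, each 1..5).
# Constructed example thresholds; an organization defines its own.
BANDS = ((20, "Critical"), (10, "High"), (5, "Medium"), (0, "Low"))


def rating(score: int) -> str:
    """Map a likelihood*impact score (1..25) to a matrix band."""
    for floor, name in BANDS:
        if score >= floor:
            return name
    raise ValueError(f"score out of range: {score}")


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # points removed from likelihood
    impact_reduction: int = 0       # points removed from impact


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: int
    impact: int
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self):
        # Reject scores outside the matrix so a typo cannot silently
        # push a risk into (or out of) the treatment list.
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.ref}: scores must be 1..5, got {v}")

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Score after controls; neither axis drops below 1."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def prioritize(register: list[Risk], appetite: int = 6) -> list[tuple[str, int, str]]:
    """Risks whose residual score exceeds the appetite, highest first.

    Ties are broken by impact so high-consequence risks are treated first.
    """
    above = [r for r in register if r.residual() > appetite]
    above.sort(key=lambda r: (r.residual(), r.impact), reverse=True)
    return [(r.ref, r.residual(), rating(r.residual())) for r in above]


# Constructed sample register (illustrative entries only).
SAMPLE = [
    Risk("GR-1", "Board receives no cyber risk reporting", 4, 5,
         [Control("Quarterly board security briefing", likelihood_reduction=2)]),
    Risk("GR-2", "Undeclared conflict of interest in vendor selection", 3, 4,
         [Control("Annual declarations register", likelihood_reduction=1),
          Control("Two-person approval above spend threshold", impact_reduction=1)]),
    Risk("GR-3", "Policy register not reviewed after regulatory change", 3, 3),
    Risk("GR-4", "Whistleblowing channel unknown to staff", 2, 2),
]

if __name__ == "__main__":
    for ref, score, band in prioritize(SAMPLE):
        print(f"{ref}: residual {score} ({band})")
```

Running the block lists GR-1 and GR-3 as the risks needing further treatment; GR-2 sits exactly at the appetite after its controls and GR-4 is low.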

Establishing a formal process for identifying and assessing governance risks is essential in ensuring effective governance within an organization. This process helps to identify potential risks to the organization’s governance system, evaluate the likelihood and potential impact of those risks, and develop and implement controls to manage those risks. By following the steps outlined above, organizations can develop a comprehensive risk assessment process that helps to ensure the effective governance of the organization.

How to identify governance risks

There are several methods that organizations can use to identify potential governance risks. Here are some of the most common methods:

  1. Review of previous risk assessments: One of the most straightforward methods is to review previous risk assessments. This can include reviewing internal audit reports, external audit reports, and other risk assessment documents to identify potential governance risks.
  2. Interviews with key stakeholders: Another method is to conduct interviews with key stakeholders, including board members, senior executives, and other key employees. This can help to identify potential risks that may not have been identified through other methods.
  3. Data analysis: Organizations can also analyze data on governance-related incidents to identify potential risks. This can include analyzing data on internal investigations, regulatory enforcement actions, and other incidents related to governance.
  4. Benchmarking: Benchmarking involves comparing an organization’s governance practices to those of other organizations in the same industry or sector. This can help to identify potential gaps or weaknesses in the organization’s governance system.
  5. Scenario planning: Scenario planning involves developing hypothetical scenarios that could impact the organization’s governance system, such as a major cyber-attack, a regulatory change, or a significant market disruption. This can help to identify potential risks and develop strategies to manage those risks.
  6. Risk mapping: Risk mapping involves creating a visual map of the organization’s governance risks, including the likelihood and potential impact of each risk. This can help to identify potential risks that may not have been identified through other methods and prioritize risks for further assessment.
  7. Internal control assessments: Internal control assessments involve evaluating the effectiveness of the organization’s internal controls related to governance. This can help to identify potential weaknesses or gaps in the organization’s governance system.

Organizations should use a combination of methods to identify potential governance risks. By using multiple methods, organizations can ensure that they are identifying all potential risks and developing effective strategies to manage those risks.


What questions can I ask to understand potential governance risks?
Here are 15 key questions that can be asked of key stakeholders, including board members, senior executives, and other key employees to assess potential governance risks:

  1. How would you define our organization’s governance system, and what are its key components?
  2. What governance risks do you think our organization faces, and how likely are they to occur?
  3. How do we currently manage our governance risks, and what strategies do we use to mitigate them?
  4. Are there any specific areas of our governance system that you believe are particularly vulnerable to risk?
  5. How do we ensure that our governance system complies with all relevant laws, regulations, and standards?
  6. How do we monitor and report on our governance risks, and how do we ensure that our reporting is accurate and reliable?
  7. How do we ensure that all key stakeholders are aware of our governance risks and understand their roles and responsibilities in managing those risks?
  8. How do we ensure that our governance system is aligned with our organization’s strategic objectives and values?
  9. How do we evaluate the effectiveness of our governance system, and how do we ensure that it is continuously improving?
  10. How do we ensure that our governance system is transparent and accountable, and that all key stakeholders have a voice in its development and implementation?
  11. How do we ensure that our governance system is resilient and can adapt to changes in our organization’s environment and circumstances?
  12. How do we manage conflicts of interest within our governance system, and how do we ensure that our decision-making processes are fair and objective?
  13. How do we ensure that our governance system promotes ethical behavior and a strong culture of compliance within our organization?
  14. How do we ensure that our governance system is effective in managing risks related to emerging technologies, such as cybersecurity, data privacy, and artificial intelligence?
  15. How do we ensure that our governance system is supported by appropriate resources, including funding, technology, and personnel?

By asking these key questions of key stakeholders, organizations can gain a better understanding of their governance risks and develop effective strategies to manage those risks.

Listen to The International Risk Podcast every week to learn more about risk management, governance, and compliance.
