MICHELLE C. SANTOS
30 Jun

ABSTRACT  

This study examined the current readiness level of the subject organization in adapting the ISO 31000 risk management guidelines. The researcher used a descriptive-quantitative research design to examine the subject company’s current awareness of the principles of the guidelines, as well as its current readiness with respect to the framework and processes of the ISO 31000 guidelines. This research highlighted the significance of adapting the ISO 31000 risk management guidelines. It showed that even though the subject company already has an existing enterprise risk management program, there were still gaps relative to the ISO 31000 risk management guidelines. The research provided empirical data on the gap in the subject company’s awareness of the ISO 31000 principles. It also identified the gap between the company’s existing risk management framework and processes and the ISO 31000 guidelines. It is evident that there should be calibration and alignment of awareness of the ISO 31000 principles amongst all levels of the management team of the subject company. Sufficient information amongst all levels of the management team could help facilitate risk oversight and decision-making. The result of the study led the researcher to strongly recommend that the company implement a suggested action plan that could improve the awareness level amongst all levels of management in the subject company. The suggested action plan also included the creation of a risk management policy and a benchmarking activity that will help increase the readiness level of the subject company in implementing the ISO 31000 framework and processes.


INTRODUCTION            

Nature and Scope of the Problem Investigated  

Risk management plays a very important role in any industry since it ensures the safety, reliability, and efficiency of the business. All companies generally adopt a proactive approach related to risk management since it will help the organization make the best decisions, optimize their resources, and maintain compliance with customer and regulatory requirements. The nature and process by which an organization addresses risks are directly related to its resilience in times of crisis. Due to advanced planning brought about by effective risk management, an organization becomes better equipped or more resilient to handle disruptions.

ISO 31000:2018 Risk Management-Guidelines provides principles and a comprehensive framework that help organizations establish and implement their risk management processes. It also provides guidelines on how organizations can maintain and continually improve those processes.

The research investigated the gap between the existing risk management process of the manufacturing company relative to the requirements of ISO 31000:2018 Risk Management-Guidelines. 


Research Problems and Objectives  

This research determined and provided answers to the following research problems and objectives: 

1. The level of organizational awareness of company Xyz relative to the ISO 31000:2018 risk management principles;

2. The current status of the risk management program of company Xyz relative to the ISO 31000:2018 defined framework and processes; and

3. The action plan needed to achieve full readiness in the adaptation of ISO 31000:2018 Risk Management-Guidelines.


Research Framework  

The research study used the conceptual framework as illustrated below on Fig. 05. This framework showed that the input of the research was ISO 31000:2018 Risk Management-Guidelines. Using the ISO 31000:2018 risk management principles, framework, and process, the organization was assessed objectively using survey questionnaires taken from the understanding of these ISO guidelines. The research was conducted using a quantitative descriptive design. The intended output of the research was to know the awareness and readiness level of Xyz company to be able to adapt to the ISO 31000 risk management guidelines. Upon successful understanding of the current level of awareness and readiness of company Xyz, the objective of this study was to devise an action plan needed for company Xyz to achieve full readiness in the adaptation of ISO 31000:2018 Risk Management-Guidelines.

Figure 1. Conceptual Framework


Research Significance 

The study finds its significance in the contribution of understanding the empirical data on the current effectiveness of the risk management program of Company Xyz relative to the industry guidelines ISO31000:2018 Risk Management-Guidelines. The study will strengthen the understanding of Risk Management Theory which provides the basic framework for understanding and addressing risks in an organization. The study will show that with the adaptation of the ISO 31000:2018 guidelines, the organization can proactively identify risks, reduce vulnerabilities, enhance decision-making, protect assets, and improve their overall resilience in facing uncertainties. 


Philosophical Lens   

This research applied positivism as its philosophical underpinning. The characteristics of positivist research include an emphasis on the scientific method, statistical analysis, and generalizable findings. Positivism asserts that knowledge should be based on observable facts and verifiable data. 

In line with the positivist lens, the researcher used survey questionnaires which will be the instrument to gather the raw data from the identified respondents of company Xyz. Upon the collection of the survey results, statistical analysis of the collected data will be conducted. From this, the researcher will be able to assess the readiness of company Xyz to adapt the principles, framework, and processes of the ISO 31000 risk management guidelines. 


Scope and Limitations   

This study covered the different business processes of company Xyz. This study focused on understanding the level of awareness of company Xyz on the different principles of ISO 31000:2018 Risk Management-Guidelines. In addition, it focused on understanding the current risk management programs of the subject company and compared them with the principles, framework, and processes set by ISO 31000:2018 Risk Management-Guidelines. With this, the researcher was able to assess the readiness of company Xyz to adapt to these industry risk management guidelines. The scope of this study only included the different levels of the management team since they are the ones who are generally involved in the risk management programs of the company. It did not include rank-and-file employees of the company as respondents.

Due to the limitation of time, the study focused on ISO 31000 provisions and did not include ISO 31010 which provides guidance on the application and selection of systematic techniques for risk assessment.


Definition of Terms   

ISO 31000. The ISO guidelines on risk management used in this study, with the latest revision published in 2018. These ISO guidelines provide the principles, structured framework, and processes intended to meet the needs of any type of organization or situation.

ISO 31000 Principles. The principles that provide guidance on the characteristics of effective and efficient risk management, communicating its value and explaining its intention and purpose. These principles are the foundation for managing risk and should be considered when establishing the organization’s risk management framework and processes. These principles should enable an organization to manage the effects of uncertainty on its objectives (ISO 31000, 2018).

ISO 31000 Framework. The purpose of the risk management framework is to assist the organization in integrating risk management into significant activities and functions. The effectiveness of risk management will depend on its integration into the governance of the organization, including decision-making. This requires support from stakeholders, particularly top management. Framework development encompasses integrating, designing, implementing, evaluating and improving risk management across the organization (ISO 31000, 2018).

ISO 31000 Processes. The risk management process involves the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context and assessing, treating, monitoring, reviewing, recording and reporting risk (ISO 31000, 2018).

Awareness. The quality or state of the subject company’s employees being aware of the items relating to the ISO 31000 principles.

Readiness. Readiness is the state of the subject company in being fully prepared for adapting the guidelines provided in the ISO 31000 risk management guidelines. 

Adapting. Adapting refers to how the subject organization will be able to align with the ISO 31000 risk management guidelines.


Review of Pertinent Literatures   

Implementation of risk management has been proven to be beneficial to the organization; however, its effectiveness is difficult to assess even if the risk management system is ISO 31000-certified. As discussed by Björnsdottir (2022), the certification is not a guarantee of being able to identify and assess all relevant risks in business operations. It was mentioned that methods and tools are needed to support evaluation of the efficacy and robustness of a risk management system.

As discussed in several studies, application of risk management with the use of ISO 31000 or COSO ERM as guidelines has resulted in positive gains for the company. As discussed by Al-Masawa et al. (2023), with the use of ISO 31000, they were able to adapt a project risk management framework that resulted in a smooth flow of accurate, real-time material for the companies.

Like most other ISO management guidelines, ISO 31000 provides the principles, structured framework, and process intended to meet the needs of any type of organization or situation. In order to be applied to such a vast diversity of activities and risks, the guidelines are fundamentally intended to be generic and rational (Lalonde et al., 2012). In an updated version, published in 2018, the principles of risk management have been reviewed. Greater emphasis is put on leadership by top management to ensure that risk management is integrated into all organizational activities, starting with the governance of the organization (Talapatra et al., 2019).

Most studies applying risk principles and guidelines in public organizations are led by countries such as Australia, New Zealand, Canada, UK and USA. There is a need for increased awareness regarding risk management in the public sector worldwide, especially for emerging and developing countries. Scholars, by referring to ISO 31000 guidelines and other sound guides and reports, can establish risk models for specific public authorities and agencies in their countries. Through their work, they should aim to promote and support risk management in their country (Ahmeti & Vladi, 2017).


METHODOLOGY

Research Design 

In this study, the researcher used descriptive-quantitative research methodology. It was used to describe and summarize characteristics, behaviors, or phenomena within the identified population. It focused on providing an accurate representation of the subject being studied by collecting numerical data and analyzing it using statistical techniques. The researcher used quantitative research questionnaires derived from the ISO 31000 risk management guidelines. A survey was conducted using the 3-point and 4-point Likert Scale in order to assess the perceptions of the survey respondents.

Research Locale 

The study was conducted by the researcher in company Xyz which is a manufacturing company located in First Philippine Industrial Park in Tanauan City, Batangas. The company manufactures products such as refrigerators, chillers, ovens, coffee makers, and spare parts. All of the company’s products are being exported to different customers around the world. 

Population and Sampling Design   

The researcher based the sampling design on the statement that the most appropriate person to arrange chaos is the. Risk management is generally being done by the leadership team in company Xyz. And based on this logic and on actual practice, the respondents for this study were identified to be from the management team. 

The researcher used the stratified sampling method since the population was categorized into three main groups: the top-level management, the middle-level management, and the low-level management. The top-level management consisted of the directors and managers of the company. The middle-level management consisted of senior supervisors and senior specialists. Lastly, the low-level management consisted of the supervisors and engineers. A proportionate sampling technique was applied by getting half of the total population of the three main groups, representing the three management levels. The sampling technique was presented in Table 03: Target Respondents of the Study.


Research Instruments   

The design of the research was quantitative, and the instrument for this was a survey questionnaire that collected the primary data. The survey questionnaire had three sections. Questions were generally derived from the guidelines of ISO 31000:2018. The instrument had undergone validation by a certified research specialist.


Data Gathering Procedure   

The researcher started the data gathering process by identifying a complete list of company employees that belong to the identified respondents of this study. Approval from the top management was also requested in order to gain support for this important research regarding the company’s readiness to adapt the ISO 31000 Risk Management Guidelines.

The importance of the study was clearly discussed with each respondent to ensure their maximum participation in the survey. The survey was conducted by handing printed copies of the survey questionnaires to each respondent, as this was required by the company’s legal adviser. Manual distribution and collection of the survey forms were done by the researcher. Completed survey forms were collected, tabulated, graphed, and analyzed.


Management and Treatment of Data   

As part of the analysis of the quantitative data, a 3-point Likert scale was used with the defined weights on the given scale, its interval, and class limits. The means of the overall responses of Company Xyz in its readiness to adapt to ISO 31000 risk management were interpreted based on Table 01.


Table 01.  Summary of Data Analysis Matrix

| OBJECTIVES OF THE STUDY | DATA | SOURCES OF DATA | ANALYSIS / TOOL |
| --- | --- | --- | --- |
| 1. To assess awareness of company Xyz on risk management principles relative to ISO 31000 risk management principles. | Nominal | Primary data through Research Questionnaire | Descriptive Statistics (Mean, Percentage); 3-Point Likert Scale |
| 2. To assess the readiness level of company Xyz to be able to adapt to ISO 31000 guidelines in terms of its defined framework and process. | Nominal | Primary data through Research Questionnaire | Descriptive Statistics (Mean, Percentage); 4-Point Likert Scale |
| To be able to devise an action plan needed for company Xyz to achieve the full readiness in the adaptation of ISO 31000 Risk Management-Guidelines | ----- | ----- | ----- |


RESULTS AND DISCUSSION

General Awareness Level of Company Xyz related to ISO 31000 Principles 

The researcher was able to get the general awareness level of company Xyz in relation to the ISO 31000 risk management principles. The survey data resulted in an overall mean of 2.64 as shown on Table 11. The overall mean falls in the range (2.33 - 3.00), which was defined in Table 08 with the interpretation of “Fully Aware”. This means that company Xyz is fully aware of the required ISO 31000 Risk Management Principles. This is a big turnout of results since the sample population (223 respondents) had a total response of 1649 for “Fully Aware” for all the survey questions. This resulted in 67.2% in terms of percentage.


Awareness Level in Terms of Management Level 

To further understand where the weakness of awareness lies with regard to the ISO 31000 principles, the researcher analyzed the data related to responses in terms of management level. The data can be interpreted to mean that engagement on risk management matters in the subject company is not being completely deployed down to the middle-level and low-level management. Awareness of the ISO 31000 principles can be affected by constant communication among different levels of management.

Involvement of all stakeholders such as the middle-level and low-level management should be calibrated the same as that of the top-level management. Communication among the three levels of management should be open, transparent, and timely. This type of communication will help to ensure that relevant information is shared effectively within the organization and shall promote better understanding of risks.


Overall Readiness Level of Company XYZ related to ISO 31000 Framework & Processes 

The researcher was able to get the overall readiness level of company Xyz in terms of adapting the ISO 31000 risk management framework and processes. The survey data resulted in an overall mean of 3.15. This means that company Xyz is “Partially Ready” in adapting the ISO 31000 Risk Management framework and processes. The weakness was more in taking into consideration all factors affecting the business, the regular review of the risk management policy, surveillance of risk processes at all levels, and implementation of risk mitigating actions.


Action Plan to Achieve Full Readiness in Adapting of ISO 31000 guidelines 

In order for the company to be able to fully adapt to the ISO 31000 guidelines, a suggested action plan was provided in Table 02.


Table 15.  Action Plan to Improve the Readiness Level of Company XYZ in Adapting ISO 31000 Risk Management Guidelines


RESEARCH IMPLICATIONS

Summary of Findings 

The research provided an understanding of the subject organization’s current risk management status by examining the organization’s awareness level on the ISO 31000 principles. This study also provided valuable insights into the current readiness level of the subject organization in terms of the ISO risk management processes and framework, given that they have existing risk management programs such as Enterprise Risk Management (ERM), Business Resiliency Plan (BRP), SWOT (Strengths, Weaknesses, Opportunities, & Threats), etc.

The awareness level of company Xyz on the ISO 31000 principles has been shown to be very good, reflecting that the organization is fully aware of the principles of ISO 31000. This means that they are generally fully aware that, in their organization, risk management:

- is integrated into the organization’s processes,

- is customized, structured, comprehensive, inclusive, dynamic, and transparent,

- is dynamic, fluid and responsive to change,

- considers the best available information,

- takes into account human factors and company culture, and

- encourages and drives continual improvement.

Still in relation to awareness, it was a significant finding that awareness of ISO 31000 decreases from top-level management going down to low-level management. There is a need for better engagement regarding risk management matters between the top-level management and the middle and low-level management.

Another significant finding was that the organization needs to improve in identifying all risks that may come from both internal and external factors. Risks from sources such as competitors, the organization itself, suppliers, the market, and customers must be identified and reviewed for all possible negative impacts that they can bring to the organization’s performance, quality, damage, loss or reputation risks.

Similar to the above significant finding, the organization should allocate enough resources to take hold of the best available information to be able to assess risk originating from external factors such as political, economic, socio-cultural, technological, legal, and environmental factors.


Derivable Conclusions from Research Data 

From the data gathered and presented, the researcher concluded that the company. As required in the ISO 31000 guidelines, under communication and consultation, there must be sufficient information to facilitate risk oversight and decision-making; therefore, there should be calibration of awareness of the ISO 31000 principles amongst all levels of the management team.

The researcher also concluded that company Xyz, although having its own risk management procedure and various implemented processes, is only partially ready in adapting the ISO 31000 guidelines’ framework and process basically since their procedure is not supported by a policy that is complete with the requirements of ISO 31000. 

The presented action plan will be helpful to increase the organization’s readiness to fully adapt to the versatile framework and processes of the ISO 31000 risk management guidelines. The action plan starts with the creation of a policy that is aligned with the requirements of ISO 31000 that will provide the needed guidelines in the creation of a robust framework and process of risk management.


Research and Policy Recommendations 

This study presented the completeness and versatility of ISO 31000 guidelines. It is therefore strongly recommended that the company implement the suggested action plan to improve the readiness level of a company in adapting the risk management guidelines. It would also be interesting to have a study on the risk management performance of the subject company after ISO 31000 guidelines had been implemented. 

The conduct of similar studies is recommended to provide additional data on the effectiveness of ISO 31000 in helping organizations minimize risks and possible negative impacts that they can bring to the organization’s performance, quality, damage, loss or reputation risks.


WORK CITED   

Ahmeti, R., & Vladi, B. (2017). Risk management in public sector: A literature review. European journal of multidisciplinary studies, 2(5), 190-196. 

Björnsdottir, S. H., Jensson, P., Thorsteinsson, S. E., Dokas, I. M., & de Boer, R. J. (2022). Benchmarking ISO Risk Management Systems to Assess Efficacy and Help Identify Hidden Organizational Risk. Sustainability, 14(9), 4937. 

Al-Masawa, M. E. S., Aziz, N. A. A., Manab, N. A., & Omran, A. (2023). The Relationship Between Project Risk Management Framework and Sustainable Development of Mud Architecture Building in Yemen. International Journal of Business and Technology Management, 5(1), 514-529. 

ISO 31000:2018; Risk Management—Principles and Guidelines. ISO: Geneva, Switzerland, 2019. 

Lalonde, C., & Boiral, O. (2012). Managing risks through ISO 31000: A critical analysis. Risk Management, 14, 272-300. https://doi.org/10.1057/rm.2012.9

Talapatra, S., Uddin, M. K., Antony, J., Gupta, S., & Cudney, E. A. (2019). An empirical study to investigate the effects of critical factors on TQM implementation in the garment industry in Bangladesh. Int. J. Qual. Reliab. Manag., 37, 1209–1232.
