ISO 31000 is a set of guidelines that set out the basic principles of risk management which are applicable to any organization. Reading this article will help you understand why we adopted ISO 31000 in its 2018 revision and what benefits it brings to an organization that is about to become our partner (customer, vendor, creditor, or any other stakeholder that is involved in the values Infranet creates). This resource is not a debate on right or wrong risk management practices, but merely an explanation of a basic framework that set's out our commitment to strategically manage risk. Examples listed in this document are here merely to describe what risk management means for Infranet and its partners (stakeholders).

In order to understand the importance of ISO 31000:2018, it is important to understand what a risk is.

"Risk is an effect of uncertainty on objectives." It is important to unpack this statement so anybody can understand it by explaining what does it mean in real life by explaining these keywords:

• effect of uncertainty
• objective

Goals and Objectives

Objective refers to any business goal or a set o goals that we want to achieve. In order to correctly define any goal it should have all of the following attributes defined:

• Specific - saying exactly what should be done
• Measurable - provide a way to evaluate it by using metrics or data targets
• Achievable - within a certain scope, it should be possible to accomplish (does not necessarily mean that it should be easy or fast)
• Relevant - it should make sense within the organization so that improves business in some way 
• Time-bound - stating when should it be done by putting a timeframe on it  

Those goal descriptions are oftentimes described as SMART goals (combining the first letters of all goal attributes). If a goal is missing any of its attributes then it's not a goal anymore. 

A good example of a clearly defined simple SMART goal definition would be:

"Infranet aims to acquire 1.100 new paying customers for its new time-tracking SaaS product TeamBench withing 12 months from its market launch by gaining 200 new customers every month, and losing 20 of paying customers each month."

Achieving a goal creates value for any organization (Infranet included). Achieving a goal as set out in the previous example obviously creates value for Infranet. After defining a goal, a question arises: How can anyone be certain that the goal will be achieved? The answer is self-evident: no one can be 100% certain. Why? Because there are risks involved. Those risks bring uncertainty to achieving a specific goal and the effect of that uncertainty can have a consequence manifesting as a hindrance to achieving that goal.

Effect of Uncertainty

Uncertainty can have different effects on a goal or objective. Let's unpack those kinds of effect:

Uncertainty can influence the desired effect a goal should produce. Following the example mentioned above we'll mention a non-exhaustive example list of events that produce such effects that have consequences (read risks) in attaining such goal:

1. an existing market player adapts to TeamBench pricing strategy and offers lower prices - this is obviously a risk as it can lower the chance (likelihood) of Infranet achieving generating revenue from set 1000 paying customers - this is obviously a risk with an effect with a negative consequence
2. TeamBench could prove to have inadequate user experience - this is a risk that can cause customers stopping to use TeamBench as SaaS after a shorter period of time than expected and influencing Infranet to generate the revenue set out in the goal - this is obviously a risk with an effect with a negative consequence
3. TeamBench can prove to be so adopted by the market that Infranet reaches that is gained by 600 new customers each month and looses 90 existing customers each month" - this is still a risk, but it is not self-evident whether this the effect is either positive, negative or both - it is important to unpack this scenario a bit more 

For the sake of this example let's assume that every customer pays a fee of 3 EUR/month for a service.

Comparison of Risk 3 scenario and original objective

Indicator	Original	Risk 3
New customer per month	200	600
Lost customers per month	20	90
Monthly churn %	10%	15%
Total customers 12-months	9.900	23.310
Total revenue 12-months [EUR]	29.700	69.930
Active customers 12th month	1.100	2.310
CLC [months]	7.62	5.98
CLV [EUR]	22.85	17.93
Figures in this table are listed for theoretical sake of comparison

Comparing the original objective and Risk 3 scenario here several conclusions (listed non-exhaustively) :

At first glance the Risk 3 may seem as if Risk 3 has the following positive impacts:

• 2,35 times higher revenue than the original goal
• 2,1 times higher number of active customers on the 12th month

However, the negative impact of risk 3 are as follows:

• the original scenario assumes that customers will order service on average of 7,62 months whereas in the risk 3 scenario customer life cycle (CLC) is 5.98 months or 21,5% less, causing less loyal customers
• less loyal customers tend to negatively influence the brand (higher number of complaints etc.)
• as the number of newly acquired customers in scenario 3 is 3 times higher than in the original objective increase in cost of support is imminent (not calculated here)
• in risk 3 scenario, the total number of active customers (1.100) will be reached in the 2nd month of the launch, whereas the original objective assumes reaching that goal in the 10th month which will increase the need for cash (either by employing additional support staff or by investing in automated support resolution (i.e. driven by chatbots or AI)
• the organization will need to adapt significantly faster to increase the number of active customers in risk 3 than in the original objective
• there will be an increased need for cash for the cost of infrastructure (e.g. Azure)  
• due to the CLC in the original scenario, the number of total active customer reaches 1.100 after 10 months, whereas in risk scenario 3 growth stops after 7 months
• a customer in the original scenario yields 22,85 EUR whereas risk 3 yields 17.95 EUR in a lifetime

As a conclusion, the single distinguishing factor between the 2 scenarios is the monthly churn rate, as the major risk that will, after analysis and evaluation need to be treated. The monthly churn rate is a complex measurement and can have several sources

Risk management

ISO 31000:2018 assumes several risk treatment options:

• avoiding the risk
• taking or increasing the risk to pursue the opportunity
• removing the risk source
• changing the likelihood
• changing the consequences
• sharing the risk
• retaining the risk

Not all risk treatment methodologies are suitable for all risks and the choice of the most suitable one depends on balancing potential benefits in relation to the achievement of objectives against cost, effort, or disadvantages of implementation. For the sake of brevity, the process of risk analysis choosing the right risk treatment options is not discussed here. If you want to know more, feel free to contact us.

Risks in implementing our products or custom ICT solutions

Above listed risk example serves to depict the methodology of how do we approach risks in a systematic and strategic way for our product. The same methodology would apply if you were to purchase any of our products. In an example, if a customer were to implement InfraBilling or InfraRoute as a solution, we would work with them to help them assess the risks of implementation and come up with a plan on how to treat the risk prior to the implementation