Since its inception, ISO 31000 has become a widely accepted standard for enterprise risk management by private corporations, government bodies, and nonprofit organizations throughout the world.
Although the ISO standard has only been around for 10 years, its origins date back to 1995 when the AS/NZS 4360 standard from Australia and New Zealand was first published.
Following its 2004 revision, the committee responsible for developing the AS/NZS standard decided to push for the creation of an international standard that would be applicable to a wide variety of organizations irrespective of industry, sector, local language, and culture. Shortly thereafter, the International Standards Organization (ISO) put together a working group from 25 different countries to examine existing standards and best practices.
The first international risk management standard was published as ISO 31000 in 2009…
However, as risk management practices continued to evolve and constructive feedback poured in from practitioners worldwide, it soon became apparent that the current standard was incomplete. For example, it didn’t include enough explanation on concepts like risk appetite and integration of risk management with other processes, nor did it provide instructions on implementation, among other things.
Therefore, a new ISO 31000 standard was developed and released in February 2018 that was dramatically different from its predecessors…
The new ISO ERM standard places greater emphasis on creating and protecting value as a key driver of risk management
As I explain here and in countless other areas on my blog, the fundamental purpose of enterprise risk management is not to just protect, but enhance and create value for the organization.
Understanding the need for risk management practices to evolve to adequately deal with today’s threats, the ISO technical committee responsible for developing the standard sought to provide a clearer, shorter, and more concise guide than the 2009 version.
As explained by Jason Brown, Chair of the technical committee, the revised ISO 31000 standard:
…focuses on the integration with the organization and the role of leaders and their responsibility. Risk practitioners are often at the margins of organizational management and this emphasis will help them demonstrate that risk management is an integral part of the business.
This quote leaped off the page at me, and if you’ve completed my questionnaire, you may understand why. Inconsistent leadership, “tone-at-the-top,” or whatever you want to call it, is considered to be the number one ERM implementation challenge according to many risk professionals.
In fact, based on the results Nathan and I have analyzed to this point, this is the biggest ERM challenge by a long shot…
Besides a greater emphasis on leadership, the 2018 standard also focuses more on the “iterative” nature of risk management. An iterative process can be defined as “repeating rounds of analysis or a cycle of operations” to arrive at a desired result.
The 2018 ISO ERM standard was developed to provide a high-level, comprehensive view of what a successful risk management initiative should look like…
If you get a copy of the standard, you will find it easy to read and something you can do in a lunch hour.
It essentially provides a bird’s eye view and not a step-by-step process for risk professionals to follow. Instead, risk professionals must determine the parts of the standard most relevant to their organization and work from there.
The standard consists of 3 main components:
- Principles – At its core, the fundamental principle and purpose of risk management is value creation and protection. Branching out from this core purpose are 8 principles that support this goal, including integrated, customized, inclusive, structured and comprehensive, and more.
- Framework – The framework goes down a level deeper by providing components for integrating risk management into the activities and function of the organization. It centers on leadership and commitment, or rather what management and the board must do to ensure the integration of risk management in the organization. Developing a framework for your organization involves integrating, designing, implementing, evaluating, and improving.
- Process – This is where the rubber really meets the road. As the name implies, the process is the real-world application of policies and procedures. Examples include risk identification, risk analysis, risk reporting, risk treatment or response, and more. Beyond the high-level overview the standard provides, there is a lot of information on each of these processes here on this website and other resources both online and in print.
In the end, the new ISO 31000 standard goes a long way toward bridging the gap between recommendations and implementation, delivering information that is concise, applicable, and easy to read, especially when compared to other standards like COSO and the OCEG “Red Book” among others.
Explaining why ISO 31000 is the best standard, plus additional considerations
If you determine the ISO 31000 standard will be the benchmark for your risk management activities, it’s inevitable you are going to get questions from leadership as to why you chose this one.
In many ways, I’ve already discussed these reasons…
ISO 31000 is concise and easy to follow.
It can be read in about an hour and is applicable to pretty much any industry, culture, and language.
Also, ISO 31000 doesn’t focus on an audit perspective, but rather on value creation and protection. As I explain here, connecting risk management to the audit functions in your organization carries a host of negative consequences in my opinion.
And as you may know, ISO develops a wide variety of standards covering things like Quality Control, manufacturing, health & safety, and more. If your organization uses any of these in its operations, it will be easier to adopt the risk management standard since all ISO standards follow roughly the same format.
Although the 2018 version is a vast improvement over the 2009 version, there are still areas that need to be addressed in future versions, including my concern below.
One word of caution…
One thing you may notice if you ever purchase the ISO 31000 standard and read through it is some of the terminology it uses.
For example, instead of saying risk appetite, ISO calls it risk criteria.
In the process component of the standard, it uses risk assessment as an umbrella term that covers risk identification, analysis, and what it refers to as evaluation.
These are a couple of examples I have noticed. Sometimes the terms ISO uses will not line up exactly with how your organization explains something.
This difference in terminology can lead to a lot of confusion among risk professionals and the organization at large.
What’s important to remember is that any terminology you use internally should fit your organization. If not, risk management will definitely struggle to make a meaningful impact.
Are you using the ISO 31000 standard as the guidepost for your risk management efforts? Have you found it easy to follow and applicable to your organization?
I’m interested in your thoughts on ISO 31000 and if you find it helpful in its stated purpose of protecting and creating value. Feel free to comment below or join the conversation on LinkedIn.
This article is the first in a 3-part series examining and comparing the two most common ERM standards – ISO 31000 and COSO. I plan to publish my overview of COSO in early March and a comparison piece shortly thereafter.
And if you have identified the ISO 31000 standard as the best fit for your organization but are struggling how to best put it to use, please don’t hesitate to contact me or complete the form below to be added to my coaching and consulting waitlist today!
Featured image courtesy of NastySensei Sens via Pexels.com