As the recent global financial crisis has underscored, risk management is not an exact science. Risk management can be especially ineffective when it’s equated with compliance. Organizations can be compliant with the regulations governing their industries and still incur risks that have a negative impact on their businesses and beyond. Even at sophisticated organizations, risk management often is practiced in “silos” and without a clear understanding of how the risk levels to which one part of the business adheres can prove harmful to the organization as a whole.
This FAQ provides an introduction to ISO 31000:2009, a new international standard aimed at helping organizations of all types and sizes to manage risk across the enterprise. The ISO 31000:2009 risk management standard was published in November 2009 by the International Organization for Standardization (ISO). A concise 24 pages long, ISO 31000:2009 is noteworthy, not only for its brevity but also for its emphasis on the fundamentals of enterprise risk management.
|What is the ISO?|
The International Organization for Standardization (ISO) was formed in 1947 and is made up of representatives from the national standards bodies of 161 countries. With more than 18,000 international standards in its portfolio, the organization claims to be the world’s largest developer of standards. Headquartered in Geneva, ISO is a non-governmental organization. As such, its standards are voluntary, but many of its member institutes are part of the governmental structures of their countries, and ISO standards have found their way into many laws. Information technology professionals are probably familiar with the ISO/IEC 27000 series of standards for IT security management.
Learn more about the history of ISO.
|What is ISO 31000?|
ISO 31000 is an international standard developed to help organizations of any size and type to manage risk effectively. Touted as a practical document to help organizations develop their own approach to risk, ISO 31000 provides the principles, framework and generic process for managing any type of risk in a transparent and systematic manner. ISO 31000 can be applied “to any public, private or community enterprise, association, group or individual.”
|How can my organization get a copy?|
The ISO standards are not free. Copies of ISO 31000:2009, Risk management — Principles and Guidelines and the ISO Guide 73:2009, Risk management vocabulary, a collection of terms and definitions related to risk management, can be purchased from the ISO Central Secretariat for 112 Swiss francs (about $100) and 86 Swiss francs (about $75) respectively, or through the ISO Store. The reports are also available at ISO national member institutes.
|How does ISO 31000 define risk?|
Although risk often is defined in terms of negative impact or hazard, ISO 31000 views risk as exposure to the consequences of uncertainty — positive or negative. Risk management is about identifying the variations from what is planned or desired, and managing those risks to maximize opportunities, minimize losses, and improve decisions and outcomes.
|What is ISO 31000 designed to help
- Increase the likelihood of achieving objectives.
- Encourage proactive management.
- Be aware of the need to identify and treat risk throughout the organization.
- Improve the identification of opportunities and threats.
- Comply with relevant legal and regulatory requirements and international norms.
- Improve financial reporting.
- Improve governance.
- Improve stakeholder confidence and trust.
- Establish a reliable basis for decision making and planning.
- Improve controls.
- Effectively allocate and use resources for risk treatment.
- Improve operational effectiveness and efficiency.
- Enhance health and safety performance, as well as environmental protection.
- Improve loss prevention and incident management.
- Minimize losses.
- Improve organizational learning.
- Improve organizational resilience.
|What are the main principles of good
- Risk management should add value to an organization.
- Risk management should link to corporate governance.
- Responsibility for risk management should link to strategic direction.
- Risk management should be embedded in an organization’s objectives, strategy, operating practices and internal culture.
- Risk management is a catalyst for change in the organization’s culture.
- Risk management is dynamic, not static. When objectives change, risk management changes.
- Risk management is systematic, consistent and proportional.
- Risk management is specific.
- Risk management is evidence-based.
- Risk management is transparent and inclusive.
|What are the main elements of the ISO 31000
risk management process?
- Communicate and consult.
- Establish the context.
- Identify risk.
- Analyze risk.
- Evaluate risk.
- Treat risk.
- Monitor and review.
|Who in a company should get these documents?|
ISO 31000 should be seen by:
- Anyone responsible for implementing risk management within an organization.
- People who need to ensure that the organization is managing risk.
- People who need to evaluate an organization’s practices in managing risk.
- Developers of standards, guides, procedures and codes of practice relating to the management of risk.
|How does ISO 31000 relate to specific risks of
particular kinds of work?
ISO 31000 should not be seen as a replacement for established international standards that are used successfully to manage specific risks in such sectors as machinery safety, transportation, energy, IT and the environment, Rather, it should be viewed as a top-level document that supports those existing standards.
|Can my business become ISO 31000-certified?|
ISO 31000 is not a standard in which organizations can seek to be certified. By implementing ISO 31000, organizations can compare their risk management practices with an internationally recognized benchmark that provides sound principles for effective management. The ISO Guide 73 ensures that everybody is using the same terms and definitions when talking about risk.
|In what ways does ISO 31000 fall short?|
ISO 31000 was praised in early reviews as a clear, relatively concise, high-level guide to risk management. The value of ISO 31000 is less obvious, however, for organizations schooled in risk concepts and looking for details on how to translate concepts into practical tools. As advertised, ISO 31000 is a process-oriented standard, as opposed to a controls-oriented standard, such as the COSO Enterprise Risk management — Integrated Framework.
Forrester Research Inc. analyst Christopher McClean cautioned in a briefing that ISO 31000, for example:
- Does not determine how an organization measures risk: Risk managers will still have to figure out how to create reliable risk data.
- Does not ensure that all germane risk areas are identified.
- Does not provide risk taxonomies, “heat maps,” or other templates for developing risk documentation and reports.