Strategic Risk - IsO 31000 - The Gold Standard (CAJL + AD) @ 15 Sept 09

STANDARDS


A balanced view on the new international standard on risk management ISO 31000:2009


The ISO 31000 ‘Risk Management – Principles and Guidelines’ is scheduled to be published in December 2009. This will mark the end of a four-year development period, during which up to 60 experts, representing 30 countries, worked within an ISO international technical committee.

The ISO guidelines are designed for a wide range of risk management practitioners, experienced or novice, and for those responsible for risk management oversight who are interested in benchmarking their risk management organisation and practices against a recognised international reference.

It is important to understand both the usefulness and the limitations of such a generic reference. ISO 31000 describes voluntary risk management guidelines, not a prescriptive compliance requirement.

In order to avoid the kind of costs and time consumption that resulted from the launch of the ill-fated COSO II Enterprise Risk Management – Integrated Framework (in 2004), this brief overview is designed to highlight the principal positive and negative features anticipated with the ISO 31000. The objective is to alert risk management practitioners to the imminent publication of a new international risk management guideline in the guise of a new ISO standard.

The ISO 31000 chapter headings are: 1) Scope; 2) Terms and definitions; 3) Principles; 4) Framework; and 5) Process. Arguably, chapter 2 would be better positioned in an appendix – leaving just four core chapters.

Positive features

The new standard:

• can apply to any activity or domain in any organisation – public or private;
• will supplement or replace a variety of independent, national risk management standards;
• provides an ‘umbrella’ for more than 60 recognised standards and guidelines that refer to risk management (per CEN – European Committee for Standardisation);
• despite being labelled as an ISO standard, is:
  – a set of guidelines;
  – voluntarily applicable: it is not prescriptive, and there is no legal requirement; and
  – specifically not intended for certification;
• provides a globally applicable risk management reference guide with generic:
  – three-pillar architecture (principles, framework, process); and
  – risk management terminology (tree-structure): ISO/IEC Guide 73;
• represents an international consensus;
• provides for a continuum of improvement through the iterative process and feedback loops or opportunities for lessons learned at each stage in the process;
• provides a single global reference for stakeholders in an organisation who have an interest in risk management;
• provides a useful communication tool about both the organisational context and scope of risk management;
• will facilitate risk management education and training programmes.

Things to watch out for

ISO 31000 will be an internationally recognised reference

Like it or not, ISO 31000 will become a common reference for stakeholders concerned with risk management. Familiarity with the content and the adoption of the risk management framework and process described (or something sufficiently similar to be tracked to ISO 31000) will be advantageous to risk management professionals, especially in large or complex organisations.

Standard versus guideline

Though ISO’s name indicates that it is an international standards body, ISO 31000 has been issued as a generic guideline and specifically not as a certifiable standard. Risk management professionals should take care to make this distinction clear to senior executives in their organisations and more generally when referring to ISO 31000.

ISO 31000 is a user-friendly tool, compared with COSO II

Even if the risk management process has been made more elaborate than strictly necessary, the ISO 31000 two-dimensional, graphic triptych is vastly more helpful to the risk manager than the cumbersome and confusing COSO II cube (assembled by a handful of sponsoring organisations that shared a common interest in developing a heavyweight, compliance-focused enterprise risk management (ERM) process that promoted the importance of internal control and internal audit functions).

Keep the risk management architecture simple

ISO 31000 is built around a three-pillar structure: risk management principles; risk management framework; and risk management process. This architecture is both robust and relatively simple to apply. The principles address the issue of risk management purpose and objectives. The framework establishes the mandate and commitment at senior management and board levels. It also requires a description of the internal and external organisational contexts. The process describes the implementation of risk management at the business unit level for day-to-day activities of risk assessment and risk treatment.

Avoid the creation of a parallel management system

ISO 31000 clearly states (when addressing the risk management framework): ‘This framework is not intended to prescribe a management system, but rather, to assist the organisation to integrate risk management into its overall management system. Organisations should adapt the components of the framework to their specific needs’.

Lessons should be learned from the troubled implementation of the ISO 9000 series during the early years, and problems encountered with the creation of parallel quality management systems.

StrategicRISK SEPTEMBER 2009 | www.strategicrisk.co.uk 21


Alex Dali and Christopher Lajtha offer some practical tips for responding to the new risk management standard ISO 31000


The gold standard


Many companies that have implemented ISO standards on a large scale start wondering, after a few years, if the benefits are really worth the costs involved. ISO standards can be expensive to implement and to maintain if parallel management systems are set up to support a bureaucratic compliance reporting process.

The opportunity to review existing practices

Although ISO 31000 does not impose any compulsory compliance, it would be a mistake to overlook its usefulness as a generic reference. A risk management team may find it helpful to compare its own risk management framework and process to that described in ISO 31000 and to track the similarities and differences.

Use ISO 31000 as a means to interface more effectively with business units

The business proposition of effective risk management is to promote improvement in business performance. It would be a mistake to use ISO 31000 as a tool for the creation of burdensome reporting on risk. Where possible, use and leverage information that is already captured within the normal course of business operations.

ISO 31000 could be useful in response to credit rating agency enquiries

Some credit rating agencies have started to look at ERM as a factor in their credit rating analysis. Without being prescriptive, ISO 31000 provides a useful cross-reference framework for explaining how risk management is structured and implemented within a specific organisation.

Beware of national standards bodies/associations looking for certification opportunities

ISO 31000 states that ‘this international standard is not intended for the purpose of certification’.

However, there is a danger of creeping certification, especially if the ISO label is taken at superficial face value. You need to monitor carefully the activities of national standards bodies and others whose interests may lie in finding reasons for certification.

Beware misperceptions of the invasiveness of ISO 31000

There are some who perceive that ISO 31000 is an attempt at some form of world domination in the field of risk management guidelines. This is not ISO’s stated aim: ISO 31000 is a non-prescriptive, non-compulsory generic reference tool. It does not pretend to impose best practices, but rather to harmonise principles, framework and processes. Opinions expressed about ISO 31000 should not be received uncritically, but checked and challenged. National and regional risk management associations can help by providing clear guidance to their members.

Use ISO 31000 (ISO/IEC Guide 73) terminology as a reference, not a requirement

The ISO/IEC Guide 73 ‘Risk Management – Vocabulary – Guidelines for Use in Standards’ was first published in June 2002. Guide 73 seeks to provide a reference language for risk and risk management, and is the source of terms and definitions referred to in ISO 31000. Guide 73 is being reviewed by the same ISO committee dealing with the ISO 31000 and is expected to be published at the same time, at the end of 2009.

While the motivation for a common language of risk is sound, and a key attraction of a global reference standard, some of the compromise definitions that have been agreed in Guide 73 and therefore ISO 31000 are not as useful as they could have been (see examples in box). Risk managers should not hesitate to simplify or add clearer focus to the language that they use when crafting internal corporate risk management policies and guidelines – language that is consistent with that used by senior executive management and other business support functions.

The risk management relationships

[Figure: Relationships between the risk management principles, framework and process (extract from ISO/FDIS 31000). The three panels of the diagram list the following elements.]

Principles for managing risk (Clause 3):
a) Creates value
b) Integral part of organizational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organization

Framework for managing risk (Clause 4): Mandate and commitment (4.2); Design of framework for managing risk (4.3); Implementing risk management (4.4); Monitoring and review of the framework (4.5); Continual improvement of the framework (4.6).

Process for managing risk (Clause 5): Communication and consultation (5.2); Establishing the context (5.3); Risk assessment (5.4), comprising risk identification (5.4.2), risk analysis (5.4.3) and risk evaluation (5.4.4); Risk treatment (5.5); Monitoring and review (5.6).

Keep the risk management process simple and robust

While a two-phase risk management process defined in terms of risk analysis and risk response may be considered somewhat minimalist, the ISO 31000 process diagram is arguably more complicated than necessary. This should not deter reference to ISO 31000 or the crafting of a similar, yet simpler, process diagram.

Keep a critical eye out for exaggeration and self-serving statements

Statements such as ‘There should be an organisation-wide risk management plan to ensure that the risk management policy is implemented and that risk management is embedded in all of the organisation’s practices and processes’ may be applicable to a handful of organisations, but not to the vast majority. This represents more of a text-book ideal than a practical guideline, and should not be taken too literally.

Communication – look out for stakeholder overkill

Statements such as ‘Communication and consultation with external and internal stakeholders should take place at all stages of the risk management process’ need to be examined critically in the context of current business practices and controlled communication flows. Quite apart from the practical realities of managing complex organisations, what might appear appropriate to an academic or an NGO may not feel so appropriate to a CFO, head of legal department or head of communications or investor relations in a multinational company.

Be sceptical about external consultants selling systems on the back of ISO 31000

Try to exploit the information management systems and platforms already in use to capture exposure metrics. Simple web-accessible database tools can be customised to feed the risk management process information needs and reporting requirements without recourse to expensive proprietary systems. Many IT companies offer web-based GRC (governance, risk and compliance) or ERM software solutions. However, ISO 31000 makes no special demands for information management beyond what has been already determined by good risk management practice.

Alex Dali is managing partner of the consultancy company Atlascope, www.atlascope.com, and Christopher Lajtha is principal of independent risk and insurance management resource Adageo, [email protected]

Key definitions

Until the final version of ISO 31000 is published in December 2009, comments about key word definitions cannot be definitive. However, analysis of the most recent, close-to-final versions reveals that some definitions may prove to be less useful than others. Examples where special attention, and perhaps further simplification, may prove to be useful include:

Risk is defined as ‘the effect of uncertainty on objectives’. A couple of notes accompany this definition.

Effect is described in a note as ‘deviation from the expected (positive or negative)’. Uncertainty is described in another note as ‘the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or likelihood’. This is a considerable improvement over earlier definitions of risk expressed narrowly in terms of a combination of event impact (severity) and likelihood (probability).

A similar, but arguably more granular, definition of risk is ‘a measure of deviation from a range of expected outcomes’. (Note that risk is effectively a measure of distance by this definition.)

Risk management is defined as ‘the co-ordinated activities to direct and control an organisation with regard to risk’. This is a very broad definition and hence not as useful as it should be. Real-life experience does not suggest that risk managers, for the most part, are ‘charged with directing and controlling organisations with regard to risk’. This definition appears to be rooted in academic consensus rather than practical operational reality.

A simpler, and probably more operationally useful, definition is that risk management is ‘a discipline for dealing with uncertainty’.

Risk management plan is defined as a ‘scheme, within the risk management framework, specifying the approach, the management components, and resources to be applied to the management of risk’.

Given the ISO 31000 architecture – principles, framework and process – the reference to a risk management plan appears to be somewhat bureaucratic and confusing, especially in the form of an organisation-wide edict suggested in ISO 31000 (Section 4.3.4 Framework; Design; Integration).

The notion of risk transfer has been replaced, within the generic heading of risk treatment, by that of ‘sharing risk with another party or parties’. This is a positive development in that it more correctly reflects the practical reality that shifting responsibility and accountability for risk management to others is rarely fully achievable. Even a resort to external risk financing is more akin to risk sharing than risk transfer, since the extent of such risk financing is rarely 100%, and often materially less important.

The reference to risk owner – defined as ‘the person or entity with accountability and authority to manage the risk’ – could be problematic for some risk management practitioners. Internal management allocation of responsibility for risk treatment initiatives does not transfer ‘ownership’ of risk. It transfers obligations to perform tasks to a certain standard and within a certain time frame. While people understand the notion of task allocation and performance obligations, confusion may be caused by the notion of risk ownership.

The notion of residual risk defined as ‘the risk remaining after risk treatment’ may have some theoretical interest in an artificial environment but does not seem to have much practical application. Residual risk should be understood as one element of an exposure profile snapshot that is assumption-based and valid only at a particular moment in time.
