Alex Dali and Christopher Lajtha offer some practical tips for responding to the new risk management standard ISO 31000

Network with other risk managers online
Join StrategicRISKs exclusive LinkedIn group

The ISO 31000 ‘Risk Management - Principles and Guidelines’ is scheduled to be published in December 2009. This will mark the end of a four-year development period, during which up to 60 experts, representing 30 countries, worked within an ISO international technical committee.

The ISO guidelines are designed for a wide range of risk management practitioners, experienced or novice, and for those responsible for risk management oversight who are interested in benchmarking their risk management organisation and practices against a recognised international reference.

It is important to understand both the usefulness and the limitations of such a generic reference. ISO 31000 describes voluntary risk management guidelines, not a prescriptive compliance requirement.

In order to avoid the kind of costs and time consumption that resulted from the launch of the ill-fated COSO II Enterprise Risk Management – Integrated Framework (in 2004), this brief overview is designed to highlight the principal positive and negative features anticipated with the ISO 31000. The objective is to alert risk management practitioners to the imminent publication of a new international risk management guideline in the guise of a new ISO standard.

The ISO 31000 chapter headings are: 1) Scope; 2) Terms and definitions; 3) Principles; 4) Framework; and 5) Process. Arguably, chapter 2 would be better positioned in an appendix – leaving just four core chapters.

Positive features

The new standard:

• can apply to any activity or domain in any organisation – public or private;

• will supplement or replace a variety of independent, national risk management standards;

• provides an umbrella’ for more than 60 recognised standards and guidelines that refer to risk management (per CEN – European Committee for Standardisation);

• despite being labelled as an ISO standard, is:

• a set of guidelines;

• voluntarily applicable: it is not prescriptive, and there is no legal requirement; and

• specifically not intended for certification;

• provides a globally applicable risk management reference guide with generic:

• three-pillar architecture (principles, framework, process); and

• risk management terminology (tree-structure): ISO/IEC Guide 73;

• represents an international consensus;

• provides for a continuum of improvement through the iterative process and feedback loops or opportunities for lessons learned at each stage in the process;

• provides a single global reference for stakeholders in an organisation who have an interest in risk management;

• provides a useful communication tool about both the organisational context and scope of risk management;

• will facilitate risk management education and training programmes.

Things to watch out for

ISO 31000 will be an internationally recognised reference

Like it or not, ISO 31000 will become a common reference for stakeholders concerned with risk management. Familiarity with the content and the adoption of the risk management framework and process described (or something sufficiently similar to be tracked to ISO 31000) will be advantageous to risk management professionals, especially in large or complex organisations.

Standard versus guideline

Though ISO’s name indicates that it is an international standards body, ISO 31000 has been issued as a generic guideline and specifically not as a certifiable standard. Risk management professionals should take care to make this distinction clear to senior executives in their organisations and more generally when referring to ISO 31000.

ISO 31000 is a user-friendly tool, compared with COSO II

“The risk management architecture is both robust and relatively simple to apply

Even if the risk management process has been made more elaborate than strictly necessary, the ISO 31000 two-dimensional, graphic triptych is vastly more helpful to the risk manager than the cumbersome and confusing COSO II cube (assembled by a handful of sponsoring organisations

that shared a common interest in developing a heavyweight, compliance-focused enterprise risk management (ERM) process that promoted the importance of internal control and internal audit functions).

Keep the risk management architecture simple

ISO 31000 is built around a three-pillar structure: risk management principles; risk management framework, and risk management process. This architecture is both robust and relatively simple to apply. The principles address the issue of risk management purpose and objectives. The framework establishes the mandate and commitment at senior management and board levels. It also requires a description of the internal and external organisational contexts. The process describes the implementation of risk management at the business unit level for day-to-day activities of risk assessment and risk treatment.

Avoid the creation of a parallel management system

ISO 31000 clearly states (when addressing the risk management framework): ‘This framework is not intended to prescribe a management system, but rather, to assist the organisation to integrate risk management into its overall management system. Organisations should adapt the components of the framework to their specific needs’.

Lessons should be learned from the troubled implementation of the ISO 9000 series during the early years, and problems encountered with the creation of parallel quality management systems.

Many companies that have implemented ISO standards on a large scale start wondering, after a few years, if the benefits are really worth the costs involved. ISO standards can be expensive to implement and to maintain if parallel management systems are set up to support a bureaucratic compliance reporting process.

The opportunity to review existing practices

Although ISO 31000 does not impose any compulsory compliance, it would be a mistake to overlook its usefulness as a generic reference. A risk management team may find it helpful to compare its own risk management framework and process to that described in ISO 31000 and to track the similarities and differences.

Use ISO 31000 as a means to interface more effectively with business units

The business proposition of effective risk management is to promote improvement in business performance. It would be a mistake to use ISO 31000 as a tool for the creation of burdensome reporting on risk. Where possible, use and leverage information that is already captured within the normal course of business operations.

IS0 31000 could be useful in response to credit rating agency enquiries

Some credit rating agencies have started to look at ERM as a factor in their credit rating analysis. Without being prescriptive, ISO 31000 provides a useful cross-reference framework for explaining how risk management is structured and implemented within a specific organisation.

Beware of national standards bodies/associations looking for certification opportunitiesISO 31000 states that ‘this international standard is not intended for the purpose of certification’. However, there is a danger of creeping certification, especially if the ISO label is taken at superficial face value. You need to monitor carefully the activities of national standards bodies and others whose interests may lie in finding reasons for certification.

Beware misperceptions of the invasiveness of ISO 31000

There are some who perceive that ISO 31000 is an attempt at some form of world domination in the field of risk management guidelines. This is not ISO’s stated aim: ISO 31000 is a non-prescriptive, non-compulsory generic reference tool. It does not pretend to impose best practices, but rather to harmonise principles, framework and processes. Opinions expressed about ISO 31000 should not be received uncritically, but checked and challenged. National and regional risk management associations can help by providing clear guidance to their members.

Use ISO 31000 (ISO/IEC Guide 73) terminology as a reference, not a requirement

The ISO/IEC Guide 73 ‘Risk Management – Vocabulary - Guidelines for Use in Standards’ was first published in June 2002. Guide 73 seeks to provide a reference language for risk and risk management, and is the source of terms and definitions referred to in ISO 31000. Guide 73 is being reviewed by the same ISO committee dealing with the ISO 31000 and is expected to be published at the same time, at the end of 2009.

While the motivation for a common language of risk is sound, and a key attraction of a global reference standard, some of the compromise definitions that have been agreed in Guide 73 and therefore ISO 31000 are not as useful as they could have been (see examples in box). Risk managers should not hesitate to simplify or add clearer focus to the language that they use when crafting internal corporate risk management policies and guidelines – language that is consistent with that used by senior executive management and other business support functions.

Keep the risk management process simple and robust

While a two-phase risk management process defined in terms of risk analysis and risk response may be considered somewhat minimalist, the ISO 31000 process diagram is arguably more complicated than necessary. This should not deter reference to ISO 31000 or the crafting of a similar, yet simpler, process diagram.

Keep a critical eye out for exaggeration and self-serving statements

Statements such as ‘There should be an organisation-wide risk management plan to ensure that the risk management policy is implemented and that risk management is embedded in all of the organisation’s practices and processes’ may be applicable to a handful of organisations, but not to the vast majority. This represents more of a text-book ideal than a practical guideline, and should not be taken too literally.

Communication – look out for stakeholder overkill

Statements such as ‘Communication and consultation with external and internal stakeholders should take place at all stages of the risk management process’ need to be examined critically in the context of current business practices and controlled communication flows. Quite apart from the practical realities of managing complex organisations, what might appear appropriate to an academic or an NGO may not feel so appropriate to a CFO, head of legal department or head of communications or investor relations in a multinational company.

Be sceptical about external consultants selling systems on the back of ISO 31000

Try to exploit the information management systems and platforms already in use to capture exposure metrics. Simple web-accessible database tools can be customised to feed the risk management process information needs and reporting requirements without recourse to expensive proprietary systems. Many IT companies offer web-based GRC (governance, risk and compliance) or ERM software solutions. However, ISO 31000 makes no special demands for information management beyond what has been already determined by good risk management practice. n

Key definitions

Until the final version of ISO 31000 is published in December 2009, comments about key word definitions cannot be definitive. However, analysis of the most recent, close-to-final versions reveals that some definitions may prove to be less useful than others. Examples where special attention, and perhaps further simplification, may prove to be useful include:

Risk is defined as ‘the effect of uncertainty on objectives’. A couple of notes accompany this definition.

Effect is described in a note as ‘deviation from the expected (positive or negative)’. Uncertainty is described in another note as ‘the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or likelihood’. This is a considerable improvement over earlier definitions of risk expressed narrowly in terms
of a combination of event impact (severity) and likelihood (probability).
A similar, but arguably more granular, definition of risk is ‘a measure of deviation from a range of expected outcomes’. (Note that risk is effectively a measure of distance by this definition.)

Risk management is defined as ‘the co-ordinated activities to direct and control an organisation with regard to risk’. This is a very broad definition and hence not as useful as it should be. Real-life experience does not suggest that risk managers, for the most part, are ‘charged with directing and controlling organisations with regard to risk’. This definition appears to be rooted in academic consensus rather than practical operational reality.
A simpler, and probably more operationally useful, definition is that risk management is ‘a discipline for dealing with uncertainty’.

Risk management plan is defined as a ‘scheme, within the risk management framework, specifying the approach, the management components, and resources to be applied to the management of risk’.
Given the ISO 31000 architecture – principles, framework and process – the reference to a risk management plan appears to be somewhat bureaucratic and confusing, especially in the form of an organisation-wide edict suggested in ISO 31000 (Section 4.3.4 Framework; Design; Integration).

The notion of risk transfer has been replaced, within the generic heading of risk treatment, by that of ‘sharing risk with another party or parties’. This is a positive development in that it more correctly reflects the practical reality that shifting responsibility and accountability for risk management to others is rarely fully achievable. Even a resort to external risk financing is more akin to risk sharing than risk transfer, since the extent of such risk financing is rarely 100%, and often materially less important.
The reference to risk owner – defined as ‘the person or entity with accountability and authority to manage the risk’ could be problematic for some risk management practitioners. Internal management allocation of responsibility for risk treatment initiatives does not transfer ‘ownership’ of risk. It transfers obligations to perform tasks to a certain standard and within a certain time frame. While people understand the notion of task allocation and
performance obligations, confusion may be caused by the notion of
risk ownership.

The notion of residual risk defined as ‘the risk remaining after risk
treatment’ may have some theoretical interest in an artificial environment but does not seem to have much
practical application. Residual
risk should be understood as one
element of an exposure profile
snapshot that is assumption-
based and valid only at a particular moment in time.