The new ISO 31000 is due to be published in February 2018: what changes can you expect?
- Published: Friday, 19 January 2018 09:54
ISO 31000, 'Risk management – Principles and guidelines', was published in 2009 and has been undergoing a revision. The new version will be available in mid-February and in this article Alexei Sidorenko, CRMP, provides a preview of what risk managers can expect from the new standard.
After more than five years in the making and thousands of comments received from representatives of 54 participating and observing countries as well as multiple liaison organizations, the updated ISO 31000 standard is nearing publication.
In this short article I will attempt to summarize the key changes to the world’s most popular risk management standard and how the changes will impact businesses.
The key changes proposed in 2018 version are…
There are in fact no significant changes. That’s right, all the changes are either cosmetic or reinforcing the messages that were always in there since the 2009 version. This could either mean that the 2009 version was already great and just needed more emphasis or it could mean that the members of the ISO TC262 committee that developed the standard did not have an appetite for change or innovation. It’s actually both and full credit should go to the authors of the ISO 31000 2009 version, because the document in its original form already listed all the right principles and concepts.
So, what has actually changed?
Here are some of the most important changes:
- The document is shorter. It is now only 15 pages (excluding covers and bibliography);
- The number of principles has reduced from 11 to 8 without losing any of the important messages;
-The standard reinforces the purpose of risk management. According to the authors, the purpose of the risk management framework is to assist the organization in integrating risk management into all its activities and functions. The effectiveness of risk management will depend on its integration into the governance and all activities of the organization, including decision-making.
- Top management and oversight bodies responsibility is added. They should ensure that risk management is integrated into all organizational activities and should demonstrate leadership and commitment.
- The concept of integration is reinforced throughout the document, here are just few examples:
- Risk management should be a part of, and not separate from, the organizational purpose, governance, leadership and commitment, strategy, objectives and operations.
- Properly designed and implemented, the risk management framework will ensure that the risk management process is a part of all activities throughout the organization, including decision-making, and changes in external and internal contexts will be adequately captured.
- The organization should continually improve the suitability, adequacy and effectiveness of the risk management framework and the way the risk management process is integrated.
- The risk management process should be an integral part of management and decision-making and should be integrated into the structure, operations and processes of the organization.
- The new standard explicitly states that there can be many applications of the risk management process within an organization, customized to achieve objectives and to suit the external and internal context in which they are applied.
- The standard also addresses the dynamic and variable nature of human behavior and culture which should be considered throughout the risk management process.
These messages are very powerful. They are not new, but they reinforce the type of risk management that is integrated into business activities and key decision-making processes. The type of risk management that is not done on a pre-determined periodic basis (quarterly, monthly, etc.), but instead done at the time of making an important business decision or as part of the business process or activity.
What does it mean for businesses?
Since all the changes are either reinforcing existing ideas or cosmetic, does that mean risk managers don’t have to do anything? I wish I could say that was true for all.
It is true for the risk managers who have been applying the ISO 31000 principles since its publication in 2009. In 14 years in risk management, I have probably met less than 10 people like that globally. For them, ISO 31000:2018 will be a nice reinforcement of what they have been doing for years. Well done you!
The majority of risk managers in non-financial companies, however, choose to settle for regular risk register updates, period risk reporting and standalone risk management framework documents. All these practices are relatively ineffective and never did align well with the original ISO 31000 principles. So, for these, the new standard is a wonderful opportunity to reevaluate their current risk management methodologies and start building a business case on why risk management needs to be better integrated into decision making and key business process.
National and international risk management associations also have an important role to play in building awareness around the new ISO 31000 to help integrate risk management principles into national legislation and government issued guidelines.