By DOROTHY GJERDRUM, ARM-P, chair of the US TAG ISO 31000 and executive director of the Public Entity & Scholastic Division at Arthur J. Gallagher Risk Management Services; and WAYNE L. SALEN, ARM, CHCM, CPSM, vice chair
of the US TAG ISO 31000, director of risk management at Labor Finders International Inc. and RIMS board member
Published in November of 2009, ISO 31000 is the first international standard on the practice of risk management. The standard applies to any type or size organization, as well as all internal organizational processes, in any country. Our profession can expect that this standard will be widely adopted as the norm for risk management practices.
For traditional risk managers in the United States, it is important to remember that this new standard is intended to build upon what they already do well and expand their view about risk. For decades, risk managers have been incredibly creative and forward-thinking about risk finance and risk transfer techniques.
They have not been as forward-thinking about identifying a broad range of risks--beyond insurable risk, hazard identification, emergency planning or disaster preparedness--or addressing cumulative or crossover risks (such as IT or pandemic planning). The enterprise focus of the ISO 31000 is substantially beyond the focus of traditional risk management coursework and training.
A real strength of this new approach is the identification of a clear-cut sequence of risk owners all the way up to the board level, and the necessary widespread education about risk--both inside and outside an organization. It clearly assigns accountability and strengthens communication. The link to business objectives (at all levels) strengthens both the relevance and the importance of risk management.
And in staying away from the traditional jargon of the profession, the new standard is aimed at being useful for all managers, whether they be operational or financial risk managers or project managers.
ISO 31000 was created by a working group that included technical advisors from 18 countries. In a series of six meetings over several years, the group revised the Australia/New Zealand risk management standard (AS/NZS 4360:2004).
The United States participated in the review and adoption process through the U.S. Technical Advisory Group (U.S. TAG) that was sponsored by the American Society of Safety Engineers (ASSE), which was authorized by the American National Standards Institute (ANSI) to participate in the international working group. The U.S. TAG reviewed and commented on the standard before its final publication and approved ISO 31000 as the standard for the practice of risk management in the United States. It will now be using ISO 31000 as the base document for developing an American National Standard in the next few months.
ISO 31000 is not intended to be a compliance standard; therefore, its implementation is voluntary. Being a voluntary standard allows for more flexibility in implementation and it relaxes the timeframe for adoption as well.
The basis for ISO 31000 is simply that management of risk is central to the livelihood and success of all organizations. The standard outlines the principles that make risk management effective, the framework in which risk management occurs and the process for managing risk.
The standard outlines a long list of the attributes of effective risk management, which includes improving corporate governance, financial reporting and stakeholder trust. When done effectively, according to the standard, the management of risk will raise awareness of the need to identify and treat risk throughout the organization and improve the identification of both opportunities and threats. It will improve controls as well as operational effectiveness and efficiency. The successful implementation of risk management will help organizations comply with relevant legal and regulatory requirements and international norms. And the process of risk management will establish a reliable basis for decision making and planning, and will appropriately allocate and use resources for risk treatment.
Some of the more traditional attributes of effective risk management are also included in the standard, including enhancing health and safety performance, environmental protection, improving loss prevention, incident management, minimizing losses, as well as tracking key risk components (positive and negative). From a wider organizational perspective, effective risk management will improve organizational learning and resilience.
The standard is intended to address a wide range of stakeholders, including those responsible for developing risk management policy (e.g., policymakers), for ensuring that risk is effectively managed (as a whole or for a specific project or activity), for evaluating whether risk is being managed effectively (such as audit and governance), and for developers of standards and codes of practice.
The standard can be used by any public, private or community enterprise, association, group or individual. It is not intended to be specific to any industry, sector or process.
The standard recommends that organizations develop a framework to fully integrate the process for managing risk, reporting and accountability into the organization. That means that risk management is an active component in governance, strategy and planning, management, reporting processes, policies, values and culture. The framework is intended to be adapted to the particular needs and structure of each organization.
The component parts of the framework include establishing the mandate and commitment to risk management; designing the framework for managing risk (which includes understanding the organization's internal and external contexts, establishing a risk management policy, integration of risk management into organizational processes, internal and external communication, and reporting and allocation of appropriate resources); implementing the risk management process, monitoring and review of the process; and continual improvement of the framework.
The core of the risk management process should sound familiar to risk managers. It incorporates the five steps in the traditional risk management process: identify, analyze, select the best response, implement and monitor. Those steps are expanded some, but they are still central to the process.
In addition to the core steps of the process, there are two key functions that should happen continually throughout the risk management process:
1. Communication and consultation need to be built into the process and involve both internal and external stakeholders.
2. Monitoring and review ensure that controls are effective, lessons are learned risks will be appropriately addressed, and the organization will be resilient and ready for change.
ISO 31000 contains some definitions that would be of interest to traditional risk managers, such as "risk" being the effect of uncertainty on objectives and "risk management" being the coordinated activities to direct and control an organization with regard to risk.
As for the aforementioned "risk owner," it is defined as is the person (or entity) with the accountability and authority to manage the risk, while a "stakeholder" is any person or organization that can affect, be affected by or perceive themselves to be affected by a decision or activity. (Decision-makers are also stakeholders.)
One definition that traditional risk managers will notice for its absence is "risk control." In its place is "risk treatment," the process to modify risk, such as avoiding risk, removing the risk source, changing the likelihood or consequence, sharing the risk, taking or increasing risk in order to pursue an opportunity, or retaining the risk by informed choice. Unlike "risk control," it was felt that "risk treatment" addresses the opportunities posed by certain risks, not just the traditional hazards or perils of risk.
There are more definitions contained in the standard, and the explanatory notes are also helpful. Guide 73 includes additional definitions related to risk management that may be referenced in other ISO standards.
ISO 31000:2009 was published, along with "Guide 73: Definitions," on November 15, 2009. It is available on line at www.asse.org/ or www.ansi.org. The cost is $110. Another document that is closely related is the standard on the process of risk assessment (ISO 31010), currently being finalized by a separate ISO working group (and not yet published).
Ultimately, the new ISO 31000 standard will make risk management central to the success of an organization and an intimate part of key processes such as planning, management and governance.
If you are ready to lead your organization's approach to risk management to the next level, this standard should be your first investment and your guide.
January 1, 2010
Copyright 2010© LRP Publications