Exploring the new ISO 31000:2018 risk-management standard.
One of the guiding principles behind risk management is the creation of value for the relevant stakeholders. This is why formal risk-management frameworks are put in place: they enable stakeholders to identify the probability of risks surfacing, assess their associated consequences and establish the controls to mitigate them.
Regardless of their scope of work and geographical locations, organisations have in the past implemented risk-management frameworks guided by the International Organisation for Standardisation (ISO) 31000:2009, Principles and Guidelines.
The revision of this guideline was long overdue! Hence, in February 2018, ISO published the revised ISO 31000:2018 Risk Management – Guidelines, following the hard work put in by members of the Technical Committee ISO/TC 262, Risk Management.
What does this revision mean for those organisations that have built their risk-management frameworks based on the old ISO 31000:2009 standard?
The first step, for any standard that has been revised, is to determine the key differences between the old and new. ISO has highlighted the following changes in the revised standard compared with the earlier ISO 31000:2009 version:
• Review of the principles of risk management, which are the key criteria for its success;
• Highlighting the leadership role of top management and the integration of risk management, starting with the governance of the organisation;
• Greater emphasis on the iterative nature of risk management, noting that new experiences, knowledge and analysis can lead to a revision of process elements, actions and controls at each stage of the process; and
• Streamlining the content with greater focus on sustaining an open-systems model to fit multiple needs and contexts.
The transition from ISO 31000:2009 to ISO 31000:2018 will bring numerous benefits, particularly with regard to the emphasis on leadership and commitment, as illustrated in Figure 1.
In my view, this affirms the opportunity to ensure that we all manage risks in our respective functional areas and do not leave it to the risk specialists. This will not weaken top management’s accountability in the direction in which they manage risk, but should complement it.
The emphasis on value creation is clearly visible as the basis of the additional principles.
Does that mean that the earlier edition of 2009 (as shown in Figure 2), with 11 principles, is obsolete? Not entirely. There is a need to integrate or align with the new edition, but, more especially, to look at the added benefits that these initial principles have had in guiding the organisation’s risk-management framework.
I guess the question we might ask is: “How did the previous ISO 31000:2009 improve the way we managed risk?”
Our answers will enable us to embrace the transition to ISO 31000:2018. It is worth noting that the ISO 31000 standard is a guideline and is not meant for certification.