The IRM has published a guide to help risk managers navigate the newly revised ISO 31000 standard –A risk practitioner’s guide to ISO 31000: 2018.
The overhaul of the standard was released at the end of last year and the ISO says that ‘This is not just a new version of ISO 31000… it gives new meaning to the way we will manage risk tomorrow.’
ISO 31000 is designed to provide direction on how companies can integrate risk-based decision making into their governance, planning, management, reporting, policies, values and culture. It is an open, principles-based system, meaning managers have the flexibility to implement the standard in a way that suits the needs and objectives of their organisation.
The 2018 revision delivers a clearer, shorter and more concise guide that the ISO says will help organisations use risk management principles to improve planning and make better decisions. The main changes are:
Jason Brown, chair of technical committee ISO/TC 262 on risk management, which developed the standard, said: “The revised version of ISO 31000 focuses on the integration with the organisation and the role of leaders and their responsibility. Risk practitioners are often at the margins of organisational management and this emphasis will help them demonstrate that risk management is an integral part of business.
“The ISO 31000 framework and its processes should be integrated with management systems to ensure consistency and the effectiveness of management control across all areas of the organisation.”
There is much useful information in ISO 31000 for risk professionals as they support their employer and/or clients in the implementation of a risk management initiative through a combination of principles, framework and process. The key message from the IRM is that organisations should implement the ISO 31000 principles and components that are best suited to their particular circumstances and modify other principles and components as necessary.
Risk professionals will need to extract the guidance and advice most relevant to their employer or client organisations when formulating a successful risk management initiative that will enhance the success of the organisation.
The standard doesn’t include a checklist to work through, but the IRM guidance document has this covered, with a whole section on the relevance of ISO 31000 for risk professionals. The guidance covers the activities that should be worked through on a continuous basis, related to planning, implementation, measurement and learning.
So, while ISO 31000 contains much valuable information and represents robust, high-level guidelines for the management of risk, the challenge for risk professionals will be to align it with their own approach to implementing a risk management initiative.