After more than five years in the making and thousands of comments received from representatives of 54 participating and observing countries, as well as multiple liaison organisations, the updated ISO 31000 standard is going through the final stages of feedback and will likely be published in early 2018.
This article summarises the key changes to the most popular standard in the risk management world, ISO 31000, and how the changes will impact businesses.
Key Changes Proposed in the 2018 Version
There are no significant changes. That is right. Five years in the making and thousands of comments received and processed and, at the end, all changes are either cosmetic or reinforce the messages that have been included since the 2009 version. This could either mean the 2009 version was already great and just needed more emphasis, or it could mean that the members of ISO TC262 did not have an appetite for change or innovation. It is actually both, and full credit should go to the authors of the ISO 31000:2009 version, because the document in its original form already listed all the right principles and concepts.
So, what has changed? Here are some of the most important changes:
- The document is shorter. It is now only 15 pages (excluding covers and bibliography).
- The number of principles has reduced from eleven to eight, without losing any of the important messages.
- The standard reinforces the purpose of risk management. According to the authors, the purpose of the risk management framework is to assist an organisation in integrating risk management into all its activities and functions. The effectiveness of risk management will depend on its integration into the governance and all activities of the organisation, including decision making.
- The responsibility of top management and oversight bodies has been added. They should ensure that risk management is integrated into all organisational activities and should demonstrate leadership and commitment.
- The concept of integration is reinforced throughout the document; here are just a few examples:
  - Risk management should be a part of, and not separate from, the organisational purpose, governance, leadership and commitment, strategy, objectives and operations.
  - Properly designed and implemented, the risk management framework will ensure that the risk management process is a part of all activities throughout the organisation, including decision making, and that changes in external and internal contexts will be adequately captured.
  - The organisation should continually improve the suitability, adequacy and effectiveness of the risk management framework and the way the risk management process is integrated.
  - The risk management process should be an integral part of management and decision making and should be integrated into the structure, operations and processes of the organisation.
- The new standard explicitly states that there can be many applications of the risk management process within an organisation, customised to achieve objectives and to suit the external and internal context in which they are applied.
- The standard also addresses the dynamic and variable nature of human behaviour and culture, which should be considered throughout the risk management process.
These messages are very powerful. They are not new, but they reinforce the type of risk management that is integrated into business activities and key decision-making processes; the type of risk management that is not done on a pre-determined periodic basis (quarterly, monthly and so on), but at the time of making an important business decision or as part of the business process or activity.
What does it mean for Businesses?
Since all the changes are either reinforcing existing ideas or cosmetic, does that mean risk managers do not have to do anything? Yes, for those risk managers who have been applying the ISO 31000 principles since its publication in 2009. However, in 14 years in risk management, I have probably met less than 10 people like that globally. Nevertheless, here are some examples of successful practices:
- Integrating into strategic planning – the effect of uncertainty on the strategic objectives is assessed at the time the strategy is formulated, not after it has been approved by the board. Risk analysis becomes an important step of the actual strategy-setting and update processes. Risk managers use scenario analysis or simulation modelling to present an independent opinion on strategic objectives, the likelihood of achieving them and the impact the risks may have on their achievement.
- Integrating into budgeting – while it is quite common to budget using three scenarios (optimistic, realistic and pessimistic), this may not be sufficient from a risk management point of view. These scenarios are often formed without the risk management team’s participation, or even without due consideration of the actual risks associated with the budget. Thus, even the pessimistic scenarios often do not account for many significant risks, creating an overly optimistic and misleading picture for executives and decision-makers. Proper risk analysis can bring significant value to the budgeting process. Risk managers should review and improve the management assumptions used in scenario analysis, or introduce simulation modelling, to make sure all important risks are captured and their impact on liquidity assessed. Risk analysis helps replace static, point-in-time budgets with a distribution of possible values. It also helps set management key performance indicators (KPIs) based on the risk information, thus improving the likelihood of them being achieved and reducing the conflict of interest the finance department and management team have in presenting an overly optimistic budget. Risk analysis helps to identify the most critical risks affecting the budget, allowing management to allocate ownership and determine the budget for risk mitigation.
- Integrating into performance management – risk management can be integrated into the performance management cycle of the organisation, both at the individual level and at the corporate level. One of the risk managers we interviewed shared an example where traditional static corporate KPIs have been replaced with dynamic, risk-based, ranged KPIs. This allowed management to have bands of values instead of a single value. Some KPIs stayed as single-value estimates; however, they were calculated as the 95th percentile of the distribution of possible values based on a Monte Carlo simulation. Triggers and key risk indicators may also be set for corporate KPIs to improve monitoring and performance tracking. At an individual level, risk management KPIs may be set around risk-based decision making, timely risk mitigation, risk management training grades or an internal audit assessment of risk management effectiveness in different business units.
- Integrating into investment decision making – the use of simulation allows users to estimate the range of project costs and expected returns, along with the most significant assumptions made by management that affect project KPIs.
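The budgeting and performance-management practices above both rest on the same mechanic: replacing a single point estimate with a distribution of outcomes produced by a Monte Carlo simulation, then reading a ranged KPI (for example the 95th percentile) and the probability of breaching a static "pessimistic" scenario off that distribution. The following is an added illustration written for this article, not code from the article's author or from any organisation it describes. It assumes a hypothetical single-period cost budget in which each risk is an independent event with a probability of occurring and a triangular (low / most likely / high) cost impact; the risk names and figures are constructed sample data.

```python
"""Monte Carlo budget risk analysis (added example; assumptions are hypothetical).

Each risk is modelled as an independent event with a probability of occurring
in the budget period and a triangular cost impact if it does. The baseline
budget plus the cost of every risk that materialises gives one simulated
outcome; thousands of outcomes give the distribution the KPIs are read from.
"""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Risk:
    """One budget risk: chance of occurring and a triangular cost impact."""
    name: str
    probability: float  # 0..1, chance the event happens within the period
    low: float          # minimum cost if it happens
    mode: float         # most likely cost if it happens
    high: float         # maximum cost if it happens

    def expected_cost(self) -> float:
        # Mean of a triangular distribution is (low + mode + high) / 3,
        # weighted by the chance the risk occurs at all.
        return self.probability * (self.low + self.mode + self.high) / 3.0


def sample_total_cost(baseline: float, risks: Sequence[Risk], rng: random.Random) -> float:
    """One simulation run: baseline plus the cost of every risk that materialises."""
    total = baseline
    for r in risks:
        if rng.random() < r.probability:
            total += rng.triangular(r.low, r.high, r.mode)
    return total


def simulate_budget(baseline: float, risks: Sequence[Risk],
                    runs: int = 10_000, seed: int = 42) -> List[float]:
    """Run the simulation with a fixed seed so results are reproducible for review."""
    rng = random.Random(seed)
    return [sample_total_cost(baseline, risks, rng) for _ in range(runs)]


def percentile(samples: Sequence[float], p: float) -> float:
    """Nearest-rank percentile for 0 < p <= 1; p=0.95 gives the 95th percentile."""
    ordered = sorted(samples)
    rank = max(1, math.ceil(p * len(ordered)))
    return ordered[rank - 1]


def probability_exceeding(samples: Sequence[float], threshold: float) -> float:
    """Share of runs whose total cost exceeds a static budget figure."""
    return sum(1 for s in samples if s > threshold) / len(samples)


def rank_risks(risks: Sequence[Risk]) -> List[str]:
    """Risk names ordered by expected cost, highest first: the 'critical' risks."""
    return [r.name for r in sorted(risks, key=lambda r: r.expected_cost(), reverse=True)]


def budget_summary(baseline: float, risks: Sequence[Risk], static_pessimistic: float,
                   runs: int = 10_000, seed: int = 42) -> Dict[str, float]:
    """Ranged KPIs read off the simulated distribution, plus the chance that the
    static pessimistic scenario (set without these risks) is still exceeded."""
    samples = simulate_budget(baseline, risks, runs, seed)
    return {
        "mean": sum(samples) / len(samples),
        "p50": percentile(samples, 0.50),
        "p95": percentile(samples, 0.95),
        "p_exceed_pessimistic": probability_exceeding(samples, static_pessimistic),
    }


if __name__ == "__main__":
    # Constructed sample data, not figures from any real organisation.
    baseline = 1_000_000.0
    risks = [
        Risk("Key supplier price increase", 0.40, 50_000, 80_000, 150_000),
        Risk("Regulatory fine", 0.05, 100_000, 250_000, 600_000),
        Risk("Project overrun", 0.60, 20_000, 60_000, 200_000),
    ]
    static_pessimistic = 1_100_000.0  # the finance team's 'pessimistic' scenario
    summary = budget_summary(baseline, risks, static_pessimistic)
    for key, value in summary.items():
        print(f"{key:>22}: {value:,.2f}")
    print("most critical risks:", rank_risks(risks))
```

The 95th-percentile figure is the single-value KPI described above, the p50/p95 pair is the ranged KPI, and `p_exceed_pessimistic` quantifies how misleading a pessimistic scenario built without the risk register can be; `rank_risks` orders the risks by expected cost so ownership and mitigation budget can be assigned to the ones that matter most.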
For these risk managers, ISO 31000:2018 will be a nice reinforcement of what they have been doing for years.
The majority of risk managers in non-financial companies, however, choose to settle for regular risk register updates, periodic risk reporting and standalone risk management framework documents. All these practices are relatively ineffective and never did align well with the original ISO 31000 principles. So, for them, the new standard is a wonderful opportunity to re-evaluate current risk management methodologies and start building a business case for why risk management needs to be better integrated into decision-making and key business processes.
National and international risk management associations have an important role to play in building awareness around the new ISO 31000 to help integrate risk management principles into national legislation and government-issued guidelines.