The New ISO 31000 Keeps Risk Management Simple

Damage to reputation or brand, cybercrime, political risk and terrorism are some of the risks that private and public organizations of all types and sizes around the world must face with increasing frequency. The latest version of ISO 31000 has just been unveiled to help manage the uncertainty.

Risk enters every decision in life, but clearly some decisions need a structured approach. For example, a senior executive or government official may need to make risk judgements associated with very complex situations. Dealing with risk is part of governance and leadership, and is fundamental to how an organization is managed at all levels.

Yesterday’s risk management practices are no longer adequate to deal with today’s threats and they need to evolve. These considerations were at the heart of the revision of ISO 31000, Risk management – Guidelines, whose latest version has just been published. ISO 31000:2018 delivers a clearer, shorter and more concise guide that will help organizations use risk management principles to improve planning and make better decisions. Following are the main changes since the previous edition:

  • Review of the principles of risk management, which are the key criteria for its success
  • Focus on leadership by top management who should ensure that risk management is integrated into all organizational activities, starting with the governance of the organization
  • Greater emphasis on the iterative nature of risk management, drawing on new experiences, knowledge and analysis for the revision of process elements, actions and controls at each stage of the process
  • Streamlining of the content with greater focus on sustaining an open systems model that regularly exchanges feedback with its external environment to fit multiple needs and contexts

As Chair of technical committee ISO/TC 262 on risk management that developed the standard, I suggest that the revised version of ISO 31000 focuses on the integration with the organization and the role of leaders and their responsibility. Risk practitioners are often at the margins of organizational management and this emphasis will help them demonstrate that risk management is an integral part of business.

Each section of the standard was reviewed in the spirit of clarity, using simpler language to facilitate understanding and make it accessible to all stakeholders. The 2018 version places a greater focus on creating and protecting value as the key driver of risk management and features other related principles such as continual improvement, the inclusion of stakeholders, being customized to the organization and consideration of human and cultural factors.

Risk is now defined as the “effect of uncertainty on objectives”, which focuses on the effect of incomplete knowledge of events or circumstances on an organization’s decision making. This requires a change in the traditional understanding of risk, forcing organizations to tailor risk management to their needs and objectives – a key benefit of the standard. Jason Brown explains: “ISO 31000 provides a risk management framework that supports all activities, including decision making across all levels of the organization. The ISO 31000 framework and its processes should be integrated with management systems to ensure consistency and the effectiveness of management control across all areas of the organization.” This would include strategy and planning, organizational resilience, IT, corporate governance, HR, compliance, quality, health and safety, business continuity, crisis management and security.

The resulting standard is not just a new version of ISO 31000. Reaching beyond a simple revision, it gives new meaning to the way we will manage risk tomorrow. As regards certification, ISO 31000:2018 provides guidelines, not requirements, and is therefore not intended for certification purposes. This gives managers the flexibility to implement the standard in a way that suits the needs and objectives of their organization.

The principal objective of ISO/TC 262 is to help organizations ensure their viability and success over the longer term, in the interests of all stakeholders, by providing good risk management practice. Because “failure to manage risks is inherently risking failure.”

In the next column I will address the use of ISO 31000 in the security context and the work under way to develop the HB167 Security Risk Management Handbook.


Jason Brown is the National Security Director for Thales in Australia and New Zealand. He is responsible for security liaison with government, law enforcement and intelligence communities to develop cooperative arrangements to minimise risk to Thales and those in the community that it supports. He is also responsible for ensuring compliance with international and Commonwealth requirements for national security and relevant federal and state laws. He has served on a number of senior boards and committees, including as Chair of Security Professionals Australasia, member of the ASIS International Standards and Guidelines Commission and Chair of the Australian Standards Committee for Security and Resilience. As of February 2017, Jason has been appointed Chair of the International Standards Committee for Risk Management.