20-24_ISO_Sep09.

qxp:Value 8/28/09 11:09 AM Page 20

STANDARDS
20-24_ISO_Sep09.qxp:Value 8/28/09 11:10 AM
The gold standard
Alex Dali and Christopher Lajtha offer some practical tips for
responding to the new risk management standard ISO 31000
T
he ISO 31000 ‘Risk Management -
Principles and Guidelines’ is scheduled to
be published in December 2009. This will
mark the end of a four-year development
period, during which up to 60 experts, representing
30 countries, worked within an ISO international
technical committee.
The ISO guidelines are designed for a wide range
of risk management practitioners, experienced or
novice, and for those responsible for risk manage-
ment oversight who are interested in benchmarking
their risk management organisation and practices
against a recognised international reference.
It is important to understand both the usefulness
and the limitations of such a generic reference. ISO
31000 describes voluntary risk management guide-
lines, not a prescriptive compliance requirement.
In order to avoid the kind of costs and time con-
sumption that resulted from the launch of the ill-fated
COSO II Enterprise Risk Management – Integrated
Framework (in 2004), this brief overview is designed
to highlight the principal positive and negative fea-
tures anticipated with the ISO 31000. The objective is
to alert risk management practitioners to the immi-
nent publication of a new international risk manage-
ment guideline in the guise of a new ISO standard.
The ISO 31000 chapter headings are: 1) Scope;
2) Terms and definitions; 3) Principles; 4)
Framework; and 5) Process. Arguably, chapter 2
would be better positioned in an appendix – leaving
just four core chapters.
Positive features
The new standard:
• can apply to any activity or domain in any organ-
isation – public or private;
• will supplement or replace a variety of independ-
ent, national risk management standards;
• provides an umbrella’ for more than 60 recog-
nised standards and guidelines that refer to risk
management (per CEN – European Committee
for Standardisation);
• despite being labelled as an ISO standard, is:
 a set of guidelines;
 voluntarily applicable: it is not prescriptive, and
there is no legal requirement; and
Page 21
 specifically not intended for certification;
• provides a globally applicable risk management
reference guide with generic:
 three-pillar architecture (principles, frame-
work, process); and
 risk management terminology (tree-structure):
ISO/IEC Guide 73;
• represents an international consensus;
• provides for a continuum of improvement
through the iterative process and feedback loops
or opportunities for lessons learned at each stage
in the process;
• provides a single global reference for stakeholders
in an organisation who have an interest in risk
management;
• provides a useful communication tool about
both the organisational context and scope of
risk management;
• will facilitate risk management education and
training programmes.
Things to watch out for
ISO 31000 will be an internationally recognised reference
Like it or not, ISO 31000 will become a common
reference for stakeholders concerned with risk man-
agement. Familiarity with the content and the adop-
tion of the risk management framework and
process described (or something sufficiently similar
to be tracked to ISO 31000) will be advantageous to
risk management professionals, especially in large
or complex organisations.
Standard versus guideline
Though ISO’s name indicates that it is an interna-
tional standards body, ISO 31000 has been issued as
a generic guideline and specifically not as a certifi-
able standard. Risk management professionals
should take care to make this distinction clear to
senior executives in their organisations and more
generally when referring to ISO 31000.
ISO 31000 is a user-friendly tool, compared with COSO II
Even if the risk management process has been
made more elaborate than strictly necessary, the
ISO 31000 two-dimensional, graphic triptych is
vastly more helpful to the risk manager than the
STANDARDS
cumbersome and confusing COSO II cube (assem-
bled by a handful of sponsoring organisations
that shared a common interest in developing a
heavyweight, compliance-focused enterprise risk
management (ERM) process that promoted the
importance of internal control and internal
audit functions).
Keep the risk management architecture simple
ISO 31000 is built around a three-pillar structure:
risk management principles; risk management
framework, and risk management process. This
architecture is both robust and relatively simple to
apply. The principles address the issue of risk man-
agement purpose and objectives. The framework
establishes the mandate and commitment at senior
Like it or not, ISO
31000 will become a
common reference
for stakeholders
concerned with risk
management
management and board levels. It also requires a
description of the internal and external organisa-
tional contexts. The process describes the imple-
mentation of risk management at the business unit
level for day-to-day activities of risk assessment and
risk treatment.
Avoid the creation of a parallel management system
ISO 31000 clearly states (when addressing the risk
management framework): ‘This framework is not
intended to prescribe a management system, but
rather, to assist the organisation to integrate risk
management into its overall management system.
Organisations should adapt the components of the
framework to their specific needs’.
Lessons should be learned from the troubled
implementation of the ISO 9000 series during the
early years, and problems encountered with the
creation of parallel quality management systems.
StrategicRISK SEPTEMBER 2009 | www.strategicrisk.co.uk 21
20-24_ISO_Sep09.qxp:Value 8/28/09 11:10 AM Page 22

STANDARDS

Many companies that have implemented ISO
standards on a large scale start wondering, after a
few years, if the benefits are really worth the costs
involved. ISO standards can be expensive to imple-
ment and to maintain if parallel management
systems are set up to support a bureaucratic
compliance reporting process.
The opportunity to review existing practices
Although ISO 31000 does not impose any compul-
sory compliance, it would be a mistake to overlook
its usefulness as a generic reference. A risk manage-
ment team may find it helpful to compare its own
risk management framework and process to that
described in ISO 31000 and to track the similarities
and differences.
Use ISO 31000 as a means to interface more
effectively with business units
The business proposition of effective risk manage-
ment is to promote improvement in business per-
formance. It would be a mistake to use ISO 31000
as a tool for the creation of burdensome reporting
on risk. Where possible, use and leverage informa-
tion that is already captured within the normal
course of business operations.
IS0 31000 could be useful in response to credit
rating agency enquiries
Some credit rating agencies have started to look at
ERM as a factor in their credit rating analysis. field of risk management guidelines. This is not
Without being prescriptive, ISO 31000 provides a ISO’s stated aim: ISO 31000 is a non-prescriptive,
useful cross-reference framework for explaining non-compulsory generic reference tool. It does not
how risk management is structured and imple- pretend to impose best practices, but rather to har-
mented within a specific organisation. monise principles, framework and processes.
Opinions expressed about ISO 31000 should not be
Beware of national standards bodies/associations received uncritically, but checked and challenged.
looking for certification opportunities National and regional risk management associa-
ISO 31000 states that ‘this international standard is tions can help by providing clear guidance to
not intended for the purpose of certification’. their members.
The risk management Use ISO 31000 (ISO/IEC Guide 73) terminology as a
reference, not a requirement
architecture is both The ISO/IEC Guide 73 ‘Risk Management –
Vocabulary - Guidelines for Use in Standards’ was
robust and relatively first published in June 2002. Guide 73 seeks to pro-
vide a reference language for risk and risk manage-
simple to apply ment, and is the source of terms and definitions
referred to in ISO 31000. Guide 73 is being reviewed
by the same ISO committee dealing with the ISO
However, there is a danger of creeping certification, 31000 and is expected to be published at the same
especially if the ISO label is taken at superficial face time, at the end of 2009.
value. You need to monitor carefully the activities While the motivation for a common language of
of national standards bodies and others whose risk is sound, and a key attraction of a global refer-
interests may lie in finding reasons for certification. ence standard, some of the compromise definitions
that have been agreed in Guide 73 and therefore ISO
Beware misperceptions of the invasiveness of 31000 are not as useful as they could have been (see
ISO 31000 examples in box). Risk managers should not hesi-
There are some who perceive that ISO 31000 is an tate to simplify or add clearer focus to the language
attempt at some form of world domination in the that they use when crafting internal corporate risk

The risk management relationships

a) Creates value
Mandate
b) Integral part of and
organizational processes commitment (4.2)
Establishing the context
c) Part of decision making (5.3)

d) Explicitly addresses Risk assessment

uncertainty Design of
framework (5.4)
Communication and consultation (5.2)

e) Systematic, structured for managing risk

and timely (4.3) Risk identification (5.4.2)

Monitoring and review (5.6)

f ) Bases on the best
available information
Continual Implementing
g) Tailored improvement risk
of the management Risk analysis (5.4.3)
h) Takes human and framework (4.4)
cultural factors into (4.6)
account
i) Transparent and inclusive
j) Dynamic, iterative and Monitoring Risk evaluation (5.4.4)
responsive to change and review
of the
k) Facilitates continual framework
improvement and (4.5)
enhancemen of the
organization Risk treatment (5.5)

Principles for Framework for managing risk

managing risk (Clause 4)
(Clause 3) Process for managing risk
(Clause 5)

Relationships between the risk management principles, framework and process (extract from ISO/FDIS 31000)

22 StrategicRISK SEPTEMBER 2009 | www.strategicrisk.co.uk

20-24_ISO_Sep09.qxp:Value 8/28/09 11:10 AM Page 24

STANDARDS

management policies and guidelines – language that
is consistent with that used by senior executive
management and other business support functions.
Keep the risk management process simple and robust
While a two-phase risk management process
defined in terms of risk analysis and risk response
may be considered somewhat minimalist, the ISO
31000 process diagram is arguably more compli-
cated than necessary. This should not deter refer-
ence to ISO 31000 or the crafting of a similar, yet
simpler, process diagram.
Keep a critical eye out for exaggeration and
self-serving statements
Statements such as ‘There should be an organisa-
tion-wide risk management plan to ensure that the
risk management policy is implemented and that
risk management is embedded in all of the organisa-
tion’s practices and processes’ may be applicable to
a handful of organisations, but not to the vast
majority. This represents more of a text-book ideal
than a practical guideline, and should not be taken
too literally.
Communication – look out for stakeholder overkill
Statements such as ‘Communication and consulta-
tion with external and internal stakeholders should
take place at all stages of the risk management
process’ need to be examined critically in the con-
text of current business practices and controlled
communication flows. Quite apart from the practi-
cal realities of managing complex organisations,
what might appear appropriate to an academic or
an NGO may not feel so appropriate to a CFO, head
of legal department or head of communications or
investor relations in a multinational company.
Be sceptical about external consultants selling
systems on the back of ISO 31000
Try to exploit the information management systems
and platforms already in use to capture exposure
metrics. Simple web-accessible database tools can
be customised to feed the risk management process
information needs and reporting requirements
without recourse to expensive proprietary systems.
Many IT companies offer web-based GRC (gover-
nance, risk and compliance) or ERM software solu-
tions. However, ISO 31000 makes no special
demands for information management beyond
what has been already determined by good risk
management practice. ■
Alex Dali is managing partner of the consultancy
company Atlascope, www.atlascope.com, and
Christopher Lajtha is principal of independent risk and
insurance management resource Adageo,
chris.lajtha@orange.fr
WEBLINKS visit: www.strategicrisk.co.uk
Getting ready for the 31000
New ISO supply chain standards

Key definitions
Until the final version of ISO 31000 is
published in December 2009, com-
ments about key word definitions
cannot be definitive. However, analy-
sis of the most recent, close-to-final
versions reveals that some definitions
may prove to be less useful than
others. Examples where special atten-
tion, and perhaps further simplifica-
tion, may prove to be useful include:
Risk is defined as ‘the effect of uncer-
tainty on objectives’. A couple of
notes accompany this definition.
Effect is described in a note as ‘devia-
tion from the expected (positive or
negative)’. Uncertainty is described
in another note as ‘the state, even
partial, of deficiency of information
related to understanding or knowl-
edge of an event, its consequence or
likelihood’. This is a considerable
improvement over earlier definitions
of risk expressed narrowly in terms
of a combination of event impact
(severity) and likelihood (probability).
A similar, but arguably more granu-
lar, definition of risk is ‘a measure of
deviation from a range of expected out-
comes’. (Note that risk is effectively a
measure of distance by this definition.)
Risk management is defined as ‘the
co-ordinated activities to direct and con-
trol an organisation with regard to risk’.
This is a very broad definition and hence
not as useful as it should be. Real-life
experience does not suggest that risk
managers, for the most part, are
‘charged with directing and controlling
organisations with regard to risk’. This
definition appears to be rooted in aca-
demic consensus rather than practical
operational reality.
A simpler, and probably more opera-
tionally useful, definition is that risk
management is ‘a discipline for dealing
with uncertainty’.
Risk management plan is defined as
a ‘scheme, within the risk management
framework, specifying the approach,
the management components, and
resources to be applied to the manage-
ment of risk’.
Given the ISO 31000 architecture –
principles, framework and process –
the reference to a risk management
plan appears to be somewhat bureau-
cratic and confusing, especially in the
form of an organisation-wide edict
suggested in ISO 31000 (Section 4.3.4
Framework; Design; Integration).
The notion of risk transfer has been
replaced, within the generic heading
of risk treatment, by that of ‘sharing
risk with another party or parties’.
This is a positive development in that
it more correctly reflects the practical
reality that shifting responsibility and
accountability for risk management to
others is rarely fully achievable. Even
a resort to external risk financing is
more akin to risk sharing than risk
transfer, since the extent of such risk
financing is rarely 100%, and often
materially less important.
The reference to risk owner – defined
as ‘the person or entity with accounta-
bility and authority to manage the risk’
could be problematic for some risk
management practitioners. Internal
management allocation of responsibil-
ity for risk treatment initiatives does
not transfer ‘ownership’ of risk. It trans-
fers obligations to perform tasks to a
certain standard and within a certain
time frame. While people understand
the notion of task allocation and
performance obligations, confusion
may be caused by the notion of
risk ownership.
The notion of residual risk defined
as ‘the risk remaining after risk
treatment’ may have some theoretical
interest in an artificial environment
but does not seem to have much
practical application. Residual
risk should be understood as one
element of an exposure profile
snapshot that is assumption-
based and valid only at a particular
moment in time.

24 StrategicRISK SEPTEMBER 2009 | www.strategicrisk.co.uk