Professional Documents
Culture Documents
Perspective
Grant Purdy
Last year saw the publication of IS0 31000:2009, a new globally accepted standard for risk
management together with a new, associated vocabulary in ISO Guide 73:2009. These were
developed through a consensus-driven process over four years, through seven drafts, and
involving the input of hundreds of risk management professionals around the world. The
new standard supports a new, simple way of thinking about risk and risk management and
is intended to begin the process of resolving the many inconsistencies and ambiguities that
exist between many different approaches and definitions. While most decisionmakers seem
to welcome the new standard and it has so far received very good reviews, it does create
challenges for those who use language and approaches that are unique to their area of work
but different from the new standard and guide. The need for compromise and change is the
inevitable consequence of standardization
1. THE PURPOSE OF ISO 31000 different assumptions, that are described using the
same words but that have different meanings.
While people working in the many different
For these reasons, ISO, the international body
forms of risk management always have the same goal,
charged with achieving standardization, set out to
to provide a sound basis for decisions on whether
achieve consistency and reliability in risk manage-
risks are acceptable and, if necessary, obtain reliable
ment by creating a standard that would be applicable
information how they can be dealt with, there are
to all forms of risk. This would contain:
many different definitions of risk and of the risk man-
agement process elements and many different ver- 1. One vocabulary;
sions of the process to be followed. These have all 2. A set of performance criteria;
developed for good historical reasons but individuals 3. One, common overarching process for identi-
and organizations, whether they are for profit or not, fying, analyzing, evaluating, and treating risks;
regulated or regulator, need to make confident and 4. Guidance on how that process should be inte-
balanced decisions about all risks they have to deal grated into the decision-making processes of
with, on a consistent and reliable basis. Decision- any organization.
makers are uncomfortable about resolving pieces of
apparently similar but fundamentally different infor- ISO created a working group comprising ex-
mation, obtained from different processes and with perts nominated from 28 countries (up to three
from each) and from many other specialist organiza-
tions to guide the development of the standard and
Address correspondence to Grant Purdy Broodleaf Capital In- the associated vocabulary. While the experts pos-
ternational Pty Ltd., PO Box 1098, North Mitcham, VIC 3132, sess a very wide range of risk management experi-
Australia; tel: +61 3 9893 0011; purdy@broadleaf.com.au. ence gained in many sectors and applications, their
881 0272-4332/10/0100-0881$22.00/1
C 2010 Society for Risk Analysis
882 Purdy
principal role has been to represent the views of their happen and what it could lead to in terms of how ob-
respective national and sector mirror committees and jectives could be affected.
organizations. In the past, it has been common for risk to be
Through these mirror committees, a network of regarded solely as a negative concept that organiza-
hundreds of risk management specialists and their tions should try to avoid or transfer to others. How-
customers from around the world have helped cre- ever, it is now widely understood that risk is simply
ate, review, and shape the eventual ISO 31000:2009 a fact of life and is neither inherently good nor in-
and Guide 73. These documents are not therefore herently bad. To avoid it entirely is to forgo the op-
just the conclusions of a small committee, but rep- portunity of pursuing objectives. If we can success-
resent the views and experience of hundreds of fully detect and understand risk, including how it is
knowledgeable people involved in all aspects of risk caused and influenced, we can, if necessary, change it
management. so that we are more likely to achieve our objectives
and might even do this faster, more efficiently, and
with improved results.
2. WHAT IS RISK? Risks are either changed or created in all deci-
Standards are not written from the beginning, sions people make: how those decisions are made and
but from the middle out and it soon became clear the information they are based on will affect whether
to the members of the working group that little real objectives are achieved in a reasonable time scale.
progress could be made with the ISO standard un- Decision making is, in turn, an integral part of day-
til they all agreed on a definition of risk that arose to-day existence and nowhere more prominent in an
from a clear and common understanding of what risk organization than at times of change and when re-
is and how it occurs. Dozens of candidate definitions sponding to external or internal developments. This
were considered before the working group arrived at: is why risk management is an inseparable aspect
of managing change and other forms of decision
effect of uncertainty on objectives. making.
their views can be taken into account in set- Risk analysis can be undertaken with varying
ting risk criteria. degrees of detail, depending on the risk, the
Monitoring and review, so that appropriate purpose of the analysis, and the information,
action occurs as new risks emerge and exist- data, and resources available. Analysis can be
ing risks change as a result of changes in either qualitative, semiquantitative, quantitative, or
the organizations objectives or the internal a combination of these, depending on the cir-
and external environment in which they are cumstances.
pursued. This involves environmental scan-
Risk evaluation then involves making a decision
ning by risk owners, control assurance, tak-
about the level of risk and the priority for atten-
ing on board new information that becomes
tion through the application of the criteria developed
available, and learning lessons about risks and
when the context was established.
controls from the analysis of successes and
Risk treatment is the process by which existing
failures.
controls are improved or new controls are developed
The central spine of the risk management pro- and implemented. It involves evaluation of and se-
cess is concerned with preparing for and then con- lection from options, including analysis of costs and
ducting risk assessment leading, as necessary, to risk benefits and assessment of new risks that might be
treatment. The process starts through defining what generated by each option, and then prioritizing and
the organization wants to achieve and the external implementing the selected treatment through a
and internal factors that may influence success in planned process. If this process is followed, the
achieving those objectives. This step is called estab- systematic way in which the risks have been as-
lishing the context and is an essential precursor to sessed means that risk treatment can proceed with
risk identification. confidence.
Risk assessment under ISO 31000 comprises the There is a great deal of iteration between risk
three steps of risk identification, risk analysis, and evaluation and risk treatment as each set of risk treat-
risk evaluation. Risk identification requires the ap- ment options is tested until the preferred set is found
plication of a systematic process to understand what that yields the greatest benefit for the least cost.
could happen, how, when, and why. ISO 31000:2009 gives a set of general options
In ISO 31000, risk analysis is concerned with de- to be considered when risk is treated. The order of
veloping an understanding of each risk, its conse- the list reflects preference. Importantly, the options
quences, and the likelihood of those consequences. deal with both risks that have downside and/or up-
Whether the end result is expressed as a qualita- side consequences. The options are:
tive, semiquantitative, or quantitative manner, gain-
a) Avoiding the risk by deciding not to start or
ing this understanding requires consideration of the
continue with the activity that gives rise to the
effect and reliability of existing controls and any con-
risk;
trol gaps. ISO 31000 does not express a preference
b) Taking or increasing the risk in order to pur-
for either a quantitative or qualitative approach to
sue an opportunity;
risk analysis, as both have a role. Rather, it advises
c) Removing the risk source;
that:
d) Changing the likelihood;
The way in which consequences and likeli- e) Changing the consequences;
hood are expressed and the way in which they f) Sharing the risk with another party or parties
are combined to determine a level of risk (including contracts and risk financing);
should reflect the type of risk, the information g) Retaining the risk by informed decision.
available, and the purpose for which the risk
assessment output is to be used. These should
3.4. The Framework for Managing Risk
all be consistent with the risk criteria.
The confidence in determination of the level One of the recurrent themes in IS0 31000 is
of risk and its sensitivity to preconditions that to be effective, risk management must be inte-
and assumptions should be considered in grated into an organizations decision-making pro-
the analysis, and communicated effectively cesses (which, of course, is how risk is generated).
to decisionmakers and, as appropriate, other This is easily said but many organizations struggle
stakeholders. to achieve this in practice. If the number of pages
Perspective 885
indicates some measure of the importance of a sub- Of course, despite all the efforts of so many peo-
ject, then more of the standard (nine pages) is con- ple over such a long timescale, there are always op-
cerned with the implementation of risk management portunities for improvement and enhancement. The
than with the process (seven pages). most pressing need, however, is to develop some
Clause 4 of the standard concerns implementa- practical guidance on the implementation of the stan-
tion of the risk management process through inte- dard and currently ISO is considering a new work
gration by using a management framework, which item for that.
consists of the policies, arrangements, and organiza- Work on revising the standard will start in two
tional structures to implement, sustain, and improve years and my views on areas that will need attention
the process. The standard not only describes the im- then and in preparing guidance now are:
portant elements that are required in such a frame-
work but also describes how an organization should 1. The working group quite appropriately
go about creating, implementing, and keeping these avoided getting ensnared in the debate about
elements up to date and relevant. risk appetite and risk tolerance. These two
Each organization needs to design or revise the misused terms reflect confused concepts and
risk management components of its management sys- poor reasoning that has been sponsored by
tem to suit its business processes, structure, risk pro- the ill-founded COSO ERM Framework.(5)
file, and policies and this is the purpose of a risk Even a recent review of corporate governance
management plan. This implementation plan may ex- in the financial sector by the Basel Committee
tend over a considerable time as introducing soundly on Banking Supervision(6) says that there is
based risk management usually requires alignment no consensus in that sector on what they
with and even changes to the organizations culture mean and the difference between them.
and processes. Large or complex organizations may ISO 31000 has adopted a more pragmatic
require a hierarchy of risk management plans but approach that requires the organization to
there should always be an overall plan for the or- derive and set or adopt risk criteria as the
ganization that describes the broad strategies to be basis for its decisions. However, further clear
pursued. advice is needed to remove all ambiguity
The framework described in ISO 31000 can also about this concept.
be adapted and applied to managing risk associated 2. The working group left unresolved the issue
with projects. Although projects often require a dif- of whether risk treatment should continue un-
ferent timescale and specialized criteria, they are a til some risk criterion is reached or whether,
source of risk to the organizations objectives and this for even low risks, if it is cost-beneficially
risk needs to be managed to ensure that projects de- desirable, further risk treatment should take
liver the value for which they are being undertaken. place. The former approach arises in health,
safety, and environmental legislation, and the
latter from business improvement processes.
4. CONCLUSIONS
These two approaches are not necessarily in-
Initial drafts of the standard were based on many consistent but could be more smoothly recon-
sources of information. For example, the risk man- ciled.
agement process came from the Australian and New 3. The IEC Advisory Committee on Safety
Zealand Standard, AS/NZS 4360 that, over the last (ACOS) removed its support from the work-
15 or so years and through three revisions and up- ing group because it believed that (so-called)
dates, has become the most widely used standard for safety risks are a special case and should
risk management in organizations. Also, Clause 4 on be generally excluded from the generally
implementation through integration was based on an applied risk management process in ISO
elegant approach, using the organizational improve- 31000. The central argument of ACOS was
ment cycle of Plan Do Check Act(3) in Part 2 in the that any risk to people is unacceptable.
Austrian standard.(4) The final version of ISO 31000, The working group did not support this
however, contains very little of the original text from view, as it would lead to most human ac-
other standards. It was rewritten, reviewed, and re- tivities having to cease, so the published
vised so many times that it now seems quite homoge- standard applies, quite rightly, to all risks
neous and self-supporting. whatever the nature of the consequences
886 Purdy
that could occur. However, many ISO New standards, by their nature, reset goals and
standards concern safety matters and this ways of thinking and undoubtedly the publication of
difference of opinion must be amicably re- ISO 31000 now requires all risk management prac-
solved to ensure consistency and remove any titioners to examine their current ways of working
uncertainty. and the language they use so that their customers,
4. Although the description of the risk man- those who are faced with making decisions, obtain
agement framework in Clause 4 of the stan- simple, consistent, useful, and unambiguous infor-
dard is quite succinct, nevertheless there mation. Greater consistency in definitions and pro-
remain some elements that could be sim- cess can only lead to greater confidence in decision
plified so that the framework and its im- making and, ultimately, to better decisions.
plementation become more understandable
and appear less onerous for smaller, simpler
REFERENCES
organizations.
1. ISO 31000:2009, Risk ManagementPrinciples and Guide-
Although there is always room for improvement, lines. Geneva: International Standards Organisation, 2009.
the publication of ISO 31000:2009 and Guide 73:2009 2. ISO Guide 73, Risk ManagementVocabulary. Geneva: Inter-
represent a very significant milestone in mankinds national Standards Organisation, 2009.
3. Deming W. Out of the Crisis. Cambridge, MA: MIT Center for
journey to understand and harness uncertainty. An Advanced Engineering Study, 1986.
unprecedented 25 countries voted for the standard 4. ONR 490022: Risk Management for Organisations and Sys-
with only Italy voting against and, already, it has been tems, Part 2 Guidelines for the Integration of Risk Manage-
ment into the General Management System. Vienna: Austrian
formally adopted by many states to replace their na- Standards Institute, 2004.
tional standard and is causing other standard-setting 5. Enterprise Risk ManagementIntegrated Framework: Execu-
bodies to revisit their documents. As an example, the tive Summary. Committee of Sponsoring Organizations of the
Treadway Commission, 2004.
Institute of Internal Auditors has already published a 6. Basel Committee on Banking Supervision. Consultative Docu-
guide to the planning and execution of risk-based au- ment: Principles for Enhancing Corporate Governance. Basle,
dits and assurance activities using ISO 31000(7) and Switzerland: Bank for International Settlements, 2010.
7. HB 158, Delivering AssuranceBased on ISO 31000:2009.
is convening a Leadership Summit in August 2010 to Sydney: Standards Australia and the Institute of Internal
help determine its future policy on risk management. Auditors, 2010.