In February of 2018, the International Organization for Standardization (ISO) released an updated version of its risk management guidelines, the ISO 31000:2018 standard. The 2018 update, which replaces the previous 2009 version, provides:

  • Updated and simplified language and reference structures;
  • A renewed focus on the leadership role that top management should play to ensure that risk management is fully integrated across all levels of the organization;
  • Greater attention to the iterative nature of risk management, emphasizing the notion that organizations should evaluate their risk management process in light of new information.

An overview of ISO 31000:2018

In a world where standards are usually written in documents that run hundreds of pages, the 16 pages of ISO 31000:2018 constitute a brief and concise guide to help organizations improve the way they manage risks. The document, which can be read in about 1 hour, consists of four main sections:

  • Definitions of key terms, such as risk, risk management, stakeholders, risk sources, events, consequences, probability and control;
  • The principles of risk management, that is, that risk management is integrated and executed using a structured, comprehensive, customized, inclusive and dynamic approach, based on the best information available on human and cultural factors, and continuously improved;
  • A framework to ensure that risk management is properly implemented and integrated, carefully designed, regularly reviewed and continuously adapted and improved; and
  • A section on the risk management process, including the traditional elements of risk identification, analysis, assessment and handling of risks, reinforced by monitoring and reviewing, as well as the element of communication and consulting.

8 important ISO 31000:2018 topics

Although ISO 31000:2018 is far from being the only document addressing corporate risk management, it would be hard to find a more succinct set of principles for implementing and evaluating a risk management process. But brevity is not the only strong point of this document. Below are eight of the main ISO 31000:2018 topics.

1. Executive “sponsorship” is fundamental

The document includes clear language on the importance of strong leadership and commitment to the risk management program. Executives should ensure that the risk management process is fully integrated across all levels of the organization and strongly aligned with its objectives, strategy and culture.

2. Consider risks in business decisions

ISO 31000:2018 also includes a reminder that boards are responsible for ensuring that risks are given due consideration when decisions are being made, as those risks may affect the organization’s ability to add value.

3. Emphasize proper implementation

Boards also need to ensure that the risk management process is properly implemented and that controls have the intended effect. Directors may not have the adequate expertise to fully understand the meaning and impact that risks pose to the organization. In these cases, they should hire an outside consultant to provide this context and ensure that management’s actions are aligned with the strategic importance of the issue.

4. Risk management is not one-size-fits-all

The document clearly articulates risk management as a cyclical process, with ample room for customization and improvement. But rather than prescribing a one-size-fits-all approach, the ISO document advises senior management to customize the recommendations to fit the organization – in particular, its risk profile, culture and risk appetite.

5. Be proactive

While the document does not address specific types of risk, it provides strong guidance to help executives take a proactive stance on risk and ensure that risk management is integrated into all aspects of decision making at all levels of the organization. This includes business continuity, compliance, crisis management, HR, IT and organizational resilience.

6. Standardize your vocabulary

The document provides a common language with simple and uncomplicated definitions of risks, events, consequences and probability. Managers should adopt the use of these terms to ensure that communication flows without being hindered by complex language. If a metric is too complex, it should not be emphatically shared. However, it can still be useful as part of a larger metric that represents trends in the integrity and overall resilience of the organization.

7. Use the best information available

Much of risk management centers on the best information available, with all the ambiguity and imperfections that the term implies. Rather than just trying to share absolute risk information, managers should adopt this nebulous understanding and reflect on the data they provide to reinforce their role as effective business advisors.

8. Evaluate success

The guidelines also emphasize the value of measuring, evaluating and improving the risk management system. The idea is not to get everything right the first time, but to improve it every time the cycle is completed. Even imperfect risk data can be useful, as long as it is presented together with a timeline showing a trend. Ultimately, risk reports should provide quality information for executives.

Whether you are getting ready to implement your first risk management process or improve an existing one, the ISO 31000:2018 guidelines can help you manage the uncertainty and, at the same time, protect the value of your organization.

Tobias Schroeder

MBA in Strategic Management from UFPR. Business and market analyst at SoftExpert, a software provider for enterprise-wide business processes automation, improvement, compliance management and corporate governance.

  • This is a great update! Businesses should review this properly in order to implement the updates. Surely, many business owners will need the help of experts in implementing these updates in their business.
