In February of 2018, the International Organization for Standardization (ISO) released an updated version of its risk management guidelines, the ISO 31000:2018 standard. The 2018 update, which replaces the previous 2009 version, provides:
- Updated and simplified language and reference structures;
- A renewed focus on the leadership role that top management should play to ensure that risk management is fully integrated across all levels of the organization;
- Greater attention to the iterative nature of risk management, emphasizing the notion that organizations should evaluate their risk management process in light of new information.
An overview of ISO 31000:2018
In a world where standards are usually written in documents that run hundreds of pages, the 16 pages of ISO 31000:2018 constitute a brief and concise guide to help organizations improve the way they manage risks. The document, which can be read in about 1 hour, consists of four main sections:
- Definitions of key terms, such as risk, risk management, stakeholders, risk sources, events, consequences, probability and control;
- The principles of risk management, in other words, that risk management is integrated, executed using a structured, comprehensive, customized, inclusive and dynamic approach based on the best information available on human and cultural factors and continuously improved;
- A framework to ensure that risk management is properly implemented and integrated, carefully designed, regularly reviewed and continuously adapted and improved; and
- A section on the risk management process, including the traditional elements of risk identification, analysis, assessment and handling of risks, reinforced by monitoring and reviewing, as well as the element of communication and consulting.
8 important ISO 31000:2018 topics
Although ISO 31000:2018 is far from being the only document addressing corporate risk management, it would be hard to find a more succinct set of principles for implementing and evaluating a risk management process. But brevity is not the only strong point of this document. Below are eight of the main ISO 31000:2018 topics.
1. Executive “sponsorship” is fundamental
The document includes clear language on the importance of strong leadership and commitment to the risk management program. Executives should ensure that the risk management process is fully integrated across all levels of the organization and strongly aligned with its objectives, strategy and culture.
2. Consider risks in business decisions
ISO 31000:2018 also includes a reminder that boards are responsible for ensuring that risks are given due consideration when decisions are being made, as those risks may affect the organization’s ability to add value.
3. Emphasize proper implementation
Boards also need to ensure that the risk management process is properly implemented and that controls have the intended effect. Directors may not have the adequate expertise to fully understand the meaning and impact that risks pose to the organization. In these cases, they should hire an outside consultant to provide this context and ensure that management’s actions are aligned with the strategic importance of the issue.
4. Risk management is not one-size-fits-all
The document clearly articulates risk management as a cyclical process, with ample room for customization and improvement. But rather than prescribing a one-size-fits-all approach, the ISO document advises senior management to customize the recommendations to fit the organization – in particular, its risk profile, culture and risk appetite.
5. Be proactive
While the document does not address specific types of risks, it provides strong guidance to help executives take a proactive stance on risk and ensure that risk management is integrated into all aspects of decision making at all levels of the organization. This includes business continuity, compliance, crisis management, HR, IT and organizational resilience.
6. Standardize your vocabulary
The document provides a common language with simple and uncomplicated definitions of risks, events, consequences and probability. Managers should adopt these terms to ensure that communication flows without being hindered by complex language. If a metric is too complex, it should not be emphasized when shared. However, it can still be useful as part of a larger metric that represents trends in the integrity and overall resilience of the organization.
7. Use the best information available
Much of risk management centers on the best information available, with all the ambiguity and imperfections that the term implies. Rather than trying to share only absolute risk information, managers should embrace this imperfect understanding and reflect on the data they provide, reinforcing their role as effective business advisors.
8. Evaluate success
The guidelines also emphasize the value of measuring, evaluating and improving the risk management system. The idea is not to get everything right the first time, but to improve it every time the cycle is completed. Even imperfect risk data can be useful, as long as it is presented together with a timeline showing a trend. Ultimately, risk reports should provide quality information for executives.
Whether you are getting ready to implement your first risk management process or improve an existing one, the ISO 31000:2018 guidelines can help you manage the uncertainty and, at the same time, protect the value of your organization.