Released in 2009 as the first global standard for ERM, ISO 31000 was revised in 2018. In this section, we focus on the reasons for the revision, including the most important one: an appeal to senior leadership to increase their involvement and commitment to ensure that ERM becomes integrated into all organizational activities, including day-to-day decision-making and everyday behavior.
“The revised version of ISO 31000 focuses on the integration with the organization and the role of leaders and their responsibility. Risk practitioners are often at the margins of organizational management and this emphasis will help them demonstrate that risk management is an integral part of business.” - Jason Brown, Chair of ISO Technical Committee (TC262) for Risk Management, Feb 19, 2018 ISO Press Release
Revision of ISO 31000:2009 began in 2014 with input from many of the 60 countries that had adopted it as their standard for ERM. In February 2018, ISO issued a revised standard (31000:2018) that streamlined and enhanced the focus on the three main components of the 2009 version: principles, framework and process:
Revision of ISO 31000:2009 began in 2014 with input from many of the 60 countries that had adopted it as their standard for ERM. In February 2018, ISO issued a revised standard (31000:2018) that streamlined and enhanced the focus on the three main components of the 2009 version: principles, framework and process:
We will go through each of the three components depicted above, but it’s worth emphasizing two things at the outset. First, much of the feedback from the first decade of ISO 31000’s existence focused on how to increase the level of involvement and commitment from senior leadership to implement and integrate ERM into the organization. Hence, ISO worked hard to simplify the ERM standard, reducing the 2018 version to 16 pages that can be read in an hour or less. Second, ISO hoped the improved clarity and simplicity would allow ERM to better support decision-making across organizations, including producing greater alignment between senior leadership and those making everyday decisions or taking day-to-day action regardless of title or function. In short, the goal of the revision was to produce a high level view of what a successful ERM initiative should look like.
Principles is the first of three main sections to ISO 31000:2018. This component is designed to ask the basic question: why are we doing ERM? The goal of this section is to make clear the purpose of ERM is to create and protect value. Being viewed as enhancing value and not as a cost of doing business (e.g., the perception of insurance) has been a challenge for the risk management field since the field began to emerge in the late 1940s and early 1950s.
Principles is the first of three main sections to ISO 31000:2018. This component is designed to ask the basic question: why are we doing ERM? The goal of this section is to make clear the purpose of ERM is to create and protect value. Being viewed as enhancing value and not as a cost of doing business (e.g., the perception of insurance) has been a challenge for the risk management field since the field began to emerge in the late 1940s and early 1950s.
In addition to making value creation and protection the centerpiece and focus of ERM, ISO 31000:2018 reduced the number of core principles by three. Within the remaining eight principles, several deserve special mention: integration, inclusiveness, decision-making, human and cultural factors, and continuous improvement.
Integration means blending the ERM framework into the general management of the organization which includes leadership, employee development, and the ongoing work processes (e.g., operations, supply chain management etc.). For the senior leadership, this means asking whether there is top-level oversight and engagement with ERM. Inclusiveness is the attribute that ensures the ERM framework is the standard for decision-making at each level of the organization. Decision-making is improved with the concept of best available information; ERM strives to standardize decision-making so that decision-makers act on accurate, reliable, sufficient and timely information about events and sources of uncertainty. Human and cultural factors refer to the importance of attitudes and behaviors and the need for executive level support and a business case and plan for implementation to lessen resistance to change. Continual improvement means that ERM should be seen as a tool for enhancing organizational competitiveness and sustainability.
We turn now to the second critical element of ISO 31000:2018 – the Framework for Managing Risk:
Integration means blending the ERM framework into the general management of the organization which includes leadership, employee development, and the ongoing work processes (e.g., operations, supply chain management etc.). For the senior leadership, this means asking whether there is top-level oversight and engagement with ERM. Inclusiveness is the attribute that ensures the ERM framework is the standard for decision-making at each level of the organization. Decision-making is improved with the concept of best available information; ERM strives to standardize decision-making so that decision-makers act on accurate, reliable, sufficient and timely information about events and sources of uncertainty. Human and cultural factors refer to the importance of attitudes and behaviors and the need for executive level support and a business case and plan for implementation to lessen resistance to change. Continual improvement means that ERM should be seen as a tool for enhancing organizational competitiveness and sustainability.
We turn now to the second critical element of ISO 31000:2018 – the Framework for Managing Risk:
The purpose of the framework is to provide senior leadership with a five-part business cycle (design, implementation, evaluation, improvement and integration) for integrating risk management into the activities and function of the organization. It centers on leadership and commitment or rather what senior management and the board must do to ensure the integration of risk management in the organization. Depending on the size of the organization, top-level leadership and commitment may include the CEO, a senior executive designated to serve as the chief risk officer, department heads (business unit and critical functions (legal, finance, HR, IT, etc.), a ERM steering committee comprised of senior leaders, and ad hoc teams that work on specific ERM tasks (e.g., defining and treating cross functional risks such as cybersecurity).
The third element of ISO 31000:2018 is process or “where the rubber really meets the road.” The process steps (i.e., identification, assessment, evaluation, treatment) remain nearly the same as AS/NZS 4360 and ISO:31000:2009. The chief difference is that this section was modified to add the element of recording and reporting. Inclusion of this additional element is intended to improve dialogue with senior management and stakeholders to ensure that the ERM framework is supporting the organization’s strategic direction and to increase the availability of information to evaluate the status and level of assurance of the health of the organization and the ERM process. The process component is depicted in the diagram below:
The third element of ISO 31000:2018 is process or “where the rubber really meets the road.” The process steps (i.e., identification, assessment, evaluation, treatment) remain nearly the same as AS/NZS 4360 and ISO:31000:2009. The chief difference is that this section was modified to add the element of recording and reporting. Inclusion of this additional element is intended to improve dialogue with senior management and stakeholders to ensure that the ERM framework is supporting the organization’s strategic direction and to increase the availability of information to evaluate the status and level of assurance of the health of the organization and the ERM process. The process component is depicted in the diagram below:
RSS Feed