Released in 2009 as the first global standard for ERM, ISO 31000 was revised in 2018. In this section, we focus on the reasons for the revision, including the most important one: an appeal to senior leadership to increase their involvement and commitment to ensure that ERM becomes integrated into all organizational activities, including day-to-day decision-making and everyday behavior.
Revision of ISO 31000:2009 began in 2014 with input from many of the 60 countries that had adopted it as their standard for ERM. In February 2018, ISO issued a revised standard (31000:2018) that streamlined and enhanced the focus on the three main components of the 2009 version: principles, framework and process:
Principles is the first of the three main sections of ISO 31000:2018. This component is designed to ask the basic question: why are we doing ERM? The goal of this section is to make clear that the purpose of ERM is to create and protect value. Being viewed as enhancing value, rather than as a cost of doing business (e.g., the perception of insurance), has been a challenge for the risk management field since it began to emerge in the late 1940s and early 1950s.
Integration means blending the ERM framework into the general management of the organization, which includes leadership, employee development, and the ongoing work processes (e.g., operations, supply chain management). For the senior leadership, this means asking whether there is top-level oversight of and engagement with ERM. Inclusiveness is the attribute that ensures the ERM framework is the standard for decision-making at each level of the organization. Decision-making is improved with the concept of best available information: ERM strives to standardize decision-making so that decision-makers act on accurate, reliable, sufficient and timely information about events and sources of uncertainty. Human and cultural factors refer to the importance of attitudes and behaviors, and to the need for executive-level support and a business case and plan for implementation to lessen resistance to change. Continual improvement means that ERM should be seen as a tool for enhancing organizational competitiveness and sustainability.
We turn now to the second critical element of ISO 31000:2018 – the Framework for Managing Risk:
The third element of ISO 31000:2018 is process, or “where the rubber really meets the road.” The process steps (i.e., identification, assessment, evaluation, treatment) remain nearly the same as in AS/NZS 4360 and ISO 31000:2009. The chief difference is that this section was modified to add the element of recording and reporting. Inclusion of this additional element is intended to improve dialogue with senior management and stakeholders, to ensure that the ERM framework is supporting the organization’s strategic direction, and to increase the availability of information for evaluating the status and level of assurance of the health of the organization and the ERM process. The process component is depicted in the diagram below: