Long before the COVID-19 pandemic, the field of standardization worked to develop a useable framework to help organizations manage risk and uncertainty in a holistic way. This article traces the conversion of AS/NZS 4360 to ISO 31000, which began in the late 1990s with an interim step to build a basic vocabulary of terms associated with managing risk.
The previous sections told the story of how the ERM standard known as AS/NZS 4360 was developed between 1992 and 2004. After AS/NZS 4360 was revised in 2004 as part of a routine revision performed every five years, the Joint Standards Australia/Standards New Zealand Technical Committee known as “OB/7” joined with Japan to ask ISO to promote the development of an international standard for enterprise risk management. In June 2005, the ISO Technical Management Board (“TMB”) established a working group from 25 different countries. Given the decade of experience behind AS/NZS 4360, it became the first draft standard of the working group and, four years later, in 2009, AS/NZS 4360 became ISO 31000.
It is not well known, however, that the effort to convert AS/NZS 4360 to ISO 31000 actually began in 1995, shortly after publication of the first version of AS/NZS 4360. These early conversion efforts in 1995-96 proved unsuccessful because there was insufficient international momentum and consensus to develop an ERM model that was inclusive of existing ideas and approaches by those working in fields commonly associated with risk management such as safety and insurance. Undeterred and wanting to collaborate and learn from others, the OB/7 Committee approached the International Electrotechnical Commission (“IEC”) which, in 1996, expressed interest. The IEC is a sister organization of ISO that prepares and publishes international standards for electrical, electronic and related technologies.
The specific part of IEC to express interest in working with the OB/7 Committee is known as IEC Technical Committee 56 (IEC TC 56), which is dedicated to the study of dependability management (defined as the practice of coordinating the reliability, maintainability, supportability, availability and other related aspects of performance). Here, within IEC TC 56, the OB/7 Committee found interest because IEC TC 56 had already been working on standards for project-based risk management. Accordingly, in 1996, AS/NZS 4360 became a New Item Work Proposal of IEC TC 56. Meanwhile, at the urging of the Japanese Standards Association, ISO continued to debate in 1997 and early 1998 about whether to pursue the creation of an ERM framework. As mentioned, much of the deliberation was about whether an ERM framework was necessary in light of preexisting work on safety and insurance. Moreover, there was also concern that an ERM framework could be misused by organizations more interested in selling certification-related services than in facilitating internal skill development in risk management.
Ultimately, a middle ground was adopted. In June 1998, the ISO TMB established a working group of 12 countries to work with IEC TC 56. The purpose of the working group was not to develop an ERM framework but rather to take a preliminary step of creating a vocabulary of risk management terms and concepts that could promote global discussion of risk management. This vocabulary would not come to life for another four years, when it was published in 2002 as ISO/IEC Guide 73:2002 Risk Management – Vocabulary – Guidelines for Use in Standards.
The Vocabulary Guidelines consist of 29 definitions across four categories: (i) 8 basic terms, (ii) 4 terms related to people or organizations affected by risk, (iii) 6 terms related to risk assessment, and (iv) 11 terms related to risk treatment and control. Simply reviewing the list of definitions across the categories is helpful to thinking about the scope and breadth of an ERM framework:
(As a reminder, ISO stands for International Organization for Standardization – an entity that was established in 1946 to serve as the global organization for the creation of voluntary international standards that support the development and maintenance of global trade.)