During the period of 2004 to 2009, the Australian-New Zealand standard for enterprise risk management (AS/NZS 4360) was converted to a global ERM standard known as ISO 31000. In this section, we take a closer look at this five-year period that would propel ISO 31000 into becoming the most well-known standard for creating and implementing an ERM framework within organizations.
As we continue to learn the story behind the creation of ISO 31000 – the most well-known ERM model used globally – it is useful to remember why so much effort was expended to create an ERM framework applicable to all types of organizations, and the critical role played by the International Organization for Standardization (“ISO”). Again, ISO is a global organization composed of national standards bodies (the American National Standards Institute (“ANSI”) is the United States member of ISO) that represent more than 119 countries around the world. ISO standards development is conducted through technical committees, each of which focuses on developing an agreed way of doing something (making a product, managing a business process, providing a service, supplying a product, etc.). While standards generally represent minimum levels of acceptability and are voluntary, adherence helps confirm that products, services, and management systems are safe, reliable, and of good quality.
ISO 31000 is a voluntary standard in the category of business process or management system. That is, it provides a model of ERM for an organization to follow when setting up and operating a system for ERM. As explained previously, the standards organizations in Australia and New Zealand released their ERM model (AS/NZS 4360) in 1995 and updated it in 1999 and 2004. From the beginning, AS/NZS 4360 stimulated discussion around the world about ERM as it was translated and considered by a variety of countries. Discussions about making AS/NZS 4360 an ISO global standard occurred intermittently from 1995 through 2004. Persistence paid off in June 2005, when the ISO Technical Management Board (“TMB”) established an ad hoc working group drawn from 25 different countries to create a global standard for ERM. This working group would not become a permanent Technical Committee (TC 262) until 2012 – a step that would ensure ongoing development and revision of ISO 31000 well after its first publication in 2009.
Understanding ISO 31000 boils down to learning about four key attributes. First, ISO 31000 retains the risk management process of AS/NZS 4360, which consists of five process steps and two continuing activities. The first process step is to evaluate the context, which means considering all relevant aspects of the overall business environment, such as objectives, timing, and location. The next three process steps make up risk assessment: risk identification (what could happen, when, how, why, and involving whom), risk analysis (evaluating magnitude, consequences, and existing controls), and risk evaluation (deciding which risks should be treated and in what order of priority). The fifth process step, risk treatment, involves the selection of controls, which typically consist of the following options:
- avoiding the risk by deciding not to start or continue with an activity that gives rise to the risk;
- taking or increasing the risk in order to pursue an opportunity;
- removing the risk source;
- changing the likelihood;
- changing the consequences;
- sharing or addressing the financial consequences of risk with another party or parties (including use of contracts, insurance, and risk financing such as bonds and captives);
- retaining the risk by informed decision.
Throughout these five process steps, two continuing activities are practiced on an ongoing basis: communication and consultation with appropriate stakeholders, and monitoring and review supported by documentation and recording.
The second key attribute of ISO 31000 is the attempt to shift the focus of risk management away from a narrow view of safety and loss avoidance toward a more neutral view of risk. This shift came about in the revision and republication of ISO/IEC Guide 73:2002 Risk Management – Vocabulary as ISO Guide 73:2009 Risk Management – Vocabulary. In the 2009 Guide, risk is defined as the effect of uncertainty on objectives. Uncertainty is explained as the state of having insufficient information about, or understanding or knowledge of, an event, its consequence, or its likelihood. This change in definition reflected a shift from thinking about risk as the management of adverse events toward envisioning risk and ERM as helping an organization optimize decision-making so that achieving its objectives becomes more likely.
The third and fourth key attributes of ISO 31000 relate to the adoption of conceptual principles for the practice of ERM and the creation of a framework for how organizations can best adopt and use ISO 31000, including the role of senior leadership. The principles – eleven in number – are a set of performance criteria that can help benchmark how effective ERM is within an organization. In another improvement over AS/NZS 4360, the principles for the first time in the field of risk management anticipate that senior management will help ensure that ERM becomes part of the organization’s overall system of management. How senior management goes about adopting and using ERM is put forth in ISO 31000 as a “framework”, which is a confusing term – in reality, the architects of ISO 31000 were describing a repetitive or iterative process of designing, implementing, monitoring, reviewing, and continually improving the practice of ERM.
Below is a summary overview of the key attributes of ISO 31000. The 11 foundational principles for adopting and using ERM are set forth in the left column, the framework for implementing and using ERM is depicted in the middle column, and the day-to-day risk management process is described in the right column.