The ISO 31000 ERM Standard – Background & Overview

Since its inception, ISO 31000 has become a widely accepted standard for enterprise risk management by private corporations, government bodies, and nonprofit organizations throughout the world.

Although the ISO standard has only been around for 10 years, its origins date back to 1995 when the AS/NZS 4360 standard from Australia and New Zealand was first published.

Following its 2004 revision, the committee responsible for developing the AS/NZS standard decided to push for the creation of an international standard that would be applicable to a wide variety of organizations irrespective of industry, sector, local language, and culture. Shortly thereafter, the International Standards Organization (ISO) put together a working group from 25 different countries to examine existing standards and best practices.

The first international risk management standard was published as ISO 31000 in 2009…

However, as risk management practices continued to evolve and constructive feedback poured in from practitioners worldwide, it soon became apparent that the current standard was incomplete. For example, it didn’t include enough explanation on concepts like risk appetite and integration of risk management with other processes, nor did it provide instructions on implementation, among other things.

Therefore, a new ISO 31000 standard was developed and released in February 2018 that was dramatically different from its predecessors…

The new ISO ERM standard places greater emphasis on creating and protecting value as a key driver of risk management

As I explain here and in countless other areas on my blog, the fundamental purpose of enterprise risk management is not to just protect, but enhance and create value for the organization.

Understanding the need for risk management practices to evolve to adequately deal with today’s threats, the ISO technical committee responsible for developing the standard sought to provide a clearer, shorter, and more concise guide than the 2009 version.

As explained by Jason Brown, Chair of the technical committee, the revised ISO 31000 standard:

…focuses on the integration with the organization and the role of leaders and their responsibility. Risk practitioners are often at the margins of organizational management and this emphasis will help them demonstrate that risk management is an integral part of the business.

Sound familiar?

This quote leaped off the page at me, and if you’ve completed my questionnaire, you may understand why. Inconsistent leadership, “tone-at-the-top,” or whatever you want to call it, is considered to be the number one ERM implementation challenge according to many risk professionals.

In fact, based on the results Nathan and I have analyzed to this point, this is the biggest ERM challenge by a long shot…

Besides a greater emphasis on leadership, the 2018 standard also focuses more on the “iterative” nature of risk management. An iterative process can be defined as “repeating rounds of analysis or a cycle of operations” to arrive at a desired result.

The 2018 ISO ERM standard was developed to provide a high-level, comprehensive view of what a successful risk management initiative should look like…

If you get a copy of the standard, you will find it easy to read and something you can do in a lunch hour.

It essentially provides a bird’s eye view and not a step-by-step process for risk professionals to follow. Instead, risk professionals must determine the parts of the standard most relevant to their organization and work from there.

The standard consists of 3 main components:

  1. Principles – At its core, the fundamental principle and purpose of risk management is value creation and protection. Branching out from this core purpose are 8 principles that support this goal, including integrated, customized, inclusive, structured and comprehensive, and more.
  2. Framework – The framework goes down a level deeper by providing components for integrating risk management into the activities and function of the organization. It centers on leadership and commitment, or rather what management and the board must do to ensure the integration of risk management in the organization. Developing a framework for your organization involves integrating, designing, implementing, evaluating, and improving.
  3. Process – This is where the rubber really meets the road. As the name implies, the process is the real-world application of policies and procedures. Examples include risk identification, risk analysis, risk reporting, risk treatment or response, and more. Beyond the high-level overview the standard provides, there is a lot of information on each of these processes here on this website and other resources both online and in print.

In the end, the new ISO 31000 standard goes a long way toward bridging the gap between recommendations and implementation, delivering information that is concise, applicable, and easy to read, especially when compared to other standards like COSO and the OCEG “Red Book” among others.

Explaining why ISO 31000 is the best standard, plus additional considerations

If you determine the ISO 31000 standard will be the benchmark for your risk management activities, it’s inevitable you are going to get questions from leadership as to why you chose this one.

In many ways, I’ve already discussed these reasons…

ISO 31000 is concise and easy to follow.

It can be read in about an hour and is applicable to pretty much any industry, culture, and language.

Also, ISO 31000 doesn’t focus on the audit perspective, but rather on value creation and protection. As I explain here, connecting risk management to the audit functions in your organization carries a host of negative consequences in my opinion.

And as you may know, ISO develops a wide variety of standards covering things like Quality Control, manufacturing, health & safety, and more. If your organization uses any of these in its operations, it will be easier to adopt the risk management standard since all ISO standards follow roughly the same format.

Although the 2018 version is a vast improvement over the 2009 version, there are still areas that need to be addressed in future versions, including my concern below.

One word of caution…

One thing you may notice if you ever purchase the ISO 31000 standard and read through it is some of the terminology it uses.

For example, instead of saying risk appetite, ISO calls it risk criteria.

In the process component of the standard, it uses risk assessment as an umbrella term that covers risk identification, analysis, and what it refers to as evaluation.

These are a couple of examples I have noticed. Sometimes the terms ISO uses will not line up exactly with how your organization explains something.

This difference in terminology can lead to a lot of confusion among risk professionals and the organization at large.

What’s important to remember is that any terminology you use internally should fit your organization. If not, risk management will definitely struggle to make a meaningful impact.

Are you using the ISO 31000 standard as the guidepost for your risk management efforts? Have you found it easy to follow and applicable to your organization?

I’m interested in your thoughts on ISO 31000 and if you find it helpful in its stated purpose of protecting and creating value. Feel free to comment below or join the conversation on LinkedIn.

This article is the first in a 3-part series examining and comparing the two most common ERM standards – ISO 31000 and COSO. I invite you to check out this overview of COSO, plus this piece examining ISO 31000 vs. COSO.

And if you have identified the ISO 31000 standard as the best fit for your organization but are struggling with how best to put it to use, please don’t hesitate to contact me or complete the form below to be added to my coaching and consulting waitlist today!

Featured image courtesy of NastySensei Sens via Pexels.com
