After three long years in the making, the new ISO 31000: 2018 international risk management standard has been released. The International Organization for Standardization (ISO) published the document earlier this month, replacing the original version created nearly a decade ago. The new version isn’t a radical departure from its predecessor, but it is shorter, easier to read, and uses simpler language.
The new version’s predecessor, ISO 31000: 2009, was developed to help organisations around the world establish a common language for risk management, but it was hindered by wonky, specialist wording. Practitioners pushed for an update to address both this and the evolving nature of the profession and risk landscape.
Every five years, ISO standards are subject to revision – a process that involves years of arduous negotiations between expert risk practitioners from all over the world. This time around, about 30 countries sent representatives to participate in the process. “It’s a bit like the UN,” said Fiona Davidge, a board member of Airmic who represented the British standards risk management committee in the revision process.
Support for revision was not unanimous, as major updates could impede the progress of burgeoning risk management programs. “A lot of countries actually really didn’t want the standard updated at all because they thought people in organisations had just gotten used to it,” said Davidge. That’s especially true for non-Western companies, where the risk profession is just beginning to grow. “You’ve got to appreciate that in different parts of the world, there are different levels of maturity and sophistication of risk management,” she said. “We had very good input, for example, from Latin America in this committee. They said they’d only just gotten people to resonate to the existing one, and that’s why they were keen that we didn’t go through any radical rewrite.”
In the end, ISO 31000 didn’t go through any major changes, which means that risk managers don’t need to make any major updates to their processes. “Largely what was there was sufficient and adequate, but it was decided that we could do a limited review, and in the end, we ended up with something that was a little bit more than that,” said Davidge. “We haven’t come up with any radical new concepts, but we did take the opportunity to wordsmith it all. It was rather more than an editorial update.”
However, even three years of negotiation weren’t enough. “We fell short of time,” said Dorothy Gjerdrum, senior managing director of Arthur J. Gallagher & Co.'s Public Sector Practice and managing director of its Enterprise Risk Management Practice. “I wish that we could have had another few months to complete a ‘finishing edit’ before publication.”
Key changes include:
Simpler and shorter
The document was reduced from 24 pages to 16, and all wording was rewritten in layman’s terms. Davidge said, “We weren’t writing it for other people who know about risk, we were writing it for people who don’t know the subject. Most organisations don’t have specialist risk people working for them, but if we want to encourage them to do risk management, then we’ve got to speak to them in language that is not unique to the risk profession.”
Simpler language will also make it easier to accurately translate the document into other languages like French, Spanish, and Arabic, thereby furthering its international reach. Currently, ISO 31000: 2018 is available in English and French.
The number of principles, which are the criteria for the success of the risk management standard were reduced from eleven to eight, with value creation and protection factoring throughout the entire standard, not solely as a principle.
Integrated risk management
The new guidelines promote the integration of risk management into all aspects of an organisation’s activities, including strategy and planning, business resilience, IT, corporate governance, HR, compliance, health and safety, business continuity, crisis management and security. “The old standard didn’t reflect that as well,” said Davidge. “It made it seem as though risk management is separate to managing the business.”
Risk management as a cycle
Risk management is now explained as an iterative, rather than linear, process, with new experiences and knowledge contributing to actions in a cyclical manner.