By Sarah Gordon, Managing Director, Satarla
The International Organization for Standardization (ISO) has released the long-awaited update to ISO 31000. Many experts have commented on the changes and, for better or worse, they affect every organisation that follows ISO 31000.
ISO 31000 is still maturing as a standard, and the risk landscape keeps evolving. Let us have a look at the pros and cons of the revised ISO 31000, as seen by risk practitioners from a range of industries and geographies.

Pros:
- The revised ISO 31000 uses circular diagrams throughout to show the iterative nature of risk management. This is a welcome change.
- The standard simplifies the layout of its principles, framework and process. It is now far easier to explain these to people who are new to risk management and to ISO 31000.
- ISO puts value creation and protection at the centre as the leading principle, which aligns the standard more closely with strategic management. In the old version, "creating value" was just one principle in a long list. There is also a noticeable shift in language towards "managing risk" rather than "risk management".
- The standard asks you to show what you are going to do about your risks. It is output focused rather than process and documentation focused. This is in line with other ISO standards such as ISO 9001:2015 and is very useful to the Integrated Risk Manager.

Cons:
- The language of risk appetite and tolerance has been changed to risk "criteria". We have only begun to get our heads around risk appetite, despite it appearing in many instances of regulation, and ISO has now replaced the term with one that does not make sense. If the terminology had to change, my vote would have been for "risk thresholds".
- What happened to the arrows between the different components of the process flowchart? Without them it is now more difficult to describe the flow of the process.
- The emphasis is still on risk assessment rather than on risk management (i.e. treatment). One day we will learn!
- Despite the accompanying vocabulary, many ISO definitions lack clarity. Inventing a new term to replace old terms, and then using the old terms to define the new one, is absurd. Standards have a huge influence in shaping how the concept of risk is understood, and replacing an easy term like "risk appetite" or "tolerability" with a nebulous one impairs that understanding. The only logical reason for the change is to align with the concept of decision criteria, but it does not work well in this case.
- ISO could have improved the definition of risk. I don't like that "effect of uncertainty on objectives" says nothing about consequences. The uncertainty in risk is uncertainty about outcomes, consequences or future states, and about whether the outcome deviates from the objectives. The uncertainty does not affect our objectives as such; it affects our achieving them.
Overall, the new ISO 31000 ushers us into new and exciting territory for integrated risk management and is a great step forward.
Satarla specialises in sustainable enterprise-wide risk management. Offering consultancy, training and research services, it is a network of risk management experts based all over the world. Working with a wide range of organisations, from mining to government, healthcare, agriculture, banking, insurance and charities, they have hands-on experience in delivering quality risk management from site to board level. www.satarla.com