The 2018 revision of the overarching industry best-practice standard ISO 31000 Risk Management should prompt healthy discussion. While the definition of risk – the “effect of uncertainty on objectives” – remains constant (with risk generally expressed in terms of risk sources, their consequences and their likelihood), the focus of the revised Standard is on tailoring risk management to the needs of the organisation.
The 2018 version is leaner, with simpler language and fewer overarching principles. It advocates a more practical, integrated approach to risk management and ‘top management’ responsibility.
The Standard revises the fundamental linear model into a principles, framework and process structure:
ISO 31000:2018 Figure 1 – Principles, framework and process
(It should be noted, however, that having these operate as a linked trio potentially adds a layer of confusion.)
The core requirements of the Standard remain similar, with changes to the 2018 version as follows:
- The addition of an 8th element to the risk process, being “Recording and Reporting”:
  where the 2009 Standard focused on simply recording the day-to-day risk management decisions, ISO 31000:2018 adds the element of communicating activities and outcomes across the organisation and facilitating interaction with stakeholders.
- Responsibility is given to ‘top management’ and ‘oversight bodies’ to demonstrate leadership and ensure risk management is fully integrated with other organisational management processes:
  the terms “top management” and “oversight bodies” are new concepts. Previously, the 2009 Standard only specified a management framework for commitment to risk, whereas Clause 5.2 in ISO 31000:2018 now makes top management accountable for managing risk, with oversight bodies accountable for overseeing risk management. With the focus on full integration, risk management should no longer be done on a periodic basis (e.g. quarterly, annually) but rather every time a business decision is made or a key business process or activity is undertaken.
- Risk Management Commitment:
  where the 2009 Standard identified establishing a risk management policy to demonstrate an organisation’s commitment, ISO 31000:2018 takes this further by asserting that top management and oversight bodies should not only demonstrate their commitment to risk management but also demonstrate continual commitment through a policy or statement that conveys the organisation’s objectives and commitment to risk management.
- Greater emphasis on the iterative nature of risk management:
  drawing on new experiences, knowledge and analysis for the revision of process elements, actions and controls at each stage of the process.
- Risk Management Process:
  ISO 31000:2018 significantly expands on the 2009 Standard’s discussion of risk identification by specifying 11 interrelated factors which should be considered when identifying sources of risk, while also providing a list of five decisions which support the risk evaluation process.
- Recognition of the variability of human nature and organisational culture:
  these variabilities need to be considered throughout the risk management process.
Please contact QRMC for more information.