ISO 31000: 2018 was published in February 2018, nine years after the last version. Much has been written and discussed about it. Gareth Byatt, principal consultant at Risk Insight Consulting and APAC Ambassador for the IRM, gives us his perspective on how to benefit from the new release.
In November 2017 I published an article “leveraging the value of Risk standards and guidelines”, which describes how Risk standards and guidelines provide useful advice for Risk practitioners, although they are not ready-made frameworks to be “copied and pasted” into an organisation’s procedures.
The taking and managing of risk works well when good practices to think through “what might happen” are integrated into the activities we carry out, helped by the procedures we develop, follow and maintain. ISO 31000: 2018 encourages us to embed an integrated approach to think through “what might happen” with risk-informed decision-making.
Here’s what Jason Brown, Chair of technical committee ISO/TC 262 that developed the update, said in an ISO press release about the new 2018 revision to ISO 31000:
“The revised version of ISO 31000 focuses on the integration with the organization and the role of leaders and their responsibility. Risk practitioners are often at the margins of organizational management and this emphasis will help them demonstrate that risk management is an integral part of business.”
Source: ISO website press release, 15th February 2018: https://www.iso.org/news/ref2263.html (provided with permission from Jason Brown)
My fellow independent Risk consultant Hans Laessoe wrote a good piece about ISO 31000:2018 recently for this publication. As Hans describes in his article, ISO 31000: 2018 has nine core principles which make for a strong and effective approach to risk management.
I recently enjoyed presenting a “Risk Pitch” on the relevance of Risk standards (ISO 31000: 2018 and COSO ERM 2017 in particular) to modern business at the Risk Forum APAC 2018 held by StrategicRISK on 8th May 2018 in Singapore. I was grateful for the feedback I obtained from many Risk practitioners about ISO 31000: 2018 prior to holding my Risk Pitch, and for the discussions I had with many Risk practitioners who attended the Forum. You can download my Risk Pitch slides from the StrategicRISK website if you are a StrategicRISK member.
This article summarises the main points of my Risk Pitch:
Business is changing
The way business is conducted in today’s world is changing rapidly. Whilst this article is not about that change itself, one of the many shifts we see is the need to anticipate and adapt, and to acquire new knowledge quickly as the speed of change (which Hans and I have written about) increases.
Given the change we see in the business environment, perhaps the Risk profession is at an inflection point today.
Risk needs to respond
Risk management can be a valuable aid to help people in businesses think through what might happen as they position themselves to harness the present and embrace the future. Some of the benefits that good risk management can provide include:
* Help to set successful strategy and governance
* Help to foster a good culture
* Help achieve good (risk-informed) decision-making
* Support innovation and technological change
* Ensure there is an appropriate level of organisational resilience
* Help operations and projects to achieve successful outcomes
Some of the actions we can undertake include:
1. Use straightforward language and help foster a good culture
2. Encourage “what if?” thinking by people in all their activities
3. Connect the dots, spot emerging patterns and be prepared
Are Risk practitioners in APAC reviewing their risk frameworks?
At the Risk Forum APAC 2018 I asked the audience whether they are currently re-evaluating their risk frameworks – here’s how people responded:
I also asked the audience whether they think ISO 31000: 2018 will be useful to them, regardless of whether they are re-evaluating their risk framework – here are the poll results:
As we can see, quite a lot of people were unsure about whether ISO 31000: 2018 will be useful to them. I think it can be useful, if the core ethos of the standard is understood and applied.
Use ISO 31000: 2018 in the right way to help your business succeed
As you help your organisation think about the uncertainty it faces in order to achieve its objectives, here are some points to draw upon from the ISO 31000: 2018 standard:
1. ISO 31000: 2018 is short and focused. Its nine principles (see diagram below) are all valid to help you think through uncertainty. You don’t need to copy these principles verbatim into a risk framework.
2. Modern and effective risk management is integrated into how an organisation operates and the decisions it makes, and integration is made crystal clear in ISO 31000: 2018. The words “integrate” and “integration” are regularly woven into the standard. This is one of the most important points to take note of: we must make sure the way risk is taken and managed is integrated into what people do.
3. ISO 31000: 2018 defines leadership as being critical to having effective integrated risk management in place. We all know this is the case, and we need to ensure good leadership exists in our organisations, at all levels.
4. ISO 31000: 2018 makes it clear that the risk framework and process are to be customised and proportionate to your organisation. This is key, in my view. Make your framework fit for purpose by integrating it into how your organisation works. ISO 31000: 2018 doesn’t provide details about different organisational processes, because it doesn’t have to. You know what yours are – so stitch “risk thinking” into your core processes in a simple and effective manner.
5. ISO 31000: 2018 is not prescriptive. There is no “stated expectation” to use particular Risk techniques – it leaves you to decide what works best and delivers the most value in your organisation. Remember that less is often more. By working with everyone in your organisation and using simple, straightforward practices, you will discover and learn what works best to achieve results and objectives.
6. The Risk process diagram in ISO 31000: 2018 (risk assessment, risk treatment etc.) is basically the same as it was in the old version, which is fine. It doesn’t need to be repeated in a business risk framework. The iterative process of looking at and responding to risks occurs naturally when you use good risk management practices with people in their working environment.
In summary, we can leverage the guidance in ISO 31000: 2018 to help people think through what might happen as we collaboratively work out how to achieve our goals and objectives in a fast-changing world.
This article builds upon an article about Risk standards by the author from Nov 2017, and an article by Hans Laessoe published in April 2018. It focuses on ISO 31000 and builds upon feedback provided at the StrategicRISK APAC Forum in Singapore held on 8th May 2018. In the consultant’s experience working in various industries and sectors, many people make good use of specific industry Risk standards and guidelines (e.g. in engineering, pharmaceuticals, mining and finance) in their work, and therefore ISO 31000 must be considered in this context.