Since its adoption in 2009, the international standard on risk management, called ISO 31000, has been implemented broadly around the world. It was revised in 2018, which changed a number of related standards and created new ones as well. In this paper, we will review the key initiatives associated with the ISO 31000 standard and outline the changes resulting from the 2018 revision.
The International Standards Organization (ISO) is a global network of the world’s leading standard makers. Its members are the national standards bodies from 164 countries around the world; the U.S. member is the American National Standards Institute (ANSI). An international standard that is adopted by ISO must be approved by ANSI before it can be published as an American standard. ANSI also authorizes American participants in the standards-making process at international meetings. For the group of risk management standards, ANSI has designated the American Society of Safety Professionals (ASSP) as the secretariat to the group of U.S. experts.
In 2011, Technical Committee 262 (TC 262) was formalized to manage all standards related to risk management. The scope of TC 262 is to provide standardization in the field of risk management. The TC meets once or twice a year; ISO rules require that these meetings occur on different continents and allow participating countries to send up to three experts. TC 262 is led by a chairperson from Australia and a secretariat from the British Standards Institute.
There are currently 59 countries on the roster of TC 262. The newest members hail from Algeria, Greece, Kazakhstan and Nigeria. The U.S. has participated since 2008 (the drafting work began in 2005), and we have sent experts to every meeting since.
A Brief History of Risk Management Standards
Prior to 2002, a handful of countries had published risk management guides, including Australia, New Zealand, Canada, Japan, England and Wales. Norway had published a standard on risk assessment techniques. An international working group formed to create guidance on risk management terminology, and the first ISO risk management publication, called Guide 73, was published in 2002. Following that success, a working group was formed in 2005 to create an international standard on risk management, which became ISO 31000, published in 2009. ISO 31010, a standard on risk assessment techniques, was also published in 2009 and an implementation guide followed, in 2013. When ISO 31000 was updated in 2018, both the terminology (Guide 73) and the implementation guide (ISO 31004) became outdated.
Overview of the Revision of ISO 31000
ISO 31000 is the key standard in the family of risk management standards; all other risk management standards must be in sync with ISO 31000. It is based on best practices from around the world and was created with input from a wide range of experts from more than 40 countries. Representatives from the Institute of Internal Auditors also participated and the ISO standard is now compatible with the COSO* ERM Framework, which was also recently revised.
The revised standard was intentionally drafted to be accessible to any user, not just risk management professionals. Great pains were taken to reduce technical jargon and improve readability. The principles section was simplified, and the number of definitions was reduced from 29 to eight. The framework section changed from the outdated “plan, do, check, act” cycle to a continuous improvement model that places leadership and commitment at the heart of all risk management. The revised framework section emphasizes integration and recognizes that integrating risk management is a dynamic and iterative process that needs to be customized to the organization’s needs and culture. The risk management process clarified the first step to include scope, context and criteria, and added the important activity of recording and reporting. The graphic depiction of risk management (which outlines the “architecture” of the standard: purpose and principles, framework, and the risk management process) was updated and clarified as well.
The 2018 version states that the purpose of risk management is to create and protect value, and it should be a part of organizational decision-making, governance, leadership, strategy, objectives and operations.
Other New Risk Management Standards — Published
ISO 31010, the standard that addresses risk assessment techniques, was updated in 2019. This standard was somewhat controversial in the U.S., and many experts did not think the new revision was an improvement. As a result, even though the standard was adopted by ANSI as the U.S. standard, a group of U.S. experts is working on an American technical report that will address shortcomings.
ISO 31022 provides guidelines for the management of legal risk. It refers to a broad array of legal risks, from or to third parties, legal and contractual rights and obligations, and compliance. It follows the format of ISO 31000, with sections that address definitions, principles and the legal risk management process. The risk management framework is omitted from this standard because the framework should be established using ISO 31000 prior to implementing this model.
*COSO = the Committee of Sponsoring Organizations, an organization of financial and audit professionals that provides advice on auditing ERM programs.
Other New Risk Management Standards — in Process
ISO 31073 will replace the old vocabulary standard called Guide 73. It is currently in drafting phase, with an expected publication date in 2020 or 2021. Work on this standard is being led by a U.S. expert.
ISO 31004 will be replaced by a new handbook or guidance on the implementation of ISO 31000. Work on this new standard began in 2018, and publication is expected in 2020 or 2021. This standard will dive more deeply into key concepts and provide examples from a variety of organizations. Several U.S. experts are participating in drafting this new standard (including this article’s author).
ISO 31050 will provide guidance for managing emerging risks to enhance resilience. This working group is coordinating with another technical committee that is focused on resilience. It has an expected publication date of 2021, and the U.S. is contributing to this standard as well.
ISO 31030 is focused on the management of travel risks. It follows the format of the risk management process from ISO 31000, but is focused on all risks associated with travel. It also has an expected publication date of 2021; no U.S. experts have participated in the drafting of this standard.
What Is the Value of Risk Management Standards to My Organization?
Some segments within the public sector have oversight from regulators who scrutinize risk management practices. Financial rating agencies routinely ask about the robustness of risk management programs and the identification and treatment of key risks in their management review process, which aids in the determination of financial ratings. Forward-thinking agencies embrace the broad, systematic approach to risk management provided in the ISO 31000 family of standards, and others understand that risk management can help an organization take appropriate risks and build resilience. Even if none of those descriptions fits your entity, these standards describe the future of risk management and how it can both protect and create value for your organization, and they are worthy of consideration.
About the Author
Dorothy Gjerdrum is managing director of Gallagher’s ERM practice and senior managing director of the Public Sector practice. She has more than 30 years of risk management experience, including 11 years as a U.S. expert to the international working group that created ISO 31000 and related standards. In her consulting practice, she has created award-winning programs for all types of public entities, public and independent K–12 schools, and higher education institutions. She developed the curriculum for PRIMA and URMIA that trains risk management professionals on how to implement ERM using the ISO 31000 standard and has trained hundreds of risk management professionals.
Senior Managing Director
Gallagher Public Sector and Managing Director, ERM Practice