
Enterprise Risk Management

ERM & ISO 31000

International standards group develops a tool to boost corporate ERM

By Michael J. Moody, MBA, ARM


Despite the fact that enterprise risk management (ERM) has been around for more than a dozen years, the concept still is slow in gaining traction. But the recent financial meltdown has certainly called attention to the failings of risk management, and now many of the new regulatory regimes are being directed at risk management activity. Recently advanced regulations in the United States include new requirements for publicly listed corporations that were recommended by the NYSE, as well as new risk management requirements that have been suggested by the U.S. Securities and Exchange Commission. And while it is still too early to determine the extent of what the federal oversight will ultimately be for risk management, most industry observers have indicated that they believe risk management may become “job one” at most companies. As a result, risk management must become involved strategically with all of the major decision making that occurs at the board level.

Over the past few years, many new and novel risk management frameworks have been introduced. One of the major shortcomings of most of these guides was that they were written by one narrow group of affected organizations. As a result, they usually lacked any universal acceptance. While the sponsoring organization(s) typically did a credible job in presenting a broad approach, all too often it was quite easy to see the vested interests that were referred to in the framework. For many of the frameworks, this shortcoming became too difficult to overcome.

However, a new framework offers much more consensus from the international risk management community. That new framework is a product of the International Organization for Standardization (ISO), which is the world’s largest developer and publisher of international standards. ISO (not to be confused with the Insurance Services Office, which also bears the same shortened name of ISO) consists of a network of 162 national standards institutes that coordinate ISO’s standards promulgations. In theory, due in large part to the diversity of the 162 institutes, ISO provides a consensus that offers solutions that meet the requirements of business as well as the broader needs of society.

The need for a common approach to risk management has been well known, and ISO set out years ago to provide such a standard. In fact, ISO notes that the ISO 31000 represents more than 20 years of development. The organization indicates that much of the 31000 guideline was based on the groundbreaking risk management theory that was presented in the mid-1980s in the Australian/New Zealand Risk Management Standard 4360 (AS/NZS 4360). So the genesis of 31000 is well founded and completely tested.

ISO 31000 basics

First, it should be noted that ISO’s risk management guidance is a “family” of standards. The main document, ISO 31000, which is titled Risk Management—Principles and Guidelines, provides the majority of the information. Also included in this family of standards is ISO 31010, Risk Management—Risk Assessment Techniques, which provides assistance on the selection and application of systematic techniques for risk assessment. The final portion of this risk management family is ISO Guide 73, Risk Management Vocabulary, which defines generic terms related to risk management. The aim is to encourage a mutual and consistent understanding of the description of activities related to the management of risks. Taken together, these three documents are ISO’s attempt to provide a best practice structure and guidance to all organizations that are concerned with risk management.

The primary document, ISO 31000, is comprised of three major sections: principles for managing risk, framework for managing risk, and processes for managing risk. And despite its scant 24 pages, it skillfully sets out a new approach for managing all forms of risks. The standard presents 11 principles to be addressed in order to effectively manage risks and achieve objectives. Among some of the more important principles are: Risk management creates value; risk management is part of decision making; and risk management is an integral part of the organizational process.

The framework section of the standards looks at the framework needed to provide the foundations and arrangements that will embed the management of risk in all levels of the organization. Key to the success of this risk management approach, according to ISO, is that there must be a mandate and commitment of an organization’s board and management to the implementation, review and continual improvement of how risks are managed.

Much of the information provided in the process section follows the previously published AS/NZS 4360. It consists of five segments:

• Communication and consultation

• Establishing context

• Risk assessment consisting of identification, analysis and evaluation

• Risk treatment

• Monitoring and review

The process needs to become an integral part of how business is managed at all levels. ISO also indicates that it must be tailored to the business processes and woven into the culture and practices of the organization that make it uniquely different from its competitors.

Early impressions

Some people may say, “Great, just what the world needs, yet another risk management framework.” But ISO 31000 is different and must be taken seriously. First and foremost, it is an international standard that has arrived through the consensus of many groups. In addition, assistance was also obtained from the Risk and Insurance Management Society (RIMS) through its recently appointed standards and practices committee.

A number of leading risk management experts have quickly weighed in on the new standards and, for the most part, comments have been quite positive. For example, Michael Rasmussen, long-time proponent of the Governance Risk & Compliance approach to risk management, notes, “Its beauty is its simplicity and adaptability.” He adds, “ISO 31000 is a great source of guidance for anyone developing a risk management program, which is part of an organization’s GRC initiative.”

Chris McClean, head of the Security and Risk department at Forrester Research, says, “It has received well-deserved praise for its surprising brevity and consolidated value.” And he notes that many organizations could “benefit from a commonly accepted risk vocabulary and clearly defined process framework for risk management.”

According to Bruce McCuaig, vice president of risk and compliance at Paisley Consulting, “The standard is an amazing 24 pages in length and every one of them is a reason to buy the book.” He concludes by saying, “It outlines almost everything you need to know to get started on implementing risk management in your organization and contains nothing you don’t need to know.”

Conclusion

The International Organization for Standardization has recently issued a unique ERM framework that provides yet another approach for assisting corporations in their risk management activities. Will this new international standard be the “game changer” that many had hoped it would be? Clearly, ISO 31000 and its associated family of documents will have an impact on ERM implementation. But, whether this becomes a “game changer” is doubtful.

ISO 31000 has made some important steps, which are sure to garner more senior management and board attention. And since many new, far-reaching regulations will be coming out of the current financial mess, most placing ultimate responsibility for risk oversight with the board, many organizations will be looking for additional assistance in implementing ERM. This environment is certain to have many organizations going back to the drawing board regarding ERM. The ISO standard will definitely provide some additional advice to assist in this important task, but it is doubtful that it will become a “game changer.” Should those organizations looking for sound advice about ERM implementation review the material in 31000? Without question, it is worth a look.
