Risk Management
By Randy Boss, CRA, CRM, MWCA, SHRM-SCP
THE OTHER ISO
International Standards Organization gives risk management a KISS
What is ISO?
We don’t mean the entity that we commonly refer to as ISO: Insurance Services Office. We’re talking about the International Organization for Standardization, which develops and publishes specifications for products, services, and systems. These standards are intended to ensure quality, safety, and efficiency. This ISO is instrumental in facilitating international trade.
KISS, an acronym for “keep it simple, stupid,” is a design principle that states that most systems work best if they are kept simple rather than made complicated; therefore, simplicity should be a key goal in design, and unnecessary complexity should be avoided.
“Failure to manage risks is inherently risking failure.”
—Jason Brown
Chair, Technical Committee on Risk Management
International Standards Organization
That’s what ISO did when it revised its ISO 31000 standard. The new ISO 31000:2018 standard, which replaces the 2009 version, is intended to as the organization says, “keep risk management simple” and “deliver a clearer, shorter and more concise guide that will help organizations use risk management principles to improve planning and make better decisions.” In other words, they gave it a KISS.
According to ISO, today’s threats are not adequately addressed with yesterday’s risk management practices. Organizations of all kinds and sizes increasingly are facing risks of cybercrime, political upheaval and terrorism, and damage to their reputation or brand. With this in mind, the revised standard delivers a clearer, shorter and more concise guide that will help organizations use risk management principles to improve planning and make better decisions.
Jason Brown, current chair of the ISO technical committee on risk management, which developed the standard, says: “The revised version of ISO31000 focuses on the integration with the organization and the role of leaders and their responsibility. Risk practitioners are often at the margins of organizational management, and this emphasis will help them demonstrate that risk management is an integral part of the business.”
Brown adds that the principal objective of the new standard is to help organizations ensure their long-term viability and success in the interest of all stakeholders. Organizations do so by adopting sound risk management practices because, as he notes, “failure to manage risks is inherently risking failure.”
This second edition cancels and replaces the first edition (ISO 31000:2009). The key changes are:
- Review of the principles of risk management, which are the key criteria for its success
- Focus on leadership by top management, who should ensure that risk management is integrated into all organizational activities, starting with governance
- Increased emphasis on the iterative nature of risk management, drawing on new experiences, knowledge, and analysis for the revision of process elements, actions, and controls at each stage of the process
- Streamlining of the content with an increased focus on sustaining an open systems model that regularly exchanges feedback with its external environment to fit multiple needs and contexts
The definitions
I like these definitions because they are short and easy to understand. Compare the words to ones you use when you communicate with your clients and prospects and see how they differ. To enhance understanding of these definitions, I added an example for each:
- Risk: An effect of uncertainty on objectives Example: A building fire affects an organization’s ability to deliver product
- Risk management: Coordinated activities to direct and control an organization with regard to risk Example: Identify risk by interviewing a sampling of employees throughout the organization
- Stakeholder: Person or organization that can affect, be affected by, or perceive itself to be affected by, a decision or activity Example: Every employee, supplier, and customer
- Risk source: An element that alone or in combination with another has the potential to give rise to risk Example: Cell phone use causing a distraction while driving
- Event: Occurrence of or change in a particular set of circumstances Example: Standing on the top rung of a six-foot ladder because you didn’t take the time to get the eight-foot ladder
- Consequence: An outcome of an event affecting objectives Example: Having a heart attack after years of smoking, poor diet, and lack of exercise
- Likelihood: A chance of something happening Example: Getting injured or killed because you didn’t wear a seatbelt
- Control: A measure that maintains and/or modifies risk Example: An employee locking out and tagging out a machine so it can’t start on its own or be started by a fellow employee
The new standard is broken down into three categories:
- The Principles: The purpose of risk management is the creation and protection of value.
- The Framework: This includes integrating, designing, implementing, evaluating and improving risk management across the organization. It takes leadership and commitment. I like to describe it as a road map, because following a map gives you the best chance of getting where you want to go.
- The Process: The risk management process should be an integral part of management and decision-making and should be integrated into the structure, operations, and processes of the organization.
I encourage insurance agents and brokers who help their clients manage risk to get a copy of ISO 31000:2018 and become familiar with it. It is available from the American Society of Safety Professionals (ASSP). Doing this will not only demonstrate you are committed to staying current on all risk management issues, but it also lends credibility when suggesting a framework for your clients to follow.
And while you are at it, join ASSP. It’s inexpensive, it offers a treasure trove of resources and connects you with a large community of safety professionals who generously share their experience. The group publishes a monthly magazine full of articles I often share with clients and prospects to get the risk management conversation started.
The author
Randy Boss is a Certified Risk Architect at Ottawa Kent in Jenison, Michigan. As a Risk Architect, he designs, builds and implements risk management and insurance plans for middle market companies in the areas of safety, work comp, human resources, property/casualty and benefits. He has over 40 years’ experience and has been at Ottawa Kent for 37 years. He is the co-founder of emergeapps.com, which are web apps for agents to share with employers. Randy can be reached at rboss@ottawakent.com.