March 13, 2018
by Vincent Tophoff, Senior Technical Manager, IFAC
Earlier this year, the International Organization for Standardization (ISO) issued the revised standard ISO 31000 – Risk management, which provides principles, framework and a process for managing risk in any organization regardless of its size, activity or sector.
Users of the previous version will find it hard to identify substantial changes, let alone real conceptual improvements in this new edition. So, has the standard been improved? Yes, the graphs are more pleasant to the eye, but they did not substantially change, nor did the other parts of the standard: the principles, the framework, and the process.
I observe a lot of wordsmithing between the two versions, sometimes for the better, sometimes for the worse. As this revised version had to accommodate literally hundreds of proposed changes, the text feels a bit over-engineered, and may have lost its sharpness and conceptual soundness at various points.
A true disappointment, however, is that the standard is still centered on the (stand-alone) risk management process—racing the risk management “hamster wheel” but getting nowhere—instead of fully integrating the management of risk into the overall management of an organization and, thus, enabling it to better achieve its objectives.
In this sense, the revised ISO standard is now trailing the also recently revised Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework, Enterprise Risk Management–Integrating with Strategy and Performance (2017), which has indeed made the crucial turn away from the siloed nature of managing risk and toward integrating the management of risk throughout the organization (follow this link for my review of the revised COSO ERM Framework).
Consequently, I would encourage readers of the ISO Standard to also have a look at the revised COSO ERM Framework (and vise versa), and “mix and match” the guidelines that work best for their organization, as both bring different items to the table. For example, the ISO Standard is short and sweet, but the longer COSO Framework offers much more detail.
All in all, the revised ISO 31000 standard is still a good reference for organizations that would like to evaluate and further improve their risk management arrangements. As such, I would strongly recommend that those who have not yet experienced the ISO 31000 standard have a look at it.
However, if you are already using the predecessor version of the standard (2009), my instinct is that there is no rush for an immediate transition, as I am not convinced that the revised standard will bring real improvement to your risk management arrangements. On the bright side, the publication of this revised standard might be a good opportunity to motivate your organization to engage in a new round of evaluation and improvement. Just like the standard prescribes!