The new international standard ISO 31000 Risk Management

The ISO 31000 standard for risk management is, per se, nothing new. The revised standard emphasizes the systemic balancing of opportunities and risks, and it also focuses on the multi-faceted characteristics of hazards.

An analysis and synthesis of ISO 31000/2018 - standard for risk management - is also taking place at Swiss organizations. (Image: depositphotos).

The international standard ISO 31000 was a new version of ISO Guide 73 ("Risk Management - Vocabulary - Guidelines for Use in Standards"). The new standard for risk management was published at the end of 2009. The systemic approach and integration into management was new.

The 2018 standard goes even further in addressing intangible uncertainties. Whether the concern is risk processes for political enterprises or against terrorism, or reputational or security issues, the new ISO 31000 gives public as well as private organizations orientation on new threats.

The former management measures that were important in risk management are no longer adequate for today's threats. ISO 31000:2018 is therefore formulated even more clearly. It serves as a reference work for management principles, but also as a guide to make better decisions in practice.

The new standard ISO 31000 "Risk Management - Principles and Guidelines" comprises the following elements:

  • Review of the principles of risk management, which are the key criteria for its success
  • Focus on leadership by top management who should ensure that risk management is integrated into all organizational activities, starting with the governance of the organization
  • Greater emphasis on the iterative nature of risk management, drawing on new experiences, knowledge and analysis for the revision of process elements, actions and controls at each stage of the process
  • Streamlining of the content with greater focus on sustaining an open systems model that regularly exchanges feedback with its external environment to fit multiple needs and contexts

Risk is defined as the "effect of uncertainty on objectives".

"The 2018 version places a greater focus on creating and protecting value as the key driver of risk management and features other related principles such as continual improvement, the inclusion of stakeholders, being customized to the organization and consideration of human and cultural factors." (Source: ISO.org)

The new version focuses on the consequences of incomplete knowledge of events, or on decision-making in difficult situations. It highlights changes to the traditional understanding of risk and "forces" companies to tailor risk management to their own needs and objectives - a key benefit of the new standard.

The ISO 31000 framework integrates both risk processes and management systems to ensure consistency and effectiveness across all areas of the organization. This includes strategy and planning in areas such as organizational resilience, IT, corporate governance, human resources, compliance, quality, health and safety, business continuity, crisis management and security.

ISO standard since 2015

In 2005, Australia proposed to the international standardization community that the standard AS/NZS 4360 "Risk Management" be elevated to an ISO standard. A vote within the ISO organization led to the clear result that such a standard was desirable, but that the Australian standard should not simply be adopted.

www.iso.org
