Implementation of ISO 31000:2009
The ISO 31000:2009 standard has rapidly established itself as a recognized benchmark in risk management in recent years. Many companies have recognized the benefits of ISO 31000:2009 for risk management. But implementation is challenging. Maturity Models are a good methodological basis for successfully mastering this challenge.
There has been a very dynamic development in risk management over the last ten years, especially in the last five years. Until 2009, there was no international ISO standard in risk management. Very often, risk management was
Figure: Generic RM standard
In the past, risk management in companies was a landscape of isolated solutions: In addition to the legally prescribed risk areas of occupational safety, product safety and process safety, risk management existed in the operational area, which was usually a company-internal solution. In larger companies, a COSO approach was also run in parallel. This made it very difficult or impossible to record, evaluate and aggregate corporate risks in a uniform manner. The integration of the different risk data was often a desideratum, but not the reality. ISO 31000:2009 has successfully solved this problem.
Implementation problems
The benefits and importance of integrating risk management based on ISO 31000:2009 with other management systems (for example ISO 9000, ISO 14000, HSE [Health, Safety & Environment]) into an overall management system were quickly recognized. However, there was one difficulty: the delta between the original, simple risk management implemented in companies and the overall approach of ISO 31000:2009 was often quite large. This problem repeatedly led to the new standard not being implemented. Maturity models provide an important methodological approach to solving this problem in risk management. The
Direction and step height
The basic idea behind the Maturity Model is that risk management systems are developed and implemented in stages. Just as it is important in everyday life that stairs help to overcome differences in height, it is the same with Maturity Models: they must be designed in the right direction and also have the right step height.
Maturity Models: old acquaintances
This methodological approach can be found in very different areas, such as safety and security management and project and quality management. Maturity models are also very common in the field of internal and external auditing, for example in the internal control system (ICS). In this respect, it is a well-known and proven methodological approach.
The development of ISO 31000:2009 was strongly influenced by the Australian/New Zealand standard AS/NZS 4360:2004. That national standard was the reference standard for risk management throughout the Anglo-Saxon world. This influence can still be seen today in the national implementation guidelines for ISO 31000:2009, and especially in their use of maturity models in risk management. The following national "Implementation Guidelines" are representative of this:
- United Kingdom: BS 31100:2011: Risk management. Code of practice and guidance for the implementation of BS ISO 31000.
- Canada: Q31001-11 - Implementation guide to CAN/CSA-ISO 31000, Risk management - Principles and guidelines
- Australia: HB 158-2010: Delivering assurance based on ISO 31000:2009 - Risk management - Principles and guidelines.
Since maturity models are often the great "known unknowns" in risk management, it is worth considering what concrete benefits maturity models have in risk management. There are three potential benefits in particular that are activated by maturity models:
1. Tailor-made risk management
An important principle of ISO 31000:2009 is that every risk management system should be "tailored": "risk management is tailored" (Principle 7, ISO 31000:2009). On the one hand, this principle is fulfilled by the fact that the risk definition according to ISO 31000:2009 explicitly focuses on the internal and external business objectives. The focus of risk assessment thus also includes the stakeholders with their sometimes divergent expectations.
Since this broader perspective can be complex and demanding, it is imperative to consider how risk management can be implemented in a goal-oriented manner. Maturity models make it possible to implement this task well.
In such an implementation, it is not a question of leading all company divisions to the highest RM level, but rather that risk management should be "tailor-made" here as well. In the case of a five-stage maturity model, it may well be that certain divisions can remain at level 4, and in certain cases even at level 3.
2. Measurability, comparability and consistency
The Maturity Model makes it possible to measure and compare the implementation of a risk management system. The parallel "Monitor and Review" process in the RM process of ISO 31000 is therefore very important. Only with this approach can risk management in the company retain its importance and legitimacy in the long term. Last but not least, a maturity model makes it possible to assess whether a risk management system is internally consistent. It thus prevents risk management from becoming a patchwork over time, as was often the case in the past.
3. Implementation and investment
Risk management is always an investment for every company. In times of scarce financial and time resources, it is particularly important to work with a concept that has sensible and practicable implementation steps.
First, for example, the risks that are urgent and also important can be recorded and managed. On the basis of such "quick wins", it becomes clear what the concrete benefit of risk management is. This favors the release for the next maturity model levels.
Methodology
Maturity models pursue the goal of showing, on the basis of defined RM focal points, how these can be implemented step by step. These focal points are characterized in more detail by means of risk attributes. It is important for such maturity models that the choice of these risk attributes and the choice of the maturity model, usually with three to a maximum of ten levels, is a conceptual work of the responsible risk manager. Only if the risk attributes are optimally aligned with the specific requirements and objectives of a company is the maturity model a target-oriented instrument.
Many national implementation guidelines for ISO 31000:2009 contain maturity models, which must in any case be adapted to the company. A simple example of such a maturity model can be found in the draft of the Canadian standard "Q31001-11 - Implementation guide to CAN/CSA-ISO 31000, Risk management - Principles and guidelines" (see Figure 1).
This example with three maturity levels is the simplest possible concretization. In many cases, a five-stage model is used. This extended model allows a more precise statement with regard to the maturity level due to the greater granularity. The five levels are defined as follows:
1. initial
2. repeatable
3. defined
4. managed
5. optimized
As is the case for ISO 31000:2009 in general, the following applies in particular to a maturity model: risk management is tailor-made. Only then is it also impact-oriented.
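The staircase idea described in the Methodology section (risk attributes per focal point, levels that must be climbed in order, and division-specific target levels) can be made measurable in a few lines. The following is an added example, not code from the article or from any of the standards it cites; the focal points, risk attributes and division names are constructed for illustration, and the rule that a division's overall level is the lowest of its focal-point levels is an assumption of this example, not a requirement of ISO 31000:2009.

```python
"""Assess divisions against a five-level risk-management maturity model.

Added example; MODEL, the attribute wording and the divisions are constructed.
"""
from dataclasses import dataclass

# Level numbers as used in the article: 1 initial ... 5 optimized.
LEVELS = {1: "initial", 2: "repeatable", 3: "defined", 4: "managed", 5: "optimized"}

# Hypothetical model: for each RM focal point, the risk attribute that must be
# evidenced to claim each level. Level 1 ("initial") needs no evidence.
MODEL = {
    "risk identification": {
        2: "risk register exists",
        3: "register follows a documented procedure",
        4: "register reviewed on a fixed cycle with KPIs",
        5: "register findings feed process improvement",
    },
    "risk treatment": {
        2: "treatment actions are recorded",
        3: "treatment owners and deadlines are defined",
        4: "treatment effectiveness is measured",
        5: "treatment strategy is optimised from measurements",
    },
}


@dataclass(frozen=True)
class Division:
    name: str
    target_level: int          # tailor-made target: not every division aims at level 5
    evidence: frozenset        # attributes for which the division can show evidence


def focal_point_level(focal_point: str, evidence) -> int:
    """Staircase rule: a level counts only if every lower level is also met.

    Evidence for level 5 without evidence for level 4 does not raise the level.
    """
    level = 1
    for lvl in range(2, 6):
        if MODEL[focal_point][lvl] not in evidence:
            break
        level = lvl
    return level


def assess(division: Division) -> dict:
    """Per-focal-point levels, overall level, gap to target and a patchwork flag."""
    per_fp = {fp: focal_point_level(fp, division.evidence) for fp in MODEL}
    overall = min(per_fp.values())            # assumption: weakest focal point decides
    spread = max(per_fp.values()) - overall   # large spread = inconsistent "patchwork" RM
    return {
        "division": division.name,
        "per_focal_point": per_fp,
        "overall": overall,
        "overall_name": LEVELS[overall],
        "target": division.target_level,
        "gap": max(0, division.target_level - overall),
        "inconsistent": spread >= 2,
    }


def next_steps(division: Division) -> dict:
    """The single next attribute to evidence per focal point still below target."""
    steps = {}
    for fp in MODEL:
        current = focal_point_level(fp, division.evidence)
        if current < division.target_level:
            steps[fp] = MODEL[fp][current + 1]
    return steps


# Constructed sample divisions with tailored targets (level 5 is not mandatory).
DIVISIONS = [
    Division("Finance", 5, frozenset(list(MODEL["risk identification"].values())
                                     + list(MODEL["risk treatment"].values())[:3])),
    Division("Logistics", 3, frozenset(list(MODEL["risk identification"].values())[:3]
                                       + [MODEL["risk treatment"][2]])),
    Division("Facilities", 3, frozenset([MODEL["risk identification"][2],
                                         MODEL["risk identification"][3],
                                         MODEL["risk identification"][5],  # skipped level 4
                                         MODEL["risk treatment"][2],
                                         MODEL["risk treatment"][3]])),
]


def report() -> list:
    """Assessment of every sample division, in a comparable form."""
    return [assess(d) for d in DIVISIONS]


if __name__ == "__main__":
    for result in report():
        print(f"{result['division']}: level {result['overall']} ({result['overall_name']}), "
              f"target {result['target']}, gap {result['gap']}, "
              f"inconsistent={result['inconsistent']}")
```

Finance reaches level 4 overall although identification is already at 5, Logistics shows the patchwork pattern the article warns about (identification at 4, treatment at 2), and Facilities meets its tailored target of 3 because evidence for level 5 without level 4 is ignored by the staircase rule.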
Trends in risk management
In recent years, the Institute of Internal Auditors (IIA) has published very interesting publications on risk management, which show how risk management according to ISO 31000:2009 and internal auditing can be coordinated. Maturity models play a central role in this. This mutual reference clearly strengthens the relevance of ISO 31000:2009.
Since 2012, a large number of standards in BCM (Business Continuity Management) have been published, such as ISO 22301:2012. This new BCM standard has been fully aligned with ISO 31000:2009. This is evident not only in the definitions and important interfaces, but also in the use of maturity models.
In summary, it can be stated that in the future, both in risk management as well as in BCM and in the Internal Control System (ICS), the methodological approach of the Maturity Models will increasingly become a decisive success factor in implementation.