Where do ISO 31000 and its implementation stand?
ISO 31000 has been a success story since its publication in 2009. The article shows where ISO 31000 stands, in which direction the international standard is developing further, which new topics are to be integrated and how it is concretely implemented today.
The International Standards Organisation launched the project "ISO 31000 Risk management - Principles and guidelines" in 2005, starting from the Australian-New Zealand standard "AS/NZS 4360 Risk management". The systemic approach (Plan-Do-Check-Act) from the ONR 49000 series, first published in 2004, was added as a key element and established itself as the "risk management framework".
The standard "ISO 31000 Risk management - Principles and guidelines", published at the end of 2009, describes the principles, framework and process for managing risks of all types for private companies and public organizations. The application of ISO 31000 is intended to help organizations achieve their objectives, while systematically identifying opportunities and threats and effectively allocating resources to deal with risks. It thus makes an important contribution to meeting the requirements of corporate governance and to being understood and integrated as a management tool.
ISO 31000 has met with great interest internationally, so that after a short time it ranks fifth worldwide among comparable ISO standards. From a global perspective, ISO 31000 is now on a par with the American auditing standard "COSO Enterprise Risk Management Framework". The OECD recently described ISO 31000 as a "de facto world standard". Nevertheless, the standard is not intended to be the subject of formal certification. It does, however, support the conduct of internal and external risk management assessments. Organizations using ISO 31000 can compare their own risk management with the standard's guidelines.
Short and medium-term revision
ISO reviews its standards every five years. The revision of ISO 31000 was decided in 2013 and has now been taken in hand by ISO TC 262 WG "Core Risk Management Standards". What are the directions of development now?
The Working Group "Core Risk Management Standards" has two mandates: On the one hand, a "limited revision" is to be carried out. This concerns ISO 31000 and the terminology in ISO Guide 73. On the other hand, a fundamental technical revision is to be undertaken.
The limited revision that has now begun is based on the assumption that the standard has proven itself so well in recent years that it should not be significantly changed in structure and content for the time being. Nevertheless, there are some adjustments that will be made in the sense of continuous improvement. The main issues are as follows:
- Consideration of the needs of safety: In Germany, a discussion arose which led to misunderstandings in the application of ISO 31000 to the areas of occupational and environmental safety in connection with opportunities and economic aspects. A conflict with legal requirements was feared. The current revision will clarify these misunderstandings and make the standard accessible to "safety issues".
- Past experience also shows that a clarification of terminology is useful at certain points in the standard. The main point here is that the dual meaning of risk as an opportunity and a threat should be expressed more clearly.
- In addition, some editorial improvements and clarifications are made which do not affect the content and structure of ISO 31000.
The technical revision decided for later will only be tackled when the limited revision is in a final phase. The basis for the technical revision will be the collection of existing customer feedback and a current survey to be planned and conducted by the ISO organization. The technical revision of ISO 31000 will not start before 2016.
Integration of new topics
In parallel with the ongoing revisions, there are new issues that are already being addressed. Two are at the forefront for the extension of the ISO 31000 family of standards:
- Human factors: It is well known that risks are often caused by people. An additional standard is now to be created that describes and illuminates this important aspect of risk management on the basis of scientific and practical findings.
- Risk maturity model: The application of risk management in organizations and companies is still done in very different ways, more or less supported by top management. Today, there are already various maturity models. ISO is now striving for harmonization and will develop its own risk maturity model.
These two new topics will be specified within ISO TC 262 and dealt with in more detail by new working groups.
Application in practice
ISO 31000 is a generic standard that provides comprehensive guidelines but few specifications for the implementation of risk management in business practice. This generic character of the standard is also the deeper reason why risk management according to ISO 31000 should not be certifiable.
The specifications for ISO 31000 are provided by the ONR-49000 series "Risk management for organizations and systems, Application of ISO 31000 in practice". It has been published in its fourth version as of 1 January 2014 and is unchanged in structure from the 2010 version. However, some additions and clarifications have been made to the content, which are listed below:
- The concept of risk: ISO 31000 defines the concept of risk as "effects of uncertainty on objectives". The new ONR goes one step further and defines risk as "effects of uncertainty on objectives, activities and requirements". This is intended to align risk not only with the achievement of (strategic) objectives, but also to include the performance of operational activities. This creates a bridge to emergency, crisis and continuity management, which are an integral part of risk management (cf. ONR 49002-3 Guidance on emergency, crisis and continuity management). In addition, the implications of uncertainty extend to "requirements". This bridges to the issue of "compliance", i.e. conformity with requirements in the areas of occupational, product and environmental safety. Compliance extends to other areas of law such as "faithful management", the protection of assets or behaviours that are established by science and practical experience, for example in standards. These often contain "good" or "best practices". This includes, for example, ISO 26000 (social responsibility), compliance with which is more of a moral than a legal obligation.
- ONR 49001 is based on the new structure of the ISO Management System Standards (ISO MSS). The new ISO 9001 (quality management), the new ISO 14001 (environmental management) or the ISO 27001 (information security management) are structured in the same way according to this "high level structure". Nevertheless, the structure of ONR 49001 with chapter 4 as risk management system and with chapter 5 as risk management process is retained in order to correspond to the current ISO 31000 in the basic structure.
- ISO 31000 is understood as a recommendation and is written in the "should" form (in contrast to e.g. ISO 9001 as a requirement in the "must" form). ONR now takes a third approach by writing in the full verb, e.g. "the organization implements the risk management system" (not "should" and also not "must" implement). In this way, ONR creates a binding force, although as a set of rules it does not impose any hard requirements.
- Annex A (informative) describes the "Audit of the risk management system". Based on ISO 19011 "Guidance on auditing of management systems", ONR 49001 enables a system evaluation. ONR 49001 states: "Many organizations have the need to have the effectiveness of their risk management system reviewed internally or recognized externally. For this purpose, a system is required which defines the elements of the risk management system in a comprehensible and verifiable manner. These elements of the risk management system are defined and described in this ONR" (ONR 2014, p. 3).
- In chapter 4, ONR 49001 introduces James Reason's maturity model as part of the "improvement of the risk management system" (cf. Fig. 1). The top management of an organization should strive to ensure that all elements of the risk management system are fulfilled to the highest possible degree of maturity (ONR 49001, section 4.10, p. 16).
- Chapter 5 deals in detail with human factors in risk management (cf. Fig. 2). The focus is on the nature and handling of human errors (ONR 49001, section 5.5.3 "Risk management in organizations").
- ONR 49002-1, Guidance for embedding the risk management system in the management system, is supplemented with a chapter on "Risk management in complex organisations". This shows how risks are consolidated and how cross-cutting risks are dealt with.
- Finally, in ONR 49002-2 the methods of risk assessment are supplemented with the loss event analysis according to the London Protocol and other supplements that are used in clinical risk management.
- The informative annex on the methods expands the examples of risk criteria, which is mainly understood as the parameterisation of the probability of occurrence and the impact of the risks.
Outlook
ISO 31000 and the ONR 49000 series can be considered two mature, stable and complementary sets of rules that allow companies and organizations to bring risk management to a level that meets their individual needs. This is particularly important because other important standards, such as ISO 9001, will be risk-based from 2015 onwards, which means that access to risk management standards and the practical application of risk management techniques will meet an increased need.
Literature reference: Brühwiler, Bruno: Risikomanagement als Führungsaufgabe, 3rd ed.
Standards
- ISO 31000 Risk management - Principles and guidelines, 2009
- ISO 19011 Guide to the auditing of management systems, 2011
- ONR-49000 series Risk management for organizations and systems, version 2014
- ISO/IEC Directives, Part 1: Consolidated ISO Supplement Procedures specific to ISO, Annex SL (normative), Proposals for management system standards, 2014, p. 115 ff.