
ISO provides additional and useful risk management guidance

October 17, 2013

Hopefully, you are familiar with the global risk management standard, ISO 31000:2009.

ISO has now developed and just published ISO 31004. This is a “Technical Report” titled “Risk management – guidance for the implementation of ISO 31000”.

Because it is a global document, you can download it from your national standards board’s site. In the US, you can find it on the ANSI site as well as on the ISO Swiss site. It is not free, but it is not expensive either.

The Technical Report “provides: a structured approach for organizations to transition their risk management arrangements in order to be consistent with ISO 31000, in a manner tailored to the characteristics of the organization; an explanation of the underlying concepts of ISO 31000; [and,] guidance on aspects of the principles and risk management framework that are described in ISO 31000”.

In addition to advice on upgrading risk management using ISO 31000, the Technical Report has useful appendices including a discussion of underlying concepts and principles. This latter starts by explaining that “Organizations of all kinds face internal and external factors and influences that make it uncertain whether, when and the extent to which, they will achieve or exceed their objectives. The effect that this uncertainty has on the organization’s objectives is risk”.

Another useful section says “Controls are measures implemented by organizations to modify risk that enable the achievement of objectives. Controls can modify risk by changing any source of uncertainty (e.g. by making it more or less likely that something will occur) or by changing the range of possible consequences and where they may occur.”

It concludes this appendix with “Risk management is an integral component of management, as it involves coordinated activities concerned with the effect of uncertainty on those objectives. That is why, in order to be effective, it is important that risk management is fully integrated into the organization’s management system and processes.”

Perhaps of most use is the discussion and explanation of risk management principles. I am not going to list or discuss them here, as you should really read and consider them for yourself.

I recommend purchase of ISO 31000:2009 (if you don’t already own it) and the new 31004:2013.

I welcome your comments.

  1. October 17, 2013 at 9:33 PM

    This is poorly written: “Controls can modify risk by changing any source of uncertainty (e.g. by making it more or less likely that something will occur) or by changing the range of possible consequences and where they may occur.”

    The likelihood (frequency) of a threat cannot be influenced by a control. A control can influence one’s resistance (vulnerability) to a threat. Just saying…

  2. Norman Marks
    October 17, 2013 at 9:36 PM

    Alan, when I hired you I reduced the likelihood that we would fail to identify a significant operating system vulnerability. Just saying….

  3. Mike Corcoran
    October 18, 2013 at 9:38 AM

    Value management is the rage and the fundamental point of the integrated reporting movement. Why should we devote our time to ISO 31004:2013?

  4. arnold schanfield
    October 18, 2013 at 9:46 AM

    Value management is contained within 31004:2013, and if you provide an example of what value management means, I can demonstrate how it does this.

    Having said this, I am terribly disappointed in this end product of ISO 31004:2013 and will demonstrate shortly in upcoming blogs how it misses quite important things in an implementation that are being satisfactorily addressed by HB 436, just released. However, procuring it is probably still a good thing because the thinking is good but just does not go far enough.

  5. October 19, 2013 at 4:03 AM

    “Not expensive” may be relative to other standards. To me, it is far too expensive, looking at the number of pages, the goal that standards-setting organisations should have, etc.
