The updated ISO risk management standard merits our attention

February 24, 2018

You can purchase the ISO 31000:2018 global risk management standard from a number of sources. I got my copy from the US standards organization, ANSI. The ISO press release includes a link to their Swiss site.

There are pluses and minuses, IMHO.

To start with, I like the first part of the Introduction:

This document is for use by people who create and protect value in organizations by managing risks, making decisions, setting and achieving objectives and improving performance.

Organizations of all types and sizes face external and internal factors and influences that make it uncertain whether they will achieve their objectives.

Managing risk is iterative and assists organizations in setting strategy, achieving objectives and making informed decisions.

  1. It is not limited to protecting value, but helps organizations and their people create value. Traditional risk management is focused on the review of a list of risks – what I now refer to as ‘doom management’ and Jim DeLoach calls ‘enterprise list management’ – whereas effective risk management (if we retain that term) should help people take the right level of the right risks to objectives, make informed decisions, and increase the extent and likelihood of success: ‘success management’.
  2. Right from the start, it highlights the need to make quality decisions. By the way, setting an objective or selecting a strategy is a decision and is frankly little different in how it should be done than any other major decision (COSO, please take note).
  3. The second paragraph removes some of the confusion about the meaning of the word ‘uncertainty’ in the 2009 version (where it says “risk is the effect of uncertainty on objectives”, a definition retained in the 2018 update). We are concerned with what might happen (‘external and internal factors and influences’) as we strive to achieve our objectives – and we don’t and never will have a crystal ball so it is uncertain.
  4. Managing risk (a term I greatly prefer to risk management) is an essential part of effective management, and this is at least strongly implied in the third paragraph.

I also like the brevity and simple (for the most part) language of the updated standard.

But the update shares some less positive features with the COSO ERM update:

  1. It still focuses on and talks about “managing risk” when we should be talking about improving the extent and likelihood of success. The common vernacular treats the word ‘risk’ as something negative and ‘managing risk’ as limiting risk – when often we should be taking more! So continuing to talk about risk management and using the ‘r’ word is talking in a language that only ISO devotees are likely to understand the way ISO intends. We should be talking about helping people make informed decisions that take the right level (not too little and not too much) of the right risks!
  2. There really isn’t much help on how you should make informed decisions and take the right level of the right risks, balancing the upside and potential downside consequences of your decision. (See more in my books.)
  3. It still talks about how you identify, assess, and address risk as a one-by-one activity – but in real life there are multiple potential effects. There is no guidance on how to assess the combination of risks, some of which might have positive while others have potential adverse effects.
  4. There is no recognition that the level of risk is not a point. There is no single value for the magnitude of the effect, nor of the likelihood of that level of effect. It’s a range of values and their likelihoods. (Again, see my books.)
  5. The regulators are driving organizations, especially in financial services, to have a risk appetite statement. While I believe this is a concept that does not have practical value for every source of risk, the pressure to have one and measure your levels of risk against it has to be addressed. ISO ignores this reality and the guidance in COSO is poor.
  6. I am starting to dislike the idea of ‘risk oversight’ (mentioned in passing by ISO in the update and more prominent in COSO) or ‘risk governance’. Again, we should be looking at how management assures the board that it is making informed and intelligent decisions that result in taking the desired level (not too much and not too little) of the right risks. ‘Risk governance’ implies oversight of doom management.
  7. It no longer provides useful principles for assessing the effectiveness of what we are doing (risk management, if you like). The COSO principles are too many and include items I would omit, and the ISO principles are a downgrade from those in the 2009 edition. The former ISO principles were crisp and pretty much stood on their own. The update’s principles are more like chapter headings.

Overall, neither the ISO nor the COSO updates will, in my opinion, move the understanding and practice of ‘risk management’ to where they need to be. The updates are small steps when leaps were required.

As I wrote in my earlier post, I see no need to update World-Class Risk Management and instead am trying to stimulate discussion with leadership through Risk Management in Plain English: A Guide for Executives: Enabling Success through Intelligent and Informed Risk-Taking.

What do you think?

I welcome your comments.

  1. February 24, 2018 at 3:09 PM

    Norman, where have you found the expression “risk governance” in the ISO 31000 update?

    • Norman Marks
      February 25, 2018 at 6:12 AM

      Mea culpa. It mentions risk oversight and not risk governance. I have corrected the post.

  2. Ammar Ahmed, REDA
    February 24, 2018 at 3:35 PM

    Thanks Norman for another piece on RM.

  3. Lock Nelson
    February 24, 2018 at 3:48 PM

    Norman
    I enjoy your perspectives and agree with most. While I’m no expert in the management of risk, I’ve followed the work of COSO since its inception. I have not followed ISO at the same level of detail.

    IMHO, it’s clear that often those who are true connoisseurs of risk frameworks, typically GRC professionals, are in dialog with each other, often about definitions and technical issues that, to the less indoctrinated, are differences without meaningful distinction.

    These discussions, while certainly important, can be viewed as myopic in the eyes of those charged with the decisions that determine strategy, risk and results.

    This fuels a growing negative perception of such frameworks as written by and for auditors and regulators as opposed to valuable tools business leaders and their organizations can easily use to improve decision making and performance.

    Too often lost are practical perspectives and concerns of business leaders who actually own management of risk and results. These are people who wake up every day asking how they will achieve performance objectives, profit and growth targets.

    I believe framework makers (ISO, COSO or others) need to elevate their sights and begin to answer “What’s in it for me?” question in simple terms and context business leaders understand, embrace and use.

    Short of that, I fear such frameworks may be relegated to the domain of auditors, regulators and others not directly making live business decisions and delivering results in real time. That would be an error and a shame.

    IMHO it’s time for all framework makers to step to the plate and answer “What’s in it for me?” for business owners.

    • Norman Marks
      February 25, 2018 at 6:15 AM

      Lock, that is precisely what I tried to address in the new book. Thanks for the affirmation!

    • Mike Corcoran
      February 25, 2018 at 11:19 AM

      Lock, you have been a great observer for a long time and I appreciate your insights. We all need to elevate our game not to exclusively serve the privileged, but to make sure we help all of our fellow human beings.

  4. Michael Tarrant
    February 24, 2018 at 4:19 PM

    Norman, I really like many of your comments and they are a valuable contribution to the discussion. I am sure we kept the rather silly term “risk governance” out of the document. I cannot find it in the recently published version; can you tell me where it is, please?

    • Norman Marks
      February 25, 2018 at 6:12 AM

      Mea culpa. It mentions risk oversight and not risk governance. I have corrected the post.

  5. Jason Brown
    February 24, 2018 at 5:31 PM

    Hello Norman,

    Thank you for your constructive comments, many of which I hope will be explored in the development of the implementation handbook. In ISO TC262-Risk management, we are finalising a strategy and work plans to develop additional documentation to assist all decision makers to have the specific guidance needed for their relevant professional discipline. This is part of a desire to show that “risk” is everybody’s business, not just that of risk management specialists.
    A strategy group has already been set up in the Committee and my role as Chair will have an advisory group to ensure that the work does not “drift”.

    Regards

    Jason Brown

  6. February 25, 2018 at 12:44 AM

    Norman, what can be done to get rid of the ‘iterative’ idea? The plan-do-check-act ‘phases’ that we see everywhere (ISO gospel) lead to so many zealous but wrong implementations. The good do it well; the mass of others, not so much: “What you flag now can’t possibly be an incident because we’re in the Planning phase! Come back in two months and we’ll be Operating.”
    There are no iterations. There is everything, all the time…?

    • Norman Marks
      February 25, 2018 at 6:14 AM

      I actually like the word. Perhaps it needs to be explained, but for me it conveys the message that you have to continuously monitor what is happening and check that your decision remains appropriate.

  7. March 19, 2018 at 3:45 PM
    • Norman Marks
      March 20, 2018 at 5:39 AM

      Vincent, I too am disappointed. But I think some of your criticisms are a bit harsh. For example, both the prior and current versions emphasize that the consideration of risk should be a driver of decision-making and integrated into how the organization is run. There’s no real detail, and there is no discussion of how to assess the multiple potential effects that might flow from a decision.

      Is it behind COSO ERM? Not really, IMHO, because at least it doesn’t encourage a risk profile (aka risk register or list of risks) or the use of a heat map.

  8. March 20, 2018 at 11:12 AM

    Thanks for your reply Norman! Note my remark that “the revised ISO 31000 standard is still a good reference for organizations that would like to evaluate and further improve their risk management.”

    However, while the revised ISO 31000 standard continues to SAY that consideration of risk is a driver for decision making and should be integrated, it DOES the opposite by serving up – once more – the stand-alone risk management hamster wheel, setting people up for managing risks without much reference to underlying objectives or decisions. At least, the revised COSO ERM framework has made this crucial turn: see how the DNA string is now wrapped around the business process in the new signature graph.

    Does this mean that I am now an ISO deserter turned into a COSO convert? Not really, as I write in my COSO review [1*]: “There is still a fair bit of inevitable “risk hunting” to satisfy those organizations that cannot say (yet?) goodbye to the old guard (think risk registers).” Exactly those issues that you highlight. Hence I recommend to “’mix and match’ the guidelines, as both bring different items to the table.”

    [1*] see: https://www.ifac.org/global-knowledge-gateway/risk-management-internal-control/discussion/important-improvements-included

    • Norman Marks
      March 20, 2018 at 11:21 AM

      Love the ‘hamster wheel’ analogy, Vincent. I agree that both updates are a huge disappointment and that practitioners should take the best of each and leave the rest behind.
