Viewpoint - The MMC Journal

Viewpoint

January 2010

Building a Common Approach to Managing Risk

The Challenge of ISO 31000

by Mathew Allen

With uncanny predictability, the global economic crisis and the resulting wave of corporate failures have produced a hue and cry both for judgment against those responsible and for quick fixes to the problems they created. Anecdotal explanations built on executive excess, regulatory breakdowns, and downright incompetence are not only overly simple; applied to any particular failed corporation, they are also dubious rushes to judgment.

History tells us (if the current economic crisis has not already drilled it into our heads) that risk, and the absence of risk management, lie at the root of every corporate failure we have seen. But just as there is no single cause of the current global economic malaise, better risk management alone could not have prevented the crisis. Few would argue against the merits of a set of global risk management standards designed to ensure that risk is managed effectively. To date, there has been no meaningful centralization of risk management standards and, as a result, few examples of risk management being applied consistently. For the most part, risk management has been delivered as guidelines that are not certifiable: there is no risk management equivalent of the accounting profession's generally accepted accounting principles (GAAP), nor of the Financial Accounting Standards Board in the United States.

With the release of ISO 31000: Risk Management – Principles and Guidelines, the International Organization for Standardization (ISO) is attempting to provide the global marketplace with a long overdue view of how to effectively manage cross-organizational risk. The Risk Management Standard (“the Standard”), issued by the ISO in November 2009, is built around three fundamental pillars: risk management principles, risk management framework, and risk management process. In practical terms, this Standard will unify a range of fragmented terms, concepts, and practices that have long been a source of confusion within virtually every enterprise risk management (ERM) discussion. While there is currently no certification mandate or prescriptive compliance requirement, the articulation of a common approach to risk management practices will facilitate a broad adoption of what is likely to become recognized as the international best practice standard for risk management.

To become the international best practice standard, however, the ISO will clearly need to keep adopting best practice-based enhancements to the 31000 family of standards. In doing so, the Standard will reinforce a comprehensive framework that provides practical value and ensures that risk is managed effectively, efficiently, and coherently across an organization. Risk in all its forms (financial, security, operational, safety, environmental, strategic) is included, and a unified view of the principles, framework, and processes used to manage those risks is set out. The global marketplace will now have a standards-based set of principles for managing any form of risk in a systematic, transparent, and credible manner, within any scope and context of an organization. For organizations that have already invested in advancing their risk management activities, ISO 31000 represents a meaningful benchmark for assessing the maturity and effectiveness of those investments.

Risk management principles

The Standard lists eleven principles. To be effective, it states, risk management in any organization should:

  • Create value;

  • Be an integral part of organizational processes;

  • Be a part of decision-making;

  • Address uncertainty explicitly;

  • Be systematic, structured, and timely;

  • Be based on the best available information;

  • Be tailored to the needs of the organization;

  • Take human and cultural factors into account;

  • Promote transparency and inclusiveness;

  • Be dynamic, iterative, and responsive to change; and

  • Facilitate continual improvement and enhancement of the organization.

Each principle is supported with a detailed description and is easily recognized as a way of defining best practice. This will make matters far simpler for organizations still grappling with what risk management is and how to approach it from a cross-enterprise perspective. In functional terms, the principles describe attributes, or an end state, that guide the user in framing expected outcomes.

Risk management framework

The framework for managing risk within the Standard is efficient, effective, and intended to be repeated regularly (Exhibit 1).

Once management has committed to it (the Standard's "mandate and commitment"), the framework runs as a feedback loop through a series of activities: (1) designing the framework; (2) implementing risk management; (3) monitoring and reviewing the framework; and (4) continually improving the framework. Each component is supported with detailed attributes and outcomes, which are achieved iteratively.

Exhibit 1: Risk management framework
Risk management process

The process within the Standard (Exhibit 2) should be familiar to advanced risk management professionals. While some of the terminology may be different, the applied meanings remain much the same for those who have executed an ERM process.

The risk management process has five primary activities: (1) communication and consultation; (2) establishing the context; (3) risk assessment, where risk is identified, analyzed, and evaluated; (4) risk treatment; and (5) monitoring and review.

This process has been deployed in a relatively consistent fashion throughout the evolution of "modern" risk management, or ERM. It is intended to be used by decision makers throughout an organization and should align with that organization's own policies and procedures. Deployment timing and sequence may vary by organization, but the process serves to reinforce formality and structure.

Exhibit 2: Risk management process

Meeting the ISO 31000 challenge successfully

Where so many efforts to unify the global view of risk management have fallen short, the Standard is expected to succeed. By simplifying complex concepts and coupling the framework with the process and principles of cross-organizational risk management, the Standard is likely to subsume most, if not all, of the existing independent and national risk management standards. To that end, it will give organizations a tool for adhering to best practice and, once implemented, a platform for developing effective management of risk no matter where a company's operations are located.

Every organization has its own unique risk footprint and its own risk management challenges; the Standard has therefore been written so that it is not specific to any industry or sector. It can be applied to enterprises of all sizes, public or private, and to a wide range of processes, issues, decisions, and operations. While there is no immediate legal or compliance obligation for organizations to act, business leaders would be well served to become familiar with the Standard and, at a minimum, to be able to compare it with their existing risk management framework. Given the heightened sensitivity to risk and the absence of any other meaningful global risk management standard, key stakeholders should expect board members, customers, vendors, and regulatory bodies to move toward some form of alignment with the new ISO Standard.


Mathew Allen is the New York-based leader of Marsh’s Enterprise Risk Services & Solutions Practice. He can be reached at .


Contributing to this article were regional representatives of Marsh's global Enterprise Risk Management Practice: Lisa Kremer, North America; Patrick Hickey, Latin America; Eddie McLaughlin and Stephen Roberts, EMEA; Craig Paterson, Asia; and Stuart Bassett, Australasia.

Copyright © 1996 - 2010, MMC, All rights reserved.