News & Analysis

February 2010

Building a common approach to managing risk: The challenge of ISO 31000

With uncanny predictability, the global economic crisis and the resulting wave of corporate failures have produced a hue and cry for both judgment against those responsible and quick fixes to the problems they have created. Anecdotal stories of executive excess, regulatory breakdowns, and downright incompetence are not only overly simplistic, but are also dubious "rushes to judgment" in the case of failed corporations.

History tells us – if the current economic crisis has not already drilled it into our heads – that risk, and the absence of risk management, are at the root of each and every corporate failure we have seen. But just as there is no single reason for the current global economic malaise, better risk management alone could not have prevented the crisis. Few would argue against the merits of a set of global risk management standards designed to ensure that risk is effectively managed. To date, there has been no meaningful centralisation of risk management standards and, as a result, few examples of risk management being meaningfully applied. For the most part, risk management has been delivered in the form of guidelines that are not certifiable – there is no risk management equivalent of the accounting profession’s generally accepted accounting principles (GAAP), or of the Financial Accounting Standards Board in the United States.

With the release of ISO 31000: Risk Management – Principles and Guidelines, the International Organization for Standardization (ISO) is attempting to provide the global marketplace with a long overdue view of how to effectively manage cross-organisational risk. The Risk Management Standard (“the Standard”), issued by the ISO in November 2009, is built around three fundamental pillars: risk management principles, risk management framework, and risk management process. In practical terms, this Standard will unify a range of fragmented terms, concepts, and practices that have long been a source of confusion within virtually every enterprise risk management (ERM) discussion. While there is currently no certification mandate or prescriptive compliance requirement, the articulation of a common approach to risk management practices will facilitate a broad adoption of what is likely to become recognised as the international best practice standard for risk management.

To become the international best practice standard, however, the ISO will clearly need to continue adopting best practice-based enhancements to the 31000 family of standards. In doing so, it will reinforce the comprehensiveness of a framework that provides practical value and ensures that risk is managed effectively, efficiently, and coherently across an organization. Risk in all its forms – financial, security, operational, safety, environmental, strategic – is included, and a unified view of the principles, framework, and processes used to manage those risks is outlined. The global marketplace will now have a standards-based set of principles for managing any form of risk in a systematic, transparent, and credible manner, within any scope and context of an organization. For those organizations that have already invested in advancing their risk management activities, ISO 31000 represents a meaningful benchmark for assessing the maturity and effectiveness of those investments.

An extract from an article by Mathew Allen, Enterprise Risk Services and Solutions Practice at Marsh, published in 'Viewpoint', January 2010.

Costa Zakis
Managing Principal
Sydney, Australia
P: +61 2 8864 7215
costa.zakis@marsh.com
