It’s finally here! It’s been years in the making, but we finally have a revision to the 2009 ISO 31000 risk management standard.

For those of you who saw the Exposure Draft or the Final Draft International Standard in 2017, this final version probably won’t come as much of a surprise. I’ve been reading it in the past few days and doing a quick and dirty comparison between the 2009 and 2018 versions.

What I really like

  • That ‘establishing the context’ has been better explained. I particularly like the ‘scope, context, criteria’ part of the risk management process diagram. I’ve seen plenty of blank faces when you tell people that the standard tells them to establish the context. I also like the stronger emphasis on needing to understand objectives, given that risks don’t exist in a vacuum.
  • That the entire document is more concise. It’s down to 24 pages (and that’s including a couple of blank pages at the end) and most of the sections are much clearer. I really like the fact that it has fewer blocks of text and more dot points describing the minimum requirements.
  • The list of factors to consider as part of risk analysis. This is a bit of an ancillary to my previous point, but previously, we’ve had to delve through six dense paragraphs of text to figure out what makes up risk analysis.

What I’m so-so about

  • The potential tension between some of the principles and the process. In particular, the tension between the ‘integrated’ principle and the risk management process. I agree 100% with the principle. Risk management should be an integral part of all organisational activities, particularly decision-making.

But the risk management process itself doesn’t always lend itself to being easily integrated into the activities and processes of an organisation. Because of this, most people just tack it on as something extra to do. I would have liked to see the ideas behind the ‘integrated’ principle explored further.

What I would like to see improved

  • That the risk assessment process still looks and feels linear. For those of you who haven’t compared it yet, it’s very close to the previous 2009 version of the standard with the addition of ‘recording and reporting’ at the bottom. Yes, most of the arrows are gone, which makes it seem less linear, but I don’t think that it’s gone far enough.

I know if you read the text of the standard, it’s clear that it’s an iterative process. But I know a lot of people will just look at the diagram and think that it’s a step-by-step process.

I liked better what the Exposure Draft diagram was trying to do. It showed visually that there are three central elements to any risk management process (establishing the context, risk assessment and risk treatment) and that the other parts support the core elements.

[Figures: the risk management process diagram from the final ISO 31000 (left) and from the Exposure Draft (right)]
  • There still seems to be a preference towards the risk matrix. I know the risk matrix isn’t mentioned anywhere in the standard. However, despite a great list of factors to consider in the risk analysis section, the earlier section about defining risk criteria still notes ‘how likelihood and consequences (both positive and negative) will be defined and measured’ as one of the risk criteria. Similarly, Note 3 to the definition of risk explains ‘Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood.’ This implies that the other factors, such as timeframes and volatility, are less important.
  • And just a tiny nitpick. The standard states that “risk analysis should consider factors such as … the likelihood of events and consequences.” Those are quite different things. I know that people use either one or the other, which can produce quite different levels of likelihood.

You can get your own copy of the standard on the ISO website.

The views expressed in this article are solely that of the author.

If you have any suggestions on future topics for this series, please contact the author on or via LinkedIn


