On 15 February 2018, a new International Risk Management Standard, ISO 31000:2018, was released. This second edition replaces AS/NZS ISO 31000:2009 (the 2009 Standard). A new Australia/New Zealand Standard (which adopts the 2018 International Standard in full) was adopted by Standards Australia on 30 October (the 2018 Standard).
The ISO 31000 Standard should be used by people who create and protect value in organisations by managing risks, making decisions, setting and achieving objectives and improving performance.
What Has Changed in the 2018 Review?
The messages in the revised 2018 Standard reinforce the practical integration of risk management into business activities and key decision-making processes, as well as streamlining the framework and principles that already exist. For risk practitioners, the changes reflect what they already know needs to happen in order to ensure the creation of a sustainable, enterprise-wide risk management program.
The 2009 Standard has been somewhat simplified with 21 key terms being moved to ISO Guide 73:2009 - Risk management - Vocabulary. Other key changes in the 2018 Standard include:
- the reduction of the number of Principles from 11 to 8. Some Principles have been integrated into others; however, overall the key criteria with respect to value creation and protection have been maintained
- revised diagrams to reflect a more streamlined approach across the Principles, Framework and Process
- the addition of an 8th element to the risk process being "Recording and Reporting"
- an increased focus on leadership by "top management" who should ensure that risk management is integrated into all organisational activities, starting with the governance of the organisation
- greater emphasis on the iterative nature of risk management, drawing on new experiences, knowledge and analysis for the revision of process elements, actions and controls at each stage of the process
- streamlining of the content with greater focus on sustaining an open systems model that regularly exchanges feedback with its external environment to fit multiple needs and contexts.
The following comparative table sets out the differences between the Principles as set out in two standards:
Jason Brown, chair of the technical committee, noted, "The revised version of ISO 31000 focuses on the integration with the organization[sic] and the role of leaders and their responsibility. Risk practitioners are often at the margins of organizational management and this emphasis will help them demonstrate that risk management is an integral part of business."
The Key Differences in More Detail
Leadership and Commitment
The 2018 Standard incorporates a firm commitment to ensuring support from stakeholders, identifying "top management" and "oversight bodies" to lead the integration of risk management in the organisation. The terms "top management" and "oversight bodies" are two new and undefined concepts. Previously, the 2009 Standard only specified a management framework for commitment to risk, whereas now Clause 5.2 in the 2018 Standard makes top management accountable for managing risk, with oversight bodies accountable for overseeing risk management. It also incorporates particular responsibilities relating to accountability for risks that were previously contained in Annex A of the 2009 Standard.
Articulating Risk Management Commitment
Where the 2009 Standard identified establishing a risk management policy to demonstrate an organisation's commitment to risk management, the 2018 Standard takes this commitment further by stating that top management and oversight bodies should not only demonstrate their organisation's commitment to risk management but also demonstrate continual commitment through a policy, statement or other forms that clearly convey an organisation's objectives and commitment to risk management.
Where the 2009 Standard in Clause 5.4.2 provided broad areas of risk identification including identifying sources of risk, areas of impacts, events and their causes and potential consequences, Clause 6.4.2 of the 2018 Standard significantly expands on risk identification by specifying a list of interrelated factors which should be considered when identifying sources of risk within an organisation. These factors include:
- the purpose for managing risk and links to its objectives and other policies
- the need to integrate risk management into the overall culture of the organisation
- the integration of risk management into core business activities and decision-making
- authorities, responsibilities and accountabilities
- making the necessary resources available
- the way in which conflicting objectives are dealt with
- measurement and reporting
- review and improvement.
In the 2009 Standard, risk evaluation broadly defined the actions which could result from a risk evaluation. In the 2018 Standard, at Clause 6.4.4, there is a specific list of five decisions which support the risk evaluation process including:
- do nothing further
- consider risk treatment options
- undertake further analysis to better understand the risk
- maintain existing controls
- reconsider objectives.
General Risk Treatment
The description and selection of risk treatment in the 2018 Standard has been simplified and condensed. Specifically, where the 2009 Standard detailed both specific risk treatments and the general risk treatment cyclical process in Clause 5.5.1, they have been further separated and clearly listed in separate Clauses 6.5.1 and 6.5.2 in the 2018 Standard. The cyclical risk treatment process has also had the phrasing changed from "tolerable" risk to "acceptable" risk. While there has been no definition provided, a simple dictionary search indicates that this involves a movement from an endurable (negative) risk treatment towards a pleasing (positive) risk treatment.
Recording and Reporting
The old recording processes contained in Clause 5.7 of the 2009 Standard have been expanded to include a reporting element in the 2018 Standard. Where the 2009 Standard focused on simply recording the day-to-day decisions associated with risk management in the organisation, the 2018 Standard also adds the element of communicating activities and outcomes across the organisation and assisting interaction with stakeholders, including the quality of the dialogue with top management and oversight bodies so they can meet their responsibilities for risk management.
How CompliSpace can Help
No business is risk free, and failure to properly manage the risks to which an organisation is exposed can result in significant losses including major injuries to people, damage to the environment, loss of revenue and loss of customer and stakeholder confidence. CompliSpace has a detailed suite of policies and procedures for risk management and an Enterprise Risk Management Program developed in line with International Risk Management Standard ISO 31000, which is kept up-to-date as required to comply with regulatory change and meet industry standards as they develop. CompliSpace also helps financial services entities systematically identify, analyse and address the risks that exist within their business, including by providing sample risk appetite statements and legal and regulatory risk registers, specifically designed for financial services entities. CompliSpace can also help financial services entities with risk facilitation including running facilitation workshops with boards to produce risk appetite statements and running risk management training for staff, management and boards, as required.
If you are interested in this module, please do not hesitate to contact us.
P: +61 (2) 9299 6105 (Sydney) / +61 (8) 9288 1826 (Perth)