EDPACS: The EDP Audit, Control, and Security Newsletter
To cite this article: Alex Dali & Christopher Lajtha (2012) ISO 31000 Risk Management—"The Gold Standard", EDPACS: The EDP Audit, Control, and Security Newsletter, 45:5, 1-8, DOI: 10.1080/07366981.2012.682494
In this issue: ISO 31000 Risk Management—"The Gold Standard"; Progress and Evolution of Critical Infrastructure Protection over the Last 10 Years? Editor: Dan Swanson. Editor Emeritus: Belden Menkus, CISA.

INTRODUCTION

The ISO 31000 "Risk Management—Principles & Guidelines" was published in November 2009. It marked the end of a four-year development period during which representatives of 29 countries, including the United States, and many international interest groups worked within an ISO international working group. ISO 31000 went through three reviews, and each version was therefore considered and commented on by many thousands of risk management professionals and users from around the world. In that sense, we can claim that it is a consensus document that represents the collective wisdom of a great many people on what good risk management should look like.

The ISO guidelines are designed for a wide range of risk management practitioners, experienced or novice, and for those responsible for risk management oversight who are interested in benchmarking their risk management organization and practices against a recognized international reference.

It is important to understand both the usefulness and the limitations of such a generic reference. ISO 31000 describes voluntary risk management guidelines, not a prescriptive compliance requirement.
POSITIVE FEATURES
If you have information of interest to EDPACS, contact Dan Swanson (dswanson_2008@yahoo.ca). EDPACS (Print ISSN 0736-6981/Online ISSN 1936-1009) is published monthly by Taylor & Francis Group, LLC., 325 Chestnut Street, Suite 800, Philadelphia, PA 19106. Copyright 2012.
ISO 31000. There are some who perceive that ISO 31000 is an attempt at some form of world domination in the field of risk management guidelines. This is not ISO's stated aim: ISO 31000 is a non-prescriptive, non-compulsory, generic reference tool. It does not pretend to impose best practices but rather to harmonize principles, framework, and processes. Opinions expressed about ISO 31000 should not be received uncritically, but checked and challenged. National and regional risk management associations can help by providing clear guidance to their members.
APPENDIX 1

Twenty-nine definitions extracted from ISO Guide 73 are included in the ISO 31000 document. However, some definitions may prove to be less useful than others.

Examples where special attention may prove to be useful include:

• Risk. Defined as "effect of uncertainty on objectives." A couple of notes accompany this definition. "Effect" is described in one note as "deviation from the expected (positive or negative)." "Uncertainty" is described in another note as "the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or likelihood." This is a considerable improvement over earlier definitions of risk expressed narrowly in terms of a combination of event impact (severity) and likelihood (probability). A similar, but arguably more granular, definition of risk is "a measure of deviation from a range of expected outcomes." (Note that risk is effectively a measure of distance by this definition.)
ACKNOWLEDGMENTS

First published on September 15, 2009 in StrategicRisk magazine under the title "ISO 31000 The Gold Standard" and updated in June 2011 for ANSI/ASSE publications. Reprinted with permission. The first international conference on the ISO 31000 Risk Management Standard was held May 21 and 22, 2012 in Paris, France (www.G31000conference2012.org).
Notes

1. Assembled by a handful of sponsoring organizations—essentially U.S. accounting associations—that shared a common interest in developing a heavyweight, compliance-focused ERM process that promotes the importance of internal control and internal audit functions.

2. Felix Kloman, an outspoken risk management commentator, calls it risk response.