


Publisher: Taylor & Francis

EDPACS: The EDP Audit, Control, and Security Newsletter
Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/uedp20

ISO 31000 Risk Management— "The Gold Standard"
Alex Dali & Christopher Lajtha
Published online: 07 May 2012.

To cite this article: Alex Dali & Christopher Lajtha (2012) ISO 31000 Risk Management— “The Gold Standard”, EDPACS: The
EDP Audit, Control, and Security Newsletter, 45:5, 1-8, DOI: 10.1080/07366981.2012.682494

To link to this article: http://dx.doi.org/10.1080/07366981.2012.682494

EDPACS: THE EDP AUDIT, CONTROL, AND SECURITY NEWSLETTER
MAY 2012 VOL. 45, NO. 5

ISO 31000 RISK MANAGEMENT— "THE GOLD STANDARD"
ALEX DALI and CHRISTOPHER LAJTHA

Abstract. ISO 31000 – Risk Management Principles and Guidelines was issued in 2009 and has been widely adopted around the world by most G20 countries, including the US and all BRICS countries. This article presents a balanced view on how the discipline of risk management is developing. It scrutinizes the ISO 31000 guidance standard, looking at both its positive features and the aspects to watch out for. The document represents a shift from compliance-driven risk management to practical, performance-driven risk management undertaken by decision makers across all sectors worldwide, which is a major achievement in today's environment.

INTRODUCTION
The ISO 31000 "Risk Management—Principles & Guidelines" was published in November 2009. It marked the end of a four-year development period during which representatives of 29 countries, including the United States, and many other international interest groups worked within an ISO international working group. ISO 31000 went through three reviews, and each version was therefore considered and commented on by many thousands of risk management professionals and users from around the world. In that sense, we can claim that it is a consensus document that represents the collective wisdom of many, many people on what good risk management should look like.

The ISO guidelines are designed for a wide range of risk management practitioners, experienced or novice, and for those responsible for risk management oversight who are interested in benchmarking their risk management organization and practices against a recognized international reference.

It is important to understand both the usefulness and the limitations of such a generic reference. ISO 31000 describes voluntary risk management guidelines, not a prescriptive compliance requirement.

IN THIS ISSUE
- ISO 31000 Risk Management— "The Gold Standard"
- Progress and Evolution of Critical Infrastructure Protection over the Last 10 Years?
Editor: DAN SWANSON
Editor Emeritus: BELDEN MENKUS, CISA


ISO 31000 CHAPTER HEADINGS

1. Scope
2. Terms and definitions
3. Principles
4. Framework
5. Process

Arguably, chapter 2 would be better positioned in an Appendix, leaving just four core chapters.

POSITIVE FEATURES

- Can apply to any activity or domain in any organization, public or private.
- Will supplement or replace a variety of independent national risk management standards (e.g., Australia/New Zealand, Canada, Japan, UK).
- Provides an "umbrella" for more than 60 recognized standards and guidelines that refer to risk management (according to the European Committee for Standardization, CEN).
- Despite being labeled as an ISO standard, it is:
  - a set of guidelines ("Risk Management—Principles and Guidelines");
  - voluntary in application, not prescriptive, with no legal requirement;
  - specifically not intended for certification.
- Provides a globally applicable risk management reference guide with a generic
  - three-pillar architecture (principles; framework; process; Figure 1), and
  - risk management terminology (tree structure) taken from ISO Guide 73.
- Represents an international consensus.
- Provides for a continuum of improvement through the iterative process and feedback loops/opportunities for "lessons learned" at each stage in the process.


© Copyright Alex Dali and Christopher Lajtha



Figure 1. Relationships between the risk management principles, framework, and process (extract from ISO/FDIS 31000).

- Provides a single global reference for stakeholders in an organization who have an interest in risk management.
- Provides a useful communication tool about both the organizational context and the scope of risk management.
- Will facilitate risk management education and training programs.

THINGS TO WATCH OUT FOR

- ISO 31000 will provide an internationally recognized reference for many organizations. ISO 31000, like it or not, will become a common reference for stakeholders concerned with risk management. Familiarity with its content, and adoption of the risk management framework and process it describes (or of something developed by the organization but sufficiently similar to be traced back to ISO 31000), will be advantageous to risk management professionals, especially in large and/or complex organizations.

- Standard versus Guideline. Although ISO's name indicates that it is an international standards body, ISO 31000 has been issued as a generic guideline and specifically not as a certifiable standard. Indeed, standards can be technical specifications, management systems, certification standards, or guidance. ISO 31000:2009 is a guidance standard. Risk management professionals should take care to make this distinction clear to senior executives in their organizations, and more generally whenever they give presentations that refer to ISO 31000.


- ISO 31000 is a user-friendly tool, notably compared with COSO II. Even if the risk management process has been made more elaborate than strictly necessary, the ISO 31000 two-dimensional graphic triptych is vastly more helpful to the risk manager than the cumbersome and confusing COSO II cube.[1]

- Keep the risk management architecture simple. ISO 31000 is built around a three-pillar structure: risk management principles; risk management framework; and risk management process. This architecture is both robust and relatively simple to apply. The principles address the issue of risk management purpose and objectives. The framework establishes the mandate and commitment at senior management and board levels. It also requires a description of the internal and external organizational contexts. The process describes the implementation of risk management at the business unit level for the day-to-day activities of "risk assessment" and "risk treatment."

- Avoid the creation of a parallel management system. ISO 31000 clearly states (when addressing the risk management framework): "This framework is not intended to prescribe a management system, but rather, to assist the organisation to integrate risk management into its overall management system. Organisations should adapt the components of the framework to their specific needs." Lessons should be learned from the troubled implementation of the ISO 9000 series during its early years and from the problems encountered with the creation of parallel quality management systems. Many companies that have implemented ISO standards on a large scale are wondering, after a few years, whether the benefits are really worth the costs involved. ISO standards can be expensive to implement and to maintain if parallel management systems are set up to support a bureaucratic compliance reporting process. Therefore, the management of risk must be part of the organization's management system rather than a stand-alone add-on activity.

- ISO 31000 provides an opportunity to review existing risk management practices in the organization. Although ISO 31000 does not impose any compulsory compliance, it would be a mistake to overlook its utility as a generic reference. A risk management team may find it useful to compare its risk management framework and process to those described in ISO 31000 and to track the similarities and differences.

- Use ISO 31000 as a means to interface more effectively with business units, not as an excuse for increasing the burden of management reporting. The business proposition of effective risk management is to promote improvement in business performance. It would be a mistake to use ISO 31000 as a tool for the creation of burdensome reporting on risk. To the extent possible, use and leverage information that is already captured within the normal course of business operations and/or within the various business support functions.

- ISO 31000 could be useful in response to credit rating agency enquiries. Some credit rating agencies have started to look at ERM as a factor in their credit rating analysis. Without being prescriptive, ISO 31000 provides a useful cross-reference framework for explaining how risk management is structured and implemented within a specific organization.

- Keep an eye out for national standards bodies/associations looking for certification opportunities. ISO 31000 states that "this international standard is not intended for the purpose of certification." However, there is a danger of "creeping certification", especially if the ISO label is taken at superficial face value. There is a need to monitor carefully the activities and political agendas of national standards bodies and other parties whose interests may be served by finding reasons for certification in the future.

- Keep an eye out for misperceptions about the invasiveness of ISO 31000. There are some who perceive ISO 31000 as an attempt at some form of world domination in the field of risk management guidelines. This is not ISO's stated aim: ISO 31000 is a non-prescriptive, non-compulsory, generic reference tool. It does not pretend to impose best practices but rather to harmonize principles, framework, and processes. Opinions expressed about ISO 31000 should not be received uncritically, but checked and challenged. National and regional risk management associations can help by providing clear guidance to their members.

- Use ISO 31000 (ISO Guide 73) terminology as a reference, not a requirement. Use language that is meaningful to your organization. ISO Guide 73, "Risk Management—Vocabulary—Guidelines for Use in Standards", was first published in June 2002. ISO Guide 73 seeks to provide a reference language for risk and risk management and is the source of the terms and definitions referred to in ISO 31000. ISO Guide 73 is being reviewed by the same ISO committee that deals with ISO 31000. While the motivation for a common language of risk is sound, and a key attraction of a global reference standard, some of the compromise definitions that have been agreed in ISO Guide 73 and, therefore, in ISO 31000 are not as useful as they could have been (see examples in Appendix 1). Risk managers should not hesitate to simplify or add clearer focus to the language they use when crafting internal corporate risk management policies and guidelines, keeping that language consistent with the language used by senior executive management and other business support functions.

- Keep the risk management process as simple and robust as possible. While a two-phase risk management process defined in terms of risk assessment and risk treatment[2] may already be considered somewhat minimalist, one could be tempted to simplify it further, which could lead to important matters being overlooked.

- Keep a critical eye out for exaggeration and self-serving statements. Statements such as "There should be an organisation-wide risk management plan to ensure that the risk management policy is implemented and that risk management is embedded in all of the organisation's practices and processes" may be applicable to a handful of organizations, but not to the vast majority. This represents more of a textbook ideal than a practical guideline and should, therefore, not be taken too literally.

- Communication: look out for "stakeholder" overkill. Statements such as "Communication and consultation with external and internal stakeholders should take place at all stages of the risk management process" need to be examined critically in the context of current business practices and controlled communication flows. Quite apart from the practical realities of managing complex organizations, what might appear appropriate to an academic or a nongovernmental organization may not feel so appropriate to the CFO, Head of Legal Department, or Head of Communications/Investor Relations in a multinational company. Therefore, the communication and consultation process should be approved at the highest levels of the organization as a policy decision rather than something done on an ad hoc basis at various levels of the organization.

- Be sceptical about external consultants selling RMIS/information management systems on the back of ISO 31000. Try to use the information management systems and platforms already in place to capture exposure metrics. Simple Web-accessible database tools can be customized to feed the information needs and reporting requirements of the risk management process without recourse to expensive proprietary systems. Many IT companies offer Web-based GRC (governance, risk, and compliance) or ERM (enterprise-wide risk management) software solutions. However, ISO 31000 makes no special demands for information management beyond what has already been determined by good risk management practice. In practice, until you know exactly what types of reports the organization requires and where within the organization the information has to be gathered from, stay away from vendors. When you can develop a clear specification for what you need, then go to the market.

APPENDIX 1
Twenty-nine definitions extracted from ISO Guide 73 are included in the ISO 31000 document. However, some definitions may prove to be less useful than others. Examples where special attention may prove useful include:

- Risk. Defined as "effect of uncertainty on objectives." A couple of notes accompany this definition. "Effect" is described in a note as "deviation from the expected (positive or negative)." "Uncertainty" is described in another note as "the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or likelihood." This is a considerable improvement over earlier definitions of risk expressed narrowly in terms of a combination of event impact (severity) and likelihood (probability). A similar, but arguably more granular, definition of risk is "a measure of deviation from a range of expected outcomes." (Note that risk is effectively a measure of distance by this definition.)

- Risk management. Defined as "coordinated activities to direct and control an organization with regard to risk." This is a very broad definition and, hence, not as useful as it should be. Real-life experience does not suggest that risk managers, for the most part, are "charged with directing and controlling organisations with regard to risk." This definition appears to be rooted in academic consensus rather than practical operational reality. A simpler, and probably more operationally useful, definition is that risk management is "a discipline for dealing with uncertainty."

- Risk management plan. Defined as "scheme, within the risk management framework, specifying the approach, the management components, and resources to be applied to the management of risk." Given the ISO 31000 architecture (principles, framework, and process), the reference to a "risk management plan" appears somewhat bureaucratic and confusing, especially in the form of the organization-wide edict suggested in ISO 31000 [Section 4.3.4 Framework; Design; Integration].

- Risk sharing. The notion of risk transfer has been replaced, within the generic heading of "risk sharing," by that of a "form of risk treatment involving the agreed distribution of risk with other parties." This is a positive development in that it more correctly reflects the practical reality that shifting responsibility and accountability for risk management to others is rarely fully achievable. Even a resort to external risk financing is more akin to risk sharing than to risk transfer, since the extent of such risk financing is rarely 100%, and often materially less.

- Risk owner. Defined as "person or entity with accountability and authority to manage the risk," which could be problematic for some risk management practitioners. Internal management allocation of responsibility for risk treatment initiatives does not transfer "ownership" of risk. It transfers obligations to perform tasks to a certain standard and within a certain time frame. While people understand the notion of task allocation and performance obligations, unnecessary confusion may be caused by the notion of risk "ownership." Moreover, the "risk owner" should have not only the accountability and authority, but also adequate resources to manage the risk.

- Residual risk. Defined as "risk remaining after risk treatment." This may have some theoretical interest in an artificial environment but does not seem to have much practical application. "Residual risk" should be understood as one element of an exposure profile snapshot that is assumption-based and valid only at a particular moment in time.

ACKNOWLEDGMENTS
First published on September 15, 2009 in StrategicRisk magazine under the title "ISO 31000 The Gold Standard" and updated in June 2011 for ANSI/ASSE publications. Reprinted with permission. The first international conference on the ISO 31000 Risk Management Standard was held on May 21 and 22, 2012 in Paris, France (www.G31000conference2012.org).


ANSI/ASSE/ISO RISK MANAGEMENT STANDARD package
- ANSI/ASSE/ISO Guide 73 (Z690.1-2011) Vocabulary for Risk Management
- ANSI/ASSE/ISO 31000 (Z690.2-2011) Risk Management—Principles and Guidelines
- ANSI/ASSE/IEC/ISO 31010 (Z690.3-2011) Risk Assessment Techniques

Shop online: https://www.asse.org/shoponline/products/EZ690-PKG.php
Discussion forum online: http://www.linkedin.com/groups?mostPopular=&gid=1834592

Notes
[1] Assembled by a handful of sponsoring organizations, essentially U.S. accounting associations, that shared a common interest in developing a heavyweight, compliance-focused ERM process that promotes the importance of internal control and internal audit functions.
[2] Felix Kloman, an outspoken risk management commentator, calls it risk response.

Alex Dali is President of the international not-for-profit association G31000 and moderator of the discussion forum on ISO 31000. He can be reached at alex.dali@G31000.org. Website: www.G31000.org
Christopher Lajtha is principal of the independent risk and insurance management resource Adageo. He can be reached at chris.lajtha@orange.fr. Website: www.adageo.eu
