ISO 31000:2009-The New International Standard On Risk Management
Perspective
Matthew Leitch∗
[This article has been updated since its original online publication on April 8, 2010.]
∗ Address correspondence to Matthew Leitch, MLA Ltd, 29 Ridgeway, Epsom, KT19 8LD UK; tel: 44 (0)1372 815 856; matthew@internalcontrolsdesign.co.uk.

0272-4332/10/0100-0887$22.00/1 © 2010 Society for Risk Analysis

In November 2009 the International Organization for Standardization (ISO) published ISO 31000:2009 Risk management—principles and guidelines.(1) Although ISO standards in the area of risk management have been produced before, this is the first that claims to be a standard for managing all risk everywhere.

The consequence of this is that certain ideas about risk and its management have got a boost in credibility and prominence while others have lost out. ISO 31000 will be quoted endlessly and will influence the concepts and language used by important people such as company board members and politicians. Gradually these ideas will spread.

We have seen this happen already with documents produced by a collection of accountancy bodies known as the Committee of Sponsoring Organizations of the Treadway Commission, or COSO for short. While originally aimed at preventing financial fraud in companies, the powerful boardroom influence of accountants and, in particular, the big audit firms, drove the ideas in COSO’s documents into the boardrooms of major companies around the world, which then filtered into guidance and expectations applied to government departments and third-sector organizations.

Given the right backing, a set of ideas perceived as agreed by experts can achieve incredible prominence and acceptance, even if they are bad ideas, potentially helping or hindering efforts to manage risk.

So what is in ISO 31000:2009 and will it help or not?

1. OVERVIEW OF THE NEW STANDARD

It is not easy to evaluate ISO 31000:2009 by reading it. The intended meaning of its rather abstract text is frustratingly hard to pin down. Key words and phrases are either vague, have meanings different from those of ordinary language, or even change their meaning from one place to another. The definitions provided rarely help.

However, the origins of the “new” standard are illuminating. According to the preface of the Australian edition of ISO 31000:2009, the first draft of the standard was the text of AS/NZS 4360:2004, the risk management standard published jointly by Standards Australia and Standards New Zealand, which had a much longer companion volume called HB 436 Risk management guidelines that explains things more fully.(2,3) In fact HB 436 even goes so far as to offer designs for forms that will support the risk management process envisaged.

Here at last is some real insight into what sort of process the authors of AS/NZS 4360:2004 had in mind, which in turn gives us some idea of what ISO 31000:2009 is trying to say. People looked at the HB 436 guide and realized that if they had a risk register (perhaps similar to the ones in the appendix), probability-impact matrices (similar to those shown in the guide), and some way to plan risk treatments, then they were pretty much compliant with AS/NZS 4360:2004.

It is true that the guide also refers to quantitative methods that are more sophisticated, but its
focus and the bulk of its advice concern running a risk register.

I believe this remains the concept underlying most of what is now the text of ISO 31000:2009. The result of the ISO standard development process, which involves responding to comments from other national standards bodies represented at the ISO level, was a standard with some additions and some modifications, but largely the same content as the first draft.

Having gained a sense of what the new standard is describing, we can look in more detail at what it says and how, covering the contents of each clause of the standard, its terminology, and its handling of topics often done badly in guidance.

2. CLAUSES OF THE STANDARD

Clause 1, Scope, defines the scope as generic risk management and says the standard contains principles and guidelines. (In fact it provides principles and two processes, one for longer-term development of risk management within an organization and the other for management of particular sets of risks.)

Clause 2, Terms and definitions, provides definitions of 29 terms used in the standard, all sourced from another ISO document, a glossary of risk management terms called ISO Guide 73:2009.(4)

Clause 3, Principles, lists 11 principles for risk management, each with a paragraph of explanation.

Clause 4, Framework, describes a cyclical process for developing risk management within an organization.

Clause 5, Process, describes a cyclical process for managing particular risks.

Appendix A, Attributes of enhanced risk management, calls itself “informative” and sets out some idealistic characteristics that would be desirable in an organization’s approach to managing risk.

There are three diagrams in the standard, though the first just repeats the other two. The diagrams feature boxes and arrows, but there is no explanation of what types of object the boxes and arrows represent, making it impossible to deduce their meaning.

Some sense of the relative importance given to each part of the standard may be gained from the number of pages used (see Table I).

Table I. Page Counts of Clauses in ISO 31000:2009

Clause                                              Pages (excluding diagrams)   % of total
1 Scope                                             0.5                            2
2 Terms and definitions                             6                             30
3 Principles                                        1                              5
4 Framework                                         4.25                          21
5 Process                                           7                             35
Appendix A, Attributes of enhanced risk management  1.5                            7

3. TERMINOLOGY

Clear, well-chosen terminology is the foundation of a good standard and a moment ago I was critical of the terminology in ISO 31000. What are the problems?

Clause 2 is a collection of definitions for terms used in the standard. On several occasions it defines a term using words whose meaning is even less clear than the term to be defined. Explanations are not provided.

• “Risk management framework” is defined as a set of “components.”
• Objectives are said to have different “aspects.”
• “Establishing the context” is defined as including definition of “parameters.”
• A “risk source” is defined as an “element” having the “intrinsic potential” to give rise to risk.
• “Level of risk” is the magnitude of risk “expressed in terms of the combination of” consequences and their likelihood.

Another problem is that the terminology tries to avoid using mathematical words. No definition for “probability” is offered and the reader is warned that this word is often “narrowly interpreted as a mathematical term.” The solution the standard offers is to use the word likelihood, which it says can be “described in terms of” probability or frequency, or in “general terms.”

What we want from a definition of terms is precision, not encouragement to be vague and ambiguous, which is what “general terms” implies.

There are also terms whose definition seems to be putting new interpretations on familiar words. For example:

• “Risk attitude” is defined as being an “approach.”
• “Risk criteria” are defined as “terms of reference” (when the word “criteria” is clear enough on its own and what we want to know is what the criteria are specifying).
• “Risk profile” turns out to be any description of a set of risks, not just a summary or outline of some kind.
• “Risk management policy” is defined as a statement of overall intentions and directions.

There are also terms and definitions that are ambiguous.

• The definition of “risk” is artfully worded so that it can refer to risk generally, an amount of risk, or to a risk item in a risk register. While reading the standard it is usually possible to guess from the context what meaning is intended, but not always.
• An effect is explained as a deviation from “expected” without explaining if this is a mathematical expectation, a best guess forecast, or a view about what ought to happen.
• “Establishing” the context could mean finding out the context or putting it in place, and seems to mean either or both.
• A control is defined as a “measure”, which could, of course, mean a measurement or an action.

As previously noted this is undermined by the ambiguity of the word “expected” and it is unclear how a single deviation can be simultaneously positive and negative. Are the effects negative and positive in a purely numerical sense or do these words refer to whether the deviation is welcome or unwelcome? What if you have no expectation? Does that mean there is no risk?

The ambiguity between “an effect” and “the extent of effect” maintains the ambiguity of the word “risk” I mentioned earlier.

In summary, many of the definitions in ISO 31000:2009 are not clear and meaningful, let alone close to the actual usage of the terms.

4. HANDLING OF DIFFICULT TOPICS

In the last 20 years a number of guides and standards on risk management have been produced with similar scope to ISO 31000:2009 and so it is not hard to identify areas that have been troublesome in the past. Has the new standard brought clarity and solutions to these difficult topics or repeated past mistakes?
An example would be where risks surrounding a new business venture are not so severe as to stop a company going ahead with it, but still the venture will be better off with improved controls.

4.2. Aggregation

Another problem has to do with the aggregation of risks. Total risk can be analyzed into different risks depending on your point of view, purpose, and so on. Consider almost any risk on any risk register and you will find there is at least one way to split it into two parts, or combine it with another item on the list.

It is rare for guidance to give any advice on how to choose between alternative analyses or how to control aggregation in some way. On top of this, decisions about when to treat risks may be very different depending on how risks are aggregated, which is not controlled. This is undesirable.

ISO 31000:2009 has no advice on aggregation, though it does say that risk criteria could consider more than one risk at a time. The standard writes about risks as if they are naturally occurring phenomena that define themselves and only need to be identified and described.

With the standard’s approach to deciding when risk treatment is required and the lack of advice on aggregation it would be easy for an organization to adopt a compliant process that leads to illogical decisions.

4.3. The Upside

The word “risk” used in ordinary conversation refers to potential nasty surprises. Discovering you have cancer or that your house has burned down are exemplars of this kind of surprise and of “risk.”

However, there has been a trend toward processes for risk management that also include management of potential nice surprises. If you are working on safety or health risks this idea is of little use and probably seems a bit odd. However, in some other areas where risk must be managed, such as in stock market investment or marketing, unexpectedly good turns of events are extremely important and it is easier to consider all relevant uncertainty together. Since standards like ISO 31000:2009 are intended to be useful to everyone they usually try to include the “upside.”

Two common weaknesses in past guidance are:

(1) Defining risk as including potential nice surprises but then writing the guidance as if only potential nasty surprises are involved.
(2) Splitting risks into nice ones and nasty ones and dealing with each in a different way, perhaps even with different processes. This overlooks the fact that often risks have a mixture of consequences, some good and some bad, we do not always know if consequences are good or bad, and some risks that are bad overall may become good overall if managed in a particular way. The logic needs to deal with these complications.

The approach taken by ISO 31000:2009 is to define risk as including potential nice surprises too and to try to write a process that incorporates both in one approach. The language in most sections of the Process part is careful to recognize all types of surprise. It mentions the possible mix of positive and negative consequences and talks about “modifying” risks rather than the more traditional “mitigating.”

Unfortunately, this breaks down when it gets to its process for deciding when risk treatment is necessary. Suppose there was a risk that was a potential nice surprise (i.e., little if any downside but lots of upside). Conceivably, one might define risk criteria that make treatment required if an upside seems important enough. However, would you say that this treatment resulted in a “residual risk” that was “tolerable”?

Both terms are natural only for risks that are negative and will be reduced by treatment.

4.4. Uniformity

As pointed out by Ward (p. 150) a common ambiguity in risk management guides and standards is whether they are suggesting one, monolithic process with one set of meetings, techniques, documentation, and schedule, or a multitude of processes, each with their own meetings, techniques, documents, and schedules.(5) And if it is a multitude of processes, are they all identical or adjusted to fit the needs of each management team (e.g., managers of different projects)?

ISO 31000:2009 is ambiguous on this point. On the one hand it talks about “the” process as if there is only one, and while describing the process it talks about “the organization” doing things rather than just the management team involved in managing particular risks. On the other hand it repeatedly states that the risk management process should be an integral part of business processes.

In clause 4.1, which introduces the Framework, there is a sentence that says: “The framework assists in managing risks effectively through the application of the risk management process (see clause 5) at varying levels and within specific contexts of the organization.” This is typical of the tantalizingly ambiguous wording throughout.

say “all risks” and there is no generally accepted solution to this problem.
(5) The second paragraph of clause 5.4.2 ends with the sentence “[a]ll significant causes and consequences should be considered,” which implies studying the causal chain back to the beginning of time and forward to its end. Even eliminating causal tributaries and branches that are not “significant” does not remove this problem.
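The aggregation problem raised in Section 4.2 above can be made concrete with a small register. What follows is an added example written for this edition of the article; it is not code from the article, from ISO 31000:2009 or from HB 436. The register entry (a data breach with two causes), the 5x5 probability-impact band edges, the rule that treatment is required at a matrix score of 12 or more, and the assumption that the two causes are mutually exclusive are all constructed here for illustration. The example goes slightly beyond the text by showing both directions, splitting one entry and merging entries back, since the text says either move is always available.

```python
"""Added illustration of the aggregation problem from Section 4.2.

Not code from ISO 31000:2009, HB 436 or the article: the register
entry, the 5x5 probability-impact bands and the treatment threshold
below are assumptions constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # chance the event occurs in the period, 0..1
    impact: float       # loss if it occurs, in currency units


# Assumed band edges for a 5x5 matrix: a value at or below an edge falls
# into that band; anything above the last edge is band 5.
PROB_EDGES = (0.05, 0.20, 0.50, 0.80)
IMPACT_EDGES = (10_000, 100_000, 1_000_000, 10_000_000)
TREATMENT_THRESHOLD = 12  # assumed: score at or above which treatment is required


def band(value: float, edges: Sequence[float]) -> int:
    """Map a value to band 1..5 using the given upper edges."""
    for i, edge in enumerate(edges, start=1):
        if value <= edge:
            return i
    return len(edges) + 1


def matrix_score(risk: Risk) -> int:
    """Likelihood band times impact band: the usual heat-map score."""
    return band(risk.probability, PROB_EDGES) * band(risk.impact, IMPACT_EDGES)


def needs_treatment(risk: Risk) -> bool:
    """Threshold rule on the matrix score, applied entry by entry."""
    return matrix_score(risk) >= TREATMENT_THRESHOLD


def expected_loss(risk: Risk) -> float:
    """Probability-weighted loss; unchanged by how an entry is split."""
    return risk.probability * risk.impact


def split_by_cause(risk: Risk, shares: Dict[str, float]) -> List[Risk]:
    """Split one register entry into several entries by cause.

    Assumes the causes are mutually exclusive, so each part carries a
    share of the original probability and the same impact; the parts'
    expected losses therefore add up to the original.
    """
    if abs(sum(shares.values()) - 1.0) > 1e-9:
        raise ValueError("shares must sum to 1")
    return [
        Risk(f"{risk.name} via {cause}", risk.probability * share, risk.impact)
        for cause, share in shares.items()
    ]


def merge_disjoint(name: str, parts: Sequence[Risk]) -> Risk:
    """Inverse of split_by_cause for mutually exclusive events:
    probabilities add and the impact is the probability-weighted mean."""
    p = sum(r.probability for r in parts)
    impact = sum(r.probability * r.impact for r in parts) / p
    return Risk(name, p, impact)


def treatment_decisions(register: Sequence[Risk]) -> Dict[str, bool]:
    """Run the threshold rule over a whole register."""
    return {r.name: needs_treatment(r) for r in register}


def demo():
    """Same exposure, three ways of writing it in the register."""
    # Constructed entry: one event with two roughly equal causes.
    breach = Risk("customer data breach", 0.30, 2_000_000)
    parts = split_by_cause(breach, {"phishing": 0.5, "malware": 0.5})
    merged = merge_disjoint(breach.name, parts)

    return {
        "as one entry": treatment_decisions([breach]),
        "split by cause": treatment_decisions(parts),
        "merged again": treatment_decisions([merged]),
        "expected loss whole": expected_loss(breach),
        "expected loss split": sum(expected_loss(r) for r in parts),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:>20}: {value}")
```

Run as a script, the single entry scores 3 x 4 = 12 and is flagged for treatment; each half scores 2 x 4 = 8 and is not; merging the halves restores the flag. The expected loss is the same in every case, so nothing about the exposure changed, only its description in the register. A threshold applied entry by entry cannot prevent this, which is the section's point: unless the process says how entries may be split or combined, a fully compliant process can reach opposite decisions about the same situation.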