Risk Analysis, Vol. 30, No. 6, 2010 DOI: 10.1111/j.1539-6924.2010.01397.

Perspective

ISO 31000:2009—The New International Standard

on Risk Management

Matthew Leitch∗

[This article has been updated since it’s original online publication on April 8, 2010.]

In November 2009 the International Organization So what is in ISO 31000:2009 and will it help or
for Standardization (ISO) published ISO 31000:2009 not?
Risk management—principles and guidelines.(1) Al-
though ISO standards in the area of risk management
have been produced before, this is the first that claims 1. OVERVIEW OF THE NEW STANDARD
to be a standard for managing all risk everywhere.
It is not easy to evaluate ISO 31000:2009 by read-
The consequence of this is that certain ideas
ing it. The intended meaning of its rather abstract
about risk and its management have got a boost in
text is frustratingly hard to pin down. Key words
credibility and prominence while others have lost
and phrases are either vague, have meanings differ-
out. ISO 31000 will be quoted endlessly and will in-
ent from those of ordinary language, or even change
fluence the concepts and language used by important
their meaning from one place to another. The defini-
people such as company board members and politi-
tions provided rarely help.
cians. Gradually these ideas will spread.
However, the origins of the “new” standard are
We have seen this happen already with docu-
illuminating. According to the preface of the Aus-
ments produced by a collection of accountancy bod-
tralian edition of ISO 31000:2009, the first draft of the
ies known as the Committee of Sponsoring Organi-
standard was the text of AS/NZS 4360:2004, the risk
zations of the Treadway Commission, or COSO for
management standard published jointly by Standards
short. While originally aimed at preventing financial
Australia and Standards New Zealand, which had a
fraud in companies, the powerful boardroom influ-
much longer companion volume called HB436 Risk
ence of accountants and, in particular, the big audit
management guidelines that explains things more
firms, drove the ideas in COSO’s documents into the
fully.(2,3) In fact HB 436 even goes so far as to offer
boardrooms of major companies around the world,
designs for forms that will support the risk manage-
which then filtered into guidance and expectations
ment process envisaged.
applied to government departments and third-sector
Here at last is some real insight into what sort
organizations.
of process the authors of AS/NZS 4360:2004 had in
Given the right backing, a set of ideas perceived
mind, which in turn gives us some idea of what ISO
as agreed by experts can achieve incredible promi-
31000:2009 is trying to say. People looked at the HB
nence and acceptance, even if they are bad ideas,
436 guide and realized that if they had a risk reg-
potentially helping or hindering efforts to manage
ister (perhaps similar to the ones in the appendix),
risk.
probability-impact matrices (similar to those shown
in the guide), and some way to plan risk treatments,
then they were pretty much compliant with AS/NZS
∗ Address correspondence to Matthew Leitch, MLA Ltd, 29 Ridge- 4360:2004.
way, Epsom, KT19 8LD UK; tel: 44 (0)1372 815 856; matthew@ It is true that the guide also refers to quanti-
internalcontrolsdesign.co.uk. tative methods that are more sophisticated, but its

887 0272-4332/10/0100-0887$22.00/1 
C 2010 Society for Risk Analysis
888
focus and the bulk of its advice concern running a
risk register.
I believe this remains the concept underlying
most of what is now the text of ISO 31000:2009.
The result of the ISO standard development process,
which involves responding to comments from other
national standards bodies represented at the ISO
level, was a standard with some additions and some
modifications, but largely the same content as the
first draft.
Having gained a sense of what the new standard
is describing, we can look in more detail at what it
says and how, covering the contents of each clause
of the standard, its terminology, and its handling of
topics often done badly in guidance.
2. CLAUSES OF THE STANDARD
Clause 1, Scope, defines the scope as generic risk
management and says the standard contains princi-
ples and guidelines. (In fact it provides principles
and two processes, one for longer-term development
of risk management within an organization and the
other for management of particular sets of risks.)
Clause 2, Terms and definitions, provides defini-
tions of 29 terms used in the standard, all sourced
from another ISO document, a glossary of risk man-
agement terms called ISO Guide 73:2009.(4)
Clause 3, Principles, lists 11 principles for risk
management, each with a paragraph of explanation.
Clause 4, Framework, describes a cyclical pro-
cess for developing risk management within an
organization.
Clause 5, Process, describes a cyclical process for
managing particular risks.
Appendix A, Attributes of enhanced risk man-
agement, calls itself “informative” and sets out some
idealistic characteristics that would be desirable in an
organization’s approach to managing risk.
There are three diagrams in the standard, though
the first just repeats the other two. The diagrams fea-
ture boxes and arrows, but there is no explanation of
what types of object the boxes and arrows represent,
making it impossible to deduce their meaning.
Some sense of the relative importance given to
each part of the standard may be gained from the
number of pages used (see Table I).
3. TERMINOLOGY
Clear, well-chosen terminology is the foundation
of a good standard and a moment ago I was criti-
Leitch
Table I. Page Counts of Clauses in ISO 31000:2009
Pages (Excluding
Clause Diagrams) % of Total
1 Scope 0.5 2
2 Terms and definitions 6 30
3 Principles 1 5
4 Framework 4.25 21
5 Process 7 35
Appendix A, Attributes of 1.5 7
enhanced risk management
cal of the terminology in ISO 31000. What are the
problems?
Section 2 is a collection of definitions for terms
used in the standard. On several occasions it defines
a term using words whose meaning is even less clear
than the term to be defined. Explanations are not
provided.
• “Risk management framework” is defined as a
set of “components.”
• Objectives are said to have different
“aspects.”
• “Establishing the context” is defined as includ-
ing definition of “parameters.”
• A “risk source” is defined as an “element” hav-
ing the “intrinsic potential” to give rise to risk.
• “Level of risk” is the magnitude of risk “ex-
pressed in terms of the combination of” conse-
quences and their likelihood.
Another problem is that the terminology tries to
avoid using mathematical words. No definition for
“probability” is offered and the reader is warned that
this word is often “narrowly interpreted as a math-
ematical term.” The solution the standard offers is
to use the word likelihood, which it says can be “de-
scribed in terms of” probability or frequency, or in
“general terms.”
What we want from a definition of terms is preci-
sion, not encouragement to be vague and ambiguous,
which is what “general terms” implies.
There are also terms whose definition seems to
be putting new interpretations on familiar words. For
example:
• “Risk attitude” is defined as being an “ap-
proach.”
• “Risk criteria” are defined as “terms of ref-
erence” (when the word “criteria” is clear
enough on its own and what we want to know
is what the criteria are specifying).
ISO 31000:2009
• “Risk profile” turns out to be any description
of a set of risks, not just a summary or outline
of some kind.
• “Risk management policy” is defined as a
statement of overall intentions and directions.
There are also terms and definitions that are am-
biguous.
• The definition of “risk” is artfully worded so
that it can refer to risk generally, an amount of
risk, or to a risk item in a risk register. While
reading the standard it is usually possible to
guess from the context what meaning is in-
tended, but not always.
• An effect is explained as a deviation from “ex-
pected” without explaining if this is a mathe-
matical expectation, a best guess forecast, or a
view about what ought to happen.
• “Establishing” the context could mean finding
out the context or putting it in place, and seems
to mean either or both.
• A control is defined as a “measure”, which
could, of course, mean a measurement or an
action.
The definition of “risk” suffers from some of the
weaknesses mentioned above, and more. Definitions
in standards are written as phrases that could, in the-
ory, be substituted for the word or phrase being de-
fined. The definition given for “risk” is:
Effect of uncertainty on objectives.
Taken literally this suggests a radical new focus
on the way objectives are formulated but it is al-
most certain that the intended meaning is something
else. It is something to do with the potential effect of
events that are currently uncertain on the extent to
which objectives are achieved.
The standard repeatedly mentions objectives but
this is another word with wide differences in inter-
pretation between people. For some, objectives have
to be conscious and clearly stated to be regarded as
objectives. For others the mere awareness of what is
in our interests and what is against them is sufficient
evidence that an objective of some kind exists. Peo-
ple also differ in whether they regard objectives as
including goals, or vice versa, see them as essentially
the same, or see them as different levels in some hi-
erarchy.
Note 1 to the definition of risk says:
An effect is a deviation from the expected—positive
and/or negative.
889
As previously noted this is undermined by the
ambiguity of the word “expected” and it is unclear
how a single deviation can be simultaneously posi-
tive and negative. Are the effects negative and pos-
itive in a purely numerical sense or do these words
refer to whether the deviation is welcome or unwel-
come? What if you have no expectation? Does that
mean there is no risk?
The ambiguity between “an effect” and “the ex-
tent of effect” maintains the ambiguity of the word
“risk” I mentioned earlier.
In summary, many of the definitions in ISO
31000:2009 are not clear and meaningful, let alone
close to the actual usage of the terms.
4. HANDLING OF DIFFICULT TOPICS
In the last 20 years a number of guides and stan-
dards on risk management have been produced with
similar scope to ISO 31000:2009 and so it is not hard
to identify areas that have been troublesome in the
past. Has the new standard brought clarity and so-
lutions to these difficult topics or repeated past mis-
takes?
4.1. Decisions About Treatments
A problem with some past guidance has been
that it puts forward decision-making procedures that
lead to choices that are clearly illogical.
The approach in ISO 31000:2009 is as follows:
(1) Define risk criteria—specifically, the level of
risk that is acceptable or tolerable. This is
done before considering any specific risks.
(2) Identify risks and assess their level of risk.
(3) Compare the level of risk with the risk criteria
and decide if treatment is required, ignoring
possible treatments.
(4) If treatment is required, consider alternative
risk treatments until you find one that would
reduce the risks to a tolerable level.
(5) If alternative treatments are being considered
(which does not seem possible following the
preceding process) then select the best on a
cost-benefit basis.
In addition to the obvious inconsistency between
steps 4 and 5, this approach means that there is no
reason to implement any treatment that modifies risk
that is already tolerable, even if that treatment would
be immensely helpful on a cost-benefit basis.
890
An example would be where risks surrounding
a new business venture are not so severe as to stop
a company going ahead with it, but still the venture
will be better off with improved controls.
4.2. Aggregation
Another problem has to do with the aggregation
of risks. Total risk can be analyzed into different risks
depending on your point of view, purpose, and so
on. Consider almost any risk on any risk register and
you will find there is at least one way to split it into
two parts, or combine it with another item on the
list.
It is rare for guidance to give any advice on how
to choose between alternative analyses or how to
control aggregation in some way. On top of this, deci-
sions about when to treat risks may be very different
depending on how risks are aggregated, which is not
controlled. This is undesirable.
ISO 31000:2009 has no advice on aggregation,
though it does say that risk criteria could consider
more than one risk at a time. The standard writes
about risks as if they are naturally occurring phenom-
ena that define themselves and only need to be iden-
tified and described.
With the standard’s approach to deciding when
risk treatment is required and the lack of advice
on aggregation it would be easy for an organization
to adopt a compliant process that leads to illogical
decisions.
4.3. The Upside
The word “risk” used in ordinary conversation
refers to potential nasty surprises. Discovering you
have cancer or that your house has burned down are
exemplars of this kind of surprise and of “risk.”
However, there has been a trend toward pro-
cesses for risk management that also include man-
agement of potential nice surprises. If you are work-
ing on safety or health risks this idea is of little use
and probably seems a bit odd. However, in some
other areas where risk must be managed, such as in
stock market investment or marketing, unexpectedly
good turns of events are extremely important and it
is easier to consider all relevant uncertainty together.
Since standards like ISO 31000:2009 are intended to
be useful to everyone they usually try to include the
“upside.”
Leitch
Two common weaknesses in past guidance are:
(1) Defining risk as including potential nice sur-
prises but then writing the guidance as if only
potential nasty surprises are involved.
(2) Splitting risks into nice ones and nasty ones
and dealing with each in a different way, per-
haps even with different processes. This over-
looks the fact that often risks have a mixture
of consequences, some good and some bad,
we do not always know if consequences are
good or bad, and some risks that are bad over-
all may become good overall if managed in a
particular way. The logic needs to deal with
these complications.
The approach taken by ISO 31000:2009 is to de-
fine risk as including potential nice surprises too and
to try to write a process that incorporates both in one
approach. The language in most sections of the Pro-
cess part is careful to recognize all types of surprise.
It mentions the possible mix of positive and nega-
tive consequences and talks about “modifying” risks
rather than the more traditional “mitigating.”
Unfortunately, this breaks down when it gets to
its process for deciding when risk treatment is nec-
essary. Suppose there was a risk that was a poten-
tial nice surprise (i.e., little if any downside but lots
of upside). Conceivably, one might define risk crite-
ria that make treatment required if an upside seems
important enough. However, would you say that
this treatment resulted in a “residual risk” that was
“tolerable”?
Both terms are natural only for risks that are neg-
ative and will be reduced by treatment.
4.4. Uniformity
As pointed out by Ward (p. 150) a common am-
biguity in risk management guides and standards is
whether they are suggesting one, monolithic process
with one set of meetings, techniques, documenta-
tion, and schedule, or a multitude of processes, each
with their own meetings, techniques, documents, and
schedules.(5) And if it is a multitude of processes,
are they all identical or adjusted to fit the needs of
each management team (e.g., managers of different
projects)?
ISO 31000:2009 is ambiguous on this point. On
the one hand it talks about “the” process as if there
is only one, and while describing the process it talks
about “the organization” doing things rather than
just the management team involved in managing
ISO 31000:2009
particular risks. On the other hand it repeatedly
states that the risk management process should be an
integral part of business processes.
In clause 4.1, which introduces the Framework,
there is a sentence that says: “The framework as-
sists in managing risks effectively through the appli-
cation of the risk management process (see clause 5)
at varying levels and within specific contexts of the
organization.” This is typical of the tantalizingly am-
biguous wording throughout.
5. COMPLYING WITH THE STANDARD
The standard is “not intended for the purposes of
certification.” In other words, you can’t be indepen-
dently audited against it. People are more likely to
say that their approach to risk management is “based
on” the standard than compliant with it.
This is just as well because the standard includes
some idealistic requirements that, taken literally, are
impossible to comply with. Here are some examples
from the clause on Process:
(1) In the first paragraph of clause 5.2 it says:
“Communication with internal and external
stakeholders should take place during all
stages of the risk management process.” Most
organizations will realize that “all stages” im-
plies too much consultation, especially with
external stakeholders.
(2) In the first paragraph of clause 5.3.5 it says:
“Risk criteria should be . . . continually re-
viewed.” Continual review may be the ideal
but in practice “frequently” will have to
do.
(3) The final bullet point in clause 5.3.5 says that
when defining risk criteria, factors that should
be considered include “whether combinations
of multiple risks should be taken into account
and, if so, how and which combinations should
be considered.” To comply with this literally
involves anticipating what specific risks will be
identified in the next stage and listing combi-
nations of specific risks that should be taken
in combination.
(4) Clause 5.4.2 on risk identification is keen to
stress the importance of identifying all risks.
This continues with the habit of writing about
risks as if they are naturally occurring physical
objects that appear in finite numbers, rather
than uncertainties in our thinking. The stan-
dard offers no definition of what it means to
891
say “all risks” and there is no generally ac-
cepted solution to this problem.
(5) The second paragraph of clause 5.4.2 ends
with the sentence “[a]ll significant causes and
consequences should be considered,” which
implies studying the causal chain back to the
beginning of time and forward to its end. Even
eliminating causal tributaries and branches
that are not “significant” does not remove this
problem.
6. STRONG POINTS
So far this analysis has revealed only weaknesses
in the new standard. Happily, there are some things
about it we should welcome, and some will be a step
forward for many organizations.
The standard repeatedly stresses that risk man-
agement should be integral to management processes
at all levels, and lists processes of particular signifi-
cance. This is an important point, though it is disap-
pointing that no specific guidance is provided on how
it can be done and all other text in the standard is as
if risk management stands alone.
The clause on risk analysis calls for more think-
ing than many organizations bother with and three
specific points in particular will raise the bar for
many:
(1) It states that risk analysis can be taken to vary-
ing levels of detail depending on the risk. It’s
a simple and obvious point but many organi-
zations expect to cover all risks with the same
workshops.
(2) Also in the risk analysis clause it says that it
is important to consider “the interdependence
of different risks and their sources,” which is
often not done in a risk-register-driven pro-
cess, which tends to consider risks one at a
time.
(3) Confidence in assessments of risk should be
considered and communicated, it says. Many
organizations do not do this so complying with
the standard will also require this significant
and beneficial change.
Furthermore, the material in AS/NZS 4360:2004
equating desirable risks with “opportunities” did not
survive into ISO 31000:2009.
892
7. RESPONDING TO ISO 31000:2009
Despite its positives the overall conclusion must
be that ISO’s new standard on risk management
is disappointing. We must remember that it is the
work of a committee of people from different coun-
tries and speaking different languages. We must also
remember that an abstract topic like risk manage-
ment is far harder to write about clearly than, say,
the size and electrical properties of a new electronic
socket.
Perhaps the next version will be better but for
the next five years or so we can expect the stan-
dard to be influential and much quoted, despite its
quality.
If your view is that this new standard will not
help you in your work but others want to know why
you think that then perhaps a useful summary is that
Leitch
ISO 31000:2009:
(1) is unclear;
(2) leads to illogical decisions if followed;
(3) is impossible to comply with; and
(4) is not mathematically based, having little to
say about probability, data, and models.
REFERENCES
1. ISO 31000:2009. Risk management—Principles and guidelines.
2. AS/NZS 4360:2004. Risk management. Standards Australia and
Standards New Zealand, 2004.
3. AS/NZS HB436: 2004. Risk management guidelines. Standards
Australia and Standards New Zealand, 2004.
4. ISO Guide 73:2009. Risk management—Vocabulary.
5. Ward SC. Risk Management: Organization and Context. Lon-
don: Witherbys Publishing, 2005.