ISO 31000 – a review of the 2018 standard

Yawn!

Aside from GDPR-inspired emails with news of updated terms and conditions , this will be the most boring thing you will read all week….

However, it might be one of the more important if you are a risk manager because one of the core risk management references has just been updated and there are a few changes to be aware of. 

I had to review these documents to ensure that my material was up to date so I thought I should keep some notes as I want to save you from having to go through the same ‘compare and contrast’ exercise. Plus, I love standards.  : )

So here are my notes.  But seriously, this is really dull so buckle up.

Summary of the changes

ISO 31000:2018 was published in early 2018 and replaced the 2009 version of the standard. (From now on when I refer to ISO 31000 I am referring to the 2018 version unless specified otherwise.) The introduction to the 2018 version notes the main areas of change:

The main changes…are as follows:

  • review of the principles of risk management, which are the key criteria for its success;
  • highlighting of the leadership by top management and the integration of risk management, starting with the governance of the organization;
  • greater emphasis on the iterative nature of risk management, noting that new experiences, knowledge and analysis can lead to a revision of process elements, actions and controls at each stage of the process;
  • streamlining of the content with greater focus on sustaining an open systems model to fit multiple needs and contexts.

ISO 31000:2018 Introduction

The TL;DR version is that the 2018 version of ISO 3001 is very similar to the 2009 version so any system built using the older version of the standard will broadly match the 2018 version.

Note that I am not an ISO auditor, nor have I seem your risk management system, so this is a broad generalization but if you conformed with ISO 31000:2009, then your system should broadly conform with the 2018 version.  Where there is a legal or contractual requirement to conform with the most up to date standard, you will have some work to do to align with the 2018 version.

Outlined below is a more detailed comparison of the two versions of the standard and notes on the changes that might be necessary.

ISO 31000:2018 in detail

Who is the standard for?

“This document is for use by people who create and protect value in organizations by managing risks, making decisions, setting and achieving objectives and improving performance.”

ISO 3001:2018 Introduction

Note that the introduction does not specify a specific industry, sector or geography. ISO 31000 is the standard reference for all risk managers. So even if you are going to work in something specialized, like project risk or develop a enterprise security risk management (ESRM) program, I believe that you should start with ISO 31000.

Having this common reference helps avoid the situation where we have different interpretations of risk and slightly different processes as departments or functions tailor things to their own needs. This customization moves us away from the spirt of ERM and can result in multiple, different risk management systems running in parallel. (I’m not saying that you don’t need to adapt things to fit your needs but avoid making significant changes which move you away from the core content of a standard.  Read more about adapting and implementing an ERM system here.)

So unless there is a regulatory requirement to do something different, treat ISO 31000 as the core reference.

What’s in it?

ISO 31000 is broken into 5 main parts:

  • Introduction and document references including terminology and definitions
  • Risk management principles (Section 4)
  • The risk management framework (Section 5)
  • Risk management processes (Section 6)
  • Bibliography

The remainder of this article will focus on Sections 4, 5 and 6 and compare these to the 2009 version of the standard.

Risk management principles (Section 4)

ISO 31000:2018 identifies eight principles for effective risk management, all of which fall under the overall purpose that risk management:

“creates and protects value. It improves performance, encourages innovation and supports the achievement of objectives.”

This is very close to the first principle in the 2009 version that “Risk management creates and protects value”.

The other eight principles are shown below with the associated principle from the 2009 version shown in brackets.

ISO 31000 risk management principles

  • Integrated (P2)
  • Structured and comprehensive (P5)
  • Customized (P7)
  • Inclusive (P9)
  • Dynamic (P10)
  • Best available information (P6)
  • Human and cultural factors (P8)
  • Continuous improvement (P11)

Note that two of the 2009 principles have been dropped: Decision-making (P3) and Uncertainty (P4) . However, both are referenced in other parts of the 2018 standard: Uncertainty remains part of the definition of risk and decision-making is addressed in the process section (6.1).

Therefore, if your risk management system was based on the 2009 principles, you will overlap with the requirements of the 2018 standard comfortably.

The risk management framework (Section 5)

N.B. I confess that this section left me a little confused because it feels as though it mixes principles and process. So while I think I understand the intent, how I should apply this section was a little unclear.

The Framework section begins as follows

“The purpose of the risk management framework is to assist the organization in integrating risk management into significant activities and functions.”

Initially, the section notes the importance of Leadership and Commitment for success of the risk management system and it is good to see this given such prominence. Likewise, the second elements tackled here is the importance of effectively integrating risk management into the whole organization and again it is good to see this given prominence.

Both are important points but integration is a repetition of Principle 2 and the statement on Leadership and Commitment also reads like a principle. 

However, the next two other elements in the framework – design and implementation – are written in the form of processes, explaining how to design the system, implement the system, and so on.  The final two elements – evaluation and improvement – also read like processes, providing guidance on how to develop the risk management framework and how to design a risk management system.

This misunderstanding may be me not fully appreciating the application of this section so I may have gotten lost in the woods a little here.

However, if the mix of what feel like principles alongside processes is also foxing you, I recommend that you treat Leadership and Commitment and Integration as additional principles and use the process-style elements to develop your framework.


If anyone can shine some light on this section, please leave a comment


Risk management processes (Section 6)

The final section of the standard contains processes and guidance for the core elements of the risk management system:

  • Communications and consultation
  • Processes for developing the scope, content and defining risk criteria
  • A process for risk assessments
  • Guidelines for risk treatment
  • A process for monitoring and review
  • Recording and reporting guidelines.

These processes are broadly the same as the processes detailed in the 2009 version of the standard although Recording and Reporting has been elevated slightly and is now included in the overall process diagram. Again, if you are using processes based on ISO 31000:2009, then these will be very closely aligned with the 2018 version.

Summary

ISO 31000 was nine years old and due for a review but I think that the 2008 version was still pretty robust so I’m pleased that the revised version didn’t make too many major changes.   Other than my confusion as to what to do with the framework section, the document is pretty clear and straightforward.  Moreover, it has a lot of clear processes that you can use as the basis for your risk management system so ISO 31000 is a highly functional standard and definitely falls into the ‘love’ column.

So if you have a system based on the 2008 version, then you should have no problem conforming to the 2018 version.  Importantly, a lot of the changes will be at the top-level policy / procedure level leaving individual process largely untouched which will significantly limit the disruption caused by any changes.

Still here?  Congratulations! You made it  : )


A short note on the material on the Tarjuman website

As I noted at the beginning, the initial impetus behind this article was selfish: what impact does the new standard have on the material in my site?  In short, not a huge amount as a lot of the material here is quite tactical, process-driven but there are three big changes and I am working on.

  • The biggest change is that the ERM maturity model is based on the 2009 principles and these need to be updated completely to match ISO 31000:2018.  I still need to decide what to do with decision-making, uncertainty and leadership and commitment but as soon as I get that worked out, I will update the model.

If you have used the ERM maturity tool to assess your risk management system, I still think it is 75%+ relevant.  Most importantly, if your system was weak when compared to the 2009 version of the standard, it will still be weak compared to the 2018 version.  So don’t wait – get your system in order ASAP.

  • References to ISO 31000:2009 remain in the presentations and videos in the Risk Management Basics Course and need to be updated.  Frankly, I am dreading this but the course needs freshening up more generally so I plan to roll out an updated course in Fall 2018.  Again, the vast majority of this material remains extant but I want to make sure things are 100% accurate.
  • The resources and templates need to be reviewed for any references to the old standard and some articles also need updating.

Good? Bad? Ugly? Tell me what you think.