A new version of ISO 31000 is due to be unveiled early next year. As the threat of risks grows for governments, organizations and the public alike, how can the new, streamlined standard help to make our future more secure?
Ten years ago, the boardrooms of banks and financial institutions around the world were rattled to hear the news of the collapse of prestigious and highly respected names, such as Lehman Brothers, Bear Stearns and Northern Rock. Alan Greenspan, the former Chairman of the Federal Reserve, described the shock waves that swept the world as a “credit tsunami”.
In family businesses, governments and industry, the aftermath of the global financial crisis is still being felt. Since then, the spotlight has been turned on risk and exposure to risk – how to manage it; how to prepare for it; how to benefit from it; how to learn from it. In our increasingly complex and interconnected world, one of political uncertainty and economic unease and austerity, these questions are more pertinent than ever and the need for best practice even more compelling.
How to manage risk
Kevin Knight, Chair of the ISO working group that developed the ISO 31000 standard on risk management, published as a standard in 2009, summed it up succinctly. “Risk is inherent in all activities. And it can be argued that the global financial crisis resulted from the failure of boards and executive management to effectively manage risk. ISO 31000 is expected to help industry and commerce, public and private, to confidently emerge from the crisis.”
Risks, of course, can come from various sources – uncertainty in financial markets, threats from project failures (during design, development or production), legal liabilities, credit risk, accidents, natural causes and disasters – and can take a heavy toll. Look at the havoc and loss of life wreaked by Irma in the Caribbean and the devastating floods in India and Bangladesh.
Turning risk into opportunities
Lessons are learned the hard way – but they are learned, and risks can be turned into opportunities. In Japan, for instance, the constant threat of earthquakes and typhoons has led to the development of one of the world’s most sophisticated emergency management systems. In turn, this has been repurposed for missile defence. Officials can now send messages to every mobile phone in the country as well as interrupting TV and radio broadcasts.
As the world enters a new “smart” era, technology poses a new set of risks, from robotics, artificial intelligence and machine learning, to the Internet of Things. Here, too, the response to challenges has led to innovative solutions. Take blockchain technology, a complex set of algorithms that allows so-called crypto-currencies to be traded electronically with a central ledger. Despite concerns about the digital currency’s volatile nature and fraud fears, banks are now exploiting the technology to speed up back-office settlement systems.
To meet this wide array of new challenges, organizations, big and small, around the world, have realized the importance of integrating risk management into their business strategy. Accordingly, the general scope of ISO 31000 – the first-born in the family of risk management standards – was not developed for a particular industry group, management system or subject matter field, but rather to provide best-practice structure and guidance to all operations concerned with risk management.
Moving with the times
The Thales Group, for example, is a leading organization in the security sector. It states that managing social and environmental risks and developing new standards and procedures are key to risk prevention. Jason Brown, National Security Director of Thales Australia and New Zealand, is Chair of ISO technical committee ISO/TC 262, Risk management. He says of ISO 31000: “The standard is now used to assist planning and decision making in areas as diverse as finance, engineering, space flight and international security.”
Moving with the times, ISO’s trailblazing standard on risk management is now being revised and a new edition is scheduled for early 2018. To ensure that the principles and guidelines in the standard remain relevant to users, ISO 31000 and ISO Guide 73, which lays down the operative terminology, were revised in 2015. The 2018 revision is the next step in making risk management easier and clearer and keeping it simple. The text has been reduced to its fundamental concepts to create a shorter, clearer and more concise document that is easier to read while remaining widely applicable.
Brown highlights the fact that ISO 31000’s principles-based model and open-system approach, with the renewed emphasis on the iterative nature of risk assessment, maintain and ensure the standard’s relevance across multiple disciplines. “Governments, large and small businesses, and in fact all those who have objectives they would like to achieve in our increasingly complex world, will benefit from using 31000 as their guide to managing the risks to their endeavours,” he says.
He advises that the new version has streamlined and refined the key elements and emphasized the iterative nature of the process. “The important issue of a recursive, iterative model is its relevance to reducing uncertainty in a highly volatile and uncertain operational environment, where the requirement for monitoring and continuous assessment of risk is often driven by external events.”
One region that is reaping the benefits of ISO 31000 is Latin America. Jorge Escalera, member of the Mexican delegation for ISO/TC 262, Risk management, and ISO/TC 292, Security and resilience, points out that the topic of risk management may be relatively new in Latin America but it is significantly growing. Organizations, he reveals, are increasingly proactive in considering ISO 31000 in the implementation of risk management in their general management systems.
Escalera is also a director of Risk Mexico, a company offering solutions for education, certification and consulting in the public and private sectors. “Risk Mexico promotes the implementation of risk management (RM) according to ISO 31000, and in each consultancy we carry out, the fundamental principles of our operation are based on implementing an RM that creates value for our clients and generates benefit for our community,” he says.
No easy task
Cooperation and collaboration are all-important. And although developing a cohesive culture is no simple task, ISO 31000 is a big step in that direction. Of course, it will take more than the application of the revised ISO 31000 to avoid things like another global financial crash, but it will be a help in understanding the causes and identifying the treatments needed to reduce the uncertainty about our financial future. Jason Brown says: “It will, however, take a willingness by all partners to take the actions necessary to reduce uncertainty. Some of these actions must include transparency of financial operations, good regulations and compliance, integrity and responsibility and, importantly, good governance.”
And what about the future – the next steps for ISO 31000? Among them, technical committee activities will focus on the increasing uptake of the standard globally. Indeed, one example of the growth of interest comes from Latin America. Brown says: “There are more ideas in the pipeline from a number of member countries. These include a special Spanish translation task force, which will provide a unified Spanish language approach for the 400 million native speakers, and with official status in a staggering 21 countries, spanning South, Central and North America, Spain, as well as Africa and Europe.” Watch this space.
- ISO 31000:2009 [Withdrawn], Risk management – Principles and guidelines
- Risk management – Vocabulary