Good Risk Management Guidance – Here At Last in ISO 31000
We interrupt this broadcast . . . yes, I know many of you have been waiting in eager participation for my next installment of the GRC Reference Architecture which is to focus on the application taxonomy of specific business roles/functions that are part of GRC (in previous weeks we looked at the core enterprise GRC data framework and applications). This installment will be out next week. This week something particularly relevant has come up: ISO 31000:2000(E).
The world has an overwhelming menu of standards of all formats and varieties for business to use – navigating them can be difficult. In fact, many standards are inferior and not worth their weight in paper (or bytes if you are like me and keep them on your Amazon Kindle). Then there are exceptions – and ISO 31000 is one of those standards I have been waiting to be finalized for quite some time.
ISO 31000 is the new international standard on Risk Management. As we learn – a good house is build on a solid foundation, ISO 31000’s foundation was largely on the AS/NZS 4360:2004 risk management standard. It has been years as an ISO standard and has now arrived.
Its beauty is its simplicity and adaptability. ISO 31000 provides a risk management approach that can be used across the silos/domains of risk scattered across the organization. It is just as relevant to areas such as legal risk management as it is to information security, quality, or environmental, health & safety.
It is also very concise – just 34 pages! It amazes me that we push children to write papers of a certain length in which they learn bad writing in long sentences and filler language and then turn and tell them to be successful in the real world they need to write concisely (yes this is a long boring sentence). As many of you know – I am NOT an advocate of COSO ERM Integrated Framework. ISO 31000 communicates more practically and adaptability to the organization what it takes the COSO ERM Framework to do in 125 pages of poorly written confusion. I read COSO ERM and am left with no guidance and practical approach to risk management. While inspiring and thought provoking in parts, it lacks the pragmatic simplicity and agility that ISO 31000 delivers.
A few things I particularly like about ISO 31000:
- Correct definition of risk. ISO 31000 defines risk as the “effect of uncertainty on objectives.” Simple and right to the point. It also allows for different views of risk whether you focus on just avoiding loss to the organization or if you take risk to seek return to the organization.
- Starts with establishing the context. I see too many risk management programs that are nothing more than SOX on steroids. These programs are encumbered by a myopic view of internal control and context. While the internal context is important, many organizations fail to comprehend the external context business operates in – which introduces significant risk. The context guidance in ISO 31000 provides a holistic approach to make sure the full view of context is set.
- Monitoring and review is more than a life-cycle. While ISO 31000 loops through monitor and review at the beginning and end of the risk management process it is also part of every stage of the risk management process.
- Communication and consultation are integrated throughout the process. The risk management function does not own risk, the business owns risk. It is necessary that every stage of the risk management process involve the risk owners.
Of course I have already referenced the simplicity and adaptability of the standard as well.
ISO 31000 is a great source of guidance for anyone developing a risk management program – which is part of an organization’s GRC initiative. From the broader GRC perspective, my favorite guidance is OCEG’s Red Book 2/GRC Capability Model. ISO 31000 (in draft at the time) as well as the AS/NZS 4360:2004 were source documents in developing Red Book. Red Book provides the GRC ‘Rosetta Stone’ which links the various groups of governance, risk, and compliance across the organization into a common collaboration and architecture.
Don’t worry – next week we will get back to the GRC Reference Architecture. In the mean time, for those in the United States, go out and buy yourself a copy of ISO 31000 to read as you digest your Thanksgiving turkey dinner!
Detailed training on the risk management, Red Book, and the GRC Reference Architecture can be found in Corporate Integrity & OCEG’s GRC Strategy & Technology Bootcamps.