ISO 31000:2009 on risk management is intended for people who create and protect value in an organization by managing risks, making decisions, setting and achieving objectives and improving performance. The standard’s revision process discovers the virtues of keeping risk management simple.
The revision of ISO 31000:2009, Risk management – Principles and guidelines, has moved one step further to Draft International Standard (DIS) stage where the draft is now available for public comment. What does it mean? And what happened in the revision process since the Committee Draft (CD) stage in March 2015?
The revision work follows a distinct objective: to make things easier and clearer. This is achieved by using simple language to express the fundamentals of risk management in a way that is coherent and understandable to users.
The standard provides guidelines on the benefits and values of effective and efficient risk management, and should help organizations better understand and deal with the uncertainties they face in the pursuit of their objectives.
The major task was finding the right balance between giving sufficiently detailed guidance and writing an entire textbook. With this in mind, the text has been reduced to its fundamental concepts to create a shorter, clearer and more concise document that is easier to read whilst remaining widely applicable.
That’s not to say that the specific meanings or sectoral jargon that are important to certain users have disappeared. On the contrary, providing more detail and precise information has been an essential aspect of the revision.
To avoid weighing down the standard and making it too complex, it was decided to reduce the terminology of ISO 31000 to the bare-bones concepts and move certain terms to ISO Guide 73, Risk management – Vocabulary, which deals specifically with risk management terminology and is intended to be read alongside ISO 31000.
Strengthened by its generic quality, the standard provides the basis for renewed confidence between experts and end users, who each face specific challenges in terms of risk but need to understand and communicate with other stakeholders. As such, the clause on building a risk management framework, which contains guidance that is relevant for every possible user, has since been augmented with additional concepts or examples that are specific to countries and industries.
“The message our group would like to pass on to the reader of the DIS is to critically assess if the current draft can provide the guidance required while remaining relevant to all organizations in all countries. It is important to keep in mind that we are not drafting an American or European standard, a public or financial services standard, but much rather a generic International Standard,” explains Jason Brown, Chair of ISO technical committee ISO/TC 262, Risk management, that developed the standard.
A lot of the complicated language has been eliminated, so the text is leaner and more precise with the expectation that the reader will find it simpler to understand. The new draft is shorter than the CD, but it gains in clarity and precision and is much easier to read. It also includes some substantial improvements, such as the importance of human and cultural factors in achieving an organization’s objectives and an emphasis on embedding risk management within the decision-making process. That said, the overall message of ISO 31000 remains the same – integrating the management of risk into a strategic and operational management system.
The next step in the process will be to finalize the revision work to reach the Final Draft International Standard (FDIS) stage. The new version of ISO 31000 is expected to be published at the end of 2017 or early 2018.