As Mike Hoefgen reported in his recent post “Risk, Risk and More Risk,” the International Standards Organization recently published a new international standard on risk management, called ISO 31000. The availability of this new standard is likely prompting key questions from many GRC professionals as they attempt to make sense of how the standard may impact them. In this post, I will provide a brief overview and answer a couple of key questions GRC and risk pros may be asking.
What is ISO 31000?
As you are all generally aware at this point, ISO 31000:2009 (an untypically brief 34 pages) is the new international standard on risk management. Its foundation is AS/NZS 4360:1999, the Australian standard originally published in 1995. ISO 31000 provides a generic framework for establishing the context of, identifying, analyzing, evaluating, treating, monitoring and communicating risk. It is the first document published in the ISO 31000 Risk Management series, which also includes the following:
- ISO Guide 73:2009, Risk management — Vocabulary: Provides the definitions of generic terms related to risk management and aims to encourage a consistent understanding of, and a coherent approach to, the description of activities relating to the management of risk, as well as uniform risk management terminology.
- ISO/IEC 31010, Risk management — Risk assessment techniques: A supporting standard for ISO 31000 offering guidance on the selection and application of systematic techniques for risk assessment.
What if my organization uses COSO ERM for SOX compliance? Is ISO 31000 compatible with COSO?
Yes, the good news is that ISO 31000 is compatible with COSO ERM.
ISO 31000 could be considered an update to COSO that reflects current risk management thinking internationally. In general, ISO 31000 has some significant advantages over COSO:
- It is more practical (and less theoretical)
- More detail is provided
- Terms are explicitly defined
- It is more clearly written, and easier for CEOs, CIOs, and risk pros to understand
- The information in the standard can be adapted to develop guidelines to assess existing risk management methodologies
- It provides a foundation for implementing other ISO risk management standards and guidelines
The most significant difference is in the definition of risk for ISO 31000 and COSO ERM.
The ISO risk definition is the “effect of uncertainty on objectives.” The ISO standard has more focus on the consequences of uncertainty and allows for different views of risk than COSO. The focus on consequences provides a framework to help consider the 'flow-on' consequences of an event occurring.
COSO ERM defines risk as “the possibility that an event will occur and adversely affect the achievement of objectives.” This definition is more focused on events rather than on the consequences of events.
What are the additional benefits of ISO 31000?
I am in the process of reviewing ISO 31010, the supporting standard, and I am pleased to note that the two are integrated. I particularly like the fact that neither standard says that there is a right way or a wrong way to perform risk management. ISO 31000 discusses the general principles of risk management. The ISO 31010 introduction restates those general principles, and its annexes go into more detail on the different types of risk assessment techniques and the pros and cons of each.
I like the clear explanation of the ISO 31000 risk management principles. The ISO risk management principles are as follows (pulled directly from the published document):
For risk management to be effective, an organization should at all levels comply with the principles below.
Risk management:
a) creates and protects value.
b) is an integral part of all organizational processes.
c) is part of decision making.
d) explicitly addresses uncertainty.
e) is systematic, structured and timely.
f) is based on the best available information.
g) is tailored.
h) takes human and cultural factors into account.
i) is transparent and inclusive.
j) is dynamic, iterative and responsive to change.
k) facilitates continual improvement of the organization.
What should my key take-aways be?
I see the new ISO 31000 risk management series as a very positive development in the risk management standards landscape. Both ISO 31000 and ISO 31010 are concise and well written. While there are no bold new concepts presented, the standards reflect current international thinking, and they also reflect the changes in risk management thinking since COSO ERM was introduced nearly 15 years ago. The conciseness of the standards is also a big plus. While COSO ERM talks about risk, it does not define risk until well into the guidelines, and even then, you have to do some searching to find the definition. I encourage GRC and risk pros to take a closer look at the new ISO 31000 standard and how it can be applied in their organizations to help streamline risk management on a global scale.