Risk Insider: Dorothy Gjerdrum
A Brief History of ISO 31000 – and Why It Matters
By the end of 2015, national standards organizations in 57 countries (including the United States) had adopted ISO 31000 as their national standard for the management of risk. ISO 31000 is broadly accepted by public and private companies, governments, nonprofits and charitable organizations.
The work to standardize the risk management process, and to make it applicable to any size or type of organization in any country of the world, began roughly a decade earlier.
The International Organization for Standardization (ISO) organized a work group representing approximately 25 countries, led by an Australian Chairman and Japanese Secretariat.
The group reviewed existing standards and best practices (from Australia, New Zealand and Canada, among others), created a new architecture, agreed upon updated terminology, and worked to ensure that the standard would be broadly applicable across cultures and languages.
The first international standard on the practice of risk management was published in 2009 as ISO 31000.
Risk management practices continued to evolve, and within a couple of years people began to realize there were some key concepts missing from the standard. Issues like risk appetite, attitude and tolerance needed further explanation. Risk maturity and integration with business continuity, supply chain processes and other management processes needed deeper development.
Although the standard was lauded for its broadly applicable, elegant format, many expressed a desire for more explicit implementation instructions and examples of best practices.
In response, ISO created a project committee in 2011, which quickly expanded into a full Technical Committee (TC 262). Becoming a technical committee allowed the group to take on additional risk management projects and publications (beyond a single project); its charge is now standardization in the field of risk management.
Although many of the same experts who participated in the creation of ISO 31000 continued to work with TC 262, the leadership changed slightly, with the Japanese Secretariat replaced by a standards expert from the British Standards Institution (BSI).
TC 262 created a Working Group to draft an Implementation Guide. Progress on the Implementation Guide was slow: the Working Group leadership changed multiple times, the purpose and intent were revisited numerous times, and the Working Group experts disagreed about both the overall purpose and specific details.
Nevertheless, the Working Group produced a Technical Report, ISO/TR 31004 – Guidance for the Implementation of ISO 31000, which was published in 2013.
ISO standards are subject to systematic review every five years. TC 262 began working on technical revisions to ISO 31000 in 2014.
After robust debate at the March 2015 meeting, the Working Group recommended that TC 262 proceed with a full-scale review and revision of ISO 31000. This work recognizes that user needs are evolving and that the standard needs updating to reflect current risk management practice.
Work on the full-scale review and revision began in earnest at the November 2015 meeting, and it will incorporate the discussions, ideas and technical revisions developed over the previous two-plus years.
The next year will be extremely busy for TC 262 as it works to revise ISO 31000 and meet the proposed publication date in 2017. This is an opportune time to get involved (each participating country has technical advisory groups that review proposed changes).
We need the participation of risk practitioners to help us shape the future of risk management, as expressed through international standards.