The new ISO 31000 risk management standard . . . well-written, but not earth-shattering

By now, many of you have read the newly released ISO 31000 Risk management - Principles and guidelines standard. (Others may have seen its release draft or be familiar with its predecessor the AS/NZS 4360 standard.)

It provides a well-written, step-by-step guide to risk management processes that can be applied to whole organizations, or any part thereof. So far, it has received well-deserved praise for its surprising brevity and consolidated value. These are especially important characteristics for a document with as lofty a goal as standardizing what it calls “an integral part of all organizational processes.”

But if we expect the availability of ISO 31000 to have any sort of revolutionary or game-changing impact in the immediate future, we’re getting way ahead of ourselves.

In my work with Forrester’s clients in risk management roles, I certainly come across organizations that would benefit from a commonly accepted risk vocabulary and a clearly defined process framework for risk management. This will also help facilitate better industry communication and sharing of best practices. However the biggest hurdles in risk management do not usually come from a misunderstanding of concepts, but rather from a difficulty translating those concepts into practical tools and processes. How should we measure risk based on available information? What forms and reports do other organizations use? A lot of risk professionals with questions like these about practical techniques will have to continue relying on their own ingenuity, consultants, vendors, and industry peers.

I will be publishing a report that discusses ISO 31000 in much more detail, and I’m curious to hear from others who have read through it. Is this something you expect will significantly improve risk management practices? Are there specific elements you wish the standard had included?

Comments

re: The new ISO 31000 risk management standard . . . well-writt

ISO 31000 - together with ISO Guide 73 - is the foundation of a new age in Risk Management. Providing vocabulary and concepts for a common language across organizations of different sizes and industries, concentrated in only 24 pages, ISO 31000 will help organizations to integrate their different risk management functions and areas. Similar to ISO 9000 and ISO 14000, which became references for managing quality and environmental issues within organizations, the launch of ISO 31000 will provide countries worldwide with a set of internationally recognized guidelines for managing risk. Hereafter, a lot of standards and frameworks related to risk management should be reviewed to align with ISO 31000, and also new specific standards for more detailed and practical guidelines, for instance IEC/ISO 31010 - Risk management - Risk assessment techniques (published this week).