Friday, 8 June 2012
ISO 31000 set to spread risk management culture
The ISO 31000:2009 Risk Management—Principles and guidelines standard is a powerful tool for risk managers that can help spread the culture of risk throughout an organisation and convince top executives to embrace risk management, according to risk practitioners who gathered in Paris at the end of May.
Kevin W Knight, chair of the working group that developed the ISO 31000
Hundreds of experts from all over the world met for two days to debate how the standard can best be used to consolidate risk management programmes. They also discussed the advantages that, in their view, the ISO 31000 brings compared with other standards such as the COSO guidelines.
The conference was organised by the Global Institute for Risk Management Standards, an entity that evolved from a social media community that discusses risk management in relation to the ISO 31000. Participants came from around the world including from Colombia, Saudi Arabia, South Africa and Lesotho.
As a rule, participants were supportive of the approach to risk management enshrined in the standard. For example, Jacquetta Goy, Risk Manager at Canada’s British Columbia Lottery Corporation (BCLC), said it provides a simple but solid starting point upon which a risk management culture can be built.
The standard also introduces terms and concepts that are likely to sound strange but enticing to many within an organisation, she noted. “I like that some of the ISO 31000 terms are quite challenging,” she said. “It creates a good opportunity to trigger debate and to discuss with people the meaning of terms.”
Ms Goy, like other participants, also stressed that ISO 31000 emphasises the need to have clear risk criteria so that different parts of an organisation are aware of the risks they must deal with.
Jan Mattingly, Chairman of Canadian consultancy Risk Results and the project leader for ISO 31004, the implementation guide to ISO 31000, said that companies must focus on real risks and be selective on their mitigation strategies. “Some companies are still trying to manage risks down to zero,” she said.
Clarity is one of the aspects of ISO 31000 that risk practitioners most appreciate, as the standard puts forward specific concepts that should help convince stakeholders of the importance of risk management practices.
According to Kevin W Knight, Chairman of the working group at ISO that drafted the common definitions contained in the standard, deciding upon specific terms was a long and arduous process because sometimes it seemed that participants were talking about completely different things.
Mr Knight recalled that at one point the working group was handling 14 different definitions of the very concept of risk.
It was only after much debate, he said, that the group opted for a simple definition of risk as the effect of uncertainty on objectives.
Mr Knight told delegates that risk management must create value. He warned that in too many organisations risk managers are seen merely as the people who say no. Risk managers must help organisations to achieve their goals and strategic objectives, he added.
Mr Knight stressed that risk assessment must reach top executives so that they can take informed decisions for the company.
Ms Mattingly, for her part, said that risk managers must adopt a tactical and incremental approach to implementing the standard, earning victories whenever possible rather than trying to convert the whole company in a single stroke.
The standard appears to be gaining traction within large companies, as illustrated by practical case studies given during the conference.
Rico Ferrarese, Senior Strategic Risk Manager at LEGO System, the toy company, said that ISO 31000 was instrumental in the achievement of an enterprise risk management (ERM) programme within his company.
He said that Lego started looking into ERM back in 2006. By the start of 2010 a whole set of risk controls had already been audited and risk ownership across the company had been established, he explained.
“Our auditors wanted us to implement COSO,” Mr Ferrarese said. “But we found out that it was so expensive, that the company could hire me for the next 20 years spending the same kind of money.”
He said that Lego also wanted a more proactive risk management tool to help prepare for the future. The ISO 31000 met 99% of his company’s risk management needs, said Mr Ferrarese. “We also wanted something that was well-written,” he added. “So goodbye COSO.”
Carol Fox, Director of Strategic and Enterprise Risk Practice at RIMS, the American risk management association, said that plenty of companies in the US are already switching to ISO 31000 or adopting the norm alongside COSO.
Some countries have embraced the norm more readily, said Geraint Bermingham, Director of Navigatus Consulting.
“Uptake of ISO 31000 in New Zealand has been very rapid,” he explained. However, even there government bodies are lagging behind the private sector in adoption and implementation, he added.
But in Spain there is still a way to go, according to risk consultant Angel Escorial. There, most risk managers remain closer to the COSO standards than to ISO 31000.
France is also moving slowly, said Gilles Motet, Scientific Director at Foncsi, a French industrial think tank. But he expressed hopes that the recent implementation of an ISO 31000 programme by GDF Suez, a large utility, could change the situation. “The adoption of the norm by a large company can give a boost to ISO 31000 in France,” he said.
In Turkey, the approval of a new Code of Commerce, which comes into force in July, is set to boost risk management, said Alpaslan Menevse, Operational Risk Manager at Sekerbank.
He said that the new rules mandate ERM implementation for all publicly traded companies and require the setting up of a Risk Oversight Committee at board level. “It is a volume of more than 1500 pages, but it is an evolution,” Mr Menevse said. “ISO 31000 is in practice embedded in the Code of Commerce, which is encouraging for us.”