Risk professionals must prove the added value that this role brings to an organisation and escape the idea that insurance buying will prove their worth to top management, Kevin Knight and PolRisk representatives agreed at a recent educational seminar organised by the Polish risk management association.
Mr. Knight asserted that the term risk manager is no longer relevant to the role that risk professionals should play in the management of risk—as defined in ISO 31000:2009 Risk management—Principles and guidelines.
And, he noted that the holistic approach towards risk management taken by PolRisk is a good example to other more established risk management associations.
The major difference between the ISO 31000 and previous risk management standards is that it first advises organisations to establish the principles and framework that highlight where the management of risk must take place.
This is at management level, explained Mr. Knight, and the standard is very much focused on how its principles must be woven into the management system.
“And critically the ISO 31000 needs to be tailored to meet individual organisational structures and systems. It is not a one size fits all document,” Mr. Knight explained.
It was written in management terminology and should help managers gain a better understanding of risk management, thus enabling risk professionals to more easily enter into dialogue with risk owners, Mr. Knight noted. It is as much a document for managers as for traditional risk professionals, he added.
“It is a better document for directors and senior officers to read and it now provides room for the risk champion to actually start a new conversation at a higher level. If you are the traditional risk manager the challenge for you is ‘can you make the leap from where you are now to talking to the bosses?’” Mr. Knight told Commercial Risk Europe during the meeting.
And Mr. Knight believes that the ISO 31000 is already helping to raise the profile of risk management throughout organisations and at board level.
“In Australia it is having that effect both in the public and the private sector and actually enabling risk professionals to restart the conversations around risk all over again at senior management level. Increasingly independent directors are becoming more concerned about how the organisation is managing its risk and requiring management to satisfy them that they understand risk,” explained Mr. Knight.
The standard then places the risk process in its proper context, which is to allow for information to come from management and then, after being processed, be fed back into decision-making on objectives and risk, he added.
The traditional role of the risk manager is evolving and will continue to do so under the guidance of the ISO 31000, he said.
“I see the role very much as an advisor, a champion, a facilitator or coordinator. I am totally opposed to anyone being called a risk manager, just as I do not like safety manager or quality manager, because all of these activities are line management accountability,” said Mr. Knight.
“Therefore the role of the risk professional is to help them manage risk and to coordinate reporting and to provide advice and service up the line to the risk management committee or board committee of management. They need to be able to have a good understanding of the business and be able to provide a lot of advice themselves or know where to get expert assistance from,” continued Mr. Knight.
And increasingly, insurance is not the answer to the management of corporate risk, he added.
It is just one treatment of risk and therefore is not dealt with by the ISO 31000 any further than to say it is just one part of risk sharing, he continued.
“Because only 20-25% of your risk is capable of being covered or helped by insurance. Even business interruption insurance, for example, doesn’t necessarily mean you will survive a disaster—you cannot insure the retention of your customers,” he explained.
So, for example, organisations need to work out how to protect their reputation if it cannot be insured, he added.
“It is about how you look at risks, particularly when it comes to opportunities. How do you understand the strengths and weaknesses of your organisation so that you are able to leap in and respond when opportunity presents itself,” noted Mr. Knight.
“And once you start to talk to boards and senior management about what they are doing to manage the risks to their organisation, rather than just providing an insurance function, you suddenly find they start to show a lot of interest,” Mr. Knight continued.
Mr. Knight’s assertion that the term risk manager should be redundant, reflective of the management of risk as set out in the ISO 31000, and that the role should be focused on achieving objectives and formulating strategies was welcomed by PolRisk.
“This is something that was a big surprise, but a positive surprise for me. The fact that you do not have to anchor on risk management control or insurance buying,” said Slawomir Pijanowski, Vice President of PolRisk and Director in charge of Identity & Access Management Program at Telekomunikacja.
“If we narrowly think about risk it cannot be perceived by financial markets or strategic people. Our perception here is that risk management must be sold as enhancing management practice itself by leading to better performance results and better realisation of objectives. What is the added value if you buy insurance? Buying insurance is not going to get the board excited,” he added.
Mr. Pijanowski stressed the need for risk professionals to prove the added value of Enterprise Risk Management to help achieve organisational objectives.
“If we do not prove the concept of Enterprise Risk Management and the fact that it provides value it cannot work as it will still be perceived as a process that just produces paper and does not help to achieve company objectives,” he explained.
“We have to show that risk management is helping to better formulate better strategies and help people to realise the risk of non-realisation of those strategies. This has to be reflected in the pricing value of a company or on the stock exchange. If you cannot say that Enterprise Risk Management is a value driver for a company’s shares, the financial markets, and perhaps the CEO, will reject the concept,” Mr. Pijanowski added.
Mr. Pijanowski acknowledged that changing risk culture within organisations is likely to be a 3 to 5 year process. But he stressed that one really important issue is how to prove the effects and value of the benefits of ERM in the short term.
This is important as often chief executive officers have a contract for only 2 or 3 years and they are accountable for the delivery of value in that short time frame, he said.
“And, we must prove that the concept is fruitful and can deliver pragmatic benefits after a short time period. Of course that does not mean that the culture will change after a quarter or six months, that is a long-term goal, but we can still influence and affect management decisions over this short period,” he continued.
PolRisk’s holistic approach towards risk management is a good example to other more established associations, noted Mr. Knight.
“They are focused on holistic risk management rather than insurance buying, which I think is a very good approach. They are looking at how they can work with risk management practitioners, whether they are insurance buyers, company secretaries or directors and owners of companies, to help people understand the need to manage risk. To understand risk in organisations and to manage it with the emphasis on maximising your opportunity whilst you minimise your threats,” noted Mr. Knight.
“This is the position of our association. We thought we were going in the wrong direction because we are different from other associations, but it seems that our position is not so bad,” said Tomasz Miazek, President of PolRisk and risk manager for Telekomunikacja, the telecommunications company.
And Mr. Miazek welcomed the new international standard and praised its role in creating a common risk language across the world and amongst organisations.
“It is a good document because the borders between internal audit, risk management and other control functions were previously not very clear. I also get the impression that there was a lot of chaos in managing risk itself, its processes and terminology, and here is a chance for everyone to think and speak in the same language,” said Mr. Miazek.
“This is important because if risk experts cannot work out a common language then how can we sell the idea of risk management to top management who are only interested in revenue and the bottom line,” he added.