Wednesday, 24 April 2013
Changes to ISO 31000 on horizon, implementation guide due in months
A guide to help risk managers and other professionals implement international risk management standard ISO 31000 is set for publication this September and is likely to be followed by changes to the standard itself, a leading player involved in both processes told risk managers yesterday.
Speaking at the RIMS conference in Los Angeles, Dorothy Gjerdrum, Executive Director, Arthur J Gallagher RM Services and ISO 31000 US TAG Chair, predicted that there will soon be changes made to ISO 31000 following a vote that closes on June 18.
As is general practice in the standards world, ISO 31000 is up for review following its publication in 2009, and, based on feedback from risk practitioners, Ms Gjerdrum believes there is a need for update and revision.
“The question first is do we need a review and that is being asked right now. We believe because of the conversations that we have had that everyone will agree that we need to revisit this,” said Ms Gjerdrum, who is a member of the ISO 31000 International Working Group.
“There are a variety of reasons about why that is. I know some of the issues were given short shrift the first time through and we may want to spend time expanding or qualifying those areas. Some of those have to do with risk appetite and fully developing criteria. How we are going to do that is not yet clear. I hope in the US we can run some surveys as we need more input,” she said.
For his part, Michael Miller, Director, Risk Assessment & Mitigation at The Walt Disney Company and ISO 31000 US TAG Delegate, said that any changes to the standard would need to be carefully thought out, not least because of concern over the amount of potential change amongst those that have already implemented the standard.
“Certain groups or companies have already implemented 31000 so there is a little bit of concern over how much is going to change. ISO understands that this is an active standard and not something that is going to peter out now we might rebuild it. Every few years you do need to do a quick check in and ask is it current? Do we need to modify it in any way? Yes or no, and then you take action. But discussions have taken place and people understand that 31000 is implemented across the world and any major changes would need to be considered because of their impact,” he said.
It seems likely that changes to ISO 31000 will come as a result of misgivings held by some organisations, risk professionals and other decision makers over the standard.
It is certainly clear from the forthcoming implementation guide that, following its publication, some practitioners sought further advice on how to implement the standard.
The ISO 31000 International Working Group re-engaged in 2011 to address this need and in March 2013 risk management experts from around the world met in the US to complete the draft of ISO 31004, or the implementation guide to ISO 31000.
ISO 31004 is set for publication in September and is in the final stages of development. It is approved as a Technical Report rather than a standard and therefore should be regarded more as advice and guidance, said Ms Gjerdrum.
Its purpose is twofold. Firstly, to help organisations align their risk management with ISO 31000 by providing guidance, explanation, examples and illustrations. Secondly, it is designed to assist standards-making organisations so that they can harmonise risk management processes with ISO 31000.
It will be suitable for use by any public, private or community enterprise and association, group or individual. The Technical Report is not specific to any industry or sector.
It can be applied to all types and sizes of organisations, their stakeholders and to all activities, explained the ISO insiders. It can also be applied to any type of risk, whatever its nature, whether having positive or negative consequences.
ISO 31004 will have four Annexes that offer guidance for implementation. These annexes cover, in turn, the application of the ISO 31000 principles, how to evidence mandate and commitment, how to monitor and review the framework and process, and how to integrate risk management within a management system.
Annex A, Application Of The ISO 31000 Principles, will give direction on how to apply each of the standard’s 11 principles, together with practical tips, explained Ms Gjerdrum.
Annex B, How To Evidence Mandate And Commitment To ISO 31000, gives guidance and examples to help with characteristics, policy and reinforcement.
It will provide specific questions to help check that mandate and commitment is as strong as it could be. But the annex is not prescriptive and stresses that there is no ‘one size fits all’ approach, explained the risk professional.
Annex C, How To Give Effect To Monitoring and Review, provides a general explanation and considers accountability, the use of independent reviews and how best to monitor and review the framework and process.
Finally Annex D, Integrating Risk Management With A Management System, will provide useful tips and helpful tools to get this job done.