Published in December of last year, the new ISO standard 31000:2009 repositions risk management by integrating it into the governance of organizations and projects of all types. It is a lever for continuous improvement in every domain: corporate social responsibility (CSR), health & safety, environment, quality, finance, legal and even politics. Risk management is not about “zero risk” but optimising risk taking! We interviewed one of the members of the working group that developed this new standard, Professor Jean-Paul Louisot, who teaches risk management at Paris 1 Panthéon/Sorbonne University and trains future risk managers for a professional designation (ARM – Associate in Risk Management) at CARM Institute.
What were the circumstances that led to your participation in creating the ISO 31000 standard? Jean-Paul Louisot: I have been involved in risk management for more than 30 years. Since 1999, my courses have included the Australian/New Zealand standard (AS/NZS 4360), which served as the basis for ISO 31000. In fact, the Australians, along with the Japanese, are among those who pushed for this new standard, while Europe (particularly France) and the United States stood back.
Why did you accept this challenge? JPL: In Europe the trend is to address the issue of risk management standards within the scope of Health, Safety and the Environment, in other words "zero risk", and to attempt to manage risks through regulations. This approach is absurd for an Anglo-Saxon "Risk Manager", for whom risk is everywhere, and it is increasingly present because of the more global connections between economies and the interdependence of economic agents. Taking risk is routine for an Anglo-Saxon. Don't we say "take a chance!" in English and "prenez le risque!" (take the risk) in French? I think this standard is both inevitable and necessary, and I wanted the needs and expectations of European "Risk Managers" to be represented.
Why was this standard indispensable? JPL: We are no longer isolated in the world, and we need a common language, a dialogue between all the key players, and a risk management method that: establishes the risk management context in order to determine the goals of the organization; identifies risks; analyzes them (severity, probability); assesses them (level of risk control); ensures compliance with regulatory requirements and with those of the organization and its partners; and manages the risk. This frame of reference will serve as a marker in international exchanges, so that everyone who manages risk does so according to the same principles. Procurement risk management, which is currently a hot issue, is a classic example: we are confronted with a network with unknown boundaries, for which we absolutely must establish reference points that spread from one player to another, from a major buyer to a sub-contractor, from one sub-contractor to another, from one country to another, etc. This is what ISO 28000 is about.
Could you please define what you mean by risk? JPL: Organizations of any type and any size have to deal with internal and external factors and influences that interfere with their ability to predict whether, and when, they will reach or exceed their goals. In daily operations, uncertainty exists. The effect of this uncertainty on reaching goals is what constitutes risk. If we accept this definition, everything is a risk: a reputation tainted by a defective product (ISO 9001), a river polluted with chemical products (ISO 14001), work-related accidents and illnesses (OHSAS 18001), and failure to respect labor laws (ISO 26000) are all the result of poor understanding and a lack of risk management.
Why do we say that ISO 31000 is the standard of standards? JPL: By offering a few principles, an organizational framework, and a risk management and continuous improvement process applicable to all business activities in any country, the non-certifiable standard ISO 31000:2009, accompanied by a glossary (ISO Guide 73), provides context for other standards and improves the general coherence among the 60 or so ISO standards covering "risk" currently in existence.
Based on ISO 31000, does risk management apply to all levels of an organization or project? JPL: Actually, according to ISO 31000, risk management applies to governance processes, strategy, planning, management and reporting, as well as to policies, values and the company's culture as a whole. We have observed, however, that with the financial crisis, risk management did not need the standard to make inroads into the corporate boards of Europe. Nevertheless, ISO 31000 recommends the variation of all uncertainties in all functions, at all levels. Top managers at the highest level consider risks with serious consequences for strategy, and each operating level concentrates on its own risks that could affect strategy, in order to optimize both its development and its execution. Certifiable standards exist, such as ISO 27000 for information security, ISO 28000 for supply chain security or ISO 9000 for quality, etc. ISO 31000 brings them together: after laying the foundation, you build the roof.
Did you experience any difficulties during the preparation of this standard? JPL: Diversity in national cultures and business activities prompted us to review Guide 73, a glossary that standardizes risk vocabulary for all sectors: energy, banking, insurance, non-profit organizations, industry, etc. It covers sentinel events¹, low noises, safe operation, business continuity plans, quality, etc. This glossary must provide a common risk language to all business lines and all operations, in all countries.
Why does this standard concern companies? JPL: ISO 31000 provides the best way to ensure sustainable development for an existing organization; it makes it possible to consider new opportunities, to cope with unforeseen events (rebounding during a crisis), or to transform a mistake into an opportunity (resiliency). The Australians have lived for nearly 20 years with standardized risk management; in Europe we do not have a version of the overall standard. ISO 31000 should be taken not as a standard, since it is not certifiable, but rather as a reference framework. It provides an organizational framework and a process, but falls short of a proper methodology for the identification, analysis and evaluation of risk, which should be offered in the future ISO 31010. However, ISO 31000 will help organizations and their boards fulfil their responsibility towards their stakeholders in terms of risk communication and consultation. The development of this standard is taking place at the same time as the emergence in the United States of what we call enterprise-wide risk management, or ERM, the integrated overall management of risk. Since the financial crisis began, ERM has exploded in Europe... and in the United States!
And finally, what is your opinion concerning the recent Icelandic volcano and the impact it had on the airline industry? JPL: As a matter of fact I was directly affected, as I landed in Paris six hours later than originally planned, and my next trip to Morocco is uncertain... For the airline industry in general, their CEOs should have a better perspective, but clearly this has disrupted all their recovery plans, and it may even hinder the economic rebound that seemed to be taking place, as the impact of this "cloud of the unknown" spread far beyond the industry. This event again raises the question of the "precautionary principle": are the authorities too "prudent"? Maybe, but as a frequent traveller I would not want the engines to shut down in mid-air; indeed, not all planes are gliders and not all pilots are experienced glider pilots... The second lesson learned is that the resiliency of the economy requires all players to be prepared for the unexpected... Another "Black Swan" may always be around the corner!
Bureau Veritas Certification's objective is to support its clients with a robust risk management process through ISO 31000 training and compliance assessment.
¹ Sentinel event: the unexpected occurrence of an event involving, or carrying a risk of, death or serious physical and/or psychological consequences for a patient.