The ABC's of Risk: The ISO 31000 Risk Management Standard

Risk Management: NEW versus OLD.

Historically, risk has been defined as the potential for failure and losses. In fact, that is the natural English-language usage of the term risk. If you turn to Wikipedia, you will find that risk can be defined in six different ways:

1. A probability or threat of damage, injury, liability, loss, or any other negative occurrence...
2. Finance: The probability that an actual return on an investment will be lower than the expected...
3. Food industry: The possibility that due to a certain hazard in food there will be a negative effect...
4. Insurance: A situation where the probability of a variable (such as burning down of a building)...
5. Securities trading: The probability of a loss or drop in value...
6. Workplace: Product of the consequence and probability of a hazardous event or phenomenon...

Governments, corporate boards and other vested parties are all very concerned that the people they entrust with their assets do not "gamble" them away, engaging in excessive risk. Indeed, many industries have developed or adopted standards and systems to manage these risks.

Some of the most prominent sources of guidance for risk management are:

The GRC Capability Model, which achieved widespread interest after the US Sarbanes-Oxley Act was imposed on the securities industry.

The COSO II Integrated Framework, which is jointly sponsored and funded by the five main professional accounting associations. Its Internal Control Framework is specifically recognized by the SEC.

Other organizations also provide guidance for risk management, such as the Institute of Risk Management and the Risk Management Society.

Each of these systems works well when implemented correctly. They are focused on internal controls, compliance and, often, regulation. These systems are all highly respected, although each is specialized to its respective industry.

None of the above is easily applied to other industries or to emerging hybrid industries. They are all very good, but they comprise the "old way" of Risk Management.

In 2009, ISO, the International Organization for Standardization, published ISO 31000:2009 "Risk Management - Principles and Guidelines", a more concise, logical and easier-to-explain architecture, which can be applied to any industry and to all existing management systems.

When you study and learn this architecture, you quickly realize that Risk Management is a principle-based framework and process for decision-making at all levels of an organization in any industry. Would you like it if all of your personnel consistently made better decisions?

What is really different about ISO 31000 are the new definitions regarding risk. Risk is defined as the "effect of uncertainty on objectives." Therefore, ISO 31000 concerns itself with the importance of identifying the risks associated with not pursuing an opportunity and, likewise, with taking or increasing risk in order to pursue an opportunity.

Additionally, ISO 31000 is not limited to the strategic levels of an organization. Every decision maker can benefit from the "new way."

1) Companies which are initiating a new risk management program will be wise to begin with the standard that is most recognized, both nationally and internationally.

2) Companies which are hybrids, i.e. whose risks cross over multiple industry sectors, will be best served by implementing ISO 31000.

3) If, like many companies, your company has difficulty explaining COSO ERM to stakeholders who are not finance-oriented, you can use ISO 31000 as an able adjunct to your existing process.

4) Many companies have Risk Managers or a Chief Risk Officer who are very challenged in fulfilling their primary role: to champion good decision-making throughout their organization. The ISO 31000 guidance can be easily understood by most people who take the time to be trained.

5) If you have been frustrated by the rigidity of your risk management processes and are doubtful of their value, it is time for you to explore ISO 31000.

Are You Happy With Your Decision Making Process?

For risk management (RM) to be effective, an organization should, at all levels, comply with these eleven principles.

1) Risk management creates and protects value.

2) Risk management is an integral part of all organizational processes.

The success of risk management will depend on the effectiveness of the management framework you put in place.

The 5-step framework assists in managing risks effectively through the application of the risk management process.



The 7-step RM process should be an integral part of management, embedded in the culture and practices, and tailored to the business processes of the organization.

Logically, it is an "inset" of the framework, i.e. implementing the framework for managing risk includes implementing the risk management process.