ISO has published an updated version of ISO 31000, Risk management – Guidelines. ISO 31000:2018 is intended as “a clearer, shorter and more concise guide” to help organisations use risk management principles in their planning and decision making.
FERMA participated in the consultation phase and submitted over 70 comments. Ten were retained, including reordering ideas, adding precision on data, external and internal contexts, risk criteria and enlarging the scope beyond businesses.
ISO says that the 2018 version places a greater emphasis on creating and protecting value as the key driver of risk management and features other related principles such as continual improvement, the inclusion of stakeholders, adaptability to the organisation and consideration of human and cultural factors.
Risk is still defined as the “effect of uncertainty on objectives”, which focuses on the effect of incomplete knowledge of events or circumstances on decision-making. The following are the main changes since the previous edition:
-
Focus on leadership by top management who should ensure that risk management is integrated into all organisational activities, starting with governance.
-
Greater emphasis on the iterative nature of risk management, using new experiences, knowledge and analysis for the revision of process elements, actions and controls at each stage of the process.
-
Streamlined content with greater focus on sustaining an open systems model that regularly exchanges feedback with its external environment.
ISO 31000:2018 provides guidelines, not requirements, and does not contain any normative references. This gives managers the flexibility to implement the standard in a way that suits the needs and objectives of their organisation, explains ISO.