On 15 February 2018, a new International Risk Management Standard, ISO 31000:2018, was released. This second edition replaces AS/NZS ISO 31000:2009 (the 2009 Standard). At this point in time, ISO 31000:2018 has not been adopted as the Australian Standard; however, it is likely to be in the near future. ISO 31000:2018 should be used by people who create and protect value in organisations by managing risks, making decisions, setting and achieving objectives and improving performance.
Background to ISO 31000:2018
In September 2013, the ISO Strategic Advisory Group and the Committees responsible for the risk management standard decided to carry out a limited review and revision of the 2009 Standard. Since then, over a period of 5 years and with comments received from over 54 participating and observing countries as well as multiple liaison organisations, the newly revised ISO 31000:2018 has been released. The intention of the revision process was to focus on the fundamentals of risk management and, in doing so, create a shorter, clearer and more concise document that is easier to read and apply.
What has changed in the 2018 review?
The messages in the revised ISO 31000:2018 reinforce the practical integration of risk management into business activities and key decision-making processes, while streamlining the framework and principles that already exist. For risk practitioners, the changes reflect what they already know needs to happen in order to create a sustainable risk management program.
The standard has been somewhat simplified in that the document itself is shorter (only 15 pages) and the vocabulary section is much shorter, with 21 key terms being moved to ISO Guide 73:2009 - Risk management - Vocabulary.
Other key changes include:
- The reduction of the number of Principles from 11 to 8. Some Principles have been integrated into others; however, overall the key criteria with respect to value creation and protection have been maintained.
- Revised diagrams to reflect a more streamlined approach across the Principles, Framework and Process.
- The addition of an 8th element to the risk process, being "Recording and Reporting".
- An increased focus on leadership by "top management" who should ensure that risk management is integrated into all organisational activities, starting with the governance of the organisation.
- Greater emphasis on the iterative nature of risk management, drawing on new experiences, knowledge and analysis for the revision of process elements, actions and controls at each stage of the process.
- Streamlining of the content with greater focus on sustaining an open systems model that regularly exchanges feedback with its external environment to fit multiple needs and contexts.
The following comparative table sets out the differences between the Principles as set out in the two standards:

| AS/NZS 2009 Principles | ISO 2018 Principles |
| --- | --- |
| Risk Management creates and protects value | No longer a principle but incorporated into the remainder of the Standard |
| Risk Management is an integral part of all organisational processes | Integrated - The same with language simplified |
| Risk Management is part of decision making | No longer a principle but incorporated into the remainder of the Standard |
| Risk Management explicitly addresses uncertainty | No longer a principle but incorporated into the remainder of the Standard |
| Risk Management is systematic, structured and timely | Structured and comprehensive - The same with language simplified |
| Risk Management is based on the best available information | Best available information - The same with language simplified |
| Risk Management is tailored | Customized [sic] - wording change from "tailored" to "customized" |
| Risk Management takes human and cultural factors into account | Human and cultural factors - The same with language simplified |
| Risk Management is transparent and inclusive | Inclusive - The same with language simplified |
| Risk Management is dynamic, iterative and responsive to change | Dynamic - The same with language simplified |
| Risk Management facilitates continual improvement of the organization | Continual Improvement - The same with language simplified |
Within ISO 31000:2018 there is also a key focus on the purpose of risk management, being, as the authors have stated, "the integration of risk management into all activities and functions which will determine its effectiveness".
Jason Brown, Chair of the technical committee, noted, "The revised version of ISO 31000 focuses on the integration with the organization[sic] and the role of leaders and their responsibility. Risk practitioners are often at the margins of organizational management and this emphasis will help them demonstrate that risk management is an integral part of business."
The key differences in more detail
Leadership and Commitment
ISO 31000:2018 incorporates a firm commitment to ensuring support from stakeholders, identifying "top management" and "oversight bodies" to lead the integration of risk management in the organisation. The terms "top management" and "oversight bodies" are two new and undefined concepts. Previously, the 2009 Standard only specified a management framework for commitment to risk, whereas Clause 5.2 of ISO 31000:2018 now makes top management accountable for managing risk, with oversight bodies accountable for overseeing risk management. It also incorporates particular responsibilities relating to accountability for risks that were previously contained in Annex A of the 2009 Standard. Annex A does not exist in ISO 31000:2018 and is discussed further below.
Articulating Risk Management Commitment
Where the 2009 Standard identified establishing a risk management policy as the way to demonstrate an organisation's commitment to risk management, ISO 31000:2018 takes this further: top management and oversight bodies should not only demonstrate their organisation's commitment to risk management but also demonstrate continual commitment through a policy, statement or other form that clearly conveys the organisation's objectives and commitment to risk management.
Risk Identification
Where Clause 5.4.2 of the 2009 Standard provided broad areas of risk identification, including identifying sources of risk, areas of impact, events and their causes and potential consequences, Clause 6.4.2 of ISO 31000:2018 significantly expands on risk identification by specifying a list of 11 interrelated factors which should be considered when identifying sources of risk within an organisation.
Risk Evaluation
In the 2009 Standard, risk evaluation broadly defined the actions which could result from a risk evaluation. In ISO 31000:2018, at Clause 6.4.4, there is a specific list of five decisions which support the risk evaluation process.
General Risk Treatment
The description and selection of risk treatment in ISO 31000:2018 has been simplified and condensed. Specifically, where the 2009 Standard detailed both specific risk treatments and the general cyclical risk treatment process together in Clause 5.5.1, these have been separated and clearly listed in separate Clauses 6.5.1 and 6.5.2 of ISO 31000:2018. The phrasing of the cyclical risk treatment process has also changed from "tolerable" risk to "acceptable" risk. While no definition has been provided, a simple dictionary search indicates that this involves a movement from an endurable (negative) risk treatment towards a pleasing (positive) risk treatment.
Recording and Reporting
The old recording processes contained in Clause 5.7 of the 2009 Standard have been expanded to include a reporting element in ISO 31000:2018. Where the 2009 Standard focused simply on recording the day-to-day decisions associated with risk management in the organisation, ISO 31000:2018 also adds the element of communicating activities and outcomes across the organisation and assisting interaction with stakeholders, including the quality of the dialogue with top management and oversight bodies so that they can meet their responsibilities for risk management. Recording and Reporting has been added to the Risk Process diagram.
Attributes of Enhanced Risk Management
The 2009 Standard contained Annex A, which outlined the attributes of enhanced risk management, including continual improvement, full accountability, continual communication and integration of risk management across the organisation, especially at all levels of decision making. Annex A has been removed from ISO 31000:2018, with its principles integrated across the whole Standard, which clearly achieves the goals of simplification and clarification.
What does this mean for schools?
All schools would be aware of the myriad risks that exist in their school environment, whether they be strategic risks considered by the governing body or operational risks managed on a day-to-day basis by a school leadership team. Operational risks associated with child safety are particularly topical today, with Victorian schools now having to undertake Child Protection risk assessments in much the same way organisations are required to undertake workplace safety hazard assessments. By putting in place appropriate systems of risk oversight and internal controls, schools can increase the likelihood that they will deliver on their purpose and ensure that their duties and obligations to students with respect to teaching, learning and care are met every day. ISO 31000:2018 provides a clear roadmap and structure for schools to use to meet their risk management registration obligations and to establish a risk management framework that actually works to manage risk in their school.