Improving risk management standards and guidance


I was pleased to receive a request from Peter Blokland, PhD, to share my views on how the global risk management standard, ISO 31000:2018, should be improved.

It’s a standard that I prefer to COSO’s 2017 Enterprise Risk Management Framework (although I prefer the principles in the ISO 31000:2009[1] version[2]).

I think the best way to start is to consider why we need a standard at all. (COSO may call their guidance a framework, but since people talk about complying with it, it is essentially a standard.)

My view is that a standard should establish the criteria for determining whether a minimum level of effectiveness has been achieved.

A risk management standard should help people understand what effective risk management is, and how it has value to an organization.

It can also provide a common language for management (including the board) and practitioners (of all stripes) to use.

That language starts with definitions of risk and risk management.

The ISO definition of risk is “the effect of uncertainty on objectives”.

I think this needs to be reconsidered, because:

  1. There is generally a range (or distribution) of potential effects on the achievement of enterprise objectives, each with its separate likelihood.
  2. A single source of risk may have a different level of effect on different objectives. They may…
