An open letter about the definition of risk


I have been open for years about my preference for the ISO 31000 global risk management standard over the COSO products. (I first explained my position at Alex Dali’s ISO 31000 Conference in Paris in 2011.)

Back then, we had the 2009 version, which included a definition of risk and a set of principles. The definition then and now is:

The effect of uncertainty on objectives.

The principles were truly outstanding:

a. Risk management creates and protects value.

Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.

b. Risk management is an integral part of all organizational processes.

Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.

c. Risk management is part of decision making.

Risk management helps decision makers make informed choices, prioritize actions and distinguish among…
