#193 – NEW ISO 31000 COMING THIS YEAR: ARE YOU READY? – ALEXEI SIDORENKO

After more than 5 years in the making and thousands of comments received from representatives of 54 participating and observing countries as well as multiple liaison organizations, the updated ISO 31000 standard is going through the final stages of feedback and will likely be published in early 2018.

In this short article I will attempt to summarize the key changes to ISO31000, the most popular risk management standard in the world, and how the changes will impact businesses.

Key changes proposed in 2018 version

No significant changes.

That’s right. 5 years in the making and thousands of comments received and processed and at the end all changes are either cosmetic or reinforcing the messages that were always in there since the 2009 version. This could either mean the 2009 version was already great and just needed more emphasis or it could mean that the members of the ISO TC262 did not have an appetite for change or innovation. It’s actually both and full credit should go to the authors of the ISO31000 2009 version, because the document in its original form already listed all the right principles and concepts.

So, what has changed?

Here are some of the most important changes:

  • The document is shorter. It is now only 15 pages (excluding covers and bibliography)
  • The number of principles has been reduced from 11 to 8 without losing any of the important messages
  • The standard reinforces the purpose of risk management. According to the authors, the purpose of the risk management framework is to assist the organization in integrating risk management into all its activities and functions. The effectiveness of risk management will depend on its integration into the governance and all activities of the organization, including decision-making.
  • The responsibility of top management and oversight bodies is added. They should ensure that risk management is integrated into all organizational activities and should demonstrate leadership and commitment.
  • The concept of integration is reinforced throughout the document; here are just a few examples:
    • Risk management should be a part of, and not separate from, the organizational purpose, governance, leadership and commitment, strategy, objectives and operations.
    • Properly designed and implemented, the risk management framework will ensure that the risk management process is a part of all activities throughout the organization, including decision-making, and that changes in external and internal contexts will be adequately captured.
    • The organization should continually improve the suitability, adequacy and effectiveness of the risk management framework and the way the risk management process is integrated.
    • The risk management process should be an integral part of management and decision-making and should be integrated into the structure, operations and processes of the organization.
  • The new standard explicitly states that there can be many applications of the risk management process within an organization, customized to achieve objectives and to suit the external and internal context in which they are applied.
  • The standard also addresses the dynamic and variable nature of human behavior and culture which should be considered throughout the risk management process.

These messages are very powerful. They are not new, but they reinforce the type of risk management that is integrated into business activities and key decision-making processes. The type of risk management that is not done on a pre-determined periodic basis (quarterly, monthly, etc.), but instead done at the time of making an important business decision or as part of the business process or activity.

What does it mean for businesses?

Since all the changes are either reinforcing existing ideas or cosmetic, does that mean risk managers don’t have to do anything? I wish I could say that was true for all.

This is true for some risk managers who have been applying the ISO31000 principles since its publication in 2009. In 14 years in risk management, I have probably met less than 10 people like that globally. Nevertheless, here are some examples of successful practices:

  • Integrating risk management into strategic planning – the effect of uncertainty on the strategic objectives is assessed at the time the strategy is formulated and not after it has been approved by the Board. Risk analysis becomes an important step in the actual strategy setting and update processes. Risk managers use scenario analysis or simulation modelling to present an independent opinion on strategic objectives, the likelihood of achieving them and the impact the risks may have on their achievement.
  • Integrating into budgeting – while it is quite common to budget using three scenarios (optimistic, realistic and pessimistic), this may not be sufficient from a risk management point of view. These scenarios are often formed without the risk management team’s participation, or even without due consideration of the actual risks associated with the budget. Thus, even the pessimistic scenarios often do not account for many significant risks, creating an overly optimistic and misleading picture for the executives and decision-makers. Proper risk analysis can bring significant value to the budgeting process. Risk managers should review and improve the management assumptions used in scenario analysis, or introduce simulation modelling, to make sure all important risks are captured and their impact on liquidity assessed. Risk analysis helps replace static, point-in-time budgets with a distribution of possible values. It also helps set management KPIs based on the risk information, improving the likelihood of them being achieved and reducing the conflict of interest the finance department and management team have in presenting an overly optimistic budget. Risk analysis helps to identify the most critical risks affecting the budget, allowing management to allocate ownership and determine the budget for risk mitigation.
  • Integrating into performance management – risk management could be integrated into the performance management cycle of the organization, both at the individual level and the corporate level. One of the risk managers we interviewed shared an example where traditional static corporate key performance indicators (KPIs) have been replaced with dynamic, risk-based, ranged KPIs. This allowed their management to have bands of values instead of a single value. Some KPIs stayed as single-value estimates; however, they were calculated as the 95th percentile of the distribution of possible values based on Monte Carlo simulation. Triggers and key risk indicators may also be set for corporate KPIs to improve monitoring and performance tracking. At an individual level, risk management KPIs may be set around risk-based decision making, timely risk mitigation, risk management training grades or an internal audit assessment of the risk management effectiveness in different business units.
  • Integrating into investment decision making – simulation makes it possible to estimate not only the range of project costs and expected returns, but also the most significant management assumptions that affect the project’s key performance indicators.

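The budgeting and KPI practices above rest on one idea: replace a point-in-time pessimistic scenario with a simulated distribution and read the KPI off its 95th percentile. The following is an added example, not from the article or its author, using a constructed budget with three line items and two hypothetical risk events that a conventional pessimistic scenario omits; it shows why the 95th percentile can sit well above the "pessimistic" figure.

```python
import random

# Constructed, hypothetical budget (in thousands): each line item is a
# (low, most likely, high) estimate, as management would give for a
# three-scenario budget.
LINE_ITEMS = {
    "Staff": (1800, 2000, 2300),
    "Infrastructure": (500, 650, 900),
    "Vendors": (300, 400, 600),
}

# Constructed risk events that the classic pessimistic scenario leaves out:
# (probability of occurring in the budget year, cost if it does).
RISK_EVENTS = {
    "Key supplier failure": (0.25, 600),
    "Security incident response": (0.10, 1200),
}


def three_scenarios():
    """Classic optimistic / realistic / pessimistic totals (no risk events)."""
    optimistic = sum(low for low, _, _ in LINE_ITEMS.values())
    realistic = sum(mode for _, mode, _ in LINE_ITEMS.values())
    pessimistic = sum(high for _, _, high in LINE_ITEMS.values())
    return optimistic, realistic, pessimistic


def simulate_budget(n=20000, seed=1):
    """Monte Carlo: draw each line item from a triangular distribution, add the
    cost of every risk event that materialises, and summarise the distribution."""
    rng = random.Random(seed)
    totals = []
    for _ in range(n):
        total = 0.0
        for low, mode, high in LINE_ITEMS.values():
            total += rng.triangular(low, high, mode)  # argument order: low, high, mode
        for prob, impact in RISK_EVENTS.values():
            if rng.random() < prob:
                total += impact
        totals.append(total)
    totals.sort()

    def pct(p):
        return totals[int(p * (len(totals) - 1))]

    return {"mean": sum(totals) / n, "p50": pct(0.50), "p95": pct(0.95)}


if __name__ == "__main__":
    opt, real, pess = three_scenarios()
    s = simulate_budget()
    print(f"scenarios: optimistic={opt} realistic={real} pessimistic={pess}")
    print(f"simulation: mean={s['mean']:.0f} p50={s['p50']:.0f} p95={s['p95']:.0f}")
```

With these inputs the pessimistic scenario is 3800 while the simulated 95th percentile exceeds it, because the two risk events add a tail the three-scenario budget never captures.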
For them, ISO31000:2018 will be a nice reinforcement of what they have been doing for years. Well done you!

The majority of risk managers in non-financial companies, however, choose to settle for regular risk register updates, periodic risk reporting and standalone risk management framework documents. All these practices are relatively ineffective and never did align well with the original ISO31000 principles. So, for them, the new standard is a wonderful opportunity to reevaluate current risk management methodologies and start building a business case for why risk management needs to be better integrated into decision making and key business processes.

National and international risk management associations have an important role to play in building awareness around the new ISO31000 to help integrate risk management principles into national legislation and government issued guidelines.

Bio:

Alex Sidorenko is an expert with over 13 years of strategic, innovation, risk and performance management experience across Australia, Russia, Poland and Kazakhstan. In 2014 Alex was named the Risk Manager of the Year by the Russian Risk Management Association.

As a Board member of the Institute for strategic risk analysis in decision making, Alex is responsible for risk management training and certification (including creating exams) across Russia and the CIS, running numerous risk management classroom and e-learning training programs. Since 2015 Alex has represented the Russian risk management community at ISO Technical Committee 262, responsible for the update of ISO31000:20XX and Guide 73.

Alex is the co-author of the global PwC risk management methodology, the author of the risk management guidelines for SME (Russian standardization organization), risk management textbook (Russian Ministry of Finance), risk management guide (Australian Stock Exchange) and the award-winning training course on risk management (best risk education program 2013, 2014 and 2015).

In 2012 Alex created Risk-academy (www.risk-academy.ru), a web portal dedicated to free risk management training for SMEs across Russia and the CIS.

Alex worked as a Head of Risk Management at RUSNANO, one of the largest private equity funds in Russia, specializing in technology investment. Alex won an award for best ERM implementation at RUSNANO in 2014.

Prior to that Alex worked in senior risk roles at Skolkovo Foundation, Strategy Partners, PwC and Deloitte.

Alex recently published his second risk management book, called “Effective Risk Management 2.0”. Alex also regularly presents at risk management conferences in Russia and Europe. In November 2012 Alex shot a series of TV programs dedicated to risk management in start-ups. Alex teaches risk management at major Russian business schools including OpUS, Technopark Skolkovo, MIRBIS, MFUA, SKOLKOVO and USIB, as well as corporate universities like Gazprom.

He has successfully completed his double Bachelor degree in Risk Management and Econometrics at Monash University, Australia, achieving the top risk management and statistics student award two years in a row.

More information can be found here:

http://ru.linkedin.com/in/alexsidorenko

www.slideshare.net/AlexSidorenko/

https://www.youtube.com/user/alexausrisk/videos
