#70 – FUTURE OF ASSURANCE: BSI STATEMENT OF COMPLIANCE FOR ISO 31000 ERM – GREG HUTCHINS

British Standards Institution (BSI) recently issued an ISO 31000:2009 Statement of Compliance for an Enterprise Risk Management (ERM) system to Tata Power – one of India’s largest integrated power companies.

What does this mean?  This could be a game changer for ISO 9001:2015, ISO 31000, risk assurance, and BSI.  Let me explain.

WHAT IS STATEMENT OF COMPLIANCE?
Normally, we see a ‘Statement of Compliance’ in the context of testing and calibration laboratories reporting compliance with the requirements of ISO/IEC 17025.  The labs provide customers with a report or letter stating measurement results, their uncertainty, and whether the item conforms to the specification it was tested against.

That BSI, one of the world’s foremost management systems certification bodies, is providing this level of assurance to one of India’s largest power producers is a statement of the credibility of ISO 31000 as an enterprise risk management framework.

IS ISO 31000 AN ERM STANDARD?
We like ISO 31000 – a lot.  But we think it is an ‘ERM light risk guideline’.  If we are advising a publicly traded organization, as is usually the case, we recommend the COSO ERM framework, which we call the ‘ERM heavy risk guideline’.  Why?

  • COSO ERM is a mature framework.
  • COSO is widely adopted because it underpins internal control over financial reporting (ICFR).
  • COSO is widely accepted as satisfying exchange listing requirements.
  • COSO offers the concept of a system of controls.
  • COSO provides more guidance and latitude for applying an operational ERM system.

CAN YOU CERTIFY TO ISO 31000?
No.  It is a guidance document intended to help other management system standards meet their risk requirements.  It is not intended for certification.  However, BSI issued a Statement of Compliance to a global and very critical customer as an acceptable alternative to certification.

So, what’s going on?  I think that BSI and other global certification bodies are responding to business and marketing pressures to develop new assurance options for critical clients.  BSI offered the client training, consulting, and a level of objective (though not independent, since the same body trained and consulted for the client) assurance that was acceptable to both parties.  We’re seeing this with other global certification bodies.

WHAT DOES THIS MEAN TO THE MANAGEMENT SYSTEMS CERTIFICATION INDUSTRY?
The BSI Statement of Compliance may be a one-off to a critical client.  Or, it may be an early but critical indicator in the evolving management systems certification industry.  What do I mean?  The management system certification industry is mature.  It has been slow to adopt ERM and risk management.  Even the new ISO 9001:2015 does not require a formal ERM or risk management system; it asks only for risk-based thinking.  So, the market is looking for higher levels of operational, IT, cyber security, and environmental assurance, especially risk-control assurance beyond a simple management system certification.  Global CBs will develop new forms and higher levels of risk assurance that are tailored to their clients.

What would this mean for ISO management systems certification?  We would continue to have generic and even commoditized management systems certification for EMS, QMS, ISMS, etc.

However, the global CBs will offer tailored and specialized risk assurance and statements of compliance to their global clients based on specific company requirements rather than industry-sector requirements.  These CBs will also design compliant operational and supply chain systems of control that are aligned with the client’s internal control over financial reporting.

The future of operational risk assurance may consist of two levels:

1. Traditional management system compliance.
2. A higher level of risk assurance based on internal control over operational reporting, built on an ERM system.

This may very well be the future for assurance.  Sound far-fetched?  Maybe not.  Next week, we’ll discuss what we see as the future of risk assurance at a global auto company.

Bio:

Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com)  is the founder of:

CERMAcademy.com
800Compete.com
QualityPlusEngineering.com
WorkingIt.com

He is the evangelist behind Future of Quality: Risk®.  He is currently working on the Future of Work and machine learning projects.

He is a frequent speaker and expert on Supply Chain Risk Management and cyber security.  His current books, available on all platforms, are shown below:
