
Risk Analysis, Vol. 30, No. 6, 2010

DOI: 10.1111/j.1539-6924.2010.01397.x

Perspective

ISO 31000:2009: The New International Standard on Risk Management


Matthew Leitch
[This article has been updated since its original online publication on April 8, 2010.]

In November 2009 the International Organization for Standardization (ISO) published ISO 31000:2009 Risk management – principles and guidelines.(1) Although ISO standards in the area of risk management have been produced before, this is the first that claims to be a standard for managing all risk everywhere. The consequence of this is that certain ideas about risk and its management have got a boost in credibility and prominence while others have lost out. ISO 31000 will be quoted endlessly and will influence the concepts and language used by important people such as company board members and politicians. Gradually these ideas will spread. We have seen this happen already with documents produced by a collection of accountancy bodies known as the Committee of Sponsoring Organizations of the Treadway Commission, or COSO for short. While originally aimed at preventing financial fraud in companies, the powerful boardroom influence of accountants and, in particular, the big audit firms, drove the ideas in COSO's documents into the boardrooms of major companies around the world, which then filtered into guidance and expectations applied to government departments and third-sector organizations. Given the right backing, a set of ideas perceived as agreed by experts can achieve incredible prominence and acceptance, even if they are bad ideas, potentially helping or hindering efforts to manage risk.

So what is in ISO 31000:2009 and will it help or not?

Address correspondence to Matthew Leitch, MLA Ltd, 29 Ridgeway, Epsom, KT19 8LD UK; tel: 44 (0)1372 815 856; matthew@internalcontrolsdesign.co.uk.

© 2010 Society for Risk Analysis

1. OVERVIEW OF THE NEW STANDARD

It is not easy to evaluate ISO 31000:2009 by reading it. The intended meaning of its rather abstract text is frustratingly hard to pin down. Key words and phrases are either vague, have meanings different from those of ordinary language, or even change their meaning from one place to another. The definitions provided rarely help. However, the origins of the new standard are illuminating. According to the preface of the Australian edition of ISO 31000:2009, the first draft of the standard was the text of AS/NZS 4360:2004, the risk management standard published jointly by Standards Australia and Standards New Zealand, which had a much longer companion volume called HB 436 Risk management guidelines that explains things more fully.(2,3) In fact HB 436 even goes so far as to offer designs for forms that will support the risk management process envisaged. Here at last is some real insight into what sort of process the authors of AS/NZS 4360:2004 had in mind, which in turn gives us some idea of what ISO 31000:2009 is trying to say. People looked at the HB 436 guide and realized that if they had a risk register (perhaps similar to the ones in the appendix), probability-impact matrices (similar to those shown in the guide), and some way to plan risk treatments, then they were pretty much compliant with AS/NZS 4360:2004. It is true that the guide also refers to quantitative methods that are more sophisticated, but its focus and the bulk of its advice concern running a risk register. I believe this remains the concept underlying most of what is now the text of ISO 31000:2009. The result of the ISO standard development process, which involves responding to comments from other national standards bodies represented at the ISO level, was a standard with some additions and some modifications, but largely the same content as the first draft. Having gained a sense of what the new standard is describing, we can look in more detail at what it says and how, covering the contents of each clause of the standard, its terminology, and its handling of topics often done badly in guidance.

2. CLAUSES OF THE STANDARD

Clause 1, Scope, defines the scope as generic risk management and says the standard contains principles and guidelines. (In fact it provides principles and two processes, one for longer-term development of risk management within an organization and the other for management of particular sets of risks.) Clause 2, Terms and definitions, provides definitions of 29 terms used in the standard, all sourced from another ISO document, a glossary of risk management terms called ISO Guide 73:2009.(4) Clause 3, Principles, lists 11 principles for risk management, each with a paragraph of explanation. Clause 4, Framework, describes a cyclical process for developing risk management within an organization. Clause 5, Process, describes a cyclical process for managing particular risks. Appendix A, Attributes of enhanced risk management, calls itself informative and sets out some idealistic characteristics that would be desirable in an organization's approach to managing risk. There are three diagrams in the standard, though the first just repeats the other two. The diagrams feature boxes and arrows, but there is no explanation of what types of object the boxes and arrows represent, making it impossible to deduce their meaning.
Some sense of the relative importance given to each part of the standard may be gained from the number of pages used (see Table I).

Table I. Page Counts of Clauses in ISO 31000:2009

Clause                                               Pages (Excluding Diagrams)   % of Total
1 Scope                                              0.5                          2
2 Terms and definitions                              6                            30
3 Principles                                         1                            5
4 Framework                                          4.25                         21
5 Process                                            7                            35
Appendix A, Attributes of enhanced risk management   1.5                          7

3. TERMINOLOGY

Clear, well-chosen terminology is the foundation of a good standard and a moment ago I was critical of the terminology in ISO 31000. What are the problems? Section 2 is a collection of definitions for terms used in the standard. On several occasions it defines a term using words whose meaning is even less clear than the term to be defined. Explanations are not provided. "Risk management framework" is defined as a set of components. Objectives are said to have different aspects. "Establishing the context" is defined as including definition of parameters. A "risk source" is defined as an element having the intrinsic potential to give rise to risk. "Level of risk" is the magnitude of risk expressed in terms of the combination of consequences and their likelihood. Another problem is that the terminology tries to avoid using mathematical words. No definition for "probability" is offered and the reader is warned that this word is often narrowly interpreted as a mathematical term. The solution the standard offers is to use the word "likelihood", which it says can be described in terms of probability or frequency, or in general terms. What we want from a definition of terms is precision, not encouragement to be vague and ambiguous, which is what "general terms" implies. There are also terms whose definition seems to be putting new interpretations on familiar words. For example: "Risk attitude" is defined as being an approach. "Risk criteria" are defined as terms of reference (when the word criteria is clear enough on its own and what we want to know is what the criteria are specifying).

"Risk profile" turns out to be any description of a set of risks, not just a summary or outline of some kind. "Risk management policy" is defined as a statement of overall intentions and directions. There are also terms and definitions that are ambiguous. The definition of risk is artfully worded so that it can refer to risk generally, an amount of risk, or to a risk item in a risk register. While reading the standard it is usually possible to guess from the context what meaning is intended, but not always. An effect is explained as a deviation from expected without explaining if this is a mathematical expectation, a best guess forecast, or a view about what ought to happen. "Establishing the context" could mean finding out the context or putting it in place, and seems to mean either or both. A "control" is defined as a measure, which could, of course, mean a measurement or an action. The definition of risk suffers from some of the weaknesses mentioned above, and more. Definitions in standards are written as phrases that could, in theory, be substituted for the word or phrase being defined. The definition given for risk is:

Effect of uncertainty on objectives.

Taken literally this suggests a radical new focus on the way objectives are formulated but it is almost certain that the intended meaning is something else. It is something to do with the potential effect of events that are currently uncertain on the extent to which objectives are achieved. The standard repeatedly mentions objectives but this is another word with wide differences in interpretation between people. For some, objectives have to be conscious and clearly stated to be regarded as objectives. For others the mere awareness of what is in our interests and what is against them is sufficient evidence that an objective of some kind exists. People also differ in whether they regard objectives as including goals, or vice versa, see them as essentially the same, or see them as different levels in some hierarchy. Note 1 to the definition of risk says:

An effect is a deviation from the expected – positive and/or negative.

As previously noted this is undermined by the ambiguity of the word "expected" and it is unclear how a single deviation can be simultaneously positive and negative. Are the effects negative and positive in a purely numerical sense or do these words refer to whether the deviation is welcome or unwelcome? What if you have no expectation? Does that mean there is no risk? The ambiguity between an effect and the extent of effect maintains the ambiguity of the word risk I mentioned earlier. In summary, many of the definitions in ISO 31000:2009 are not clear and meaningful, let alone close to the actual usage of the terms.

4. HANDLING OF DIFFICULT TOPICS

In the last 20 years a number of guides and standards on risk management have been produced with similar scope to ISO 31000:2009 and so it is not hard to identify areas that have been troublesome in the past. Has the new standard brought clarity and solutions to these difficult topics or repeated past mistakes?

4.1. Decisions About Treatments

A problem with some past guidance has been that it puts forward decision-making procedures that lead to choices that are clearly illogical. The approach in ISO 31000:2009 is as follows:

(1) Define risk criteria, specifically the level of risk that is acceptable or tolerable. This is done before considering any specific risks.
(2) Identify risks and assess their level of risk.
(3) Compare the level of risk with the risk criteria and decide if treatment is required, ignoring possible treatments.
(4) If treatment is required, consider alternative risk treatments until you find one that would reduce the risks to a tolerable level.
(5) If alternative treatments are being considered (which does not seem possible following the preceding process) then select the best on a cost-benefit basis.

In addition to the obvious inconsistency between steps 4 and 5, this approach means that there is no reason to implement any treatment that modifies risk that is already tolerable, even if that treatment would be immensely helpful on a cost-benefit basis. An example would be where risks surrounding a new business venture are not so severe as to stop a company going ahead with it, but still the venture will be better off with improved controls.

4.2. Aggregation

Another problem has to do with the aggregation of risks. Total risk can be analyzed into different risks depending on your point of view, purpose, and so on. Consider almost any risk on any risk register and you will find there is at least one way to split it into two parts, or combine it with another item on the list. It is rare for guidance to give any advice on how to choose between alternative analyses or how to control aggregation in some way. On top of this, decisions about when to treat risks may be very different depending on how risks are aggregated, which is not controlled. This is undesirable. ISO 31000:2009 has no advice on aggregation, though it does say that risk criteria could consider more than one risk at a time. The standard writes about risks as if they are naturally occurring phenomena that define themselves and only need to be identified and described. With the standard's approach to deciding when risk treatment is required and the lack of advice on aggregation it would be easy for an organization to adopt a compliant process that leads to illogical decisions.

4.3. The Upside

The word risk used in ordinary conversation refers to potential nasty surprises. Discovering you have cancer or that your house has burned down are exemplars of this kind of surprise and of risk. However, there has been a trend toward processes for risk management that also include management of potential nice surprises. If you are working on safety or health risks this idea is of little use and probably seems a bit odd. However, in some other areas where risk must be managed, such as in stock market investment or marketing, unexpectedly good turns of events are extremely important and it is easier to consider all relevant uncertainty together. Since standards like ISO 31000:2009 are intended to be useful to everyone they usually try to include the upside.

Two common weaknesses in past guidance are:

(1) Defining risk as including potential nice surprises but then writing the guidance as if only potential nasty surprises are involved.
(2) Splitting risks into nice ones and nasty ones and dealing with each in a different way, perhaps even with different processes. This overlooks the fact that often risks have a mixture of consequences, some good and some bad, we do not always know if consequences are good or bad, and some risks that are bad overall may become good overall if managed in a particular way. The logic needs to deal with these complications.

The approach taken by ISO 31000:2009 is to define risk as including potential nice surprises too and to try to write a process that incorporates both in one approach. The language in most sections of the Process part is careful to recognize all types of surprise. It mentions the possible mix of positive and negative consequences and talks about "modifying" risks rather than the more traditional "mitigating". Unfortunately, this breaks down when it gets to its process for deciding when risk treatment is necessary. Suppose there was a risk that was a potential nice surprise (i.e., little if any downside but lots of upside). Conceivably, one might define risk criteria that make treatment required if an upside seems important enough. However, would you say that this treatment resulted in a residual risk that was tolerable? Both terms are natural only for risks that are negative and will be reduced by treatment.

4.4. Uniformity

As pointed out by Ward (p. 150) a common ambiguity in risk management guides and standards is whether they are suggesting one, monolithic process with one set of meetings, techniques, documentation, and schedule, or a multitude of processes, each with their own meetings, techniques, documents, and schedules.(5) And if it is a multitude of processes, are they all identical or adjusted to fit the needs of each management team (e.g., managers of different projects)? ISO 31000:2009 is ambiguous on this point. On the one hand it talks about the process as if there is only one, and while describing the process it talks about the organization doing things rather than just the management team involved in managing particular risks. On the other hand it repeatedly states that the risk management process should be an integral part of business processes. In clause 4.1, which introduces the Framework, there is a sentence that says: "The framework assists in managing risks effectively through the application of the risk management process (see clause 5) at varying levels and within specific contexts of the organization." This is typical of the tantalizingly ambiguous wording throughout.

5. COMPLYING WITH THE STANDARD

The standard is not intended for the purposes of certification. In other words, you can't be independently audited against it. People are more likely to say that their approach to risk management is based on the standard than compliant with it. This is just as well because the standard includes some idealistic requirements that, taken literally, are impossible to comply with. Here are some examples from the clause on Process:

(1) In the first paragraph of clause 5.2 it says: "Communication with internal and external stakeholders should take place during all stages of the risk management process." Most organizations will realize that "all stages" implies too much consultation, especially with external stakeholders.
(2) In the first paragraph of clause 5.3.5 it says: "Risk criteria should be . . . continually reviewed." Continual review may be the ideal but in practice frequently will have to do.
(3) The final bullet point in clause 5.3.5 says that when defining risk criteria, factors that should be considered include whether combinations of multiple risks should be taken into account and, if so, how and which combinations should be considered. To comply with this literally involves anticipating what specific risks will be identified in the next stage and listing combinations of specific risks that should be taken in combination.
(4) Clause 5.4.2 on risk identification is keen to stress the importance of identifying all risks. This continues with the habit of writing about risks as if they are naturally occurring physical objects that appear in finite numbers, rather than uncertainties in our thinking. The standard offers no definition of what it means to say "all risks" and there is no generally accepted solution to this problem.
(5) The second paragraph of clause 5.4.2 ends with the sentence "[a]ll significant causes and consequences should be considered", which implies studying the causal chain back to the beginning of time and forward to its end. Even eliminating causal tributaries and branches that are not significant does not remove this problem.

6. STRONG POINTS

So far this analysis has revealed only weaknesses in the new standard. Happily, there are some things about it we should welcome, and some will be a step forward for many organizations. The standard repeatedly stresses that risk management should be integral to management processes at all levels, and lists processes of particular significance. This is an important point, though it is disappointing that no specific guidance is provided on how it can be done and all other text in the standard is as if risk management stands alone. The clause on risk analysis calls for more thinking than many organizations bother with and three specific points in particular will raise the bar for many:

(1) It states that risk analysis can be taken to varying levels of detail depending on the risk. It's a simple and obvious point but many organizations expect to cover all risks with the same workshops.
(2) Also in the risk analysis clause it says that it is important to consider the interdependence of different risks and their sources, which is often not done in a risk-register-driven process, which tends to consider risks one at a time.
(3) Confidence in assessments of risk should be considered and communicated, it says. Many organizations do not do this so complying with the standard will also require this significant and beneficial change.

Furthermore, the material in AS/NZS 4360:2004 equating desirable risks with opportunities did not survive into ISO 31000:2009.

7. RESPONDING TO ISO 31000:2009

Despite its positives the overall conclusion must be that ISO's new standard on risk management is disappointing. We must remember that it is the work of a committee of people from different countries and speaking different languages. We must also remember that an abstract topic like risk management is far harder to write about clearly than, say, the size and electrical properties of a new electronic socket. Perhaps the next version will be better but for the next five years or so we can expect the standard to be influential and much quoted, despite its quality. If your view is that this new standard will not help you in your work but others want to know why you think that then perhaps a useful summary is that ISO 31000:2009:

(1) is unclear;
(2) leads to illogical decisions if followed;
(3) is impossible to comply with; and
(4) is not mathematically based, having little to say about probability, data, and models.

REFERENCES

1. ISO 31000:2009. Risk management – Principles and guidelines.
2. AS/NZS 4360:2004. Risk management. Standards Australia and Standards New Zealand, 2004.
3. AS/NZS HB 436:2004. Risk management guidelines. Standards Australia and Standards New Zealand, 2004.
4. ISO Guide 73:2009. Risk management – Vocabulary.
5. Ward SC. Risk Management: Organization and Context. London: Witherbys Publishing, 2005.

