Enterprise Risk Management

ISO 31000 and ERM

… volume and complexity of risks … increasing extensively …

2020 The State of Risk Oversight, NCS

less than 20% of organizations view their risk management process as providing important strategic advantage

2020 The State of Risk Oversight, NCS

I look at these two NC State Poole messages with a lot of optimism. Firstly, the risk landscape is evolving. Hence, the management of new risks is a challenge and provides ample opportunity for ERM professionals to deploy our skills.

Secondly, there is much more work to do in providing real strategic value to all stakeholders. This is a call to all of us to demonstrate the real value by embracing the forward-looking, strategic aspects of good ERM.

ERM has a bright future!

ISO 31000 – the ERM Gold Standard?

I’ve written and podcasted (see the embedded YouTube video) about ISO’s approach to ERM previously. In this post I’ll add more depth to my views and some practical considerations.

ISO 31000:2018 – what is it?

ISO updated its risk management framework in 2018. Subsequently, many institutions and practitioners have provided explanations of and comments on the update.

In a nutshell, the ISO framework is

  • comprehensive, yet concise and understandable
  • contemporary
  • free of guff and lingo
  • applicable to any organisation and industry

ISO 31000 places great emphasis on senior management involvement, the iterative aspect of good ERM and its strategic value!

suggested add-ons

I’m a fan of ISO 31000. Having said that, a few points need to be added:

The document states several times that risk management needs to be “comprehensive”. However, the actual term “enterprise risk management” is not used. Whilst this is not a big deal per se, I would have preferred it if they had used the “e” word – at least occasionally.

The standard is comprehensive and quite easy to understand from a structure, flow and vocabulary perspective. However, there is very little practical guidance as to the actual “how to”. ISO leaves that to the community. Maybe I should publish an “ISO 31000 – How To for Dummies” guide. In other words, if an organisation is new to ERM, this ISO document will likely not be of much help on its own.

Having said that, the ISO guide is an extremely helpful tool for ensuring that one’s ERM approach really covers all pertinent aspects.

Another little niggle I have is the omission of the board of directors’ responsibility. The document clearly refers to “leadership by top management”. However, top management is not necessarily equivalent to a board of directors. Maybe I am nit-picking here, but this aspect is important. Good risk culture starts at the very top (not just the top) of any organisation.

It’s great that the standard makes explicit reference to “connectivity between risks”. Hence, one of the major pitfalls of siloed risk management is addressed.

Lastly, I wish ISO had been a bit more explicit with regard to the “velocity of change” in the risk landscape. Having said that, they do explicitly mention “emerging risks”.

and finally

The ISO standard is a great checklist providing all the necessary ingredients for good ERM.

Megrow Consulting has completed several ERM mandates in recent years. We have contributed to relevant textbooks and know the standards (ISO and others) well. Most importantly, we have worked with customers through the big-picture risk landscape all the way down to the tiniest minutiae.

Making your ERM journey efficient and effective is our key mission.

Reto Brosi, MD of Megrow