In November, the International Organization for Standardization (ISO) published ISO 31000:2009, Risk Management -- Principles and Guidelines, a new management standard intended to help organizations of all types and sizes manage risk across the enterprise. Certainly, its arrival is timely.
Two months after its debut, reviewers pretty much agree that ISO 31000 lives up to its billing as a good generic, process-oriented risk management framework that addresses myriad forms of risk across many industries. The question is, do you need it?
For organizations with little or no experience in risk management, the answer is an emphatic yes, according to governance, risk and compliance (GRC) authorities. In short, ISO 31000 helps answer the fundamental conundrum in risk management: how to get everybody to talk about risk in the same way.
"It's very good at helping educate people in the organization who may not be actively involved in risk management on exactly what risk management is, what steps are involved, what the vocabulary words mean," said Forrester Research Inc. analyst Christopher McClean, who has issued a report to security and risk professionals about the standard.
A concise 24 pages, ISO 31000:2009 is noteworthy for its simplicity and adaptability, according to GRC expert Michael Rasmussen. For example, ISO 31000 can be used by public and private companies, organizations and individuals. It can be applied to a range of activities, from operations and processes to services and assets. Plainly written, the document is accessible to CEOs and controllers alike. ISO 31000's risk management framework can be used across an organization's many domains of risk.
"It is just as relevant to areas such as legal risk management as it is to information security, quality or environmental health and safety," Rasmussen said in his blog review of the standard.
The standard also adds a dimension to risk. Unlike some risk management frameworks, ISO 31000 defines risk as the "effect of uncertainty on objectives," acknowledging both the positive opportunities and negative consequences associated with it.
Two more plusses: First, ISO 31000 was built on the solid footing of the groundbreaking 1995 Australian/New Zealand Standard for Risk Management. Second, ISO 31000 builds on and is being published in conjunction with the American National Standards Institute's ISO Guide 73:2009 risk-management vocabulary guide, a collection of terms and definitions relating to the management of risk.
ISO 31000: Where it falls short
Who doesn't need it? As advertised, ISO 31000 is a process-oriented risk-management framework, as opposed to a controls-oriented one, such as the Committee of Sponsoring Organizations of the Treadway Commission's Enterprise Risk Management -- Integrated Framework. For organizations schooled in risk concepts and looking for details on how to translate concepts into practical tools, the value of ISO 31000 is less obvious.
For example, in his briefing, Forrester's McClean cautioned that ISO 31000:
- Does not determine how your organization measures risk: Risk managers will still have to figure out how to create reliable risk data.
- Does not ensure that all germane risk areas are identified.
- Does not provide risk taxonomies, heat maps or other templates for developing risk documentation and reports.
"It is just as relevant to areas such as legal risk management as it is to information security; quality; or environmental, health and safety." -- Michael Rasmussen, GRC expert, Corporate Integrity LLC
Consultant Brian Barnier, who serves on the Control Objectives for Information and Related Technology (COBIT) Risk Task Force and writes for ISACA publications, said that "ISO-friendly" organizations will find the new standard helpful. Risk officers at companies that use ISO 9000 for quality management or ISO 18000 for safety, for example, can use the standard to harmonize their various risk management scenarios.
CIOs and CISOs who use the ISO27k family of information security standards may be the ideal candidates for "doing the hard work" of adapting ISO 31000 to IT and "using it as the way to connect to the rest of the organization," Barnier said.
For organizations that use other control frameworks, however, Barnier recommends ISACA's Risk IT, the COBIT-centric model released last year, to map concepts, including ISO 31000, down to their various risk controls.
Concerns about risk management standardization
The crowded risk-management framework community being what it is, the ISO 31000 standard did not materialize without some controversy. ISO 31000 was published as a standard without certification.
The Federation of European Risk Management Associations (FERMA) opposed the issuance of 31000 as a formal risk management standard in a 2007 position paper. FERMA basically argued that other ISO standards, for all their clout, do not prevent mistakes but can give a "false sense of security to regulators, shareholders and the like." Because of ISO's strong reputation, its formal standards also tend to get referenced in legislation and used in litigation as state-of-the-art practices. FERMA's ultimate objection to a standard, however, is sure to keep risk managers in high demand for some time to come: "FERMA believes that risk management is an integral part of management, and management of an entity cannot be standardized," the letter stated.
Let us know what you think about the story; email Linda Tucci, Senior News Writer