ISO 31000

A framework in development

By Ed Mallens and Jack P. Kruf

The International Organization for Standardization (ISO) has developed ISO 31000 as a reference framework for risk management in organizations. ISO has outlined the setting very clearly:

“Risks affecting organizations can have consequences in terms of economic performance and professional reputation, as well as environmental, safety and societal outcomes. Therefore, managing risk effectively helps organizations to perform well in an environment full of uncertainty.”

The framework is still very young, published in 2009, and is in a stage of further development. PRIMO concludes that, despite this, the framework is complete in its essence. ISO has elaborated Principles and guidelines, a vocabulary, and risk assessment techniques, all united in the risk management toolbox. ISO 31000 describes the principles and guidelines to identify, analyze and treat uncertainties in relevant business processes. With its framework it describes in outline how goals can be reached successfully and how the related management can be secured in an organisation. It is a useful document for employees, managers, and directors in public organizations, and it is practical and easy to read.

Knight (2010), chairman of the ISO 31000 committee, who worked on the standards and guidelines:

“Risk is all about uncertainty or, more importantly, the effect of uncertainty on the achievement of objectives. This new definition is clearly different from existing guidelines on the management of risk in that the emphasis is shifted from something happening – the event – to the effect of uncertainty on objectives. Every organization has objectives – strategic, tactical and operational – to achieve and, in order to achieve these objectives, it must manage any uncertainty that will have an effect on their achievement. The really successful organization … work on understanding the uncertainty involved in achieving their objectives and ensuring they manage their risks so as to ensure a successful outcome.”

Remarks
PRIMO Europe makes the following remarks on the new ISO 31000 model:

  • With this standard, risk management has matured to a first phase (1.0) of development. It can form a basis for public organizations in improving their approach to assessing and addressing risk.
  • It needs further development for true use in relation to public risk management as a whole, because of the higher complexity of this in comparison to Enterprise Risk Management (ERM). We are convinced that politics and governing councils play a crucial role in the creation and management of public risks. The difference in the dynamics of this in relation to the ISO 31000 model is interesting and challenging.
  • All kinds of organizations can use the framework.
  • Communication within or between organizations can be improved using the common language within the framework.
  • Transparency of organizations, and between politics, governing councils and management, increases when this document is taken as a guide.
  • The document can easily be used throughout the whole organization. As Kevin Knight brings forward:

“Many organizations prefer to spend time debating whether to introduce “total risk management”, or “holistic risk management”, or “enterprise risk management”, or “enterprise wide risk management”, or “strategic risk management”. Others are content to settle for a “tick and flick” compliance programme that keeps the regulators happy.”

  • Benefits: local and regional government can become more robust by using it, and less sensitive to unexpected events. They can allocate their threats more proactively and make the opportunities more profitable using the model.

Process
The risk management process demands specific attention to the context. This is important to make the evaluation and treatment of the risk effective. Knowledge of the organization, its structure and its cultural topics supports the effectiveness of risk treatment activities. Continuous communication within the organization and with the stakeholders is of great value. This is denoted by the term communication and consultation.

The risk management process becomes transparent. The operation of the process and its progress are denoted by the terms monitoring and review. This gives a clear view of the added value of the risk management process and an inside view of the operation of the process.

Frame
Risk management is fully a part of all the processes and activities in a (public) organization. To make this a reality, an organization-wide frame is specified in this chapter. Because of the frame, the risk management function can be described.

This explicitly covers the tasks, responsibilities and competencies of the employees who are working on risk management. The board of directors and senior management show the impact of risk management on the organisation.

The committed mandate makes the essential phases of the framework operable. This includes the validation and development of the frame. The frame is logically related to the process(es). Risk management processes can take multiple forms because of differences in projects, locations and competences of the workers, as well as the specific issues of the speciality.

Principles
The principles are the reference by which risk management is organized and finds its meaning for the organization. The 11 principles are subject to investigation by auditors and to the communication of the board with its stakeholders. The organization must, especially to itself, clarify what has been established during a certain period of time. The Principles are input for both the Frame and the Process. They are the soul of the risk management structure and culture of the organisation. They make it possible to show the developments that are established.

Enterprise Risk Management
The most elaborate and generic report is ERM and ISO 31000 by Airmic (the Association of Insurance and Risk Managers in Industry and Commerce), Alarm (the Public Risk Management Association) and IRM (the Institute of Risk Management). It gives a complete overview of all aspects of steering and governing the enterprise from the perspective of risk management. The purpose of the guide:

“A successful enterprise risk management (ERM) initiative can affect the likelihood and consequences of risks materialising, as well as deliver benefits related to better informed strategic decisions, successful delivery of change and increased operational efficiency. Other benefits include reduced cost of capital, more accurate financial reporting, competitive advantage, improved perception of the organisation, better marketplace presence and, in the case of public service organisations, enhanced political and community support.”

Public Risk Management
Risk management is increasingly becoming a major focus for regional political leaders. Within a more pronounced context of a search for efficiency, of diversification tools for public service and of development of partnerships, risk management is a key element of public management. It is as much part of the optimization of resources as of the attainment of objectives. Gérard Combe, Vice-President of PRIMO Europe (Public Risk Management Organisation) and founder of the UDITE (Federation of European Local Authority Chief Executive Officers), stressed in 2011 (Barcelona meeting) that:

“facing global and complex risks such as pandemics, economic or financial crises, or natural disasters, public authorities are organized for global risk governance. However excellent vertical approaches may be, they are not enough to cope with the risks which are multiplying, intertwining and interacting with each other. Risk has invaded the heart of public management throughout Europe.”

Gérard Combe’s words took on a new and unique dimension in the context of the unprecedented crisis Japan is facing following the earthquake of March 11th 2011. Japan has developed a true risk culture on a large scale in order to deal with the frequent and severe seismic risk faced by the country. This fact has served only to increase the attention with which the international community is watching the Japanese government’s management and the role played by the civilian population in this crisis. The case of Japan speaks for itself: the sequence and combination of extremely serious risks, the proven importance of the involvement of the civilian population and the increased accountability of public power means that the position of risk management and resilience in the agendas of the different levels of public authorities can only be strengthened. It is not possible to continue to ignore public risk management since doing nothing could prove more costly than investing in it.

The UK’s Risk and Regulation Advisory Council defines public risk as ‘those risks that may affect any part of the society and for which government is expected to respond.’ This definition implies increased responsibility on the part of the authorities, who must account for their own decisions and actions as well as for the activities developed within their area of responsibility. It is for this reason that our study on the governance of public risks also takes into account the companies providing basic public services.

New opportunities
Risk management presents an opportunity for the improvement of all aspects relating to public governance:

  • Strategies and decision-making
  • Public service activities
  • Processes
  • Functions
  • Major projects
  • The reputation of the organisation
  • Protection of goods and persons

Former President of the European Federation of Local Authority Chief Executive Officers and former Chief Executive of Cardiff Council, Byron Davies:

“One of the major advantages of risk management is the improvement of the decision-making process and the capacity to reach objectives. This is an advantage that is increasingly decisive in the current context where it is necessary to prove the optimisation of resources, a better quality public service, and increasing trust in partnerships.”

According to the President of PRIMO Europe, Jack P. Kruf, there is a true challenge in tailoring the ISO 31000 not only for public organisations but also for the public governance and management of our communities and cities as a whole:

“We need to examine – in cooperation with politicians, governing councils, managers, citizens and stakeholders – how to outline this regulation in the light of the experience, accounts, and good practices that our representatives in the European public sector have informed us of. This is truly challenging. It is more than that: it is necessary! A task for the years to come.”