Risk managers are a big step closer to an international standard that will provide them with a generic set of guidelines that can be applied to any organization and any sort of risk.
The International Organization for Standardization describes the new standard this way:
“ISO 31000:2009 can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.”
Last month, ISO members approved ISO 31000:2009 and it is scheduled to be published this fall. It is the culmination of years of work, led largely by Kevin W. Knight, convenor of the ISO Working Group on Risk Management and a figure recognized widely as a white-bearded, straight-talking Australian guru on risk management.
Mr. Knight was a founding member of the technical committee that produced AS/NZS 4360, the Australian/New Zealand standard first published in 1995 and last updated in 2004. That standard, which has been widely embraced outside of Australia and New Zealand, will no longer be published when the new ISO 31000 standard becomes available.
Risk managers in Australia and New Zealand will likely get the jump on their colleagues in other parts of the world in implementing the new standard, as the transition from AS/NZS 4360 should be smooth. Much of the new standard was based on the existing AS/NZS 4360 and Aussie and Kiwi risk managers are well familiar with that set of guidelines.
Canada, too, is expected to have an easy transition, as risk managers in that country have widely adopted AS/NZS 4360. European and American risk managers are expected to take a little longer to embrace ISO 31000.
The new standard is applicable to any “public, private or community enterprise, association, group or individual,” according to an ISO fact sheet. But while it provides generic guidelines, it is not intended to promote uniformity of risk management across organizations, the group says. Design and implementation of risk management will continue to take into account the specific needs of an organization, ISO advises.
In other words, the new standard doesn't replace good old-fashioned risk management. And, we're sure Mr. Knight would agree, that's as it should be.
