Confusion over risk vs. uncertainty hinders decision-making: Panelists

TORONTO — Confusion over the differences between risk and uncertainty hinders many organizations' decision-making ability and prevents them from maximizing the benefits of risk management, experts said this week during a conference focused on the ISO 31000 risk management standard.

That confusion, along with the failure to incorporate risk management into decision-making, prevents many organizations from recognizing the upside of risk, said Carl S. Spetzler, CEO and chairman of Strategic Decisions Group International L.L.C. in Palo Alto, Calif. He made the comments Wednesday during sessions discussing ISO 31000 and decision-making, risk management and uncertainty during the Second International Conference on the ISO 31000 Standard in Toronto.

Among principles of the ISO 31000 risk management standard are that risk management should create and protect value, and that risk management should be part of organizations' decision-making.

Established in 2009 by the International Organization for Standardization, ISO 31000 is a generic set of principles and guidelines that provide a framework and a process for risk management by any organization of any size.

“A decision-maker has to understand what is a quality decision,” Mr. Spetzler said. “Uncertainty is just inherent in most important decisions.”

Another panelist, Michael Rasmussen, chief governance, risk management and compliance pundit and principal analyst at GRC 20/20 Research L.L.C. in Waterford, Wis., cautioned that there's more to decision-making than risk management, however. “Risk management is a fundamental pillar of decision-making,” he said, but decision-making is broader than risk management.

In itself, ISO 31000 isn't a panacea for poor decision-making, Mr. Rasmussen said.

“ISO 31000 is a standard, it's a framework, and I can show you bad implementations and good implementations,” he said.

“Implementing ISO 31000 or (enterprise risk management) is a journey,” said another member of the panel, John Fraser, senior vice president of internal audit at Hydro One Networks Inc. in Toronto. But ISO 31000 should help organizations reduce “unpleasant surprises,” while helping them execute their strategic plans, he said.

Three personality types are needed to implement ISO 31000 at an organization, Mr. Fraser said: a champion “who can break down doors and make it happen,” a charismatic “go-to” person and an analyst who can collect the data to support decisions.

Jeffrey Posluns, a consultant and member of the board of Governance Risk Compliance Security International in Quebec, also participated on the panel.
