ISO 31000 risk management standard helps balance uncertainty and opportunity
TORONTO — Principles of the ISO 31000 risk management standard include the idea that risk management should create and protect value and be part of organizations' decision-making, areas in which many organizations are missing the mark.
Speaking at the “Second International Conference on the ISO 31000 Standard” held in Toronto May 28-29, Carl S. Spetzler, CEO and chairman of Strategic Decisions Group International L.L.C. in Palo Alto, Calif., said, “There's a big communication gap between ISO 31000 and the rest of the world,” suggesting that most businesses don't recognize that risk has an upside.
Established in 2009 by the International Organization for Standardization, ISO 31000 is a generic set of principles and guidelines that provide a framework and a process for risk management by any organization of any size.
Speaking in sessions discussing ISO 31000 and decision-making, risk management and uncertainty, Mr. Spetzler said top executives and boards often don't consider the upside of risk when seeking protection from the uncertainty of risk.
Meanwhile, many organizations' competency in dealing with decision-making in the face of uncertainty resides in areas other than risk management, he said. What's more, there often are misunderstandings and differences in language applied to issues of risk and uncertainty across organizations.
“A decision-maker has to understand what is a quality decision,” Mr. Spetzler said. “Uncertainty is just inherent in most important decisions.”
He cautioned that it's also important in risk management to separate decisions from outcomes.
“You have to watch out that you don't create incentive structures that are wildly off-base with making the best decisions,” Mr. Spetzler said. “This outcome measurement ‘accountability’ ... makes organizations very poor risk-takers.”
Another speaker in that session, John Fraser, senior vice president of internal audit at Hydro One Networks Inc. in Toronto, said employing the ISO 31000 standard can help organizations reduce “unpleasant surprises” while also helping them execute their strategic plans.
Mr. Fraser said three personality types are needed to implement ISO 31000 at an organization: a champion “who can break down doors and make it happen,” a charismatic “go-to” person and an analyst who can collect the data to support decisions.
“Implementing ISO 31000 or (enterprise risk management) is a journey,” Mr. Fraser said.
Speaking in another session examining ISO 31000 and enterprise risk management, Christopher E. Mandel, senior vice president of strategic solutions at Sedgwick Claims Management Services Inc. in Memphis, Tenn., said risk managers should use standards such as ISO 31000, “because standards, no matter what kind or which ones, support key tools and processes.”
“Standards allow you to proactively address risks with some discipline,” he said. “Standards also relate well to the whole idea of focusing on outcomes.”
Another panelist in the ERM session, Eyvind Aven, head of enterprise risk management at Statoil A.S.A. in Stavanger, Norway, said Statoil's ERM program is consistent with ISO 31000, in that it focuses on managing risks in relation to the energy company's principal risk management objectives: creating value and avoiding incidents.
Employing the ISO 31000 standard increases the likelihood of achieving risk management objectives, Mr. Aven said. While Statoil's definitions of concepts such as “risk” and “risk owner” might differ slightly from those in the ISO 31000 standard, Mr. Aven said the standard appropriately presents those definitions in generic fashion so companies can tailor them to their own circumstances.
Also speaking on the ERM panel, Jeevan Perera, senior engineer at the National Aeronautics and Space Administration in Houston, said NASA doesn't comply completely with the ISO 31000 standard.
“We're probably 99% satisfying the intentions of ISO 31000,” he said. Some of the differences stem from the fact that NASA is not a for-profit enterprise.
But NASA's core risk management principles are that risk management creates value for the organization and that it is integrated in the agency's organizational processes, Mr. Perera said, aligning the program with principles of the ISO 31000 standard.