TORONTO — Best-in-class risk management programs begin with a process aligned with a framework, and the ISO 31000 risk management standard can provide such a framework, an enterprise risk management expert said.

While risk management is still evolving at many organizations, regardless of where an organization is in advancing its approach, risk standards “have a place at every step,” said Christopher E. Mandel, senior vice president, strategic solutions at Sedgwick Claims Management Services Inc. in Memphis, Tenn.

He was speaking Tuesday as part of a panel discussing ISO 31000 and enterprise risk management at the “2013 International Conference on ISO 31000” in Toronto.

Risk managers should use standards, Mr. Mandel said, “because standards, no matter what kind or which ones, support key tools and processes.”

“Standards allow you to proactively address risks with some discipline,” he said. “Standards also relate well to the whole idea of focusing on outcomes.”

ISO 31000 was released by the International Organization for Standardization in 2009. It offers principles, a framework and a process for managing risk.

Another panelist, Eyvind Aven, head of enterprise risk management at Statoil A.S.A. in Stavanger, Norway, said employing the ISO 31000 standard increases the likelihood of achieving risk management objectives.

%%BREAK%%

While Statoil's definitions of concepts such as “risk” and “risk owner” might differ slightly from those in the ISO 31000 standard, Mr. Aven said the standard appropriately presents those definitions in generic fashion so companies can tailor them to their own circumstances.

Ultimately, Statoil's ERM program is consistent with ISO 31000, he said, in that it focuses on managing risks in relation to Statoil's principal risk management objectives: creating value and avoiding incidents.

Jeevan Perera, senior engineer at the National Aeronautics and Space Administration in Houston, said NASA doesn't comply completely with the ISO 31000 standard.

“We're probably 99% satisfying the intentions of ISO 31000,” he said. Some of the differences stem from the fact that NASA is not a for-profit enterprise, Mr. Perera said.

NASA's core risk management principles are that risk management creates value for the organization and that it is integrated in the agency's organizational processes, he said.

“Our approach to the management of risk is we wanted risk to be managed at the lowest possible level,” Mr. Perera said, based on a belief that the people at those levels have the greatest knowledge of the risks they're charged with managing.