ISO 31000 is a new International Standard that, after four years of development, was published on 18th November 2009.  It provides generic guidelines for the principles and the adequate implementation of risk management.  In this Advisor, we introduce ISO 31000 and answer some of the questions clients might have about the new standard.

What is ISO 31000?

ISO 31000 is an International Standard that seeks to provide organisations with guidelines for the principles and the adequate implementation of risk management.  

Is ISO 31000 mandatory?

ISO 31000 is not mandatory; as an International Standard it describes voluntary risk management principles and guidelines for the implementation of risk management. Adopting a generic approach, the standard allows the unique needs of a specific organisation (e.g. objectives, context, structure, projects, products, services, etc.) to influence the design and implementation of risk management.

My organisation is already compliant with an existing best-practice standard; what does this mean for us?

The chances are that if you are fully compliant with an existing code or standard, your organisation will have achieved many of the requirements outlined in ISO 31000.  However, there may be additional elements that need to be in place, or further emphasis/focus placed on particular areas, before you are able to meet the full requirements of the new International Standard.

What are the benefits of formally addressing risk management through ISO 31000 compared to other risk management standards?

ISO 31000 has been written and developed by an ISO International Technical Committee, representing risk management experts throughout the world.  As a concise and comprehensive statement of good risk management practice ISO 31000 will likely supplement or replace a variety of independent and national risk management standards – the risk management standards AS/NZS 4360 and COSO have both agreed to conform with ISO 31000.  ISO 31000 therefore provides organisations with a tool for following best practice and, if implemented, will provide a platform for developing effective management of risk.

Who will be affected and how?

Whilst every organisation will have its own unique risk footprint and its own risk management challenges, ISO 31000 has been developed so that it is generic and not specific to any industry or sector.  The International Standard can be applied to large, medium and small enterprises, whether public or private, as well as to a wide range of activities, decisions and operations.  ISO 31000 is not a legal requirement and there will be no immediate obligation for organisations to take any action. 

However, we would recommend clients become familiar with the standard and, as a minimum, compare their existing risk management framework with the standard.  Clients may also experience pressure from stakeholders, such as customers, to demonstrate that they have in place proactive and formal risk management.

My organisation has been practising risk management for several years.  Does the advent of ISO 31000 mean we need to start again?

No, ISO 31000 is only a guide and its application needs to be tailored to your specific needs.  Every organisation will have its own level of risk management maturity and therefore will be affected differently by the new International Standard. It would be worth using the standard as a sense check to ensure you continually review your risk management approach against best practice.

How can CRC help my organisation implement ISO 31000?

Sean Coleman has been part of the working group writing the national guidance (see below).  We have developed a sophisticated benchmarking tool, which takes account of existing and new best practices in risk management across the globe.  Clients benefit from our benchmarking tool through assurance that their risk management framework is in line with best practice.  Our methodology also acts as a basis not only for raising the bar in achieving a best-practice position in risk management, but also for ensuring that risk management adds value and is used as a proactive management tool.

How can my organisation learn more about ISO 31000?

NSAI, the national standards authority in Ireland, is due to publish national guidance on the standard along with the standard itself and the definitions standard, ISO Guide 73.
