New ISO 31000 risk management standard receives good early reviews
Two months after its debut, reviewers pretty much agree that ISO 31000 lives up to its billing as a good generic, process-oriented risk management framework that addresses myriad forms of risk across many industries. The question is, do you need it?
For organizations with little or no experience in risk management, the answer is an emphatic yes, according to governance, risk and compliance (GRC) authorities. In short, ISO 31000 helps answer the fundamental conundrum in risk management: how to get everybody to talk about risk in the same way.
In November 2009, the International Organization for Standardization (ISO) published ISO 31000:2009, Risk Management — Principles and Guidelines, a new management standard intended to help organizations of all types and sizes manage risk across the enterprise. Certainly, its arrival is timely.
- ISO 31000:2009 provides principles and generic guidelines on risk management.
- ISO 31000:2009 can be used by any public, private or community enterprise, association, group or individual. Therefore, ISO 31000:2009 is not specific to any industry or sector.
- ISO 31000:2009 can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.
- ISO 31000:2009 can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.
- Although ISO 31000:2009 provides generic guidelines, it is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed.
- It is intended that ISO 31000:2009 be utilized to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors, and does not replace those standards.
- ISO 31000:2009 is not intended for the purpose of certification.
See New ISO 31000 risk management standard receives good early reviews, by Linda Tucci for SearchCompliance.com.
=============================================
The relationship between Business Continuity and Risk Management is addressed in the book A Risk Management Approach to Business Continuity: Aligning Business Continuity with Corporate Governance, by David Kaye and Julia Graham.