ISO reviews risk management standard

The revision of a key risk management standard is under way and may take until the end of 2017 to complete, the International Organisation for Standardisation (ISO) says.

ISO 31000 and the accompanying ISO Guide 73 on risk management terminology were published in 2009. ISO standards come up for revision every five years.

ISO risk management technical committee chairman Kevin Knight says the committee met in Paris in March to complete a “limited review” of the standard.

A decision is pending on whether that review will form the basis of a draft international standard to be sent out for a global ballot of national standard bodies. If that eventuates, the revised standard could be published by the middle of next year.

If the committee opts for a full technical revision, it may not be ready until the end of 2017.

Mr Knight, an Australian, says ISO 31000 has been adopted by 50 national standards bodies, covering 70% of the world’s population.

Although the standard is due for review, Mr Knight says risk practitioners around the world have given it added impetus.

“A need was expressed by risk practitioners, especially in the G20 economies, for a high-level document that reflects the way risk is managed in multinational organisations and national governments, as well as how risk management should be incorporated into the governance and management systems of organisations.”

Mr Knight says the revision will necessitate an update of risk management terminology.

“All the terms and definitions in ISO 31000 are contained in ISO Guide 73, so any changes to the terms and definitions in ISO 31000 must be identical in both documents.”

Risk Management Institution of Australasia President Bryan Whitefield says many current risk management terms were not common or in use in 2009.

“In ISO 31000… there is no mention of ‘risk appetite’, but after the global financial crisis everyone was talking about the risk appetite of the banks,” Mr Whitefield told insuranceNEWS.com.au.

“Risk is something to be managed across the globe, so it’s important that there is standard terminology. Some reports refer to risk mitigation, while others refer to risk control. Do they mean the same thing? Some terms are not that clear: what’s ‘risk capacity’ and what are ‘key risk indicators’? There’s no doubt there would be benefit in updating the language of risk management.”

Risk and Insurance Management Society Australasia President Brad Tymmons expects the revision will come up for discussion at the group’s next board meeting, in Sydney on June 10.