Risk Management’s Standard of Practice – Gallagher ERM Practice
An Overview of ISO 31000
JUNE 2015
Background

ISO 31000 (published in the United States as ISO/ANSI/ASSE 31000) is the only international standard for the practice of risk management. It was issued in December of 2009 by an international working group that included technical advisors from 26 countries. In a series of six meetings over several years, the group revised the Australia/New Zealand risk management standard (AS/NZS 4360, published in 2004) to create a standard that can be used by any type of organization in any country for any type of operation. It is scheduled to be revised for the first time in late 2015 by a consortium of experts from around the world; the expected publication date of the revision will be sometime in 2017.

ISO 31000 was intended to be a guide for practitioners, decision makers, policy makers and those interested in risk management. It provides a framework for organizations wanting to manage risk consistently, efficiently and effectively. The standard was published along with two related risk management documents: Guide 73, which is a compilation of risk-related definitions and terms, and ISO 31010, a compilation of risk assessment techniques. Guide 73 applies to other standards, including safety-related documents, and is intended as a guide for developing a universal language of risk. ISO 31010 is currently under revision, in an effort to expand upon, categorize and clarify risk assessment techniques.

An implementation guide (published as a technical report) was released in 2014 as ISO 31004. A technical report does not carry the same weight as a standard; it is a working document of best practices from around the world. Its purpose was to provide examples and advice about implementation of ISO 31000.

Introduction & Applicability

The basis for ISO 31000 follows these assumptions:

1. All organizations exist to achieve their objectives;

2. Many internal and external factors affect those objectives, causing uncertainty about whether the organization will achieve its objectives;

3. The effect this uncertainty has on an organization’s objectives is “risk.”

In summary, the management of risk is central to the livelihood and success of all organizations.

ISO 31000 applies to organizations of all types and sizes. It outlines the principles that make risk management effective; a framework to support the implementation and continual improvement of risk management throughout the organization; and the process for managing risk. This is the basic “architecture” of risk management, which, if applied, will create a consistent and coherent basis for managing the effects of uncertainty upon organizational objectives – or, in simpler terms – for managing risk.

The standard delineates a long list of the attributes of effective risk management, which includes improving corporate governance, financial reporting and stakeholder trust. When done effectively, the management of risk will raise awareness of the need to identify and treat risk throughout the organization and improve the identification of both opportunities and threats. It will improve controls and treatments as well as operational effectiveness and efficiency. The successful implementation of risk management helps organizations comply with relevant legal and regulatory requirements and international norms. The process of risk management establishes a reliable basis for decision making and planning, and will appropriately allocate and use resources for risk treatment. Some of the more traditional attributes of effective risk management are also included in the standard, including enhancing health and safety performance, environmental protection, improving loss prevention and incident management and minimizing losses. And from an organizational perspective, effective risk management will improve organizational learning and resilience.

Intended Audience

ISO 31000 is intended to meet the needs of a wide range of stakeholders, including those responsible for developing risk management policy (e.g., policy makers), ensuring that risk is effectively managed (as a whole or for a specific project or activity), evaluating whether risk is being managed effectively (such as audit) and developers of standards and codes of practice.

The standard can be used by any public, private or community enterprise, association, group or individual. It is not intended to be specific to any industry or sector.

Key Definitions

Risk is the effect of uncertainty on objectives.

Risk management is the coordinated activities to direct and control an organization with regard to risk.

Risk management framework is the set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.

Risk attitude is an organization’s approach to assess and eventually pursue, retain, take or turn away from risk.

Risk appetite is the amount and type of risk that an organization is prepared to pursue, retain or take.

Risk tolerance is an organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives.

Risk owner is the person or entity with the accountability and authority to manage the risk.

External context is the external environment in which the organization seeks to achieve its objectives. This includes the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment – whether international, national, regional or local; key drivers and trends that will have an impact upon objectives; and the relationships with, and perceptions and values of, external stakeholders.

Internal context is the internal environment in which the organization seeks to achieve its objectives. This includes governance, organizational structure, roles and accountabilities, policies, objectives, strategies, capabilities, resources, standards, the perceptions and values of internal stakeholders, information systems, the organization’s culture and contractual relationships.

Risk criteria are the terms of reference against which the significance of a risk is evaluated.

Residual risk is the risk remaining after risk treatment.

For additional definitions and explanations of terminology, refer to Guide 73 and the explanatory notes.

The Principles

The principles provide guidance on the rationale for managing risk and the characteristics of effective risk management. They shape the design and structure of an organization’s risk management framework and can assist in assessing the effectiveness and quality of risk management.

There are 11 principles that guide the way risk management is integrated and deployed:

1. Risk management creates and protects value;

2. Risk management is an integral part of all organizational processes;

3. Risk management is part of decision making;

4. Risk management explicitly addresses uncertainty;

5. Risk management is systematic, structured and timely;

6. Risk management is based on the best available information;

7. Risk management is tailored;

8. Risk management takes human and cultural factors into account;

9. Risk management is transparent and inclusive;

10. Risk management is dynamic, iterative and responsive to change; and

11. Risk management facilitates continual improvement of the organization.

The Framework

The standard outlines a framework that will assure that the process for managing risk is fully integrated into the organization. That means that the management of risk is an explicit component of governance, strategy and planning, management, reporting processes, policies, values and culture. The framework provides for the integration of risk management information, reporting and accountability. It is intended to be adapted to the particular needs and structure of each organization.

The component parts of the framework include establishing the mandate and commitment to risk management, designing the framework for managing risk (which includes

understanding the organization’s internal and external context, establishing a risk management policy, integration of risk management into organizational processes, internal and external communication and reporting, and allocation of appropriate resources), implementing the risk management process (details follow), monitoring and review of the framework, and continual improvement of the framework and approach to risk management.

The full and active development of a sustainable framework for managing risk and integrating risk management into key management processes is the “heart” of the ISO 31000 standard and it is what will keep the “beat” of risk management alive in an organization. It provides the basis for sustainable effort and continual improvement.

The Risk Management Process

The ISO 31000 model puts emphasis on each organization’s context of operations. Context affects the design of the framework for managing risk and it is a part of each and every risk management process. The context of operations includes explicit consideration of internal and external aspects of operations (such as governance, policies, technology, culture – and more) as well as stakeholders (both internal and external). Understanding these critical factors helps to shape the process of assessing, treating and communicating about risk.

The core of the risk management process incorporates the five steps from a “traditional” risk management process (identify, analyze, select the best response, implement and monitor) – but expands upon them in two significant ways. The first is that the consideration of context is always the starting point for a risk management process. This is true whether you are assessing the risks of a part of your operations (a department with high-risk activity, for example), creating a broad inventory of risks or making an individual decision. The explicit consideration of context grounds the process in your organizational reality.

Context includes the review of organizational objectives and mission and establishes the objectives, scope and parameters of the risk management process. It also requires understanding of the internal and external environment of operations and the stakeholders that might be affected by the results of the risk management process. The context will also define the parameters, methodology and risk criteria to be used in the process.

The other unique aspect of the ISO 31000 risk management process is the clear consideration and inclusion of stakeholders. Stakeholders are both internal and external to the organization and they include any person or organization that can affect, be affected by or perceive themselves to be affected by a decision or activity. ISO 31000 expects that you will consider, consult and communicate with stakeholders throughout the risk management process. This is represented in the diagram by arrows at every step of the process.

Here are some examples of how stakeholders are engaged in risk management:

• A broad cross-section of internal stakeholders participate in a risk identification workshop to identify and assess key risks.

• Key external stakeholders provide input to a university’s register of key risks, verifying risk rankings and giving input on emerging risks.

• For a key decision, both internal and external stakeholders participate in a risk assessment process that considers how uncertainties may affect the ability to achieve successful results.

• The corporate risk profile is provided to financial rating agencies as proof of the organization’s ability to manage risk and address emerging risks (this has the potential to improve credit rating scores).

Working through each step in the risk management process includes:

• Considering the context of the organization and establishing the context of the risk management process

• Risk assessment process:

  »» Identify risks

  »» Analyze risks

  »» Evaluate risks

• Risk treatment

• Monitor and review (which happens continually and at each step)

• Communication and consultation (which happens continually and at each step)

Risk assessment is the overall process of risk identification, analysis and evaluation.

Identifying risk includes understanding the sources of risk, areas of impact, events and their causes and potential consequences. The goal is to create a comprehensive list of risks, including risks that may be associated with missed opportunities and risks outside the direct control of the organization. A comprehensive review allows a full consideration of potential effects of risk upon the organization.

The purpose of analyzing risk is to understand everything possible about risks, including the causes and sources, consequences and likelihood of occurrence. Existing controls and their effectiveness and efficiency are also taken into account.

Risk evaluation is the step that will help determine the need for treatment. Risk tolerance must be taken into consideration, along with legal, regulatory and other requirements. The evaluation process will help you make the appropriate decision about whether and how to treat risks.

Risk treatment involves selecting one or more options for modifying risks and implementing those options. Options include avoiding the risk, removing the risk source, changing the likelihood or consequence, sharing the risk, taking or increasing risk in order to pursue an opportunity, or retaining the risk by informed choice. It is a cyclical process that assesses a risk treatment, determines whether the residual risk is at a tolerable level (and if not, which additional treatments need to be implemented) and evaluates the effectiveness of treatments.

ISO 31000 emphasizes that you must monitor and review at each step along the way and also communicate and consult at every step of the risk assessment process, not just at the end of the process. Monitoring and review assures that controls are effective, lessons are learned and that risks will be appropriately addressed and the organization will be resilient and ready for change. Communication and consultation need to be built into the process and involve appropriate internal and external stakeholders. This makes the ISO 31000 approach to risk assessment more dynamic, resilient and engaged.

The International Organization for Standards (ISO) is headquartered in Geneva, Switzerland. Its sole purpose is to develop and publish international standards to ensure that products and services are safe, reliable and of good quality. A standard is a document that provides requirements, specifications, guidelines or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose. ISO has published more than 19,500 standards covering almost all aspects of technology and business. www.iso.org

In the United States, standards are adopted and published by the American National Standards Institute (ANSI). For the development of standards relating to risk management, ANSI has designated the American Society of Safety Engineers (ASSE) as the secretariat for U.S. experts who contribute to the ISO 31000 suite of standards. You can purchase the ISO 31000 series of standards from ASSE at www.asse.org/publications.

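The assess, evaluate and treat cycle described above (rate the risk against the risk criteria, compare the residual risk with the tolerance, apply further treatments until the residual is tolerable or the options run out, and record the outcome for monitoring and review) is modelled in the following Python script. It is an added example, not code from the Gallagher paper or from ISO 31000 itself; the 1-to-5 rating scales, the likelihood-times-consequence risk criteria, the tolerance threshold of 6 and every sample risk, owner and treatment are constructed values chosen for illustration.

```python
"""Worked model of the ISO 31000 assess / evaluate / treat cycle.

Added example, not code from the Gallagher paper or from ISO 31000 itself.
The 1..5 rating scales, the "likelihood x consequence" risk criteria, the
tolerance threshold and every sample risk and treatment are constructed
(assumed) values for illustration only.
"""
from dataclasses import dataclass, field

SCALE_MAX = 5  # constructed rating scale: 1 (lowest) .. 5 (highest)


@dataclass
class Treatment:
    """A risk treatment option and its assumed effect on the ratings."""
    name: str
    option: str                 # treatment option family named in ISO 31000
    likelihood_delta: int = 0   # change applied to the likelihood rating
    consequence_delta: int = 0  # change applied to the consequence rating


@dataclass
class Risk:
    """A risk register entry with its owner and inherent (untreated) ratings."""
    title: str
    owner: str
    likelihood: int
    consequence: int
    candidate_treatments: list = field(default_factory=list)


def clamp(value: int) -> int:
    """Keep a rating inside the 1..SCALE_MAX scale."""
    return max(1, min(SCALE_MAX, value))


def residual_rating(risk: Risk, applied: list) -> int:
    """Risk criteria (constructed): significance = likelihood x consequence
    after the combined effect of every applied treatment."""
    likelihood = clamp(risk.likelihood + sum(t.likelihood_delta for t in applied))
    consequence = clamp(risk.consequence + sum(t.consequence_delta for t in applied))
    return likelihood * consequence


def treat(risk: Risk, tolerance: int):
    """Cyclical treatment step: evaluate the residual risk and, while it is
    above tolerance, apply the candidate treatment that reduces it most,
    re-evaluating after each one.  Stops when the risk is tolerable, when no
    remaining candidate reduces it, or when the candidates are exhausted.
    Returns (applied treatments, final residual rating, evaluation trail)."""
    applied, remaining = [], list(risk.candidate_treatments)
    current = residual_rating(risk, applied)
    trail = [("inherent", current)]
    while current > tolerance and remaining:
        best = min(remaining, key=lambda t: residual_rating(risk, applied + [t]))
        new_rating = residual_rating(risk, applied + [best])
        if new_rating >= current:
            break  # nothing left that helps: the owner must escalate or accept
        applied.append(best)
        remaining.remove(best)
        current = new_rating
        trail.append((best.name, current))
    return applied, current, trail


def review_register(risks: list, tolerance: int) -> dict:
    """Monitor-and-review view keyed by risk title: residual rating, whether
    it is within tolerance, and the treatments that were applied."""
    report = {}
    for risk in risks:
        applied, rating, _ = treat(risk, tolerance)
        report[risk.title] = {
            "owner": risk.owner,
            "residual": rating,
            "within_tolerance": rating <= tolerance,
            "treatments": [t.name for t in applied],
        }
    return report


# Constructed sample register (illustrative values, not from the paper).
SAMPLE_RISKS = [
    Risk("Ransomware on file servers", "IT Director", likelihood=4, consequence=5,
         candidate_treatments=[
             Treatment("Offline backups with tested restores", "changing the consequence", consequence_delta=-2),
             Treatment("MFA on all remote access", "changing the likelihood", likelihood_delta=-2),
             Treatment("Cyber insurance", "sharing the risk", consequence_delta=-1),
         ]),
    Risk("Key-person dependency on legacy system", "Operations Manager", likelihood=3, consequence=4,
         candidate_treatments=[
             Treatment("Cross-train a second administrator", "changing the likelihood", likelihood_delta=-1),
         ]),
    Risk("Regulatory change to records retention", "General Counsel", likelihood=3, consequence=2),
]
TOLERANCE = 6  # constructed: residual ratings above 6 need further treatment

if __name__ == "__main__":
    for title, entry in review_register(SAMPLE_RISKS, TOLERANCE).items():
        print(title, entry)
```

Running the script prints one line per register entry. The ransomware entry reaches tolerance only after two treatments are combined, the records-retention entry is already within tolerance and is retained by informed choice with no treatment, and the key-person entry ends above tolerance with its only candidate exhausted, which is the case the cycle sends back to the risk owner for additional treatments or an explicit decision.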
[Figure 1 – Relationships Between the Risk Management Principles, Framework and Process (from ISO/ANSI/ASSE 31000:2009)]

What Do We Gain From Using ISO 31000?

For traditional risk managers in the U.S., it is important to remember that this new standard is intended to build upon what you already do well and expand your views about risk. For decades, we have been creative and forward-thinking about risk finance and risk transfer techniques. We have not been as forward-thinking about identifying a broad range of risks (beyond insurable risk, beyond hazard identification, beyond emergency planning or disaster preparedness) or addressing cumulative or crossover risks (such as IT or pandemic planning). We can also learn how to expand the application of risk management to decision making, which will strengthen the understanding and application of risk management throughout our organizations.

The identification of risk owners and education about risk – for stakeholders inside and outside of our organizations – is another key expansion from a more traditional approach to managing risk. Those activities will increase accountability and strengthen communication. The link to business objectives (at all levels) strengthens both the relevance and the importance of risk management. Ultimately, it will make risk management central to the success of an organization, and an influential part of key processes such as planning, management and governance.

Conclusion

The goal of effective risk management is to ensure that an organization has a current, correct and comprehensive understanding of its risks – and that those risks are within its risk tolerance. The attributes include full accountability, the application of risk management in all decision making, continual communication, full integration into the organization’s governance structure and continual improvement.

Implementing a broader approach to managing risk is a process that takes time, planning and sustained initiative. You need a good road map and a plan. The model for implementation and tools provided in the ISO suite of standards can guide your course of action and assure leadership that you are following an internationally approved model, based on best practices from around the world.

If you are ready to lead your organization’s approach to evolving risk management, this standard should be your first step and your guide.

Gallagher ERM Practice
Two Pierce Place
Itasca, IL 60143-3141

About the Author


As Senior Managing Director, Dorothy Gjerdrum leads Gallagher’s largest client practice group, which includes cities,
counties, K-12 public schools, state governments, special districts and public sector pools. She has 25 years of public
sector risk management experience.

In 2015, Dorothy accepted an additional leadership role as Managing Director of Gallagher’s ERM Practice Group.
From 2008-2014, Dorothy was the Chair of the US Technical Advisory Group to ISO 31000 which is responsible for
representing the interests of the United States risk management community in the standards development process. In
addition to leading Gallagher Public Sector, Dorothy is a leading ERM consultant for cities, counties, public school
districts, community colleges and public universities. She is a frequent speaker on ERM and ISO 31000 and its
application in the public sector.

For more information, contact:

Dorothy Gjerdrum, ARM-P


Senior Managing Director, Gallagher Public Sector
Managing Director, Gallagher ERM Practice Group
[email protected]

15BSD28087A
