The new ISO standard is meeting with a mixed response from risk managers, says Neil Hodge

The International Organisation for Standardisation is preparing to launch its new standard on risk management – ISO 31000 – in June this year, but European risk managers are hardly rushing to make a note in their diaries. ‘I’ve seen the draft document and there’s nothing new in it,’ says one UK-based risk manager who asked not to be named. ‘It’s basically a compendium of the best aspects of a range of other widely used risk management standards and assorted best practice. Unless you’ve never had a risk management function before, it’s of little use, frankly.’

Such views are echoed by the Federation of European Risk Management Associations (FERMA). The body is wary of supporting any further ISO standards, as it believes that ‘experience has shown that compliance with a standard has never guaranteed total satisfactory performance’. In July 2007 it issued a press release headlined ‘ISO risk management standard not needed’. Furthermore, says FERMA, the number of new standards in the pipeline that will affect risk management practice – such as SA 8000 on social accountability – is a concern and a potential drain on resources. Instead, FERMA recommends that risk managers refer to the ISO standard for guidance rather than follow it as a rule.

The ISO accepts that a lot of the material contained within its draft standard is generic and is present in other risk management standards issued by other organisations. However, the ISO says that ‘although the practice of risk management has developed over time and within diverse sectors to meet diverse needs, a generic approach consisting of a framework of essential elements can help to ensure that risk is managed effectively and coherently across an organisation.’

It adds that ‘the generic approach described in this international standard provides guidelines on implementing these essential elements so as to manage risk within any scope and context with transparency and credibility.’


Pierre Sonigo, who leads FERMA’s ISO working group, says that ‘the standard provides an excellent framework to implement a risk management strategy in an organisation. It clearly spells out the right preliminary conditions and the necessary steps to ensure success. It is therefore an excellent tool for companies where risk management is new and not yet implemented.’

However, he adds that ‘I do not believe that such a standard will be very useful for companies where risk management is already in place, since it remains quite general, and, frankly, all recommendations of the standard are generally applied already.’

Some national risk management associations, including those in Italy and Belgium, have refused to endorse the ISO’s draft standard. Daniel Bertaux, a member of the board of the Belgian Risk Management Association (BELRIM) who was involved in examining the draft, says that BELRIM refused to endorse it for a number of reasons. ‘We felt that the standard was too old-fashioned and that its view of risk management, corporate governance and internal control was not up to date or in line with current best practice,’ says Bertaux. ‘Risk management has changed enormously in the past decade, and other functions within an organisation – in particular, internal audit – have a very important role in ensuring that risk management is properly embedded, and that risks are properly identified and controlled. Yet the ISO standard does not mention this and we felt that, as a result, the ISO has not kept up with recent developments in risk management.’


Bertaux also says that BELRIM rejected the draft standard because the ISO wants its standard to supersede all others, although the ISO and other risk managers dispute this. ‘We wanted to have the right to choose whether risk managers in Belgium could adopt the ISO standard or, if they wanted, use other standards instead of or in tandem with the ISO standard. But the ISO is not allowing this,’ says Bertaux. ‘In Belgium it is a legal requirement that all companies listed on the stock exchange must follow the COSO standard on risk management. If the ISO wants us to use its standard exclusively, then any Belgian company that does so would be effectively breaking the law. How can we sign up to that?’

But other risk managers welcome the ISO standard and hope that many of their peers will follow its recommendations. Yvonne du Floo, a board member of the Netherlands Association of Risk and Insurance Managers (NARIM), says that the ISO standard ‘combines the best aspects of a number of existing risk management standards, such as the AIRMIC and COSO standards, and makes them applicable to a wider range of risk management activities and organisations. For example, some risk management standards are very much orientated towards financial risk management and are difficult to incorporate into the risk management functions of non-financial sector organisations. The new ISO standard overcomes this problem by using generic terms so that any risk manager can understand and use them.

‘Another benefit of the ISO standard is that it allows risk managers to take a very flexible approach as to how they embed its recommendations. The standard is not prescriptive; it allows risk managers to assess how its recommendations can be best applied to achieve the best results.’

Like many others, Du Floo believes that risk managers should not just follow one standard. ‘My view is that Dutch risk managers should use the new ISO standard, but they should use it in conjunction with other existing standards. I would never recommend that a risk manager should only use one standard exclusively when other standards may also be useful.’