Leveraging the value of risk standards and guidelines

There is a healthy debate currently occurring in the risk community about updates to global risk standards and guidelines. For me, how we use the ethos of risk standards and guidelines to help people take risk and manage uncertainty is the key. This is more important than, for example, which risk process diagram we use.

Many risks are complex and dynamic, and managing them requires robust frameworks and a mindset to think about what could be coming up and how different scenarios could play out, in order to make good risk-informed decisions. A good organisational culture is key to fostering and welcoming this type of approach, to ensure there is regular and proactive raising of risks and a “line of sight” of these risks through to the organisation’s centre.

Many standards and guidelines are focusing on how risk management is intrinsic to how organisations operate, not a standalone activity, which is welcome. Some continue to provide good technical guidelines. But there needs to be a focus on modern organisational aspects, such as managing risk in the digital age and with AI, and how to manage the interconnectivity of risks in a dynamic ecosystem. Risk practitioners should encourage standards and guidelines bodies to think about the future of work and how we need to position our profession for positive change.

Some people use risk standards and guidelines to good effect. Others ignore them. Many standards are being updated right now in response to a need to change and modernise the management of risk and uncertainty. If you have feedback on them, get in touch with the teams that oversee them to have your say.

Some key points for me, which risk standards and guidelines can help to emphasise, are as follows:

1. Use straightforward language: We do not need “a risk language” or jargon that is unnecessarily complicated.

2. Highlight the importance of a good culture: A good culture is a key determinant in how well we take and manage risk – it sets the tone for whether good practices are adopted or not.

3. Encourage a pro-active and open mindset: Risk management must be pro-actively woven into the rhythm of how people in an organisation work. Being open to question our options is part of this.

4. Highlight the value of the Risk practitioner: We can play key advisory roles to help people make good risk-informed decisions, when we can demonstrate the value that we bring to the table.

5. Connect the dots: Interconnections between risks can be subtle yet critical to understand. We need to use good ways to see insights into how risks can morph and turn into situations, and to see things coming ahead of time.

Food for thought: Should some risk standards become “families of standards”?

Some risk standards and guidelines already exist as a suite of documents. One example is COSO’s suite of ERM framework, Guidance on Internal Control and Governance and Operational Performance.

What about ISO 31000? Think of other ISO standards that exist as “families”, for example:

• ISO 9000: a family of standards on Quality Management and Quality Assurance

• ISO 14000: a family of standards on Environmental Management

• ISO 22300: a family of standards on Societal Security

• ISO 27000: a family of standards on Information Security Management Systems

As examples, ISO 22310 is specific on Business Continuity Management Systems; ISO 22316 (newly published in 2017) provides guidelines on organisational resilience.

Whether ISO 31000 would benefit from becoming a ‘family of standards’ covering specific elements of managing risk is up for debate but perhaps this could provide a way to tackle specific risk topics, while tying it together neatly with families of ISO 22300 (for business resilience risk) and ISO 27000 (for IT and digital risk).

As risk practitioners, we can use risk standards and guidelines as useful advice for frameworks and methodologies. What is most important is how we work with the people in our organisations to infuse good practices to address the risk and uncertainty that exists in our environment - to take and manage risk intelligently, and to ensure we have good risk-informed decision-making in place and driving value.

Standards and guidelines offer advice on how to achieve this, but it is up to risk practitioners, and the people we work with, to decide how we leverage it.