The revision of ISO 31000 on risk management has started. Reducing, anticipating and managing risk are all part of the daily grind for organizations that have integrated risk management into their business strategy. That’s why they often turn to ISO 31000 on risk management to support themselves in this task.
ISO standards come up for revision every five years, and ISO 31000, and its accompanying Guide 73 on risk management terminology, are no exception. Launching the revision process, ISO/TC 262/WG 2, the working group responsible for developing core risk management standards, gathered from 3 to 9 March 2015 in Paris – under the auspices of AFNOR, ISO member for France – to discuss the necessary changes to be made to the standard. Here, Kevin Knight, Chair of ISO/TC 262 on risk management, gives us the lowdown so far.
ISO/CD 31000, Risk management – Principles and guidelines, and ISO/CD Guide 73, Risk management –
Vocabulary, are under revision. Why is this revision needed?
With the passage of time, a number of risk practitioners indicated that ISO 31000:2009 needed a limited review to ensure it remained relevant to users. As a result, ISO Guide 73:2009 will need to be revised in so far as changes are made to terms and definitions used in the revised ISO 31000, or additional terms and definitions are deemed necessary to assist users with their own documentation.
In other words, it is important that the two documents be revised at the same time?
Yes. All the terms and definitions in ISO 31000 are contained in ISO Guide 73, so any changes to the terms and definitions in ISO 31000 must be identical in both documents.
What are the main points of the revision? How is the content and language brought up to date?
Many have seen this limited review as an opportunity to seek greater changes that reflect the needs of major corporations and governments for a high-level document. As a consequence, ISO/TC 262/WG 2 had to deal with a total of 656 comments at its March 2015 meeting in Paris. While they did complete the task, it has demonstrated a need for a new high-level document that will require a full technical review by ISO/TC 262/WG 2 to develop a design specification (DS) that outlines additional issues to be addressed based on the comments examined in Paris. The DS will, of course, have to be approved by the participating members of ISO/TC 262 in order to proceed.
The first editions of ISO 31000 and ISO Guide 73 were published in 2009. What feedback have you received since then from the users of the documents and how is this feedback taken into account in the revision process?
ISO 31000 has been adopted as a national standard by more than 50 national standards bodies covering over 70 % of the global population. It has also been adopted by a number of UN agencies and national governments as a basis for developing their own risk-related standards and policies, especially in the areas of disaster risk reduction and the management of disaster risk.
The widespread use of ISO 31000:2009 has prompted a variety of questions to various experts, with national standards bodies and ISO seeking clarification on certain points of the standard. These points, combined with feedback from the national mirror committees, indicated a need to provide greater clarity in some areas.
A need was also expressed by risk practitioners, especially in the G20 economies, for a high-level document that reflects the way risk is managed in multinational organizations and national governments, as well as how risk management should be incorporated into the governance and management systems of organizations.
As it stands, ISO 31000 is a generic guidance document, which has been found to be very useful in developing countries and small to medium-sized enterprises. Yet there is a need for something more substantial than the guidelines contained in Annex A of ISO 31000:2009 to help organizations move further onwards, and that is what ISO/TC 262/WG 2 is currently working on.
What will the new editions change for users of these documents?
The limited review of ISO 31000 will hopefully provide greater clarity for its users.
What are the next important steps of the revision?
This will depend on the work being done by ISO/TC 262/WG 2 since the Paris meeting to develop a recommendation to ISO/TC 262. There are two possibilities:
1. ISO/TC 262/WG 2 finalizes the limited review of ISO 31000:2009 into a Draft International Standard (DIS) and sends it out for ballot; then it undertakes a full technical review to develop a design specification for a New Work Item Proposal (NWIP) for a high-level standard on the management of risk; or
2. ISO/TC 262/WG 2 seeks the approval of the technical committee to stop the “limited” revision and go directly – with the results achieved so far – to a full “technical” revision. This will need a design specification (DS) that outlines the issues to be addressed in addition to what has currently been achieved. A task group of ISO/TC 262/WG 2 has until end of June 2015 to develop the DS for comment and then submission to a ballot of the technical committee participating members, along with the latest Committee Draft (CD) of ISO 31000.
What is the target publication date?
This very much depends on the outcome of the proposals outlined above. In the event of the first proposal being adopted, I would expect the revised edition of ISO 31000 to be published in mid-2016. On the other hand, if the second proposal is chosen, then I would hope to see publication of the resultant standard by the end of 2017.