Why do I love ISO31000:2018?

Quite simply, because it is so high level and it has plenty of good messages.

High level

That’s right. The best thing that ever happened to ISO31000 is the fact that it is so ridiculously high-level and doesn’t provide any specific details on the implementation.

This is important for 2 reasons:

In fact, ISO is just about to make a huge mistake. ISO TC 262 will soon publish a detailed handbook on implementing ISO31000. There is a 95% chance the handbook will miss most of the existing scientifically proven methods and research available in the risk space, because the motivation to reinvent the wheel is too great. This message is important and I will come back to it later in the article.

Good messages

Many of the messages in the ISO31000:2018 are solid:

And my favourite one…

This is how you are supposed to implement risk management according to ISO31000:2018, which I fully support:

The organization should implement the risk management framework by:
— developing an appropriate plan including time and resources;
— identifying where, when and how different types of decisions are made across the organization, and by whom;
— modifying the applicable decision-making processes where necessary;
— ensuring that the organization’s arrangements for managing risk are clearly understood and practised.

That’s right, you implement risk management by modifying how decisions are made, not by writing a risk framework document and updating a risk register once a quarter.

There are, of course, not-so-good messages as well (read here), but there is more good stuff than not. By a big margin.

So what?

I think it’s naive to look for “how to” in the ISO space. ISO standards serve a different purpose. If you really want to become a good risk manager, stop hiding behind ISO31000:2018 limitations and learn:

Risk professionals already have all the answers; they have had them for years. There is absolutely nothing new in ISO31000:2018, or in COSO:ERM 2017 for that matter. Risk managers just need to start looking in the right places and asking the right questions.

RISK-ACADEMY offers online courses

Informed Risk Taking

Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!

ISO31000 Integrating Risk Management

Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.

Risk Management

In this short and highly engaging course, Alexey Sidorenko explains the reasons for implementing risk management, the specifics of making management decisions under uncertainty, and the changes in the new ISO 31000:2018 standard.