ISO 31000:2018

A revised ISO 31000:2018 standard

Two weeks ago, the new version of the ISO 31000 standard was issued. From now on, this 2018 version replaces the 2009 version of the standard. So, over the past weeks I have been working on updating the presentations and exams that I use in my certification courses for G31000 Europe. Although nothing has really changed in the philosophy and fundamental understanding of this standard, there’s a big difference between old and new. It was only when I was adapting the exams to the new standard that I discovered how much guidance was lost. In a sense, this could be interpreted as a good sign, because less is more in that case: less guidance means fewer constraints for those that want to comply. However, less guidance is also less knowledge for those that are not yet fully aware of all the benefits of a comprehensive and standardized approach to risk and risk management.

New graphics

I must admit that after the first draft, DIS 31000, came out a year ago, I was very skeptical and negative about this “update” of the standard. But luckily the final changes were less drastic and less far-fetched than they appeared at first sight. The graphics changed, but not to the same extent as proposed in the draft international standard (DIS), keeping things more aligned with what already existed. ISO 31000:2018 still proposes a vocabulary, a set of principles, a framework and a process.

The graphics are now as follows:

[Figure: Purpose, principles, framework & process]

In this graphic, you can see the purpose (value creation & protection) of risk management and 8 principles (drawn from the previous eleven principles) that feed into the framework (to the left) and the process (to the right). Then there’s also the framework, which integrates the risk management process into all activities of the organisation, and the process, which is the way risk management can be executed. The process can also be used to build a suitable (customized) risk management framework for the organisation (the arrow goes in both directions).

The most remarkable changes are the omission of some principles and the addition of the “step” “integration” in the framework. But in essence, the previous representation of the standard is still there and, in my humble opinion, it is less powerful and clear than the “old” graphics.

My observations

For some, holding a narrow interpretation of things, this revised standard might have its improvements, but for those that held a very broad understanding of the standard nothing has really changed, except that a lot of good information has now been deleted, keeping the guidance to the strict minimum and in some cases even taking a more restricted view on things. For instance, the communication and consultation part of the process is now more aligned with “old school” thinking, missing the crucial guidance that, ideally, this part of the process should take the form of a dialogue. Now it seems more focused on the dissemination and gathering of information, where the concept of “dialogue” is rather an afterthought, instead of an important element to gain trust and obtain the best available information (as one of the principles proposes).


There’s a lot more to say on the revision, although the main observation is that information has been deleted. It almost seems that any guidance that could embarrass more traditional approaches to managing risk, or that could conflict with other views on standards, has been omitted. Not because the information was wrong, but because there was no consensus to keep it in. But I may be wrong in this perception.


My advice: keep your old version of ISO 31000:2009 and use the new version to expand your understanding (or the other way around). Your risk management will be served by that!

