ISO 31000 Risk Management - Principles and Guidance
By François Masquelier, Head of Corporate Finance and Treasury, RTL Group, and Honorary Chairman of the European Association of Corporate Treasurers
The ISO 31000 international standard, which addresses the principles of risk management, is a crucial standard for risk managers (CROs) and treasurers. What principles lurk behind that fearsome figure? What basic principles should guide and drive our corporate risk management procedures? This standard is the basis that should guide us in our day-to-day management process. ‘31000’ is a figure that you will never forget in the future, you can be sure of that.
“ISO standards, what does that mean?”
The ISO (International Organization for Standardization) standards include a risk management standard that lays down its principles and guidelines (first issued in 2009 and revised in May 2017). This is the famous ISO 31000. You have probably heard people talk about it without being too sure what it covers. But it would be a very good idea to consider what an ISO standard involves. A standard is a document that lays down the requirements, specifications, guidelines and characteristics to use systematically to ensure that materials, products, processes and services are fit for purpose.
The ISO organisation has published over 21,000 international standards that everyone can easily find. But do you wonder what benefits these ISO international standards might have? They guarantee that products and services are safe, reliable and of good quality. For businesses they are strategic tools for lowering costs, increasing productivity and reducing wastage and mistakes. They are the symbol of good management, with companies certified in one field or another. A counterparty, customer or stakeholder may even require that the company should be ISO-certified in this field or that. They pave the way to new markets, and lay down the rules of the game fairly, enabling you to demonstrate that you are best in class and right up to date with standards that are regarded as best practice.
Organisations and other bodies, regardless of size, are confronted with a range of factors and influences that make their future and their results uncertain. The question of knowing when and if the business can achieve its objectives therefore becomes crucial. This element of uncertainty that affects every business is nothing more or less than what is commonly called ‘risk’. All business activities, even outside treasury management, involve risk-taking. We manage risks by identifying them, by analysing them, by assessing whether they need appropriate handling to mitigate them or avert them, or even to decide whether they can be borne as they stand. After following this process, we have to inform the stakeholders of how we are monitoring risk, how we are handling it and what controls we are putting in place to track and contain it.
The aim of this standard is nothing less than setting out a systematic and logical approach to be applied to risk management in general and financial risks in particular. Why not govern risk management in just the same way as we manage a whole host of other processes in a documented and organised manner? Risk has had its own standard for a number of years; but this standard has changed, and today it has become the authority that we have to follow. Even though risk management practice may have come a long way over the years, implementing it by applying a rigid set of instructions is not a good idea. Using a clear framework increases the assurance that management will be efficient, effective, coherent and appropriate. This is where ERM (enterprise risk management) and treasury management come into their own. Why not opt for ISO 31000 in your treasury management process?
Implementing ISO 31000
Implementing a standard of this type will, for example, increase the likelihood of achieving your goals and encourage proactive risk management. You are more likely to be aware of the need to identify and handle risks throughout the whole organisation, to identify opportunities and threats better, and to comply with the various legal and regulatory requirements imposed by national bodies in particular. It is likely to result in better reports, both mandatory and optional, and to improve governance, to bolster confidence, and to reassure stakeholders.
Relationships between the risk management principles, framework and process Source: ISO 31000 :2009 (E))
|
[[[PAGE]]]
A world in the throes of change
In a world that is in the throes of change, companies find themselves confronted with two objectives that, on the face of it, conflict with each other: (1) encouraging innovation, intrinsically a source of risk, and (2) guaranteeing a high level of security. To reconcile these objectives, risk must be kept under control and evidence of this control must be provided. The ISO 31000 standard is intended to provide a general framework for managing risk and gives a new definition of risk. It is crucial for everyone to have a common starting point so that they know what a risk is. It improves the risk management process, helps integrate risk management into the management system of the company, organisation or public institution, and it introduces principles (11 in all) that guide the decisions on risk management actions. These contributions enable the risk manager or treasurer to tackle, coherently and explicitly, many aspects of the risk management process that usually interact with it chaotically and implicitly. These, for example, may include multiple possibly conflicting objectives, the allocation of responsibilities (who is accountable?), or yet again the evaluation of the effectiveness of the methods and the uses of them.
Risk management (in the broad sense) remains conceptual, a virtual wisp, somewhat intangible, and in the final analysis, subtle and not necessarily scientific. The work done in laying down its general framework, basic principles and jargon was not a waste. ISO 31000 is a sort of constitution, charter or founding deed that acts as the basis for any formal risk management or ERM structure. This standard encourages the whole organisation to take risk into account and provides stakeholders with assurance that these risks are being controlled better.
Reporting the ability to manage risks
This ability to manage risk ought to be reported to the stakeholders and form one of the key considerations when investing in a company. Its risk appetite and its response to managing risk, bearing in mind that taking (some) risks is part of the essence of all business undertakings, are all matters that need to be addressed, and the response needs to be demonstrated over time. This standard can also be a sort of ‘bridge’ standard, opening up dialogue between business sectors by giving them a common vocabulary and framework. Finally, it helps build a body of information in the risk management field. ISO 31000 proposes a generic ERM approach but makes no recommendations on operational implementation. It suggests theright questions to tackle the complex subject of risk management, but not good practices to address them. It is intended for all types of companies and organisation, public and private, regardless of size. Its aim is not uniformity of practice, but to harmonise the approach in terms of principles and procedures. It redefines the term risk in a way that is better at explicitly reflecting many types of recently-encountered problem. It brings in a process called organisational framework, structuring the actions of organisations when putting into place and continuously improving the risk management process.
ISO 31000 is structured into four main sections: the first provides the vocabulary used in the standard, the second lays down the principles, the third describes the organisational framework and the fourth sets out the risk management process.
What is a risk?
For many years, the concept of ‘risk’ was seen as being similar to that of danger. Controlling it was within the province of technicians. The incidence of damage was prevented by action at its source with the purpose of reducing this danger. This approach implicitly led to total or partial lack of interest in the positive effects of the activity that was the source of the risk. The definition was then replaced by that of a probable event having consequences. The presence of a source of risk was made acceptable given the very improbable damage that it might incur and the positive contributions that it would certainly make.
The ISO 31000 standard defines risk as the effect of uncertainty on achieving objectives. This definition once again changes the issues surrounding risk by requiring that the business objectives whose attainment might be impaired by the occurrence of uncertain circumstances should be specified. This multitude of objectives means that decision-makers need to choose between alternatives. At the operational level, risk managers will suggest methods for preventing the effects of uncertainty from interfering with the conduct of the activities carried out to achieve the objectives. This new definition does not call into question the problems of dealing with dangers or assessing potentially harmful events. The standard also formally sets out the role of decision-makers.
Management of risks, when implemented according to ISO 31000, enables the company to, for example:
- Increase the likelihood of achieving objectives
- Encourage proactive management
- Be aware of the need to identify and treat risk throughout the organisation
- Improve the identification of threats and opportunities
- Comply with relevant legal and regulatory requirements and international norms
- Enhance mandatory and voluntary reporting
- Improve governance
- Increase stakeholder confidence and trust
- Establish a reliable basis for decision-making and planning
- Enhance internal controls
- Allocate and use more effectively resources for risk treatment
- Increase operational effectiveness and efficiency
- Enhance health and safety performance, as well as environment protection and respect
- Develop loss prevention and incident management
- Minimise losses
- Foster organisational learning and resilience
“The better the brakes, the faster the car.”
|
[[[PAGE]]]
The generic risk management process put forward by ISO 31000 restates the traditional activities of assessing risk (identification, analysis and assessment) and handling it. The standard adds three other actions to them:
- setting out the context, making it mandatory, before these actions start, to lay down the fundamental parameters that characterise the environment in which risk management is to take place and the values of those parameters, for example by means of a risk matrix;
- communication and consultation, and its link to all the other risk management process tasks and discussions with other internal and external stakeholders;
- the monitoring and review intended for example for re-evaluating the conduct of risk management activities.
The organisational framework is intended to manage these conflicts and more widely to incorporate risk management actions into the procedures of the organisation or company. In fact, risk management should not be treated as a stand-alone activity, but instead as part of other activities, including operational activities. It should therefore be of use to these operational activities and in particular it should contribute to the decisions that they require. Provision should be made for continuous improvement of this management process. For that purpose, it is useful to have evaluation resources to help with improvement. This organisational framework is built up using the traditional PDCA (Plan, Do, Check and Act) cycle. Risk management performance indicators need to be defined. The risk management process consists of the 11 basic principles laid down in the standard, as we stated above.
In the final analysis, a risk management process such as this should create value, for example. It should also incorporate human and cultural factors. In addition, it should deal explicitly with uncertainty. It should aim to inform and train all stakeholders. It involves defining everyone's roles and responsibilities, risk appetite, etc. A standard such as ISO 31000 needs to be revised every five years (as happened recently). The revision process is slow and involves garnering opinions from various stakeholders. This complicates it and slows it down, while at the same time giving it even greater value. In a document such as this, the difficulty lies in laying down guidelines and making it useful as a roadmap for everyone, while avoiding it becoming an all-encompassing manual, heavy-going and in the final analysis unsuitable because it would be too specific.
"ISO or not ISO?" - that is the question
The fact is that setting out to lay down a clear framework for managing risk in just a few pages is a very hard task. However, that is the challenge that the ISO organisation has set itself since 2009. At least we had a helpful and well-thought-out framework as a basis, together with guidance, which was recently updated. No doubt it will need to change further in the future to adapt to the complexities of risk management which are continually evolving and becoming more convoluted.
The economy has become global. The activities and risks that flow from this are intimately correlated. The world is becoming more and more difficult to manage, particularly through the emergence of new risks. These include the digital transformation, ‘Uberisation’ and cyber risks, together with risks that are resurfacing such as taxes, and geopolitical, regulatory and reputational risks. In an environment that is uncertain to say the least, it is vital to be able to offer an adequate risk management framework and, just as importantly, to let the outside world know about it. Your ability to manage risk will reassure investors and will create value over time. So don't delay in complying with one or other of the authoritative frameworks designed for this purpose.
For further information go to www.iso.org where you can buy this guide and its supplement for the vocabulary used.
François Masquelier Head of Corporate Finance and Treasury, RTL Group, and Honorary Chairman, European Association of Corporate Treasurers
François Masquelier has been Head of Corporate Finance and Treasury with RTL Group since November 1997. Before joining RTL Group he worked for Mitsui Talyo Kobe Bank (Sakura Bank) in Brussels, Eridania Béghin-Say Coordination Center in Brussels and ABN AMRO Bank in Belgium and Luxembourg.
He is Doctor in Law, Fiscal Law and Economy & Administration from the University of Liège, and has a degree from the Business School of Brussels. François is the President of the Association of Corporate Treasurers in Luxembourg (ATEL), and the Honorary Chairman of the European Association of Corporate Treasurers (EACT).
|