Creating a Common Language

February 28, 2010 | Last updated on October 1, 2024

In these times of global trade, innovation, economic crisis and threats to public safety and security, the need for a common understanding of risk management is critical. Risk can have some positive results, such as medical breakthroughs, technological innovation or successful new ventures. But when risk is not fully understood, communicated and managed, it can lead to negative consequences such as business failures, harmful side effects from medical interventions, industrial accidents, environmental disasters and, most recently, financial crisis. A common understanding of risk management by internal and external stakeholders is essential to the long-term success of an organization.

The International Organization for Standardization (ISO) developed ISO 31000 Risk Management – Principles and Guidelines in 2009, with input from stakeholders based in countries worldwide. Canada played an active role in its development.

International experts agree that risk management is not a standalone activity. Effective risk management must be integrated into the governance and operational processes of organizations. ISO 31000 provides principles and guidelines for the development and implementation of an effective risk management framework, as well as a process for helping organizations to achieve integration and improve their ability to manage risk.

Here in Canada, CSA Standards has released ISO 31000 as a national standard. CAN/CSA ISO 31000 Risk Management — Principles and Guidelines provides principles, a framework and a process for managing risk in a transparent, systematic and credible manner.

ISO 31000 defines “risk” as “the effect of uncertainty on objectives.” The standard will help users manage risks through careful consideration and awareness of both vulnerabilities and opportunities arising from potential and existing risk sources. ISO 31000 can also help Canadian organizations implement and continuously improve a risk management framework as an integral component of their governance and management systems.

A COMMON LANGUAGE

Additionally, ISO 31000 provides a common language that will help with risk communication to an organization’s internal and external stakeholders. It describes 11 principles for effective risk management, helping organizations — including insurance companies — understand the elements needed to build a solid foundation for their risk management framework. These elements include:

• establishing a mandate and commitment;

• designing the framework;

• establishing a policy and accountability;

• integration into organizational processes;

• identification of resources;

• establishing communication and reporting mechanisms; and

• implementing, monitoring and continually improving the framework.

The standard also provides guidance on how to carry out the process of managing risk, through communication and consultation. This includes:

• establishing the external and internal context in which the organization and the risk management process operates;

• defining risk criteria;

• assessing and treating risk;

• monitoring risk; and

• recording the process.

ISO 31000 can also be integrated with management systems — such as environmental, or occupational health and safety — and with other risk management processes such as the Committee of Sponsoring Organizations (COSO) or Ontario Public Service Inspections, Investigations and Enforcement (OPS II&E).

ADOPTING STANDARDS

Effective implementation of ISO 31000 can help enhance existing risk management programs or processes through integration, addressing areas that may have significant gaps. For an organization with no formal risk management program, ISO 31000 provides the necessary building blocks to help develop an effective risk management framework and process.

ISO 31000 is not intended as a certification standard. It is a guidance standard to help organizations manage risk effectively. It is not specific to any country, industry or sector and can be used by any public, private or community enterprise, association, group or individual. ISO 31000 provides generic guidance that can be applied to both public and private sectors. It is not a one-size-fits-all standard. Rather, it emphasizes tailoring its principles to the specific needs of organizations (and even nations), so that each can develop its own guidance when deemed necessary.

Adopting the ISO 31000 standard can enable Canadian organizations to compare their practices with an internationally recognized benchmark, providing them with useful principles for effective risk management.

In evaluating whether to adopt ISO 31000 as a National Standard of Canada, the CSA Technical Committee on Risk Management undertook a detailed gap analysis and consulted with Canadian stakeholders. ISO 31000 was compared with other risk management standards using 29 criteria considered necessary for effective risk management, some of which include:

• terminology;

• purpose;

• risk communication;

• stakeholder involvement;

• guidance on risk quantification;

• measurement of performance;

• evaluation of success;

• quality assurance;

• positive risk; and

• applicability to small and medium-sized enterprises.

Overall, the committee found that other risk management standards addressed risk well at an operational level, but not necessarily at the organizational level. CSA found various gaps in other standards that could be addressed through implementation of ISO 31000 and supplemental guidance for Canadian businesses.

ISO 31000 is different in that its intended audience is not only the risk practitioners that deal with risk daily, but also the board of directors and senior level of management within an organization.

Consultation with stakeholders found there was a strong appetite for guidance that explained how to manage risk, and not just what should be involved. Stakeholders were looking for guidance on how to integrate risk management into governance structures, how to undertake activities to establish the context, how to implement risk management within the business planning cycle, how to understand the difference between risk identification and setting risk criteria, how to measure positive risk and how to audit risk management.

CSA Standards developed CSA Q850 Risk Management: Guidelines for Decision-Makers in 1997. This standard established a six-step process for managing risk with an emphasis on communication and consultation. This has carried forward into other risk management standards. To help Canadian organizations comply with ISO 31000, CSA Standards is now developing a new edition of an existing Canadian standard (Q850) that will replace the 1997 edition. CSA Q850-10 Risk Management will provide more detailed guidance on factors that should be considered in each step of implementing ISO 31000. These updates to CSA risk management standards will relate to the general needs of Canadian business operating in Canada and abroad, specifically addressing the integration of risk management with governance, understanding risk appetite, undertaking stakeholder analysis and environmental scans, performance indicators, risk communication, implementing risk management processes, risk treatment and attributes of risk maturity.

Used together, ISO 31000 and Q850 will help provide a unique solution for organizations looking to establish a reliable basis for decision making and planning, improving stakeholder trust and confidence and increasing the likelihood of achieving objectives — all the while minimizing the potential for negative consequences. The ultimate goal is to help improve the sustainability of organizations in Canada and abroad.

———

Elizabeth Rankin, Project Manager, CSA Standards

Doug Morton, Director, Life Sciences & Business Management, CSA Standards

———