Revision of ISO 31000 Risk Management Guidelines - Draft available
ISO 31000, the international standard for Risk Management - ‘Risk Management – Principles and Guidelines’ - is now available for public consultation.
The decision to review ISO 31000 was taken in Chicago in 2013 and now, 4 years later, a draft version of the proposed updates to the ISO 31000 document is available for users to see.
The next steps will be a review of the comments submitted that will modify the text further and then a ballot by ISO members to move to the final publication. The next ISO meeting is being held in San Francisco in July 2017 and this suggests publication of the revised risk management standard perhaps early in 2018.
The draft of the standard for review and comment is now available on the BSI Draft Review system at https://standardsdevelopment.bsigroup.com/projects/76477a8f8de94a1e1d5c675e02973077. [registration required - Closing date for comments 11th April 2017]
In the same time period three other risk standards have been proposed by ISO/TC 262 covering disruption related risk, supply chain risk management and legal risk. Two of these, the disruption and supply chain risk standards, have failed to make the grade and have recently been officially dropped, but the legal risk standard (ISO 31022) is now in development with the national standards bodies of China and the UK jointly leading the work. There is also a revision of ISO 31010 Risk Assessment Techniques underway and ISO Guide 73 on terminology will likely be revised following completion of the revision of ISO 31000.
Continuity Forum Policy Working Group Members can contact us directly to discuss the process and to obtain copies of the document for comment. Continuity Forum Chairman, Russell Price, is currently the Chair of the BSI Risk Management Committee, as well as a member of the ISO Strategic Advisory Group and Committees responsible for 31000 and 31022.
In September 2013 ISO/TC 262 decided in Chicago to carry out a limited revision of ISO 31000 ‘Risk Management – Principles and Guidelines’.
Initially it was agreed that only minimal changes would be made to the standard while the committee looked at the potential for more substantial revision. However, eighteen months later, in March 2015 at a Working Group 2 meeting in Paris, it became clear that a more comprehensive revision would be needed and the work was ‘upgraded’ to a fuller revision of the standard.
Since then, at ISO/TC meetings in Brazil, Russia and Jordan, there has been considerable work and debate on the DIS (draft international standard) as the committee tried to achieve international consensus. The most recent meeting in Jordan provided the impetus and key changes necessary to move the standard forward and out of its committee stages making it available for wider comment.
This DIS is at an extremely important stage and we recommend that you review it very carefully in the context and wider activities of your organisation. The commenting process provides a real opportunity for those with risk responsibilities to give feedback to the committee on any issues or opportunities to improve the standard before it becomes a National and International standard. The process gives you the chance to suggest areas you would like to see adapted or removed and even add new elements that would benefit users in the front line.
Below, some of the changes to the 2009 version of ISO 31000 are summarised, with a few words on why the changes are being proposed:
Introduction, Scope and Terminology
In the committee commenting stages there was a strong desire to address the proliferation of terms that could impair the ease of access to the standard or add to confusion across sectors for many users. There was also support for more detailed and precise guidance, though this ran the risk of adding to both the length and complexity of the standard. There was considerable discussion on fundamental issues on the role of standards. Ultimately the decision was made to simplify the text and use other documents, such as ISO Guide 73, to provide additional information to those that need it.
The Introduction and the Scope have followed this position of simple language and generic principles to clearly identify WHO the standard is for, WHAT needs to be done and what ISO 31000 should PROVIDE.
It should be noted that there was some convergence, from initially very different positions, from members of the technical committee, and in some cases National Mirror Committees, towards a shared vision of best practice in global risk management. The strengthened generic nature of the standard can hopefully provide for confidence between experts and end users who each have specific problems in risk but need to understand and communicate with other stakeholders.
The vision was to phrase a framework clause that provides guidance that is relevant for every possible user of the standard.
This view was formed at the Moscow meeting and stuck to while resolving the comments on the technical committee draft reviewed in Jordan. A common theme found in the comments was the addition of concepts or examples specific to countries or industries. Our main challenge was to find a fair and sensible balance between supplementing the chapter with necessary concepts and not losing sight of all other users.
The message TC 262 would like to pass on to the reader of the DIS is to critically assess if the current draft provides the required guidance while still remaining relevant to all organizations, in all countries. It is important to keep in mind that we are not drafting an American or European standard, a public sector or financial services standard, but rather a generic international standard.
The clauses on process have probably been the area that has received most comments during the revision. Care needed to be taken in considering all the points raised, and discussions on the right way forward took considerable time. The result was agreement that the text needed to be reduced quite a lot, but that an appropriate balance had to be found between giving guidance with enough detail and not turning the guidance offered into a school textbook.
The final DIS text has not dramatically changed the 2009 version and all steps in the process have been kept. However, more complex language has been edited and reduced and accordingly the revised text is shorter and more precise and hopefully the user will find it much simpler to read.
Principles and Annexes
The review and comments resolution of the committee draft on ‘principles and annexes’ contained in ISO 31000 resulted in an effort to make the text provided on each of the 9 Principles clearer and more succinct.
From the comments made by the contributing experts it was clear that Annex A should be removed and instead the topic dealt with separately through a New Work item proposal to address risk management maturity.
Before being sent to ISO the draft of the DIS was endorsed by the working group (WG2) and reviewed by an editorial team who checked for typographic issues and consistency across the different sections. The new DIS is shorter than the original version of ISO 31000 from 2009, more precise and easy to read.
There are substantial improvements that the committee feel will benefit the users of the standard, such as the inclusion of the importance of human and cultural factors as well as the embedding of risk management within decision making, which is now more strongly emphasized. The title has slightly changed as well: “ISO 31000 Risk management – Guidelines”.
The overall message of ISO 31000 stays the same: the risk management process is an integrated part of strategic and operational management.
The next steps of the revision process are translation into French followed by comments and ballots from the National Standardization Bodies. The Working Group next meets on July 10th – 14th, 2017 in San Francisco to work on finalizing the revision. We can expect that the new version of ISO 31000 will be published at the end of 2017 or early in 2018.
The major task to accomplish is to progress the revision of ISO 31000:2009 by finding the appropriate balance between giving guidance, with sufficient detail, and writing a textbook. The intention throughout the revision process in recent meetings has been to focus on the fundamentals and in doing so create a shorter, clearer and more concise document that is easier to read and apply.
The ISO/TC 262 committee now needs to gather feedback from interested parties on the proposed revisions to ISO 31000 ahead of possible publication in around 9 months. Please do review and pass on your thoughts and opinions.
ISO/TC 262 Risk management was created in 2011. Its scope is “Standardization in the field of risk management”. The objective of ISO/TC 262 is to produce and maintain high quality standards and other publications in the field of risk management, and to provide high-level advice and service on the management of risk. The intention is to promote harmonization within ISO documents with respect to risk and its management. There are four standards under the direct responsibility of ISO/TC 262, which has four active working groups, 52 participating countries and 16 observing countries. For more information go to riskmanagement.isotc262.org.