|
As part of Cura's continuing Executive eBriefing Series on Enterprise Risk Management, we hosted a live Web-based presentation and open Q&A session in December 2008 for our clients and friends. This month's session featured Mr. Grant Purdy, a nominated expert on the ISO working group which recently wrote ISO 31000, the new global standard for Risk Management.
|
Developed in concert over the last 3½ years by over 30 ISO member organizations worldwide, ISO 31000 is arguably the most concise, clear, flexible set of guidelines ever developed for risk management. Mr. Purdy discussed with our audience how ISO 31000 represents a durable, flexible framework for developing a solid risk management culture in all forms and sizes of organizations. |
|
Incidentally, in our experience, we have never seen a more lively, attentive and engaged online audience for any topic than we had for this one. Officials from a broad array of industries were treated to a thoroughly informative dialogue. Here we present some of the fascinating highlights of the Q&A session with Mr. Purdy and our audience. We hope you find it helpful.
|
Q: How has our understanding of risk and how to manage it changed? |
|
GP: The way we think about risk and how we define it has changed greatly over the last 30 years. Even today, some professions and organizations define risk almost strictly in terms of adverse events, hazards and negative outcomes. Over the most recent decade, and exemplified in one of the most broadly adopted current standards, the Australia/New Zealand (AS/NZ) 4360, the definition has broadened to: "The chance of something happening that will have an impact on objectives." Now, with ISO 31000, we have defined Risk as: "Effect of uncertainty on objectives." Risk is simply concerned with the juxtaposition between objectives and the factors of the environment (both internal and external to the organization) in which they are pursued. |
|
In the past, risk has been equated solely with hazardous events and was often regarded as something that you tried to transfer away. Now we appreciate that risk is inherent to business and life and that you need to take risk to prosper, derive benefit and obtain enjoyment. Transferring risks is not easy and is often not the most cost-effective form of risk treatment, as in most cases you just get a different type of risk transferred back. This is why we call that approach to risk treatment 'risk sharing' - which is really just a way to change consequences. Risk is about the uncertainty inherent in any worthwhile endeavor, in whatever we want to achieve. Risk should not be described as either negative or positive, but the consequences can be positive and/or negative - it all just depends on your point of view. The context for risk is always our objectives - what we seek to achieve - and therefore, critically, to be effective, risk management must be regarded by senior managers as essential for the achievement of the organization's objectives. Managers must be proficient in the management of risk to ensure that their organization achieves that which it sets out to do.
|
Q: What differentiates ISO 31000 from other standards? |
|
GP: I've worked in risk management for over 32 years, and have seen a considerable evolution in standards. Some were risk silo-specific, some have been written just to suit particular agendas or specific legislative environments. The Australian and New Zealand Risk Management Standard AS/NZS 4360 has existed for 13 years now and has become a de facto global standard used by many thousands of organizations of all shapes and sizes around the world. We have revised that standard on three occasions, taking into account all the practical lessons learned in the many organizations that have based their approach to risk management on it. ISO 31000 is based on AS/NZS 4360:2004 but has been improved further by the risk management experts representing over 30 countries on the ISO working group. The resulting set of guidelines is authoritative, a paramount standard of the same standing as ISO 9000 or 14000, which is applicable to all types of risks and to all types and sizes of organizations - from small non-profits to complex global corporations.
|
Q: Describe some features of the ISO 31000 Standard that make it so appealing.
|
GP: The ISO standard is succinct, comprising only about 20 or so pages. It represents an easier, more accessible, more immediately applicable document. The standard not only describes the core, stepwise risk management process but precedes this with a practical guide as to how risk management should be established within the organization and integrated with its key processes to ensure that it is successful and so that it is sustained and remains relevant and appropriate to the organization, its context and its needs. The standard is associated with a standard vocabulary of terms whose adoption is mandated for all standards writers throughout the world. For once, we will now all have one set of definitions and one simple approach to the implementation and practice of risk management.
|
Q: Is there a certification process? |
|
GP: No. The standard has been written so that you cannot certify against it. This is specifically precluded in the scope of the standard. The reason for this is that the experts on the working group felt that organizations should not waste their efforts just seeking to gain a certificate. As the first principle of good risk management given by the standard says: risk management must add value. Certification can lead to a 'compliance culture' attitude to managing risk, and we know that this is very detrimental, dilutes ownership and accountability, and significantly reduces the effectiveness of the risk management process.
|
Q: What are the key take-aways for companies? |
|
GP: ISO 31000 will be a natural and worthy successor to legacy standards like that from Australia and New Zealand. It will fit ERM (Enterprise Risk Management) requirements, but also will allow silo/project risk management if that is what you want to do. In the spirit of risk management being concerned with the seeking and realization of opportunity (as well as the avoidance of loss) organizations should now start planning how they will benefit most from the new standard. They should start now and use the draft standard as an opportunity to benchmark their current approaches to risk management and develop their risk management improvement plans. I am convinced that ISO 31000 will help organizations treat the risk in risk management. |
|
Q: If companies want to get acquainted with ISO 31000, what is the best way to go about it? |
|
GP: Get a copy of the draft Standard and Guide from the ISO31000 Downloads at http://www.curasoftware.com/Downloads/ISO31000-Draft.pdf. Contact Cura for the accompanying Guide. Compare your approach to risk management against the Principles of Good Risk Management (Clause 4) and the Attributes in the Annex. See if your framework matches that described in Clause 5 and see if your risk management process follows Clause 6. If not, create a risk management plan! You probably won't find a more effective model, whatever your goals, needs or risk appetite. |
|
About Grant Purdy
|
Grant Purdy is an Associate Director of Broadleaf Capital International. Grant has specialized in the practical application of risk management for over 30 years, working across a wide range of industries and in many countries. He is a recognized expert on enterprise and strategic risk management, specializing in the tactics for the take-up, customization and embedding of 'bespoke' risk management frameworks and systems. Prior to working with Broadleaf, Grant was manager of risk management for BHP Billiton, the world's largest resource company. He led the team that implemented a global ERM framework that is recognized as world best practice in the resources sector. |
|
About Cura Software |
|
Cura software solutions enable businesses around the world to quickly achieve the bottom line benefits of enterprise-wide governance, risk management and compliance (GRC), coupled with performance management. Cura does this through fast implementation, easier configurability and true enterprise architecture. |
|
Cura is used by over 200 customers such as BHP Billiton plc, Westfield, Allianz, Old Mutual plc, GlaxoSmithKline, Standard Bank, Virgin Blue, Vodacom, as well as governments and consulting firms world-wide. Cura has offices in New York, London, Sydney, Melbourne and Johannesburg, and has distributors in 10 countries (South America, Middle East and Asia). For more information, visit http://www.CuraSoftware.com. |