A revised version of ISO 31000 was published in 2018 to take into account the evolution of the market and the new challenges faced by businesses and organizations since the standard was first released in 2009.
What are the main differences?
ISO 31000:2018 provides more strategic guidance than ISO 31000:2009 and places more emphasis on both the involvement of senior management and the integration of risk management into the organization. This includes recommendations to develop a statement or policy that confirms a commitment to risk management, to assign authority, responsibility and accountability at the appropriate levels within the organization, and to ensure that the necessary resources are allocated to managing risk.
The revised standard now also recommends that risk management be part of the organization’s structure, processes, objectives, strategy and activities. It places a greater focus on creating value as the key driver of risk management and features other related principles such as continual improvement, the inclusion of stakeholders, being customized to the organization and consideration of human and cultural factors.
The content has been streamlined to reflect an open systems model that regularly exchanges feedback with its external environment in order to fit a wider range of needs and contexts. The key objective is to make things clearer and easier, using plain language to define the fundamentals of risk management in a way that the reader will find easier to comprehend. The terminology is now more concise, with certain terms being moved to ISO Guide 73, Risk management – Vocabulary, which deals specifically with risk management terminology and is intended to be used alongside ISO 31000. Work has commenced on a terminology standard and implementation handbook to further enhance the understanding and applicability of the standard.