ISO 31000 (2018) Observations No 2 – Principles of Risk Management

Like ISO 31000 (2009), this new version has a list of risk management principles. They have been updated and, although somewhat improved, they remain disappointing. Our advice is to use them with caution – some of the stated principles are less than helpful – and some essential principles are missing. A couple of examples will suffice to illustrate.

  • PRINCIPLE 8 is the statement of a simple, obvious truth – that “Human behaviour and culture significantly influence all aspects of risk management …”. The problem is that, while true, it does not help us to design effective risk management frameworks. It’s like saying “Structures and accountabilities in organisations matter”. Yes, sure. So what?
  • SENSITIVE RISKS. A complete approach to risk management should recognise some important factors that are not covered by these guidelines. For example, it is evidently true that some risks are important, yet are difficult to safely write down in a risk register or report because they have personal or other implications. They are ‘sensitive’. For completeness, ISO 31000 should include a principle something like: “An effective risk management framework recognises that some important, sensitive risks will need to be dealt with other than through formal written risk registers or reports.”

These are just two examples. Our advice – don’t ignore the principles expressed in ISO 31000 (2018), but treat them as an imperfect, incomplete list.

If you want to see an alternative set of principles, feel free to contact us.