Update to ISO 31000 (2018) observations # 2 – principles of Risk Management

Updated: Feb 2, 2022

Like ISO 31000 (2009), this new version has a list of risk management principles.  They have been updated and although somewhat improved, they remain disappointing.  Our advice is to use them with caution - some of the stated principles are less than helpful - and some essential principles are missing.  A couple of examples will suffice to illustrate.

  • PRINCIPLE 8 is the statement of a simple, obvious truth - that "Human behaviour and culture significantly influence all aspects of risk management .....".  The problem is that, while true, it does not help us to design effective risk management frameworks.  It's like saying "Structures and accountabilities in organisations matter".  Yes, but so what?  In this case, an appropriate principle could be "Effective risk management frameworks explicitly recognise and respond to the critical role of culture and associated behaviours".  This is useful because we can use it as a guide to framework design.  We can also use it to test the efficacy (maturity) of our risk management framework.

  • SENSITIVE RISKS.  A whole approach to risk management should recognise some important factors that are not covered by these guidelines.  For example, it is evidently true that some risks are important, yet are difficult to safely write down in a risk register or report because they have personal or other implications. They are 'sensitive'.  For completeness, ISO 31000 should include a principle something like: "An effective risk management framework recognises that some important, sensitive risks will need to be dealt with other than through formal written risk registers or reports."

  • RESPONDING TO SYSTEMIC AND INTERCONNECTED RISKS as a whole, in order to optimise total risk outcomes rather than working risk-by-risk, is crucial for the effective management of interconnected, complex risks.  It is inherently more powerful and effective than prioritising risks based on likelihood and consequence. The absence of a risk management principle guiding leaders to work 'systemically on all risks at the same time' is a major gap in the approach taken by ISO 31000.


These are just three examples.  Our advice - don't ignore the principles expressed in ISO 31000 (2018), but treat them as an imperfect, incomplete list.  Be prepared to challenge and adapt them.

If you want to see an alternative set of principles, feel free to contact us.
