ISO 31000 – The Proposed New Risk Management Standard


I just read an article about the proposed new ISO 31000 standard in the Enterprise Risk magazine ( of March 2009.

In the article, the author and ex – Chairman of IRMSA, Steve Winks writes about the new way to define risk i.e that risk will be defined as ‘’the effect of uncertainty on objectives’’

The central issue of the definition is "objectives" -that is, the objectives of the individual or entity concerned.

The change in definition shifts the emphasis from "the event" (something happens) to "the effect" which is the effect of the event on objectives. So, the "risk" isn’t the chance of having a fire (for example) but the chance that value will be destroyed and or income flow disrupted (assuming preserving value and income flow was part of the objective).

From both definitions, it can be seen that risk is particular to the objectives of the individual, organisation (or even society) and that it arises because those objectives are pursued against an uncertain background. Although the individual or organisation controls their objectives, they cannot control or predict the background environment fully in which they operate. And it is this background environment, overlaid on the particular objectives, which generates uncertainty and thus risk.

Because risk is directly linked to objectives, it is obvious that risk is not inherently "bad". Many objectives can only be achieved by being willing to accept at least some risk. If risk can be managed effectively, opportunities can be exploited. Risk is generated by every decision that is made by an individual, organisation or society – small wonder that it is beneficial for individuals, organisations and governments to become increasingly proficient at understanding risks and knowing whether, how and when to "treat" those risks in order to improve the chance of realising objectives.

Risk is best characterised by describing both the effects (referred to as "consequences") and the chance of experiencing those consequences (known as "likelihood"). The level of any particular risk can be expressed by combining the two considerations (i.e. the potential consequence in terms of the objectives, and the likelihood of those consequences being experienced). If the resulting level of risk is either too high or too low for the entity whose objectives are at risk, then the risk can be treated so as to adjust the size of the consequences and/or the likelihood of experiencing those consequences.

I must say that this in line with my thinking and advice to clients.

When it comes to reputation risk, it is important to discern between a reputation event and reputation risk. (See words in bold above).

a Reputation event includes any action, incident or circumstance which induces, or is likely to induce, reputation risk for an organization. For example, such an event may arise from market rumours, severe regulatory sanctions, or heavy financial losses. Some of these events, if not acted upon swiftly and effectively, may turn into a full-blown crisis (e.g. a bank run).

Reputation risk means the risk that an organization reputation is damaged by one or more than one reputation event, as reflected from negative publicity about its business practices, conduct or financial condition. Such negative publicity, whether true or not, may impair public confidence in the institution, result in costly litigation, or lead to a decline in its customer base, business or revenue.

This uncertainty is what makes reputation risk so difficult to quantify or predict. Reputation Risk management therefore needs to include elements of reputation event or incident management, reputation risk consideration, environmental scanning and issues management.

Quite a mix! The starting point in managing reputation risk in an organization starts with a simple question. Is Reputation Risk a strategic risk on its own or a consequence of a risk?

For more information about the importance of definitions, go to my page –

In the past, reputation risk management was confined to damage control and fire- fighting after the event or crisis (Reactionary Approach – Reputation Event or Incident management). Now there has been a paradigm shift towards a Proactive approach which includes building up “reputational capital” before an event (problem or crisis0 arises.

To build reputational capital and minimize reputation risk requires an understanding of the drivers of corporate reputation and the risk and opportunities that each driver offers. That knowledge coupled with the understanding that no Company, organisation or individual whose livelihood depends on public support can afford to function without a reputation building and a crises communication plan will enable companies to formulate robust strategies for building, sustaining and protecting corporate Reputation.