ISO 31000 The new age in risk management begins in October

by Alberto Bastos

As of October 2009, corporations of all sizes and industries will be faced with a new universal standard focused specifically on risk management, ISO 31000: Principles and guidelines for risk management. The new guideline was developed by the International Organization for Standardization (ISO) in response to the need to harmonize the existing norms, regulations and frameworks related to risk management.

The standard, which may be applied by companies and individuals alike and includes guidelines for implementing risk management within organizations of any type, size and segment, stems from the need of corporations to address the uncertainties that can have an impact on their objectives. These objectives may relate to different corporate activities, ranging from strategic initiatives to operational tasks, processes or projects. As such, the principles may be applied to the different types of risk handled by several departments within the organization, such as finance, project management, and health and safety. They also encompass the modern concept that risk is not only a threat but also an opportunity: the uncertainty that affects objectives can have a positive as well as a negative effect.

Until now, there has been no consensus on the terminology and concepts used in risk management. This has made it difficult for organizations to integrate their different risk management functions and activities. Typically, risk management ends up being addressed in an isolated manner, which leads to the spread of the so-called silos or departmental "islands", each area of the organization using its own terminology, systems, criteria and concepts.

As a result, the greatest challenge faced by ISO 31000 lay in establishing a common terminology and standardizing best practices and frameworks so that organizations could embed risk management in their processes. Since this is a harmonization initiative in line with the integrated view of ERM (Enterprise Risk Management), the new norm does not contradict existing standards such as ISO/IEC 27005, the technical standard focused on information security risk management; it provides general guidelines and is aligned with those more specific sets of rules.

Similar to ISO 9000 (Quality Management) and ISO 14000 (Environmental Management), which became the references for managing these issues within organizations, the launch of ISO 31000 will provide countries worldwide with a set of internationally recognized guidelines for managing risk. Through the Brazilian Association of Technical Standards' (ABNT) Special Study Commission on Risk Management, Brazil plans to remain on the leading edge of this movement. The Brazilian version of the norm is currently under development with the support of risk management experts from organizations throughout the country; it will take local requirements into account and will likely be launched at the same time as the original version.

*Alberto Bastos is a founding partner of Modulo, a global leader in IT Governance, Risk and Compliance Management automation, as well as the Coordinator of the Brazilian Association of Technical Standards' (ABNT) Special Commission on Risk Management Guidelines.
