Risk management - without risk management systems

The new risk management standard: ISO 31000

The International Organization for Standardization (ISO) has spent years developing the ISO 31000 family as a top-level standard for monitoring risk management processes. The Aachen-based Steinbeis Transfer Center for Risk Management is now combining the concept of “standards as new business standards” with businesses’ future needs to manage risk. How? With its own innovation: “risk management without a risk management system”.

The ISO 31000 standard comes into effect in autumn 2009. It is by no means compulsory, but it does act as a guideline – albeit one expressly unsuited to use in certification. The standard makes recommendations as a general template for all risk management activities undertaken in a business. This includes a general risk management process, a toolkit and standard vocabulary. If necessary, specific risk management activities can still be certified.

ISO 31000 is a new type of standard – a kind of “entrepreneurial standard”. Companies can decide for themselves whether to use it, and if so, how – making decisions based on their own individual criteria, in light of and in line with ISO 31000. The benefit which this standard brings to companies is the impetus it provides to both strategic and operational levels.

Based on specific requirements, companies often use risk management on a standalone basis – such as for finance or certain products. They generally do not want to invest too much time and money in a system for managing risk throughout the whole company. They prefer to conduct their own evaluation rather than rely on third-party certification of their management system.

The Steinbeis Transfer Center for Risk Management has based its concept of “risk management without a risk management system” on the definition of risk given by ISO 31000: “the effect of uncertainty on objectives”. This interpretation of risk provides an approach for integrating risk management into a company’s objective management system. All risks are matched to the objectives of the company. The objectives and corresponding risks are not just of a financial or material nature – they also include strategic risks. The concept suggests that firms use risk management as part of overall objective management, based on balanced scorecard techniques.

Based on this approach, the Steinbeis Transfer Center for Risk Management provides a variety of services centering on the new ISO 31000 risk management norm. This includes consultation and implementation for all types of companies and organizations, plus training and courses, and publications.

The Steinbeis specialists believe that the ISO 31000 standard will encapsulate companies’ understanding of risk and opportunity: ensuring that a company achieves its objectives, and safeguarding the values underpinning company objectives. The standard will help companies overcome the problem of specialization and fragmentation associated with risk management within a company, offering businesses a framework for risks and all kinds of requirements to be placed on risk management. Matching objectives with risks defines ownership of the risk. The standard will make it easier for companies to simplify risk management for customers and other parties placing requirements on the business. Focusing on objectives and processes provides a simple basis for integration into the company, delivering maximum benefit from the standard.
