ISO 31000 Risk Management - Principles and Guidance
By François Masquelier, Head of Corporate Finance and Treasury, RTL Group, and Honorary Chairman of the European Association of Corporate Treasurers
The ISO 31000 international standard, which addresses the principles of risk management, is a crucial standard for risk managers (CROs) and treasurers. What principles lurk behind that fearsome figure? What basic principles should guide and drive our corporate risk management procedures? This standard is the basis that should guide us in our day-to-day management process. ‘31000’ is a figure that you will never forget in the future, you can be sure of that.
“ISO standards, what does that mean?”
The ISO (International Organization for Standardization) standards include a risk management standard that lays down its principles and guidelines (first issued in 2009 and revised in May 2017). This is the famous ISO 31000. You have probably heard people talk about it without being too sure what it covers. But it would be a very good idea to consider what an ISO standard involves. A standard is a document that lays down the requirements, specifications, guidelines and characteristics to use systematically to ensure that materials, products, processes and services are fit for purpose.
The ISO organisation has published over 21,000 international standards, all of them readily accessible. But what benefits do these ISO international standards actually bring? They guarantee that products and services are safe, reliable and of good quality. For businesses they are strategic tools for lowering costs, increasing productivity and reducing wastage and mistakes. They are the symbol of good management, with companies certified in one field or another. A counterparty, customer or stakeholder may even require that the company be ISO-certified in this field or that. They pave the way to new markets and lay down the rules of the game fairly, enabling you to demonstrate that you are best in class and right up to date with standards that are regarded as best practice.
Organisations and other bodies, regardless of size, are confronted with a range of factors and influences that make their future and their results uncertain. The question of whether, and when, the business can achieve its objectives therefore becomes crucial. This element of uncertainty that affects every business is nothing more or less than what is commonly called ‘risk’. All business activities, even outside treasury management, involve risk-taking. We manage risks by identifying them, by analysing them, by assessing whether they need appropriate handling to mitigate or avert them, or by deciding whether they can be borne as they stand. After following this process, we have to inform the stakeholders of how we are monitoring risk, how we are handling it and what controls we are putting in place to track and contain it.
The aim of this standard is nothing less than setting out a systematic and logical approach to be applied to risk management in general and financial risks in particular. Why not govern risk management in just the same way as we manage a whole host of other processes in a documented and organised manner? Risk has had its own standard for a number of years; but this standard has changed, and today it has become the authority that we have to follow. Even though risk management practice may have come a long way over the years, implementing it by applying a rigid set of instructions is not a good idea. Using a clear framework increases the assurance that management will be efficient, effective, coherent and appropriate. This is where ERM (enterprise risk management) and treasury management come into their own. Why not opt for ISO 31000 in your treasury management process?
Implementing ISO 31000
Implementing a standard of this type will, for example, increase the likelihood of achieving your goals and encourage proactive risk management. You are more likely to be aware of the need to identify and handle risks throughout the whole organisation, to identify opportunities and threats better, and to comply with the various legal and regulatory requirements imposed by national bodies in particular. It is likely to result in better reports, both mandatory and optional, and to improve governance, to bolster confidence, and to reassure stakeholders.
Relationships between the risk management principles, framework and process