Thursday, June 28, 2012

ISO 31004 Wishlist

The International Organisation for Standardization [ ISO ] is about to enter into a trial review for its ISO 31004 guide.

Being an active risk manager, I believe it is important to highlight potential key topical points for inclusion in the ISO 31004 program, in the hope that the final ISO 31004 document will address some of the open-ended elements that ISO 31000 seems to omit. The risk community at large seems to struggle with some of the items listed in the attachment linked to this post, and more information, example case studies and critique from the ISO body on these specific areas of risk measurement would be welcome.

This blog lists 50 key aspects of commercial enterprise risk management which are not only common practice in some cases, but are also important for evolving the enterprise risk management field today.

ISO 31004 Wishes
ISO 31004 is described on the website for the International Organisation for Standardization as:
Risk management guidance for the implementation of ISO 31000.
ISO Standards | TC 262 Under Development
While the final publication of ISO 31004 is a long way out, even years from this point in time, this review stage is an important milestone because it will be one of the major junctures where decisions are made that may reshape the contextual direction of the final ISO 31004 work.

ISO 31000 has been gaining momentum across the planet as a best practice approach for establishing an enterprise risk framework. The simplicity of the ISO 31000 technique is both its winning X-factor and its Achilles' heel. On one hand, the ISO 31000 standard can be applied to a broad range of businesses or governments because it doesn't target technical, idiosyncratic complexities. The downside is that many risk analysts are left with a relatively empty guide that gives little insight into HOW to approach the development of a risk framework.
ISO 31000 tells the risk analyst WHAT needs to be done but not HOW to do it.
Martin Davies | Causal Capital
The purpose of ISO 31004 is to address the ISO 31000 Achilles' heel. However, it will only be tangible in the application of risk management if risk analysts across the globe contribute to the knowledge pool.

ISO 31004 Wishlist | Causal Capital [ Click link for complete list ]

I have listed 50 key aspects of risk management in this post which potentially need further clarification in ISO 31004. This is a reference point for the LinkedIn discussion on evolving ISO 31004, and this post will be referenced in that forum as well.

While I have personally had no exposure to ISO 31004, nor have I read material around its development other than what is publicly released, I still believe it is important to put forward an ISO 31004 wishlist.

The complete ISO 31004 wishlist can be found at this [ link ]

  1. I am confused, what is the difference between ISO 31004 and ISO 31000?

  2. ISO 31000 is actually an entire family of standards for risk management, where ISO 31000:2009 or what is loosely referred to as ISO 31000 is the principles and guidelines for the implementation of an enterprise risk framework.

    There are several standards one must keep in mind with respect to the ISO 31000 group; they are:

    ISO 73:2009 - Risk Management Vocabulary

    ISO 31000:2009 - The core risk management standard for principles of implementation

    ISO 31010:2009 - Risk assessment techniques

    ISO 31004 - Risk management guidance for the implementation of an ISO 31000 framework

    ISO 31004 - Will eventually be the leading practice for ISO 31000 and should become important because it will show risk analysts what other firms have done to make their risk frameworks successful.

    Much of what I have written here is actually covered in parts of ISO 31010; however, theory aside, actual practice (what is being used) for the implementation of these elements could become incredibly valuable learning material for risk analysts. It will help risk people connect the measurement techniques into the broader ISO 31000:2009 framework.

  3. I see it would be great to have actual examples or applications of the measurement techniques referenced in ISO 31010 and classed under ISO 31000:2009 section 5.4.4 displayed or showcased.

    ISO is moving towards industry accepted practice, so examples where these measurement techniques have been applied to real business problems should become very valuable intel.

    [1] We can take on board how risk measurements have been interconnected in the ISO 31000 framework, the difficulties management experienced in applying one technique over another, etc. It is that factor which will lead us from industry practice to best practice, in my opinion.

    [2] When risk managers communicate with management, they will be able to show real working examples of where a specific strategy or communication technique was applied and what the success rate was.

    For me, this isn't about learning what to do but about understanding what people are doing, HOW they did it and WHY that HOW works, if that makes sense.

  4. An overview of how ISO 31004 is being built, please visit: http://www.slideshare.net/fdecicco/iso-31004-wd2

  5. As I said on the G31000 LinkedIn group:

    "Very interesting and thank you for sharing. I see all sections as important and one does seriously hope that annex E,F,G are going to be substantive."

  6. For those that are asking about the link here, the slides have been removed from slideshare.net at the request of the ISO 31004 working group; well, that is what was posted in the G31000 forum.

    Please note, I did not post the slideshare link up on this comment forum nor am I responsible for it. It is not my work and I am not able to organize a replacement link, please stop asking.

  7. Well... your wish list is great, but not for an ISO, rather for a policy based on the ISO. The ISO SHOULD stay technology agnostic so that its implementation is available regardless of your infrastructure and organisational setup. Furthermore, going through the list I see you are looking for processes; if that is the case I'd defer that topic to the time when your company has defined what tools are to be used, just because those are going to come with some of the processes you are looking for. The way I'd think one should be going about having good risk management is by embracing ISO 31004, assessing its applicability in the context of its business model, defining the tools to enable good risk management practice, understanding how these tools can provide maximum return on investment, modifying and adopting those processes that come with the acquired tools in such a way that the above is accomplished (maximum return...), creating those adjacent processes to enable tools integration and to integrate ISO 34001 with all other applicable ISOs... I know this can be confusing but it is THE ONLY WAY to minimize your capex and maximize your ROI and maturity level.
    Just my $.02
    Bogdan D