10 Takeaways From the ISO 31000:2018 Risk Management Guidelines

“Dealing with risk is part of governance and leadership, and is fundamental to how an organization is managed at all levels.”International Organization for Standardization

In February 2018, the International Organization for Standardization (ISO) released an updated version of its risk management guidelines, ISO 31000:2018, which can be purchased for about $95. The 2018 update, which replaced the prior version from 2009, provides:

  • Updated and simplified language and reference structures;

  • A renewed focus on the key leadership role that boards and top management must play in ensuring that risk management is fully integrated at all levels of the organization; and

  • Greater attention to the cyclical and iterative nature of risk management, which underscores the notion that organizations must evaluate their risk management process in light of new information or in response to feedback about gaps that might be present in the current risk process or associated controls.

Breaking Down ISO 31000:2018

In a world where standards often weigh in at hundreds of pages, the 16 pages of ISO 31000:2018 constitute a succinct and concentrated guide to help organizations improve the way they manage their risks. The document, which can be read in about one hour, consists of four major sections:

  1. The definitions of key terms such as risk, risk management, stakeholder, risk source, event, consequence, likelihood and control;
  2. The principles of risk management — namely, that risk management is integrated, executed via a structured and comprehensive approach, customized, inclusive, dynamic, based on the best information available regarding both human and cultural factors, and continuously improved;
  3. A framework for ensuring that risk management is properly implemented, well-integrated throughout the organization, carefully designed, regularly reviewed, and continuously adapted and improved; and
  4. A section on the risk management process itself, including the traditional elements of risk identification, analysis, evaluation and treatment, bolstered by a monitoring and review element as well as a communication and consultation element — the former to improve the effectiveness and quality of the risk management process, and the latter to ensure that “factual, timely, relevant, accurate and understandable” risk information is being communicated and used for decision-making.

Five Takeaways for Boards and Top Leadership

While ISO 31000:2018 is far from the only document covering enterprise risk management, one would be hard-pressed to find a more succinct set of principles for implementing and evaluating a risk management process. But brevity isn’t just the only benefit of this document. Below are five of the top takeaways from ISO 31000:2018 for board directors and top management.

1. Executive Buy-In Is Key

The document includes clear language about the importance of strong leadership and commitment to the risk management program. Executives should ensure that the risk management process is fully integrated across all levels of the organization and strongly aligned with objectives, strategy and culture.

2. Consider Risks in Business Decisions

ISO 31000:2018 also includes reminder that boards are responsible for ensuring that risks are given adequate consideration when decisions are being made, since those risks can impact the organization’s ability to deliver value.

3. Emphasize Proper Implementation

Boards also need to ensure that the risk management process is properly implemented and that the controls have the intended effect. Board directors may not have adequate domain expertise to fully grasp the significance and impact that cyber risks present to the organization. In such cases, they should bring in an external advisor to provide context and ensure that management’s actions are in line with the strategic importance of the cyber domain.

4. Risk Management Is Not One-Size-Fits-All

The document has a clear articulation of risk management as a cyclical process with ample room for customization and improvement. But instead of prescribing a one-size-fits-all approach, the ISO document advised top leadership to customize its recommendations for the organization — in particular, its risk profile, culture and risk appetite.

5. Be Proactive

While the document does not address cyber risks specifically, it provides powerful guidance to help executives take a proactive stance on risk and ensure that risk management is integrated with all aspects of decision-making across all levels of the organization. This includes business continuity, compliance, crisis management, HR, IT and organizational resilience.

Five Takeaways for CISOs

While top leadership would obviously benefit from reading and implementing the recommendations articulated in ISO 31000:2018, chief information security officers (CISOs) can also derive value from the guidelines. Below are five takeaways for CISOs.

1. Throw Out the Techno-Babble

The document provides a common language with simple, uncomplicated definitions of risks, events, consequences and the subtle implications of terms such as probability versus likelihood. The ISO document prefers “likelihood” for its broader meaning as the “chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically.”

CISOs should align their own use of terms to ensure communications are taking place without the hindrance of complex language or, worse, techno-babble. If a metric is too complex, it should not be shared with the board. However, it might still be useful as part of a larger metric representing trend lines on the organization’s overall cyber health and resilience.

2. Know the Cyclical Nature of Risk Management

ISO 31000:2018 focuses on the cyclical nature of risk management, helping security leaders understand and control the impact of risks, especially cyber risks, on business objectives. The various elements of the guidelines — from the principles to the framework and process — converge to improve and strengthen the organization’s ability to evaluate, communicate and consider risks in business decisions, and to select controls to help mitigate or transfer risks to fit within organizational tolerances.

3. Use the Best Available Information

Much of risk management is centered on the best available information, with all the ambiguity and imperfections the term implies. Instead of seeking to only share absolute risk information, CISOs should embrace this nebulous understanding and reflect on the cyber risk data they provide to solidify their role as effective advisors to the business.

The data CISOs provide should be relevant and understandable, delivered within a reasonable time frame and qualified with appropriate statements regarding its accuracy. This is especially true when responding to a cyber incident because the quality of the information that is initially available is often very different from the data revealed by a forensic review.

4. Measure Success

The guidelines also emphasize the value of measuring, evaluating and improving the risk management system itself. The idea isn’t to get everything right the first time around, but to improve every time the cycle is completed. Even imperfect risk data can be useful, as long as it is presented along with a timeline showing a trend. Flat trend lines might be acceptable for some risks and controls, whereas for others, top management and board directors should expect to see clear signs of progress. Ultimately, CISO reports should provide quality information to executives.

5. Engage Top Leadership in Risk Management

The ISO guidelines, together with the “Director’s Handbook on Cyber-Risk Oversight,” published by the National Association of Corporate Directors (NACD), outline a road map to help CISOs engage with top management on the governance of cyber risks. Both of these documents were created for business leaders, but they are also useful resources to help CISOs guide the thinking and activities of executives.

Ready to Get Started?

A companion summary of the changes outlined three action items to help CISOs and business leaders get on the path to improved risk management, which are outlined below.

  1. “Be aware of your organization’s key objectives”: Having clearly articulated objectives is key to identifying risk management targets and requirements.
  2. “Assess your current governance structure”: This helps business leaders ensure that lines of reporting and roles/responsibilities are adequate, that the board has unobstructed access to CISOs and that CISOs have proper visibility and support.
  3. “Define your level of commitment”: Organizations should precisely state and share their commitment to the risk management process, and consciously evaluate both their risk tolerance and where they should be on the risk appetite scale.

Whether you’re ready to implement your first risk management process or looking to improve an existing one, the ISO 31000:2018 guidelines can help manage uncertainty while protecting value. When it comes to cyber risks, organizations cannot afford to take a wait-and-see approach.

Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato...