Still room for improvement in ISO 31000

ISO 31000, the international standard for risk management, fails to pay enough regard to risk governance, said Paul Hopkin, technical director of the Association of Insurance and Risk Managers in the United Kingdom.Hopkin spoke on a panel discussion about ISO 31000 at the Risk and Insurance Management Society’s annual conference in Boston on Apr. 27.ISO 31000 was published in 2009. It is essentially the amalgamation of several risk management standards from around the world, primarily those of Australia, the United Kingdom and South Africa.The fledgling standard still has room for development, including in the areas of risk reporting and risk disclosure, Hopkin said.“I think there’s one reference to risk reporting in ISO 31000,” he said. “But if you look at something like the Sarbanes Oxley Act, and new regulations for financial institutions, then reporting how you undertake the governance of risk in your organization is becoming increasingly important for companies. “I would argue the [ISO 31000] standards as they are currently formulated don’t have enough to say about auditing, reporting and disclosure.”