IGTA Journal - Autumn 2017

into the management system of the company, organisation or public institution, and it introduces principles (11 in all) that guide the decisions on risk management actions. These contributions enable the risk manager or treasurer to tackle, coherently and explicitly, many aspects of the risk management process that usually interact with it chaotically and implicitly. These, for example, may include multiple possibly conflicting objectives, the allocation of responsibilities (who is accountable?), or yet again the evaluation of the effectiveness of the methods and the uses of them. Risk management (in the broad sense) remains conceptual, a virtual wisp, somewhat intangible, and in the final analysis, subtle and not necessarily scientific. The work done in laying down its general framework, basic principles and jargon was not a waste. ISO 31000 is a sort of constitution, charter or founding deed that acts as the basis for any formal risk management or Enterprise Risk Management (ERM) structure. This standard encourages the whole organisation to take risk into account and provides stakeholders with assurance that these risks are being controlled better. Reporting the ability to manage risks This ability to manage risk ought to be reported to the stakeholders and form one of the key considerations when investing in a company. Its risk appetite and its response to managing risk, bearing in mind that taking (some) risks is part of the essence of all business undertakings, are all matters that need to be addressed, and the response needs to be demonstrated over time. This standard can also be a sort of "bridge" standard, opening up dialogue between business sectors by giving them a common vocabulary and framework. Finally, it helps build a body of information in the risk management field. ISO 31000 proposes a generic ERM approach but makes no recommendations on operational implementation. It suggests "right questions" to IGTA eJournal | Autumn 2017 | 36