Internal Controls Design website by Matthew Leitch (tutor, researcher, author, & consultant)
New website, new perspective: - Related articles - All articles - The author - Services

BS31100 Graphic

What's good about BS31100?
The code of practice on risk management from BSI

by Matthew Leitch 25 September 2009

In October 2008 BSI published a new standard on risk management, BS31100. Like other risk management standards it contains a lot that is common to others, it's not exactly light reading, and its guidance is a little abstract. Although I was a member of the committee that produced it and was deeply involved with a lot of the discussions and drafting, I must admit that this is not a perfect document.

However, it has lots of good bits, some of them unique and valuable contributions to the field that you or colleagues might well wish to understand fully.

There's gold in those hills, if you only know where to look and how to mine it. If you've already taken a look then the chances are your main thought was "Do we comply?" and you probably found you could argue that you do already. Now that worry is out of the way, it's time to ask a new question, "What does this standard allow me to improve?"

A more inclusive approach

This is a great question to consider because BS31100 has been written to fit around more approaches to risk management than most if not all other standards. When writing a risk management standard it's very easy to think that the answers are obvious and then just write a version that makes sense to you. Unfortunately, it won't make sense to many others. Writing for a wide range of organizations, cultures, and skill levels is much more difficult.

BS31100 went through two consultations (one is typical) and drew 2,165 comments from 129 sources. The meetings were long, tiring, and far more numerous than anyone expected. Out of this effort came something designed to fit risk management approaches from the most to the least mathematical. The way this is achieved is not obvious, which is why I've written this article.

Multiple processes

The standard has material about the 'framework' and the 'process'. These terms are somewhat misleading, but the thinking behind them is based on what is realistic.

Firstly, any organization (and even if it's just one person working alone) should do things to get better at managing risk and uncertainty. It could be training, it could be tools, it could be recruitment - anything that contributes to capability. This activity is what is covered in the material on 'framework'.

Second, any management team (even one individual) who thinks about risk and uncertainty will go through thought processes to think about particular risk items and particular controls. The material in BS31100 on the risk management 'process' is concerned with this kind of thinking.

Of course, there are lots of management teams, lots of projects, lots of products, lots of types of risk, and usually there will need to be a suitable process for thinking through risk in each team, each project, for each product, etc. Each process will have its own timetable, its own meetings, it's own documentation, though of course there can and should be communication between them. The standard suggests that these processes should be similar at some level but do not need to be identical.

In practice it is not feasible for everyone to think through all risk items in exactly the same way. Imagine an oil company. It's risk management activities range from taking care of safety on a site to build a new refinery to managing risk arising from trading energy derivatives. Should the traders stop their mathematical modelling, or should the builders go and learn some calculus? Total uniformity is not practical.

If your organization is very small it may well be that the 'framework' turns out to be the most important thing to work on, with the risk management 'process' being bureaucracy you don't need to develop very far.


The standard puts considerable emphasis on aspects of risk management that cannot be captured on a flow chart. While 'culture' may not be the best word for these, it is vital that people behave in ways that support good risk management, even when there is nobody there to supervise them, no form to fill in, no database to update, and no auditor to answer to.

Something like half the text of BS31100 is devoted to the 'framework' and to non-procedural material. In contrast, the forthcoming standard from ISO, to be numbered ISO31000 (confusingly similar), has virtually nothing.

"Upside risk"

Most people in risk management today think it makes good sense to include all potential surprises within the same management process rather than only nasty surprises. In some areas, such as safety, there is no obvious 'upside' because we naturally regard any death, injury, or illness as a negative outcome. In other areas, such as financial trading the 'upside' of investments is typically treated along with the downside.

Increasingly, risk management standards have tried to find ways to allow this kind of integrated handling of potential surprises of all kinds. The usual approach has been to divide risk items into the good ones and the bad ones, then consider each separately in a way that seems appropriate. 'Opportunities' get 'exploited' for example, whereas 'risks' get 'mitigated'.

BS31100 incorporates all potential surprises, but doesn't make that mandatory. You can do it if you want to and the logic of the standard works whether you do or don't.

In fact, BS31100 works the same regardless of whether the risk item seems mainly positive or mainly negative. It recognizes that many risk items have consequences that are mixed and often we're not sure if they should be regarded as positive or negative. Sometimes, what seems at first negative could become positive with the right management.

The logic of BS31100 has been worked out so that it applies without alteration to all these possibilities. This is a technical breakthrough.

What is much more controversial is whether the word 'risk' can be applied to potential nice surprises. If someone said "There's a risk we could win the lottery" you would think they were joking or odd. BS31100 recognizes that there is a problem with the language in this area. If you ask people, in a workshop for example, to think of 'risks' then they will list bad things that might happen.

BS31100 suggests that if you want to include potentially nice suprises in your risk management process then you may need to use words other than 'risk' to explain your approach. The standard offers some suggestions.

Incorporating risk in decision making

In recent years several influential documents have advocated setting one or more limits on how much risk to undertake, known as a 'risk appetite'. This is a very unfortunate term and the thinking around it is vague and flawed. I do not recommend this approach and if your organization has not defined a 'risk appetite' you should be pleased. A 'risk appetite' is not something you already have; it is an invention and not a good one.

However, some organizations have been forced by law or similar regulatory pressures to operate some kind of 'risk appetite' and for that reason alone 'risk appetites' do exist. BS31100 includes material on 'risk appetite' and allows for the use of such limits.

However, a 'risk appetite' is not the only basis for incorporating risk in decision making and BS31100 talks about weighing risk in decision making to remind everyone that there's more to it. Specifically, when choosing controls to implement, the objective is not just to get risk within any applicable 'risk appetite'. Once that has been achieved there may still be worthwhile things that can be done (i.e. things that are easy to do but cut risk a lot, so on any reasonable cost-benefit basis they make sense). The standard advises carrying on until there's nothing worthwhile left to do, though recognizing that resources are limited.

(The standard does not require quantified analysis of costs and benefits, though of course this can be helpful in some instances.)

Bundles of changes to controls

(Note: In BS31100 the word 'control' is used to cover all active responses to risk.)

Several past standards have been based on the idea of a risk register, which of course is a list of risk items, usually thought about as if they are separate from each other. Typically, it is imagined that decisions about what to do in respect of each risk item are taken item by item.

For some reason it is also typical to write as if people are starting from a position of having no controls in place. It is often assumed that decision making is always between (1) having a particular control or set of controls in place to mitigate a particular risk item, or (2) having nothing. Sometimes procedures require the 'inherent risk' of every risk item to be assessed (i.e. the risk level if no controls were in place) regardless of what controls are already in place or under consideration.

None of this is very realistic. Almost all organizations today already have a lot of controls in place and for some risks, such as fire, it is hard to imagine what it would be like without the routine precautions that we take. Furthermore, it is common to find that one control contributes to managing many risks.

This all implies that, in a typical meeting to discuss controls and risks, the outcome will be the choice of a bundle of zero or more changes to make to existing control system. These changes may include modifications, replacements, and withdrawals, as well as new controls. The relevant comparison is not between having controls and not having controls, but between controls before and after making the bundle of changes.

BS31100 advises taking decisions on controls in this 'bundled' way, but it does not insist on it. You can still take decisions one at a time if you can't think of a way to do better.

Unequal levels of analysis

BS31100 says that risk items should be analysed in terms of their consequences to an appropriate extent. It does not say that all risk items should be analysed to the same extent.

For example, you could have a procedure that requires a first pass, quick assessment, but then subjects some risk items to more rigorous consideration.

By the way, BS31100 does not advise rating each risk item for its probability and it's impact. You can if you really think that's a good idea or have had it forced on you, but it's not necessary.

Linked risk items

Uncontrolled aggregation is a problem for many approaches to risk management. BS31100 does not propose a full solution to the problem. However, it does take a welcome step towards a solution.

Section 4.4.3, "Analysis of inter-related risk", offers suggestions for revising a risk analysis so that the aggregation of risks is decided for good reasons rather than by accident.


It may not be the most exciting document in the world but BS31100 does have some interesting innovations subtly worked into it. One of the worst things a standard can do is block good practices and a lot of work has gone into BS31100 to minimise the extent to which that happens. Consequently, if you want to see improvements in risk management at an organization you are involved with then the new document could support improvements that other standards are not open to.

© 2009 Matthew Leitch
New website, new perspective: - Related articles - All articles - The author - Services

If you found any of these points relevant to you or your organisation please feel free to contact me to talk about them, pass links or extracts on to colleagues, or just let me know what you think. I can sometimes respond immediately, but usually respond within a few days. Contact details

Matthew Leitch - Author

About the author: Matthew Leitch is a tutor, researcher, author, and independent consultant who helps people to a better understanding and use of integral management of risk within core management activities, such as planning and design. He is also the author of the new website,, and has written two breakthrough books. Intelligent internal control and risk management is a powerful and original approach including 60 controls that most organizations should use more. A pocket guide to risk mathematics: Key concepts every auditor should know is the first to provide a strong conceptual understanding of mathematics to auditors who are not mathematicians, without the need to wade through mathematical symbols. Matthew is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. Today he is well known as an expert in uncertainty and how to deal with it, and an increasingly sought after tutor (i.e. one-to-one teacher). more

Please share:            Share on Tumblr