Global ISO 31000 survey 2011
Results & analysis
Survey Background
ISO 31000:2009 Risk management principles and guidelines published in 2009.
ISO 31000 is a voluntary generic guideline.
Internationally recognised reference.
LinkedIn ISO 31000 group founded March 2009
ISO experts are working on the ISO 31004 guide to ISO 31000 due to be published in 2014
© 2012 Copyright of G31000 all rights reserved
How the survey was conducted
Conducted between the 17th of October and the 15th of December 2011.
Internet-based survey with 10-15 closed questions + 5 open questions for feedback to ISO PC 262.
Global reach via more than 100 risk management associations and LinkedIn groups in all sectors worldwide.
No sponsors to ensure impartiality.
Managed by a committee of volunteer experts who have a large amount of experience using ISO 31000.
G31000 Committee in charge
Questionnaire design: Jacquetta Goy (Canada), Grant Purdy (Australia), Arnold Schanfield (USA), John Lark (Canada), Julian Talbot (Australia), Julian du Plessis (South Africa), Jeffrey DeRose (USA), Pat Croke (Ireland) and Alex Dali (France)
Participating contacts: one person for each of the 100+ participating associations/LinkedIn groups
IT systems and survey design: Pat Croke
PowerPoints: Pat Croke, Alex Dali
Translation: Angel Escorial Bonet (Spanish), Alex Dali (French)
“We would like to thank all those who co-operated with the conduct of this survey. Without their help, this survey could not have been carried out.”
Survey Objectives
Understand how ISO 31000 is perceived by risk practitioners in all sectors worldwide.
Understand how ISO 31000 is used by risk practitioners.
Collect questions, comments and input for the future ISO 31004 guide.
Raise awareness about the existence of the ISO 31000 Risk Management standard
People Contacted
Main Source : ISO 31000 LinkedIn discussion group which has participants from over 90 countries.
Additionally, 100 risk management associations and other LinkedIn groups took part on a voluntary basis, representing more than 400,000 people (note 1).
Advertised via a few risk management websites and several risk management magazines
Note 1 – Many people are part of multiple LinkedIn groups and associations
List of associations & LinkedIn groups participating
Survey Population
1823 responses from 111 countries.
Largest country representation in the survey
USA 20%
Australia 10%
U.K. 10%
South Africa 8%
India 4%
Canada 4%
France 3%
Survey Population
111 countries
USA – 20%
Australia – 10%
UK – 10%
South Africa – 10%
India – 4%
Canada – 4%
France – 3%
(based on 1823 responses)
Word of caution
Some countries are over represented and others under represented relative to their population sizes
USA: sample 366, population 314 million, ratio 1:1,000,000
Australia: sample 176, population 22 million, ratio 8:1,000,000
U.K.: sample 179, population 62 million, ratio 3:1,000,000
South Africa: sample 139, population 50 million, ratio 3:1,000,000
India: sample 78, population 1210 million, ratio 0.06:1,000,000
Canada: sample 76, population 34 million, ratio 2:1,000,000
France: sample 53, population 65 million, ratio 0.84:1,000,000
New Zealand: sample 43, population 4.5 million, ratio 9.5:1,000,000
UAE: sample 30, population 8 million, ratio 3.75:1,000,000
Word of caution
Some country samples are too small to be representative.
Self-selecting sample, likely to be more interested in risk management than the normal population.
Likely to be over-represented by people interested in ISO 31000.
English-speaking countries over-represented: 50% of sample.
Risk Management departments over-represented: 41% of sample.
Participating Organizations Size
Organization size    # responses    percent
1-10                 252            14%
11-50                121            7%
51-200               174            10%
201-500              165            9%
501-1000             183            10%
1,001-5,000          356            20%
5,001-10,000         163            9%
10,000+              409            22%
(based on 1823 responses)
Participation by Sector
Public sector – 211
Management Consulting – 204
Information Technology – 185
Insurance – 134
Financial services – 123
Banking – 90
Manufacturing – 85
Education – 83
Other – 79
Energy – 63
Oil & Gas – 62
Construction – 52
Telecommunications – 52
Computers – 51
Mining & metals – 49
Health products & services – 47
Transport and logistics – 47
Utilities – 32
Aerospace & defense – 28
Chemicals – 23
Retailing – 21
Medical & Hospital – 20
Food drink & tobacco production – 19
Media – 19
Automotive & transport equipment – 17
Not for Profit – 16
Security – 11
(based on 1823 responses)
Participation by Sector
(based on 1823 responses)
[Pie chart of the sector breakdown listed above.]
Participation by Department Type
(based on 1823 responses)
[Pie chart. Legend: Risk Management, Information Technology, Audit, Occupational Health & Safety, Operations, Other, Accounting/Finance, Business development, Services, Facility management/Security, Administration, Insurance, Consulting, Legal, Sales & marketing, Quality, Product development, Project Management. Slice labels: 41%, 12%, 9%, 6%, 5%, 5%, 4%, 3%, 2%, 2%, 2%, 2%, 2%, 1%, 1%, 1%, 1%, 1%.]
Participation by Job Type
(based on 1823 responses)
What is your level of awareness about ISO 31000 ?
(based on 1823 responses)
I understand ISO 31000 completely – 25%
I have some knowledge of ISO 31000 – 35%
I have heard of ISO 31000 – 26%
I don't know what ISO 31000 is – 14%
What is your level of awareness about ISO 31000 ? by Country
(based on 1823 responses)
[Chart, axis 0% to 100%. Countries: India, USA, France, Italy, Finland, UK, Netherlands, Spain, Rest of World, All Countries, South Africa, Brazil, UAE, Canada, New Zealand, Australia. Series: I understand ISO 31000 completely; I have some knowledge of ISO 31000; I have heard of ISO 31000; I don't know what ISO 31000 is.]
What is your level of awareness about ISO 31000 ? by Organization Size
(based on 1823 responses)
[Chart, axis 0% to 100%. Organization sizes: 10000+, 5001-10000, 1001-5000, 501-1000, 201-500, 51-200, 11-50, 1-10. Series: I understand ISO 31000 completely; I have some knowledge of ISO 31000; I have heard of ISO 31000; I don't know what ISO 31000 is.]
What is your level of awareness about ISO 31000 ? by Department
(based on 1823 responses)
[Chart, axis 0% to 100%. Departments: Risk Management, Information Technology, Occupational Health & Safety, Operations, Audit, Other Departments, All Departments. Series: I understand ISO 31000 completely; I have some knowledge of ISO 31000; I have heard of ISO 31000; I don't know what ISO 31000 is.]
How is risk management mainly used within your organization?
(based on 1726 responses)
How is risk management mainly used within your organization? by Country
(based on 1726 responses)
[Chart, axis 0% to 100%. Countries: USA, France, Netherlands, UK, Australia, Brazil, Canada, India, Spain, Finland, Italy, New Zealand, South Africa, UAE, Rest of World, All Countries. Series: Not used; Report performance; Safety/Security; Insurance; Auditing/Compliance; All decisions.]
How is risk management mainly used within your organization? by Country
Panel titles: 40% – Decisions; 21% – Audit/compliance; 18% – Safety/security; 9% – Reporting; 7% – Insurance; 5% – Not used
Country percentages, one line per panel:
AU 64%, NZ 60%, SA 48%, UK 48%, CA 47%, UAE 43%, USA 35%, FI 32%, IN 28%, ES 28%, FR 25%, NL 23%, BR 23%, IT 23%
IN 40%, BR 38%, SA 34%, FR 28%, FI 24%, NL 23%, UAE 20%, ES 19%, UK 19%, CA 16%, USA 15%, AU 12%, NZ 12%, IT 9%
FR 17%, NL 16%, BR 8%, ES 4%, CA 4%, IN 4%, USA 4%, UAE 3%, FI 3%, IT 3%, UK 3%, NZ 2%, AU 2%, SA 1%
IT 34%, NL 30%, FI 29%, ES 28%, USA 21%, BR 21%, CA 20%, FR 19%, UK 17%, NZ 16%, UAE 13%, IN 13%, AU 11%, SA 5%
IT 20%, USA 17%, ES 15%, FR 9%, CA 5%, SA 4%, UAE 3%, NL 2%, IN 1%, AU 1%, UK 1%, FI 0%, BR 0%, NZ 0%
UAE 17%, IN 14%, UK 12%, FI 12%, IT 11%, BR 10%, NZ 9%, AU 9%, SA 9%, USA 8%, CA 8%, ES 6%, NL 5%, FR 2%
(based on 1726 responses)
How is risk management mainly used within your organization? by Organization Size
(based on 1726 responses)
[Chart, axis 0% to 100%. Organization sizes: 10000+, 5001-10000, 1001-5000, 501-1000, 201-500, 51-200, 11-50, 1-10. Series: Not used; Report performance; Safety/Security; Insurance; Auditing/Compliance; All decisions.]
How is risk management mainly used within your organization? by Department
(based on 1726 responses)
[Chart. Departments: Risk Management, Audit, Occupational Health & Safety, Operations, Information Technology, Facility management/Security, Other Departments, All Departments. Series: Not used; Report performance; Safety/Security; Insurance; Auditing/Compliance; All decisions.]
How is risk management mainly used within your organization? by Department
(based on 1726 responses)
[Charts, one panel per department: Operations, Audit, Risk Management, Information Technology, Health and Safety.]
How would you compare ISO 31000: Risk Management – Principles and Guidelines (2009) to other risk management references, guidelines and standards?
(based on 1086 responses)
How would you compare ISO 31000: Risk Management – Principles and Guidelines (2009) to other risk management references, guidelines and standards? By Country
(based on 1086 responses)
[Chart, axis 0% to 100%. Countries: UK, USA, Netherlands, Finland, Spain, Australia, New Zealand, France, Canada, UAE, Italy, India, South Africa, Brazil, Rest of World, All Countries. Series: Similar; Worse; Better; No Opinion.]
How would you compare ISO 31000: Risk Management – Principles and Guidelines (2009) to other risk management references, guidelines and standards? By Country
Better: BR 57%, SA 55%, IN 55%, IT 53%, UAE 50%, CA 49%, FR 46%, NZ 45%, AU 44%, ES 43%, FI 41%, NL 35%, USA 34%, UK 29%
Same: NL 57%, UK 54%, UAE 50%, AU 47%, NZ 42%, FI 41%, ES 39%, USA 38%, FR 38%, SA 36%, IT 35%, BR 35%, CA 33%, IN 30%
No Opinion: USA 27%, ES 18%, FI 17%, IN 15%, UK 15%, FR 13%, IT 12%, CA 10%, BR 9%, NL 9%, SA 8%, NZ 8%, AU 7%, UAE 0%
Worse: NZ 9%, CA 8%, FR 4%, AU 2%, UK 2%, USA 1%, BR 0%, FI 0%, IN 0%, IT 0%, NL 0%, SA 0%, ES 0%, UAE 0%
(based on 1086 responses)
How would you compare ISO 31000: Risk Management – Principles and Guidelines (2009) to other risk management references, guidelines and standards? By Department
(based on 1086 responses)
[Chart, axis 0% to 100%. Departments: Risk Management, Operations, Information Technology, Audit, Occupational Health & Safety, Accounting/Finance, Other Departments, All Departments. Series: Same; Worse; Better; No Opinion.]
Do you think that the associations you are a member of, should officially recommend that their members use ISO31000?
(based on 890 responses)
Do you think that the associations you are a member of, should officially recommend that their members use ISO31000? By Country
(based on 890 responses)
[Chart, axis 0% to 100%. Countries: Brazil, Finland, Australia, South Africa, Spain, New Zealand, India, UK, USA, France, UAE, Italy, Canada, Netherlands, Other Countries, All Countries. Series: Should strongly endorse; Should recommend; Should not recommend; My association does not recommend; No Opinion.]
Which of the following definitions of risk best reflects your understanding of the word Risk?
Definition – # responses (percent) – Source
Effect of uncertainty on objectives – 528 (29%) – ISO Guide 73:2009
Combination of the probability of an event and its consequences – 349 (19%) – ISO Guide 73:2002
Combination of the probability of occurrence of harm and the severity of that harm – 295 (16%) – ISO Guide 51:1999 (safety)
Chance of something happening that will have an impact on objectives – 320 (18%) – AS/NZS 4360:2004
Event that would have a negative impact on the organization – 141 (8%) – COSO ERM:2004
Exposure to the chance of injury or loss – 69 (4%) – Webster
Hazard or chance of loss – 35 (2%) – Webster
Opportunity to make a profit or increase revenue – 27 (1%)
Amount of money that the organisation company may lose – 15 (1%)
None of the above – 33 (2%)
(based on 1822 responses)
Which of the following definitions of risk best reflects your understanding of the word? By Country
(based on 1822 responses)
[Chart, axis 0% to 100%. Countries: Italy, Spain, India, Netherlands, USA, France, Brazil, UK, South Africa, Finland, UAE, Canada, Australia, New Zealand, Rest of the World, All Countries. Series: ISO 2009; COSO ERM:2004; ISO 2002; AS/NZS 4360:2004; ISO Safety; Other.]
Which of the following definitions of risk best reflects your understanding of the word ? By Department
(based on 1821 responses)
[Chart, axis 0% to 100%. Departments: Risk Management, Audit, Occupational Health & Safety, Operations, Information Technology, Other Departments, All Departments. Series: Effect of uncertainty on objectives; Event that would have a negative impact on the organization; Combination of the probability of occurrence of harm and the severity of that harm; Combination of the probability of an event and its consequences; Chance of something happening that will have an impact on objectives; Other Definition.]
Which of the following definitions of risk best reflects your understanding of the word ? By Department
(based on 1821 responses)
[Charts, one panel per department: Operations, Audit, Risk Management, Information Technology, Health and Safety.]
Which of the following standards/guidelines are used in your organization? (multiple selections allowed)
[Bar chart, axis 0 to 45. Standards: ISO 31000, AS/NZS 4360, COSO ERM, FERMA, Inhouse, ISO Guide 73, ISO/IEC 31010, PMBOK, ISO 27005, BS 31100, BASEL. Bar labels: 36%, 13%, 18%, 4%, 40%, 16%, 13%, 17%, 21%, 4%, 11%.]
(based on 1338 responses)
Usage of ISO 31000 by Country
[Chart, axis 0% to 100%. Countries: New Zealand, Australia, Finland, Canada, UAE, Brazil, South Africa, Netherlands, UK, France, Spain, USA, India, Italy, All Countries. Series: Yes; No.]
(based on 1338 responses)
Usage of AS/NZS 4360 by Country
[Chart, axis 0% to 100%. Countries: USA, UK, South Africa, Australia, India, Canada, France, Spain, Netherlands, Brazil, Italy, Finland, New Zealand, UAE, All Countries. Series: Yes; No.]
(based on 1338 responses)
Usage of COSO ERM by Country
[Chart, axis 0% to 100%. Countries: South Africa, USA, UK, Canada, Brazil, India, Australia, Finland, Spain, Netherlands, France, UAE, New Zealand, Italy, All Countries. Series: Yes; No.]
(based on 1338 responses)
Usage of Self Developed by Country
[Chart, axis 0% to 100%. Countries: USA, UK, South Africa, Canada, Australia, India, Brazil, Italy, France, Spain, UAE, Netherlands, Finland, New Zealand, All Countries. Series: Yes; No.]
(based on 1338 responses)
Usage of IRM/FERMA/AIRMIC standard by Country
[Chart, axis 0% to 100%. Countries: USA, Australia, UK, South Africa, India, Canada, France, Spain, Netherlands, New Zealand, Brazil, Finland, Italy, UAE, All Countries. Series: Yes; No.]
(based on 1338 responses)
Certification ISO 31000 of your Organization ?
[Pie chart. Legend: External certification is desirable; I have no opinion on the issue; External certification is not needed for other reasons; External certification is not needed because internal evaluation / audit is sufficient; External certification is not needed because external evaluation / audit is sufficient. Slice labels: 43%, 12%, 19%, 18%, 8%.]
(based on 1338 responses)
Certification ISO 31000 of your Organization ? by Country
[Chart, axis 0% to 100%. Countries: France, New Zealand, UK, Finland, All Countries, Australia, USA, Italy, South Africa, Canada, UAE, Netherlands, India, Brazil, Spain. Series: External certification is desirable; I have no opinion on the issue; External certification is not needed for other reasons; External certification is not needed because internal evaluation / audit is sufficient; External certification is not needed because external evaluation / audit is sufficient.]
ISO 31000 is a voluntary risk management guideline. Do you believe that organizations
(based on 1338 responses)
Your Organization – Implementation of ISO 31000
(based on 1498 responses)
Your organization:
has implemented ISO 31000 – 20%
is going to implement ISO 31000 in the future – 23%
has no plans to implement ISO 31000 – 33%
No opinion – 24%
Your Organization – Implementation of ISO 31000 by Country
(based on 1498 responses)
[Chart, axis 0% to 100%. Countries: Italy, India, France, Spain, USA, Netherlands, Other Countries, Finland, UK, All Countries, Brazil, South Africa, Canada, UAE, New Zealand, Australia. Series: has implemented ISO 31000; is going to implement ISO 31000 in the future; has no plans to implement ISO 31000; No opinion.]
Your Organization – Implementation of ISO 31000 by Organization Size
(based on 1498 responses)
[Chart, axis 0% to 100%. Organization sizes: 10000+, 5001-10000, 1001-5000, 501-1000, 201-500, 51-200, 11-50, 1-10. Series: has implemented ISO 31000; is going to implement ISO 31000 in the future; has no plans to implement ISO 31000; No opinion.]
Your Organization by Department
(based on 1498 responses)
[Chart, axis 0% to 100%. Departments: Audit, Information Technology, Operations, Occupational Health & Safety, Risk Management, Other Departments, All Departments. Series: has implemented ISO 31000; is going to implement ISO 31000 in the future; has no plans to implement ISO 31000; No opinion.]
Your Organization – Implementation of ISO 31000, by Department
(based on 1498 responses)
Department – has implemented / is going to implement / has no plans to implement / No opinion
Audit – 12% / 26% / 38% / 24%
Information Technology – 7% / 20% / 37% / 36%
Operations – 16% / 19% / 42% / 23%
Health and Safety – 7% / 20% / 43% / 30%
Risk Management – 28% / 24% / 28% / 20%
Does your organization provide you with risk management training?
[Pie chart. Legend: Yes; No but is planning to…; No and has no plans…; I don't know. Slice labels: 55%, 16%, 22%, 7%.]
(based on 1338 responses)
If yes, which of the following types of training have you received?
(based on 1338 responses)
Call for sponsors
If you wish to become a sponsor for the next Global ISO 31000 survey, please contact Madeleine at [email protected]