What It Is

ISO 31000:2018, Risk management — Guidelines is a principles-based international standard providing flexible guidance for enterprise-wide risk management. It defines risk as the effect of uncertainty on objectives and promotes a systematic approach applicable to any organization, emphasizing value creation and protection through integration into governance and operations.

Key Components

• **Three pillarsEight principles (e.g., integrated, dynamic, inclusive), framework (leadership commitment, integration, design, implementation, evaluation, improvement), and process (communication, scope/context/criteria, assessment, treatment, monitoring/review, recording/reporting).
• No fixed controls; follows PDCA cycle.
• Non-certifiable guidelines, no audits required.

Why Organizations Use It

• Enhances decision-making, resilience, and opportunity capture.
• Builds stakeholder trust via transparent practices.
• Aligns with regulations indirectly; strategic benefits include better resource allocation.
• Competitive edge in volatile environments without certification burden.

Implementation Overview

Phased approach: secure leadership, gap analysis, pilot process, integrate into operations, monitor continually. Suited for all sizes/sectors; involves policy, training, tools like risk registers. No certification; internal assurance via reviews.

What It Is

NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) are mandatory reliability standards enforced by FERC for protecting the Bulk Electric System (BES) from cyber and physical threats. They employ a risk-based, tiered approach categorizing BES Cyber Systems by impact (High, Medium, Low) to prioritize controls.

Key Components

• Core standards: CIP-002 (scoping), CIP-003 (governance), CIP-004 (personnel), CIP-005/006 (perimeters), CIP-007 (systems security), CIP-008-010 (response/recovery/config), up to CIP-015 (monitoring).
• ~45 detailed requirements across 14+ standards.
• Built on recurring cycles (e.g., 15/35-day reviews) and audit-enforced compliance.

Why Organizations Use It

• Legal mandate for BES owners/operators to avoid multimillion fines.
• Enhances grid reliability, reduces outage risks.
• Builds stakeholder trust, lowers insurance costs.
• Provides competitive edge in reliability-focused markets.

Implementation Overview

• Phased: scoping, gap analysis, controls deployment, audits.
• Targets utilities/transmission entities in US/Canada/Mexico.
• Requires annual audits, 3-year evidence retention; no certification but enforced compliance.