COMPARISON OF RUSSIAN NATIONAL STANDARD “RISK MANAGEMENT. PRINCIPLES AND GUIDELINES” RELEASES (GOST R ISO 31000:2019 AND GOST R ISO 31000:2010), TAKING INTO ACCOUNT PRIMARY SOURCES
https://doi.org/10.17747/2618-947X-2022-2-134-150
Abstract
Publication of a new release of a professional standard is always a challenge for experts in the field, since organisations that formally or informally declare adherence to the principles of such a standard usually start implementing new processes after such an event. It is therefore necessary to understand the difference between the new release of a standard and the previous one. This matters all the more for the ISO family of risk management standards, which declare that risk management has to become an intrinsic, essential part of all business processes in an organisation. In the case of the Russian national standards GOST R ISO 31000:2019 and GOST R ISO 31000:2010 the Russian professional community did not carry out such a comparison. The reason was the COVID-19 pandemic, which affected the economy in general and the activity of all professional communities in particular. The aim of this article is to fill that gap.
For citations:
Kushnin B.A., Furta S.D., Lyakin A.Y., Golembiovskaya D.S., Zhuravlev M.A. COMPARISON OF RUSSIAN NATIONAL STANDARD “RISK MANAGEMENT. PRINCIPLES AND GUIDELINES” RELEASES (GOST R ISO 31000:2019 AND GOST R ISO 31000:2010), TAKING INTO ACCOUNT PRIMARY SOURCES. Strategic decisions and risk management. 2022;13(2):134-150. https://doi.org/10.17747/2618-947X-2022-2-134-150
Introduction
Risk management as an independent direction of managerial and scientific thought finally took shape in 1955-1956: in 1955 the term "risk management" was proposed at Temple University in the USA by insurance professor W. Snyder. In 1956 R. Gallagher first described the profession of a risk manager in the Harvard Business Review. In 1963 R.I. Mehr and B.A. Hedges published the first textbook on risk management in a commercial enterprise [Lyubuhin, 2021].
At the moment, having spread far beyond the field of finance and ensuring industrial safety, risk management covers, to one degree or another, almost all branches of enterprise activity, having turned from a narrow specific tool into one of the key components of a modern organisation management system [Oparin, 2017].
In order to systematise knowledge and ideas about risk, the risk management standard AS/NZS 4360:1995 was issued in 1995 (the first national standard of its kind, applicable in Australia and New Zealand). The standard contains general recommendations on risk management addressed to the senior management of state, private and public organisations and groups of individuals [Lyubuhin, 2021].
After the release of a number of national standards in the field of risk management, in particular in Canada and Japan, the International Organisation for Standardisation released in 2009 the first edition of the international standard ISO 31000:2009 "Risk management - Principles and guidelines" (hereinafter referred to as the ISO 31000:2009 standard), which was translated and put into effect in the Russian Federation in 2010. GOST R ISO 31000-2010 was the key regulatory document in the field of risk management in Russia until the end of 2019 [Sekletsova, Ermolaeva, 2020].
Anticipating the presentation of the main material of the article, it should be noted that the previous and current versions of the standard are very close to each other not only in letter but also in spirit. From our point of view, the key idea of both versions is that risk management cannot be considered a separate functional activity in an organisation; it is a specific set of tools and methods that allow company managers to make better management decisions, taking risk and uncertainty into account. At the same time, the update of the standard can serve both as a reason and as a justification for introducing risk management in an organisation, which, in our opinion, is still very relevant for most organisations in the country. It is therefore possible to evaluate the changed wording of the standard from a political standpoint, in particular from the point of view of how it is perceived by the decision maker. Without belittling the importance of the work carried out by the authors of the GOST R ISO 31000:2019 standard, we would like to note that a number of formulations used in the GOST R ISO 31000:2010 standard are more successful from that perspective.
The text structure of the GOST R ISO 31000:2019 standard consists of four large semantic blocks: basic terms, principles, structure and processes.
Terms. The section "Terms and Definitions" has changed dramatically: the 2010 version defined 29 concepts, the new 2019 version only 9. Moreover, in the English version of 2018 five terms migrated unchanged from the old version, while in the Russian version all 9 terms were adjusted. Of the 20 terms no longer included in the glossary, only 2 are not used in the new standard; the rest are disclosed directly in the text.
The definition of the term “risk” is supplemented with a note that a risk can be associated with both negative and positive consequences at the same time.
The introduction of the term "participant" is an innovation of the new Russian standard GOST R ISO 31000-2019 and requires additional semantic and terminological analysis and comparison with the term "interested party" to establish or refute the synonymy of the two concepts.
In the definition of an "event", the GOST R ISO 31000-2019 standard omits the note that an event, in addition to several causes, can have not one but several consequences (a note which is itself an innovation of the ISO 31000:2018 standard).
Also, the definition of the term "consequences" in the Russian version of the standard lacks two significant aspects present in the notes to the term in ISO 31000:2018, namely that consequences can affect objectives directly or indirectly, and that consequences can have a cumulative as well as a cascading effect.
There is no definition of the term “risk level” in the new standard, while it is used in the text without disclosing its essence, which may lead to ambiguous interpretations of the term.
In the new version, the concept of “residual risk” has disappeared, which may introduce some uncertainty into the idea of risk management at the level of a general understanding of risk management in an organisation.
Principles. The diagram of principles is significantly simplified compared to the previous version of the standard and emphasises the equal importance of each principle by presenting them as sectors of the same size, with shortened names. The central place (no longer equivalent to the others, as before) is taken by the principle "Risk management serves to create and protect value". In effect, the creation and protection of value is declared the goal of risk management. Two principles are excluded: that risk management deals exclusively with uncertainty, and that risk management is part of the decision-making process.
At the same time, the authors would like to note that the abbreviated wording of the risk management principles in the new edition of the standard, despite the interpretations given, may, compared to the wording of the previous version, give rise to misunderstanding of the essence of a principle, primarily among top management; this is discussed in the relevant part of the article.
Structure. The translation of the term "risk management framework" has changed: previously it was translated as "risk management infrastructure". The diagram has changed: "leadership and commitment" has become the central element of the framework, and the other elements are equivalent to each other. A new element of the framework, "adaptation", has been added. The block "Monitoring and review of the framework" has been replaced by the block "Performance evaluation". The cyclical nature of work on the risk management framework has been preserved. Block names have been shortened and simplified.
Process. The block has undergone minimal changes. The first group of processes in the previous version of the standard was called "establishing the context"; in the new edition it is called "scope, context and criteria". According to the authors, the goal-setting stage should be singled out from this group because of its critical importance.
The new version of the standard continues to emphasise the iterative and cyclical nature of risk management processes, as well as the fact that these processes should exist in three surrounding activities: monitoring and review of the risk management process, ongoing communication and consultation with the organisation's stakeholders, and recording and reporting (the last element was not present in the previous version of the standard).
Introduction of the new standard and detailed analysis of changes
The authors of the article see the purpose of this work in analysing the changes not only in the terminological apparatus of the GOST R ISO 31000-2019 standard compared to the GOST R ISO 31000-2010 standard, but also in a number of fundamental provisions, with reference to the original sources, the "parent" standards ISO 31000:2018 and ISO 31000:2009; that is, in analysing the transformation of the principles and methodology of risk management, which is of unconditional practical value.
At present, GOST R ISO 31000-2010 "National Standard of the Russian Federation. Risk management. Principles and guidelines" (hereinafter referred to as the GOST R ISO 31000-2010 standard), which is a translation of the ISO 31000:2009 standard, is being replaced by the new standard GOST R ISO 31000-2019 "National Standard of the Russian Federation. Risk management. Principles and guidelines" (hereinafter referred to as the GOST R ISO 31000-2019 standard). The new standard is likewise a translation of the international standard ISO 31000:2018 "Risk management - Guidelines" (hereinafter referred to as the ISO 31000:2018 standard), developed by Technical Committee ISO/TC 262.
It should be noted that at the time of preparation of this article such standards as GOST R 58771-2019 "National Standard of the Russian Federation. Risk management. Risk assessment techniques" (approved and put into effect by order of Rosstandart No. 1405-st dated December 17, 2019) and GOST R 51897-2011/ISO Guide 73:2009 "National Standard of the Russian Federation. Risk management. Terms and definitions" (approved and put into effect by order of Rosstandart No. 548-st dated November 16, 2011), both translations of the ISO documents of the same name, are also in force; however, it should be recognised that it is the GOST R ISO 31000-2019 standard that is the methodological core for building a risk management system within national regulation.
Concepts and terms
Careful attention should be paid to the transformation of the conceptual and terminological apparatus in the standards.
The terms used in the standard are defined in section 3 "Terms and definitions" of the GOST R ISO 31000-2019 standard. The section contains 9 definitions instead of the 29 given in the GOST R ISO 31000-2010 standard. The authors analysed these terms, including comparing them with the definitions in the original ISO 31000:2018 and ISO 31000:2009 standards.
The nine definitions in ISO 31000:2018 (clauses 3.1-3.8.1) cover the following terms:
- risk;
- risk management;
- risk source;
- stakeholder (interested party);
- event;
- consequence;
- likelihood (of an event);
- control;
- risk evaluation (in the Russian version, "comparative risk evaluation").
All 9 definitions were amended in GOST R ISO 31000-2019 compared to GOST R ISO 31000-2010. However, for 5 of these terms no changes (other than in the Notes) were made in the international standard ISO 31000:2018 compared to ISO 31000:2009, namely risk, risk management, stakeholder, consequence and likelihood; the amendments are apparently due to a change in the developers' approach to translating the text into Russian. In addition, the GOST R ISO 31000-2019 standard, unlike the ISO 31000:2018 standard, gives a definition of the term "uncertainty".
According to the authors, the key methodological features of the changes in the applied concepts are the following.
The basic term "risk management" has been changed to "managing risk" (in the Russian wording). If, in the authors' subjective opinion, the first wording allows risk management to be interpreted as the conduct of management activities under conditions of risk, the second wording somewhat limits this possibility by clearly naming the object of management.
The definition itself in the GOST R ISO 31000-2019 standard refers to the effect of uncertainty on the achievement of set objectives; however, the text of the ISO 31000:2018 standard does not use the phrase "achievement of set objectives" at all (risk is simply "the effect of uncertainty on objectives"). We can therefore conclude that the translation of the term given in the GOST R ISO 31000-2010 standard is closer to the ISO 31000:2018 standard. It should be noted that risks can affect not only the achievement of objectives but also the very formulation of an objective (especially when risk is interpreted positively, as an opportunity); at the same time, the extremely high importance of goal setting for risk management should be kept in mind, and this is what the translation in the current version of the standard emphasises.
The introduction of the term "participant" (for stakeholder) is an innovation of the new Russian standard GOST R ISO 31000-2019 and requires additional semantic and terminological analysis and comparison with the term "interested party" to establish or refute the synonymy of the two concepts. Important here, in our opinion, is the concept of "interest", which can be described as a positively coloured emotional process associated with the need to learn something new about the object of interest, with heightened attention to it. "Interest" is therefore more active in nature, whereas "participation" can also take passive forms, which should not, however, be confused with "passive indifference": participation can also be expressed in the conscious inaction of the subject.
In the definition of risk source given in the GOST R ISO 31000-2019 standard, the Russian translation lacks the significant note present in the ISO 31000:2018 standard that an event can also be a risk source.
In the definition of an event, the GOST R ISO 31000-2019 standard omits the note that an event, in addition to several causes, may have several consequences (a note which is itself an innovation of the ISO 31000:2018 standard).
In the term "control", the ISO 31000:2018 standard adds maintaining risk as one of the functions of a control. This aspect is not reflected in GOST R ISO 31000-2019.
In the definition of the term "consequence" in the GOST R ISO 31000-2019 version, two significant aspects present in the notes to the term in ISO 31000:2018 are missing, namely that consequences can affect objectives directly or indirectly, and that consequences can have a cumulative as well as a cascading effect.
Of the remaining 20 terms previously present in the "Terms and definitions" section of the ISO 31000:2009 version of the standard, most (17) are disclosed contextually in the subsequent sections, while 2 previously used terms are absent from the text altogether:
– attitude to risk (risk attitude);
– risk profile.
The term "level of risk", previously present in the GOST R ISO 31000-2010 standard, should be considered separately. It is absent from the definitions of the GOST R ISO 31000-2019 standard and at the same time is used in the text without its meaning being disclosed, which in our opinion is a drawback of the new edition of the Russian standard. Nevertheless, the concept is present in the National Standard of the Russian Federation GOST R 51897-2011/ISO Guide 73:2009 "Risk management. Terms and definitions", approved by order of Rosstandart No. 548-st dated November 16, 2011, clause 3.6.1.8 of which defines the level of risk as the magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood.
The 17 terms no longer included in the "Terms and definitions" section of GOST R ISO 31000-2019 are: risk assessment, risk evaluation, risk management framework, risk identification, risk analysis, risk treatment, monitoring, review, residual risk, risk criteria, external context, establishing the context, risk owner, risk management process, risk management plan, communication and consultation, risk management policy.
The key features of the changes in these concepts are the following.
The term "risk management plan" is not used in the text of the GOST R ISO 31000-2019 standard either; instead, "plans that determine the necessary time and resources" are expected to serve as the tool for implementing risk management. Thus the restriction that measures for implementing the risk management framework must be placed exclusively in a document named "risk management plan" has been removed. At the same time, as required by the GOST R ISO 31000-2010 standard, whichever document is used should still include a description of the risk management approach, its components and resources. This change is broadly in line with the change in approach to risk management plans in ISO 31000:2018.
The purpose of risk analysis has been extended to include understanding the characteristics of risk, while understanding the level of risk has become an optional element.
The GOST R ISO 31000-2019 standard does not use the terms "monitoring" and "review" separately. Their disclosure in the text of the standard is simplified through a description of their elements, including planning, collecting and analysing information, recording results and providing feedback.
"Risk criteria": in the GOST R ISO 31000-2019 standard, risk criteria should make it possible to specify not only the significance of a risk but also its type and magnitude, and the standard also lists the factors that must be taken into account when defining risk criteria. In relation to this term, the following shortcoming in the translation of the original standard should, in our opinion, be pointed out. In the factor "how consequences (both positive and negative) and likelihood will be defined and measured", which must be considered when defining risk criteria, a technical error has probably been made: a wording that uses the same Russian rendering of "likelihood" as section 3 of the standard would be closer to the ISO 31000:2018 standard than the rendering actually used (which corresponds to "probability").
The term "context" was previously translated as "context" or "situation" in the GOST R ISO 31000-2010 standard; in the new standard it is rendered as "environment". In connection with this change, related terms have also changed, such as "external environment" (external context) and "internal environment" (internal context), as well as "defining the environment" (formerly "establishing the context"). Similarly, the Russian renderings of "risk evaluation" (now "comparative risk evaluation"), "risk treatment" and "risk management framework" have been changed in the GOST R ISO 31000-2019 standard.
The recording and reporting element has been added to the definition of the risk management process.
It should be noted that throughout the text of the ISO 31000:2018 standard the term "reporting" is used, which in some cases implies not only the preparation but also the provision of the prepared reports (including for subsequent review). The text of the GOST R ISO 31000-2019 standard uses the phrase "preparation of reports", except in clause 6.7, which mentions the forms of preparation and the method of reporting. In our opinion, wherever the phrase "preparation of reports" is used it should be supplemented with the words "and their provision".
With regard to the term "risk management policy", the restriction on form has been removed: the general intentions and directions of the organisation's activity in relation to risk management no longer have to be placed specifically in a risk management policy.
The concept of "residual risk" has disappeared in the new version. The removal of this term from the list completely overturns the existing risk management processes of many companies, changing the established approach. Previously, the philosophy of working with risk was, so to speak, based on the fact that uncertainty cannot be eliminated completely but can and should be reduced constantly. Accordingly, work with uncertainty consisted in the cyclical identification of its manifestations through risks, or more precisely risk events ("risk is the effect of uncertainty on objectives"), and in attempts to reduce possible risks by controlling "residual risks" [Sidorenko et al., 2016]. This idea, this philosophy of working with risk, was one of the drivers that ensured the cyclical and continuous operation of the risk management system in an organisation. The absence of the term and its definition in the new standard shifts the emphasis to some extent, and there is a danger that the company's management will perceive risk as a relatively static phenomenon that can be eliminated completely at a given moment (which is categorically wrong).
Applying the GOST R ISO 31000-2019 standard, an organisation is able to build an effective and continuous risk management process. A visual representation of the process elements and the relationships between the blocks is given in Fig. 1 of the standard, "Principles, framework and process". Figs. 2-4 show the details of these blocks. Let us consider each block of this diagram separately, and then turn to the relationships between them.
Principles
The first block of elements comprises the principles, which establish the characteristics of effective and efficient risk management, reflect its values and explain its role and purpose. The key changes in the composition of the block are shown in Fig. 1.
Table 2 shows the correspondence between the elements of the block in the Russian and English versions of the standards. The table makes it possible to compare the elements of the block and highlight their changes.
The diagram given in the GOST R ISO 31000-2019 standard is significantly simplified compared to the previous version of the standard and emphasises the equal importance of each principle by presenting them as sectors of the same size, with abbreviated names.
It is quite remarkable that in the updated version the block "Value creation and protection" (previously "Creates value") has become the central element rather than one equivalent to the others: in effect, the creation and protection of value is declared in the new edition of the standard to be the purpose of risk management. The idea of what a commercial organisation does has been greatly transformed over recent decades and has moved far from the primitive idea of a company as a means of extracting profit from the outside world. The modern view of business defines a company as a structure for delivering (or producing, but still ultimately delivering) value to customers. The situation in management is such that where value is delivered, both its monetisation (profit) and the benefit to shareholders (growth in value) will follow. The ISO 31000:2018 standard proposes to consider risk management as an essential part of the overall process by which a company creates and delivers value, placing it at the centre of the management disciplines. For public authorities, finding and defining value is complicated by the fact that we are dealing with large and very large systems in which rules must be established and public goods maintained for the widest possible strata of the population and of business. Here, of course, embedding risk management into overall management processes is a non-trivial task, which at the same time carries enormous potential benefits.
We see the need to evaluate changes in the content of the principles and their composition.
Integration. In the previous version of the standard, instead of the rather vague wording "Risk management is an integral part of all organisational activities", it was stated that "Risk management is an integral part of all organisational processes", which in effect meant that particular business processes themselves become risk factors, giving the risk manager a clear clue for identifying risks.
Structured and comprehensive. In the authors' opinion, the translation of the English term comprehensive as "complex" is not entirely successful. Here comprehensive means, rather, all-encompassing, implying that without risk management the effective and efficient operation of the organisation is not possible.
It should be noted that the requirement of transparency has, justifiably, disappeared from the description of the fourth principle, inclusive. On the one hand, all stakeholders of the organisation should be involved in risk management processes in one way or another (the translation of this term as "participants" is, in the authors' opinion, also not entirely successful); on the other hand, the implementation of risk management measures may produce information that constitutes a trade secret. Moreover, certain risk management information must also be kept confidential inside the organisation, otherwise, for example, such a risk identification tool as cross-interviews becomes ineffective.
Dynamic. It should be noted that the explanation of this principle no longer mentions the iterative nature of risk management processes. This is most likely because the new version of the standard does not contain the concept of residual risk. The authors of this article still consider it necessary to analyse and comparatively evaluate the risks that cannot be eliminated after the hypothetical execution of all planned "risk treatment" activities. Moreover, it is known that "risk treatment" activities can lead to the emergence of new risks and the strengthening of other risks that have not been "treated", so a direct reference to the iteration of risk management processes would, it seems, be useful in the new version of the standard.
Best available information. Here, taking into account the practical side of implementing the principle, one must bear in mind the possibility of competing interests between the person responsible for risk management and other stakeholders, and the resulting barriers to obtaining the necessary information.
Human and cultural factors. The wording and definition of this principle in the text of the GOST R ISO 31000-2019 standard fully coincide with those in the GOST R ISO 31000-2010 standard and are understandable and sufficiently complete.
Although the wording of the continual improvement principle is similar to that of the previous version, in the authors' opinion this kaizen principle was disclosed more deeply and in a more applied way in the GOST R ISO 31000-2010 version. "Risk management facilitates continual improvement of the organisation" was the old formulation of this principle. That is, if risk management does not contribute to the continual improvement of the effectiveness and efficiency of the organisation, it is not risk management. The new wording proclaims risk management as a kind of "thing in itself", which must itself be constantly improved.
Compared to the GOST R ISO 31000-2010 standard, the new standard excludes the principles that risk management deals exclusively with uncertainty (that is, that there is a clear link between risk management and uncertainty) and that risk management is part of decision making. The exclusion of these two principles from the current version of the standard is, in the authors' opinion, inexpedient, first of all from a practical point of view.
Risk management deals exclusively with uncertainty. When working with a risk register, the responsible people quite often make the mistake of identifying risks incorrectly, which is understandable for purely psychological reasons: a person treats as a risk not an event or condition that meets the standard's definition, but whatever he is most afraid of. As a result, constraints quite often end up in the risk register, that is, negative conditions that already exist, or negative events whose probability is extremely high and which are almost impossible to influence. They appear in the register under wordings such as "insufficient funding" or "lack of qualified personnel". Keeping the principle could, to some extent, reduce the likelihood of these methodological errors.
And finally, risk management is part of decision making. It seems to us that if this principle had remained in the updated version of the standard, it would have been an excellent reminder to all top managers of organisations that they must take risks into account when making key management decisions.
Structure
Fig. 2 shows the key changes in the "Framework" block.
The correspondence between the elements of the "Framework" block shown in the diagram (taking into account the names used in the original English-language standards) is given in Table 3.
With regard to the risk management framework, attention should be paid to the change in the translation of the term "risk management framework" compared to the GOST R ISO 31000-2010 standard: previously it was translated as "risk management infrastructure".
In this diagram "leadership and commitment" is the central element of the framework, while the other elements are presented as equivalent to each other, being displayed at the same size. In addition, a new element of the framework, "adaptation", has been added. The block "Monitoring and review of the framework" has been replaced by the block "Performance evaluation". The cyclical nature of work on the risk management framework has been preserved. Block names have been shortened and simplified. The blocks are described in section 5 of the GOST R ISO 31000-2019 standard.
According to the authors, the cycle of work on the management framework is a special case of the Deming-Shewhart cycle, whose structure involves planning (Plan), including setting objectives and identifying the resources needed to achieve them; doing what was planned (Do); monitoring and evaluating the achievement of the objectives (Check); and implementing measures to improve performance (Act):
Plan - design and development;
Do - implementation;
Check - performance evaluation;
Act - improvement.
At the same time, the new element "adaptation", as the authors believe, ensures compliance and mutual integration of the management system and the organisation's processes in the risk management system.
Without in any way diminishing the importance of the information in this section of GOST R ISO 31000-2019, the authors would like to draw attention to a certain vagueness in the wording of provisions that are very important from a practical point of view and that were stated more clearly in the previous version of the standard. Whatever the translation, the English term framework means a basis: a set of organisational components that helps to integrate risk management successfully into the organisation's activities.
The term "leadership" in the modern managerial vocabulary is vague and somewhat discredited. Placing it at the centre of the description of the basis of a knowledge area that relates, by and large, to professional activity (hard management skills) is therefore, in the opinion of the authors, not entirely correct. Moreover, the explanation of this term in the standard includes:
- 5 points of explanation for understanding the terms "leadership" and "commitment";
- 6 competitive advantages that an organisation gains when implementing the principles of leadership and commitment in relation to risk management;
- 5 groups of expectations and requirements of control and supervisory authorities towards the organisation in the field of risk management.
At the same time, the risk management infrastructure scheme itself, given in the text of the GOST R ISO 31000-2010 standard, despite a certain visual cumbersomeness, pointed to the “organisational components” that are in the basis of effective risk management:
1) without understanding the internal and external environment (context) in which the organisation operates, the implementation of risk management is impossible;
2) the risk management standard is universal, applicable to any organisation of any size and any form of ownership, therefore it is impossible not only to describe specific processes, but even to give an exhaustive list of required documents and reports. However, the standard considers one single document mandatory - the risk management policy - a kind of declaration of intent in this area;
3) the standard states that risk management information should be included in corporate reporting (organisation reporting), without focusing on how this should be done;
4) rightly focuses on the thesis about the need to integrate risk management into all organisational processes;
5) postulates the need to allocate resources of the required quality (primarily human) for the implementation of risk management in the organisation. In practice, personnel are often assigned to roles related in one way or another to risk management on a residual basis;
6) the need to establish general rules and a mechanism for collecting and exchanging information within the organization is postulated (to ensure the implementation of the principle of basing on the best information);
7) the need to establish general rules and a mechanism for collecting and exchanging information with external stakeholders of the organisation (to ensure the implementation of the principle of basing on the best information) is postulated.
It was further stated that the starting position and the basis for the implementation of these components is the distribution of powers and responsibilities (in the text of the GOST R ISO 31000-2010 standard - obligations). The presence of this item in the scheme made it possible to immediately ensure the distribution of powers in the field of risk management between the CEO, risk manager, functional managers, owners and other parties (in relation to a commercial organisation).
It should also be noted that the term commitment was translated as "obligation" in the previous version of the standard and as "involvement" in the new one. From the authors' point of view, both interpretations are extremely significant. On the one hand, risk management should provide for a clear distribution of powers (obligations assumed); on the other hand, all levels of the hierarchy should be involved in risk management in an organisation, from a low-level specialist up to the person ultimately responsible for high-level management decisions [Tsakaev, Saidov, 2020].
-
Risk management process
The key changes in the "Process" block are shown in Fig. 3.
The specified block has visually undergone minimal changes. However, if the first group of processes in the previous version of the standard was called "Defining the situation (context)", then in the modern edition it is called "Scope, environment and criteria". At the same time, recalling the definition of risk given in the standard as a consequence of the influence of uncertainty on the achievement of goals, we must emphasise that without proper goal setting all risk management loses its meaning, therefore, according to the authors, the goal setting stage should be separated from the group “Scope, environment and criteria”.
The new version of the standard emphasises the iterative and cyclical nature of risk management processes (which was also evident in the previous version), as well as the fact that the risk management process should be embedded in three surrounding activities: monitoring and review of the risk management processes, constant communication and consultation with the organisation's stakeholders, and recording and reporting. The last of these was not present in the previous version of the standard. Its inclusion in the new edition seems reasonable to the authors.
Based on the analysis of changes in the risk management process diagram (Fig. 3), the authors believe it is possible to distinguish the following main stages of the risk management process:
- Setting the goals of risk management based on the decomposition of the organisation goals and its divisions.
- Definition of risk criteria (to establish what is considered a risk for the organisation).
- Risk identification (find, recognise and describe the risk).
- Risk analysis (understand the nature of the risk and its characteristics, the causes and consequences of its possible realisation, and determine the level of risk). At this stage, as a rule, a draft list of possible actions for "risk treatment" appears.
- Comparative risk assessment (compare the results of the risk analysis with the established risk criteria and determine where additional action is required). At this stage, measures for "risk treatment" are selected from the previous list.
- Preparation of a risk treatment plan (selection of the final "risk treatment" option and its documentation).
- Implementation of the "risk treatment" plan (timely and adequate response to risks).
Table 1
Information about the results of comparison of terms and definitions
№ | Comparison item | Number of terms
1 | Terms given in section 3 "Terms and definitions" of GOST R ISO 31000-2010 | 29
2 | Terms given in section 3 "Terms and definitions" of GOST R ISO 31000-2019, including: | 9
2.1 | terms whose definitions differ from those in GOST R ISO 31000-2010 | 9
2.2 | terms whose definitions are unchanged in ISO 31000:2018 relative to ISO 31000:2009 | 5
3 | Terms absent from section 3 "Terms and definitions" of GOST R ISO 31000-2019 but present in the section of the same name in GOST R ISO 31000-2010, including: | 20
3.1 | terms not used in the text of GOST R ISO 31000-2019 | 2
3.2 | terms used but not disclosed in the relevant sections of GOST R ISO 31000-2019 | 1
3.3 | terms contextually disclosed in the relevant sections of GOST R ISO 31000-2019 | 17
Source: compiled by the authors based on the standards GOST R ISO 31000-2019, GOST R ISO 31000-2010, ISO 31000:2018, ISO 31000:2009.
Table 2
The ratio of the names of the elements of the block “Principles” presented in the diagram (taking into account the names given in the original standards in English)
GOST R ISO 31000-2019 | GOST R ISO 31000-2010 | ISO 31000:2018 | ISO 31000:2009
Value creation and protection | Creates value | Value creation and protection | Creates value
Integration | Integral part of organisational processes | Integrated | Integral part of organizational processes
Structured and comprehensive character | Systematic, structured and timely | Structured and comprehensive | Systematic, structured and timely
Customisation | Tailored | Customized | Tailored
Involvement | Transparent and inclusive | Inclusive | Transparent and inclusive
Dynamics | Dynamic, iterative and responsive to change | Dynamic | Dynamic, iterative and responsive to change
Best available information | Based on the best available information | Best available information | Based on the best available information
Human and cultural factors | Takes human and cultural factors into account | Human and cultural factors | Takes human and cultural factors into account
Continuous improvement | Facilitates continual improvement and enhancement of the organization | Continual improvement | Facilitates continual improvement and enhancement of the organization
— | Explicitly addresses uncertainty | — | Explicitly addresses uncertainty
— | Part of a decision making process | — | Part of decision making
Source: compiled by the authors based on the standards GOST R ISO 31000-2019, GOST R ISO 31000-2010, ISO 31000:2018, ISO 31000:2009.
Fig. 1. Key changes in the “Principles” block
Source: compiled by the authors based on the standards GOST R ISO 31000-2019, GOST R ISO 31000-2010.
Fig. 2. Key changes in the “Structure” block
Source: compiled by the authors based on the standards GOST R ISO 31000-2019, GOST R ISO 31000-2010.
Table 3
The ratio of the names of the elements of the “Structure” block presented in the diagram (taking into account the names given in the original standards in English)
GOST R ISO 31000-2019 | GOST R ISO 31000-2010 | ISO 31000:2018 | ISO 31000:2009
Leadership and commitment | Mandate and commitment | Leadership and commitment | Mandate and commitment
Adaptation | — | Integration | —
Design | Design of framework for managing risk | Design | Design of framework for managing risk
Implementation | Implementing risk management | Implementation | Implementing risk management
Evaluation | Monitoring and review of the framework | Evaluation | Monitoring and review of the framework
Improvement | Continuous improvement of the framework | Improvement | Continual improvement of the framework
Source: compiled by the authors based on the standards GOST R ISO 31000-2019, GOST R ISO 31000-2010, ISO 31000:2018, ISO 31000:2009.
Fig. 3. Key changes in the “Process” block
Source: compiled by the authors based on GOST R ISO 31000-2019, GOST R ISO 31000-2010.
Fig. 4. Changing relationships between blocks
Source: compiled by the authors based on GOST R ISO 31000-2019, GOST R ISO 31000-2010.
-
General scheme of risk management
The relationship between the blocks of the central scheme of the GOST R ISO 31000-2019 standard is shown in Fig. 4.
Changes in the relationships between the blocks of the scheme involve the spread of risk management principles both to its entire process and to the entire structure of risk management.
In the previous version of the standard, it was schematically assumed that the principles were extended to the structure exclusively through the “authority and obligation” structure element, there was no relationship of the principles with the process, and the relationship between the structure and the process was probably implied by the “application of risk management” element of the structure.
-
Summary and conclusion
The analysis of the provisions of the analysed documents, taking into account, in particular, the international standards of the ISO 31000 family, made it possible to identify and evaluate the features of the new standard GOST R ISO 31000-2019 and its primary source.
According to the authors of the article, during the development of the ISO 31000:2018 standard, the following tasks were achieved, among other things:
- reducing the amount of textual content of the standard, in particular by excluding definitions of contextually understandable terms from the relevant section (for example, “risk management process”, “monitoring and review”, “risk analysis”);
- ensuring increased flexibility in the organisation's actions when creating and maintaining a risk management system when using the standard [Tsakaev, Saidov, 2020];
- clarification and supplementation of certain terms of the standard in order to improve their understanding (for example, the concept of "risk" and its notes; the point about maintaining a risk at a given level; the consistent emphasis that risk can be associated not only with a negative but also with a positive effect of uncertainty on the organisation's objectives, or with both effects at once).
The new version of the standard has greater flexibility of application and a more accessible visual component (the flowcharts used in the text); however, compared with the previous version it has a number of features that the authors evaluate ambiguously from a practical and political point of view, in particular the exclusion of the term "residual risk" from the relevant section and the exclusion of two practically important principles: "Risk management deals exclusively with uncertainty" and "Risk management is part of the decision-making process".
It is also important to once again pay attention to the authors' proposal to single out goal-setting in the field of risk management in the risk management process diagram as an independent block along with the “Scope, environment and criteria” block.
An analysis of the transformation of the conceptual apparatus in GOST R ISO 31000-2019 leads to the conclusion that a significant part of the terminological changes in the new edition, compared with GOST R ISO 31000-2010, is associated with a change in the Russian translation of key terms. If an organisation previously guided by the requirements of GOST R ISO 31000-2010 needs to bring its risk management activities into line with GOST R ISO 31000-2019, it is advisable to also use a comparison with the primary source, ISO 31000:2018, and (or) this article; this avoids the unnecessary creation of new risk management elements in the enterprise where existing ones can be transformed.
It should be noted that significant work has been done in translating the English version of the standard into Russian, eliminating a number of inaccuracies made in the translation of ISO 31000:2009 for GOST R ISO 31000-2010. Nevertheless, according to the authors, the approved Russian translation of GOST R ISO 31000-2019 would benefit from adding the individual notes of ISO 31000:2018 that were left out, and from revising a number of notes to terms and individual wordings used in the definitions, so as to conform more fully and accurately to ISO 31000:2018 (Table 4).
Table 4
Information on the results of comparison of terms and definitions
№ | Text fragment | Place in standard | Translation suggestions and comments
1 | The above components may be partially or fully implemented in the organisation, however, they may require adaptation or improvement for more effective, efficient and consistent risk management. | "Introduction" section, paragraph 7 | Suggested revision: "The above components may be partially or completely implemented in an organisation, but they may require adaptation or improvement to ensure the effectiveness, efficiency and consistency of risk management" (in accordance with the meaning of the text in ISO 31000:2018).
2 | This International Standard establishes a set of principles that must be followed in order for risk management to be effective. This International Standard recommends that organisations develop, implement, and continually improve a risk management framework and process that will add value to organisations. | "Introduction" section, paragraph 9 | Delete (not included in ISO 31000:2018).
3 | risk: A consequence of the influence of uncertainty on the achievement of goals | Clause 3.1 | Suggested revision: "risk: The effect of uncertainty on objectives" (in accordance with the meaning of the text in ISO 31000:2018). Uncertainty can affect not only the achievement of objectives but also their formulation, i.e. the process of setting them as a definition of the desired state of the organisation. In particular, identifying the risk of a positive event during risk management may lead to the need to set an objective of maximising the likelihood of that event.
4 | Risk is often characterised by describing a possible event (3.5) and its consequences (3.6), or their combination. | Clause 3.1, notes 3, 4 | Suggested revision for notes 3 and 4 (items 4 and 5): "Risk is usually expressed (or characterised) in terms of risk sources, potential events, their consequences and their likelihood." In the opinion of the authors, this wording conveys the corresponding text fragment of ISO 31000:2018 more accurately.
5 | Risk is often presented in terms of the consequences of a possible event (including changes in circumstances) and the corresponding probability. | Clause 3.1, notes 3, 4 | See item 4.
6 | Uncertainty is the state of complete or partial absence of information necessary to understand an event (3.5), its consequences (3.6) and their probabilities | Clause 3.1, note 5 | Proposed to be excluded (absent in ISO 31000:2018).
7 | After the influence of uncertainty, it is necessary to understand the deviation from the expected result or event (positive and / or negative) | Clause 3.1, note 1 | Suggested revision: "The effect of uncertainty is a deviation from what is expected. It can be negative, positive or a combination of both, and can eliminate, create or lead to opportunities and threats" (in accordance with the meaning of the text in ISO 31000:2018; the definition given in the translation does not mention opportunities and threats).
8 | risk management: coordinated activities to direct and manage an organization in the area of risk | Clause 3.2 | Suggested revision: "risk management: coordinated activities to direct and control an organisation with regard to risk".
9 | Interested party - stakeholder: Any individual, group or organisation that can influence, be affected by, or perceive itself to be affected by a risk | Clause 3.3 | Requires additional semantic and terminological analysis and comparison with the term "interested party" to establish or refute the synonymy of the concepts (discussed in the text of this article). According to the note to the term in clause 3.3 of ISO 31000:2018, the original concept of stakeholder may be used alongside the concept of interested party as its alternative.
10 | The source of risk can be tangible or intangible. | Clause 3.4, note | Proposed to be excluded (absent in ISO 31000:2018).
11 | An event can be single or repeated and can have multiple causes | Clause 3.5, note 1 | Suggested revision: "An event can have multiple causes and multiple consequences" (based on ISO 31000:2018).
12 | The event can be defined or undefined | Clause 3.5, note 2 | Suggested revision: "An event can be something that is expected but does not happen, or something that is not expected but does happen" (based on ISO 31000:2018).
13 | An event without consequences (3.6) can also be called the threat of a hazardous event, the threat of an incident, the threat of injury, or the threat of an emergency. | Clause 3.5, notes 3, 4 | Proposed to be excluded, together with item 14 (absent in ISO 31000:2018; narrows the meaning of the concept by excluding events with positive consequences).
14 | the event can be called by the terms "incident", "hazardous event" or "accident" | Clause 3.5, notes 3, 4 | See item 13.
15 | consequence - the effect of an event (3.5) on an object | Clause 3.6 | Suggested revision: "consequence: the outcome of an event affecting objectives" (based, among other things, on the definition of the term "risk" in the text of ISO 31000:2018).
16 | The impact of an event can result in one or more consequences. | Clause 3.6, note 1 | Proposed to be excluded (absent in ISO 31000:2018 in the specified clause; present in note 1 to clause 3.5).
17 | Consequences may be definite or uncertain, and may range from positive to negative. | Clause 3.6, note 2 | Suggested revision: "Consequences can be certain or uncertain and can have positive or negative direct or indirect effects on objectives." In the approved edition of GOST R ISO 31000-2019, the direct or indirect influence of consequences on objectives, reflected in ISO 31000:2018, is omitted.
18 | Initial consequences can cause further consequences to escalate in a domino-like manner | Clause 3.6, note 4 | Suggested revision: "Any consequence can escalate through cascading and cumulative effects" (corresponds more closely to the text of ISO 31000:2018; in particular, the translation does not mention a cumulative or synergistic effect).
19 | Risk management (Control): measures to change a risk (3.1) | Clause 3.7 | Suggested revision: "control: a measure that maintains and/or changes the risk (3.1)" (corresponds more closely to the text of ISO 31000:2018; in particular, the translation does not convey the word maintain used in the original).
20 | Risk management covers the processes, policies, devices, methods and other tools used to modify risk | Clause 3.7, note 1 | Suggested revision: "Controls include, but are not limited to, the processes, policies, devices, practices and other means used to maintain and/or change risk" (corresponds more closely to the text of ISO 31000:2018; in particular, the word "covers" used in the translation does not convey that controls always include more elements than are listed, and the translation does not mention maintaining the risk).
21 | comparative risk assessment: The process of comparing analysis results with risk criteria to determine risk acceptability | Clause 3.8.1 | Proposed to be excluded, together with item 22 (absent in section 3 of ISO 31000:2018; a contextually clear term, disclosed in clause 6.4.4 of the standard).
22 | Comparative risk assessment can be used when deciding on risk treatment | Clause 3.8.1, note | See item 21.
23 | Structured and complex character. A structured and integrated approach to risk management contributes to consistent and comparable results | Clause 4, item b | In the opinion of the authors, translating the English term comprehensive as "complex" is not entirely successful. Here, comprehensive means rather "all-encompassing". It is therefore proposed to state this principle of risk management as follows: "Structured and comprehensive. A structured and comprehensive approach to risk management contributes to consistent and comparable results."
24 | Inclusion consists in the appropriate and timely participation of stakeholders, which allows to take into account their knowledge, views and opinions. This leads to increased awareness and informativeness within the framework of risk management. | Clause 4, item d, paragraph 2 | It is proposed to consider replacing the word "informativeness" with the phrase "validity of decision-making" (on the basis of paragraph 9 of clause 6.5.2 of the translation; in both cases the original uses the word informed).
25 | Reporting preparation | Clause 5.4.2, paragraph 8; clause 6.1, paragraph 1; clause 6.7, paragraph 7 | Suggested revision: "Preparation and submission of reports". With regard to the risk management process, the submission of reports (including on time and through established communication channels) is also relevant; in a number of contexts the English word reporting covers not only preparing a report but also delivering it.
26 | establish the level and type of risk that may or may not be used to develop risk criteria and ensure that these criteria are communicated to the organisation and its stakeholders | Clause 5.2, paragraph 9 | It is proposed to consider replacing the word "level", since the phrase level of risk is not used in the corresponding fragment of the original text of ISO 31000:2018. Moreover, that term is used in paragraph 8 of clause 6.3.4 of the standard.
27 | Commitments should include, but not be limited to | Clause 5.4.2, paragraph 1 | The translation needs to be revised: it is not obvious which obligations are meant. The following wording is possible: "Commitments in the field of risk management".
28 | the purpose of the organisation in relation to risk management and links to overall objectives and other policies | Clause 5.4.2, paragraph 1 | It is proposed to read as follows: "the organisation's purpose for managing risk in connection with its overall objectives and other policies". The phrase does not appear to be entirely consistent with the original text. ISO 31000:2018 directly indicates the relationship between the organisation's purpose for managing risk and its overall objectives (and links to its objectives).
29 | – determine the list of people who have responsibility and authority for risk management (risk owners); – emphasise that managing risk is one of the fundamental responsibilities | Clause 5.4.3, paragraphs 2, 3 | The order of the paragraphs must be aligned with ISO 31000:2018.
30 | The methods and nature of communication and consultation should reflect stakeholder expectations where appropriate. | Clause 5.4.5, paragraph 1 | In accordance with the context, it is proposed to consider the following wording: "The manner in which information is exchanged and consultation is carried out, and the content of these processes, should reflect the expectations of stakeholders, where appropriate."
31 | The close relationship between these processes should facilitate the actual, timely, relevant, accurate and understandable flow of information throughout the organisation, taking into account the confidentiality and integrity of information, as well as the privacy rights of individuals | Clause 6.2, paragraph 1 | With regard to the Russian wording of the phrase "as well as the privacy rights of individuals", in the context of the regulatory framework of the Russian Federation it is probably advisable to use the wording of Article 23(1) of the current Constitution of the Russian Federation ("the right to privacy"), so that the phrase reads "as well as individuals' right to privacy".
32 | a way of identifying and evaluating consequences (both positive and negative) and their likelihood | Clause 6.3.4, paragraph 5 | According to ISO 31000:2018, when defining risk criteria it is also necessary to specify how likelihood will be defined and measured; it is therefore proposed to revise the translation of this phrase.
33 | Probability of events and consequences | Clause 6.4.3, paragraph 4 | Proposed revision: "Likelihood (plausibility) of events and consequences occurring". Section 3 (clause 3.7) of the standard introduces the term "likelihood", and the original text fragment also uses the term likelihood.
34 | Decisions must take into account the wide impact of the environment, the actual and potential consequences for external and internal stakeholders. | Clause 6.4.4, paragraph 8 | It is proposed to consider correcting the translation of the phrase, taking the highlighted fragment into account. The original phrase of ISO 31000:2018 is "take account of the wider context", which implies a comparative degree with respect to the breadth of the context considered.
35 | The purpose of risk treatment is to select and implement risk treatment options | Clause 6.5.1, paragraph 1 | It is proposed to carry out a synonym analysis of the phrase "risk treatment", which is already used as the equivalent of the term risk treatment in ISO 31000:2018. At the same time, in the given text fragment the source for "implementation of risk treatment options" is the fragment implement options for addressing risk ("implementation of options for addressing risk").
36 | Monitoring and review should be an integral part of the implementation of risk treatment practices to ensure that various forms of risk treatment continue to be effective. | Clause 6.5.2, paragraph 12 | Suggested revision: "Monitoring and review should be an integral part of the implementation of risk treatment to ensure that the different forms of treatment become and remain effective" (closer in meaning to ISO 31000:2018: the transformation of ineffective measures into effective ones).
Source: Compiled by the authors based on GOST R ISO 31000-2019, ISO 31000:2018.
It should be noted that in practice, risk management in an organisation is designed primarily to prevent threats to its functioning that have arisen or may arise in the future, and secondly to realise probable opportunities that will improve the company's performance and increase its efficiency as a whole or in individual processes. In any case, for a commercial organisation the implementation of risk management should lead to positive financial consequences, and for a budgetary organisation to a more efficient and effective achievement of the established performance indicators.
It should be remembered that risks can be associated both with the internal processes of the organisation (for example, with incorrect marketing organisation or employee errors), and with external conditions (for example, with inflation or the political situation), that is, with the internal and external environment or context [Brykalov and Trifonov, 2020].
Threats and opportunities, or rather, their assessment, taking into account the likelihood of implementation and consequences (clause 6.4 of the standard), should always be in the attention of competent employees (having the necessary skills, knowledge and authority); the list of threats and opportunities (usually referred to as the "risk register") should be reviewed regularly. These employees should maintain not only a list of risks, but also, if possible, on-line, based on up-to-date data, monitor the dynamics of the probability of their occurrence (for example, based on the information about the current financial condition of the organisation, information about the daily volume of products sold) [Oparin, 2016].
In order to prevent or respond to threats in a timely manner, and to realise opportunities, the standard's algorithm for treating each risk (clause 6.5 of the standard) must be applied. In particular, it is necessary to choose a treatment option (for example, eliminate the cause, reduce the likelihood, protect against the consequences, do nothing about the risk, or refrain from actions that would increase the likelihood of the risk), and to plan and, where necessary, carry out appropriate measures (for example, the purchase of new equipment, the formation of a financial or product reserve, the reorganisation of production). It is imperative that "residual risks" are taken into account: they require the same work as described above, up to their elimination or responsible acceptance.
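As an added illustration (example code written for this edit, not part of the article or of the standard), the following Python walks a constructed risk register through the process stages listed earlier and the residual-risk handling just described: scoring the level of risk, comparing it with risk criteria, selecting treatment options, recomputing the residual risk, and either accepting it responsibly or refusing acceptance when the level is reserved for top management. The 5 x 5 scoring scale, the two thresholds and the three risks are assumptions made for the example.

```python
"""Risk register walk-through (constructed example; scale, thresholds and
risks are hypothetical and not taken from GOST R ISO 31000-2019)."""
from dataclasses import dataclass, field
from typing import Optional

# Risk criteria (clause 6.3.4): hypothetical thresholds on a 5 x 5 scale.
ACCEPTABLE_LEVEL = 6    # level <= 6: no further treatment required
ESCALATION_LEVEL = 15   # level >= 15: decision reserved for top management


@dataclass
class Treatment:
    """A treatment option and the score it is expected to bring the risk down to."""
    name: str
    likelihood_after: Optional[int] = None    # new likelihood score (1..5), if changed
    consequence_after: Optional[int] = None   # new consequence score (1..5), if changed


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    consequence: int       # 1 (negligible) .. 5 (severe)
    owner: str             # person with responsibility and authority (clause 5.4.3)
    applied: list = field(default_factory=list)
    accepted_by: Optional[str] = None


def level(likelihood: int, consequence: int) -> int:
    """Risk analysis (clause 6.4.3): level of risk as likelihood x consequence."""
    return likelihood * consequence


def assess(lvl: int) -> str:
    """Risk evaluation (clause 6.4.4): compare the level with the risk criteria."""
    if lvl <= ACCEPTABLE_LEVEL:
        return "acceptable"
    if lvl >= ESCALATION_LEVEL:
        return "escalate"
    return "treat"


def residual_scores(risk: Risk) -> tuple:
    """Likelihood and consequence after every treatment already applied."""
    lik, con = risk.likelihood, risk.consequence
    for t in risk.applied:
        if t.likelihood_after is not None:
            lik = min(lik, t.likelihood_after)
        if t.consequence_after is not None:
            con = min(con, t.consequence_after)
    return lik, con


def treat(risk: Risk, options: list) -> dict:
    """Risk treatment (clause 6.5): apply options in priority order until the
    residual level meets the criteria or the options run out. Whatever remains
    is the residual risk, which is evaluated again against the same criteria."""
    for option in options:
        if assess(level(*residual_scores(risk))) == "acceptable":
            break
        risk.applied.append(option)
    inherent = level(risk.likelihood, risk.consequence)
    residual = level(*residual_scores(risk))
    return {
        "risk_id": risk.risk_id,
        "inherent": inherent,
        "inherent_status": assess(inherent),
        "residual": residual,
        "status": assess(residual),
        "treatments": [t.name for t in risk.applied],
    }


def accept_residual(risk: Risk, approver: str) -> bool:
    """Responsible acceptance of a residual risk. Refused when the level lies
    in the escalation band: that decision is not the risk owner's to take."""
    if assess(level(*residual_scores(risk))) == "escalate":
        return False
    risk.accepted_by = approver
    return True


def run_register() -> dict:
    """Constructed register of three risks; returns the outcome per risk id."""
    register = [
        (Risk("R1", "Single supplier for a critical component", 4, 4, "COO"),
         [Treatment("qualify a second supplier", likelihood_after=2),
          Treatment("hold safety stock", consequence_after=2)]),
        (Risk("R2", "Data-entry errors in invoicing", 3, 2, "CFO"),
         [Treatment("four-eyes check", likelihood_after=2)]),
        (Risk("R3", "Change in export regulation", 3, 4, "Head of legal"),
         [Treatment("regulatory watch service", likelihood_after=2)]),
    ]
    results = {}
    for risk, options in register:
        outcome = treat(risk, options)
        if outcome["status"] == "treat":   # options exhausted, still above appetite
            outcome["accepted"] = accept_residual(risk, risk.owner)
        results[risk.risk_id] = outcome
    return results


if __name__ == "__main__":
    for row in run_register().values():
        print(row)
```

R1 starts in the escalation band, is brought down to an acceptable level by two measures, and so needs no acceptance decision; R2 already meets the criteria and receives no treatment; R3 is left with a residual level of 8 after its only option, so the risk owner has to accept it explicitly, and that acceptance is recorded on the register entry. A residual risk that stayed in the escalation band would be refused by accept_residual and would have to go to top management instead.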
The results of risk assessment, planning and implementation of activities (or results associated with their absence) should be documented and regularly evaluated. Relevant reports should be brought to the attention of authorised people, who, in turn, should make decisions based on the information provided and, if necessary, use additional information.
Since threats and opportunities, as well as the reasons for their occurrence, can be realised at any level of the organisation's functioning (in particular, operational, process or managerial; for example, a halt in product sales leading to a conflict with a counterparty that occurred as a result of equipment failure), the list of risks, the development of the necessary measures and the assessment of their implementation should cover all these levels, from corporate goals (their planning and achievement control) to the activities of each individual employee (or group of employees with similar job responsibilities), and should be based, among other things, on the results of assessing the external and internal environment (context). To work successfully with risks, it is necessary to establish processes for the exchange of relevant information (including for consultation) and to define access rights to it, ensuring the preservation of trade secrets and the protection of privacy.
The algorithms, rules, amount of resources of the risk management process and the powers of its participants, fixed in the documentation (all stages of the process are subject to regulation) and actually implemented, should be regularly assessed with a view to improving the efficiency and effectiveness of the process. On the basis of that evaluation, activities to improve the process should be developed, planned and implemented; their results are subject to evaluation in the next cycle.
The authors also consider it important that management, as well as the structural divisions of the organisation whose activity is to audit or supervise organisational processes, should take an active part in the risk management process and fully support its development, including on the basis of documented assigned powers.
1 ISO 31000:2009. Risk management – Principles and guidelines. https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-1:v1:en.
2 GOST R ISO 31000-2010. Risk management. Principles and Guidance (2012). Introduction 2011-09-01. Federal Agency for Technical Regulation and Metrology. M.: Standartinform, 2012.
3 GOST R ISO 31000-2019. Risk management. Principles and guidance (replacing GOST R ISO 31000-2010) (2020). Introduction 2020-03-01. Federal Agency for Technical Regulation and Metrology. M.: Standartinform.
4 ISO 31000:2018. Risk management – Guidelines. https://www.iso.org/ru/standard/65694.html.
References
1. Brykalov S.M., Trifonov V.Yu. (2020). Approaches to identify sources of risks of the organization. In: Economic security of Russia: Problems and prospects. Materials of the VIII International scientific-practical conference of scientists, specialists, university professors, post-graduate students, students. Nizhny Novgorod, NGTU: 9-13.
2. Lyubukhin A.S. (2021). Standardization in the field of risk management: foreign and domestic experience. In: Modern science: traditions and innovations. Collection of scientific articles according to the results of the IV youth competition of scientific works. Volgograd: 18-22.
3. Oparin S.G. (2016). Process-oriented concept of risk management in the economy. In: Oparin S.G. (ed.). Risk management in the economy: Problems and solutions. Proc. of scientific and practical conference with international participation. Saint Petersburg, Polytechnic University: 18-26.
4. Oparin S.G. (2017). New risk management paradigm in the firm's economy and business process management. In: XV International Scientific Conference “Management and Engineering ‘17”. Conference Proceeding, vol. I, Management, June 25-28, 2017. Sozopol, Bulgaria: 20-27.
5. Sekletsova A.A., Ermolaeva E.O. (2020). New risk management standards. In: Prosekov A.Yu. (ed.). Collection of abstracts of the VIII International scientific conference of students, post-graduate students and young scientists. Kemerovo: 180-181.
6. Sidorenko A.I., Dozhdikov K.V., Shevchenko D.A., Frolova L.V. (2016). Risk-oriented organization management: a practical guide to risk management for non-financial companies. Moscow, Editus: 284.
7. Tsakaev A.Kh., Saidov Z.A. (2019). Transformations in risk management methodology and their impact on quality management standards. Bulletin of Chechen State University, 36(4): 7-14.
About the Authors
B. A. Kushnin
Russian Federation
Graduate student, Moscow Metropolitan Governance Yury Luzhkov University (Moscow, Russia). Research interests: project management, financial management, risk management.
S. D. Furta
Russian Federation
Doctor of physical and mathematical sciences, professor, Russian Presidential Academy of National Economy and Public Administration (Moscow, Russia). SPIN-code: 6077-3956. Research interests: theory and practice of state governance, project management, financial management, risk management.
A. Y. Lyakin
Russian Federation
Leading expert of the Competence Center for control and supervisory activities, Moscow Metropolitan Governance Yury Luzhkov University (Moscow, Russia). Research interests: theory and practice of state governance, project management, risk management.
D. S. Golembiovskaya
Russian Federation
Master of Business Administration (MBA), Higher School of Finance and Management, Russian Presidential Academy of National Economy and Public Administration (Moscow, Russia). Research interests: project management, financial management, risk management.
M. A. Zhuravlev
Russian Federation
Post-graduate student, Institute of Economic Policy named after E.T. Gaidar (Moscow, Russia). Research interests: theory and practice of public administration, project management.