FAQ – ISO31000 Doubters Read This
The fact that so many nations have worked on the development of ISO 31000 gives it great credibility. The standard will provide a vehicle for the risk profession to harmonize concepts, irrespective of the country. It will overcome confusion and help stakeholders to understand the risks that are being communicated.
– Peter Janus
You may be familiar with the expression "Shooting Ducks in a Barrel". It's popular in some circles to criticise ISO31000 for any number of reasons. I would suggest that doing so is both easy and unsporting. Criticising is easy; building a better risk management standard is incredibly difficult. Until you've been on the inside of a standards committee, you probably have little appreciation for the challenges of creating a standard that translates into dozens of languages, including some languages which have no distinct word for risk.
I first came across ISO31000 in 1999. Or more correctly, I should say that I came across its predecessor, AS/NZS4360:1999 Risk Management Standard. I was working in security risk management at the time and consulting to a company that had recently mandated AS4360 as their risk management process. I was asked to do a security risk assessment for my client's hydrocarbon production facility in accordance with 4360. That seemed like a reasonable enough idea but, frankly, I was skeptical that one risk standard could work for all types of risk. Surely, I thought, risk management for financial portfolios is different to risk management for security issues, which is different again to engineering, project management, safety and health, etc.? So many uniquely different types of risk management for each specialized field – how can they all be addressed by one standard? But do it we did, and in doing so I became a convert to the process that is now enshrined in ISO31000.

Before I sing the praises of the standard, let's go back to basics for a moment and answer the question of 'why do we even need a standard?'. Surely there are any number of ways to do risk management? Yes. There are. And that's why we need a standard: so that organizations have a consistent approach that enables 'apples for apples' comparison when assessing which risks and which divisions need the most resources. Equally, to provide a consistent approach so that individuals, once skilled in that single approach, can hit the ground running and quickly adapt it to any organization or circumstance they find themselves in.

To be fair, if you're like me, you probably find standards to be pretty dry reading. ISO31000 is no exception to that seemingly mandatory principle. That's not a criticism of the standard but simply reflects the reality of building a generic standard that will work for any organization. For very good reasons, it is deliberately generic, and this is one of its strengths – and one of its weaknesses.
Here, and in next week's article, are some of the most common doubts that people have before engaging with risk management 'ISO31000-style' and, indeed, some of the questions you may be considering while you decide if this standard is for you.

Why invest in risk management?
At its simplest, risk management is about making better decisions faster. There are any number of models and systems promoted by management consultants and the like, which seem determined to make risk management into some sort of self-licking ice-cream. The goal of risk management isn't to do risk management per se, but to support organizational (or individual) objectives. Good risk management practices can help you to optimize the application of finite resources to achieve objectives.
ISO31000 has a longish list of 'why apply risk management?' in its introduction, which I don't propose to repeat here. If you asked me, however, to sum up the objectives and benefits of risk management, here are the key points I would address:
Better decision making
Reduced volatility (variability) of outcomes
Improved service delivery, reporting systems, outcomes and accountability
Optimization of limited resources
Protect the organization's people & assets
Provide stakeholder confidence
The ‘last but not least’ on the above list is one area that is often overlooked. Risks can have benefits as well as costs and the same processes that can avert misfortune can bring good fortune. ISO31000 understands this very well.
More people die of risks every year than any other cause. Following my advice could well result in death or injury, so I advise you not to follow my advice, unless under the supervision of an adult. ISO31000:2009 will not save you in this regard. ISO31000:2017 might save you. But then again, it isn't out yet and probably won't be all that different anyway. Speaking of risks, there is a high probability that ISO31000:2017 will come out as ISO31000:2018 or ISO31000:2019 or … (well, you get the idea :-)