FAQ 2: Some more questions for ISO31000 doubters...
Following on from last weeks article about ISO31000 ...
Is ISO31000 a good risk management approach for me?
Chances are good that it is. I've used it for personal risk management through to helping a $30 billion organization build an enterprise risk plan that not only worked but integrated over $300 million of risk treatments into a single plan; and addressed everyone in the organization. I've even used it successfully as a starting point for strategic business plans. How do you create a risk management framework in a day? Start with ISO31000 (and some of the templates on this website). It won't be perfect in a day, but you'll have a foundation that you can build on.
Is it just another passing management fad that will be a waste of time?
Maybe. But probably not. Total Quality Management (TQM), 6 Sigma, project management and many more management fads have all come and gone. Or have they? Actually, no. Most of them including TQM, 6 Sigma and project management body of knowledge have come and have been so widely accepted that they are simply part of our modern business landscape. Like the air we breath, we don't even notice quality management techniques such as templates, policies and procedures that we use every day. Like project management or financial management, risk management is a core skill for every manager today and will only become increasingly important as we are challenged to do more and more with less and less.
Will I have to cram more things into my already busy working day?
Not if you do it right. Subscribe to my mailing list or just keep checking back and I’ll show you some tips, tricks and shortcuts. For example, how to use the 4Cs and 4As or CASE to (seemingly mystically) put your finger on the inadequacies of your organizations current risk plan within minutes, or how to write a risk plan that will actually get funded and many more time savers. If you need to build user friendly, scalable risk management framework, would you like to then be able to present it in a way that has the rest of your organization thanking you instead of cursing you? Risk management when done correctly following a few simple and basic rules will save you a lot of time.
Is ISO31000 better than the other risk management frameworks?
Strictly speaking, no it’s not. There are many reasons however for choosing to use ISO31000 over other risk management tools.
Firstly, it’s an international standard so it’s had a lot of scrutiny and is widely accepted as a robust approach to risk management.
Secondly, it’s a generic standard so it can be applied to all types of risk so that organizations can compare and prioritize risks from across the organization in a consistent framework. This approach allows decision makers to prioritize risks in a consistent fashion on an apples-for-apples basis.
Thirdly it has been designed to provide not just a process for risk management but a framework which integrates with other management standards such as ISO9000.
Last but not least, is the consideration that should best efforts fail and for some reason you have to defend your risk management practices in a court of law or the court of public opinion, it will be much easier to hold up an international standard as your approach than to have to explain and defend a system that you’ve designed from scratch, no matter how great it may be.
Is ISO31000 a process or a framework?
Yes. No. Maybe. It’s many things. The process is a part of ISO31000 however it is often considered to be the strongest and most unique element of the standard. It involves applying logical and systematic methods to help you consider and manage risks. There are many risk management processes already in existence and they all have their respective merits and limitations. ISO31000 process is arguably as good as any of them but has the additional benefit of being an international standard. That means that it’s transportable across borders, consistent in application and easy to argue in support of when defending your processes to managers, investors or (should the worst happen) in a court of public opinion should '60 Minutes' decide to hand down a finding. Very briefly the process can be summed up as:
communication and consultation
establishing the context
identifying, analyzing and evaluating risks
monitoring, reviewing and documenting risks and risk treatments
Do I have to be a risk management guru or dedicate my life to risk management in order to be able to use it?
Not at all. ISO31000 is for anyone who is sick of analyzing risk management failures after the fact and would like a simple approach for making better decisions. Case studies in my articles and books range from planning a staff picnic to enterprise risk management for multi-national corporations. If you're sick of the standard menu of risk management options and prepared to enter a world of plain English risk management that helps you make better use of resources, you've come to the right place.
Do I have to implement all of it? I just need to do a risk assessment.
No. You can pick and choose from what you need. The objective is to get you started with what you need as quickly as possible and to free up your time for other tasks. If you want to jump straight in to a section have a look at the Jumpstart Section for suggestions.
Do I need to be a risk evangelist?
No. Definitely not. Just take what works for you if and when you need it. The stuff in here will work whether you are passionate about it of not. It’s just another perspective on business and fundamentally risk management is just about making better decisions faster. That’s it in a nutshell.
Do I need to apply it across the whole organization?
No. ISO31000 (or any form of risk management) can be applied to the entire organization (that’s called enterprise risk management) or you can simply pick and choose where and how you want to apply. It can be used in a workgroup, a project, across a division or simply to specific functions, areas or activities.
If you've read this far, you are probably the only person ever to do so; so my sincere thanks. Risk management is really complicated and very dull (unless you're a risk nerd like me and study it for decades). You should probably avoid doing it (risk management that is - mind of the gutter please) if at all possible. A simple example about the amazing benefits of risk management: Do you have your pension funds invested with a truly gifted funds manager? Probably not. Did you know that over 90% (about 96% depending on the analysis) of managed funds actually UNDERPERFORM the market? Yes, you'd be better off (statistically at least) just putting your money into a Vanguard Index Fund. Seriously. The funds that underperform for a few years just get closed and the funds management company open a new one. It's equivalent to giving 10,000 chimpanzees 10,000 coins and tracking the coin tosses. The ones that toss 'Heads' 300 times in a row get huge bonuses and their funds are widely advertised as 'outperforming the market' due to their superior risk management expertise. So risk management is useless and you should probably not waste your money buying any of my risk management books either. But if you do, it will help me manage my personal risks of feeding my family. And you'll make my Christmas Card list.