RIP ISO 31000??
In 2009, the ISO 31000 Risk Management Principles and Guidelines was released with much fanfare. It was hoped that the introduction of an international standard would provide legitimacy to risk management and standardise approaches across the world. There was an opportunity for those conducting the review of ISO 31000 (draft released in March 2017) to provide more substance to the guidelines for the management of risk. Instead, it appears they have: stripped it back in terms of content; maintained definitions that most people do not understand; provided no guidance on how the requirements are to be achieved – just what is to be achieved; and changed a process that wasn’t broken in the first place.
I’m quite disappointed with the draft version, so much so, that, if it is adopted in its current form, I will not be teaching to the new process as I do not believe it truly represents how risk is to be managed.
In my blog: The risk management standard strikes again and in my second e-Book, Risk is not a 4 letter word I focused on what I thought were shortfalls in the ISO 31000, particularly around what is regarded as a risk, the assessment of the likelihood of the consequence and the definition of risk.
I was hoping, therefore, that the 2017 version of the standard would provide more clarity and the key terms would be more easily understood. The paring back of the document in terms of content, and the change to the risk management process (when there was nothing wrong with the current one) may see some countries who have previously supported ISO 31000 revert to their own standards. be perfectly honest, I wouldn’t blame them.
So, let’s look at my concerns in detail, starting with the definitions:
Concern #1 – Definitions
The definition of risk in the revised standard remains: the effect of uncertainty on objectives. As was the case in 2009, I still have no idea what this means.
This is a definition I have created that I think more meaningfully describes what a risk is:
“A possible event/incident/issue that, if it occurs, will have an impact on objectives”
It works well. It’s clear and is much more widely understood and used by participants on my courses and clients.
I have also questioned for some time now the definition of risk management as detailed in the standard: “coordinated activities to direct and control an organisation with regard to risk”.
In my view this definition is more appropriate for the purpose of risk governance (activities to direct and control). My preference when it comes to defining risk management is:
“A systematic process that, when applied, enables organisations to make informed decisions as to the actions to be taken in relation to the events/issues/incidents (risks) that, if they occur will impact on their objectives”.
The fact that these two fundamental definitions have remained extant is somewhat disappointing to me and I see it as an opportunity lost.
Concern #2 – The Risk Management Framework
I am currently developing a risk management framework on behalf of a client. This is the 15th such framework I have developed for organisations across all sectors (government, private enterprise and not for profit).
One of the key components of ISO 31000, in both the 2009 version and the draft 2017 version, is the need for organisations to design, implement, evaluate and continually improve risk management across the organisation. The criticality of a framework in relation to the effectiveness of a risk management framework is not in question, however, my experience in developing and implementing frameworks has highlighted some requirements for an effective framework that have not been mentioned in the standard.
The framework structure detailed in the draft revision of the standard is show below:
I developed this next diagram a number of years ago to highlight the elements of an effective risk management framework:
Although the majority of these facets are covered in the standard, when comparing the two, you will notice that there are additional elements that I consider critical to effective risk management.
In essence, the key difference is that my Framework diagram also highlights the need for:
- Training and competence because it is critical to the effectiveness of any risk management framework that those with responsibilities and accountabilities receive the training necessary to ensure they can undertake their duties
- Integration with strategic and business planning because it has been my experience that organisations that do not do this are significantly at a disadvantage when it comes to achieving their objectives.
- Risk governance because without governance structures (i.e. the various layers of risk management committees that exist within organisations), the effectiveness of the framework cannot be verified and assured which, in turn, results in an ability to ascertain the contribution risk management is making to the overall governance of the organisation.
The Risk Management Process
There is a well-worn phrase – if it ain’t broke – don’t fix it. In my view, there is absolutely nothing wrong with the existing process, however, those working on the revision have seen fit to change it from this:
Whilst the actual steps don’t seem to have been altered too much when reading the accompanying text, the change to the diagram creates unnecessary confusion, particularly as the current process diagram has existed for seven years (a lot longer for those that were using the AS/NZS 4360). There appears to be no explanation whatsoever as to the reason for the change, other than to add recording and reporting. But I also have a problem with these additions.
Recording is inherent in the process of identifying risks and then assessing them and, therefore, I do not believe it needs to be mentioned explicitly.
Reporting, in my opinion, is not a function of the risk management process but is part of the governance structure for the risk management framework. By including it as part of the risk management process, the implication is that, as part of the process, all risks need to be reported individually. This, of course, is neither practical or practicable.
In the desire to review and create what I think should have been a better version of the ISO 3000, I’m not convinced it will ‘change the world’. If I was a betting man (well, actually I am), I would lay money that there will be a number of countries that will revert to their own standards in the future, because what they had previously was significantly better than what we have now.
End of rant.