When did ISO 31000 become an auditable compliance standard?

May 13, 2021
by Rod Farrar

A client of mine recently had a run-in with an auditor (what's new). The auditor was adamant that, because what she was seeing was not something she was familiar with, it was wrong. She resorted to the auditor's chestnut: "but that is not in accordance with ISO 31000".

Fast forward a few days and the report is presented with a finding that the framework is not aligned to ISO 31000 and, therefore, the organisation was going backwards in terms of its risk management approach. Other wonderful terms, such as "not in accordance with industry best practice", also managed to make their way into the report.

I see it all the time in tenders, organisational risk documentation, policy/regulatory guidance, and the list goes on. It is always the same: "must be in accordance with ISO 31000".

It is absolutely no secret that I am not a fan of ISO 31000, in particular its definition of risk. That is a topic for an upcoming blog, but in this piece I want to explore the common term "in accordance with ISO 31000".

In my view, "in accordance with ISO 31000" implies that there is a compliance element to the Standard. Maybe I am reading a different Risk Management Standard to others, but I am at a complete loss to understand how ISO 31000 has become a standard to which we must comply. Unlike Standards such as ISO 9001, ISO 31000 is not a prescriptive Standard; it merely provides guidance.

If we consider the very first words of ISO 31000, the 2009 edition stated:

This International Standard provides principles and generic guidelines on risk management.

It then went on to state:

Although this International Standard provides generic guidelines, it is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed.

And here was the kicker:

This International Standard is not intended for the purpose of certification.

Whilst these paragraphs are not replicated in the 2018 version, it does state:

This document provides guidelines on managing risk faced by organizations. The application of these guidelines can be customized to any organization and its context.

The key here is that there has never been any intent for ISO 31000 to be a compliance standard. In fact, only 17-odd of the 25 pages within the Standard contain any information relating to the management of risk. My personal view is that anyone who believes that risk management can be explained in 17 or so pages, let alone be certified to or against, has absolutely no understanding of the complexity of risk management.

So how is it, then, that there are organisations actively promoting that they will certify your organisation to ISO 31000, or others where you can become a "Certified ISO 31000 Risk Manager"?

This to me is a blatant misrepresentation of the intent of the Standard and, worse still, may lead organisations to believe that because they are accredited or certified to ISO 31000 they are effectively managing risk. Effectively, this is the 'Claytons of accreditation': the accreditation you have when you don't have any accreditation! All they have done is satisfy an organisation (which itself may not understand risk management) that they have a risk management program and can point to a number of documents that have the right words in them.

This is not managing risk – this is doing risk management.

You may have a piece of paper that says you are certified to ISO 31000 as an organisation or an individual. However, in my humble opinion (and based on the fact that the Standard itself states that it is not intended for the purpose of certification), there is only one use for such a piece of paper...

Actually, such a certificate may come in handy if there is any further panic buying during the pandemic.

Written by Rod Farrar

Rod is an accomplished risk consultant with extensive experience in the delivery of professional consultancy services to government, corporate and not-for-profit sectors. Rod takes every opportunity available to ensure his risk management knowledge remains at the ‘cutting edge’ of the discipline. Rod’s Risk Management expertise is highly sought after as is the insight he provides in his risk management training and workshop facilitation. Rod was recognised by the Risk Management Institution of Australia as the 2016 Risk Consultant of the Year and one of the first five Certified Chief Risk Officers in Australasia.