#87 – TIME TO REVISE THE ISO 31000 RISK MANAGEMENT STANDARD – GREG CARROLL

With the recent release of the new British standard BS 65000 on Organisational Resilience, and COSO's announcement of a review of its COSO ERM framework (first published in 2004), I believe that business is moving ahead of ISO 31000 as a necessary response to the evolving business environment and the accelerating rate of technical change; there is therefore a strong case for taking a fresh look at ISO 31000.

As I've stated many times, the pace of business change and the evolution of management systems are accelerating in the 21st century, and so too is the role of Risk Management. The ground is continuing to move under our feet. Long a supporter of Martin Davies' causal approach to risk management, I feel that the albatross of risk heat maps and 20th century OHS perceptions of risk, to which many are still wedded, is causing business to bypass Risk Management altogether.

HAS RISK MANAGEMENT BECOME LOST IN OPRISK?
In a recent article titled "Ten steps to corporate risk analysis", David Vos, when referring to the need for Quantitative Risk Analysis (QRA), cites that "only about one quarter of corporate strategic planning departments truly use simulation analysis (the most useful means of evaluating risks), and only a third quantify their risks at all." This left me dumbfounded: if risk is the effect of uncertainty on objectives (ISO 31000's own definition), how can any system claim to be managing risk without quantifying that uncertainty? It leads me to ask, outside banking and insurance, how many people are really "managing" risk as opposed to merely recording it?

Could it be arrogance, having elevated ourselves to the "opportunity and decision making" doyens of business, that is causing us to lose sight of our primary role? When the legal fraternity starts making comments like "Though these (traditional) approaches remain critical to ensuring organizational compliance, they are no longer sufficient to detect the accelerating variety of risks that are percolating within a global organization that is subject to widely disparate regulatory schemes", as in a recent "Inside Counsel" article titled Data analytics as an emerging tool for compliance and legal risk management, it is time we started questioning our place in the business landscape.

Coupled with the recent release of the new British standard BS 65000 on Organisational Resilience, and COSO's announcement of a review of its COSO ERM framework (first published in 2004), I believe that business is moving ahead of ISO 31000 as a necessary response to the evolving business environment and the accelerating rate of technical change; there is therefore a strong case for taking a fresh look at ISO 31000.

IS THE LEGAL DEPARTMENT TAKING OVER RISK?
I was thoroughly caned for my recent article PDCA is NOT Best Practice, in which I criticised PDCA as an "outdated" serial approach to Continuous Improvement and proposed instead Realisation, Optimisation and Innovation as an interactive, real-time approach using mathematical predictive analytics. Yet it seems the usually lagging legal fraternity is advocating a similar approach, one "that may be used by the legal department for risk management purposes. These innovative uses of available technology can increase the return on investment in the technology and provide an added incentive to move forward with new approaches to risk management." Is the Legal department to become the vanguard for Enterprise Risk Management? Given its relationship to Corporate Governance, it is not beyond the realm of possibility!

Although I am most likely preaching to the converted, we need to change the purpose of Risk Management from being administrative to being a proactive, value-adding tool. This mandates, at a minimum, a reasonable level of understanding of statistical and analytical mathematics, and the realisation that an Excel spreadsheet cannot be proactive. As ISO 31000 is the only tool we have to wage this war, and 2009 (when it was drafted, essentially in the pre-GFC world) was a lifetime ago in terms of business practice, I believe it requires a major overhaul or it risks becoming irrelevant.

Finally, risking the wrath of the ever-swelling ranks of generalist OpRisk "consultants" out there, and however altruistic the original decision for ISO 31000 not to be certifiable may have been, there is a need to introduce a method of Certification to engender value and consistency in the reputation of ISO 31000.

MY SUGGESTIONS FOR A REVISED ISO 31000
As a starting point I would suggest:

  1. Strengthen requirements on Risk Culture and Risk Appetite
  2. Mandate Quantitative Risk Analysis (QRA)
  3. Mandate causal analysis and monitoring
  4. Take a proactive approach to Risk Management
  5. Incorporate BS 65000 and Resilience as part of ISO 31000
  6. Introduce Certification to protect the ISO 31000 brand
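To make concrete what "quantifying" risk (points 2 and 3, and the Vos quote above) means in practice, here is an added worked example that is not part of the original article or of Fast Track's software: a Monte Carlo simulation of annual loss for two constructed scenarios. Event frequency is drawn from a Poisson distribution and loss magnitude from a lognormal, which is the usual compound-Poisson model used in operational-risk quantification. The two scenarios are invented for illustration and are chosen so that a 5x5 heat map gives them the same score (likelihood 4 x impact 2 versus likelihood 2 x impact 4), while the simulation shows very different expected loss and very different probability of exceeding a one-million loss threshold; the numbers, rankings and threshold are assumptions, not figures from the article.

```python
import math
import random
from typing import Dict, List


def poisson(lam: float, rng: random.Random) -> int:
    """Sample an event count from Poisson(lam) using Knuth's algorithm.

    Adequate for the small annual rates used in risk scenarios; for very
    large rates a different sampler would be preferable.
    """
    limit = math.exp(-lam)
    k = 0
    p = 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_loss(freq_per_year: float, median_loss: float,
                         sigma: float, trials: int = 20000,
                         seed: int = 1) -> List[float]:
    """Return one simulated total loss per trial year.

    freq_per_year: expected number of loss events per year (Poisson rate).
    median_loss:   median loss of a single event (lognormal median).
    sigma:         lognormal shape; larger means a heavier tail.
    """
    rng = random.Random(seed)
    mu = math.log(median_loss)  # lognormal mean of ln(X) equals ln(median)
    losses = []
    for _ in range(trials):
        events = poisson(freq_per_year, rng)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def summarize(losses: List[float]) -> Dict[str, float]:
    """Expected annual loss plus percentiles of the loss distribution."""
    ordered = sorted(losses)
    n = len(ordered)

    def pct(q: float) -> float:
        return ordered[int(q * (n - 1))]

    return {"mean": sum(ordered) / n, "p50": pct(0.50),
            "p90": pct(0.90), "p99": pct(0.99)}


def probability_exceeding(losses: List[float], threshold: float) -> float:
    """Loss exceedance probability: share of trial years above threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def heat_map_score(likelihood_rank: int, impact_rank: int) -> int:
    """Conventional 5x5 heat-map score: likelihood rank times impact rank."""
    return likelihood_rank * impact_rank


# Constructed scenarios (hypothetical figures, not from the article):
# A: frequent, small losses, e.g. repeated minor outages.
# B: rare, large losses, e.g. a major breach.
SCENARIO_A = {"freq_per_year": 10.0, "median_loss": 5_000.0, "sigma": 1.0}
SCENARIO_B = {"freq_per_year": 0.1, "median_loss": 2_000_000.0, "sigma": 1.0}
THRESHOLD = 1_000_000.0


def compare_scenarios() -> Dict[str, Dict[str, float]]:
    """Heat-map score versus simulated statistics for both scenarios."""
    result = {}
    for name, params, ranks in (("A", SCENARIO_A, (4, 2)),
                                ("B", SCENARIO_B, (2, 4))):
        losses = simulate_annual_loss(**params)
        stats = summarize(losses)
        stats["p_exceed_1M"] = probability_exceeding(losses, THRESHOLD)
        stats["heat_map"] = heat_map_score(*ranks)
        result[name] = stats
    return result


if __name__ == "__main__":
    for name, stats in compare_scenarios().items():
        print(name, {k: round(v, 3) for k, v in stats.items()})
```

Both scenarios score 8 on the heat map, yet scenario A's expected annual loss is roughly 10 x 5,000 x e^0.5, about 82,000, with essentially no chance of a million-loss year, whereas scenario B's expected loss is about four times higher and it breaches the million threshold in roughly 7% of years. The heat map cannot express that difference; the loss-exceedance curve can, and it is what a risk appetite statement (point 1) should be set against.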

Bio:

Greg Carroll, Founder & Technical Director, Fast Track Australia Pty Ltd. Greg Carroll has 30 years' experience addressing risk management systems in life-and-death environments such as the Australian Department of Defence and the Victorian Infectious Diseases Laboratories, among others. He has also worked for decades with top-tier multinationals such as Motorola, Fosters and Serco.

In 1981 he founded Fast Track (www.fasttrack365.com), which specialises in regulatory compliance and enterprise risk management for medium and large organisations. The company deploys enterprise-wide solutions for Quality, Risk, Environmental, OHS, Supplier and Innovation Management.

Mastering 21st Century Risk Management” which will be available from the www.fasttrack365.com website in a couple of weeks.   Meanwhile a recent Webinar on the topic can be seen at http://www.youtube.com/watch?v=nQoJj6FBxrY&feature=youtu.be in which we show how emerging best practices provide a good picture for how enterprise risk management should look in the 21st century.
