Business Insurance: ISO 31000, should we believe the hype?



“…risk managers should use standards such as ISO 31000, “because standards, no matter what kind or which ones, support key tools and processes.” “Standards allow you to proactively address risks with some discipline,” he said. “Standards also relate well to the whole idea of focusing on outcomes.”

Surely the focus should be upon being proactive and ‘managing’ emergent risks, NOT outcomes!?

Where, I suspect, NASA have a distinct (informational) advantage is that the multi-scalar interactions among components, processes, networks of sub-systems and systems are each rigorously tested at every point in assembly and operation…


ISO 31000: Dr Rorschach meets Humpty Dumpty…splat!!!

This is what I call a “Wispa moment”. If you remember the adverts for the ’80s chocolate bar you may recall Griff Rhys Jones and Mel Smith in one of their face-to-face dialogues made famous by the comedy series “Not the Nine O’Clock News”.

So, why a Wispa moment? Because the “punchline” was that “…the people that make ’em don’t know how they make ’em”!

Now, effective Risk Management is a much more serious issue than a chocolate bar (I can’t believe I said that) but this is an industry that has carved such a lucrative niche for itself that, rather than focus on the many failures, the preference is to slug it out verbally to see which organisation can come up with the best set of rules (oops! guidelines)… as if there were some realistic chance of global acceptance, adoption and application. Farcical!!!

I have the utmost respect for the opinions of Prof Adams & Dr David Hancock and really wish that some of the bumptious, self-important and self-anointed “experts” would do themselves (and the industries they profess to want to help) a big favour: recognise that, even IF there was scope to move beyond the “language barrier” and the mental masturbation associated with the argument for/against a particular version, their “rules” will always come a poor and distant second to the profit motive.

I am currently having this problem with ISO 31000 – Risk management — Principles and Guidelines. The International Standards Organization published these guidelines in 2009 and with them appears to aspire to global leadership, if not domination, of the risk management industry. According to Kevin Knight, leader of the group that produced the document, it is comprehensive and global in reach – it “provides principles and practical guidance to the risk management process” and it applies to everyone everywhere – it is “applicable to all organizations, regardless of type, size, activities and location and should apply to all types of risk.”

A game anyone can play

I have now read it many times and still do not know what is expected of me. And I think I have worked out why. It repeatedly tells me to do what is “appropriate”: it tells me that my involvement with stakeholders should be “appropriate and timely”; that I should consider “the most appropriate ways to communicate with [stakeholders]”; that I “should allocate appropriate resources for risk management”; and that I should “communicate and consult with stakeholders to ensure that [my] risk management framework remains appropriate.” The guidance to do the “appropriate” thing appears 34 times in 26 pages.

What is “appropriate”? Those deploying the word appear to assume that all readers will share its meaning. But anyone plugged into discussions about the influence of disparate cultural perceptions of risk will appreciate that this is a facile assumption. All these “appropriates” are Rorschach inkblots. The famous Rorschach test is known as a projective test. Subjects are shown ambiguous stimuli (inkblots) and asked to say what they see. Although psychologists have failed to reach a consensus on the interpretation of the answers, it is clear that different people project very different meanings onto ambiguous stimuli.

“Appropriate” is not the only inkblot in ISO 31000. There are 33 “effectives” (“this International Standard establishes a number of principles that need to be satisfied to make risk management effective.”); 13 “culture/culturals” (“Risk management takes human and cultural factors into account.”); 9 “relevants” (I should ensure that “risk management remains relevant and up-to-date”); 8 “comprehensives” (I need “to generate a comprehensive list of risks”); plus 4 “acceptables” and 4 “tolerables”.

Using this (incomplete) list of inkblots I divide 105 inkblots by 26 pages and award ISO 31000 an inkblot score of 4.03. It is a game that anyone can play and I offer it as a way of quantifying the sense of vague dissatisfaction generated by so much of the current risk management literature.

via ISO 31000: Dr Rorschach meets Humpty Dumpty | John Adams.