Risk management needs to go from being administrative to being an active tool, and an updated ISO 31000 is the way to get there.
With the recent release of a new British standard BS 65000 on organizational resilience and the announcement by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) of a review of its 2001 enterprise risk management (ERM) framework, I believe that business is moving ahead of ISO 31000 as a necessary response to the evolving business environment and accelerating rate of technical change. Therefore, there is a strong case for a taking a fresh look at ISO 31000.
As I’ve stated many times, the pace of business changes and evolution of management systems is accelerating in the 21st century. So, too, has the role of risk management. The ground is continuing to move under our feet. Long a supporter of Martin Davies' causal approach to risk management, I feel the albatross of risk heat maps and 20th century occupational health and safety (OHS) perceptions of risk are causing business to bypass risk management.
Has Risk Management Been Lost in Operational Risk?
In a recent article by David Vos titled “Ten steps to corporate risk analysis,” he refers to the need for quantitative risk analysis (QRA) and says “only about one quarter of corporate strategic planning departments truly use simulation analysis (the most useful means of evaluating risks), and only a third quantify their risks at all.” This left me dumbfounded, for if risk is the level of uncertainty on objectives, how can any system claim to be managing risk without quantifying it? It leads me to ask, outside banking and insurance, how many people are really “managing” risk as opposed to recording it?
Could it be arrogance, where we have elevated ourselves to the “opportunity and decision making” levels of business, causing us to lose sight of our primary role in the business landscape?
Is the Legal Department Taking Over Risk?
In a recent article, I criticized plan, do, check, act (PDCA) as an outdated, serial approach to continuous improvement, proposing instead realization, optimization and innovations as an interactive real-time approach using mathematical predictive analytics. It seems the usually lagging legal fraternity is advocating a similar approach “that may be used by the legal department for risk management purposes. These innovative uses of available technology can increase the return on investment in the technology and provide an added incentive to move forward with new approaches to risk management.” Is the legal department to become the vanguard for ERM? With legal's relationship to corporate governance, that is not beyond the realm of possibilities!
Although I am most likely preaching to the converted, we need to change the purpose of risk management from being administrative to being an active, valuable tool. This mandates, at a minimum, a reasonable level of understanding of statistical and analytic mathematics and the realization that an Excel spreadsheet cannot be proactive. As ISO 31000 is the only tool we have to wage this war, and 2009 was a lifetime ago in terms of business practice (basically, before the end of the Great Financial Crisis), I believe it requires a major overhaul or risk becoming irrelevant.
Finally, risking the wrath of the ever-swelling ranks of generalist operational risk consultants out there: However altruistic was the original decision for ISO 31000 not to be certifiable, there is a need to introduce a method of certification to engender value and consistency into the reputation of ISO31000.
My Suggestions for a Revised ISO 31000
As a starting point, I would suggest:
- Strengthen requirements on risk culture and risk appetite
- Mandate the use of quantitative risk analysis (QRA)
- Mandate the use of causal analysis and monitoring
- Take an active approach to risk management
- Incorporate BS65000 and resilience as part of ISO 31000
- Introduce certification to protect the ISO 31000 brandaszzz