Enterprise Compliance Today

Time to Revise the ISO 31000 Risk Management Standard

Posted by Greg Carroll on Thu, Feb 19, 2015 @ 09:00 AM

With the recent release of a new British standard, BS 65000 on Organisational Resilience, and COSO’s announcement of a review of its 2001 COSO ERM framework, I believe that business is moving ahead of ISO 31000 as a necessary response to the evolving business environment and accelerating rate of technical change; therefore there is a strong case for taking a fresh look at ISO 31000.

 


As I’ve stated many times, the pace of business change and the evolution of management systems are accelerating in the 21st century, and so too is the role of Risk Management. The ground is continuing to move under our feet. Long a supporter of Martin Davies’ causal approach to risk management, I feel that the albatross of risk heat maps and 20th-century OHS perceptions of risk, to which many are still wedded, is causing business to bypass Risk Management.

 

Has Risk Management become lost in OpRisk?

In a recent article by David Vos titled “Ten steps to corporate risk analysis”, when referring to the need for Quantitative Risk Analysis (QRA), he cites that “only about one quarter of corporate strategic planning departments truly use simulation analysis (the most useful means of evaluating risks), and only a third quantify their risks at all.” This left me feeling dumbfounded, for if Risk is the level of uncertainty on objectives, how can any system claim to be managing risk without quantifying it? It leads me to ask, outside banking and insurance, how many people are really "managing" risk as opposed to recording it?

Could it be arrogance, where we have elevated ourselves to the “opportunity and decision making” doyens of business, that is causing us to lose sight of our primary role? A recent "Inside Counsel" article titled “Data analytics as an emerging tool for compliance and legal risk management” states: “Though these (traditional) approaches remain critical to ensuring organizational compliance, they are no longer sufficient to detect the accelerating variety of risks that are percolating within a global organization that is subject to widely disparate regulatory schemes”. When the likes of the legal fraternity start making comments like this, it’s time we start questioning our place in the business landscape.


 

Is the Legal department taking over Risk?

Thoroughly caned for my recent article “PDCA is NOT Best Practice”, where I criticized PDCA as an “outdated” serial approach to Continuous Improvement and proposed instead Realisation, Optimisation and Innovations as an interactive real-time approach using mathematical predictive analytics, I note that the usually lagging legal fraternity are now advocating a similar approach “that may be used by the legal department for risk management purposes. These innovative uses of available technology can increase the return on investment in the technology and provide an added incentive to move forward with new approaches to risk management.” Is the Legal department to become the vanguard for Enterprise Risk Management? With its relationship to Corporate Governance, it is not beyond the realm of possibility!

Although I am most likely preaching to the converted, we need to change the purpose of Risk Management from being administrative to being a proactive, value-adding tool. This mandates, at a minimum, a reasonable level of understanding of statistical and analytic mathematics, and the realisation that an Excel spreadsheet cannot be proactive. As ISO 31000 is the only tool we have to wage this war, and 2009 (when it was basically drafted, in the pre-GFC world) was a lifetime ago in terms of business practice, I believe ISO 31000 requires a major overhaul or it risks becoming irrelevant.

Finally, risking the wrath of the ever-swelling ranks of generalist OpRisk “consultants” out there, and however altruistic the original decision for ISO 31000 not to be certifiable may have been, there is a need to introduce a method of Certification to engender value and consistency in the reputation of ISO 31000.

 

My Suggestions for a revised ISO 31000

As a starting point I would suggest:

1. Strengthen requirements on Risk Culture and Risk Appetite
2. Mandate the need for Quantitative Risk Analysis (QRA)
3. Mandate the need for causal analysis and monitoring
4. Take a proactive approach to Risk Management
5. Incorporate BS 65000 and Resilience as part of ISO 31000
6. Introduce Certification to protect the ISO 31000 brand

 


Tags: risk management, Resilience, risk identification