Quite simply, because it is so high level and it has plenty of good messages.
That’s right. The best thing that ever happened to ISO31000 is the fact that is so ridiculously high-level and doesn’t provide any specific details on the implementation.
This is important for 2 reasons:
- risk management implementation is an art, dependent on human personalities, preferences, relationships as well as general company maturity and culture. The need to integrate into decision making is clear, yet there is simply no recipe how to integrate into any given process. In fact, I’ve integrated risk management into investment decision making at 3 different sovereign funds and each time it looked different. Similar organizations would probably integrate risk analysis differently into the same process.
- what are the chances that a group of country representatives sitting in ISO TC 262 (people working on the ISO31000), most of whom are not professional risk managers (less than 20%), but rather academics, consultants or standardization representatives, have any idea about the intricacies of risk management integration into decision making? Exactly. Just for fun, I will soon do an article with the recommendations and comments on ISO31000 from Russia that never made it to the final version.
In fact, ISO is just about to make a huge mistake. ISO TC 262 will soon publish a detailed handbook on implementing ISO31000. There is a 95% chance the handbook will miss most of existing scientifically proven methods and research available in the risk space, because the motivation to reinvent the wheel is too great. This message is important and I will come back to it later in the article.
Many of the messages in the ISO31000:2018 are solid:
- Risk management is not the process of identifying, assessing, mitigating and so on, rather it is coordinated activities to direct and control an organization with regard to risk.
- Risk is effect of uncertainty on objectives, which doesn’t have a positive or negative connotation, it’s all effects.
- The purpose of risk management is the creation and protection of value. It improves performance, encourages innovation and supports the achievement of objectives.
- Risk management is an integral part of all organizational activities.
- Human behaviour and culture significantly influence all aspects of risk management at each level and stage.
- The purpose of the risk management framework is to assist the organization in integrating risk management into significant activities and functions. The effectiveness of risk management will depend on its integration into the governance of the organization, including decision-making.
- Integrating risk management into an organization is a dynamic and iterative process, and should be customized to the organization’s needs and culture. Risk management should be a part of, and not separate from, the organizational purpose, governance, leadership and commitment, strategy, objectives and operations.
And my favourite one…
This is how you supposed to implement risk management according to ISO31000:2018 which I fully support:
The organization should implement the risk management framework by:
— developing an appropriate plan including time and resources;
— identifying where, when and how different types of decisions are made across the organization, and by whom;
— modifying the applicable decision-making processes where necessary;
— ensuring that the organization’s arrangements for managing risk are clearly understood and practised.
Check out other risk management books
That’s right, you implement risk management by modifying how decisions are made, not by writing a risk framework document and updating risk register once a quarter.
There are, of course, not-so-good messages as well (read here), but there is more good stuff than not. By a big margin.
I think it’s naive to look for “how to” in the ISO space. ISO standards serve a different purpose. If you really want to become a good risk manager, stop hiding behind ISO31000:2018 limitations and learn:
- statistics fundamentals – that’s right, no risk management is possible without math. Can be found in any good book on probability theory, etc
- decision-making tools – any good book on decision quality, like the one by Carl Spetzler actually called Decision Quality
- the science around risk perception – Daniel Kahneman, Gerd Gigerenzer, etc.
- an alternative way to look at life – any book by Nassim Taleb
Risk professionals already have all the answers, they had it for years. There is absolutely nothing new in ISO31000:2018 or COSO:ERM 2017 for that matter. Risk managers just need to start looking in the right places and asking the right questions.