
ISO 31000 - fit for purpose?

Russell provided some insight into how the ISO generally works, as an organization and process:

  • Companies that wish to influence and be involved in the ISO process pay a fee for the privilege. This is organised on a country basis.
  • Each country then identifies potential changes and groups them via a technical council or committee (TC 262), one for each country. These changes are then proposed to the ISO group. Even though the proposals are grouped, these are not necessarily the ones presented by the TC 262 chair to the ISO committee. There are potentially some biases involved.
  • The ISO committee then votes on any changes, and the majority result is the one selected and transformed into the standard.

Russell noted that he has an approved alternative approach that includes organising groups of technical experts independent of country influence. These groups have the chance to propose more practical approaches and are not easily influenced. They are also voluntary in nature and do not need to pay for eligibility. Under the existing system many industrial companies are not willing to pay for eligibility to influence these RM standards, so there is a bias towards those with a financial interest in using these standards as part of their service portfolio.

In general it was noted that there are some gaps in the existing standard that need to be addressed. These are:

  • ESG
  • Sustainability
  • Energy
  • AI

Some of us felt these are already in the standard and should not necessarily be singled out, as otherwise we would need to highlight all other areas too. The question is how we can ensure that the full scope of risk management in decision making is covered. That is, the lack of insight into including these four areas is due to the skill, scope and experience of the individual practitioners.

The general questions raised for discussion were: what is wrong with the standards? What needs to be improved? Where are the gaps, and what is the intention of the standard overall? With so many issues arising from use of the current standard, in terms of companies and financial institutions failing, the underlying question is: what is wrong?

The following are some of the points raised by the members:

  • Too conceptual, with not enough practical advice and direction, for SMEs in particular
  • Needs more reference to the need for continuous and effective improvement
  • Needs more linkage of RM to decision making, strategy, and psychology/biases, even if those broader topics themselves are out of scope for what the standard itself dictates
  • Needs more anchoring in ethical and moral issues; the standard should be based on these key principles
  • What working environment does the standard actually generate?
  • The 31000 RM standard could/should do a better job highlighting other adjacent, complementary and even competing standards and frameworks, both for RM and for e.g. ESG, IT, project management, …
  • It is normal human nature to focus on downside risks, so the standard should highlight opportunity more to compensate for this natural tendency.
  • Any standard needs to be relevant to daily organisational decision making and to be seen to be effective in a fast-moving environment. The current standard is too broad and conceptual to do this.
  • From a different angle, the question of certification was raised. With so many organisations creating training and offering certification, ISO should try to ensure there is a predefined level of quality associated with certification, even if it is offered by others.
  • There was a general sense that various points (above and others) may technically be “covered off” by language somewhere in the standard, but if they are mere mentions that are picked up only by a careful, expert reader, then the standard is failing to meet its objective to shape the scope and aspirations of RM as it should.

Some overarching questions are:

  • How to get buy-in from top management and boards/stakeholders so that they are persuaded of the value of RM? This goal needs to be clear in the standard, even if it doesn’t have all the answers. It’s not about compliance.
  • How can risk managers individually and collectively improve the quality of their work and make it a clear profession?

Please feel free to add, challenge and comment on this interesting topic. A revision of the standard is coming up, so maybe we can add some value in an exchange.

[Comments on this summary provided by Russell:]

This is a useful summary.

I am adding a few comments and clarifying a few points for accuracy. Please forgive the length of this post, but I am hoping to stimulate more discussion and engagement across the group.

I do need to correct the ISO organization and process opening point. 'Companies' cannot 'join' ISO and automatically get onto a Technical Committee. There can be only one National Standards Body (NSB) in any country. These NSBs have different business models. Some are part of Government, others may be NGOs, and a few will be more commercial in nature depending on local conditions. ISO has something like 170 member countries and sets out expectations and obligations of membership, along with a Code of Conduct. NSBs may, and often do, charge for membership, offering either company or individual membership options. Members of NSBs will usually look to join a technical committee that MIRRORS one of the International ISO Technical Committees. NSB mirror committees may choose to nominate individual experts to their equivalent ISO Technical Committee. In most instances, these people are present as Subject Matter Experts (SMEs). At the annual Plenary meetings, the national committee will appoint delegates to attend along with a 'Head of Delegation', usually, but not always, the National Committee Chair. This approach mitigates, but I recognise does not completely eliminate, sector bias. The Risk Management Committee (TC262) has a broad and diverse membership and around 10 'working' groups. We are currently reviewing the membership, which currently stands at 400ish, and will be removing those who have been inactive as per the ISO Directives.

With that out of the way...

The notes provided were really interesting to me, as they rather closely mirrored the findings of a survey of nearly 2000 people last year. This feedback is really important, as we have what is likely to be a significant revision starting this year. We are currently in the NSB balloting window and in October will be discussing how we approach the revision before formally starting the process.

One theme that has struck a significant chord is clarifying what ISO 31000 is! One thing to make clear is that it is NOT a 'how-to' guide to risk. Instead, it provides a framework, along with principles and processes, that are agreed as representing 'good' practice. This does not mean it is perfect or that it is a Gold Standard. I tend to see it as a map and compass that helps organizations develop the best approach for their organization and stakeholders.

I should also point out that ISO 31000 does not sit on its own as a 'risk bible'. Many other ISO Standards detail activities around risk matters in the context of their discipline. A great example of this is ISO 27005, Risk Management for Information Security. In ISO terms risk cuts across all of the vertical sectors, as uncertainty and risk are found in all disciplines. ISO 31000 provides a framework that brings all of these together to give a consistent operational and strategic picture that can work in complex structures and through supply chains for organizations of all types. ISO 31000, though, does not dictate or even expect folks to use 'only' ISO methods and Standards. Almost any system can be incorporated into the framework ISO 31000 provides, including, for example, COSO and regulatory requirements. This is largely due to its focus on clarity on objectives.

As a committee, we have to follow ISO Directives that are agreed across their stakeholder base. This limits the way we present material and how we use certain words and phrases. We have to accommodate translation issues, which should not be underestimated, as well as the reality that the same phrase or term may mean different things in different sectors or disciplines.

I fully accept the points made on improving the clarity of many of the points recorded, and these do map onto the research previously mentioned, reinforcing the message nicely from my perspective.

I do disagree with point 8, though, which says "Any standard needs to be relevant to daily organisational decision making and to be seen to be effective in a fast-moving environment. The current standard is too broad and conceptual to do this". A number of the core principles speak to this very point, and I would expect that developing the real-world capability to do this would be addressed by setting specific objectives that then would affect the design of the system and supporting processes.

Also, remember that ISO does not provide any certification services at all. There are two types of standard, though, equal in status but offering different outcomes. These are described as Type A, which are specifically designed to be the basis of Certification through independent Audit, and Type B Guidance Standards, which tend to be more flexible and adaptive. ISO 31000 is a Type B Standard by design at the moment. To me, this makes sense, as it is a framework that helps organizations manage risk and better ensure the achievement of objectives. Some of these objectives will map onto other Standards, such as the aforementioned IT Risk Management Standard (and verification is available in this Technical Domain) along with many others. ISO 31000 can also be used to ensure regulatory and other forms of compliance, again by aligning the objectives and, for me importantly, not losing the adaptability or agility that firms may need.

My logic is that for Risk Management to work well it needs an intelligent approach, integrity and transparency, along with evidence of effectiveness. It is my personal view that a checklist approach to anything tends to dumb down thinking, limiting action and scrutiny and hence potentially undermining the whole process. My somewhat simplistic view is that it is much better to concentrate on developing strong sea swimming skills and related fitness than having a 50m swimming badge from your local pool. You all know this, especially if you live by the sea ;)

I have to confess that ISO has done a terrible job of explaining how standards work, especially together! I also think that recent developments have not yet become visible enough for much the same reason, and it is one of the drivers in my attempts to reach out to more professionals. For example, did you know that there is a great standard on Legal Risk Management that helps organizations better meet 'silent' risks that may be in contracts and obligations? This works for organizations of all sizes and goes into some detail. It won an award from a leading lawyers' professional body as innovation of the year. We have a Handbook that helps less experienced folks implement ISO 31000 and an SME guide to Risk Management too. There is a standard for Business Travel Risk that has generated a lot of development in a sector where previously nothing really existed and which, in the words of some participants, was nothing more than a wild west sector.

As a closing point on the overarching questions ... we are definitely going to try to build the relevance and value messaging! On the last point, which frankly is the key to it all, Risk Professionals have to wake up and turn up. So many bemoan the state of affairs at the moment but seem to think it is someone else's job to fix it. It isn't; it is all our jobs. I enjoyed the two meetings of the Beyond RM group I have been able to attend so far. I hope you will all be willing to turn up in the coming months and years to create the positive change we need to see. We will never get to perfect, but we can be better if we work together.
