Are the updated ISO and COSO Risk Management guides actually offering anything new, or are they merely perpetuating outdated thinking?


Bureaucracy that goes unchallenged lives forever! Here is an oldie but a goodie: an engineering design tale which demonstrates the influence of legacy-driven thinking on modern innovation:
The modern-day Space Shuttle is arguably the most sophisticated and innovative piece of transport hardware mankind has ever produced. It is an engineering marvel which has allowed humans to travel into space (and back again) more than 130 times since 1981. The Shuttle has a very specific and distinctive design: it is in fact designed not just to carry massive payloads into space, but also to be compatible with the three detachable rocket boosters which help the craft to launch through the atmosphere.
These three fuel boosters play an important role in the Space Shuttle's historical success. They are re-usable fuel pods, which meant that at the time of design the cost of a launch could be brought down dramatically, thereby allowing for more frequent launches and, of course, for a career legacy spanning more than 30 years.
When these boosters were first designed in the mid-1970s, the only way to get them from their manufacturing factory to the Space Shuttle assembly site was to transport them by rail. Thus the rocket boosters themselves were designed to be compatible with the commercial trains that would transport them. In this regard, the modern US rail network consists of commercial train tracks with a gauge width of 4 feet, 8 inches. In light of this, the rocket booster parts had to be designed to fit on a commercial goods train that runs on a gauge of 4 feet, 8 inches - any wider and the rocket boosters would be too fat to fit on the train, and any thinner and they would be too long.

The North American rail network operates on a 4 feet, 8 inches gauge because its earliest rail network designers were imported from Europe, and this is the same track specification as the European rail networks. The European rail network used a gauge of 4 feet, 8 inches because this was the same dimension as the axle of the typical horse-drawn cart when the first coal-fired steam train carriages started replacing horse-pulled carts (mid-1700s).
At the time it made sense to design train carriages to the same axle width as a horse-drawn cart, because horse carts were the primary method for transporting goods anywhere and everywhere, and so all existing manufacturing, loading and logistics were designed to accommodate the dimensions of the average horse-drawn cart. Also of benefit was the fact that if a steam train broke down, each train carriage could then be easily coupled to a cart horse and the journey completed.
Horse carts are of course pulled by cart horses - thus the primary design requirement for a horse-drawn cart is that it be designed to suit the dimensions of a cart horse’s flank (i.e. its rear end). From this design analysis we can deduce the following learnings:
  • The Space Shuttle's design specifications (however modern) were ultimately derived from the dimensions of a cart horse’s rear end
  • Never underestimate the influence that outdated legacy issues have on modern innovation and design
  • Bureaucracy that goes unchallenged lives forever! So never be afraid to ask: “Why are we still required to do it this way?” – the answer may frighten you!

Why are we still required to manage risk this way?

The year 2018 is shaping up to be a big year for the industry-accepted risk management methods. During the course of this year we should expect to see new, updated versions of the ISO 31000, COSO and PMBoK Risk Management guides take flight across industry. All three of these methodologies are industry-accepted leaders in their respective fields of Enterprise Risk, Internal Control and Project Risk Management. Although the new PMBoK risk guide is still in development, the ISO and COSO guides have been published and both have made claims in their marketing materials to offer new thinking that is "game changing" and/or "ground breaking".


As much as I advocate for continuous improvement and congratulate the ISO and COSO governing bodies for updating their advocated risk methodologies, upon review I’m not convinced that those methodologies have changed in the manner in which change was actually required. At face value neither appears to be offering anything radically different; rather, both appear to be offering exactly what they did in the past, but in a shinier, slicker manner. This is most concerning when one considers just how radically our working world has changed over the past decade; in my opinion we need radical changes (not subtle changes) to many existing management control methods, risk included.
My particular concern with these new guidelines is that, despite their recent improvements, they are still perpetuating an outdated legacy train of risk thinking and in so doing have not met the needs of the modern age. Just as the Space Shuttle's highly advanced design is still constrained by a dependence on the historical dimensions of a cart horse’s flank, I feel the most current versions of ISO, COSO and PMBoK are still constrained by the risk management community's over-endorsement of risk methods designed primarily to control only foreseeable risks. That is, those risks which are known, obvious and predictable.
Consider how, despite their supposed differences, most industry-accepted risk management standards are highly comparable and offer the same basic approach to controlling risks. In fact, when reduced to their simplest form, ISO, COSO and PMBoK offer the exact same three-step approach, namely:

  • identify the risk (predict/forecast);
  • quantify the risk (assess/measure);
  • control the risk (plan/treat/mitigate).

So why is it that all three of these leading global methodologies offer exactly the same approach to risk management? Well, it probably has something to do with how risk management better practice was allowed to emerge from historical need.

The origins of modern-day risk management

Risk management was born as a means to manage uncertainty. Throughout history mankind has always put its fate in the ‘hands of the Gods’ whenever exposed to highly uncertain activities such as the weather, battle, disease, trade, travel, gambling and the like. Risk management thus emerged from history as a means to beat the whim of the Gods by improving the probability of securing a favourable outcome in uncertain situations.
It was believed that through the proactive and rigorous assessment of a particular situation (a looming battle for example) one could potentially predict and therefore plan for all possible outcomes. In so doing one could then mitigate or even control the impacts associated with any particular outcome. 

Modern day risk management thus has its roots in probability theory and as a result endorses methods whose primary goal is to identify and quantify specific risk scenarios so that their probability of occurrence may be proactively mitigated. For this reason most forms of modern day risk management still advocate the basic three step process of identify, measure and treat risks. 
The challenge for modern-day risk management, however, is that this simple, static three-step approach does not meet the requirements and challenges of the modern working world. That is, modern-day risk management still operates on the fundamental design assumption that all risk scenarios are foreseeable and all possible risk outcomes can be planned for. But in the year 2018, is this design assumption still true?

But our working world has changed

Our working world has changed dramatically over the past decade. The rapid rise of personal technology, real-time information sharing, social networking and disruptive thinking has created a working world which is more connected, informed, responsive and volatile than at any other time in history.
Yet despite these noticeable evolutions in our working world, our industry-accepted risk management methodologies do not appear to have evolved in the same way so as to meet the needs of a more connected, complex and disruptive working world. In fact our industry-accepted "brand name" risk methodologies still seem to be advocating the same old risk management messages of yesteryear. Because of this perception, a noticeable number of risk theorists and academics (myself included) have started focusing their research attention on three areas of particular interest, in light of their respective influence and relevance to modern-day risk management requirements.
These three areas of risk interest appear to be monumentally material to the risk management needs of the modern working world, and unfortunately they also appear to be areas of risk interest which are insufficiently addressed by the globally accepted risk guidelines such as ISO, COSO and PMBoK. These three areas of risk interest include:

Unpredictability

Unpredictability is a state of advanced uncertainty, and is a concept which is becoming more and more synonymous with the characteristics of our modern working world. Although most accepted risk management methodologies do offer guidance on how to control the impacts of uncertainty, they still do not seem to acknowledge that the very existence of uncertainty means that not all can be proactively known or foreseen, and therefore some material risks will be inherently unpredictable. In turn, most risk management methodologies do not provide sufficient guidance on how to plan for and control risks which are simply unforeseeable, e.g. Unknown-Unknowns, Rogue Waves, Black Swans, Shocks, Crises, Disasters, Chaos etc.
The identify, measure & treat risk method is clearly not suited to controlling unpredictable risks, especially those that leap out of environments of high uncertainty. Unpredictability thus remains a material gap in the ISO, COSO and PMBoK advocated approaches, as the modern working world does not always retain more knowns than unknowns, nor more certainty than uncertainty. For this reason modern-day risk management guides need to start providing guidance on how to control risks in highly uncertain/unpredictable environments, such as an entrepreneurial business start-up, sending a human to Mars, leading an armed forces unit into battle, starting a new operation in a foreign country, investing in crypto-currency and the like. Also, today's risk managers are now facing unlimited volumes of data, transactions and challenges spread across an unlimited number of global landscapes, making it almost impossible to foresee what is going to happen next. Most conventional risk management methodologies do not appear to have caught on to this unjust expectation and still endorse methods which encourage practising risk officers to proactively identify, measure and treat all material risk scenarios - as if that were actually still possible in a modern organisation operating on a global scale. Expecting modern-day risk managers to predict and account for all possible outcomes (when, where, how) is now a completely unreasonable expectation.
If our working world is becoming more and more disruptive and unpredictable due to a never-ending increase in global upswells, shocks and stresses, shouldn't the "modern" risk management methodologies be teaching us how to deal with the impacts of such increased unpredictability? Not providing guidance on how to better manage unpredictability appears to me to be a major oversight for two risk management guidelines which claim to be "new generation" and suited to the needs of the modern working world.

Complexity

Complexity is another concept which is becoming an increasingly referenced phenomenon within modern organisations. As our working world continues to get more and more systemically interconnected and co-dependent, the ability to both understand and control complexity will play an even greater role in the ultimate success or failure of modern organisations. Complexity implies a very specific state of existence: a state ruled by emergence and dynamism rather than consistency and stability. A genuinely complex organisation is subject to risks which are highly energised, dynamic, erratic and systemically impactful.
So, how do ISO, COSO and PMBoK expect their followers to control risks in environments of escalated complexity - for example: a stock market, an economic crash, a mega project, political unrest, social shocks, war, riots, epidemics, disaster zones and the like? More to the point, how do ISO, COSO and PMBoK expect their followers to control risk within highly energised and interconnected environments which are continually adapting in response to the sudden situational swells, shifts and shocks which emerge in real time?
Such chaotic environments are in fact becoming more frequent in the modern working world, so the need to better understand how to control such advanced complexity appears to be another gap within the current risk methods. More specifically, ISO, COSO and PMBoK appear to endorse control methods which assume all material risks are stable, rational and predictable, whereas in reality modern risks are more likely to be highly energised, dynamic and chaotic. As any person who has studied the basic principles of complexity science will tell you: "You cannot solve complex problems with simple solutions."

Complexity science teaches us that organisations can exist in various states of complexity, and as complexity increases (from simple, to complicated, to complex, all the way through to chaotic) the organisation's exposure to risk will also increase, primarily in the form of an increased emergence of unwanted system behaviours (threats). More importantly, however, as systemic complexity increases, situational rationality, consistency and predictability decrease, thereby impairing the conventional, process-based risk management methods.
What this all means for risk management specifically is that appointed officers can no longer adopt a static, "one size fits all" approach to risk management - risk management solutions need to be significantly more intelligent, responsive and adaptive than the "one size fits all" approaches being endorsed by most conventional risk methods.

Situational complexity is known to have a major role in determining how risks will emerge and manifest from within an organisation. So if our modern working world is becoming more and more systemically interconnected, co-dependent and complex, and if advanced complexity requires new rules of management, then shouldn't our "new generation" risk management methodologies be teaching us how to control the influences of such advanced complexity? To ignore systemic complexity (as well as its influences) when attempting to control organisation-wide risk is surely a fatal flaw, because by reducing areas of escalated complexity appointed risk officers are in fact reducing the potential for unwanted system behaviours (risks) to emerge.

Resilience

Resilience is the ability of an entity to prepare for, absorb and respond to sudden changes. It is yet another term which is growing increasingly more material in modern-day risk management. Considering how we live in the most disruptive age in human history, there is now more than ever a need for modern organisations to start building an internal resilience to the situational upswells, shocks and tremors which can emerge at any time. Resilient organisations are those which can prepare for, withstand and recover rapidly from disruptions - including market swings, consumer shifts, competitor advances, political shocks, accidents, disasters and even deliberate attacks.
In the past 5 years alone, the world has seen globally emergent shock forces such as the Global Natural Resources Depression, BREXIT, TRUMP, Crypto Currency, Social Engineering and Cyber Security play major havoc on global operations, markets and business as usual. Even today it is not entirely clear how any of these are going to impact the modern working world, and for this reason organisations need to prepare themselves for a state of "anything can happen". In this regard, it has become practically impossible to predict what will happen next in our working world, nor is it possible to determine all the possible outcomes across all the possible landscapes. For this reason, modern-day organisations need to put less faith in their ability to proactively identify and measure (aka predict) high-impact risks and start placing more focus on building an internal resilience to "whatever this way comes".

Of the three mentioned risk methodologies, COSO appears to be leading in the organisational resilience space by endorsing methods which are aimed at improving internal control and strategic decision making, which in itself is a form of resilience. ISO and PMBoK, in my opinion, are still too outwardly focused in their risk management methods and still largely endorse methods aimed at predicting emergent risks.
The way the world is heading, I wouldn't be surprised if, in the next decade, some global governing body developed a guide or standard for achieving organisational resilience, very much in the same vein as the ISO and COSO risk guides. I also wouldn't be surprised if, within the decade after that, this "Global Resilience Guide" overtook ISO 31000 as the globally accepted risk management standard.

So what?

Our working world is not getting any simpler or any more certain; there is now more dynamism, irrationality and volatility in our working world than ever before. For this reason, I believe the two biggest risk management challenges that modern organisations currently face are those of increased Global Unpredictability and increased Global Complexity, and that the best method for controlling risks within the modern era is not to attempt to predict risks (aka identify, measure and treat) but rather to build up an organisation's internal Resilience.

This statement is not without evidence: for the past 3 years the World Economic Forum's annual Global Risk Reports have strongly advocated the need for organisations to start adopting resilient risk management strategies designed to address the heightened displays of Unpredictability and Complexity being experienced by the modern working world. A number of papers on the topic were submitted and provided by the WEF at their 2018 conference (see link below), and significantly more industry literature is now available on the influence of Unpredictability, Complexity and Resilience on modern-day risk management.
It is therefore surprising to me that ISO and COSO have not heeded the call to provide any direct guidance on how organisations might in fact achieve these risk management requirements in a practical manner - there is still hope for PMBoK, but only time will tell. I do acknowledge that both ISO and COSO have worked hard at improving their guidance on risk management, and that in itself is a win for the invested community, but "Game Changers" they are not. In my humble opinion COSO seems to be more of a front-runner in meeting the risk management needs of the modern working world, but it still has some noticeable gaps.
I struggle to see how either will radically advance our working world's control of complex, unpredictable risks or radically improve organisational resilience. The newer versions of the ISO and COSO risk management guides, as well as the existing version of PMBoK, still appear to be perpetuating that outdated risk thinking which assumes all material risks are obvious enough to be foreseen and that our working world is simple and stable enough to retain more certainty than uncertainty.

We know, however, that this is no longer true, and therefore static, step-by-step, one-size-fits-all, process-driven methods of risk management can no longer consistently succeed in the modern world. In this regard, I genuinely believe there will come a future tipping point whereby the practising risk management community will come to the realisation that our working world is far too expansive, fluid and data-saturated to consistently identify, measure and treat all the material risks with any degree of measurable success. It is at this point that the incumbent risk management community will shift its efforts from "predicting risks" to becoming "resilient to risk".
Risk management in the modern era is not about finding new and innovative ways to predict risks, but rather finding new and innovative ways to build in an organisation-wide resilience to risk.

In conclusion, I appreciate how ISO and COSO have updated their risk guidelines, but continue to worry that these globally accepted risk methodologies are still tied to outdated, legacy-driven risk thinking - very much in the same vein as how the modern-day Space Shuttle's new-age, innovative, futurist design is still heavily constrained by the historical dimensions of a cart horse’s flank.

Warren Black
I am an Engineer, Risk Professional and Complex Systems Thinker who has a particular interest in understanding how the complexity sciences may offer a better means of controlling emergent risks within highly complex operating environments.

I currently consult on how to improve organisational Governance, Risk & Assurance practices so that they may reflect not only the degree of investment at risk, but also the specific environmental complexities in play. I believe that over the past decade in particular, I have accrued deep expertise in my chosen subject matter as evidenced by the fact that I was the head of Program-wide Risk for BG QCLNG and have held Senior Project Risk & Business Advisory roles at both Deloitte and Marsh & McLennan Risk Advisory Practices. 
I am also arguably one of only a handful of Risk Professionals who has built a full end-to-end risk management & reporting framework for an organisation of over $25 billion (BG QCLNG). At its peak this was the 8th largest project in the world and is hence a significant indicator of my capability.

As a practising complexity & risk specialist, I have worked within two of the world’s largest mining project hubs (BHPB and Rio Tinto), three of the Queensland mega LNG projects (GLNG, APLNG, QCLNG), Australia's largest construction company (Leighton’s/CIMIC), The State of NSW's largest Infrastructure PMO (I&P PMO), Victoria's Largest Rail PMO (VicTrack), Brisbane's largest city Rail Project (Cross River Rail) and the largest publicly funded civil & infrastructure PMO in Queensland (Brisbane City Infrastructure).

Also, as a demonstration of my commitment to my art, I am currently engaged in a PhD by Research whereby I am "Investigating a Complex Systems Approach to Complex Project Risk Management". I believe that the complexity sciences provide a new-generation lens through which to help risk management transition into a future world of complex working relationships and perpetual disruption.
