 | |
| Is ISO 31000 now obsolete? In the current era of advanced complexity and severe unpredictability? |
Riddle me this We live in a world that is evolving faster than most of us can keep up. Just as we get a handle on one concept it evolves into something completely new and we have to embrace the learning curve all over again. In the past three decades (in particular) our world has become increasingly more technology driven and in turn it has also become more dynamic, highly complex and most noticeably; severely unpredictable.
We now live in a world whereby the only constant is change and everything (yes everything) becomes obsolete eventually. This in turn begs the fairly reasonable question; in a world defined by its' advanced complexity and severe unpredictability, has a risk management standard which encourages its practicing officers to predict risks, become obsolete?
"Obsolete" - to be less developed than the most current requirements
Download Also:
With noble intentions all things begin
ISO 31000 was established in 2009 by the International Organization for Standardization (ISO), so as to bring consistency to global risk management understanding and practice. Since 2009, it has become globally acknowledged as the "international risk management standard". "ISO 31000 was published as a standard on 13 November 2009, and provides a standard on the implementation of risk management"
Since this time, numerous organisations, institutions and comparable governing bodies have adopted ISO 31000:2009 as the basis upon which they endeavour to control their material risks. As a result, almost all "better practice" risk management frameworks, risk functions, risk management plans and practicing risk officers are now expected to demonstrate a sound understanding of the ISO 31000 risk management approach.
But ISO 31000 has now come under review
ISO 31000 started out with the noble intention of helping organisations and their practicing risk officers to better control material risks, but after a seven year track record ISO 31000 is now both literally and figuratively; under review. The literal review: ISO standards come up for revision every five years and in March 2015 an ISO working group assembled in Paris with the intention of identifying those areas of ISO 31000 which require further development. A revised standard is expected in the latter half of 2016 (watch this space) and although it has not yet been confirmed what amendments will be incurred; it is understood that most of the amendments will be designed to improve the internal terminology as well as the in-principal guidance offered by the Standard.
The figurative review: As part of my own Higher Degree in Research into "controlling risk in complex project environments" I have been involved in an extensive literature review of all the current academic arguments and published literature in the field of "complex project risk management". After 18 months I can confidentially state that there is an abundance of published literature available, both advocating and questioning the merits of the conventional risk management approach, such as that endorsed by ISO 31000. Although I don't claim to have reviewed every piece of available literature on this topic, it is evident to me that there are noticeably more published academics and industry practitioners questioning the effectiveness of the ISO 31000 risk management approach than those endorsing it (not unusual in the academic world).
Regardless, what is clear is that the invested risk community have spent the last seven years testing the ISO 31000 approach and a noticeable seed of doubt has emerged as to its' effectiveness and suitability in the modern context. Numerous literature sources now exist which suggest that ISO 31000:2009 is actually obsolete as it does not suit the current environmental requirements. As an indicative demonstration, I offer the following observations on the matter - gained during my own 18 month literature review journey;
Observation #1: In God We Trust
but all others must bring data! So what actually qualifies ISO 31000 to be considered as the "International Standard" in risk management? To be designated as the International Standard implies some form of absolute, empirically tested and scientifically validated law of nature is in place? This is not necessarily true. To date there still appears to be no universally accepted data demonstrating that the ISO 31000:2009 approach actually works in improving an organisation's exposure to material risk. Hence to title it as "the Standard" has become a contentious issue amongst some of the purists.
"An observation without supporting data, is merely an opinion" - W.E. Deming In fairness, a large number of accepted studies do exist which show a correlation in the improvement of general risk proactivity, accountability and awareness in those organisations which have adopted ISO 31000 but in almost all cases it could be argued that this measurable improvement was actually an outcome of changes in the organisation's broader attitude towards risk management. That is, in almost all cases it was observed that ISO 31000 was merely one of a diverse range of risk initiatives adopted by the organisational leadership and its stakeholders, thus to single ISO 31000 as the sole saviour is perhaps no more than optimism bias.
Also, if ISO 31000 is indeed "best practice" then why have the rates at which corporates (and large-complex projects) continue to fail not improved? Consider that in the past 3 years since the global commodities depression of 2014, organisational failure rates in the natural resources, infrastructure and engineering sectors (as well as all their related service industries) have increased significantly with trillions of dollars in shareholder value being lost as well as millions of jobs being dissolved globally.
Case in point: by the end of the 2016 financial year almost all of the major, globally listed mining, oil and gas companies were reporting significant losses in shareholder value, FTE employment and growth capital spend. In turn, many natural resource dependent economies globally are now in recession. In many cases (if not all), ISO 31000 was the predominant industry risk standard adopted by these publicly traded organisations; so how had ISO 31000 helped them in this regard? Can a risk management methodology which has had no measurable effect on improving industry failure rates be considered a "standard"? "If the ultimate goal is to improve the control of risk to objectives, but the industry failure rates are not improving, then doesn't ISO 31000 need further development?"
Observation #2: The Uncertainty Paradox
ISO 31000 defines risk as; “the effect of uncertainty on objectives”, yet ISO in its current form is not designed to address uncertainty. If anything, the current ISO 31000 risk control approach is actually highly dependent on certainty and this makes it problematic in such an uncertain world. Consider that ISO 31000 encourages its practicing officers to control risk in a linear step-by-step approach whereby they should first establish the context, then identify the potential risks, then assess these identified risks and then adopt suitable control solutions per assessed material risk. In brief, ISO 31000 advocates for a systematic "predict & process" approach to risk control which has now become fairly common across industry.
Now this approach in itself is not an issue, what is an issue however is that such an approach relies heavily on the surrounding environment being predictable, linear and rational (i.e. certain), after all how else can one effectively identify, quantify & control sufficient numbers of material risks in a step-by-step manner? Unfortunately, modern day operating environments are far more likely to be dynamic, deviant and irrational (i.e. uncertain) and therefore it is questionable what value a systematically linear "predict & process" approach offers in highly dynamic and uncertain operating environments. Also, ISO 31000 in its current form neither acknowledges nor offers any insight into how organisations might better control those risks which are simply unpredictable. The existence of "Black Swans",
"Wicked Risks", "Unknown-Unknowns", "Rogue Waves", "Complex-Uncertainties" and the like, has long been acknowledged by both industry and academia but not yet by ISO 31000. ISO 31000 still appears to advocate for a risk control method which assumes all material risks are identifiable and measurable - but what happens when they are not, what should organisations do then? In summary, the very presence of uncertainty requires an acknowledgement that not all risks can be known (nor predicted), and if not all risks can be known then should ISO 31000 continue to advocate for a risk control methodology which requires its practicing risk officers to first identify risks in order to then control them? Surely attempting to proactively identify (aka predict/forecast) risks is completely contradictory to the very definition of uncertainty?
"The very nature of uncertainty implies that not all risks can be known, thus attempting to predict material risks is a particularly vulnerable method of control" Cited Literature Review References: there are a broad range of available academics and authors writing on the "Uncertainty Paradox" but perhaps the most seminal include; Olga Perminova / DeMeyer, Loch & Pich / Chapman & Ward and if you really want to go old school look up John Maynard Keynes (1921)
Observation #3: The rise of Complexity
As discussed previously, ISO 31000 defines risk as; “the effect of uncertainty on objectives” and most of the reviewed literature appears to support this premise. However many of the more current publications appear to take this relationship a step further and advocate that Risk is an outcome of not just Uncertainty but Complexity as well. The rise of Complexity as a driver of risk is not necessarily a new generation ideal but it does appear to have gained significant momentum in the published works, over the past decade in particular.
Presumably this is in response to the increasing industry challenges which appear to be arising due to our operating markets having become highly complex and severely unpredictable in the technology driven age. More and more global risk exposures are being attributed to complexity and as a result both industry and academia now wish to better understand the relationship and its associated phenomena.
Consider the following indicative graph which demonstrates the relationship between risk, complexity and uncertainty. The more complex the operating environment and the more inherent unknowns that exist within - then the more risky the circumstances become;
Many of the observed authors in this space appear to agree that modern day risk management techniques are not suited to address the specific needs of highly complex environments. The general view is that most practising control standards (e.g. ISO) cater for a median level of complexity and tend to offer a foundation view of their topic which is designed to meet the mental capacity of the learning practitioner. As a result the industry accepted standards and methodologies fail to demonstrate the specific requirements that come into play when complexity increases beyond the median.
In fact a new generation of complex risk thinkers appears to be emerging (a sub class if you will) which advocate that the manner in which risk is to be controlled in complex environments is noticeably different from the risk practices being advocated by the conventional industry standards. Complexity breeds all sorts of unique and interesting phenomena which simply cannot be covered by a "one size fits all" or a systematic "step by step" approach to risk management (such as that offered by ISO 31000).
Furthermore, one of the signature traits of advanced complexity is the accompanying levels of unpredictability. Hence this new generation of complex risk thinkers advocate that risk management models based on prediction instead of maturity, agility, resilience and adaptation are no longer suited to today's complex challenges. Attempting to predict risks should not be the only way to confront threats - maturing controls, developing resilience, integrating effort and learning how to address the unknown should all have an equal standing in the new era of "complex risk management".
"Risk management models based on prediction instead of maturity, agility, resilience and adaptation are no longer suited to today's complex challenges" Also of interest is that many of the reviewed authors advocate for an industry call to arms whereby governing bodies, invested organisations and practicing risk practitioners need to start recognising and catering for the unique needs of highly complex operating environments. That is, a need exists to start enabling the next generation of advanced, complex risk officers. Already the governing bodies in other comparable industries such as Project Management, Safety and Quality Control are starting to generate and publish advanced methodologies that cater to the specific needs of their most complex applications.
In light of this new age of complexity, as well as the early rise of complex risk management practices, shouldn’t the governing body which oversees the International Risk Management Standard follow suit, particularly in light of the fact that those organisations which require the most rigid risk solutions are often those that are the most complex? Cited Literature Review References: there are a broad range of published writers on the theme of "Complex Risk Management" but perhaps the most seminal include; Nassim Taleb / Ortwinn Renn / Peter Bernstein / General Stanley McChrystal / Bent Flyvbjerg / Daniel Kahneman / Lyneis, Coopera & Elsa / Rittel & Webber / DeMeyer, Loch & Pich
Observation #4: The small matter of Critical Dependencies
Over the past seven years ISO 31000 has gained significant traction across almost all industries and should be commended for bringing a higher level of global consistency to the art of risk management. Unfortunately, the 2009 version of ISO 31000 appears to have created an industry-wide perception that total, enterprise-wide risk control can be achieved by adopting no more than a pro-active risk identification process supported by a risk register and a heat map.
That is, when applied in a compliant manner; the ISO 31000 risk identification process (by itself) provides an enterprise-wide risk solution. This is simply not true. Much of the current criticism of ISO 31000:2009 appears to be centered around a (perceived) lack of acknowledgement by ISO of many of the other critical risk controls which contribute in one way or another to establishing a fully integrated and enterprise-wide risk management solution. These other critical risk controls may include;
- The need to establish an effective decision making framework to provide oversight of all matters of entity-wide performance & risk (governance)
- The need to manage risk within clearly defined and investor approved tolerances (appetite)
- The need to proactively mitigate risks through robust upfront planning and design philosophies (planning)
- The need to enable effective control systems to manage performance as well as proactively identify, quantify & control emerging risks (systems)
- The need to independently mature, test and validate critical risk controls (assurance)
- The need to embed a positive and entity-wide culture which promotes both greater accountability and awareness for risk (risk culture)
Each of the six risk controls outlined above are supported by a significant amount of industry literature demonstrating their individual contribution to achieving risk management effectiveness. In many cases comparable risk management industries have emerged e.g. Safety-in-Design, Insurable Risk Bearing Capacity (Actuarial Science) and Occupational Health & Safety. These comparable risk industries are also observed as having conducted extensive research into the effectiveness of their particular area of risk control and in turn have published extensive case evidence and supporting data validating their particular control's effectiveness in mitigating risk.
In light of all these other industry validated risk controls, some of the invested researchers have argued that that the absence of any of these individual risk controls yields an exponential reduction in total organisational risk effectiveness as they are all "critically dependent" on each other. That is; no one risk control can achieve an independent state of effectiveness without the inter-dependent support from the other controls. As a result of these observations, the new generation of complex risk thinkers advocate firmly for a holistic, integrated and enterprise-wide approach to risk management that considers all the control criteria required to enable a total risk solution.
The current version of ISO 31000 however offers very little insight as to the other critical dependencies that exist when attempting to establishing a fully integrated and enterprise-wide risk solution (e.g. governance, culture, assurance etc.) and in so doing, sub-consciously promotes the flawed perception that an enterprise-wide risk management plan should consist of no more than a risk identification process supported by a risk register and a heat map. Cited Literature Review References: there are a broad range of publications outlining the perceived limitations of the conventional risk process approach, perhaps the most entertaining include; Nassim Taleb / Peter Bernstein / General Stanley McChrystal / Daniel Kahneman / Chapman & Ward
So what?
Despite ISO 31000's success in bringing global uniformity and better definition to the art of risk management over the past 7 years, the current version appears to advocate for a control method which assumes all material risks are proactively identifiable and measurable - but they are not. As environmental complexity and uncertainty increases; predictability decreases and so too the ability to proactively identify and measure material risks. With this in mind, industry needs to either become more aware of the potential limitations of ISO 31000:2009 or equally the Standard itself needs to be upgraded so as to better address the unique influences which complexity, uncertainty and dependency have on the art of risk management.
Related Topics:
- Risk Management-The What-Why-and How
- Why is Project Risk Management Important?
- What are the five steps in risk management process?
About:
I am an Engineer, Risk Professional and Complex Systems’ Thinker who has particular interest in understanding how the complexity sciences may offer a better means to controlling emergent risks within highly complex, operating environments. I currently consult on how to improve organisational Governance, Risk & Assurance practices so that they may reflect not only the degree of investment at risk, but also the specific environmental complexities in play. I believe that over the past decade in particular,
I have accrued deep expertise in my chosen subject matter as evidenced by the fact that I was the head of Program-wide Risk for BG QCLNG and have held Senior Project Risk & Business Advisory roles at both Deloitte and Marsh & McLennan Risk Advisory Practices. I am also arguably one of only a handful a Risk Professionals who has built a full end-to-end risk management & reporting framework for an organisation of over $25 billion (BG QCLNG). At its peak this was the 8th largest project in the world and is hence a significant indicator of my capability. As a practising complexity & risk specialist, I have worked within two of the world’s largest mining project hubs (BHPB and Rio Tinto),
three of the Queensland mega LNG projects (GLNG, APLNG, QCLNG), Australia's largest construction company (Leighton’s/CIMIC), The State of NSW's largest Infrastructure PMO (I&P PMO), Victoria's Largest Rail PMO (VicTrack), Brisbane's largest city Rail Project (Cross River Rail) and the largest publicly funded civil & infrastructure PMO in Queensland (Brisbane City Infrastructure). Also, as a demonstration of my commitment to my art; I am currently engaged in a PHD by Research whereby I am "Investigating a Complex Systems Approach to Complex Project Risk Management". I believe that the complexity sciences provide a new generation lens upon which to help risk management transition into a future world of complex working relationships and perpetual disruption.
Post a Comment