Sunday, March 13, 2011
FAQ 2: Some more questions for the doubters...
Is ISO31000 a good risk management approach for me?
Chances are good that it is. How does a $30 billion organization build an enterprise risk plan that not only works but is also understandable to everyone in the organization? How do you create a risk management framework in a day? It's all here.
Is it just another passing management fad that will be a waste of time?
Total Quality Management (TQM), Six Sigma and many more management theories have all come and gone. Oops, that’s not quite right. Many of them, including TQM, Six Sigma and the Project Management Body of Knowledge (PMBOK), have come and have been so widely accepted that they are simply part of our modern business landscape. Like project management or financial management, risk management is a core skill for every manager today, and it will only become more important as we are challenged to do more and more with less and less.
Will I have to cram more things into my already busy working day?
In this book I’ll show you how to put your finger, almost mystically, on the inadequacies of your organization’s current risk plan within minutes, how to write a risk plan that will actually get funded, and many more time savers. If you need to build a user-friendly, scalable risk management framework, wouldn’t you like to be able to present it in a way that has the rest of your organization thanking you instead of cursing you? Risk management, when done correctly by following a few simple and basic rules, will save you a lot of time.
Is ISO31000 better than the other risk management frameworks?
Strictly speaking, no it’s not. There are, however, many reasons for choosing ISO31000 over other risk management tools. Firstly, it’s an international standard, so it has had a lot of scrutiny and is widely accepted as a robust approach to risk management (note that it is a guidance standard, not one you certify against, so there is no such thing as being "ISO31000 certified"). Secondly, it’s a generic standard, so it can be applied to all types of risk and organizations can compare and prioritize risks from across the organization within one consistent framework. This lets decision makers prioritize risks on an apples-to-apples basis. Thirdly, it has been designed to provide not just a process for risk management but a framework that integrates with other management standards such as ISO9000. And last but not least, should best efforts fail and you have to defend your risk management practices in a court of law or the court of public opinion, it will be much easier to hold up an international standard as your approach than to explain and defend a system you’ve designed from scratch, no matter how good it may be.
Is ISO31000 a process or a framework?
Yes. It’s many things. The process is just one part of ISO31000, but it is often considered the strongest and most distinctive element of the standard. It involves applying logical and systematic methods to help you consider and manage risks. There are many risk management processes already in existence and they all have their respective merits and limitations. The ISO31000 process is arguably as good as any of them, with the additional benefit of being an international standard. That means it’s transportable across borders, consistent in application and easy to argue in support of when defending your processes to managers, investors or (should the worst happen) in a court of law. Very briefly, the process can be summed up as:
• communication and consultation
• establishing the context
• identifying, analyzing and evaluating risks (together, these three steps are the risk assessment)
• treating risks
• monitoring, reviewing and documenting risks and risk treatments
Do I have to be a risk management guru or dedicate my life to risk management in order to be able to use it?
Not at all. This book is for anyone who is sick of analyzing risk management failures after the fact and would like a simple approach to making better decisions. The case studies offered here range from planning a staff picnic to enterprise risk management for multinational corporations. If you're tired of the standard menu of risk management options and prepared to enter a world of plain English risk management that helps you make better use of your resources, this book is for you.
Do I have to implement all of it? I just need to do a risk assessment.
No. You can pick and choose what you need. The objective is to get you started with what you need as quickly as possible and to free up your time for other tasks. If you want to jump straight into a particular section, have a look at the Jumpstart Section for suggestions.
Do I need to be a risk evangelist?
No. Definitely not. Just take what works for you, if and when you need it. The material in here will work whether you are passionate about it or not. It’s just another perspective on business, and fundamentally risk management is about making better decisions faster. That’s it in a nutshell.
Do I need to apply it across the whole organization?
ISO31000 (or any form of risk management) can be applied to the entire organization (that’s called enterprise risk management), or you can simply pick and choose where and how you want to apply it. It can be used in a workgroup, in a project, across a division, or only for specific functions, areas or activities.