I first came across ISO31000 in 1999. Or more correctly I should say that I came across it’s predecessor, AS/NZS4360:1999 Risk Management Standard. I was working in security risk management at the time and consulting to a company that had just adopted AS4360 as their risk management process. I was asked to do a security risk assessment for my clients hydrocarbon production facility in accordance with 4360. That seemed like a reasonable enough idea but frankly, I was skeptical that one risk standard could work for all types of risk. Surely I thought, risk management for financial portfolios is different to risk management for security issues is different to engineering, project management, safety and health, etc? So many uniquely different types of risk management for each specialized field – how can they all be addressed by one very short standard.
But do it we did, and in the process I became a convert to the process that is now enshrined in ISO31000. Before I sing the praises of the standard, lets go back to basics for a moment and answer the question of why do we even need a standard? Surely there are any number of ways to do risk management. Yes. There are. And that’s why we need a standard. So that organizations have a consistent approach that enables ‘apples for apples’ comparison when assessing which risks and which divisions need the most resources. Equally to provide a consistent approach that individuals, once skilled in that single approach can hit the ground running and quickly adapt it to any organization or circumstance they find themselves in.
To be fair, if you’re anything like me, you probably find standards pretty dry reading. ISO31000 is no exception to that fine principle. That’s not a criticism of the standard but simply reflects the reality of building a generic standard that will work for any organization. For very good reasons, it is deliberately generic and this is one of its strengths – and one of its weaknesses.
Here are some of the most common doubts that people have before engaging with risk management and indeed some of the questions you may be considering while you decide if this book is for you.
Why invest in risk management?
At it’s simplest; risk management is about making better decisions faster. There are any number of models and systems promoted by management consultants and the like, which seem to determined to make risk management into some sort of self-licking ice-cream. The goal of risk management isn’t risk management per se, but to support organizational (or indeed individual) objectives. Good risk management practices can help you to optimize the application of finite resources to achieve objectives.
ISO31000 has a longish list of ‘why apply risk management’ in it’s introduction which I don’t propose to repeat here. If you asked me however to sum up the objectives and benefits of risk management, these are the key points I would address:
- Better information for decision making
- Improved service delivery, reporting systems, outcomes and accountability
- Optimization of limited resources
- Protect the organizations people & assets
- Provide stakeholder confidence
- Opportunity realization
The ‘last but not least’ on this list is one area that is often overlooked. Risks can have benefits as well as costs and the same processes that can avert misfortune can bring good fortune.