In search of something other than Kool-Aid to refresh in the spring warmth in Paris.

I have been reviewing the conference programme for G 31000 in Paris in May and I am a little bemused. ISO 31000 was introduced in 2009. The basic principles have been around since before the original AS/NZS 4360 in 1995, which drew on earlier UK-based work in engineering and risk assessment. I searched on the programme for the slot that discussed ‘evidence that ISO 31000 is effective at improving firms’ management of risk’ but couldn’t find it.
With more than 2 years and 17 years between them, respectively, these two standards should by now have generated a solid body of research on efficacy. At least, there should be evidence of relative strengths and weaknesses; that is, not stories of effective implementations, but evidence that the programmes in place have improved corporate performance by managing effectively the unexpected and potentially catastrophic. On the programme in Paris, I would have expected at least to see ‘Review of evidence on successes and failures in practice and how we can improve the standard’. No, again.
Looking through a downloaded provisional programme, I see one speaker who referred to ISO 31000 as “a guideline, not a standard.” A sensible view, but I note he is no longer appearing as originally advertised. Tim Leech, always balanced, remains, but where are the voices of criticism or of doubt? Where is the objectivity?
Risk management is not a religion. It is a management art. We need to treat it with the skepticism and dispassionate enquiry that we apply to any developing area of human knowledge. Fundamental to that is the presentation of efficacy. Not the presumption of efficacy or reasoning that it should be effective; not the evidence that you can implement it easily, but that it works sustainably in practice at its stated objectives. Where is the critical evidence that ISO 31000 actually works? Not in Paris in May, it would seem. Expect the odd “Hallelujah!” from the benches.
Rather than disciples picking their corners – ISO or COSO or AS/NZS as was or whatever – we need systematic enquiry from both the academic and practitioner communities jointly and severally about what works. ISO 31000 has flaws and some pretty fundamental ones. There, I’ve said it. There is little or no evidence available that it is effective in practice (which may not mean that it is not).
What we need is a more realistic and naturalistic approach that rejects lazy presumptions like the need for a common language that is within the control of the guardians of risk semantics. Or ideas like risk = probability x impact. Or risk matrices at all. Or that we can create an ‘effective risk culture’ or that there even is such a thing. We need more thought, a greater recognition of the value of reflection and more humility about our ability to understand culture or predict the future or to prepare meaningful reductionist models of reality. A conference looking at how to do these things would be worth attending. If I want religion, I’ll go to church.