Much advice is proffered in cyberspace about how to manage risk: at the time of writing, tapping “risk management” into Google yielded 72 million hits. Do you sometimes (frequently?) on reading risk management guidance get to the end without a clue as to what the guide expects you, the risk manager, to actually do?
I am currently having this problem with ISO 31000 – Risk management — Principles and Guidelines. The International Standards Organization published these guidelines in 2009 and with them appears to aspire to global leadership, if not domination, of the risk management industry. According to Kevin Knight, leader of the group that produced the document, it is comprehensive and global in reach – it “provides principles and practical guidance to the risk management process” and it applies to everyone everywhere – it is “applicable to all organizations, regardless of type, size, activities and location and should apply to all types of risk.”
A game anyone can play
I have now read it many times and still do not know what is expected of me. And I think I have worked out why. It repeatedly tells me to do what is “appropriate”: it tells me that my involvement with stakeholders should be “appropriate and timely”; that I should consider “the most appropriate ways to communicate with [stakeholders]”; that I “should allocate appropriate resources for risk management”; and that I should “communicate and consult with stakeholders to ensure that [my] risk management framework remains appropriate.” The guidance to do the “appropriate” thing appears 34 times in 26 pages.
What is “appropriate”? Those deploying the word appear to assume that all readers will share its meaning. But anyone plugged into discussions about the influence of disparate cultural perceptions of risk will appreciate that this is a facile assumption. All these “appropriates” are Rorschach inkblots. The famous Rorschach test is known as a projective test. Subjects are shown ambiguous stimuli (inkblots) and asked to say what they see. Although psychologists have failed to reach a consensus on the interpretation of the answers, it is clear that different people project very different meanings onto ambiguous stimuli.
“Appropriate” is not the only inkblot in ISO 31000. There are 33 “effectives” (“this International Standard establishes a number of principles that need to be satisfied to make risk management effective.”); 13 “culture/culturals” (“Risk management takes human and cultural factors into account.”); 9 “relevants” (I should ensure that “risk management remains relevant and up-to-date”); 8 “comprehensives” (I need “to generate a comprehensive list of risks”); plus 4 “acceptables” and 4 “tolerables”.
Using this (incomplete) list of inkblots I divide 105 inkblots by 26 pages and award ISO 31000 an inkblot score of 4.03. It is a game that anyone can play and I offer it as a way of quantifying the sense of vague dissatisfaction generated by so much of the current risk management literature.
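The inkblot game lends itself to automation, and the same counting is useful for auditing one's own security policies for unmeasurable wording. The script below is an added example, not part of the essay: it counts the essay's inkblot families (with their common inflections), computes the score per page, and flags the sentences that contain them. The policy text is constructed for the example.

```python
import re
from collections import Counter

# Inkblot word families named in the essay (plus "significant" and
# "sufficient" from the IRM count). Each pattern also catches common
# inflections, e.g. appropriate/appropriately, culture/cultural.
INKBLOT_FAMILIES = {
    "appropriate": r"appropriate(?:ly|ness)?",
    "effective": r"effective(?:ly|ness)?",
    "culture": r"cultur(?:e|es|al|ally)",
    "relevant": r"relevan(?:t|ce|tly)",
    "comprehensive": r"comprehensive(?:ly|ness)?",
    "acceptable": r"acceptab(?:le|ly|ility)",
    "tolerable": r"tolerab(?:le|ly|ility)",
    "sufficient": r"sufficien(?:t|cy|tly)",
    "significant": r"significan(?:t|ce|tly)",
}


def count_inkblots(text):
    """Count hits per word family, case-insensitively, whole words only."""
    counts = Counter()
    for name, pattern in INKBLOT_FAMILIES.items():
        hits = re.findall(rf"\b{pattern}\b", text, flags=re.IGNORECASE)
        if hits:
            counts[name] = len(hits)
    return counts


def inkblot_score(text, pages):
    """Total inkblots divided by page count, rounded to two places as in the essay."""
    if pages <= 0:
        raise ValueError("pages must be positive")
    return round(sum(count_inkblots(text).values()) / pages, 2)


def flag_sentences(text):
    """Return (sentence, families matched) for every sentence containing an
    inkblot, so the author can replace the word with a measurable requirement."""
    flagged = []
    for sentence in re.split(r"(?<=[.!?])\s+", text.strip()):
        found = count_inkblots(sentence)
        if found:
            flagged.append((sentence, sorted(found)))
    return flagged


# Constructed sample policy excerpt (not quoted from any real document).
# Note that the last sentence states a measurable control and is not flagged.
SAMPLE_POLICY = (
    "Access to production systems shall be limited to appropriate personnel. "
    "Audit logs must be retained for an appropriate period and reviewed effectively. "
    "A comprehensive inventory of assets shall be maintained. "
    "Keys must be rotated every 90 days and stored in the hardware security module."
)

if __name__ == "__main__":
    print("score per page:", inkblot_score(SAMPLE_POLICY, pages=2))
    for sentence, families in flag_sentences(SAMPLE_POLICY):
        print(families, "->", sentence)
```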
Humpty famously told Alice “When I use a word it means just what I choose it to mean — neither more nor less.”
One word in ISO 31000 is most definitely not an inkblot. “Risk” is defined as “the effect of uncertainty on objectives – positive and/or negative”.
The document is forcefully determined that the meaning of the word should be absolutely clear to all readers. Section 2 contains 29 terms and definitions elaborating on the meaning of “risk” and its use in the document – supplemented by 44 explanatory notes. Section 3 contains eleven “principles” that turn out to be further definitions, e.g. “d) Risk management explicitly addresses uncertainty.”
But all this is not sufficient. To be absolutely confident that one is on the ISO 31000 wavelength one must master Risk management – Vocabulary (ISO Guide 73:2009). This is a 15-page dictionary further elaborating the terms and definitions of ISO 31000. An example: ISO 31000 refers to “stakeholders”, but one needs the ISO vocabulary to be confident of knowing what this word means – “a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity”. The Guide provides 49 such examples (supplemented by 56 more notes).
The ISO definition of risk – “the effect of uncertainty on objectives – positive and/or negative” – is described by the leader of the group that produced it as “pivotal”. Certainly it is the pivot, the authors are determined, around which all discussion of risk management should rotate. But they have a couple of problems.
The first is that their definition of risk as something “positive and/or negative” is shared by no other dictionary. “Risk” as the rest of the world uses the word is negative. It is
• “the possibility that something unpleasant or unwelcome will happen” (http://oxforddictionaries.com/definition/risk), or
• “A probability or threat of a damage, injury, liability, loss, or other negative occurrence that is caused by external or internal vulnerabilities, and that may be neutralized through preemptive action” (http://www.businessdictionary.com/definition/risk.html), or
• “possibility of loss or injury : peril, someone or something that creates or suggests a hazard” (http://www.merriam-webster.com/dictionary/risk)
The established dictionaries have the merit of defining words as most people use them. With its idiosyncratic definition the ISO appears to aspire to establish itself as a priestly caste with a private vocabulary inaccessible to the vulgar horde.
There has been an attempt by ISO supporters to gain a foothold in other dictionaries. The Wikipedia definition of risk is in agreement with the established dictionaries: “Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome).” (http://en.wikipedia.org/wiki/Risk).
But then an ISO enthusiast took advantage of Wikipedia’s open-editing facility to add the following: “The ISO 31000 (2009) /ISO Guide 73 definition of risk is the ‘effect of uncertainty on objectives’. In this definition, uncertainties include events (which may or not happen) and uncertainties caused by a lack of information or ambiguity. It also includes both negative and positive impacts on objectives. Many definitions of risk exist in common usage, however this definition was developed by an international committee representing over 30 countries and is based on the input of several thousand subject matter experts [my emphasis added].”
The ISO definition may well be now shared by several thousand LinkedIn “experts”, but the problem is that they are vastly outnumbered by the hundreds of millions of other lay and expert risk managers who share the dictionary meaning – who understand risk to be something negative. From Britain’s Health and Safety Executive (mantra “Reducing Risks, Protecting People”) to the quants who calculate Value at Risk, most risk experts still side with the dictionaries. The consoling mantra of day traders after a bad day is “No risk, no reward”. Outside the ISO club risk means what the dictionaries say it means.
A second problem encountered by the “expert” advocates of ISO 31000 is that their job as risk managers involves communicating with non-experts. Their definition of the key word “risk” that will be central to these communications is not only not in the dictionaries that most of the non-experts are likely to consult, but can be found only in ISO 31000 and the supplementary vocabulary ISO Guide 73. These documents cost CHF 112 ($104) and CHF 86 ($80) respectively.
When Alice questioned the meaning of a word that Humpty Dumpty had used he replied, “The question is which is to be master — that’s all.” In attempting to assert its mastery over the word risk, a word requiring 178 expensive terms, definitions and notes before those deploying it can be confident that they know what they mean by it, the ISO experts face a challenge. “When I make a word do a lot of work like that,” said Humpty Dumpty, “I always pay it extra.” Payment is likely to take the form of tears of frustration.
ISO 31000 and the IRM
In 2010 the IRM published an endorsement of ISO 31000 in a document entitled A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000. It says “this guide [the IRM Guide] provides a structured approach to implementing risk management on an enterprisewide basis that is compatible with both COSO ERM and ISO 31000.”
It runs into an immediate problem. ISO and COSO cannot agree on the meaning of the word at the centre of the exercise – “risk”. COSO sides with the dictionaries and views it as negative – “the possibility that an event will occur and adversely affect the achievement of objectives” while ISO defines it as “positive and/or negative”. Humpty Dumpty has yet to pronounce.
The IRM document shares with ISO 31000 an impressively high inkblot count – words onto which readers will project variable subjective meanings. In 17 pages it has 21 “appropriates”, 16 “significants”, 14 “effectives”, 14 “culture/culturals”, 13 “effectives”, 7 “comprehensives” and 4 “sufficients” – yielding an inkblot score of 5.3 – or 36 if you add the 523 occurrences of “risk” which, thanks to the ISO/COSO definitional conflict, has itself become an inkblot. The sentence “Achieving a good risk aware culture is ensured by establishing an appropriate risk architecture” conveys the flavour of the difficulty confronting those seeking to standardize risk management guidance. Which definition of risk will the health and safety officer, investment banker, compliance manager, financial regulator, or teacher producing a risk assessment for a school trip, have in mind when reading this sentence?
Although “culture” appears liberally in both documents it is used without content. There is no apparent awareness, acknowledgement or application of the substantial literature by behavioural economists, psychologists, anthropologists and members of other academic disciplines on the influence of cultural biases. The subtitle of the seminal work Risk and Culture, by Douglas and Wildavsky, published almost 30 years ago, is “An Essay on the Selection of Technological and Environmental Dangers”. Ever since then cultural influences on the threats that people select to worry about, or choose to ignore, have generated an impressive literature. Why are GMOs shunned in Europe while planted over millions of acres in the United States? Why do middle-aged women have much lower road accident rates than young men? Who worries about global warming, and why? And what induced some derivative traders to place bank-busting bets? ISO 31000 appears oblivious to such questions. Why?
In an article in Risk Analysis Grant Purdy, one of the principal architects of ISO 31000, describes it as “a new globally accepted standard for risk management”. Accepted globally? Accepted by whom? Most of the people around the globe interested in risk management, the vast majority, have never been asked. They have never read it, and probably never heard of it. The academic world is comprehensively ignorant of it because it can be found in no libraries. If it, and its associated vocabulary, were to be made available in libraries, sales of these documents at CHF 198 would be severely compromised.
No academics I know are likely to pay such a sum for the privilege of reading them. For a start they would not be interested in writing about something almost none of their colleagues had heard of – I have only been able to join this discussion because an anonymous friend sent me bootleg copies.
The academic world depends on open access to sources. The IRM is so sensitive to ISO’s aggressive protection of its copyright that it declares in its introduction that “Permission to reproduce extracts from ISO 31000 ‘Risk management – Code of practice’ is granted by the BSI.” Academics are not in the habit of seeking permission to reproduce extracts from sources that they are commenting upon.
Purdy acknowledges that ISO 31000 creates “challenges for those who use language and approaches that are unique to their area of work but different from the new standard and guide. The need for compromise and change is,” he insists, “the inevitable consequence of standardization.” In a world where the vast majority use approaches that are free, and communicate in the language of the standard dictionaries, the unique approach and language of the ISO “new standard” appear unlikely to catch on.