ISO 31000: the debate warms up

Until recently most online discussion of ISO 31000 has been confined to a friendly Linkedin site for supporters: two quotations – “I know the ISO 31000 and think it’s almost perfect” and “I think the ISO 31000 definition of risk is great” – will convey the flavor of the critical discussion to be found on the site.

The discussion is frequently ad hominem – in a nice way. Participants who agree with each other declare their mutual respect warmly – “I value your connection/friendship dearly.” But when skeptics or heretics attempt to join the discussion it can turn ad hominem in a nasty way.

Indeed outsiders do not even have to attempt to join the Linkedin forum; they can be dragged in. This happened recently to Robert Kaplan of the Harvard Business School. After speaking at a conference he was approached by one of the audience and asked his opinion about ISO 31000: “When I personally asked him afterwards to clarify how he saw ISO 31000 fitting in, he put it in the same basket as any other standard and ‘not relevant’ (implying not relevant to the future advancement of ERM).”

When asked, he said something that implied something. This was sufficient to involve him (in absentia) in a heated discussion on the ISO Linkedin site that degenerated into personal abuse.

One participant described him as “another arrogant potion peddling merchant that really should be treated as such although, this one seems to hide behind the curtain and title of a university doctrine [sic] to make the whole experience feel authentic for the next manager that is about to be ripped off.”

The convenor of the discussion declared at one point, “it is really upsetting that Dr. Kaplan’s team’s research is limited [sic] with LinkedIn ISO 31000 group. They did not asked [sic] permission for that and the legal rights are belongs [sic] to us not to him. We need to sue him for this.” It is not clear what this means or what “that” is. But we need to sue him!

The tone is consistently ad hominem, varying between nasty and nice depending on the participant’s perspective: “these people are a liability for the progression of risk management”, “excellent comments”, “I have no desire to waste my time with charlatans”, “100% agree” … etc. etc.

At one point in the discussion the ubiquitous Arnold Schanfield of Manhattanville College denounces Peter Bonisch of Paradigm Risk as “dishonourable”. He elaborates “We [i.e. the ISO fan club] are all offended by your remarks most of which cannot be supported and defended and your intentions are indeed dishonorable. If they were honorable you would be taking part in a discussion on what we need to do to move the discipline forward. Instead you have chosen to attack those individuals/professionals with very strong risk management backgrounds in a non stop barrage of $50,000 words [sic].” As with much else on this Linkedin site it is not entirely clear what this is intended to mean (or how the price of words was calculated) – other than that Schanfield stands by his view that Bonisch is dishonourable.

Bonisch has now retreated to the calmer, more dignified and coherent environment of his own blog and published an essay worth reading.

He begins by quoting a statement by Kaplan that I find difficult to argue with. It suggests that his (Kaplan’s) position is more nuanced than that attributed to him following an oral conversation:

“Standards and innovation have an inherent tension between each other, in some cases they can be mortal enemies. We standardize when we understand a process very well and want to ensure that everyone follows the same processes and measurements because they have been proven to yield superior results. But in an environment with limited knowledge and experience, premature standard setting will inhibit innovation, exploration and learning. We can standardize around preventable risks because managers do understand them well, and have developed excellent processes to prevent them from occurring. But we are just learning about the management of strategy risks and external, non-preventable risks. To think we can standardize the “best practices” for managing these two risk categories through an ISO-based process seems like a highly risky proposition for risk professionals to be engaged in with our present body of knowledge.”

Skipping to the end, Bonisch concludes, tellingly, by calling attention to an ISO 31000 injunction that I touched upon in my last blog on this subject: the risk manager should “generate a comprehensive list of risks”. ISO 31000 leaves the reader in no doubt about the importance of comprehensiveness:
- Management’s framework should be “comprehensive”
- “Comprehensive identification is critical”
- The organization should have a “comprehensive understanding of its risks”
- Enhanced risk management includes comprehensive, fully defined and fully accepted accountability for risks, controls and risk treatment tasks
- “Enhanced risk management includes … comprehensive and frequent reporting of risk management performance”
- There is a “need for risk treatment against properly established and comprehensive risk criteria”
- “Comprehensive and frequent external and internal reporting … contributes substantially to effective governance within an organization.”

“In the face of irreducible uncertainty”, Bonisch asks, “how can analysis of its effects ever be comprehensive?”

Consider the “comprehensive” challenge through the eyes of a project manager tasked with producing a “comprehensive” event tree. It would be a strange tree, unknown to nature. It would have an infinite number of branches of varying lengths and numbers of branching points.

The branching points on some branches, let’s call these branches “probabilistically-known knowns”, can be assigned probabilities with relatively small error bands. This is the realm of someone, such as an actuary in a motor insurance company, working with large and stable actuarial databases.

Other branches, let’s call them “known unknowns”, have branching points that represent imaginable possibilities, but the probabilities assigned to them are speculative; they have such wide error bands that they are effectively quantified expressions of ignorance. The fire that closed the Channel Tunnel for six months shortly after it opened had been assigned a probability in an event tree of somewhere between zero and 2.8 per billion journeys.

But the largest number of branches and branching points, a number that renders my contention of “infinite” unchallengeable, is the number of the unknown unknowns. We now live in a world inhabited by more than seven billion risk managers interacting reflexively with each other, and with natural hazards. The computer required to manage such a system is unimaginable, because once it started managing, it too would get caught up in myriad infinitely reflexive loops.

If one wants certainty one must turn to the fault tree. The event tree is a map of infinite possible futures. The engineer’s fault tree is a map of the post-accident past, and it commonly has only one branch called “culpable negligence”. (see dangerous trees)

So, what hope of demonstrating the (in)effectiveness of ISO 31000 or COSO or any other risk management standard? Concorde, before it crashed, could claim to be the safest airliner in the world – zero fatalities. After it crashed it became the airliner with the highest fatality rate per mile flown – because it had flown so few miles.

Good luck to those who hope to demonstrate the superiority of their risk management standards. Enron and Concorde had lots of fans – until they crashed – comprehensively. The ISO 31000 standard says that the risk manager “should allocate appropriate resources for risk management”. What it does not say is how, with finite resources and infinite uncertainty, one should define “appropriate”.



  1. John A says:

    That ISO31000 LinkedIn group is really like a bad B movie. I don’t want to be associated with it anymore, but I can’t stop watching!

    I hope someone has the time to start a new INDEPENDENT ISO31000 discussion group.
    Lest there be any doubt, the author of this comment is not the author of the blog.
    Although I do sympathize with the point.

  2. Alpaslan Menevse says:

    ISO 31000 is independent by itself. No member of the group (9.500+) asks permission from anybody else to post. Members all around the world have not been forced to come together; they just joined with their own will and respect.
    We believe in mutual respect. You may not want to use ISO 31000, but this does not give anybody the right to downgrade or disrespect the voluntary efforts of thousands of people.
    Some people make really good contributions to the knowledge base, like Peter Bonisch, but some people approach with disrespect, which is confronted with an equal tone; that’s all about it.
    Trying to ignore the work done will be treated in a similar manner. I can see this attitude in people who were once highly reputable, but not anymore, sadly.

  3. Arnold Schanfield says:

    Alpaslan- I am going to respond in detail to John Adams’s blog above, which not only contains inaccuracies but as well many things taken completely out of context- intentionally so. This is a continuation of the jealousy that I think exists out there. The United Kingdom would like to believe that Australia is still one of its colonies and is quite envious and jealous and flustered by the fact that Australia could in fact come out with superior guidance. This is why no one is able to explain what value there was in issuing BSI 31100 a year before ISO 31000 that looks like a complete clone of it and as well this ridiculous piece of minutiae referred to as risk appetite- where basic questions still remain unanswered and unaddressed. But I will fill in plenty of details.

    But I am also curious as to who JA is? Or is the individual afraid to properly identify himself/herself and for what reason?

  4. john adams says:

    Alpaslan, not all your 9500+ members have joined out of “respect” for ISO 31000 – see the comment above. I also am a “member” – but not a respectful one.
    In comments following my previous blog on ISO 31000 (http://www.john-adams.co.uk/2012/02/22/iso-31000/#comments) Alex Dali claimed that the group had 7000+ members. Have you really added 2500 new “members” since March?
    Amongst the comments on my previous blog was one saying:
    “I think it’s important to be clear that of the 9500+ members of the group, most are there only to keep an ear on developments (or look for potential employers or potential employees), and are not necessarily supportive of ISO31000 or active participants in the discussion.
    I for one am a member, but detest the wordings of the standard.”

    I asked Alex Dali “Do you have any idea what percentage of your “membership” would describe themselves as supporters of ISO 31000?”

    I received no answer. You and Alex clearly think the numbers are important. Can you answer my question? If you cannot I will assume your numbers are meaningless.

    I am struggling to understand the rest of your comment. You say: “We believe in mutual respect, you may not want to use ISO 31000 but this does not give anybody (me?) the right to downgrade or disrespect the voluntary efforts of thousands of people.” Do you consider all criticism disrespect?

    Let’s start with “we”. Who is “we”? All 9500+ “members”? Does it include Arnold Schanfield who denounces Peter Bonisch, whom you appear to respect, as “dishonourable”? Does Schanfield have the right to do this? If not have you admonished him? You imply that I have no “right” to criticize ISO 31000. You also say, in your comment on my previous post, that the Oxford dictionary has no right to impose its definition of risk upon you.

    Does the fact that large numbers of volunteers have worked on a project exempt it from criticism?

    Who are these once reputable people? Name names. Otherwise I haven’t a clue who you are talking about.

  5. john adams says:

    You say: “I am also curious as to who JA is? Or is the individual afraid to properly identify himself/herself and for what reason?”
    Arnold, I am a man of mystery. But since I am feeling sorry for you I will give you a clue. Try Googling “John Adams” + “risk”. Or perhaps visit my website. (Since I have seen no evidence that you appreciate irony perhaps this will pass you by.)
    I am indeed flustered by Australia’s superiority at cricket, but being a holder of a Canadian passport, proud that we would wipe them off the rink at hockey. But do tell me what this has to do with ISO 31000. Or am I being ironic again?
    Looking forward to your details.

  6. Arnold Schanfield says:

    You have covered much ground in your blog posting, John, and so I will address your points right now.

    First and foremost- I speak for myself regardless of whether or not I am associated with Manhattanville, so don’t drag the school into this. If you want to be helpful then go online and review my programs and critique those. But this has nothing to do with the school.

    Second- since you have decided to drag the discussions with Peter into this, I suggest that the first thing you do is go back and read all of our blog communications. Our discussions began much before the tail end of this that you see on the LinkedIn site of ISO 31000. Such discussions began on one of the Risk Managers blog sites and elsewhere on the various ISO 31000 sites. If you need reference to this, please let me know but do go back and read this since you have accused me of not reading before hitting the send button. Peter began his blog with no context at all to ISO 31000 but instead shifted into attack mode criticizing what he does not understand.

    Just for the record and assuming the LinkedIn resumes are updated and correct, Peter possesses a four year undergraduate degree. I see no evidence on the resume of further studies or professional certifications. I hold two degrees and certifications in six different professions including two from public accounting (Certified Public Accountant and Chartered Accountant) and two from internal audit (Certified Internal Auditor and Certified Fraud Examiner). The significance of this is quite important because Peter’s entire initial opus blames ISO and how we think or do not think about uncertainty. While his background in behavioral economics is most impressive, this is the tip of the iceberg in so far as good risk management practices are concerned. There are huge problems that have been caused by both the Public Accountants and the Internal Audit Leadership over the past ten years and I have blogged about such problems extensively. This is the primary root cause for the current state of affairs in risk management. Do we need to get a much better handle on uncertainty/behavior/biases, scenario modeling? Absolutely. But to portray this as the major basis for the problems we have demonstrates a complete lack of understanding of what has gone on around the globe.

    During my discussions with Peter, I became aware of the fact that he was partners with Richard Anderson. Richard I have known for three years, give or take. During my first encounter with Richard, two minutes into the conversation, he referred to ISO as the ISO Taliban and has proceeded to try and undermine ISO for as long as I can recall. Tell me why it was necessary for the UK to issue BSI 31100? Tell me why it was necessary for them to issue the 90 page risk appetite document? I am still waiting for responses to my concerns on the document and his document failed to reflect concerns from a number of respected risk practitioners around the globe. Instead he selected those individuals who would agree with his position.

    The genesis until someone explains this to me is because these folks are jealous of what Australia has put on the map in credible risk management guidance. So I do not see honor being brought on the profession in the least by the actions of both of these individuals and more specifically that of Peter during these past couple of months. Sorry to say this but many others would agree as well.

    Peter has stated that he never worked on ISO 31000 implementations. He never spoke to any companies or leaders in companies to try and ascertain whether efforts to implement ISO 31000 were indeed successful. When I pressed him for information on exactly what he had done, what instead this turned into was a myriad of minutiae commentaries. He is quick to criticize ISO 31000 but was nowhere to be found during its roll out. He has not published any white papers, any cases or any articles on this subject matter, yet deems himself to be an expert to criticize those who have labored on this for three years. Essentially the blog column has done nothing to move us forward but everything to get us further mired in muck.

    Furthermore, he has launched into a seven part series on COSO and while it is quite appropriate to criticize them, is this being done to try and further move the profession forward and if so, where was he years ago when this document was initially issued in 1992? Several of us have indeed criticized COSO in writing and with proper justification. Some of us (such as yours truly) have actual experience to the tune of several thousand hours on such documents and so we know what we are talking about.

    So the dialog between us on the LinkedIn site for ISO 31000 was the tail end of several prior communications. Dishonorable? You better believe it.

    Now on your Harvard blog- you are taking a statement in the middle of a conversation and inserting it into a blog posting. Why don’t you go back to the header and use that as the starting point. Domenic Antonucci a Chief Risk Officer of some thirty years based in Abu Dhabi started the blog posting. I obviously contributed to this posting and what is interesting is that the commentary dovetailed with my commentary communicated to one of the Harvard authors in June 2011 for which I never received any response. It is very interesting in how you portray the dialog instead of posting up the entire context of the discussions. I stand by all of the comments made in June 2011 to the author and I invite you to review such comments.

    You seem to sound like you know what you are talking about, John, and so I have a good proposition for you. Let me put an example out there of a real company situation and let us see from that example whether using ISO 31000 can work or not work and the specifics of such example. The article from Harvard and the approach will never be sustainable because I have tried on numerous occasions to build a case from it without success. Interestingly, Harvard did publish a couple of years ago a case study which fully supports using the DNA of ISO 31000 and more specifically AS/NZS 4360:2004.

    Again Peter’s comments and your rendition of them on the “comprehensiveness” reflect that you have only partial understanding of risk management. Nobody is looking for certainty. We are dealing in an environment where 95% of the folks out there do not even know how to go about performing a proper risk assessment. So the word comprehensive is intended to mean “robust” and robustness implies that one consider quite carefully the different event/risk identification techniques including what you are describing.

    Peter’s analysis of this comes at it just as I would have expected from someone with only a safety background that calls himself/herself a risk professional, or an actuary that does the same, or someone with a Sarbanes Oxley/financial services background that calls themselves a risk professional. This is all a small piece of the big pie. Critical, yes. But a small piece.

    Nobody ever stated that ISO 31000 was the end all and be all, and if they do, then they should as well be banned from the world of risk management. I am a mere mortal and realize that I have quite a bit to learn in this field. I have tried as best I can to assemble quality materials in the academic world including all of the behavioral stuff but realize much more needs to be done.

    So if you want to blog about something meaningful then do so and support it with examples, and then we will see whether the definition of risk as being the effect of uncertainty on business objectives makes sense or does not make sense and whether it should include the upside or should not include the upside. Show us the goodies and while we are showing these goodies, let us take a further example through a company and see if we can succinctly demonstrate the value of ISO 31000.

    And while you are busy critiquing, spend some time reading both our white paper just issued and as well Domenic’s template version 2 and share with us all your insights on this.


  7. Arnold Schanfield says:

    There is no need to be sarcastic to Alpaslan. You are no doubt aware that English is probably not his number one language, and once again you are taking comments out of context; you seem to do a great job at this.

    From my perspective, the quantity of the members is less important than the quality of the discussions. I belong to an organization of some 40,000 members and the quality is so poor that my contributions to such group end up being miniscule. So it is the effort that is being put in to try and make this a quality organization. Alex is doing a great job at this.

    ISO will indeed be quite pleased to accept criticism, but do so with some class. I have a number of criticisms of ISO and some of these have already been recorded on the various blog postings. Do this in a way so that folks feel that intentions are honest and honorable.

    If someone posts gibberish or twaddle or piffle on the sites and launches into attack mode on ISO 31000 then they deserve what they get and no one has to be reprimanded for anything. If anything, charlatans should be shut out of the site, but I actually encourage anyone to post freely. But if you post and if I have reason to believe that what you are saying makes no sense, or if I do not understand what it is you are saying, then I indeed have a responsibility and an obligation to press you for further details. If you cannot deal with this, then stay off the site.

  8. John Adams says:

    I would have thought that your position at Manhattanville College (as Director of the Education & Research Center for Managing Risk) was a relevant qualification to note about someone engaged in a debate about risk management – at least as relevant as your two degrees to which you call attention.
    You suggest that I read all your blog communications with Peter. In the ones that I have read he was civil and you were not. I am afraid I simply don’t have time to read all your 1000+ blogs a month.
    I had not heard the term ISO Taliban before, but think I will start using it. Elsewhere when someone suggested that you might turn the heat down you said “Essentially I think we are in a bit of war and there never in the history of mankind was peace without war. We are at war because our profession/discipline was hijacked years ago and now fortunately things are getting back on track- no doubt the social media is keeping this alive and well.” I can imagine that the Taliban might take a similar line with people they disagree with.
    As for the rest, as you said to me in a comment on my previous ISO post “I am having difficulty in comprehending your train of thought here. Please elaborate.”

  9. Arnold Schanfield says:

    I am not going to waste my time further in communicating with you John because I can see that it is pointless. Your view of the world is that folks ought to be able to publish what they want and when they want with no consequences. That is not the way things work.

    If you think that his comments were civil that is wonderful. But I read someone writing that really is in way over his head. A smart guy mind you but way over his head. You do what you need to do and I will do the same.

    I will challenge you to an online debate providing you can support everything you say with written examples. Then we will see which one of us is blowing steam.

  10. Harry Daly says:

    Arnold Schanfield claims that he can recognise such a thing as gibberish, twaddle, piffle or failing to make sense. But, for such a recognition to be possible, there needs to be broad agreement about the meaning and use of words. If we all used words randomly to mean different things, such a recognition would be impossible. (Obviously, we shouldn’t know what other people meant, and so couldn’t know whether they were talking gibberish or not, but, arguably, we shouldn’t know what we ourselves meant either.) “Making sense” and recognising when sense has or has not been made are done (or not done) collectively. They depend–absolutely, helplessly–on our meaning the same things by the words we use. Dictionaries don’t “impose” particular meanings upon us, they merely describe how we do, generally, in practice, use words. They are guides to usage, which help to prevent us deviating into nonsense. Imagine what would happen to the possibility of making sense, and recognising when it was and wasn’t made, if people generally treated words the way Humpty Dumpty does, as if they were free to give them whatever meaning they liked–to use “glory” to mean “a nice knock-down argument” or (anything else), “risk” to mean “indifferently the risk of happy and unhappy outcomes” (or anything else) or (as in Mr Schanfield’s last but one post above) “comprehensive” to mean “robust” (or anything else). The result would be that the distinction between sense and nonsense would be lost to us. All we should have is utterance … but without any idea what was being uttered.

    Mr Schanfield–or someone else on that side of the argument–really ought to try to answer a question I asked in an earlier post. Kevin Knight says, ISO 31000 is “applicable to all organizations, regardless of type, size, activities and location and should apply to all types of risk.” If so, it must apply to ISO 31000 itself and to the risk of being misunderstood or, even, of talking and writing nonsense. So my question for Mr Knight–or anyone else–is: if one uses words in a sense so private that other users and no dictionary recognise it, does one risk being not just misunderstood but talking outright nonsense? And, if one does, does it follow that ISO 31000 should refuse to warrant itself?

  11. Alpaslan Menevse says:

    I just checked, there are 9642 members (including you) currently. Yes, we are growing so rapidly, it is amazing. I think it is up to people, but nobody is forcing them to join.
    Secondly, the 3 stages of risk classification that Mr. Kaplan presented in the meeting were actually presented by me in 2009 with 4 stages, based on the Johari window cognition model, which is a tool for training, but that was not the case. The case was his referring to rule-based frameworks as irrelevant BUT also including ISO 31000 in this rule-based framework list. That is why I criticized his opinion. In order to criticize, one should first understand what he/she is going to criticize. Probably he is misguided by some of his colleagues.
    For Peter, he is a very intelligent professional and his intentions are quite understandable even if they may sound disturbing at the beginning. He is just searching for the truth; I respect him very much on this perspective. Even if we are not at the same point all the time, he is a very valuable person for the RM sector.

    If you had posted your OWN ideas first, maybe we may have had a better understanding of each other.
    If the intention of the criticizer is to add more value to the subject, he/she should be giving out corrective ideas or opinions on the subject. Saying only the negative side would not help much for the improvement.


  12. Arnold Schanfield says:

    I would like to try and answer your question and may or may not be successful in responding, but can I ask you please to post this up on LinkedIn ISO. It is a legitimate question that deserves a proper response. I would like the entire body of individuals to see the question and then let us see where this goes. Thanks.
