ISO 31000: the debate warms up

Until recently most online discussion of ISO 31000 has been confined to a friendly LinkedIn site for supporters. Two quotations, "I know the ISO 31000 and think it's almost perfect" and "I think the ISO 31000 definition of risk is great", will convey the flavor of the critical discussion to be found on the site.

The discussion is frequently ad hominem in a nice way. Participants who agree with each other declare their mutual respect warmly: "I value your connection/friendship dearly." But when skeptics or heretics attempt to join the discussion it can turn ad hominem in a nasty way.

Indeed outsiders do not even have to attempt to join the LinkedIn forum; they can be dragged in. This happened recently to Robert Kaplan of the Harvard Business School. After speaking at a conference he was approached by one of the audience and asked his opinion about ISO 31000: "When I personally asked him afterwards to clarify how he saw ISO 31000 fitting in, he put it in the same basket as any other standard and 'not relevant' (implying not relevant to the future advancement of ERM)."

When asked, he said something that implied something. This was sufficient to involve him (in absentia) in a heated discussion on the ISO LinkedIn site that degenerated into personal abuse.

One participant described him as "another arrogant potion peddling merchant that really should be treated as such although, this one seems to hide behind the curtain and title of a university doctrine [sic] to make the whole experience feel authentic for the next manager that is about to be ripped off."

The convenor of the discussion declared at one point, "it is really upsetting that Dr. Kaplan's team's research is limited [sic] with LinkedIn ISO 31000 group. They did not asked [sic] permission for that and the legal rights are belongs [sic] to us not to him. We need to sue him for this." It is not clear what "this" means or what "that" is. But we need to sue him!

The tone is consistently ad hominem, varying between nasty and nice depending on the participant's perspective: "these people are a liability for the progression of risk management", "excellent comments", "I have no desire to waste my time with charlatans", "100% agree", etc.

At one point in the discussion the ubiquitous Arnold Schanfield of Manhattanville College denounces Peter Bonisch of Paradigm Risk as dishonourable. He elaborates: "We [i.e. the ISO fan club] are all offended by your remarks most of which cannot be supported and defended and your intentions are indeed dishonorable. If they were honorable you would be taking part in a discussion on what we need to do to move the discipline forward. Instead you have chosen to attack those individuals/professionals with very strong risk management backgrounds in a non stop barrage of $50,000 words [sic]." As with much else on this LinkedIn site it is not entirely clear what this is intended to mean (or how the price of words was calculated), other than that Schanfield stands by his view that Bonisch is dishonourable.

Bonisch has now retreated to the calmer, more dignified and coherent environment of his own blog and published an essay worth reading.

He begins by quoting a statement by Kaplan that I find difficult to argue with. It suggests that his (Kaplan's) position is more nuanced than that attributed to him following an oral conversation:

"Standards and innovation have an inherent tension between each other, in some cases they can be mortal enemies. We standardize when we understand a process very well and want to ensure that everyone follows the same processes and measurements because they have been proven to yield superior results. But in an environment with limited knowledge and experience, premature standard setting will inhibit innovation, exploration and learning. We can standardize around preventable risks because managers do understand them well, and have developed excellent processes to prevent them from occurring. But we are just learning about the management of strategy risks and external, non-preventable risks. To think we can standardize the best practices for managing these two risk categories through an ISO-based process seems like a highly risky proposition for risk professionals to be engaged in with our present body of knowledge."

Skipping to the end, Bonisch concludes, tellingly, by calling attention to an ISO 31000 injunction that I touched upon in my last blog on this subject: the risk manager should generate a "comprehensive" list of risks. ISO 31000 leaves the reader in no doubt about the importance of comprehensiveness:

• Management's framework should be comprehensive
• Comprehensive identification is critical
• The organization should have a comprehensive understanding of its risks
• Enhanced risk management includes comprehensive, fully defined and fully accepted accountability for risks, controls and risk treatment tasks
• Enhanced risk management includes comprehensive and frequent reporting of risk management performance
• There is a need for risk treatment against properly established and comprehensive risk criteria, and
• Comprehensive and frequent external and internal reporting contributes substantially to effective governance within an organization.

In the face of irreducible uncertainty, Bonisch asks, how can analysis of its effects ever be comprehensive?

Consider the comprehensiveness challenge through the eyes of a project manager tasked with producing a comprehensive event tree. It would be a strange tree, unknown to nature. It would have an infinite number of branches of varying lengths and numbers of branching points.

The branching points on some branches, let's call these branches probabilistically-known knowns, can be assigned probabilities with relatively small error bands. This is the realm of someone, such as an actuary in a motor insurance company, working with large and stable actuarial databases.

Other branches, let's call them known unknowns, have branching points that represent imaginable possibilities, but the probabilities assigned to them are speculative; they have such wide error bands that they are effectively quantified expressions of ignorance. The fire that closed the Channel Tunnel for six months shortly after it opened had been assigned a probability in an event tree of somewhere between zero and 2.8 per billion journeys.

But the largest number of branches and branching points, a number that renders my contention of "infinite" unchallengeable, is the number of the unknown unknowns. We now live in a world inhabited by more than seven billion risk managers interacting reflexively with each other, and with natural hazards. The computer required to manage such a system is unimaginable, because once it started managing, it too would get caught up in myriad infinitely reflexive loops.

If one wants certainty one must turn to the fault tree. The event tree is a map of infinite possible futures. The engineer's fault tree is a map of the post-accident past, and it commonly has only one branch, called culpable negligence. (See "dangerous trees".)

So, what hope of demonstrating the (in)effectiveness of ISO 31000 or COSO or any other risk management standard? Concorde, before it crashed, could claim to be the safest airliner in the world: zero fatalities. After it crashed it became the airliner with the highest fatality rate per mile flown, because it had flown so few miles.

Good luck to those who hope to demonstrate the superiority of their risk management standards. Enron and Concorde had lots of fans until they crashed comprehensively. The ISO 31000 standard says that the risk manager should allocate "appropriate" resources for risk management. What it does not say is how, with finite resources and infinite uncertainty, one should define "appropriate".