Risk Management: Failures, Omissions, Fallacies & Deficiencies in Many "Standards-Based" Practices, Undermining "Risk-Based" Efficacy
Ridley Tony
Experienced Leader in Risk, Security, Resilience, Safety, and Management Sciences | PhD Candidate, Researcher and Scholar
Countless organisations, practitioners, government agencies and even commercial service providers declare risk management compliance, allegiance or superiority due to the use of a 'standard'.
So much so that such declarations or assurances imply "nothing to see here" or "we are the best-of-the-best thanks to our individual and collective devotion to a risk 'standard'".
However, many of these editorial veneers are not only unsubstantiated, the lack of questioning or investigative critique conceals many varied and complex risks within organisations and their business practices.
Furthermore, unpacking claims of risk management standardisation and devotion routinely reveals organisations and government agencies have failed to keep pace with updates, revisions and changes, clinging (for financial, cultural or convenience reasons) to past versions, standards and guidance.
This is often most evident in the first few stages of risk 'standardisation'.
ISO 31000 Risk Management "Standard"
"ISO 31000 provides a relatively uncomplicated approach to risk management, which identifies generic stages required in a risk management program. While in most nation-states these standards are not legally binding, they may be considered persuasive."
(Smith & Brooks, 2013:58)
Communication & Consultation
This foundational instruction and initial stage is routinely the most omitted, undocumented or unsubstantiated of the risk standardisation approach. As a result, significant questions arise as to the validity or efficacy of all steps and stages that follow this incorrect start point. In other words, lack of communication and consultation typically invalidates and negates the remainder, if not the entirety, of the risk management 'standards' pursuit. Moreover, the instructions have changed from 2009 to 2018, as have the concealed authors, contributors and objective terms of reference, which attempt to combine the world's entire culture, communities, knowledge, comprehension and threats into a boilerplate standard for all seasons, environments or contexts.
"Communication and consultation with external and internal stakeholders should take place during all stages of the risk management process." (ISO 31000:2009:14)
"Communication seeks to promote awareness and understanding of risk, whereas consultation involves obtaining feedback and information to support decision-making." (ISO 31000:2018:9)
Establish Context
Lack of context and specific relevance to the organisation, operation or culture is most notable where organisations purchase, or reference purchased, 'risk' ratings, scales or gradings. This practice remains a fundamental contradiction or antithesis of 'context'.
Absence, exclusion or failure to contextualise the process again invalidates or negates the subsequent phases, or any claim of adhering to a standard. Context can't be outsourced.
"By establishing the context, the organization articulates its objectives, defines the external and internal parameters to be taken into account when managing risk, and sets the scope and risk criteria for the remaining process." (ISO 31000:2009:15)
"When designing the framework for managing risk, the organization should examine and understand its external and internal context." (ISO 31000:2018:6)
Stop! Do not pass Go, do not collect $200
As the instructions in the board game Monopoly prescribe, question or do not progress until you have completed the first essential steps.
Moreover, the absence of evidence, efficacy or completeness of the first two steps should be a major warning and alert for auditors, investors, company directors, executive management, regulators and consumers of all subsequent 'risk' narratives, product or outcomes.
In other words, there is nothing 'standardised', compliant or relevant in the process thus far if communication, engagement, consultation and context have been omitted.
Look for supporting evidence, meeting evidence, edits and 'others' involved in the process. If not, ring the warning bell(s).
Risk Criteria
Long before risk is discussed, assessed, rated, ranked or 'managed', specific criteria and guiding terms of reference and standards are required. Not after 'risk' discussions, evaluations, analysis or investigation has commenced.
"Risk criteria should be consistent with the organization's risk management policy, be defined at the beginning of any risk management process and be continually reviewed."
(ISO 31000:2009:17)
"The organization should specify the amount and type of risk that it may or may not take, relative to objectives. It should also define criteria to evaluate the significance of risk and to support decision-making processes."
(ISO 31000:2018:10)
Risk Identification
Despite clear instructions, requirements and the completeness of the 'standard', this is where most individuals, organisations, government agencies and practitioners start.
That is, they start shopping around for risk topics, categories, start points or prior threats. Furthermore, most 'risk' reports, views and assessments have aged, changed or decayed in the time between their creation and the commencement of this stage.
This danger and lack of relevance is amplified for those that outsource or purchase 'risk' ratings, scales or rankings from commercial or free service providers.
This includes routine, annual or scheduled risk reports from regional or global entities.
"The organization should identify sources of risk, areas of impacts, events (including changes in circumstances) and their causes and their potential consequences." (ISO 31000:2009:7)
"The purpose of risk identification is to find, recognize and describe risks that might help or prevent an organization achieving its objectives. Relevant, appropriate and up-to-date information is important in identifying risks." (ISO 31000:2018:11)
Risk Analysis
The second most common start point for most risk management practices and habits.
That is, individuals, organisations or agencies begin analysing the most visible, topical or recent threats, forming risk views and narratives that are all but impossible to modify or influence after the fact.
"Risk analysis involves developing an understanding of the risk. Risk analysis provides an input to risk evaluation and to decisions on whether risks need to be treated, and on the most appropriate risk treatment strategies and methods." (ISO 31000:2009:18)
"The purpose of risk analysis is to comprehend the nature of risk and its characteristics including, where appropriate, the level of risk. Risk analysis involves a detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness." (ISO 31000:2018:12)
Risk Evaluation
While this step is the least templated or prescriptive stage, templates and rigid forms of measurement and response abound. Risk matrices and other oversimplifications of complex world and human happenings dominate this step.
"Risk evaluation involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered. Based on this comparison, the need for treatment can be considered." (ISO 31000:2009:18)
"The purpose of risk evaluation is to support decisions. Risk evaluation involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required." (ISO 31000:2018:12)
Risk Treatment
Again, risk treatments are routinely prepared long in advance of any procedural consideration of threats, harm, hazards or peril, and then matched based on accepted norms, scripted management practices, or dictated in advance by senior management and some risk 'advisors'. Alternately, they roll over from year to year as the least objectionable approach to managing risk without upsetting business operations or power structures.
Context, communication and relevance are routinely missing or remain too abstract.
"Risk treatment involves selecting one or more options for modifying risks, and implementing those options. Once implemented, treatments provide or modify the controls." (ISO 31000:2009:18)
"The purpose of risk treatment is to select and implement options for addressing risk." (ISO 31000:2018:13)
Monitoring & Review
"Resilience is a lifestyle, not a state"
In other words, the 'job' is never done and threats never sleep. Perpetual surveillance, awareness, monitoring and review are required, despite the business planning and update cycles that dominate risk management practices.
This applies especially to those that worship standards, the three lines of defence, or audit as the tower of superiority in all matters organisational, and to those with compliance objectives and regulatory response obligations.
"Both monitoring and review should be a planned part of the risk management process and involve regular checking or surveillance." (ISO 31000:2009:20)
"The purpose of monitoring and review is to assure and improve the quality and effectiveness of process design, implementation and outcomes." (ISO 31000:2018:14)
Risk Management: Standardisation
By now, it should be apparent there is nothing standard about the understanding, application and implementation of the risk management standard at all. Acutely so where individuals, organisations and agencies 'cherry pick' start points, sequences and process.
Notwithstanding, the 'standardisation' of risk management, or of similarly complex, networked or system-dependent practices that rest upon many human, community, natural and uncontrollable influences, remains inherently flawed if not unrealistic.
Despite this reality, red flags and serious weaknesses are most visible where the first two steps (communication & context) are only lightly evidenced, visible or represented.
Evidence & Documentation
Even though the standard itself prescribes the requirement for documentation and reporting, it remains a common oversight and exclusion, especially where the first two steps are involved.
"Risk management activities should be traceable."
(ISO 31000:2009:21)
"The risk management process and its outcomes should be documented and reported through appropriate mechanisms." (ISO 31000:2018:14)
Critiques of Risk Analysis, Assessment & Management
"The standard (ISO 31000) does not aim to enforce uniformity of risk management systems, rather to specify the risk management process in any given industry, including security."
(Smith & Brooks, 2013. p.57)
"One of the key challenges that modern executives face is certainly that of finding a balance between the need to take risks into account as thoroughly as possible in order to implement appropriate preventive measures and the awareness that risk management can not be reduced to planned measures and organizational routines."
(LaLonde and Boiral, 2012)
"Despite its positives the overall conclusion must be that ISO’s new standard on risk management (ISO 31000) is disappointing. We must remember that it is the work of a committee of people from different countries and speaking different languages. We must also remember that an abstract topic like risk management is far harder to write about clearly than, say, the size and electrical properties of a new electronic socket."
(Leitch, 2010)
"many risk management standards (e.g., ISO 31000) do not consider the concept of threat."
(Smith & Brooks, 2013:64)
In other words, many risk management practices are more ritualistic organisational behaviours than response and resilience to specific threats, hazards, danger or peril. Hence so many keep being 'caught out' by pandemics, supply chain issues, natural events, war and negative economic variance.
In sum, risk management standardisation promises a world of universal protection and resilience to risk by prescribing common preparation, management and protection from harm, disruption, loss or delay.
Routine declaration of compliance, adherence or devotion to any risk management standard aims to allay concerns, fears or enquiry as to how 'risk' is actually considered, measured and responded to.
In reality, few follow 'the standard'; instead they make random, dangerous shortcuts in the process, dismissing the practice as subjective professional judgements (SPJ) executed by professionals.
Few who make these claims can evidence the basis for this self-authored, organisationally endorsed professional 'risk' title, qualification or insight, which makes the phenomenon even more problematic and hazardous.
Litigation, public enquiry and expert analysis routinely identify these common 'risk' failures.
In short, 'risk management standards' are routinely used to conceal random, personal and ritualistic practices under the guise of manufactured consistency, when in fact they are anything but consistent.
Especially in environments where threats, technology, people, laws, governments and communities are prone to disparate cycles of change or threat, standards are of little use other than providing a common table of contents for comparison. They do not, by any reasonable measure, constitute professional practice, mitigation of risk, or verifiable resilience or protection.
Tony Ridley, MSc CSyP MSyI M.ISRM
Security, Risk & Management Sciences
References:
ISO 31000:2009. Risk Management - Principles and Guidelines. International Standards Organisation.
ISO 31000:2018. Risk Management - Guidelines. International Standards Organisation.
LaLonde, C. and Boiral, O. (2012). Managing risks through ISO 31000: A critical analysis. Risk Management, 14(4), pp. 272-300.
Leitch, M. (2010). ISO 31000:2009 - The new international standard on risk management. Risk Analysis, 30(6), pp. 887-892.
Smith, C. and Brooks, D. (2013). Security Science: The theory and practice of security. Elsevier, pp. 57, 58 & 64.