
Saturday, March 10, 2012

ISO 31000 and Objectives

ISO 31000 is becoming a popular risk framework and a credible alternative to COSO, and many organisations across the planet are now selecting this approach for formalising their internal risk programs directly. In fact, ISO 31000 is probably taking the lion's share of market interest in risk management at present, and that isn't such a bad thing.

One aspect that sets ISO 31000 apart from many other risk frameworks in use is its clear delineation of, yet connection between, an objective and the uncertainty in that objective. In this article we take a brief look at this relationship.

Objective vs Uncertainty
Anyone who has read the ISO 31000 core standard will conclude very quickly that ISO 31000 is focused on two key polar points: objectives and the uncertainty in them. The opening sentence of the entire standard goes something like the following:

Organisations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organisation's objectives is risk.

ISO 31000 Preamble | ISO 31000:2009

On the surface this seems very straightforward; however, if one ponders the relationship between objectives and uncertainty for a moment, it quickly becomes apparent that there is more to this than meets the eye. Firstly, objectives may come to an end, a natural end, but not because of a risk. Then there are objectives which are taken for granted, such as staying alive, that may not even be seen as objectives but do have an obvious downside exposure to uncertain hazards. Downside is not the only hemisphere of risk outcome either: there is also upside risk, where we capture an unintended gain from an unexpected event simply because of the way it played out.

Nonetheless, connecting objectives to uncertainty is a tidy way of looking at risk, and ISO 31000 makes this reference more than once throughout the standard. If we take a look at some of the different types of objectives an organisation might have, it quickly becomes apparent that a clear definition of scope is going to be required for a successful ISO 31000 risk framework implementation.

Sample Objectives | Martin Davies

Let's look more closely at one of these, the test objective.

The Test Objective
A test objective's sole purpose is to understand the unknown dynamics within something, measured against a benchmark belief. We might be testing the market suitability or safety of a prototype car, and as consumers we would hope that car manufacturers do actually carry out these tests. So in the experiment, if we test a car's performance against a safety requirement, an outcome which will have uncertainty, then we have to accept that an unfavourable result from the test doesn't mean the test failed because of risk.

Test objective common risks
[1] The test objective failed because of a type I error
[2] The test objective failed because of a type II error
[3] The test objective has completeness concerns

Test objective common outcomes which are not typically risks
[4] The test objective failed to reject the null hypothesis and the main objective is abandoned
[5] The test objective responded with a positive outcome and the main objective is chosen

So where does this lead us?

Be clear with your agenda
Inside an organisation there are going to be lots of personalities, especially between departments such as marketing and engineering. There will also be many potentially conflicting agendas and diverse opinions on who owns the outcome of an objective. If you want ISO 31000 to be a success, I would say it is going to be prudent to run an activity that maps these aspects of the business against uncertainty, and to do this early on.

Secondly, it is possible that the objective/uncertainty connection in ISO 31000 will give the risk department a corporate mandate to involve itself in a wider aspect of the business operation, and this probably won't come without additional costs.

If ISO 31000 is implemented properly, you can expect some of the following:

[1] Greater coverage for measuring hazard in the business from the risk department
[2] The risk team is going to need to acquire a deeper understanding of the nature of the business
[3] Meeting both of these challenges generally won't come for free

All this aside, ISO 31000 shows great promise. It is a simple document to understand, but its simplicity shouldn't be taken for granted.
