What's Hot

"Risk Dashboards should serve the stakeholder" | Advanced Risk Dashboards

Sunday, January 6, 2013

Five thorns of ISO 31000

Anyone following the G31000 forum closely will come to realize that there are some continual inconsistencies of opinion which raise their head when ISO 31000 is discussed broadly. I call these debates of contention, the Five Thorns of ISO 31000.

In this blog posting, we are going to look at these Five Thorns in more detail. The aim in the end, is to put a structural emphasis on attempting to resolve them.

The five thorns of ISO 31000
Firstly, before leaping into the idiosyncrasies of the debate, it is definitely prudent to link to the source of this blog article and that can be found here at this [LINK].

Over the last few months I have been monitoring and actively commenting on many ISO 31000 discussions around risk management and its general application. When differences of opinion arise, they generally centre on five irreconcilable differences between opposing analysts beliefs. I take to list these five hurdles in one single place below.

In each case or thorn as it now is, there have been hours of disputation entertained and literally hundreds of risk analysts have put forward their opinions on why something should exist or not. In nearly all cases, the arguments have not been restitutionary.

If ISO 31000 is going to have a smooth deployment future across the globe, across different and diverse industry sectors, the structure in which the whole standard is put forwards might need to be tweaked.

Let's look at the five headaches, although they aren't listed in any specific order of priority.

[1] The categorisation of risk
The categorisation of risk is not new to risk management, although the banking standard Basel II has certainly given great life to this concept. Basel II published its final Annex VII "Detailed Loss Event Type Classification" and a first draft, Annex II [LINK] about a decade ago. There are arguments for and against risk categorisation but I have written about all of this before [LINK]. None the less, where risk management is being applied in some sectors of the economy, risk categorisation is important and it can't be removed without collapsing entire risk communities.

In ISO 31000, categorisation of risk is inferred by describing it as a formal risk management process for particular types of risk or situations. Yet, the standard is relatively mute on this type-casting process, perhaps more work needs to be applied here. 

[2] The ideals around inherent and residual risk
The ideas around inherent and residual risk are even longer standing than risk categorisation, possibly hundreds of years in the making and they are consequently more embedded in the world of risk management, finance, economics, the list of applications is endless. Again I have written about the importance of inherent risk as well, that can be found here [LINK]. All this aside, I summarize how critical the inherent risk concept is in the following way:
In financial markets, we have entire indexes set up for inherent risk such as VIX or iTraxx / Markit (spelled correctly), insurance is predicated on the concept, the whole notion of a bond spread is based around inherent risk or more so benchmarking. Valuation, perhaps even discounted cash flow would cease to exist without it and we would plunge the world back into a Babylonian economic era if we let the idea go; that is unlikely to happen.
Martin Davies | G31000
[3] Concepts around risk appetite
Risk appetite isn't a new concept either and for the last hundred years or so, it has been debated by some great minds, some of these people received Nobel prizes for their work in behavioral finance. Without listing the huge array of people and the accolades for their work in risk appetite, I fair we might be better off accepting the concept rather than trying to reject it. The later simply brings great loss of historical learning and I have written about this too, that link can be found here [LINK].

[4] Acceptance of the risk event ideal
The wording "Risk Event" seems to be confusing for a lot of risk analysts even though it is mentioned in ISO 31000. I see the idea as nothing more than an incident that has occurred. Theoretically, a risk's threat or likelihood has been realized. In the domain of safety, the concepts around a risk event, incident management and interestingly, near-miss, are quite well accepted in practice. ISO 31000 would do better to describe these unique aspects of incident management in more detail, perhaps in a central way. 

[5] An avoidance to attempt risk modelling
The next point is more of an annoyance, rather than a structural divide in opinion between analysts. However, there appears to be a lot of risk managers making up the ISO 31000 community who have an absolute repulsion to risk modelling. This is really quite strange when ISO 31000 itself has a risk modelling handbook that goes under the reference of ISO 31010.

Two common arguments that are thrown up to support the decision for not measuring risk are: Risk can't be predicted accurately because it lies in the future and the other is, risk management is more than modelling alone. Both these remarks are true but they are not sound reasons for rejecting to model.
Risk Quantification or modelling it, is not about predicting the future, it never has been and those that say this or argue for modelling on this premise are misplaced with their perspective of reality. Those that argue against modelling because the future is unknown, have thrown the baby out with the bath water.
Up front and on the line, randomness CAN'T be predicted. If it could, we would be able to value anything and everything, there would be no uncertainty and the price of everything would fall to zero because it would be known and stable. A place of ZERO volatility obviously does not exist if we extend the timeline around that volatility long enough.
Martin Davies | G31000 
So there we have it, our chronicle of the five thorns but how do we go about addressing them?

Looking forwards
Contrary to what one might believe, especially after reading this chronicle; is that I might actually not be a supporter of ISO 31000. That is not the case and I deeply would like to see the world have a reference standard for enterprise risk management, one where the five thorn obstructions have been flattened.

I also believe that a continual fight between analysts for justifying why ISO 31000 was first drafted with these unexpected delineations is not productive. It doesn't help the adoption of ISO 31000 across different industry sectors which face a thorn. Unending debates on whether we should have risk appetite or not just for example, is also futile. The concept of risk appetite is older than just about everyone debating it and in many circumstances it works wonderfully, it is in itself a work in progress and ISO 31000 is unlikely to summarize hundreds of years of research into a coin phrased term "risk attitude". Well it might achieve this in the end, but not without going through another hundred years of evolution and crossing the same road that "risk appetite" has already progressed down.

What is needed is a clear guide on why ISO 31000 differs but this isn't enough.  ISO 31000 needs to also acknowledge the existence of these other accepted and common risk practices (the thorns) in an annex, ignoring them is only going to keep the fire of argument alive.  Finally, ISO 31000 is up for review under the PC 262 technical review process and it would be prudent if each thorn in the five thorns was tabled for evaluation. 

Even still, if a thorn remains, that might be great. The world of risk management may evolve into something new, something fantastic, who knows; however, the alternatives before ISO 31000 came along need to be referenced in the standard at the very least.


  1. What do you mean by risk attitude?

  2. Risk attitude is an ISO 31000 concept similar to Risk Appetite. The term is fine but it shouldn't replace risk appetite in my opinion.

    It can of course be a little confusing as well, here is an example.

    A risk analyst can have a good attitude to risk management but also a high risk appetite.

    Conversely, the risk analyst may have a bad attitude to risk management and also a low risk appetite.

    Which is worse?

    What does this actually mean, it is a little confusing.

  3. The entire ISO 27001 Certification documents prepared as per requirement of ISO 27001:2005 Information Security Management standard by team of highly experienced iso auditors and management consultants. Entire ISO 27001 2005 documents for information security systems are written in editable MS-Word format in plain English. Any organization can easily modify as per their company requirement and within 2 days their entire documents with all necessary controls will be ready.

  4. nice blog !! thanks for sharing the information about iso consultants . this blog is really nice and interested to read.