The (probably non-) risk management process

If you want a process for managing risk, then ISO 31000, “Risk management — Guidelines” is probably not going to help you.

I’ve been looking at ISO 31000, because although I’ve been reading a lot of blogs and articles by individual people about risk, I also felt it was important to understand any “official” guidance on risk management. Ideally there would be a system for reducing the chances of bad things happening, in much the same way that the Theory of Constraints offers a systematic way of improving operational throughput.

There are other risk guidelines which are also in some way “official” (and we can have a fun time trying to define that word)—COSO and M_o_R are two examples. But I had to choose one to start with, so I chose ISO 31000. It does claim to be an international standard.

The document describes some principles, a framework, and a process. In fact it talks about “the process”, and although there’s no explicit statement about what the process is intended to achieve it is “the risk management process”. Risk management is defined in the document as “coordinated activities to direct and control an organization with regard to risk”, and risk is the “effect of uncertainty on objectives“. So ISO 31000 does offer a process for coordinated activities to direct and control an organization with regard to the effect of uncertainty on objectives. It’s the process that is the closest thing to the work on the ground, not the principles or framework.

However, the ISO 31000 process is really just risk listing, which (to be only a little harsh) means using a task list to track your concerns. It’s what project managers are traditionally told to do, and what got me started on this risk odyssey in the first place.

If risk management is about achieving objectives then our risk list doesn’t help us much. If we’re worried about our cyber-security then it doesn’t tell us how to address that. If we’re concerned about our competitors’ future product releases then it doesn’t provide much guidance.

What it does do is suggest a way of tracking our concerns and it gives us an artifact around which we can have a conversation (“Okay, moving on to item 3 on our list…”). When the auditors come round and we need to cover our backsides the list might be very useful. But in terms of helping us deal with difficult decisions, or spot areas of potential harm or opportunity, there is a yawning gap.

Perhaps the ISO 31000 process does deliver what it promises, in so far as it suggests a rough way to co-ordinate and direct… but it does seem to miss the crucial doing part.

Photo from Seattle Municipal Archives

2 thoughts on “The (probably non-) risk management process

  1. I’ve seen many projects that just did what you explain about ISO31000: (If they did anything about risk at all), they made a risk register and that was it.
    Could it be that they followed ISO31000, or does ISO31000 follow practice?

  2. Risk listing is very common, but I don’t know who has followed who. I suspect it’s one of those things where everyone just followed each other, and it became accepted practice without any great thought.

Comments are closed.