According to a recently published white paper, the current version of ISO 31000 is based on 1980s models no longer fit for purpose – and it needs a whopping big overhaul to pull it into the current millennium.
If you’re a risk management or resilience professional, security risk management consultant, or a member of one of any number of similar sounding occupations, then you probably know a thing or two about the international standard ISO 31000. No doubt you’ve probably also got an opinion or two about it.
Love it or hate it, the phenomenally successful ISO 31000 standard is coming to the end of its life as a standard and a formal process of review will soon begin. According to the authors of ISO 31000:2018 The Case for Reform, it’s an opportunity to give the venerable standard a complete overhaul.
“Although ‘ISO 31000’ has been a phenomenal success in its acceptance and take-up worldwide, the Standard is not without serious conceptual problems and practical limitations,” state the whitepaper’s authors. “The Standard has been widely criticised by various practitioners, professional bodies, academia, and by risk experts in different industry, science and technology domains.”
“It can be argued that the simplicity and accessibility that has made ISO 31000:2018 the global guidance document, may also be responsible for both preventing the adoption of better practices (scientifically validated), and for promoting an increasing misunderstanding about the nature of risk and its management,” explain authors Dr Carl A. Gibson, Jason Brown, and Dr Elizabeth M. Gibson.
“Indeed, it appears that many of the problems in contemporary risk management arise from a shallow understanding of the Standard and the nature of risk, as well as from problems innate to ISO 31000 itself.”
The whitepaper’s case for reform includes the following areas for change (among many others):
- The Standard is highly generic. This has been a strength of the earlier versions of the Standard, allowing its ready adoption by a wide range of users, including those with a low knowledge and experience base about risk management. In this latest version of the Standard, this generic guidance has become a weakness.
- Unproven claims made within the Standard, particularly about its wide applicability and benefits, have resulted in the adoption of the Standard for purposes for which it is wholly unsuitable.
- A great deal of the Standard is conjecture, based upon assumptions that have not been surfaced, tested, or validated.
- The Standard ignores a great deal of the high-quality published literature that deals with uncertainty and risk. In doing so, the Standard uses concepts that are outdated and, in various parts of the publication, incorrect.
- The Standard presents itself as the de facto approach for managing risk, without proof. It is also a claim rejected by numerous domains that use risk assessment and have formal approaches for managing risk.
- Under the ‘reign’ of ISO 31000, the outputs of risk management activities have become more and more about populating ‘risk registers’ and creating lists of risks.
- The Standard promotes the use of a PDCA (plan-do-check-act) cycle that is ill-suited to the high complexity and uncertainty within which most organisations now operate.
- All of the processes described in the Standard are highly linear in nature, which can increasingly struggle as complexity and uncertainty increase.