Risk-Based Thinking and the Low-Information Quality Practitioner

In the US, the political news media uses the term “low information voter” to refer to American voters who lack sufficient knowledge about politics to make proper informed decisions, and instead vote based on “gut” feelings, visual cues, responses to intentionally-skewed advertising, and other sources. Comedian Stephen Colbert spent his recent career satirizing this through what he called “truthiness,” which he defined as “truth that comes from the gut and not from facts.”

The concept of low information voters is used to explain, retroactively, many of the now head-scratching decisions made by citizens which, upon examination of facts, appear to make no sense. It has been used to attempt to understand everything from the recent Donald Trump surge in America, to the rise of Fascism in Europe, and even the chavista movement in Venezuela. Low information states are the sole reason we have pseudosciences such as homeopathy, Reiki and chiropractic: science tells us they don’t work, and may well cause more harm than good, but desperate patients seeking a hopeful way out rely on “their gut” to overcome their rational thinking. Perhaps the greatest example of low information influence can be seen in use right now by those denying global warming, where the deniers invoke their irrational feelings to ignore the science: “it’s freezing cold in my NY apartment, so global warming can’t be real!”

By responding to emotions, rather than facts, it removes responsibility of the person to make any effort: they need only rely on whatever already happens to be inside them (upbringing, opinions, insecurities) and have those things reinforced by sound bites and simplistic language. The alternative is to expend energy: study, learn, debate, and .. the most ghastly option of all … potentially change one’s mind.

Low Information Risk Management

Enter ISO TC 176, the inventor of the overnight pseudoscience called “Risk Based Thinking,” which it introduced into the new ISO 9001:2015 standard. I won’t belabor how RBT came to be (you can read it here), but the short version is that TC 176 faced a confluence of pressures: first, they had to inject “risk” into the standard because of a mandate by their oversight body, the ISO Technical Management Board. Then, they had to figure a way to do so without conflicting with TC 262 on risk management. Simultaneously they had to wrestle with the problem that few ISO 9001 users understood pre-existing language on “preventive action.” Finally, they had to solve all of these problems given an outrageous deadline set by the publishing arm of ISO, which only makes money when standards are in print, not when they are in development.

So TC 176 dreamt up, overnight, a new phrase called “risk based thinking” which, they said, replaced preventive action and satisfied the TMB’s non-consensual mandate to include risk in the new standard. Since “thinking” can’t actually be proved, disproved, or even particularly expressed, they couched it in a series of vague statements, light on actual requirements, so that they could check the box and rush the standard to the printers.

Sensing an intellectual backlash, ISO — which, remember, is first and foremost a savvy media publisher — worked with BSI to put out a series of official talking points to convince the quality profession that they hadn’t just started selling what one TC 262 rep called “selling cans of air and bottles of sound.” In these releases, they insisted that RBT was in the standard all along, just hidden under the term “preventive action.” They also insisted that it was something everyone does naturally, and that it was (literally) as simple as crossing the street. They ignored the fact that the standard dedicates over 1,100 words on “how to cross the street.”

ISO then trotted out the usual suspects of dutiful careerists to take their case to the people: Nigel Croft, Denise Robitaille, Lorri Hunt, Susan LK Briggs, Jack West, etc. Soon the pages of every quality publication were filled with restatements of the official talking points, and often just outright plagiarisms of them. Meanwhile, those who were trying to have a more honest discussion were banned from publication, isolated from speaking events, and generally treated like fringe lunatics. After all, why would any sane person question the motives of the ISO publishing house?

The situation has become so ludicrous, that now ISO consultants are rebranding themselves “risk-based thinkers” and the flood of books is already drowning the market. Yet one truth remains: none of the so-called experts could possibly have any expertise in RBT since prior to September 2015, it never before existed. If it sounds like I am calling every so-called RBT expert out there a liar, that’s pretty close to the truth; most of them are.

Go With Your Gut

The lack of any firm requirements in ISO 9001:2015 on this concept of “risk based thinking” is obvious to those who are not likely to be subject to the low information phenomenon. That’s not to say we are setting up a “smart people vs stupid people” slapfight, because many smart people are nevertheless attracted to the low information state. But what’s clear is that those who insist RBT is “revolutionary” or otherwise helpful are nearly universally doing so based on their “gut” — it feels right.

They then set up phony straw man arguments, such as “of course risk is everywhere, and if you aren’t working to reduce risk you may as well go out of business.” Well, that may be true, but for tens of thousands of years mankind has been managing risk, and it never required ISO to put the three words “risk based thinking” in sequence to suddenly get it right. But the point is that anyone claiming RBT is fake must have a suicidal inclination towards accepting all risks, since there cannot be any other answer.

This intellectual laziness is never more evident then when the word “FMEA” pops up in defense, or in explanation, of RBT. While the tool isn’t mentioned in ISO 9001, nearly every CB auditor, consultant and TC 176 proponent of RBT eventually trots out FMEA as the means of addressing RBT. It’s fallacious — FMEA has been debunked as a mathematical failure prone to shift resources away from true risks and waste them on fighting unicorn dragons — as well as failing to address ISO 9001’s claim that RBT must address both risk and opportunity; the easiest way to shut up someone arguing for FMEA is to ask them how a tool used to mitigate negative risk can simultaneously be used to maximize a positive opportunity.

The “FMEA meme” comes about because few in the quality profession have a second degree in Risk Management, and fewer still have actually ever read a book on it. Instead, quality consultants probably filled out a few FMEA forms during their last job, typically as a middle manager or chief inspector, so they “go where they know,” a phrase which is also used by law enforcement to help find lost children, by the way. These sudden experts in risk management have never run a Monte Carlo, never heard of Frank Knight, and probably think “ERM” is something the butler Carson mutters when he’s trying to get Lord Grantham’s attention. If they’ve read a single book on the subject, it would be nothing short of a miracle.

(I’m serious… if you’re at one of those TC 176 events, ask Denise Robitaille how many books she’s read on risk management. Bring a stopwatch to measure the pregnant pause, and then prepare for her to shift the answer to some unrelated nonsense about preventive action, as she “goes where she knows.”)

In response to the argument that those accepting RBT at face value are low information, anti-intellectuals, expect a lot of indignant anger. I ran an experiment on LinkedIn, and it was nearly 100% conclusive: those debating against RBT were asking for science, data, proof that it worked, or at least was the product of a study of some sort. Those who argued for RBT did so based on emotion, feelings, and a little fear. When the issue of anti-intellectualism rose up, the RBT defenders grew furious, felt insulted, but at every turn failed to come up with a fact-based defense of their new beloved science.

Low Information, High Risk

The problem now is that RBT has infected areas outside of ISO 9001. As we saw, consultants are adopting the label as some sort of honorific. The term has even cropped up in job postings. But worst of all, it is now being spread, Zika style, into other standards. The dupes at IAQG have allowed RBT to be injected into the new AS standards, AS9100, AS9110 and AS9120, despite it being in complete contradiction with any form of risk management ever before used in aviation, space or defense. Similar effects are happening even in non-ISO standards, as well as the term being used in government contracts.

This creates tremendous risk, ironically. whereas ISO 9001 used to require a formal, well-prescribed method to treat preventive action (including cause analysis), RBT makes no such requirement, and instead just asks the user to “think” about risk, and then do whatever they like with it when they find it. For the low information quality practitioner, this is a dream job: they don’t actually have to do anything, just tell their clients to “think.” Oh, and fill out a few FMEAs.

But the result will be an increase in product safety issues, a reduction in process effectiveness, and a massive increase in ISO 9001 certificates being issued to companies that are ticking time bombs, since they will have no formal preventive action system in place. Consider the Takata airbag scenario: under ISO 9001:2008, the company should have been cited for not using data to generate preventive action measures; under ISO  9001:2015, the company gets a free pass just by saying, “well, we hadn’t thought about that risk.” And there’s nothing the CB can do about it now.

Ultimately, this low information state comes from the fact that ISO standards are developed by the private sector, through a perverse model that calls on “volunteers” to spend thousands of dollars traveling all over the world to create documents that ISO then publishes, keeping all the profits for themselves. As a result, the only “volunteers” ISO can attract are funded interests (CB reps) and private consultants, seeking to use their TC 176 credential to later line their pockets. Paying for travel expenses to go to a million ISO conferences is an investment that is later paid off by the unending book deals, speaker fees, and overnight boost to their private consultancies. This means ISO cannot attract actual, working experts to write standards like ISO 9001, because actual working experts are busy… well, working as experts. Oh, the mouthpieces of TC 176 try to sound like they are on the front lines of Sokovia working as Doctors Without Borders, but no one takes that seriously.

So given that the authors themselves suffer from a low information state, it’s no wonder they would produce a rushed, hackjob based on “gut feelings” and not facts, and then spend the bulk of their time marketing the thing, rather than providing evidence that it works through studies, data or science. And, of course, since no one holds them accountable, it all goes on as ever.

The solution is dramatic: international standards bodies, such as NIST in the US, must file a formal series of complaints against ISO as a whole, alleging violations of WTO regulations that exist to ensure ISO standards are developed by actual consensus, and do not present a barrier to free trade. If that sounds like a leap, it’s not. The complaint must force ISO to withdraw ISO 9001:2015 and start over, with a standard that includes concepts drawn from industry, devoid of the corrupt abuse by cronies and private consultants.

Is that likely to happen? No, but with the growing focus on the relationship between ISO and the various international product scandals, such as Takata, more and more consideration is likely to be given to the idea. What’s more likely to happen is that ISO will lose its place as the world’s standard body entirely, to be replaced by a host of competitors.