(UPDATE: See below.)
There’s a fascinating debate going on over at LinkedIn, in the ISO 31000 forum. Here’s the link, although I suggest you scroll through to the end and work backwards, because the back-and-forth between risk advocate Peter Blokland, myself and ISO 9001 author David Hoyle is one for the books.
What started out as a simple question (how can ISO 9001:2015 require identification of risks, but not risk management?) has morphed into a full-on debate over the origins and validity of risk management. I am working on a series of articles on these subjects, so won’t go into it here, but so far I’ve maintained that risk management — as presented by ISO, anyway — is taking on the characteristics of a pseudoscience, like astrology or homeopathy. Its adherents are unable to produce any solid data or evidence that it works, and instead seem to rely on fear (the “doing nothing increases risk” argument) or after-the-fact claims of victory (“xyz was accomplished because of robust risk management”) — both without any evidence.
I’ve likened this to a tent preacher insisting to his church that snake handling is just fine, if you have the right amount of faith. No matter what you do, if you get bit, it’s your fault… never the preacher’s.
As if to prove my point, Mr. Blokland offered the following. When I asked to see data on risk management’s abilities, he responded:
What is it that makes quality practitioners so afraid of the ISO 31000 definition of risk that they want to fight it all the way. This discussion has been covered already many times. We live in the 21st century now. Things change. People learn.
It is difficult to share insights if others keep their eyes closed.
I responded by saying that this is because “quality practitioners rely on data.” I’ve invited risk managers to provide a single, repeatable, independent experiment which would show that “XYZ did not happen because of ABC risk management efforts.”
No one has been able to provide one yet, but instead Mr. Blokland merely claimed,
The hard data are in each decision you take. When you know you’ve made a good decision, it’s because you maximised the benefits and kept the cost to a minimum.
In other words, risk management is like pornography. You can’t prove it, but you know it when you see it.
Sorry, but for skeptics like myself that rely on objective data and science, that’s just not enough.
UPDATE: Feb 25, 2014: That didn’t last long. The notoriously oversensitive folks at G31000 and the ISO 31000 LinkedIn forum didn’t take kindly to discussions of risk management, especially the parts where I asked for data or questioned the consensus process that led to the development of ISO 31000, or the Annex SL inclusion of risk. First I was asked to cut and paste my posts into a different discussion (here’s a clue, dummies: you can’t CUT on a LinkedIn forum, since the posts are permanent after 15 minutes), and because I didn’t answer in time (I was busy taking care of a literal car crash), they shoved me into moderation.
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years’ experience implementing ISO 9001 and AS9100 systems, and helps establish certification and accreditation bodies with the ISO 17000 series. He is a vocal advocate for the development and use of standards from the point of view of actual users. He is the writer and artist of THE AUDITOR comic strip, and is currently writing the DR. CUBA pulp novel series. Visit www.drcuba.world