Risk management consultants represent one of the only professions that spectacularly fails with absolute consistency, and then uses those failures to convince you to buy more of their services. If Einstein’s definition of insanity still holds, then it’s time to put risk management experts on the trash heap where they belong, and cut off their growing influence in the standards industry, if not entirely.

Let’s be real clear: risk management consultants totally didn’t see the coronavirus pandemic coming, and they did absolutely nothing to prepare their clients for its disastrous effects. Barely a single company on the entire planet was prepared. Now, the best some can hope for is that they can cobble together scraps from existing business continuity plans, along with some ad hoc, last minute innovations, to come up with a survival tactic. “Work from home!” and “move our services online!” were not ideas they planned for, but are forced to do now… after the fact.

But now the international cartel of risk management charlatans is trying to sell us on the fact that they alone can save us. If we just give them one more chance, they will regurgitate the same failed techniques and ideas and somehow magically ensure that this time — for realz! — they will work.

Umm, no they won’t.

Post-Game Analysis

Risk management consultants are claiming, without any evidence, that they prepared their clients for the pandemic. They’re lying, and there’s an easy way to test it.

I pushed a scenario at them which requires them to look forward, not backward. I asked a sampling of so-called risk management “thought leaders” if they had discussed the very real risk of coronavirus going airborne, for example. It’s an actual risk that no one is talking about, because either everyone is terrified of the consequence, or they are only capable of reflecting on past events, not actually mitigating future ones.

Right now, the novel coronavirus is only airborne as an aerosol, where droplets expelled during coughs or sneezes can travel limited distances; thus, the “social distancing” rules now being implemented by thoughtful countries. But viruses mutate. If coronavirus were to cross species (again) and infect birds, the transmission rate would be phenomenal. If the virus were to mutate and allow for itself to be carried on smaller particles in the air, and not just sneezejuice, you’d again have worldwide transmission that no amount of social distancing could correct.

Not a single risk management expert had thought of this, and so that means they have not developed mitigation plans for their clients. They claim to have done so for the past event — which no one can prove anyway — but when tested against a possible future event, their failures were exposed.

Moebius Strip Show

Over on LinkedIn, I challenged one such risk management “thought leader” to give a concrete example of how he prepared clients for an event similar to the pandemic. Here’s how that exchange went:

CHRIS PARIS: Here’s a challenge. Throw out a short case history of one of your clients who you prepared for this type of event before it happened, and let us know how that advice is helping them right now, during the event itself. I don’t expect you to have predicted the COVID-19 virus specifically, but certainly you must have prepped someone for a pandemic at some point in your career, and that advice is paying off now in some manner.

RISK MANAGEMENT GURU: Sure. We developed a crisis communication process that would fit any event like this.

CHRIS PARIS: That’s not an answer.

RISK MANAGEMENT GURU: Of course it is.


You can never get a straight answer, with any demonstrable evidence, from these people. It’s always smoke and mirrors, obfuscation and generalities. They can’t give examples because they don’t have any.

Leave The Swans Out of This

The excuse trotted out by many risk management experts is that the coronavirus pandemic was a “black swan” event, something that no one could have predicted. This is convenient, since it excuses risk management consultants’ failures. In fact, the virus was not a black swan, but instead a “grey rhino,” or “a highly probable but neglected threat that can have an enormous impact.” But labeling it as a grey rhino puts the responsibility back in the hands of RM experts, so they can’t have that get out.

The “black swan” label is inherently dangerous, too. Per the Washington Post:

An obsession with the “unforeseeable” black swan metaphor has promoted a mentality that led us straight into the mess we’re in now: a sense of helplessness in the face of daunting threats and a sucker’s mentality that encourages people to keep throwing good money after bad. And the facile willingness to see crises as black swans has provided policymakers cover for failing to act in the face of clear and present dangers from climate change to health care to economic insecurity. This accountability vacuum has pervaded U.S. policy on financial risk and on the pandemic.

Keep in mind, the risk management experts have infected the highest offices in ISO. International standards are now mandated, under ISO rules, to include elements of risk management in their text, whether it makes sense to do so or not. Meanwhile, these so-called risk management experts can’t even come up with a standardized definition of the word “risk,” and attempts to standardize “risk management” into a universal discipline that can be used equally in all industries and professions have largely failed. Prior negotiations between these A-type personalities on the ISO 31000 development committee led to shouting matches during official sessions, where the members threatened to sue each other. Now the ISO Technical Management Board has had to admit that it couldn’t come to consensus on updating the definition of “risk” featured in Annex L, either, so they just gave up.

But ISO continues to push for “risk,” seeing the word as something sexy, something that will push paper.

Meanwhile, in the real world, ISO’s risk approaches — along with those of its next sexy buzzword, “resilience” — have failed utterly.

We should be rejecting these approaches. FMEA, SWOT, 5 x 5 charts, risk priority numbers are all bullshit. They rely on people making guesses, assigning numbers to those guesses, and then calling it “math” or “science” afterward. Yet it routinely fails, because guesses are not science. You may as well be assigning a likelihood and consequence rating to a daydream or a wisp of smoke.

No More Bone Throwing

Risk management evolved — literally — from ancient divination techniques such as throwing bones, reading tea leaves and consulting mystic oracles. Slowly, over millennia, it turned into our current state, where we apply math to the guesses, rather than rely on gravity (for bones) or chance (for tea leaves). But it’s still nearly the same thing.

Some industries use data-driven risk ranking and mitigation. Pharmaceutical risks are based on clinical trials, with objective hard numbers that (hopefully) remove all guesswork. Even that can get corrupted by financial interests, but at least it’s better than outright guesswork.

ISO and the risk management profession as a whole — including the Institute for Risk Management (IRM) and the Risk Management Society (RIMS) — have utterly and completely failed. They didn’t see coronavirus coming, and they didn’t prepare anyone for it. Hell, they are barely managing the effects of the virus on their own operations, even as they ramp up their marketing by invoking the virus, like ghouls at a funeral.

(It took RIMS until March 16th to cancel their 2020 event! They still have not cancelled a November event, apparently “predicting” that society will be back to normal by then. We’ll see. IRM, meanwhile, is just plowing ahead and continuing in-person events because fuck you and your pneumonia. Ditto for the plagiarist Alex Dali and his G31000 risk management certification group, which continues to hold in-person events, potentially infecting everyone who attends with both coronavirus and his bullshit.)

Oracles and tarot card readings rely on the subject yielding logic to the authority of a person who claims, without any evidence and despite reality, to have magical powers. Today’s risk management consultants are the same thing; they claim magical powers for themselves that routinely fail, and then demand you buy more of their services afterward. Treading in the waters of myth and psychic belief, you can’t prove or disprove anything with them, so they flourish despite their obvious and stunning failures.

These should be the last people we listen to now that this pandemic is upon us.

Instead, we should be developing meaningful, data-driven, evidence-based risk prediction and mitigation models, and telling these so-called “thought leaders” to GTFU already.



