The so-called professionals are declaring that the upcoming ISO 9001 revision’s New Age, beaded-curtain fabrication called “risk based thinking” is actually full-blown risk management, even as TC 176 scrambles to get them to stop saying this.

RBT was invented as a concession to the ISO Technical Management Board, which demanded the new 9001:2015 standard include some form of risk, whether TC 176 wanted it or not. In order to comply, the TC invented a thing called “risk based thinking” which simultaneously satisfied the TMB while trying to address previous weaknesses in the language on preventive action. (For a more detailed primer on the origin of “RBT,” click here.) RBT has never before existed in any risk management profession or body of knowledge, and has been derided by many professional, published risk management experts as a complete joke.

The intent was to create “risk lite,” something flexible enough to fit a giant global corporation that might implement ERM (enterprise risk management) along the lines of COSO or some other established standard, as well as the tiny 5-man machine shop that might not have ever heard the word “risk” before. It was an admirable goal, but the execution has proven disastrous.

TC 176 attempted to clear up their scented-candle, Om-gong meditative process by publishing a few official documents on RBT, and openly stating that no, risk based thinking does not require full-blown risk management. But the result comes off as a manifesto written by a stoned 60’s hippie, which probably made sense to the author but doesn’t quite work for anyone in the sober world. Their reliance on inane “real-world” metaphors (that goddamn footbridge story insults the entire planet’s intelligence in one swipe) and lack of firm requirements has left RBT an open vessel, ready to be filled with whatever crap the usual suspects can spew.

And spew they have.

Release the Hounds

Larry Whittington recently published a newsletter on RBT in which he, too, declares RBT is risk management, and then goes on to lay out the standard FMEA-style risk assessment, which requires one to assign a likelihood factor and multiply it by a consequence factor to come up with a magical number that will solve all your problems. Nowhere does Whittington clarify that this is just his opinion on how to approach RBT, nor that it contradicts what TC 176 has said about it. A casual reader will, in fact, understand this as a requirement. Of course, he’s selling courses on this approach, complete with FMEA-style handouts, so admitting that RBT doesn’t actually require any of this would hurt his bottom line.

(When I confronted Larry about this, he merely changed the title of his article, but hasn’t changed a word in his training presentations or marketing.)


From the Whittington training materials. Not a single thing here is an actual requirement, and it actually contradicts official TC 176 opinion.

Over at Scott Paton’s website InsideStandards, which also publishes Whittington’s stuff, Lance Coleman wrote a piece on RBT also declaring (wrongly) that it is “risk management” not just once, but fifteen times. Editor Paton never seemed to notice.


From the InsideStandards piece by Lance Coleman; even the graphic is wrong.

Not to be left out whenever gross misreporting is going on, Quality Digest gets its spin machine rolling in an article written by Intertek’s Paula Oddy and Jeff Eves, which declares the new ISO 9001 draft is “proof that quality management and risk management can no longer be considered separate issues for your organization.” Waiter, I’ll have what they’re drinking.

The ever-spamming CERM Academy founder Greg Hutchins is insisting, also falsely, that ISO has adopted risk-based thinking for all its management standards, when of course it hasn’t; RBT only applies to 9001. Nevertheless, Hutchins (who only refers to himself in the plural, “we”) has refused to correct this misinformation even after being confronted with it multiple times. He is using his distortion of ISO’s risk-based thinking to sell “Certified Risk Manager” certificates to anyone stupid enough to believe they mean anything. Not only that, Hutchins falls just short of claiming he invented risk-based thinking, saying he started “the journey” of RBT over a decade ago, even though he had no role in TC 176 nor in the development of ISO 9001, and nobody on the committee knows who he is.

Michael Shuff at Cognidox claims “among the key changes … in the ISO 9001:2015 quality management system standard, and available to read in the Draft International Standard (DIS) published in May 2014, are… the focus on risk management.”

The registrars, who have a lot to gain by selling risk management training courses and (soon) organizational risk management certifications, are in on the game, too, natch. SGS just opens the fountain of nonsense by selling a course that claims you can develop a full-blown “risk management system (RMS) based on the principles of ISO 9001.” As I mentioned above, Intertek is busy spreading the same stuff, but using their “content partner” Quality Digest as their platform. BSI admits that, no, ISO 9001 doesn’t require risk management, but then goes on to lie and tell you why you need to take their risk management training anyway:

While the new structure for these updated standards does not mandate a specific risk methodology, regulators and other third-party auditors require evidence of the logic behind an organization’s decision process. Therefore, risk-based thinking begins to require a more formal and organized approach.


The Fallout

So what’s the impact of this mess? Other than, of course, an entire industry filling the vacuum left by TC 176 with misinformation? There are multiple problems that will affect real ISO 9001 end users and cost them real dollars, problems about which the spreaders of this junk simply don’t care.

First, the imposition of a single method of risk management — which, by the looks of it, will be FMEA — doesn’t allow for the flexibility originally envisioned by TC 176. In fact, it contradicts it, and risks strangling smaller companies who don’t have the resources to do this kind of thing.

Next, no two sources of this misinformation agree on specifically how RBT is equal to risk management, even as each one of them insists they are the most reliable subject matter expert. So an end user may adopt the approach of one source (probably a trainer, consultant or registrar) only to find their CB auditor — who was trained by some other source — disagrees. Now we have conflict over what is a bogus nonconformity to begin with.

Next, most of the methods being proposed (such as, again, FMEA) are grossly inadequate to begin with. They multiply ordinal rankings as though they were measured quantities, so they are mathematically flawed, junk-science magic tricks that result in nearly no reliable data with which management can work, and, in the worst cases, actually provide erroneous information, which can lead companies to chase nonsensical risks while ignoring the more critical ones.
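To make the ordinal-scale objection concrete, here is a small Python demonstration. It is added to this post and is not taken from any of the trainers, registrars or documents named above; the four failure modes and their scores are constructed for illustration, and the arithmetic is the common 1..10 FMEA Risk Priority Number, RPN = severity x occurrence x detection. It shows three properties of that arithmetic: a catastrophic-but-rare item ties with a trivial-but-frequent one, the product can only take 120 of the 1000 values between 1 and 1000, and a ranking flips when the severity scale is relabelled without changing the order of a single severity.

```python
"""Constructed demonstration of why multiplying ordinal risk ranks is shaky.

RPN = severity * occurrence * detection, each an ordinal rank 1..10 (FMEA style).
The failure modes below are made up for this example, not taken from any source.
"""
from itertools import product

# Constructed sample: (name, severity, occurrence, detection), all on 1..10 scales.
FAILURE_MODES = [
    ("Auth bypass on admin endpoint", 10, 1, 1),  # catastrophic, rare, easy to spot
    ("Typo in a UI tooltip",           2, 5, 1),  # trivial, frequent
    ("Unpatched library, known CVE",   9, 3, 1),
    ("Intermittent report timeout",    5, 6, 1),
]


def rpn(severity, occurrence, detection):
    """Classic FMEA Risk Priority Number: the product of three ordinal ranks."""
    return severity * occurrence * detection


def distinct_rpn_count(scale_max=10):
    """Count the distinct values S*O*D can actually take on a 1..scale_max scale.

    With 1..10 ranks there are 1000 combinations but only 120 distinct products,
    so most RPN 'scores' are unreachable and many different situations collide."""
    return len({s * o * d for s, o, d in product(range(1, scale_max + 1), repeat=3)})


def rpn_ties(modes):
    """Map each RPN value to the failure modes that share it.

    Tied modes cannot be prioritised against each other even when one is a
    catastrophic security hole and the other is cosmetic."""
    groups = {}
    for name, s, o, d in modes:
        groups.setdefault(rpn(s, o, d), []).append(name)
    return {score: names for score, names in groups.items() if len(names) > 1}


def rank(modes, severity_relabel=lambda s: s):
    """Rank failure modes by RPN, highest first.

    severity_relabel is any strictly increasing map applied to the severity rank.
    An ordinal scale only carries *order*, so a monotone relabel (e.g. s -> s**2)
    describes exactly the same severities; if the ranking changes, the RPN was
    reporting an artefact of the arbitrary numbering, not a property of the risks."""
    scored = [(rpn(severity_relabel(s), o, d), name) for name, s, o, d in modes]
    return [name for _, name in sorted(scored, reverse=True)]


if __name__ == "__main__":
    print("distinct RPN values on 1..10 scales:", distinct_rpn_count())
    print("ties:", rpn_ties(FAILURE_MODES))
    print("ranking, severity as given:   ", rank(FAILURE_MODES))
    print("ranking, severity relabelled: ", rank(FAILURE_MODES, lambda s: s ** 2))
```

With the scores as given, the "Intermittent report timeout" (5 x 6) outranks the "Unpatched library, known CVE" (9 x 3); squaring every severity rank, which preserves the order of all ten severity levels, puts the CVE on top instead. Nothing about the risks changed, only the labels, which is the point: a number built this way tells management very little that the raw rankings did not already say, and can say it wrongly.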

Finally, the costs of all these activities can mount quickly. Training, execution and then the ultimate repairs when the whole thing fails to work, will cost companies a bundle, thus increasing ISO 9001’s poor reputation for lousy ROI, and further alienating potential users.

If, instead, those claiming to know this stuff admitted that, no, risk-based thinking doesn’t require full blown risk management, we would be off to a good start. Instead, such experts should be presenting a flexible, scaled idea of what companies might do to comply, and offer it as a suggestion, not imply that it is a single means to meet an imaginary requirement.

Meanwhile, TC 176 can’t seem to get its act together, is denying there’s a problem, and insists on telling us it’s all about a footbridge.
