This is Part 1 of Oxebridge’s exclusive report on the origins of risk management in ISO standards. See links at bottom for other parts, as they are published.

For standards nerds who love a good treasure hunt, the origins of ISO’s sudden love affair with risk management are a confusing mystery. ISO’s talking points on “risk based thinking” for the upcoming ISO 9001 standard are murky, its release of ISO 31000 has been met with a mix of “meh” and “WTF?”, and — thanks to the reporting right here on Oxebridge — we have now discovered that ISO has 40 separate definitions of the word “risk” and is internally frustrated by this mess. Admits Katie Bird, ISO’s Marketing head:

… regarding the multiple definitions for risk – it is a valid point. Sometimes multiple definitions of concepts are needed, due to the very different sectors and contexts in which they are applied. However, it is obvious we need to avoid unnecessary proliferation of definitions, as they may lead to confusion.

What has happened within ISO is a near usurpation of the standards development process by risk management professionals who, until recent years, had previously never had much interest in ISO standards. Risk management pros are now controlling the work done by quality professionals, environmental professionals, product certification experts and nearly every other industry group represented by ISO standards. ISO has not just given them the keys to the kingdom, but the entire kingdom of keys, too.

It wasn’t like this originally. In fact, until very recently, there were nearly no risk professionals walking the halls of ISO, and that not only created a problem with ISO’s understanding of risk, it created an environment ripe for takeover. For example, the lack of ISO participation by international risk groups such as RIMS, RMA and IRM led to nearly 140 different standards which mention risk, but which don’t align with one another and don’t necessarily match any industry understanding of risk. Without healthy representation by risk managers, this produced those 40 different definitions of the word “risk,” which at times contradict one another. This chaos then enabled the vanguard scouts of the risk invasion forces to take hold, proclaiming their expertise over all others. Without any other risk managers present, there was no one there to challenge their authority, and ISO fell under the power of a tiny subset of risk professionals.

So ISO had a sudden awakening to risk, and is now demanding the concept be included in every ISO management system standard that exists, from this day forward, until infinity. It did so through its “Annex SL” mandate, a document prepared not by ISO Technical Committees, with their international representative member structure, but instead by the bureaucratic administration body known as the ISO Technical Management Board (TMB), which rules over all the TCs. Official TMB Resolutions, including Resolution 18, demand that all TCs adopt a “high level structure” as defined in the document “ISO/IEC Directives Part 1 – Consolidated ISO Supplement – Procedures specific to ISO”; Annex SL of that document describes the structure, which is where it gets its name. But the ISO TMB is answerable to nearly no one, and is not required to obtain international consensus for its mandates. So the version of risk you see falling into all the new ISO standards is not the product of ISO’s own rules on content development through consensus, but of decree from on high.

Of course, at about the same time as Annex SL (more or less), ISO has trotted out its risk management standard ISO 31000 to great fanfare, going so far as to utilize dubious, unaccredited certificate mills like G31000 to help promote it.

Spock Yells “Khannnn!” and Greedo Shoots First

Worsening matters, ISO’s talking heads are trying to make it seem as if risk has been there all along, in some strange attempt to retcon the past, like a weird Star Trek-meets-Doctor Who sci-fi movie plot. But anyone with an attention span lasting more than the length of an episode of Lost knows this isn’t true.

Just looking at ISO 9001, for example, we can go back all the way to its source code, that of the US Department of Defense’s standard MIL-Q-9858. That standard, which provided the basis for what BSI would later convert to BS9000 and BS 5750, makes no mention of risk. The BSI standards likewise do not address it, even as they added more contemporary “systems controls” like corrective and preventive action. When ISO 9001:1987 came on the scene, it was a near cut and paste of the BS standard, and so risk remained out of scope.

So out of scope, in fact, that sector specific standards like QS9000 (for automotive) and AS9100 (for aerospace) had to add specific risk management requirements into their variants to address it. One would think this is evidence enough that risk hadn’t been included.

So where did this sudden love affair with risk come from?

The Wizards of Oz

It’s taken a lot of digging — a lot — but it appears that the infection process started with Australia.

In 1993, a joint committee was formed between the national standards body of Australia and its counterpart in New Zealand. The resulting work product was the risk management standard called AS/NZS 4360. I spoke with Kevin Knight, the Australian who would later become the senior architect of ISO’s risk strategy and 31000 standard, about these early days.

In the case of 4360 the process started in 1992 when a Standards Australia questionnaire was submitted on behalf of the Association of Risk & Insurance Managers of Australasia (ARIMA).  This led to the distribution of a further questionnaire to a wide range of industry and professional organisations to determine both need and interest.  Satisfied of the need and the availability of a representative range of potential members, Standards Australia and Standards New Zealand established a Joint Technical Committee composed of individuals representing industry, professional and government organizations.

Knight, while working with ARIMA, had answered the 1992 questionnaire, which put his name in front of some folks at Standards Australia. He was then invited to participate in the Joint Technical Committee.

About 25 organizations participated along with Knight’s ARIMA, including the Financial Services Institute of Australasia, Institution of Professional Engineers of New Zealand, Minerals Council of Australia, and the Law Society of New South Wales. On paper, it looks to be a comprehensive list of participants, with representatives from finance, insurance, engineering, mining and other sectors.

On paper. Despite what we will see as Mr. Knight’s gushing praise of the process, actual physical attendance was low, with “participation of 20 or more members.” If one does the math, it’s easy to decipher that some organizations may have lent their names to the group but didn’t bother to physically send anyone to meetings at all. Knight didn’t have a good explanation for this, explaining it away as, “maybe this was because the various members of the JTC had done a reasonable effort in sounding out their constituents.”

Maybe. Maybe not.

Knight continues:

The Committee first gathered all available information. All submissions and documents were copied and supplied to the members. After several drafts, the Committee produced one for public comment. To ensure maximum exposure the representative organizations were asked to encourage responses from their membership, advertisements were placed in the daily press seeking input from the general public, and copies were supplied to all member organizations of the International Federation of Risk and Insurance Management Associations (IFRIMA). A total of 326 specific comments were received from 55 individuals and/or organisations. Each was addressed by the Committee, in many cases resulting in changes to the draft. The final document received unanimous approval and was published in November 1995.

The strength of this time consuming and occasionally frustrating process was a final document seen as the product of discipline practitioners, who voluntarily accepted it as “best practice.”

This raised some questions, however. Could it really be called a “product of discipline practitioners” and a multinational “best practices” document if only 55 people commented? If so much effort had been taken, as Knight says, including ads in newspapers and polls of industry participants, why did only 55 people respond? Why was this deemed an acceptable sampling? Remember, we are talking about two massive countries with a combined population (at that time) of nearly 25 million.

If this convenient spin sounds familiar, it’s because it’s nearly identical to that routinely used by ISO when boasting of its ISO 9001 user base of “more than 1 million companies,” which nevertheless represents a nearly insignificant statistical data point, when compared to the total number of potential user organizations on the planet (estimated by some sources to be as high as 2 billion.) The synergy between the thinking processes of Knight and ISO will become important later on, so put a pin in it.

When pressed on the point of poor participation, Knight punted:

I think when we talk of 4360 we really should focus on 4360:2004 as that edition really represents the inputs from a wide range of users over 10 years.

OK, let’s.

To be continued in Part 2: The Millennium Bug.
