Last update April 5, 2016. This document undergoes periodic updating as new information comes in.

NOTE: Two ISO Guides are discussed here — Guide 73 (on risk terminology) and Guide 83 (on the high level structure.) It’s easy to get them confused, but it’s important to distinguish them. Try to keep that in mind when reading.

1994: Australia and New Zealand publish AS/NZS 4360 on Risk Management, the first serious attempt at a cross-national standard on the subject. It’s received well by Japan and Canada, and soon after receives some support from other nations. The top Australian contributor is Kevin Knight. The Japanese contributor appears to be one Dr. Okamoto, but this is not confirmed, and Dr. Okamoto is refusing to speak about it.

1998: The ISO Technical Management Board (TMB — the administrative body that governs the work of the ISO Technical Committees) begins considering a standard on risk management terminology, urged by Japan. Again, this appears to have been Okamoto, but is unconfirmed.

1998: Japan, along with Canada and Australia, forms a Working Group to devise the terminology standard. The same individuals from the Australian standard are involved, and begin pushing for AS/NZS to be used. Japan is granted the secretariat, and Kevin Knight is made convenor of the Working Group.

1999: An IEC advisory body on product safety balks at the Australian language, as it contradicts common risk approaches on product safety. This is the first indicator that the Australian approach is not, in fact, universally palatable. Negotiations to placate the IEC body continue.

2002: The IEC either ignores its safety body, or pushes ahead without its agreement, and the ISO/IEC Guide 73 document is published. Again, it is only on risk management terminology, and not on risk management itself.

2004: Australia and New Zealand issue an updated version of AS/NZS 4360. Kevin Knight approaches his contacts in the ISO TMB to have the updated 4360 standard adopted as an official, international ISO standard on Risk Management.

2004?: ISO agrees to begin work on an international risk management standard, and forms the initial working group. It does not call for the formation of a Technical Committee, but rather begins working on the standard itself, and so the standard is not subject to the normal rules of consensus that govern TC-written standards. Kevin Knight is given the leadership position of the Working Group.

2006: The TMB establishes the Joint Technical Coordination Group (JTCG) to “coordinate the development of ISO management system standards with a view to enhancing their consistency and alignment.” The JTCG begins work on ISO Guide 83, which will govern the “high level structure” of all ISO management system standards. Somehow, Kevin Knight and his Japanese counterpart are involved in this as well, and Guide 83 adopts language from the risk standards on “risk and opportunity” as well as “context of the organization.”

2009: ISO updates Guide 73 on risk terminology, under Kevin Knight again. This time the IEC’s product safety group balks to such an extent, the IEC is forced to reject the standard. ISO publishes it anyway, this time merely as “ISO Guide 73:2009” rather than as an “ISO/IEC Guide.”

2009: This part is murky. Cracks within the ISO working group on risk management begin to form, as Kevin Knight loses some authority. While Knight is still chairman, a BSI delegate takes over as secretary, and works behind the scenes to further BSI’s agenda. Knight becomes more and more ineffective. This is no better illustrated than when a Chinese delegate alters the definition of “risk” in ISO 31000, against the wishes of Kevin Knight, who wanted the definition to be closer to that of the Australian standard. Working Group members indicate the change was made after voting had already happened, but ISO TMB does not enforce the rules, and the BSI secretary kept the change from Knight until it was too late. This is evidence that the definition of risk was not even agreed upon by the ISO 31000 authors themselves.

2009: The ISO TMB publishes ISO 31000 on risk management. It is not subject to the full voting of TC members, since it was not created by a Technical Committee.

2010: Dr. Nigel Croft is elected Chair of TC 176 SC2, the body responsible for development of ISO 9001:2015. He struggles to form a hierarchy of ISO 9001 certification levels [link now dead], based on the risks suppliers pose to the supply chain; critics shoot this down as a return to the ISO 9001/9002/9003 days, but the concept of “basing ISO 9001 on risk” begins to germinate.

2010: ISO conducts a User Survey which reveals that “risk management” was not overwhelmingly requested by users to be included in the next edition of ISO 9001. In fact, risk management was in fifth place of most-wanted additions to 9001. This mirrors the results of the earlier User Survey conducted prior to the release of ISO 9001:2008.

2011: ISO TMB cancels Guide 83 “high level structure” as an ISO Guidance document. Different ISO players give four different reasons for the cancellation: (1) that while Guide 83 received enough votes to proceed to publication, it was seen as too controversial and scrapped; (2) that the vote was a procedural “gut-check” to gauge opinion, and nothing more; (3) that the voting was corrupted, and the results suspect; (4) that Guide 83 was never intended for publication in the first place, but that ISO infrastructure, specifically its online document management system, required the work be formed around a Guide, simply to structure the development activities. Regardless of the reason, rather than modify Guide 83, the ISO TMB scrapped the project entirely.

2011: ISO places the text of the scrapped Guide 83 into an obscure procedural document, not subject to any voting, called ISO/IEC Directives, Part 1: Consolidated ISO Supplement – Procedures specific to ISO, Second edition. It places the text in an Appendix to Annex SL; references to this thus become known simply as “Annex SL.”

2011: ISO TMB alerts key Technical Committees, including TC 176 for ISO 9001, that Annex SL will be mandatory for all future ISO management system standards.

2011: ISO forms Technical Committee 262 on Risk Management. Kevin Knight maintains his position from the working group, as TC Chairman.

2011: In March 2011, US TAG to TC 176 representative Lorri Hunt gives a $1,000-a-head speech on “Dramatic Changes to ISO 9001” even as ISO issues a statement on its website that same week that the process has only just started, and requirements had yet to be written. The Hunt speech covers the High Level Structure requirements, proving that TC 176 had already been advised to comply with the TMB mandate. Despite the ISO User Survey not even having been released yet, and no requirements allegedly written by TC 176, the Hunt presentation nevertheless promises “How to incorporate new tools & techniques into your existing QMS.” The presentation’s marketing misleads readers into thinking the new requirements are the result of “consensus.” US TAG officials, including Chair Alka Jarvis, refuse to answer any questions on the subject for the next five years.

2011: Within TC 176, conflict arises over the mandate that they will have to adopt HLS language, specifically on risk. Calls to simply refer to ISO 31000 on risk management are rejected. Separate concerns are had over “preventive action” which the TC 176 members do not feel has been properly defined. No one can come up with improved language on preventive action, however, so WG Chair Nigel Croft finds a compromise. He combines the issues into something called “risk based thinking” which would delete the language of preventive action (thus eliminating the requirement to rephrase it) while addressing the TMB mandate to include risk. The term appears to have carried over from Croft’s previous attempts to create a tiered certification scheme, based on risk. Outside of TC 176, “RBT” is not based on any known risk management approach, and no professional risk managers were involved in its development.

2011-2013: ISO takes the full text of the failed ISO Guide 83 “high level structure” and inserts it into the mandatory procedural document “ISO Consolidated Supplement” which is “the complete set of procedural rules to be followed by ISO committees.” This bypasses any voting on the HLS, and imposes its content as mandatory for any ISO Technical Committee responsible for a management system standard, regardless of consensus voting by TC members.

2012: Working Draft of ISO 9001:2015 is released, and includes the HLS language mandated by the TMB. TC 176 members insist the changes are the result of user feedback, and make no mention of the TMB mandate. They continue the myth that the content could be altered, when TMB rules say otherwise.

2012: Feedback from automotive and aerospace industries is negative, particularly on the imposition of the HLS language, and the notion of “positive risk.” Early threats from the industries to “decouple” from ISO are launched.

2012: TC 262 Secretary — and BSI representative — Mick Maghar issues an internal memo requiring that the next edition of ISO 31000 remove the language which suggests the standard cannot be used for certification purposes, thereby raising questions as to whether BSI intends to offer ISO 31000 system certification.

2013: US TAG to TC 176 member Denise Robitaille writes an article for Quality Digest which claims that risk management was included in ISO 9001 as one of “the most commonly received comments from the extensive survey that SC 2 sent to ISO users.” As indicated, this is factually untrue. The Robitaille article makes no mention of the TMB mandate to include risk, but repeats the ISO talking point that “technical experts explored the significant global changes and evolving concepts vis-à-vis the standard to decide which ones might be relevant to any future revisions. Some of the concepts that were discussed included … risk management.” Quality Digest does not respond when asked for a clarification on how this mistruth was published.

2013: Oxebridge issues “Public Call for a Temporary Pause in the Development of ISO 9001:2015” to better assess user and stakeholder feedback, particularly as it pertains to risk language and the HLS. TC 176 Chair Dr. Gary Cort issues rebuttal. ISO rejects the request, and launches a lawsuit threat against Oxebridge, using “trademark bullying” tactics. ISO demands Oxebridge immediately cease operations, and reimburse it for everything it ever earned over a 25 year history. Oxebridge lawyers deflect the charges and no lawsuit results.

2013: DIS of ISO 9001:2015 is released. TC 176 adds a note under the definition of risk, contradicting the TMB language that risk may be positive, and indicating that it is usually negative. The two notes contradict each other, but this is as much as TC 176 is allowed to change. TC 176 alters the definition of risk by adding words, since it was disallowed from removing words.

2013: Insiders within TC 262 on risk management are furious at the ISO 9001 language proposed by TC 176, which changes their definition of risk once again, and appears to reject “positive risk.” Relations between TC 262 and TC 176 are strained.

2013: TC 176 Chairman Gary Cort steps down. He later indicates the work was “more political” than he expected.

2013: Oxebridge coins the abbreviation “RBT” and it immediately sticks, although it was likely inevitable.

2013: ISO issues an “official” slide presentation on Risk Based Thinking. It is only 13 slides long, including covers and section breaks, and does not provide details. The last slide indicates, “additional updates and information will be made available as the revision process proceeds,” but over a year later, the presentation has not been updated.

2014: ISO 31000 training organization “G31000” founder Alex Dali accuses Oxebridge of “spreading false information” for saying that ISO 31000 was written by the ISO TMB, and not by a TC. This results in the discovery that Dali had plagiarized documents on risk management, and was using a fake woman’s account on LinkedIn to promote his unaccredited training courses. Oxebridge reports on these findings, and despite overwhelming evidence, Dali and associate Allen Gluck — a member of the US TAG to TC 176 — file a lawsuit against Oxebridge in New York state on grounds of libel. The case is thrown out of court, and later Gluck and Dali split. Gluck forms his own US-based competing group, ERM31000.

2014: Oxebridge confronts BSI and ISO on the Maghar memo. Representatives of ISO and ANSI tangle with Oxebridge, claiming that nothing is amiss, and insisting that ISO 31000 is not intended for certification. Kevin Knight says certification to ISO 31000 would not even be possible. Eventually, ANSI’s Steve Cornish admits the Maghar memo was incorrect, and says a correction will be published. No such correction is ever made, and Cornish later says it’s not worth doing because so much time has passed.

2014: Kevin Knight attends a G31000 speaking event which openly discusses ISO 31000 system certification. When questioned how this contradicts his earlier statement, Knight insists he knows nothing about the event having discussed certification, despite the official G31000 agenda, and subsequent pieces, indicating this was a key topic, and another saying that Knight spoke on the subject.

2014: The International Labor Organization raises concerns over ISO 31000’s definition of risk.

2014: Based on a flood of comments to the DIS of ISO 9001, some discussions go on within TC 176 to request ISO extend the publishing deadline for ISO 9001. It is not clear whether ISO rejects this outright, or if TC 176 never seriously pushed for an extension, but the extension does not materialize. TC 176 is pressured to complete the standard, as agreed, according to the deadline.

2014: TC 262 begins work on a new Working Draft of ISO 31000. Oxebridge attempts to provide official feedback on the changes to the US TAG to TC 176, and is instead threatened with criminal prosecution by US TAG secretary Tim Fisher of the American Society of Safety Engineers (ASSE) who accuses Oxebridge of theft and trademark violation. A few days later, presumably under Fisher’s prompting, ISO again threatens Oxebridge with a “trademark bullying” style lawsuit. This time, ISO claims trademark rights over “discussions” of any ISO product. Oxebridge defeats the accusations and — again — ISO drops the lawsuit entirely. Oxebridge requests that Fisher be admonished, and ASSE Executive Director promises to take action, but does not do so. TC 262 Chair Dorothy Gjerdrum declines to consider action against Fisher.

2014: Marketing of “risk based thinking” begins, and history is rewritten to suit. Unaccredited certificate mill operator Greg Hutchins claims he wrote the first book on the subject ten years prior. TC 176 members give articles that “ISO 9001 has always been about risk.” ISO senior committee participant Sandy Liebesmann writes a paper defining “risk based thinking” approaches and presenting them as globally accepted, but fails to cite sources; when asked if he invented the approaches listed therein, he does not reply.

2014: Sources within ISO 31000’s TC 262, and risk organizations IRM, RIMS, GARP and PMI all indicate to Oxebridge they have never heard of “risk based thinking” and confirm that it has no basis in any professional risk management discipline, body of knowledge, or educational curriculum.


About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.

