Risk management 'experts' have strong disagreements on standards for risk management. On one side, some argue that standards absolutely must be followed, mainly, because they are standards - enough said. On the other hand, some self-appointed authorities maintain that risk management is too complex to standardize and can only become known by the suitably initiated - i.e. themselves. As with many complex issues, both sides are right (and wrong). [In the interests of full disclosure, the author is somewhere in the middle: any standard is better than no standard but a purely 'tick in the box' standard can cover up rather than illuminate problems.]
If the risk management profession were doing a good job, then such a debate would be amusing and relatively harmless. But, as the sub-prime crisis demonstrates, risk management is in a mess and needs serious help. ISO 31000 might just be the road map for getting our collective act together.
ISO 31000 is based on a much-overlooked truth: risk management is a process - albeit, an untidy messy process!
In its draft form (which may change before final publication), ISO 31000 recognizes that the risk management process operates at two distinct levels: (1) senior management and the Board, and (2) within business lines - at the risk-taking coalface.
At the senior management level, the process is termed a 'framework' but is nonetheless a process for: committing to comprehensive risk management across the firm; creating a viable risk management capability; monitoring and reviewing its implementation; and continually improving the firm's approach to managing risks.
This framework is almost a perfect match with the new requirements for risk governance placed upon financial institutions by regulators in, for example, Basel II and Solvency II, and in itself is a good reason for taking ISO 31000 seriously.
At the business-line level, ISO 31000 relies on the "AS/NZS 4360: Risk Management Process" model for the day-to-day activities of identifying, assessing and treating risks. While the use of AS/NZS 4360 will undoubtedly displease aficionados of COSO, the retort has to be - get over it!
ISO 31000 is far from perfect but its guidelines on principles and implementation do point the/a way to doing risk management better. The financial industry (with its usual hubris) has missed the boat on molding this standard but that is no reason for not having a reasonable debate on how such a standard could help to satisfy the needs of businesses and regulators, including rating agencies. There may even be an opportunity for regulators to join this debate for the good of the industry, but that may be too much to hope for.
While it might be novel, I daresay the industry could adopt a risk management approach to considering ISO 31000! For example, it should be possible to identify the risks of adopting ANY standard (e.g. the potential for 'tick in the box' compliance), then assess those risks against ISO 31000 and, most important of all, develop treatments / mitigants for the major risks identified. Treatments in this case would include developing tools and techniques to help firms manage their risks to an acceptable level of quality. Organizations such as PRMIA are ideally placed to provide the forum for such a debate.
On one issue, the debate could begin immediately.
In anticipation of ISO 31000, ISO has published "ISO/IEC Guide 73 - Risk Management - Vocabulary", which defines some 65 internally consistent, self-referential risk management terms. This guide is obviously deficient (65 terms is too few to cover, for example, insurance). However, that is not an argument for throwing this attempt away in favor of a local variant, even if the local vocabulary is published by a respected risk management association. The rational approach would be to come up with a combined set of agreed terms so that we talk to each other sensibly about risk management.
Starting at the easiest, anyone disagree that 'risk' is the 'effect of uncertainty on objectives'?