ISO 31000: Shaping the Future

Results of a survey on ISO 31000:2009 and future editions

Many thanks to everyone who participated in this important survey.

This report of survey findings was written by Matthew Leitch, a member of BSI's RM/1 committee, and the interpretations do not necessarily reflect the views of the full committee.

Summary

ISO Technical Committee 262 – Risk Management and the British Standards Institution wanted to understand more about use and perceptions of their standard, ISO 31000 – Risk management: Principles and guidelines. The results of this survey provide valuable input to the ISO technical committee responsible for work on risk management and the revision of ISO 31000 and Guide 73 – Risk management: Terminology.

The aim of the anonymous survey was to get an honest idea of what people would find helpful in future editions of the documents.

The results of the survey are too many and too rich to be summarised fully here, but some points with clear implications for ISO 31000 include:

  • A strong desire for methods that work well.

  • More interest in everyday awareness, skills, and behaviour than in corporate processes and risk register databases.

  • Clear support for extending the scope of the risk management process(es) to include all significant decisions, not just decisions on actions seen as responses to risk.

  • Strong interest in reducing the number of specially defined risk terms used in the standard.

  • Strong interest in more clarity and guidance on integration, including diagrams showing how risk can be managed in core management activities.

  • Confirmation that ISO 31000:2009 can be usefully clarified on some important points.

The findings probably have more implications for the risk management process (or whatever replaces it) than for the framework. The framework already states many of the ambitions endorsed by the survey respondents, but the current risk management process is not capable of fulfilling those ambitions.

A note on the statistics and graphs

Most of the graphs in this report look like a dark red bar chart with a grey overlay at the end. This overlay represents uncertainty about the true value in the population, based on the sample evidence, using Bayesian methods.

The dark red part of the bar shows the range up to the 10th percentile of a probability distribution representing belief about the true percentage or average of the entire population (i.e. people with an interest in management). The pink part shows the range from the 10th to the 50th percentile. The light grey part shows the range from the 50th to the 90th percentile. In effect, the graph says that, given various assumptions (as usual in statistics), we can be 80% certain that the truth lies within the grey overlay area (i.e. pink and grey segments combined).

In all cases the initial prior distribution was uniform. For questions requiring a choice between two answers the prior distribution was the beta distribution. For questions requiring a choice between more than two answers the prior distribution was the Dirichlet distribution. For the distribution of risk-listing focus a gamma distribution was used because the scores appeared to be roughly Poisson distributed.
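The percentile bands described above can be reproduced without a statistics library, because with a uniform prior the posteriors have integer parameters. The block below is an added worked example, not part of the original report: with a uniform Beta(1, 1) prior, a two-answer question has a Beta(k+1, n-k+1) posterior, and for a multi-answer question the uniform Dirichlet posterior has Beta marginals, so both cases reduce to beta quantiles (the gamma case for the risk-listing scores is not covered). The respondent counts are constructed for illustration: 69 'Yes' out of 94 approximates question 12's 73% from the BSI and ML samples, and the three counts 18/25/72 mirror the totals in question 9's table.

```python
"""Posterior 10th/50th/90th percentiles for survey proportions (added example)."""
from math import comb


def beta_cdf(x, a, b):
    """CDF of Beta(a, b) at x for positive integer a and b.

    Uses the exact identity I_x(a, b) = P(Binomial(a+b-1, x) >= a),
    so no special-function library is needed.
    """
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    n = a + b - 1
    return sum(comb(n, j) * x ** j * (1 - x) ** (n - j) for j in range(a, n + 1))


def beta_quantile(p, a, b, tol=1e-10):
    """Invert beta_cdf by bisection; the CDF is monotone on [0, 1]."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if beta_cdf(mid, a, b) < p:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def proportion_bands(successes, total, percentiles=(0.10, 0.50, 0.90)):
    """Posterior percentiles for a two-answer question.

    Uniform prior = Beta(1, 1); posterior = Beta(successes+1, failures+1).
    The three returned values bound the dark red (up to p10), pink (p10-p50)
    and light grey (p50-p90) segments of the report's bar charts.
    """
    a = successes + 1
    b = total - successes + 1
    return tuple(beta_quantile(p, a, b) for p in percentiles)


def multichoice_bands(counts, percentiles=(0.10, 0.50, 0.90)):
    """Posterior percentiles per option for a question with K > 2 answers.

    Uniform Dirichlet prior (all concentration parameters 1). The marginal
    for option i is Beta(n_i + 1, N - n_i + K - 1), with N respondents.
    """
    k = len(counts)
    n_total = sum(counts)
    bands = []
    for n_i in counts:
        a = n_i + 1
        b = n_total - n_i + k - 1
        bands.append(tuple(beta_quantile(p, a, b) for p in percentiles))
    return bands


if __name__ == "__main__":
    # Constructed counts: 69 'Yes' of 94 respondents (two-answer question).
    p10, p50, p90 = proportion_bands(69, 94)
    print(f"two-answer: p10={p10:.3f} p50={p50:.3f} p90={p90:.3f}")
    # Constructed counts for a three-answer question (18, 25 and 72 of 115).
    for label, band in zip(("increase", "no change", "reduce"),
                           multichoice_bands([18, 25, 72])):
        print(f"{label:>10}: " + " ".join(f"{v:.3f}" for v in band))
```

The 80% band is the interval between the returned 10th and 90th percentiles; because the posterior is exact rather than a normal approximation, the band is asymmetric around the median when the observed proportion is far from 50%.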

The respondents

There were three samples of respondents.

  • Attendees at the TC/262 and BSI event on the same topic held on 13th and 14th June 2013. These were people who accepted an invitation to the event, sent by BSI.

  • IRM members responding to a request included in an e-bulletin to all IRM members.

  • Contacts of Matthew Leitch, many of whom have participated in previous surveys of his. Matthew sent a personal invitation to each of around 850 people.

The groups should provide interesting comparisons. The BSI group was predominantly people who had shown an interest in standards before, for example by buying one. The IRM group were not necessarily standards enthusiasts, but the IRM's style of risk management is much like that described in ISO 31000:2009 and is not necessarily representative of all risk managers or people involved in risk management. For example, a group of actuaries, financial risk managers, or scientists looking at climate predictions or cancer causes would have very different views on risk and risk-related decisions. Finally, Matthew Leitch's contacts were neither standards enthusiasts nor enthusiastic about listing risks, but were again a special group because of their interest in risk management, past interest in his work, and in some cases past participation in other surveys.

For most questions the pattern of responses from each sample was similar, but there were some notable differences. Matthew Leitch's contacts tended to be less interested in standards generally, and in particular less interested in prescriptive corporate processes and risk registers, while IRM members were markedly less keen to see the level of jargon in ISO 31000 reduced. Matthew Leitch's group also provided more comments.

The survey questions and answers

In this section the text in italics is the text used in the survey itself. Other text discusses the implications for ISO 31000.

1. In which sector are you, or have you been most recently, employed (if at all)?:

Sector | BSI | IRM | ML | TOTAL
Public sector - emergency services or healthcare | 3 | 2 | 3 | 8
Other public sector | 8 | 3 | 7 | 18
Third sector | 2 | 1 | 4 | 7
Private sector - financial services | 4 | 7 | 8 | 19
Private sector - other | 34 | 8 | 20 | 62
Not employed | 0 | 0 | 1 | 1
TOTAL | 51 | 21 | 43 | 115

2. We need to know a bit about your role. (It doesn't matter for this survey if you are not a risk specialist of some kind.) Do you consider yourself to be in a specialist risk management role? (Choose the best description.):

Role | BSI | IRM | ML | TOTAL
Yes, some kind of risk manager or CRO (more directly helping) | 39 | 18 | 21 | 78
Yes, auditor (mainly just reviewing and reporting) | 10 | 2 | 13 | 25
No | 2 | 1 | 9 | 12
TOTAL | 51 | 21 | 43 | 115

3. The roles of people in 'risk management' jobs are remarkably varied. If your role involves getting others to think differently, what are your main concerns? (Click all that apply.):

Persuasive goal | % of respondents*
Getting people to consider one particular 'risk' factor that is your special responsibility (e.g. cyber security, health and safety, credit management, market risk, reputation, ethics, sustainability, reliable financial reporting/Sarbox, revenue assurance, business continuity). | 35%
Getting people to consider all the negative 'risk' factors (such as those in the previous item). | 38%
Getting people to consider all potentially important negative outcomes, including disappointing sales and unexpectedly low productivity, for example, as well as negative outcomes from 'risk' factors such as those mentioned in the first item. | 43%
Getting people to respond to all important uncertainty, including uncertainty around sales and production, for example, so outcomes better than expectations are included as well as outcomes worse than expectations. | 60%

Implications for ISO 31000: This question was designed to identify people in different types of risk management role, ranging from the narrowest type, focused on managing one concern such as security, safety, or fraud, through to the broadest type, with an interest in all uncertain outcomes and all objectives. However, all respondents selected items from this list and so perhaps the desire to influence thinking about risk is wider than expected.

Many respondents clicked more than one item. Each item is broader than the one before, so another summary of the data is that 12% of respondents clicked the first item but no others, 24% clicked the first or second but no others, 40% clicked at least one of the first three but not the fourth, and 60% clicked the fourth item (whether or not they also clicked others). For example, 40% of respondents are only concerned with getting colleagues to think of bad possibilities and negative factors. That is the current reality of their job.

The results confirm that a standard aimed at people interested in risk continues to attract people with a range of roles. ISO 31000:2009 describes and recognises only the broadest role (responding to all important uncertainty) and this may be one reason why there is controversy over its content. Should ISO 31000 continue to take this position or should it guide people in all these roles? Should it support all roles but recommend progression towards the broadest? If it excludes some roles should it say so explicitly and explain why?

4. The following questions assume that you are a risk manager or have that role (along with other roles). If you personally do not have that role then please IMAGINE that you do and answer the questions anyway. We will separate out the answers.

In principle, a standard could help you in your role in various ways. How likely is it that you would use the standard in each of the following ways, assuming you obtained the standard and found it was well written and sensible?:

Use | Rank | % of maximum*
look through for useful advice you can put into practice | 1 | 85%
quote short sections from it to support ideas you want to promote within your organization | 2 | 79%
design a review around it to assess the current state of risk management in your organization or parts of it | 3 | 74%
include tools from it in your organization's processes (e.g. formulae, document formats, model structures) | 4 | 70%
quote larger sections and diagrams from it to explain ideas to people within your organization | 5= | 66%
circulate the whole standard to colleagues with a risk specialism | 5= | 66%
try to get compliance with the standard adopted as the policy of your organization | 7 | 63%
try to get compliance with the standard included within contracts with certain types of supplier to your organization | 8 | 59%
use the whole standard as a kind of textbook and encourage colleagues to read it to learn how to manage risk | 9 | 47%
circulate the whole standard to colleagues who do not have a risk specialism | 10 | 35%

* The available answers were 'Definitely', 'Probably', 'Possibly', 'Unlikely', and 'Certainly not'. To summarise the answers we have given these answers point values (4, 3, 2, 1, 0 respectively) and shown the percentage score relative to the maximum possible score. The bars do not have measurement uncertainty shown because the distribution of scores is not known to be a recognized distribution. However, a sense of the uncertainty involved can be gained from other graphs in this report.

Across the three samples, risk managers typically expected to make more use of a standard than respondents who were just imagining they were risk managers, but otherwise the pattern of answers was very similar. The ML sample respondents also expected to make less use of a standard, whether they were risk managers or not.

Implications for ISO 31000: Broadly, most respondents thought they would use a new standard, if it was well written and sensible, in most of the ways suggested, with the possible exception of circulating the whole document widely.

They thought they would use it in selective ways more often than using all of it. They would look through for good advice, selectively quote from it, and perhaps pass it around to colleagues in risk management. However, they were somewhat less likely to distribute it more widely, use it as a textbook, adopt it as an organization-wide standard, or put it into contracts with suppliers.

When writing future editions of ISO 31000 its authors should take care to make key points in short paragraphs suitable for quoting, placed appropriately in the document so that they can easily be identified. It may be impossible to write the whole document well but if key paragraphs are good that will be very helpful.

There was considerable interest in tools and an obvious tool would be some kind of guide to reviewing risk management against ISO 31000's recommendations. This could take the form of a checklist in an appendix perhaps.

5. Again assuming that you obtained the new standard and found it well written and sensible, how likely is it that you would use it to help you do each of the following?:

Goal | Rank | % of maximum*
encourage greater consistency in risk management across your organization | 1 | 81%
increase use of good practices for risk management by managers | 2= | 81%
improve the effectiveness of risk management activities | 2= | 81%
improve management attitudes to risk management | 4 | 79%
improve board attitudes to risk management | 5= | 76%
increase use of good practices for risk management by the board | 5= | 76%
rationally justify risk management activities | 7 | 71%
broaden the scope of risk management | 8 | 69%
cut the cost of risk management activities | 9 | 57%
emotionally justify risk management activities | 10 | 46%
narrow the scope of risk management | 11 | 32%

* Again, the available answers were 'Definitely', 'Probably', 'Possibly', 'Unlikely', and 'Certainly not'. To summarise the answers we have given these answers point values (4, 3, 2, 1, 0 respectively) and shown the percentage score relative to the maximum possible score. The bars do not have measurement uncertainty shown because the distribution of scores is not known to be a recognized distribution. However, a sense of the uncertainty involved can be gained from other graphs in this report.

Answers to this question were similar across the three samples and between risk managers and respondents just imagining they were risk managers.

Implications for ISO 31000: Again, respondents expected to use the standard for most goals suggested, with the possible exception of emotional justifications and narrowing the scope of risk management.

The responses show a lot of interest in improving attitudes and behaviour, though more via rational justification than emotional justification.

ISO 31000:2009 contains material that is nearly a justification in its introduction, but this is mostly unsupported assertions about value and does not justify the particular approach recommended by the standard. It only justifies risk management generally. To improve attitudes towards risk management the standard would also need to be well written and give sensible advice, which was one of the assumptions our respondents were asked to make.

More respondents were interested in improving effectiveness with the standard than in cutting costs.

More respondents were interested in expanding the scope of risk management than in narrowing it. Answers to later questions give clues as to how scope should be expanded.

6. The following are items that a new version of ISO 31000 could potentially include. Which do you think you would probably find helpful and make use of?:

Point | Rank | % of respondents*
a recommendation that, with projects, risk management should be involved from the very beginning in shaping the project, not just once detailed project planning is underway | 1 | 92%
a recommendation that risk should be dealt with during planning and design activities, not just later, as far as possible | 2 | 87%
a definition that says the scope of risk management includes all uncertain outcomes, not just undesirable ones | 3= | 72%
a statement of the scope of risk management that includes all significant decisions, not just decisions about actions seen as responses to risk(s) | 3= | 72%
a recommendation that risk management should include within its scope uncertainty around stakeholder interests | 5= | 68%
a recommendation that risk management should include within its scope uncertainty around the current situation and how something works (e.g. uncertainty in medical diagnoses and environment analysis for strategy making) | 5= | 68%
a recommendation that quantification should be used where the stakes are high | 7 | 55%

There were some larger differences between the samples. The table below shows the percentage of risk managers in each sample who thought each point would be helpful, presented in descending order of the overall average percentage. The BSI risk managers were noticeably less interested in including all significant decisions (though even here a majority supported this) and more interested in quantification. The IRM risk managers were unusually supportive of including uncertainty around stakeholder interests. The ML risk managers were noticeably less keen on quantification and on including positive 'risks'.

Point | BSI | IRM | ML
a recommendation that, with projects, risk management should be involved from the very beginning in shaping the project, not just once detailed project planning is underway | 85% | 100% | 90%
a recommendation that risk should be dealt with during planning and design activities, not just later, as far as possible | 85% | 89% | 95%
a definition that says the scope of risk management includes all uncertain outcomes, not just undesirable ones | 77% | 89% | 67%
a statement of the scope of risk management that includes all significant decisions, not just decisions about actions seen as responses to risk(s) | 59% | 89% | 86%
a recommendation that risk management should include within its scope uncertainty around stakeholder interests | 67% | 94% | 76%
a recommendation that risk management should include within its scope uncertainty around the current situation and how something works (e.g. uncertainty in medical diagnoses and environment analysis for strategy making) | 67% | 78% | 71%
a recommendation that quantification should be used where the stakes are high | 64% | 56% | 43%

Implications for ISO 31000: All the suggested points were considered helpful by most respondents and this is also true for risk managers in particular.

Three of the top four items on the ranked list above are related. ISO 31000:2009 recommends a risk management process that implies that only decisions about actions considered responses to risks are within the scope of the process. Typically this happens when a plan or decision has already been made, but then a review of the plan is performed or a risk management exercise is done to amend the plan to respond to perceived risks in it.

The high ratings for these items are evidence that users would welcome a change to the process that expanded its scope to include all major decisions.

7. Some things that a risk manager can push for to improve risk management are particularly expensive and/or time consuming. Which of the following would it be helpful for the standard to emphasize and justify in order to help you obtain support for these larger investments? Click all that apply, and of course do not click any item that you would not want to do.:

Risk management investment | Rank | % of respondents*
workshops and presentations to talk about the value of risk management and increase awareness of risk management practices | 1 | 85%
training events to teach everyday tactics for managing risk/uncertainty | 2 | 70%
software to gather, analyse, and present data that helps with risk management | 3 | 57%
training events to teach how to comply with formal corporate risk management processes | 4 | 41%
specialist data gathering and mathematical/simulation modelling to support decision making under risk/uncertainty | 5 | 38%
purchase and implementation of a risk register database, with training in how to use it | 6 | 29%

Again, there were differences between the BSI risk managers and the IRM and ML risk managers. In this case the ranking was almost identical, but the BSI risk managers were much more interested in support for expensive investments than the others.

Implications for ISO 31000: The pattern of responses shows more interest in support for actions likely to improve everyday risk management than for more investment in formal processes based on risk registers. The top three items had majority support and amount to making people aware, skilled, and informed enough to manage risk better in everyday management situations, rather than just in risk meetings. This may be because of the relative importance placed on the investments, or differences in the difficulty of justifying them.

ISO 31000 should perhaps recommend work on everyday risk management and make its important role within the overall risk management framework clear.

8. Here are some possible diagrams that might be included. Which do you think you would probably find helpful?:

Diagram | Rank | % of respondents*
a diagram of decision-making showing what should be done to deal with risk at every stage | 1 | 73%
a diagram of planning showing what should be done to deal with risk at every stage | 2 | 59%
a diagram of situation-appraisal showing what should be done to deal with risk at every stage | 3 | 57%
a diagram of performance evaluation showing what should be done to deal with risk at every stage | 4= | 51%
a diagram of design showing what should be done to deal with risk at every stage | 4= | 51%

Risk managers across all three samples were generally interested in all these diagrams, but auditors were not as enthusiastic, bringing the overall percentage down.

Implications for ISO 31000: Most of the suggested diagrams were thought helpful by most respondents. The diagrams were quite similar and interest in each one dropped slightly as respondents went down the list. They may have felt that having all the diagrams would be too much.

ISO 31000:2009 has no diagrams at all showing how risk is to be managed within ordinary management activities. It shows the risk management process only in isolation. There is no explanation in the text either. Showing diagrams of core management activities with guidance on how risk can be managed within them would be a step towards explaining integration in practical terms and would be welcomed by users, provided it was at the right level.

9. ISO 31000 currently includes definitions of 29 technical risk terms. Bearing in mind the uses to which you might put the standard, which direction would you prefer?:

Direction | BSI | IRM | ML | TOTAL
Increase the number of risk related words and phrases within the standard, expanding the vocabulary to more like 40 terms | 6 | 6 | 6 | 18
No change | 12 | 8 | 5 | 25
Reduce the use of special terms to about 10 terms and instead write using words adequately defined in an ordinary dictionary | 33 | 7 | 32 | 72
TOTAL | 51 | 21 | 43 | 115

Implications for ISO 31000: Most respondents preferred the direction of reducing the number of technical risk terms in the standard rather than keeping the same number or increasing them. IRM members were notably more divided on this, which may be a result of the IRM's thought leadership focusing on 'risk appetite' and 'risk culture', two poorly defined buzz phrases.

10. One of the ways that a standard can help is by recommending methods that are liked by most people. In your organization, how important do you think each of the following qualities is to a method being liked by most people?:

Quality | Rank | % of maximum*
gives good results | 1 | 84%
can be understood without knowledge of advanced mathematics | 2 | 81%
is logically consistent, sensible, and without obvious technical flaws | 3 | 80%
complies with relevant laws and regulations | 4 | 77%
is easy to scale up or down, and otherwise adapt to different challenges | 5 | 73%
gives sensible advice on when quantification is worthwhile and what level of sophistication is worthwhile | 6 | 69%
does not involve extra meetings and documents, as part of a separate corporate risk process | 7 | 59%
fits within natural mental and social processes | 8 | 59%
its practices can be done quickly | 9 | 57%
is consistent with established scientific and mathematical ideas | 10 | 54%
is something they already do, at least sometimes, without being forced | 11 | 53%
can be summarised on a single Powerpoint slide with boxes and arrows | 12 | 41%
is always done the same way regardless of circumstances | 13 | 31%

* The available answers were 'Unimportant', 'Some help', 'Important', and 'Critical'. To summarise the answers we have given these answers point values (3, 2, 1, 0 respectively) and shown the percentage score relative to the maximum possible score. The bars do not have measurement uncertainty shown because the distribution of scores is not known to be a recognized distribution. However, a sense of the uncertainty involved can be gained from other graphs in this report.

Implications for ISO 31000: Most of the qualities suggested were thought to contribute to methods being liked by most people, but there were notable exceptions. There was relatively little interest in having a method that can be summarised in one Powerpoint slide of boxes and arrows, or that is always done the same way regardless of circumstances. This suggests that most people would not be greatly concerned about loss of appeal to colleagues if ISO 31000 moved away from relying on one generic risk management process.

The very high importance given to 'gives good results' suggests there may be value in looking for published, scientifically sound evidence of effectiveness for any methods suggested.

These next questions explore your current knowledge of ISO 31000:2009. We have a number of reasons for wanting to do this and will explain when the results are presented.

11. To what extent have you read ISO 31000:2009, the current edition? (It doesn’t matter whether you have or not. Just pick the best description.):

Level of reading | BSI | IRM | ML | TOTAL
Have not read about it or read any of the original document | 10 | 0 | 19 | 29
Have read about it, but not read any of the original document | 11 | 2 | 7 | 20
Have read some parts of the original document, but not all | 12 | 4 | 4 | 20
Have read it all, but did not carefully analyse it | 9 | 7 | 7 | 23
Have read it and carefully analysed it (e.g. to write comments or a review) | 8 | 7 | 3 | 18
Helped to draft it | 1 | 1 | 3 | 5
TOTAL | 51 | 21 | 43 | 115

Implications for ISO 31000: The following questions explore users' understanding and views on four key points concerning the standard. These points were chosen for use in the survey because the standard seems to be unclear on them despite their importance. The answers showed no systematic connection between the degree of reading of the standard and any particular interpretation of it. This suggests that more reading does not help to clarify the meaning. Rather, people think the standard says what they think it should say, and this is true even when they have read the standard. Expressions of agreement with, and support for, ISO 31000:2009 need to be taken with a pinch of salt. More positively, many users would welcome greater clarity, provided the points made clearly were the correct ones.

We would like to ask you a few questions about what you think ISO 31000:2009 says. Please don't try to check if you are right. Just answer on the basis of your memory and/or imagination and say which answer is most likely to be correct.

12. Suppose a railway was to be built and a river lay in the path of the proposed line. A decision has to be made between building a bridge over the river or a tunnel under it. Does ISO 31000:2009 imply that you should perform a risk assessment of each of these options before deciding?:

Answer | % of respondents
Yes | 73%
No | 27%

Note that only the BSI and ML samples answered this and the following questions.

Implications for ISO 31000: A sizeable minority of respondents recognized that the standard's risk management process does not imply risk assessment of each alternative in this kind of decision. However, most respondents thought that the standard does imply analysis of each option in a decision such as this, even if they had read the standard. This difference in views may be due in part to mixed messages in the standard itself.

ISO 31000:2009 does not make any explicit recommendation or exclusion. The text on the framework about integration implies that the risk management process can be applied to all decisions and readers might naturally infer that this is by assessing alternatives. However, the risk management process shows risk treatment as the only decision about actions, and its scope includes only actions that are treatments of risk(s). Nothing in the descriptive text for the risk management process contradicts this. Therefore, the best interpretation of the current wording of ISO 31000:2009 is that its risk management process does not imply risk assessment of the alternatives in a decision that is not about a risk treatment, such as the tunnel or bridge decision. This gap may be unintended.

13. Suppose that there was concern about cars speeding down a suburban road. A decision has to be made on what traffic calming measures to put in place, if any. When does ISO 31000:2009 say that the decision on whether to use any traffic calming measures at all should be taken?:

Answer | % of respondents
Without first considering the costs, effectiveness, and other effects of particular measures that might be appropriate | 18%
After at least some consideration of the costs, effectiveness, and other effects of particular measures that might be appropriate | 82%

Implications for ISO 31000: Respondents mostly answered in line with what they thought the standard should say. ISO 31000:2009 does not clearly say what to do in this situation. Within clause 5.4.4 Risk evaluation, it says that a decision may be taken not to treat a risk in any way. This would be without considering any changes to controls. In clause 5.5.1, which is part of Risk treatment, it says that risk treatment options should be selected, but lists risk treatment options as abstract categories of actions with no specific costs or other effects. On the other hand, in clause 5.5.2 Selection of risk treatment options, it says that selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, suggesting that risk treatment options are in fact more specific than the examples given and actually do have costs and other effects.

Clarification would be welcomed.

14. ISO 31000:2009 contains a description of 'the risk management process'. How is that process to be carried out?:

Answer | % of respondents
Independently from core management activities, with separate meetings, separate documents, and specific roles | 9%
As part of core management activities, within management meetings, documents, and so on | 55%
Both within core management activities and as a separate activity | 36%

Implications for ISO 31000: Again, ISO 31000:2009 gives mixed messages and does not clearly state whether the risk management process is to be carried out independently or as part of core management activities. Clauses 4.1, 4.3.4, 4.4.1, 4.4.2, and 5.1 all make strong statements about the risk management process being embedded/integrated, but without being clear on what exactly this means in practical terms. Taking only these statements into consideration, it sounds as if the idea is to carry out risk management as part of core management activities. However, the rest of the standard is written as if risk management were a separate activity with its own roles, documents, meetings, procedures, etc., leaving readers unsure how to interpret it. If risk management is to be embedded in organizational processes, why is there no guidance on what embedding looks like, or how to do it?

15. Suppose a project involves partnership between a number of public sector organizations. The interests of each of these stakeholders are to be taken into consideration when making plans for the project. Does ISO 31000:2009 give advice on how to deal with uncertainty about the interests of the stakeholders?:

Answer | % of respondents
Yes | 46%
No | 54%

Implications for ISO 31000: On this point, respondents were more cautious, more willing to think that the standard might lack this guidance even though they thought it should include it (see below). Once again, ISO 31000:2009 is not clear. However, a stronger argument can be made for saying that it does not give advice on this point. ISO 31000:2009 generally discusses objectives as if they already exist. The one exception to this is in clause 5.2 Communication and consultation, which advises dealing with potential uncertainty about stakeholder interests through a 'consultative team approach' with lots of communication and consultation. In short, the only guidance offered on how to deal with uncertainty about stakeholders' interests is to talk to them a lot.

Now we would like to ask you a few questions about what you think ISO 31000:2009 SHOULD say. They are not clues to what it does say now, so please don't even think of changing your answers to the previous questions. Just give us your honest opinion.

16. Suppose a railway was to be built and a river lay in the path of the proposed line. A decision has to be made between building a bridge over the river or a tunnel under it. Should ISO 31000:2009 imply that you should perform a risk assessment of each of these options before deciding?:

Answer    % of respondents
Yes       86%
No        14%

Implications for ISO 31000: An overwhelming majority of respondents (86%) thought that ISO 31000 should advise risk assessment of each option in a decision like this, and this is also true of the risk managers within the three samples. This is consistent with the majority view that stating the scope of risk management to include this kind of decision would be helpful.

17. Suppose that there was concern about cars speeding down a suburban road. A decision has to be made on what traffic calming measures to put in place, if any. When should ISO 31000:2009 say that the decision on whether to use any traffic calming measures at all should be taken?:

Answer                                                                                                                   % of respondents
Without first considering the costs, effectiveness, and other effects of particular measures that might be appropriate        16%
After at least some consideration of the costs, effectiveness, and other effects of particular measures that might be appropriate    84%

Implications for ISO 31000: A heavy majority (84%) thought that ISO 31000 should say that the decision on whether to take any action at all should be made only after at least some consideration of the costs, effectiveness, and other effects of the specific measures available.

18. ISO 31000:2009 contains a description of 'the risk management process'. How should it say that process should be carried out?:

Answer                                                                                                    % of respondents
Independently from core management activities, with separate meetings, separate documents, and specific roles     3%
As part of core management activities, within management meetings, documents, and so on                          50%
Both within core management activities and as a separate activity                                                 47%

Implications for ISO 31000: Again, the standard should make its position clear. Half of the respondents would prefer it to advocate risk management within core management activities, and a sizeable minority (47%) would like it to advise both approaches. Almost nobody (3%) wants a purely separate approach, which is nevertheless what most of the text of ISO 31000:2009 currently describes, despite statements of principle to the contrary.

Considering risk during all significant decisions and other core management activities looks like the best, most balanced, most efficient, and most effective way to manage risk. It is probably where most people would like to go. However, there are times when that hasn't happened and times when it is not clear that it has happened. At those times a separate review might be worthwhile.

19. Suppose a project involves partnership between a number of public sector organizations. The interests of each of these stakeholders are to be taken into consideration when making plans for the project. Should ISO 31000:2009 give advice on how to deal with uncertainty about the interests of the stakeholders?:

Answer    % of respondents
Yes       88%
No        12%

Implications for ISO 31000: The standard should provide more substantial guidance on uncertainty about stakeholder interests.

20. This box is for any comments, explanations, or suggestions you would like to make. Include your email if you would like a personal response.

Comments received from BSI respondents (other than friendly greetings) were as follows:

20.1.1 "As with any Standard, it will have to be seen as a business benefit, to align, adhere to it or gain certification, for it to have recognition, credibility and value."

20.1.2 "The relationship of Risk Management (ISO 31000) to all the other ISO management system standards is hazy to say the least; what does the TC think it should be?"

20.1.3 "I believe the document should bear reference to business risk being embedded in business management systems."

20.1.4 "1. Framework for quantitative & qualitative risk scoring. 2. Framework for Monte-Carlo and other statistical probability prediction techniques. 3. Relationship between ISO 31000 and other sector specific risk / threat management standards. e.g. business continuity, cyber threat, health & safety, air worthiness, biological threat, etc, i.e. a family tree."

20.1.5 "There is a tendency for complicating the risk management process by overloading it with mathematical jargon. On a practical basis, it is extremely hard to make the folks in an organisation understand the mathematical complexity. The intent should be to develop something which can be practically used by a large section of society without a bias to the math-oriented folks. What is lacking today, in my opinion, is the communication and articulation of risk in a manner that the larger audience understands."

20.1.6 "An interesting exercise. My risk management training has taught me to observe the opportunities that risks introduce to the process and how these can and should be considered. There seems to be very little on positive outcomes suggested in any of the above."

20.1.7 "I work in security risk management and struggle with others who calculate risk as likelihood x consequence. My department has chosen to use the calculation Risk = asset x threat x vulnerability (ref FEMA 426). This is seen as more relevant for security risk management as calculation of the likelihood for malicious intent is difficult (at best, and not particularly wise, at worst). It would be helpful if ISO 31000 provided suggestions for different types of risk calculation, including different settings when different calculations would be relevant."

Comments received from ML respondents (other than friendly greetings) were as follows:

20.2.1 "Consider Malcolm Sparrow's views in regard to Public Sector regulation and compliance in creating any revised view of ISO 31000. The extent to which regulatory compliance is dependent upon risk assessment and management is a crucial component of the definitions in the standard. Otherwise you risk the separation of regulatory compliance risk assessment and management from that used for projects etc in the private sector, with the consequent problems that would result."

20.2.2 "Playing chess really helps with considering risks vs. opportunities, including considering the interest of the other stakeholder (i.e. your opponent). Of course there are other good games, especially multiplayer games, that in my opinion are the best training for management and help select managers that are able to deal with risk. Especially in times of crisis your risk appetite should change a lot!"

20.2.3 "ISO 31000 should be offered only as a guide, not a standard. It should be much shorter in length. It should acknowledge the wide discrepancies in the use and understanding of the word 'risk'. And some form of 'risk management' should be understood as the responsibility of every person in an organization."

20.2.4 "It may be a good idea to have some sort of ISO 31000 software package that could initially be downloaded and used as a cheaper 'LITE' version for organisations/risk managers to use and then to have the option to upgrade if it is effective and there's an appetite to explore further."

20.2.5 "Coverage of risk appetite and the publication of that appetite would be useful to stakeholders."

20.2.6 "I still struggle with the debate about whether risk management should be taken to include all uncertainty or just negative uncertainty. The natural usage of the word 'risk' is about the negative. I think that the 'cleanest' thing to do is to change the name of the standard to the 'Management of Uncertainty' (or similar). This instantly puts it into a language frame that people understand. We can stop trying to rewire people's understanding of risk (as a situation involving exposure to danger) and say that 'risk management' has evolved to include both positive and negative aspects of 'uncertainty'. But then someone comes along and throws that view into doubt by defining the two terms as follows: Risk: We don't know what is going to happen next, but we do know what the distribution looks like. Uncertainty: We don't know what is going to happen next, and we do not know what the possible distribution looks like. The issue of language still causes (me at least) confusion."

20.2.7 "It's all about decisions - opportunities for gain, values, creativity, performance shortfalls, information shortfalls, and then coming up with indicators and warnings of future contexts/models."

20.2.8 "Risk management needs to decide what it is to be! It appears to be developing a theory of business without really saying it. I do not think that risk management is a separate activity, but a set of tools that all of the business can / should use in order to make better decisions. Risk management needs to move from the tick box / documenting (sterile risk registers) process and look to providing better tools, then it will become relevant. However, in this respect risk management will then be competing with consultancies and business schools, which will not be a bad thing if what they provide is better (practical and not a management fad)."

Comments received from IRM respondents were as follows:

20.3.1 "I analysed ISO 31000 in order to write about it for an essay I was completing for my MSc Risk Management course. The most apparent observation is that it makes no mention of risk appetite. Some risk culture guidance would also be good."

20.3.2 "Please consider including a typical risk taxonomy with the relevant definitions."

20.3.3 "In my opinion, the key to the success of a standard is to keep it simple (without compromising on quality and reach). Although a practitioner understands the nuances of the standard, the key to success is the wider organisation accepting and embedding it. This can only be possible if they understand what they are required to do and not overwhelmed (or scared) of the standard."

20.3.4 "Inclusion of on-the-ground aspects of managing risks is required in a clearer manner, and more than that enhanced RACI."

20.3.5 "For me, in my own experience, compliance with laws and regulations is always important and, in a similar manner, standards are also very useful in getting the message through. However, even though laws and regulations provide the power to make changes happen, the most important thing is to get managers and decision makers to 'buy in' to the process. Hence the laws and regs must always be shown to be there BECAUSE THEY ARE GOOD FOR THE ORGANISATION rather than simply because they are law. Quoting the law is for me always a last resort, once I have gone past trying to get people to understand or buy in to the value of the process or the standard. Hence, any standard that helps to show the value is so much more important than a standard that simply lays down a set of parameters. Standards should provide as much technical information as possible (within limits of practicality), but should also allow for flexibility, especially if the subject (as with risk management) is still a developing one. My experience is that qualitative matters are better understood, but ultimately where possible there should be quantitative backup to this, and that is really where flexibility is most important - otherwise innovation will be stifled. I have in fact used elements of the ISO draft in previous presentations, and found them very useful indeed."

20.3.6 "Yes, it's a good standard that can be reviewed and put in place for all kinds of products and functions."

Themes and overall conclusions

Several themes were raised in more than one question. Here they are, with the findings on each pulled together.

Scope of decisions

The risk management process described in ISO 31000:2009 effectively restricts the scope of risk management to decisions about actions seen as responses to risk(s). Many decisions are not of this type, as illustrated by the bridge or tunnel decision in question 16. Question 16 established that most people would like ISO 31000 to include all significant decisions like this within risk management, and question 12 found that most people think it already does.

Question 5 confirmed the broad principle. A large majority thought it would be helpful for ISO 31000 to state the scope of risk management as including "all significant decisions, not just decisions about actions seen as responses to risk(s)." This question also showed that most respondents were more likely to broaden the scope of risk management than to narrow it.

With the existing, relatively narrow scope of the risk management process it is harder to get involved with planning and decision making, and in the very early stages of project management. Instead, the pattern tends to be that these decisions take place first and then some kind of risk management exercise responds to what has been decided, perhaps in the form of a review or a detailed analysis of risks arising from a proposed plan.

Including all significant decisions would bring more of these early decisions into scope. Question 6 found very strong support for points encouraging the use of risk management in the early stages of projects, in planning, and in design and planning activities.

In summary, the survey results provide very strong evidence in favour of expanding the scope of ISO 31000 to include all significant decisions, which can be done only by opening up the risk management process.

Improving everyday management

This theme is similar to the previous one, but broader. Responses to question 3 showed that all respondents, even those not in risk management roles, thought their role included getting others to think differently on risk matters in one or more ways.

Question 5 showed that most would aim to improve board and management attitudes to risk management, and increase their use of good risk management practices. Question 7 found that the expensive item people most wanted support to justify was events to promote the value of risk management, but training in everyday risk management practices was also strongly supported. In contrast, training in corporate risk management processes and purchase of risk register software were poorly supported.

Answers to question 8 showed that most thought that it would be helpful to include diagrams of how risk management would be achieved during ordinary management activities.

Responses to question 9 indirectly support this direction too. Most wanted the risk jargon in ISO 31000 to be cut significantly, with ordinary words used instead. This, too, is more consistent with good, everyday risk management than with an elaborate corporate process dedicated to risk management as a separate activity.

Question 10 showed that most respondents thought a method was more widely liked if it was natural, quick to perform, did not involve extra meetings, and did not require advanced mathematics. All these points are consistent with promoting everyday use of risk management methods.

Question 18 also showed a strong preference for embedded risk management.

Comments further reinforcing this point, sometimes indirectly, were: 20.1.3, 20.2.2, 20.2.7, and 20.2.8.

In summary, the survey results also provide strong support for embedded, everyday risk management. In contrast, the only question to test interest in formal corporate processes and risk register databases found low support for these, and there was strong support for cutting back on the risk jargon.

Quantification

Quantification is sometimes a contentious topic, but the survey responses point clearly to moderate and appropriate use of quantification.

Most respondents for question 10 thought that requiring an understanding of advanced mathematics would prevent a risk management method from being widely popular in their organization, but sensible advice on when quantification was appropriate would help popularity. They thought that, although being consistent with established scientific and mathematical ideas was not very important to popularity, being logical and without obvious technical flaws was very important. Mathematically inspired models, whether quantified or not, tend to be more logical and less technically flawed than other models.

In question 6, a slight majority thought it would be helpful for ISO 31000 to recommend quantification where the stakes are high, but relatively few wanted more support for expenditure on specialist modelling in question 7.

Comment 20.1.4 suggested coverage of quantification and the use of statistical and simulation techniques, while comment 20.1.5 complained of a tendency to overload risk management processes with mathematical jargon. Correspondence with this respondent established that this complaint was not a reaction to ISO 31000:2009, which barely mentions mathematics.

Overall, there was support for recommending quantification in appropriate circumstances, but not for recommending advanced mathematical methods for all risk management.

Happy surprises too

The contentious topic of including happy surprises as well as nasty ones within the scope of risk management was also touched on more than once in the survey. ISO 31000:2009 defines 'risk' in such a way that all such outcomes are included.

Question 3 showed that a modest majority of respondents aimed to get colleagues to think about all uncertain outcomes, not just bad ones. However, that still leaves a substantial minority, even of our respondents, not promoting consideration of happy surprises.

Question 6 again found majority support for including 'all uncertain outcomes, not just undesirable ones'.

Comment 20.2.6 pointed out the practical difficulty of using the word 'risk' to refer to all uncertain outcomes when almost all English speakers are brought up with the usual definition of 'risk' as referring only to unwelcome outcomes.

In summary, the survey supports continuing to include all outcomes, not just undesirable outcomes, but recognizing in some way that many users have jobs that focus on entirely negative factors, or on negative outcomes. Perhaps the right approach to this is to say that one cannot manage risk in isolation. To manage well one must consider all possibilities, somehow, and take decisions in a balanced way, considering all relevant factors. One consequence of doing that should be that risk (in the traditional sense) is managed.

Uncertainty about stakeholder interests

At almost every point, ISO 31000:2009 considers objectives as existing already due to some management thinking that is outside the scope of risk management. Risk management does not help with developing objectives. Also, there is no advice on how to deal with uncertainty about the interests of different stakeholders, beyond suggesting that one should talk to them a lot.

In answer to question 6, most respondents thought it would be helpful for ISO 31000 to recommend that 'risk management should include within its scope uncertainty around stakeholder interests'.

Similarly, question 19 showed that a heavy majority thought that ISO 31000 should give advice on how to deal with uncertainty about the interests of stakeholders.

Question 15 showed that a significant minority thought it already does give advice on this.

In summary, there is strong support for giving advice on uncertainty around stakeholder interests and for considering uncertainty around stakeholder interests to be within the scope of risk management. In short, risk management should help set objectives as well as achieve them.

References

ISO 31000:2009. Risk management: Principles and guidelines.


Company: The Ridgeway Expertise Company Ltd, registered in England, no. 04931400.

Registered office: 29 Ridgeway, KT19 8LD, United Kingdom.

Words © 2013 Matthew Leitch