Advanced complexity and severe unpredictability pose an existential threat to the global standard, writes Warren Black, HDR candidate at Australia’s Queensland University of Technology
We live in a world that is evolving faster than most of us can keep up. Just as we get a handle on one concept, it evolves into something new and we have to embrace the learning curve all over again. Over the past decade in particular, our world has become increasingly technology-driven; it has also become exponentially more dynamic, complex and unpredictable.
The only constant now is change and everything must become obsolete eventually. Which begs the fairly reasonable question: in a world defined by its advanced complexity and severe unpredictability, has a risk management standard that encourages its practising officers to predict risks become obsolete?
WITH NOBLE INTENTIONS ALL THINGS BEGIN…
ISO 31000 was established in November 2009 by the International Organization for Standardization (ISO) to bring consistency to global risk management understanding and practice. Since then, it has become acknowledged as the international risk management standard. Numerous organisations, institutions and governing bodies have adopted ISO 31000:2009 as the basis upon which they endeavour to control their material risks. As a result, almost all ‘better practice’ risk management frameworks, risk functions, risk management plans and practising risk officers are expected to demonstrate a sound understanding of the ISO 31000 approach.
BUT ISO 31000 HAS COME UNDER REVIEW…
ISO 31000 started out with the noble intention of helping organisations and their practising risk officers to control material risks better, but seven years later it is under review, both literally and figuratively.
The literal review: ISO standards come up for revision every five years and in March 2015, an ISO working group assembled in Paris with the intention of identifying those areas of ISO 31000 that require further development. A revised standard is expected in late 2016 and although it has not yet been confirmed what amendments will be incurred, it is understood that most of the amendments will be designed to improve the internal terminology as well as the in-principal guidance offered by the standard.
The figurative review: As part of my own higher degree in research into ‘controlling risk in complex project environments’, I have been involved in an extensive review of all the current academic arguments and published literature in the field of complex project risk management. After 18 months, I can confidentially state that there is an abundance of published literature available, both advocating and questioning the merits of the conventional risk management approach, such as that endorsed by ISO 31000.
Although I don’t claim to have reviewed every piece of available literature on this topic, it is evident that there are noticeably more published academics questioning the effectiveness of the ISO 31000 approach than endorsing it (not unusual in the academic world).
Regardless, what is clear is that the invested risk community has spent the past seven years testing the ISO approach and a seed of doubt has emerged as to its suitability in operating environments which are highly dynamic, complex and uncertain.
Consider the following four observations gained during my research literature review journey (see inserted boxes).
Despite ISO 31000’s success in bringing global uniformity and better definition to the art of risk management, the current version appears to advocate for a control method that assumes all material risks are proactively identifiable and measurable – but they are not.
As environmental complexity and uncertainty increases, predictability decreases, and so too the ability to proactively identify and measure material risks.
With this in mind, industry needs to either become more aware of the potential limitations of ISO 31000:2009 or the standard itself needs to be upgraded so as to better address the unique influences that complexity, uncertainty and dependency have on the art of risk management.
OBSERVATION 1: IN GOD WE TRUST… BUT ALL OTHERS MUST BRING DATA!
What qualifies ISO 31000 to be considered as the international standard in risk management? The designation implies some absolute, empirically tested and scientifically validated law of nature is in place, but this is not necessarily true.
There appears to be no universally accepted data demonstrating that the ISO 31000:2009 approach actually works in improving an organisation’s exposure to material risk. Hence to call it ‘the standard’ has become a contentious issue among some of the purists.
In fairness, a large number of accepted studies do exist that show a correlation in the improvement of general risk proactivity, accountability and awareness in those organisations that have adopted ISO 31000, but in almost all cases, it could be argued that this measurable improvement was actually an outcome of changes in the organisation’s broader attitude towards risk management.
That is, it was observed that ISO 31000 was merely one of a diverse range of risk initiatives adopted by the organisational leadership and its stakeholders – thus to single out ISO 31000 as the sole saviour is perhaps no more than optimism bias.
Also, if ISO 31000 is indeed ‘best practice’, then why have the rates at which corporates (and large- complex projects) continue to fail not improved?
Consider that in the past three years, since the global commodities depression of 2014, organisational failure rates in the natural resources, infrastructure and engineering sectors (as well as all their related service industries) have increased significantly, with trillions of dollars in shareholder value being lost, as well as millions of jobs being dissolved globally.
Case in point: by the end of the 2016 financial year, almost all of the major globally listed mining, oil and gas companies were reporting significant losses in shareholder value, FTE employment and growth capital spend. In turn, many natural resource-dependent economies are now in recession.
In many cases, ISO 31000 was the accepted industry risk control standard; so why did the ‘standard’ not help mitigate such widespread industry failure?
Could it be that the ‘standard’ needs further development to suit the modern context?
OBSERVATION 2: THE UNCERTAINTY PARADOX
ISO 31000 defines risk as “the effect of uncertainty on objectives”, yet ISO in its current form is not designed
to address uncertainty. If anything, the current ISO 31000 risk control approach is highly dependent on certainty, which makes it problematic in such an uncertain world.
Consider that ISO 31000 encourages its practising officers to control risk in a linear step-by-step approach whereby they should first establish the context, then identify the potential risks, then assess these identified risks and then adopt suitable control solutions per assessed material risk. In brief, ISO 31000 advocates for a systematic ‘predict and process’ approach to risk control, which has now become fairly common across industry.
Now, this approach in itself is not an issue. What is an issue, however, is that such an approach relies heavily on the surrounding environment being predictable, linear and rational (i.e. certain).
After all, how else can one effectively identify, quantify and control sufficient numbers of material risks in a step-by-step manner?
Unfortunately, modern-day operating environments are far more likely to be dynamic, deviant and irrational (i.e. uncertain) and therefore it is questionable what value a systematically linear ‘predict and process’ approach offers in highly dynamic and uncertain operating environments.
Also, ISO 31000 in its current form neither acknowledges nor offers any insight into how organisations might better control those risks that are simply unpredictable. The existence of ‘black swans’, ‘wicked risks’, ‘unknown unknowns’, ‘rogue waves’, ‘complex uncertainties’ and other unidentifiable risks have long been acknowledged by both industry and academia, but despite this, ISO 31000 endorses a control method which requires material risks to first be identified?
The very existence of uncertainty requires an acknowledgement that not all risks can be known (or predicted) – and if not all risks can be known, then should ISO 31000 continue to advocate for a risk control methodology that requires its practising risk officers to first identify risks in order to then control them?
Surely attempting to proactively identify (aka predict/forecast) risks is completely contradictory to the very definition of uncertainty?
OBSERVATION 3: THE RISE OF COMPLEXITY
As discussed, ISO 31000 defines risk as “the effect of uncertainty on objectives” and most of the reviewed literature appears to support this premise. However, many of the more current publications appear to take this a step further and advocate that risk is an outcome of complexity as well.
The rise of complexity as a driver of risk is not necessarily a new generation ideal, but it does appear to have gained significant momentum in the published works, over the past decade in particular. Presumably this is in response to increasing industry challenges, which appear to be due to our operating markets becoming highly complex and severely unpredictable in the technology-driven age. More and more global risk exposures are being attributed to complexity and as a result, both industry and academia wish to better understand the relationship and its associated phenomena.
Many authors appear to agree that modern-day risk management techniques are not suited to address the specific needs of highly complex environments. The general view is that most practising control standards (e.g. ISO) cater for a median level of complexity and tend to offer a foundation view of their topic, designed to meet the mental capacity of the learning practitioner. Such standards and methodologies fail to demonstrate the specific requirements that come into play when complexity increases beyond the median.
In fact a new generation of complex risk thinkers appears to be emerging, who advocate that the manner in which risk is to be controlled in complex environments is noticeably different from the risk practices advocated by conventional industry standards. Complexity breeds all sorts of unique and interesting phenomena, which simply cannot be covered by a ‘one-size-fits-all’ or systematic ‘step-by-step’ approach.
A trait of advanced complexity is the accompanying levels of unpredictability. Hence, this new generation of complex risk thinkers advocate that risk management models based on prediction instead of maturity, agility, resilience and adaptation are no longer suited to today’s complex challenges. Attempting to predict risks should not be the only way to confront threats – maturing controls, developing resilience, integrating effort and learning how to address the unknown should all have an equal standing in the new era.
Many of the reviewed authors advocate for an industry call to arms whereby governing bodies, invested organisations and practising risk practitioners need to start recognising and catering for the unique needs of highly complex operating environments. That is, a need exists to start enabling the next generation of advanced, complex risk officers. Already the governing bodies in other comparable industries, such as project management, safety and quality control are starting to generate and publish advanced methodologies that cater to the specific needs of their most complex applications.
In light of this new age of complexity, as well as the early rise of complex risk management practices, shouldn’t the governing body that oversees the international risk management standard follow suit, particularly in light of the fact that those organisations that require the most rigid risk solutions are often those that are the most complex?
OBSERVATION 4: THE SMALL MATTER OF CRITICAL DEPENDENCIES
ISO 31000 has gained traction across almost all industries. Unfortunately, the 2009 version appears to have created a perception that the ISO risk management process by itself is an enterprise-wide risk solution.
This is simply not true.
Much of the current criticism appears to be centred around a (perceived) lack of acknowledgement by ISO of other critical risk controls such as:
1. The need to establish a decision-making framework to provide oversight of matters of entity-wide performance and risk (governance)
2. The need to manage risk within clearly defined tolerances (appetite)
3. The need to proactively mitigate risks through a robust strategy and effective business plans (planning)
4. The need to enable effective control systems to manage performance (systems)
5. The need to mature, test and validate critical risk controls (assurance)
6. The need to embed a culture that promotes greater accountability and awareness for risk (culture)
Some have argued that the absence of any of these individual risk controls yields an exponential reduction in total organisational risk effectiveness, as they are all ‘critically dependent’ on each other.
That is, no one risk control can achieve an independent state of effectiveness without interdependent support from the others. As a result of these observations, the new generation of complex risk thinkers advocate firmly for a holistic, integrated and enterprise-wide approach to risk management that considers all the control criteria required to enable a total risk solution.
The current version of ISO 31000, however, offers very little insight as to the other critical dependencies that exist when attempting to establish a fully integrated and enterprise-wide risk solution.
In so doing, it subconsciously promotes the flawed perception that enterprise- wide risk management is dependent on nothing more than a risk identification process.