ISO risk management standard not needed, says FERMA

A formal international risk management standard, especially with an externally verified compliance regime, is undesirable and would not benefit European companies, according to a position paper issued this week by FERMA on proposals by the International Organization for Standardization (ISO) to create an ISO risk management standard 2009.

FERMA believes an ISO standard would be too inflexible for such a broad discipline as risk management, which is extremely complex and varied in its application. The position paper states that “great caution is required in the development of an ISO standard on risk management.” Instead, it urges the use of a term such as “reference guide, framework, general principles or list of best practice” to describe the document which ISO is developing. FERMA says it would support a generic guide entitled “Risk management system: essentials, principles and terminology.”

Among the disadvantages of an ISO standard from a candidate’s perspective, says FERMA, are substantial internal and external resources needed to implement and maintain the standard, which may have a serious effect on competitiveness, and considerable additional paperwork, without commensurate benefits.

“experience has shown that compliance with a standard has never guaranteed totally satisfactory performance

Nor do such standards necessarily accomplish everything they seem to offer, says FERMA. According to the position paper, industry has already accepted compliance with standards in areas such as quality, environment and safety, which are risk management areas. It continues, “However, experience has shown that compliance with a standard has never guaranteed totally satisfactory performance. Accidents continue to happen and product liability claims continue to occur. Compliance with an ISO standard can, therefore, give a false sense of security to regulators, clients, shareholders and third parties. This is often aggravated by a certification process which is not always objective and varies greatly from one country to another.”

Representatives of European risk management associations have disputed the need for an ISO standard since the idea was proposed a little over 10 years ago. Instead, they have promoted the idea of guidelines which are, in ISO terminology, less stringent than standards. In the meantime, a variety of standards or standard-like documents, have been developed to address specific risk management areas and received wide acceptance.