Tag Archives: iso 31000

A New Paradigm for Risk Management?

The final draft version of the King IV Report on Corporate Governance in South Africa 2016 places a different focus on the governance and management of risk. It now states that:

“The governing body should assume responsibility for the governance of risk by setting the direction for how risk should be approached and addressed in the organization. Risk governance should encompass both:

  • the opportunities and associated risks to be considered when developing strategy; and
  • the potential positive and negative effects of the same risk on the achievement of organizational objectives.”

The focus is now firstly on “opportunities” and the “potential positive effects” and only thereafter on “negative effects.” The major change in focus, however, is the requirement in paragraph A, where it is stated that opportunities (firstly) and risks should be considered when developing strategy. It is implied that the opportunities referred to are the opportunities brought about by the development of the organization’s strategy. These opportunities can be viewed as “stand-alone” opportunities, or opportunities that were identified without first identifying the risk. This requirement is different from the requirement in the next paragraph, where the positive and negative effects of the same risk should be dealt with.

See also: Easier Approach to Risk Profiling  

The difference in accent is more apparent when the definition of risk contained in King IV is examined. It states that, “Risk is about the uncertainty of events; including their likelihood of occurring and their effect, both positive and negative, on the achievement of the organization’s objectives. Risk includes uncertainties with a potential positive effect on the organization (i.e. opportunities) not being captured or not materializing.” This definition of risk clearly highlights “uncertainties with a potential positive effect.”

Although all commonly used risk definitions, from COSO 2004 to ISO 31000/2009, as well as King III, referred to opportunity or the upside of risk, the concept of risk was generally viewed as something negative, or as the potential downside of a future occurrence. What has exacerbated this misconception was the view that risk and opportunity were opposites. Many documents, including King II, stated that “enterprise is the undertaking of risk for reward,” implying that the greater the risk, the greater the reward. In other words, if everything went well, you had great reward, but if things went badly, you had great risk. This led to the mistaken belief that opportunity is merely the “upside of a downside risk.” This belief assumed that risk and opportunity are inextricably linked. It is now apparent that this notion is not true. It is entirely possible to reduce risk while improving returns. In fact, to survive in today’s world, it is not only possible but essential.

Traditionally, risks were classified and managed in three broad categories, namely hazard risks (so-called pure risks like fires, natural catastrophes, violent attacks, etc.); financial risks (bad debt, currency, interest rates, etc.); and operating risks (IT system failures, supplier interruptions, etc.). The opportunities attached to these risks can be described as reducing the impacts of the downsides, also known as the “silver-lining” opportunities. In other words, every dark cloud (risk) has a silver lining (opportunity) attached to it. Often the opportunities are the exact opposite of the downside risk, viewed as the two sides of the same coin. A good example may be a rise in interest rates, which may be a risk to some people, while being an opportunity to others.

However, when one looks at the King IV definition of risk it is apparent that the achievement of the organization’s objectives is the key element. The key objective of any organization can never only be the avoidance of loss or harm, but must be the optimization of its strategic objectives. This is confirmed by the adage that “a risk is not only a bad thing happening, it is also a good thing not happening.”
Any future uncertainty, which can be opportunity, risk or both, can be classified into four broad categories, namely:

  • Future possible event (Stochastic Uncertainty).
    • This refers to an event that has not happened, and it may not happen at all. However, if it does, it will have an impact on the organization. Most identified risks are like this and include events like new developments, a supplier going out of business, law changes, disasters and the like.
  • Variability (Aleatoric Uncertainty).
    • Some aspect of a task or project is uncertain and may include timing uncertainties, budget variability and the like.
  • Ambiguity (Epistemic Uncertainty)
    • This uncertainty stems from lack of knowledge or understanding of a situation, condition or event. This may include matters like market conditions, competitor capability and the like.
  • Blind Spots (Ontological Uncertainty).
    • This uncertainty exists outside of normal knowledge and experience frameworks and is therefore not seen or expected – the so-called “black swans,” emergent or emerging risks and blind spots.

The traditional method of identification of opportunities as part of the risk assessment process, where the upside of a downside risk is identified, can be viewed as “passive opportunity identification.” These identified opportunities are mostly the direct opposites of the identified risks and fit in well with the view that higher reward requires higher risk – the “two different sides of the same coin” principle. It must be stressed, however, that this method of opportunity identification remains a key component of risk and opportunity management and that it remains important to have it done. Examples of these kinds of opportunities are items such as interest rate movements, exchange rate fluctuations, margin squeeze and the like. In short, it can be described as “risk including opportunity.”

King IV, on the other hand, now requires the governing bodies of organizations to ensure that “active opportunity identification” is conducted. These are the stand-alone opportunities that are not necessarily aligned with any downside risk. These would be the opportunities that the organization needs to pursue to enable it to achieve its strategic objectives. Custodians of this process would normally be the office of the CEO, the strategy director or the research and development department. The opportunity identification and assessment process would be distinctly different, and separate, from the risk assessment process that organizations are currently conducting in terms of King III.

Reporting of the opportunities that are the result of the identification process would be different as well. These reports would not fit the mold of the typical risk report, with likelihood and impact indications, as these metrics are mostly irrelevant to opportunities. The target audience of the report would be different, as the information surrounding potential opportunities are by their very nature confidential and not for wider consumption.

See also: Building a Risk Culture Is Simple–Really  

The key aspect in the risk assessment process that needs careful consideration when conducting opportunity management is that of “appetite and tolerance.” When downside risks are considered in isolation, determining and calculating risk appetite and risk tolerance levels are foundational in the process. These levels do not only refer to financial metrics (gearing, debt levels, cash, etc.) but also to non-financial metrics (level of injuries, negative press, etc.) and are mostly absolute downside risk limits beyond which the organization is not willing or able to venture. These risk limits do not reference opportunity, and the only upside apparent in appetite and tolerance levels would be when those limits are not reached or breached. When dealing with stand-alone opportunities, the organization would determine or calculate what downside limit it is prepared or able to endure to achieve a particular opportunity.

Although the identification and management of opportunities may not be the responsibility of an organization’s risk department, the latter has a role to play and can add significant value to the process. As a result of the methodologies and techniques at its disposal, and as a result of the knowledge and experience of its personnel, the risk department may be able to assist in the process to identify opportunities, may be able to assist in the documenting and evidencing of the results of this process and may be able to assist in the monitoring of the results.

Risk Management, in Plain English

For a while, I have been saying that one of the reasons for the disconnect between senior executives and risk practitioners is the latter’s language.

Leaders of the organization speak in plain English about the achievement of corporate objectives such as earnings, profits and projects.

Leaders of the risk management function talk about risks, impact or consequences and sometimes talk in technobabble about terms that only risk practitioners and statisticians understand, such as “risk capacity,” “alpha” and “residual risk.”

See also: How to Remove Fear in Risk Management

The traditional way of explaining the risk management process is (per ISO 31000):

  • Establish the context
  • Identify risks
  • Analyze risks
  • Evaluate risks
  • Treat risks
  • Communicate and consult (throughout the above)
  • Monitor and review (continuously)

Can this be translated into plain English?

How about this:

  • Anticipate what might happen
  • Analyze the possibilities
  • Ask: Is there a problem? Can we do better?
  • What are the options? Can we improve them?
  • Which is best?
  • Decide
  • Act
  • Review/monitor/learn

I especially like the work anticipate. It’s better than talking about “uncertainty,” another word that risk practitioners understand (I hope) but that executives find difficult.

See also: How Risk Management Drives Up Profits

Isn’t risk management all about anticipating what might happen between where we are and where we want to be?

I welcome your thoughts.

Can we practice risk management in plain English and help leaders make intelligent and informed decisions without even knowing that this is “risk management”?

It’s Time to Revise ISO 31000

With the recent release of a new British standard BS 65000 on organizational resilience and the announcement by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) of a review of its 2001 enterprise risk management (ERM) framework, I believe that business is moving ahead of ISO 31000 as a necessary response to the evolving business environment and accelerating rate of technical change. Therefore, there is a strong case for a taking a fresh look at ISO 31000.

As I’ve stated many times, the pace of business changes and evolution of management systems is accelerating in the 21st century. So, too, has the role of risk management. The ground is continuing to move under our feet. Long a supporter of Martin Davies’ causal approach to risk management, I feel the albatross of risk heat maps and 20th century occupational health and safety (OHS) perceptions of risk are causing business to bypass risk management.

Has Risk Management Been Lost in Operational Risk?

In a recent article by David Vos titled “Ten steps to corporate risk analysis,” he refers to the need for quantitative risk analysis (QRA) and says “only about one quarter of corporate strategic planning departments truly use simulation analysis (the most useful means of evaluating risks), and only a third quantify their risks at all.” This left me dumbfounded, for if risk is the level of uncertainty on objectives, how can any system claim to be managing risk without quantifying it? It leads me to ask, outside banking and insurance, how many people are really “managing” risk as opposed to recording it?

Could it be arrogance, where we have elevated ourselves to the “opportunity and decision making” levels of business, causing us to lose sight of our primary role in the business landscape?

Is the Legal Department Taking Over Risk?

In a recent article, I criticized plan, do, check, act (PDCA) as an outdated, serial approach to continuous improvement, proposing instead realization, optimization and innovations as an interactive real-time approach using mathematical predictive analytics. It seems the usually lagging legal fraternity is advocating a similar approach “that may be used by the legal department for risk management purposes. These innovative uses of available technology can increase the return on investment in the technology and provide an added incentive to move forward with new approaches to risk management.” Is the legal department to become the vanguard for ERM? With legal’s relationship to corporate governance, that is not beyond the realm of possibilities!

Although I am most likely preaching to the converted, we need to change the purpose of risk management from being administrative to being an active, valuable tool. This mandates, at a minimum, a reasonable level of understanding of statistical and analytic mathematics and the realization that an Excel spreadsheet cannot be proactive. As ISO 31000 is the only tool we have to wage this war, and 2009 was a lifetime ago in terms of business practice (basically, before the end of the Great Financial Crisis), I believe it requires a major overhaul or risk becoming irrelevant.

Finally, risking the wrath of the ever-swelling ranks of generalist operational risk consultants out there: However altruistic was the original decision for ISO 31000 not to be certifiable, there is a need to introduce a method of certification to engender value and consistency into the reputation of ISO31000.

My Suggestions for a Revised ISO 31000

As a starting point, I would suggest:

  • Strengthen requirements on risk culture and risk appetite
  • Mandate the use of quantitative risk analysis (QRA)
  • Mandate the use of causal analysis and monitoring
  • Take an active approach to risk management
  • Incorporate BS65000 and resilience as part of ISO 31000
  • Introduce certification to protect the ISO 31000 brandaszzz

What Really Sank the Titanic?

ISO 31000 (Risk Management) and its supporting publications encompass an impressive to-do list of risk management guidelines for organizations. However, if an organization selectively pursues some of the ISO guidelines and ignores others, highly undesirable events — even tragedies — can occur. This is what happened with the Titanic.

ISO 31000, section 4.2, suggests we align risk-management efforts to our objectives. White Star Lines, the Titanic’s builders, fulfilled this requirement. The objectives were to create a luxury liner at the lowest costs, in the least amount of time, and maybe even break the speed record for an Atlantic crossing. These were admirable goals. The Titanic also followed ISO 31000, Section 5.5.1.b., by “taking or increasing the risk in order to pursue an opportunity.” The builders did so because they believed their risks were not extraordinary and could be controlled. This is a common judgment error.


The individual risk opportunities that Titanic pursued were not terribly unusual, but collectively they created a perfect storm fueled by three main, linked, cascading risks:

  1. Ship design shortcomings influenced by cost-cutting efforts
  2. Flaws in rivets
  3. Mistakes in the operation and evacuation of the vessel

ISO 31000, Section 5.4.2, warns us that “Risk identification should include examination of the knock-on effects of particular consequences, including cascade and cumulative effects.” The World Economic Forum, in its 2014 Annual Global Risk Report, highlights cascading and connected risks many times as a serious threat. The report also stated the need for better efforts to deal with such threats by supplementing traditional risk management tools with new concepts, methods and tools.

What are cascading risks?

Cascades can be beneficial, neutral or destructive. We define cascading risks as a series of interacting risks that emanate from leadership (aces) through the work culture (kings) and work processes (queens) that create bad performances (jacks) and negative feedback loops (jokers) back to leadership. Leaders then either apply learnings in creative ways or ignore the cascade signals, which can lead to disasters. Detailed cascading risk analysis can aid in minimizing such risks.

Cascade #1 That Threatened the Titanic – Inadequate Design

The Titanic’s design was not unsinkable, as was widely publicized at the time. It had many “watertight compartments,” but they were open at the top, like an ice cube tray. It had far too few lifeboats, a result of cost-cutting efforts during the design phase. It had a double bottom, but that did not extend up to the waterline, where the iceberg sideswiped the ship. This design flaw was quickly corrected on the Titanic’s sister-ship, Britannic, which was still under construction at the time of the Titanic’s sinking.

The Titanic’s builders claimed that it was constructed considerably in excess of the Lloyds registry safety requirements. Therefore, they never saw the need to seek Lloyd’s registry approval. However, Lloyds disputed that claim publicly after the Titanic sank.

Cascade #2 That Threatened the Titanic – Bad Rivets

The Titanic required 3 million rivets to hold her together. Archives tell us that, at that time, there was a shortage of riveters and the necessary materials to create high-quality wrought iron rivets. White Star’s competitors converted to 100% steel rivets, which were much stronger.

The Titanic used steel rivets in the straight section of the hull but not in the front, where the iceberg hit — wrought iron rivets were easier to rivet by hand than steel rivets in those sections. The recovery of the Titanic’s wreck from the sea floor confirmed the low quality and brittleness of the rivets in the impact areas. Higher-quality rivets would have kept Titanic afloat longer and saved more passengers.

Cascade #3 That Sank the Titanic – Operation and Evacuation Errors

The Titanic was cruising near top speed, which was very risky on a moonless night through an area with active iceberg warnings. Just hours before the disaster, the captain canceled a lifeboat drill for no apparent reason. It was suspected that the captain was attempting to break a cross-Atlantic speed record. That recklessness and the collision with an iceberg sealed the Titanic’s fate. Her brittle rivets in the impact area popped off and allowed water to rush into the hull. The Titanic sank in less than three hours. 1,502 people perished after a disorganized evacuation filled the far-too-few lifeboats to just 61% of capacity.


Although ISO 31000 attempts to protect us from ourselves and the outside world, we cannot be selective in what we implement. We need to follow all of the guidelines and even test areas that we believe are safe. We must also heed ISO’s challenge to examine cascading and cumulative effects. Effective risk-based thinking must include cascade effect thinking.

A Better Way to Think About Reputation Risk

A new survey by Deloitte reinforces the obvious truth that a smart CEO and her board will nurture the organization’s reputation because it is critical to success (in almost every case). The survey states one other truth that should be obvious to us all: “Reputation risk is driven by other business risks.” As Miriam Kraus, a senior vice president at SAP responsible for its risk management program, is quoted as saying in the report: “Usually, reputation risks result from other risks. For example, noncompliance with applicable laws and regulations, misconduct of senior management, failure to adequately meet our customer’s expectations and contractual requirements. All of these could lead to civil liabilities and fines, as well as loss of customers and damage to the reputation and brand value of SAP, to just mention a few.”

But, while the paper has many interesting numbers and charts, I think it leaves much left unsaid.

I wish that Deloitte had advised that when decision-makers assess risks they should consider the potential impact on the organization’s reputation (which can be good, bad or neutral) and add this to the assessment of other (more direct) potential effects.

It should be noted that the likelihood of a significant impact on reputation arising from, say, a safety issue is not necessarily the same as the impact from fines, lost time and so on. In addition, the impact on reputation may be positive while the impact on, say, cash flow is negative! For example, the decision to divorce the organization from a supplier who is found to have broken the law may raise costs and disrupt delivery of product to the market – while enhancing the reputation of the organization.

I also wish that Deloitte had made it clear that organizations need to understand what is most likely to have a significant impact on their reputation. While Deloitte mentioned a few important areas, it omitted situations like failures (or excellence) in customer service, the help desk, public statements (including on social media), responses to media and regulators’ inquiries, announcements about plant closures and so on.

I believe it is important to identify the more significant drivers of reputation value, both the potentially positive and negative, so that they can be monitored and treated when appropriate, to optimize reputation.

Monitoring is key, and Deloitte has a sidebar that talks to some of the ways to do this. Deloitte calls the process risk-sensing.

One aspect that I didn’t see mentioned is that an organization’s reputation can be affected by the actions of third parties – without any stimulus from the organization. For example, from time to time, statements are made by the CEO of Oracle that are intended to attack the reputation of SAP, its primary competitor. The organization that is attacked needs to know what is happening and assess whether a response would help or hurt.

In the same way, when there is violence in some part of the world, people look to the U.S., EU, and others for a reaction. It’s not only the action that can affect reputation but the failure to act.

When the media find that there have been an unusual number of apparent failures in a model of automobile, the failure of the manufacturer to react can be as damaging as or more damaging than a poorly worded press statement.

Actions by third parties that are part of the extended enterprise (suppliers, channel parties, agents and even customers) can affect reputation. They need to be identified, assessed and monitored closely, as well.

Reputation risk is critical. While Deloitte doesn’t make this clear, because so many decisions and actions can impair or improve the organization’s reputation, it is essential that the impact on reputation be considered in pretty much every decision, from strategy-setting to the daily operation of the business.

Every manager and decision-maker — not just the chief risk officer — needs to own the risk.

One final point: One of the reasons I like the ISO 31000:2009 global risk management standard is that it doesn’t limit the risk management discussion to preventing bad things from happening. Every organization needs to pay attention to the ways in which it can build and grow its reputation, not just protect it.

Do you agree?

I welcome your comments and perspectives.

This article was first published on:  Norman Marks on Governance, Risk Management, and Audit.