Kevin Knight, a pioneering figure in risk management, joins us from Australia to share the history of ISO 31000, the best known standard for enterprise risk management. In Part I, Kevin shares some insights from his involvement in creating the first national standard on ERM in the 1990s and how AS/NZS 4360 became ISO 31000.
After leaving school, I spent a few years in private industry in a variety of administrative roles until I became employed in the Australian Public Service. My first public service position was with the Department of Civil Aviation. My focus was personnel and physical security related work which I would go on to do with a number of Commonwealth Departments, all of which kept me gainfully occupied for some 25 years. My final years were with the Department of Education in the State of Queensland as their Risk Management Coordinator.
An aspect of my public service career related to the acquisition of security related equipment which was very focused on buying prescribed items rather than determining what was the most cost-effective way of ensuring that security requirements were met. Changing the way that public service works is difficult in the best of times; in the security area, it is significantly more difficult. It was around this time that I came across an article in Security Management magazine that talked about applying a risk management approach to security that had nothing to do with insurance. Instead, the approach focused on defining what it was that had to be secured or protected and then working out the most cost-effective way in which it could be achieved. The other significant feature was that it called for risk to be managed by line managers. This way of thinking convinced me that my risk management responsibilities should be focused on helping leadership be accountable for the management of security risks with my role being to assist leadership in finding the most efficient way they could meet their key objectives.
How did your career in risk management evolve and what kinds of work did you perform before getting involved in the creation of standards for risk management?
In 1975, the Queensland division of the Australian Postal Corporation put me in charge of their security function as well as the investigation and prosecution of criminal activities against the postal service. In order to ensure we were meeting the needs of the enterprise, I obtained the approval of the State Manager for the establishment of a Protective Security Committee. Chaired by the Deputy State Manager and other direct reports, the Committee reported to the State Manager. The role of the committee was to ensure that line managers managed security in a cost-effective manner that protected the security of the enterprise and its reputation. Following a year or so of talking to the Chairman about the concept of the management of risk, we changed our committee from Protective Security to the Risk Management Committee and its scope expanded to identifying the significant risks facing the viability of the enterprise and how and by whom they would be managed – i.e., who would be the risk owner.
It was also decided that I should get involved with the Association of Risk and Insurance Managers of Australia (ARIMA) to learn more about the management of risk. Initially, I was saddened because ARIMA seemed to be concentrating on insurance, but fortunately, I was able to swap experiences with the few members from international companies that were starting to think of risk management as a broader activity that required involvement of line managers and senior leadership. My management wanted ARIMA to be a source of my professional development, so I became very active to the point that I became a Director of ARIMA. As an ARIMA Director, I was asked in 1992 to respond to an enquiry from Standards Australia directed to a range of government, academic and professional bodies about the feasibility of developing a national standard on risk management and the availability of volunteers willing and able to do the work. We said “yes” to the enquiry and I was nominated as one of ARIMA’s representatives to work on the project. Saying “yes” has become a 27-year journey looking for a destination!
Looking back on your career, what professional values or principles are most important to you and how did these values influence your work?
The first two State Managers I worked for at Australia Post were great teachers. From them, I learned the principle that line managers manage their part of the business and to do this, they need the delegations and resources that will enable them to meet their accountabilities. Non-line managers, like the positions I held, are there to provide advice and services to the line managers to assist them in meeting their accountabilities. This important principle is embodied in the definition of the term risk owner as contained in ISO Guide 73:2009 ("person or entity with the accountability and authority to manage a risk"), published some 30 years after it was taught to me. The challenge with this principle is that success is very dependent on senior leadership at the top of the organization who must actively promote and support implementation. In other words, the management of risk only thrives when actively supported by the board and top management. No amount of regulation or legislatively imposed accountability is an adequate substitute, as evidenced by the 2008 financial crash.
I am especially pleased that AS/NZS 4360 and ISO 31000 both encourage a holistic approach to the management of risk by the risk owner. Within Education Queensland, I was able to explore this further by developing the application of the AS/NZS 4360 risk management techniques for the benefit of students who had behavioral problems arising from intellectual and other impairments. It was very satisfying to see these students receive the support they needed to help them develop to their full potential.
The second and third parts of our interview will focus in detail on the development of standards for risk management both in Australia and internationally. Looking back, what are some of the seminal moments in the development of standards for the field of risk management?
The first seminal moment would have to be the movement that began in the early 1990s to develop models for managing risk across an enterprise or organization while doing our best to live up to the ISO principles of consensus-building and collaboration that takes into account all views, an industry-wide perspective, and volunteer involvement. Credit for the first institutional model of risk management belongs to Norway who in 1991 published the Norsk Standard NS5814:1991 “Krav til risikoanalyse” (Norges Standardiseringsforbund (NSF), Oslo, Norway). Fortunately, it was bilingual and contained a brief 14 pages of Norwegian–English text with an extra full-page diagram depicted below:
Another seminal moment would be the effort of Australia and New Zealand to develop a risk management model which became known as AS/NZS 4360:1995 - Risk Management. This effort took three years of work by the Standards Australia/Standards New Zealand Joint Technical Committee OB/7, which brought together some 27 members representing 21 industry, professional and government (federal, state and local) organisations. A strength of AS/NZS 4360 was the deliberate decision of the Committee that the standard be an instrument for general application. Our Committee firmly rejected the temptation to confine the standard to insurance-related corporate risk so the generic process could work for the management of risk, regardless of industry or economic sector. Looking back, the whole process of creating the original AS/NZS 4360:1995 standard for ERM was truly ground-breaking.
Here is a short history of what happened in our country after the publication of AS/NZS 4360. Our Joint Technical Committee (OB/7) began work on industry specific handbooks and/or guidelines for the application of AS/NZS 4360:1995 to such topics as risk financing, the public sector, outsourcing, the environment, business continuity management, and healthcare among others. This activity, in turn, led the OB/7 Committee to revisit the Standard itself in 1998, resulting in its reissuance as AS/NZS 4360:1999. Published in March 1999, the revised standard was evolutionary rather than revolutionary in that it retained much of the shape and content of AS/NZS 4360:1995.
Standards are required to be reviewed at least every five years, so in 2003 the OB/7 Committee turned its attention to an in-depth review of AS/NZS 4360:1999. A subcommittee of OB/7 developed a draft document incorporating comments provided from a wide range of submissions from practitioners, which was then addressed by the full Joint Technical Committee. The draft document also incorporated the terminology from ISO/IEC Guide 73:2002 Risk Management - Vocabulary - Guidelines for Use in Standards. The resultant AS/NZS 4360:2004 was again evolutionary rather than revolutionary, with much of the shape and content of AS/NZS 4360:1999 being retained.
What three or four books would you recommend that every business leader interested in risk management should be familiar with?
Here are my favorite books for students of risk management:
Against the Gods: The Remarkable Story of Risk. Bernstein, P. 586 pages. 1998. John Wiley and Sons, Inc., Hoboken, NJ, USA. ISBN 978-0-470-49908-5.
Enterprise Risk Management: An Introduction and Overview, in Enterprise Risk Management. Fraser, J. and Simkins, B.J. 577 pages. 2009. John Wiley and Sons, Inc., Hoboken, NJ, USA.
ISO 31000 - Risk Management - A practical guide for SMEs. International Organization for Standardization, the International Trade Centre, and the United Nations Organization for Industrial Development. ISBN 978-92-67-10645-8. Available through: http://www.iso.org/iso/publication_item.html?pid=PUB100367
The Security Risk Management Body of Knowledge. Talbot, J. and Jakeman, M. 471 pages. 2008. Risk Management Institution of Australasia. ISBN 978-0-9804777-0-2.