Over the last 30 years, several different fields have attempted to devise frameworks to help organizations manage risk and uncertainty in a holistic way. In this article, we begin to look at the contributions from the international field of standardization which culminated in the creation of the ERM framework known as ISO 31000.
“We do not first see, and then define – we define first and then see.”
- Walter Lippmann, Public Opinion (1922).
“Wisdom remains; theory passes.”
- Walter Lippmann, A Preface to Politics (1913).
Walter Lippmann was among the most gifted and influential American political journalists of the 20th century. Much of Lippmann’s work focused on the democratic system of government; he thought incessantly about how to make it work better. His primary concern was whether the public could govern itself intelligently and he spent his life wrestling with how to help the public become more informed so that the country could reach better-reasoned conclusions about the issues of the day. Lippmann’s lifelong objective of improving decision-making within a democratic society is a useful reminder, by analogy, of the equally important task which confronts business leaders - determining what kind of enterprise-wide risk management framework best enables their organization to thrive in a state of uncertainty.
A serious effort to create an ERM framework should start with understanding the contributions of the profession devoted to the work of standardization. Standardization as a profession dates back to the ancient civilizations of Babylon and Egypt and the desire to create a single reference point for weights and measures. One view of standardization is that it is a way to solve repeated problems or, even better, to arrive at a shared truth. That is, standardization is a way to bring various fields together to collaborate on solving a problem and then record the solution (the standard); it is essential to managing the simple and complicated forms of uncertainty, which by their very nature involve repetitive tasks (e.g., baking a cake is a simple risk; building an airplane is a complicated risk).
Standardization of freight containers is a good example of how standardization can be interdisciplinary and transformational. With the advent of the steamship and railroad, it became inexpensive to ship things over long distances. However, the challenge was getting cargo on and off the ship or train in a systematic way. Thanks to the coordination of experts from various transportation companies (shipping, railway, trucking, etc.), public authorities responsible for transportation, and port and railway operators, ISO freight container standards were devised. Malcolm McLean, who contributed to this effort, described the impact on the shipping industry this way: “a London dockhand told me that in 1970, it took 108 guys about five days to unload a timber ship; with containerization, the comparable task today takes eight folks one day.” (International Regulatory Cooperation and International Organizations: The Case of the International Organization for Standardization (ISO) at 12 (OECD/ISO 2016)).
The global organization for standard setting is known as the International Organization for Standardization (“ISO”), which was created in 1946 through the union of two organizations. One was the International Federation of the National Standardizing Associations (“ISA”), established in New York in 1926 and administered from Switzerland. The other was the United Nations Standards Coordinating Committee (“UNSCC”), established in 1944 and administered from London.
The basic idea of postwar international standardization was to evolve international standards from those already evolved nationally, and then to re-implement them nationally. The overarching purpose of these voluntary international standards is the development and maintenance of global trade, which depends on products and services conforming to the minimum standards set internationally. In effect, ISO standards serve as indicia of rules and best practices at the international level. ISO is headquartered in Geneva, Switzerland, and more than 160 countries participate in it. It functions like a federation in which representatives of various countries serve on technical committees that develop the standards.
Naturally, the initial areas addressed by ISO after the Second World War concerned the fields of mechanics and chemistry, which accounted for 50% of the standards promulgated by the 1970s. As other technologies and fields emerged, ISO’s scope of work expanded (e.g., nuclear energy in 1956, environmental air and water quality in 1971, solar energy in 1980, and standards for quality management and environmental management in the 1990s). (See generally Friendship Among Equals, Recollections from ISO’s First Fifty Years (ISO 1997)).
As mentioned, the work of creating a standard is done through technical committees composed of volunteer experts from a variety of industries. The process of creating the ISO standard 31000 for risk management began in 2004, at which time representatives of 29 countries, including the United States, worked within an ISO technical committee. Published in 2009, ISO 31000 is a group of non-prescriptive, non-compulsory guidelines intended to serve as a centralized global framework and reference tool to help organizations think about their own risk management framework and processes. A benefit of a centralized ERM framework is that it builds institutional capacity for broader discussion and allows for participation within a larger community that can capture and share risk management practices from various industries, fields of expertise, and regions of the world, each of which has its own methodologies and paradigms for managing risk. The exposure to a broader community also allows individual practitioners to leverage knowledge obtained from that experience to improve ERM practices and procedures within their own field or organization.
Often, work on an ISO standard starts at the national level within a particular country and then moves to the level of becoming an international standard. This is true of ISO 31000, which originated in Australia and New Zealand, the two countries that led a focused effort on creating a generic ERM standard from 1992 until 2004, when Standards Australia and Standards New Zealand approached ISO about the development of an international ERM standard, which was released in 2009. Thanks to the help of Kevin Knight, Dale Cooper and Grant Purdy, all of whom served on the Standards Australia/Standards New Zealand Joint Technical Committee on Risk Management (OB-007), we will get a detailed look at the history of the predecessor ERM standard to ISO 31000 in the next section.