Developed over a four-year period from 2004 to 2009, ISO 31000 has become the national ERM standard in over 50 countries and has been translated into 23 languages. The story of ISO 31000, however, begins in 1992 when Standards Australia announced the first public enquiry on the feasibility of creating an ERM framework. This article begins by sharing the important work between 1992 and 2004 in Australia and New Zealand that would serve as the foundation for ISO 31000.
“Watson, look up at the sky and tell me what you see.” “I see millions of stars, Holmes,” replies Watson.
“And what do you deduce from that?” Watson ponders for a minute.
“Well, astronomically, it tells me that there are millions of galaxies and potentially billions of planets. Astrologically, I observe that Saturn is in Leo. Horologically, I deduce that the time is approximately a quarter past three. Meteorologically, I suspect that we will have a beautiful day tomorrow. Theologically, I can see that God is all powerful, and that we are a small and an insignificant part of the universe. What does it tell you, Holmes?”
Holmes is silent for a moment. “Watson, you idiot!” he says. “Someone has stolen our tent!”
- Jill Lawless, The World’s Funniest Joke, Associated Press & CBS Evening News, October 3, 2002.
One of the big challenges facing business leaders who want their organizations to adopt ERM is knowing where to begin and how to avoid falling into the trap of using something that is filled with indecipherable jargon or technobabble. An even bigger trap for business leaders is reliance on the advice of a high-priced consultant who projects an air of competence simply to be able to tell the board and the public that they don’t deserve blame when ERM processes fail. “It’s not our fault! We relied on the smartest, best and most expensive advice we could find!”
To avoid the technobabble trap, we think it’s important to know the salient history of the most cited ERM framework, which is the International Organization for Standardization Standard 31000, better known as ISO 31000. What is ISO 31000? How was it developed? In the legal profession, this kind of inquiry is called originalism, which is an umbrella term for interpretative methods such as ascertaining the original intent or original meaning of the U.S. Constitution. To understand the original intent or original meaning of ISO 31000, we must go back to Australia and New Zealand in 1992, where the ISO 31000 concepts originated. If we walk in the shoes of those who created the ERM model that became ISO 31000, we can identify key points and lessons that help us remember the “big stuff” when we design and implement our own ERM practices.
Before delving into the history of ISO 31000, let’s linger for a moment on what it means to remember the “big stuff.” The most important aspect of the “big stuff” is epistemology, which is the study of how people come to know things – e.g., what counts as truth or evidence and how we accumulate knowledge, all of which is critical to learning to thrive in uncertainty. Consequently, an ERM framework that is grounded correctly is built on epistemological principles that comprise a cosmopolitan and consistent approach, organization wide. In other words, the organization and the greater world are viewed as a single community that is held together by a shared morality and governing principles. “Big stuff” also means effective communication of knowledge across the organization. An organization can only keep learning to thrive in uncertainty when its people are able to continuously build and develop a shared body of knowledge of how things work or should work. Think back to our earlier discussions of Paul O’Neill (best example in the business world) and Stanley McChrystal (best example from the military) and the risk management models they built in the organizations they led.
Turning back to ISO 31000, the story begins in 1992, and our ability to share the story is due in large part to Kevin Knight of Australia. Knight was kind enough to share his records and his memories so that we could preserve the early history of ISO 31000. Risk management history buffs know that Knight was a founding member of the Joint Technical Committee known as OB/7 that was created by two organizations: Standards Australia and Standards New Zealand. Before turning to the work of OB/7 that produced the first standard ERM model known as AS/NZS 4360, it’s useful to know something about Knight’s personal story, as it is instructive for many risk management professionals who work in traditional positions but aspire to play a larger ERM role within their organizations.
At the start of his career, Knight spent many years working in various public service positions in Australia, including what was a security-oriented risk management role for the Australian Postal Corporation. During this experience, Kevin learned that risk management for security had less to do with insurance and much more to do with helping line managers become more effective at managing security risks within their sphere of influence. Kevin credits two executives for teaching him that his primary responsibility as risk manager was to provide support to the appropriate person or entity with the accountability, authority, and resources to manage risk. Knight also recalls the creation of a Risk Management Committee whose purpose was to identify the significant risks facing the viability of the enterprise and then to consider how and by whom such risks would be managed – i.e., who would be the risk owner – a concept that would become embedded in both AS/NZS 4360 and ISO 31000.
Wanting Knight to keep growing professionally, his superiors encouraged him to join the Association of Risk and Insurance Managers of Australia (ARIMA) to learn more about the management of risk. Initially Knight was disappointed by the experience because ARIMA was focused on insurance-related tasks, but two fortuitous events occurred. First, he met a few members employed by international companies that were starting to think of risk management as a broader ERM-related activity that required committed involvement of line managers and senior leadership. Second, in 1992, ARIMA asked Knight to respond to an enquiry from Standards Australia directed to a range of government, academic and professional bodies.
Specifically, the enquiry asked whether it was feasible to develop an ERM standard and whether there were sufficient volunteers willing and able to do the work. In what would become a life-changing event, Knight said “yes” on behalf of ARIMA and he was selected as one of ARIMA’s representatives to become part of the Technical Committee known as OB/7.
In the next section, we will examine the history of OB/7’s work from 1993 to 2004 that resulted in the creation of the ERM standard known as AS/NZS 4360 which, in turn, would become ISO 31000.