Long before the COVID-19 pandemic, the field of standardization worked to develop a useable framework to help organizations manage risk and uncertainty in a holistic way. This article traces the conversion of AS/NZS 4360 to ISO 31000 which began in the late 1990s with an interim step to build a basic vocabulary of terms associated with managing risk.
“You can’t build a vocabulary without reading. You can’t meet friends if you … stay at home by yourself all the time. In the same way, you can’t build up a vocabulary if you never meet any new words. And to meet them you must read. The more you read the better.” - Rudolf Flesch, Author of Why Johnny Can’t Read (1955).
The previous sections told the story of how the ERM standard known as AS/NZ 4360 was developed between 1992 and 2004. After AS/NZS 4360 was revised in 2004 as part of a routine revision performed every five years, the Joint Standards Australia/Standards New Zealand Technical Committee known as “OB/7” joined with Japan to ask ISO to promote the development of an international standard for enterprise risk management. In June 2005, the ISO Technical Management Board (“TMB”) established a working group from 25 different countries. Given the decade of experience behind AS/NZS 4360, it became the first draft standard of the working group and four years later, in 2009, AS/NZS 4360 became ISO 31000.
It is not well known, however, that the effort to convert AS/NZS 4360 to ISO 31000 actually began in 1995, shortly after publication of the first version of AS/NZS 4360. These early conversion efforts in 1995-96 proved unsuccessful because there was insufficient international momentum and consensus to develop an ERM model that was inclusive of existing ideas and approaches by those working in fields commonly associated with risk management such as safety and insurance. Undeterred and wanting to collaborate and learn from others, the OB/7 Committee approached the International Electrotechnical Commission (“IEC”) which, in 1996, expressed interest. The IEC is a sister organization of ISO that prepares and publishes international standards for electrical, electronic and related technologies.
The specific part of IEC to express interest in working with the OB/7 Committee is known as IEC Technical Committee 56 (IEC TC 56), which is dedicated to the study of dependability management (defined as the practice of coordinating the reliability, maintainability, supportability, availability and other related aspects of performance). Here, within IEC TC 56, the OB/7 Committee found interest because IEC TC 56 had already been working on standards for project-based risk management. Accordingly, in 1996, AS/NZS 4360 became a New Item Work Proposal of IEC TC 56. Meanwhile, at the urging of the Japanese Standards Association, ISO continued to debate in 1997 and early 1998 about whether to pursue the creation of an ERM framework. As mentioned, much of the deliberations were about whether an ERM framework was necessary in light of preexisting work on safety and insurance. Moreover, there was also concern that an ERM framework could be potentially misused by organizations more interested in selling certification-related services than facilitating internal skill development in risk management.
Ultimately, a middle ground was adopted. In June 1998, the ISO TMB established a working group of 12 countries to work with IEC 56. The purpose of the working group was not to develop an ERM framework but rather to take a preliminary step of creating a vocabulary of risk management terms and concepts that could promote global discussion of risk management. This vocabulary would not come to life for another four years when it was published in 2002 as ISO/IEC Guide 73:2002 Risk Management – Vocabulary – Guidelines for Use in Standards.
The Vocabulary Guidelines consist of 29 definitions across four categories: (i) 8 basic terms, (ii) 4 terms related to people or organizations affected by risk, (iii) 6 terms related to risk assessment, and (iv) 11 terms related to risk treatment and control. Simply reviewing the list of definitions across the categories is helpful to thinking about the scope and breadth of an ERM framework:
The previous sections told the story of how the ERM standard known as AS/NZ 4360 was developed between 1992 and 2004. After AS/NZS 4360 was revised in 2004 as part of a routine revision performed every five years, the Joint Standards Australia/Standards New Zealand Technical Committee known as “OB/7” joined with Japan to ask ISO to promote the development of an international standard for enterprise risk management. In June 2005, the ISO Technical Management Board (“TMB”) established a working group from 25 different countries. Given the decade of experience behind AS/NZS 4360, it became the first draft standard of the working group and four years later, in 2009, AS/NZS 4360 became ISO 31000.
It is not well known, however, that the effort to convert AS/NZS 4360 to ISO 31000 actually began in 1995, shortly after publication of the first version of AS/NZS 4360. These early conversion efforts in 1995-96 proved unsuccessful because there was insufficient international momentum and consensus to develop an ERM model that was inclusive of existing ideas and approaches by those working in fields commonly associated with risk management such as safety and insurance. Undeterred and wanting to collaborate and learn from others, the OB/7 Committee approached the International Electrotechnical Commission (“IEC”) which, in 1996, expressed interest. The IEC is a sister organization of ISO that prepares and publishes international standards for electrical, electronic and related technologies.
The specific part of IEC to express interest in working with the OB/7 Committee is known as IEC Technical Committee 56 (IEC TC 56), which is dedicated to the study of dependability management (defined as the practice of coordinating the reliability, maintainability, supportability, availability and other related aspects of performance). Here, within IEC TC 56, the OB/7 Committee found interest because IEC TC 56 had already been working on standards for project-based risk management. Accordingly, in 1996, AS/NZS 4360 became a New Item Work Proposal of IEC TC 56. Meanwhile, at the urging of the Japanese Standards Association, ISO continued to debate in 1997 and early 1998 about whether to pursue the creation of an ERM framework. As mentioned, much of the deliberations were about whether an ERM framework was necessary in light of preexisting work on safety and insurance. Moreover, there was also concern that an ERM framework could be potentially misused by organizations more interested in selling certification-related services than facilitating internal skill development in risk management.
Ultimately, a middle ground was adopted. In June 1998, the ISO TMB established a working group of 12 countries to work with IEC 56. The purpose of the working group was not to develop an ERM framework but rather to take a preliminary step of creating a vocabulary of risk management terms and concepts that could promote global discussion of risk management. This vocabulary would not come to life for another four years when it was published in 2002 as ISO/IEC Guide 73:2002 Risk Management – Vocabulary – Guidelines for Use in Standards.
The Vocabulary Guidelines consist of 29 definitions across four categories: (i) 8 basic terms, (ii) 4 terms related to people or organizations affected by risk, (iii) 6 terms related to risk assessment, and (iv) 11 terms related to risk treatment and control. Simply reviewing the list of definitions across the categories is helpful to thinking about the scope and breadth of an ERM framework:
In looking at the list of terms, two things stand out. First, most of the terms focus on the mechanics of defining, identifying, assessing and treating risk. Only four terms focus on people themselves and the organization they comprise. Second, the fact that the international standards community took a preliminary step to work on a common vocabulary is a foreshadowing of current challenges with ERM. Every organization working to manage risk in an integrated way is comprised of people with a wide range of knowledge, skills, interests and perspectives. Consequently, just getting everyone in an organization to work together to manage risk is a challenge. If people can’t agree on what risk is or how to communicate and manage the subject of risk across an organization, implementing a system for ERM will be challenging, if not impossible. In the next section, we continue telling the story of the transition from AS/NZS 4360 to ISO 31000 during the period 2004 to 2009.
(As a reminder, ISO stands for International Organization for Standardization – an entity that was established in 1946 to serve as the global organization for the creation of voluntary international standards that support the development and maintenance of global trade.)
(As a reminder, ISO stands for International Organization for Standardization – an entity that was established in 1946 to serve as the global organization for the creation of voluntary international standards that support the development and maintenance of global trade.)
RSS Feed