I am old enough to remember the world of management before it had a risk management standard. In fact I was studying risk management in OHS when the Australian Standard 4360 was released. It substantially changed the way OHS was managed in Australia (and lined the pockets of the publishers). It increased the significance of management standards beyond Quality and helped considerably in progressing an integrated approach to managing a broad range of workplace risks.
[The process also instilled in me a distrust of the standards development process when I sat through a seminar from one of the risk management standards committee members where he spruiked a PC-based management system that "anticipated" the new standard........ at $30,000 setup fee??? Clearly in this case, and I have been told in almost all cases, the participants always have one eye on the commercial benefits of participation]
Grant Purdy recently discussed the new international risk management standard ISO 31000:2009. At one of his presentations he said that the new standard has a definition of risk that “shifts the emphasis from “the event” to “the effect” and, in particular, the effect on objectives.”
The previous risk management standard overlapped with auditable elements in other management standards – OHS, environment, and quality. This new definition may cause problems across these sectors.
Purdy said that risk is now not only perceived as a negative.
“Risk has in the past been regarded solely as a negative concept….[but] it is now recognised that risk is simply a fact of life that cannot be avoided or denied.”
He speaks of the traditional way of measuring risk as sometimes creating “phantom risks” due to an overstated likelihood. This seems particularly relevant to OHS and may be part of the reason that some OHS issues are seen as excessive or, at worst, a joke.
Purdy stated that there are 11 statements of effective risk management. [Modern management writers love numbers. I should write a book called "The hundredth time I have had to sit through a numbered list of strategies at conferences before walking out"] The statements are that risk management:
- creates and protects value
- is an integrated part of all organisational processes
- is part of decision making
- explicitly addresses uncertainty
- is systematic, structured and timely
- is based on the best available information
- is tailored
- takes human and cultural factors into account
- is transparent and inclusive
- is dynamic, iterative and responsive to change
- facilitates continual improvement of the organisation.
The implementation of this standard and other international standards is going to be confusing, initially, for Australian managers but the choice is easy. Why follow an Australian standard that needs explaining overseas when there is already an international standard that requires no explanation? Go global and expand your auditing and accountability options.
[Please note that ISO 31000 is not an auditable standard but I suspect you will not have to wait long for one.]