Friday, July 13, 2012

Retrofitting ISO 31000

There have been some interesting discussions on the G31000 forum over the last week which allude to a future of potential conflict for ISO 31000.

In this short post, we look at some of the headwinds that ISO 31000 is going to meet as adoption of the standard ramps up across multiple industries.

Enterprise Risk
Enterprise Risk Management is the process of defining, measuring and managing risk across the entire enterprise of a business, the scope and reach of which is broad to say the least.

A good enterprise risk system will take in all aspects of risk management, including some of the following: a top-level relationship with the board to present a statement of hazards to managers that will assist them in making informed strategic decisions, the governance of risk control within the firm, the capture of risk appetite at various levels of the business, and a coherent measure of uncertainty for each objective the business faces. That uncertainty may sit in the credit risk area or in operations, and if you leave out any aspect of coverage you don't really have an enterprise risk management system; what you have is a watered-down version of it.

The ISO Standards Board website states that ISO 31000:2009 is designed for the following scope:

ISO 31000:2009 can be used by any public, private or community enterprise, association, group or individual. It can be applied throughout the life of an organization and to a wide range of activities including strategies, decisions, operations, processes, functions, projects, products, services and assets.  
ISO 31000:2009 can be applied to any type of risk whatever its nature, whether having positive or negative consequences. 
ISO 31000:2009 | ISO Standards Board
This all sounds straightforward enough, so what is the problem?

Well, there are two issues. The first is an accidental creation of conflict by the ISO standards board; the other is an oversight of what is happening on the ground. Let's start with the oversight monster.

The claim above that ISO 31000 can be applied to any risk, whatever its nature, could cover operational risk, but it could equally capture credit risk or some other kind of ailment. Now, if you were to quantify the exposure to potential loss in operational risk and you used the ISO 31010 guideline to kick this activity off, then you would be moving in the right direction. However, if you wanted to measure credit risk in your institution, ISO 31000 would give you little or no guidance on how to achieve that end. As a risk analyst, you would be struggling with why, what and how to go about measuring credit risk, and if you applied the techniques from the operational risk spectrum, they wouldn't help you.

So we know that enterprise risk is all risk across the firm, and that envelops the risk silos, including credit risk and market risk. However, no guidance on how to connect these risk management fields is offered under the ISO 31000 umbrella of risk management. In fact, the great opportunity for ISO 31000 today is to merge the silos, but it will only be able to do that if the analysts implementing it take on a broad understanding of what is going on in these alternate risk functions.

The next hurdle ISO 31000 has to overcome is that it is not the only standard in the ISO toolkit that mentions risk, and the space around risk management is becoming rather crowded. There are standards for quality, performance and risk, supply chain management and risk, and business continuity management; in fact, the constellation of standards that overlap ISO 31000's core charter is remarkable.

So who should own risk management in the firm then?

We know that voices from credit and market risk are going to be powerful at an executive level, because the potential fiscal impacts they manage are usually larger than those of many other areas of the business. To confuse matters further, we have audit and compliance departments which also have the ear of the chief financial officer, and these people may add complications to a smooth enterprise-wide deployment of ISO 31000.

I have chosen to map this little lot below to make it clear.

[Figure: Retrofitting ISO 31000 | Martin Davies]

I believe that there should be a single oversight body in a firm that aggregates risk management across a business, and as ISO 31000 is centred on risk, it would have the best claim on this management space. Nonetheless, for ISO 31000 to insert itself among the other risk communities, it is going to need to fill three gaps.

3 Key Gaps to fill
The three key gaps for a smooth integration of ISO 31000 into a firm are loosely explained here:
1 Integrating other risk functions
Firstly, ISO 31000 will need to carefully establish communication channels with other risk functions such as market risk and credit risk. This seems obvious enough on the surface, but these communication channels will also need to be 'full duplex', that is, two-way.

The next issue is that receiving risk metrics from a function like credit risk, and then different values from market risk, will leave a risk analyst pondering how to aggregate different measures of exposure into one report. From the credit risk unit, the ISO team may be handed variables including Probability of Default and Exposure at Default, while from the market risk camp measures such as PV01, duration, delta and gamma aren't uncommon. So the first complication for the ISO 31000 analyst is going to be: how do they create a coherent standard measure of loss for all units of risk which can be added together?

Once we are over the first hurdle, we have another, more deeply concealed issue to contend with. That is, credit risk and market risk exposures might happen together, or, loosely stated, these alternate metrics of risk are probably correlated. This correlation will also need to be measured, and if that is done well, the final result should allow the aggregation and correlation of all risk exposures across the enterprise.
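As an added illustration of the two steps just described (this is example code written for this post, not an ISO 31000 artefact), the snippet below converts a credit metric (PD, EAD, plus an assumed LGD) and a market metric (PV01 under an assumed rate shock) into one currency loss figure each, then aggregates them with a variance-covariance formula that takes the measured correlation as input. All input values are constructed for the demonstration.

```python
"""Aggregate risk metrics from separate silos into one enterprise loss figure."""
import math


def credit_unexpected_loss(ead, pd, lgd):
    """Credit silo: unexpected loss in currency units.

    Uses the standard-deviation form EAD * LGD * sqrt(PD * (1 - PD)).
    LGD (loss given default) is an assumption; the post only lists PD and EAD.
    """
    return ead * lgd * math.sqrt(pd * (1.0 - pd))


def market_rate_loss(pv01, shock_bp):
    """Market silo: PV01 (value change per 1 bp rate move) scaled by a shock in bp."""
    return abs(pv01) * shock_bp


def aggregate(losses, corr):
    """Variance-covariance aggregation: sqrt(L^T * C * L).

    corr is a symmetric correlation matrix with unit diagonal; with every
    off-diagonal entry at 1.0 this reduces to a simple sum, with 0.0 to a
    root-sum-of-squares, so the measured correlation decides the diversification.
    """
    n = len(losses)
    for i in range(n):
        if abs(corr[i][i] - 1.0) > 1e-12:
            raise ValueError("correlation matrix diagonal must be 1")
        for j in range(n):
            if abs(corr[i][j] - corr[j][i]) > 1e-12 or abs(corr[i][j]) > 1.0:
                raise ValueError("correlation matrix must be symmetric with |rho| <= 1")
    total = 0.0
    for i in range(n):
        for j in range(n):
            total += corr[i][j] * losses[i] * losses[j]
    return math.sqrt(total)


def enterprise_loss(rho):
    """Return (credit loss, market loss, aggregated loss) for a constructed book."""
    credit = credit_unexpected_loss(ead=10_000_000, pd=0.02, lgd=0.45)  # 630,000
    market = market_rate_loss(pv01=5_000, shock_bp=50)  # 250,000 under a 50 bp shock
    corr = [[1.0, rho], [rho, 1.0]]  # rho is the measured credit/market correlation
    return credit, market, aggregate([credit, market], corr)


if __name__ == "__main__":
    for rho in (0.0, 0.3, 1.0):
        c, m, total = enterprise_loss(rho)
        print(f"rho={rho:.1f}: credit={c:,.0f} market={m:,.0f} aggregate={total:,.0f}")
```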

2 Harmonizing the ISO standards
Integrating the other risk functions is only one problem; the next issue is a bit tricky and political. The other ISO standards which imply risk measurement, such as the standard for supply chain security, are going to need to be amended so that they can be moved under the ISO 31000 charter. Guidance notes on this will also need to be released, and without a statement on harmonization from the ISO standards board, the bickering around who ultimately owns the enterprise risk management space will continue.

3 Updating ISO 31000
Finally, ISO 31000 itself needs to acknowledge the other ISO standards and risk silos. It would be an act of conceit not to do so. How to reach out to and integrate each element of the firm-wide risk architecture described above requires treatment and a documented professional response.

All this aside, there is some good news for ISO 31000 on the horizon, and that is the imminent release of ISO 31004. ISO 31004 is intended to provide guidelines for establishing an ISO 31000 risk framework in a firm, and it is supposed to present case studies on how to resolve implementation conflicts in risk management.

In theory, the ISO standards board has a fortuitous moment approaching: it can wrap up all this discontinuity of practice with a handful of pages in ISO 31004. Whether it chooses to seize the day in this case, in the true spirit of carpe diem, remains to be seen.
