ISO 31000 IEC, ISO 31010 and Tolerance, Risk Ranking, Crisis and Reputational Impacts
Feb 28th, 2013
Back in 1999 we regularly taught a course at UBC (Continuing Education, University of British Columbia) entitled “Design of Risk Management Systems”. Later, in the book Improving Sustainability through Reasonable Risk and Crisis Management (A Guide to Making Better Decisions, ISBN 978-0-9784462-0-8), we promoted a strong linkage between Risk Management and Crisis Management. We also stressed the need for robust, science-based risk ranking methodologies. Today we will look at ISO 31000, IEC/ISO 31010 and Tolerance, Risk Ranking, Crisis and Reputational Impacts.
We espoused the principles that constitute ISO 31000 before it was written, as, we are quite sure, did many serious Risk Management professionals. Thus we started reading IEC/ISO 31010 with high expectations.
IEC/ISO 31010 covers a lot of ground indeed, including lists of available tools to:
- identify hazards (in various contexts),
- determine probabilities (and their approximate distributions, if need be) and finally
- estimate the consequences of hazards.
For each tool (like Monte Carlo simulation or Bayesian estimates, etc…) IEC/ISO 31010 defines applicability. Many welcomed this thorough international “house-keeping” effort. However some criticisms have been formulated, sometimes arising from very specific fields, that will most likely be covered in future editions.
ISO 31010 shadow areas
From our perspective IEC/ISO 31010 presents some “shadow areas” that should be discussed:
1) Risk “tolerance/acceptability” is used, but not defined (not even a method is discussed, although historic published examples exist from various countries). This leaves the door open to major confusion and misrepresentations, inefficiencies and misallocation of mitigation funds, as pointed out by various authors in the last decade.

If properly understood and managed, even an unexploded bomb can become an instrument for social gathering and community safety.
2) Risk “Ranking” is mentioned, but a proper procedure is not defined. An example? In a top-ten risk list developed using common-practice approaches, one will usually find high likelihood/low consequence and low likelihood/high consequence risks mixed up.
3) There is no reference to Crisis and Reputational impacts, despite the strong exposure these types of impact can create on a corporation's balance sheet.
4) The complex consequence metrics needed to cover environmental, long-term and similar risks are neither developed nor supported.
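Points 1 and 2 above can be made concrete with a small constructed illustration. The code below is an added example written for this post, not content of ISO 31000 or IEC/ISO 31010 and not Riskope's method: it scores a constructed portfolio of five hazards with a classic 5x5 likelihood/consequence matrix and shows that a frequent, small risk and a rare, catastrophic risk land on the same score; it then compares each risk against an explicitly stated tolerance threshold (here an assumed constant expected-loss line, `TOLERANCE_K / consequence`, which any published tolerance curve could replace) and reports the likelihood/consequence class alongside the ranking so the two kinds of risk are never mixed up. The bin edges, the threshold and the five risks are all assumptions chosen for the example.

```python
"""Constructed illustration: a classic likelihood x consequence matrix
scores opposite-corner risks identically, while an explicit tolerance
threshold plus a likelihood/consequence class keeps them apart.
All bins, thresholds and risks are assumptions for this example, not
content of ISO 31000 or IEC/ISO 31010."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # annual probability of the scenario (constructed)
    consequence: float   # loss if it occurs, in constructed money units


# Constructed hazard portfolio.
RISKS = [
    Risk("minor_spill",       0.500,      8_000),
    Risk("office_theft",      0.300,      5_000),
    Risk("vehicle_collision", 0.050,    100_000),
    Risk("warehouse_fire",    0.010,  1_000_000),
    Risk("tailings_breach",   0.002, 10_000_000),
]

# Assumed upper-bound edges giving 5 levels on each axis of the matrix.
LIKELIHOOD_EDGES = (0.002, 0.02, 0.2, 0.4)
CONSEQUENCE_EDGES = (10_000, 50_000, 500_000, 5_000_000)

# Assumed tolerance: highest annual probability tolerated for a loss c is
# TOLERANCE_K / c (a constant expected-loss line).  Any published tolerance
# curve could be substituted by changing tolerance() alone.
TOLERANCE_K = 2_000.0


def level(value, edges):
    """Map a value onto levels 1..len(edges)+1 using upper-bound edges."""
    for lvl, edge in enumerate(edges, start=1):
        if value <= edge:
            return lvl
    return len(edges) + 1


def matrix_score(r):
    """Common-practice score: likelihood level times consequence level."""
    return level(r.probability, LIKELIHOOD_EDGES) * level(r.consequence, CONSEQUENCE_EDGES)


def matrix_ranking(risks):
    """Names sorted by matrix score, highest first (ties keep input order)."""
    return [r.name for r in sorted(risks, key=matrix_score, reverse=True)]


def risk_class(r):
    """Separate chronic (frequent, small) from catastrophic (rare, large) risks."""
    lik = level(r.probability, LIKELIHOOD_EDGES)
    con = level(r.consequence, CONSEQUENCE_EDGES)
    if lik >= 4 and con <= 2:
        return "chronic"
    if lik <= 2 and con >= 4:
        return "catastrophic"
    return "intermediate"


def tolerance(consequence):
    """Tolerable annual probability for a loss of the given size (assumed curve)."""
    return TOLERANCE_K / consequence


def exceedance(r):
    """Factor by which the risk's probability exceeds the tolerance at its consequence."""
    return r.probability / tolerance(r.consequence)


def tolerance_ranking(risks):
    """Intolerable risks ranked by exceedance (worst first, with their class),
    and the tolerable ones listed separately."""
    intolerable = sorted((r for r in risks if exceedance(r) > 1.0),
                         key=exceedance, reverse=True)
    tolerable = [r.name for r in risks if exceedance(r) <= 1.0]
    return ([(r.name, risk_class(r), round(exceedance(r), 2)) for r in intolerable],
            tolerable)


if __name__ == "__main__":
    print("matrix ranking:", matrix_ranking(RISKS))
    for r in RISKS:
        print(f"{r.name:18} score={matrix_score(r)} class={risk_class(r)}")
    ranked, ok = tolerance_ranking(RISKS)
    print("intolerable (name, class, exceedance):", ranked)
    print("tolerable:", ok)
```

Running it, `minor_spill` (likelihood 5, consequence 1) and `tailings_breach` (likelihood 1, consequence 5) both score 5 in the matrix and sit side by side in the ranking, which is exactly the mix-up described in point 2; the tolerance view instead states which risks exceed the threshold, by how much, and whether each is a chronic or a catastrophic exposure.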
At Riskope we believe that until a code stresses these points and defines proper methodologies (even if it remains a non-prescriptive code like ISO 31000), we will be in a situation where an ISO-compliant Risk Management approach can lead to confusion and misrepresentations with potentially nefarious consequences.
What is your opinion?
Tagged with: Acceptability, environmental, Hazards, IEC/ISO 31010, ISO 31000, long term, risk, Risk Management, tolerance
Category: Optimum Risk Estimates, Probability Impact Graphs, Risk analysis, Risk management, Tolerance/Acceptability