I just found this very interesting blog post on the blog of Peter Bonisch. You can find the post here and I suggest you read the post in full.
I’ve reacted to this post with my own thoughts on the subject matter. You can find my reply below.
Hi Peter, Mike, Matthew,
Just wanted to jump into this quite interesting discussion. First, when I read heresy, I hear “against dogma”. Now, let’s be clear that dogmatic behaviour is not good under most circumstances. Especially in developing areas such as risk management, which Matthew called the new Wild West only a few years ago (Matthew, I’m paraphrasing, but I really liked the snake oil salesmen reference you made ;-)), we need to make sure that we don’t hold on to dogmas that are unproven.
However, and this is important as well, what I feel that Kaplan fails to address is the error in expectations we all appear to have with respect to risk management. While ISO 31000 is by no means the perfect risk management approach, we need to look beyond its limitations and look at what it does bring to the table. It’s easy to dismiss an approach based on the problems perceived by the experts, while within certain limitations COSO ERM, ISO 31000 and AS/NZS 4360 assist in developing a better and better view of what good risk management should be.
Compare this to physics, for example. Any theory which explains even part of what we see and is internally and externally consistent is considered a valuable addition to the overall body of knowledge. It explains perhaps only part of the issue, but at least it does that. It may be wrong, but it will give us a basis to sharpen our insights. The steady state theory, for example, even though mainly wrong, has significantly contributed to our understanding of how elements were created in the early universe.
This being said, I believe that COSO ERM, ISO 31000 and other risk management approaches will gradually make way for newer approaches that build on the lessons learned from these approaches. Pretty much like Sarbanes-Oxley showed us what not to do to avoid future Enrons or Worldcoms.
Just kicking them to the curb as irrelevant is an easy and even cheap trick which is unworthy of an academic heavyweight such as Kaplan. He certainly has a number of points where he makes a case, but he should look at how each of the current frameworks contributes and how it can be adapted, amended or even completely turned around for the benefit of risk management.
For the record, I am a reformed list-maker. I don’t agree that ISO 31000 is all about making lists. For me, and how I teach it, it is more about an awareness that there are issues we know, issues we are aware of and issues we are completely unaware of. And that communication and consultation, in whichever form is relevant for your organization (cf. some of Matthew’s excellent surveys, by the way), is a key factor in truly treating risk.
That said, we still like to use our little checklists to make sure we have not forgotten anything. They are no longer risk models, they are just simple risk checklists. By ‘relegating’ them from model to checklist we aim to clarify to the users they are merely one of a set of tools we use to assist them in thinking about and discussing risk on a regular basis.