Risk Management Reports

September, 2000
Volume 27, No. 9
Global Risk Management Standards and Definitions

Just as our markets and economies are becoming global, so too are the ideas and practices of risk management. They are applied from the Antipodes and Asia to Africa, Europe and the Americas. Yet we still lack any form of commonly-accepted "standard" and a uniform set of definitions of terms. Regional standards exist in Australia, New Zealand, Canada, and, most recently, the United Kingdom and are under study elsewhere. During the past three years, a Working Group of the International Standards Organization (ISO) has been trying, with some difficulty, to reach consensus on a set of global definitions (see RMRs of 3/96, 12/97, 10/99, 1/00, 4/00, and 5/00).

Kevin W. Knight, the author of this month's Report, Chairs that Group. He was also one of the architects of the Australia/New Zealand Standard and is a risk management practitioner in Brisbane, Australia. He tells us the story of the creation of the first Standard and the problems in attempting to create common definitions.

In May 2000, the European Commission, Directorate General Joint Research Centre (DG JRC), Institute for Systems, Informatics and Safety (ISIS), held a seminar at Stresa & Ispra, Italy. Its report sets out very clearly the challenge confronting industry and commerce, both public and private, with respect to developing an internationally accepted generic "standard" for risk-based decision making.

The report makes clear the case for a process that will systematically identify, analyse, evaluate and treat all types of risk. It then states that risk is an integral part of progress and must be effectively managed so that society can reap the benefits. It confirms that good risk management supports consistent decision-making and enhanced public understanding.

It affirms that "several national and international standardisation organisations are developing standards to be applied in various specialised sectors such as medical devices, machinery and offshore equipment." Unfortunately this has not yet led to a uniform global approach. Many risk management practitioners agree. For every supporter there are multiple opponents and an ocean of apathy to overcome. Those who oppose the concept of a generic risk management "standard" fall into two categories. Either the "standard" is seen as proscriptive, removing managerial discretion, or it challenges strongly-held beliefs, particularly of safety and/or insurance practitioners. Both these camps are well organised and vocal in a wide range of national and international forums.

The Australia/New Zealand Standard

The Report's statement that "currently, no generic standard across different industries exists" is quite simply wrong. The Australian & New Zealand Standard AS/NZS 4360 - Risk Management, has been available since 1995 and is generic! It was revised and reissued as AS/NZS 4360:1999 in April 1990. It has been extensively adopted by the private and public sectors in Australia and New Zealand and has been sold to many organisations outside the region. The National Health Service in Great Britain has adopted it as the basis of its Corporate and Clinical Governance programme. Standards Australia and Standards New Zealand have also produced additional documents, all available at www.standards.com.au:

  • SAA HB141-1999 Risk Financing Guidelines
  • SAA HB142-1999 A Basic Introduction to Managing Risk using the Australian and New Zealand Risk Management Standard
  • SAA/NZS HB143-1999 Guidelines for Managing Risk in the Australian and New Zealand Public Sector
  • SAA HB240-2000 Guidelines for Managing Risk in Outsourcing
  • SAA HB 231-2000 Information Security Risk Management Guidelines.
  • Emergency Risk Management - Applications Guide, (Emergency Management Australia).

Work is proceeding on Handbooks addressing the application of the Standard to Business Continuity Management, Corporate Governance, Occupational Health & Safety and the Healthcare Industry.

Canada has also produced CAN/CSA-Q850-1997 - Risk Management: Guideline for Decision-Makers (see RMR 12/97) (Editor's note: earlier this year the United Kingdom published its own risk management "standard" BS 6079-3:2000 - see RMR 5/00).

Over the past eight years, numerous bodies have made considerable progress in addressing both generic and specific risk issues. A major feature of this progress has been wide consultation with interested parties throughout the world.

Developing the ANZ Standard

The reason why AS/NZS 4360 has been so widely accepted in Australia, New Zealand and globally may lie in the way Standards were developed and approved there.

The process started in 1992 when a Standards Australia questionnaire was submitted on behalf of the Association of Risk & Insurance Managers of Australasia (ARIMA). This led to the distribution of a further questionnaire to a wide range of industry and professional organisations to determine both need and interest. Satisfied of the need and the availability of a representative range of potential members, Standards Australia and Standards New Zealand established a Joint Technical Committee composed of 27 members representing 22 industry, professional and government (Federal, State and Local) organisations.

The Committee first gathered all available information. All submissions and documents were copied and supplied to the members. After several drafts, the Committee produced one for public comment. To ensure maximum exposure the representative organizations were asked to encourage responses from their membership, advertisements were placed in the daily press seeking input from the general public, and copies were supplied to all member organisations of the International Federation of Risk and Insurance Management Associations (IFRIMA). 326 specific comments were received from 55 individuals and/or organisations. Each was addressed by the Committee, in many cases resulting in changes to the draft. The final document received unanimous approval and was published in November 1995.

The strength of this time-consuming and occasionally frustrating process was a final document seen as the product of practitioners of the discipline, who voluntarily accepted it as "best practice."

An additional strength of AS/NZS 4360 was the deliberate decision of the Committee that the standard be generic, setting out a process capable of general application. The temptation to confine it to insurance-related corporate risk was firmly rejected by the Committee in favour of it being a generic process, independent of any specific industry or economic sector.

The Committee began work on industry specific handbooks and/or guidelines for the application of the process to such topics as insurance-related corporate risk, the public sector, outsourcing, the environment, business continuity management, healthcare, etc. A consequence of this work was the decision to revisit the Standard itself in 1998, resulting in its reissue as AS/NZS 4360:1999.

AS/NZS 4360 has become one of the top sellers amongst the 3000 or so Australian Standards. It has been critically acclaimed by a number of global risk management commentators. It has withstood considerable parochial attack in the UK and USA, perhaps because of a reluctance of some to accept that an example of world best practice could be developed in the Antipodes!

Some oppose the development of a Risk Management Standard because they equate adoption of a Standard with a step closer to government regulation. Certainly Standards are often referred to in Australian and New Zealand legislation but only to ensure that those required to comply have a living document subject to regular review, embodying current best practice. A management Standard should act as a guideline, not as a set of absolutes.

The ISO Initiative

In 1996 AS/NZS 4360 became, with some minor modifications, an International Electrotechnical Commission (IEC) Proposed Standard. The original plan was for it to go to the International Standards Organisation (ISO) but because there was no ISO Committee specifically addressing risk management it ended up with the IEC. Its Technical Committee 56, dealing with Dependability, already had assigned Project Risk Management to its Working Group 13. The Working Group accepted the challenge and placed the idea on the agenda for its meeting in Sydney, Australia, in March 1997. It recognised the need for a top level document on risk management, with the Australian Standard providing a start. Any resulting paper would become a joint ISO/IEC Standard, assuming support from a sufficient number of national organisations.

While a majority of national Standards organisations voted in favour, France, Canada and the USA cast negative votes. The French argued that the proposed document was too broad for action by a specific Working Group. They further pointed out TC56 was basically a technical body and had no skills to cover all the aspects involved in the proposal. Canada and the USA did not believe the proposal added to existing material. The French subsequently lodged a successful appeal with the IEC Committee of Action challenging the vote to accept the New Work Item.

This created a vacuum that was filled by the International Standards Organisation Ad Hoc Group on Risk Management meeting in Japan in November 1997.

The original intention of the Japanese Standards Association was to get agreement that (1) a document on Risk Management was required, and (2) a draft should be prepared. The USA, France and Germany continued to oppose the project. Many of the French and German objections were reasonable but were issues that should be addressed when drafting a document, rather than issues that precluded its development. Many of them appeared to be insurance and safety matters, rather than risk management. The USA suggested the possibility of a "best practice" document being issued by an organisation other than the ISO/IEC. This suggestion was rejected because no such organisation of similar global standing could be identified. The majority proposed a new work item, but there was insufficient agreement as to whether it should be a Standard, a Technical Report or a Guide. Seven of the ten delegations, however, indicated a preference for a Joint ISO/IEC Technical Report or Guide.

In January, 1998, the Technical Management Board (TMB) of ISO decided in principle to establish a Working Group to develop a special publication on risk management terminology. While this was not what the Ad Hoc Group Meeting in Japan recommended, it was a significant starting point since those writing Standards would conform to a global set of terms and definitions, rather than inventing their own. This compromise decision was a result of the continued concern of the USA and some European Union countries about the potential use of any "standard" by certification bodies.

Twenty-one national Standards associations voted in favour, and 12 indicated a desire to be active participants in the Working Group.

In June 1998, the ISO TMB approved the establishment of a Working Group on Risk Management Terminology, with representatives from Australia, Canada, France, Germany, Jamaica, Japan, Norway, Russian Federation, South Africa, Thailand, United Kingdom, and USA along with representatives of IEC ACOS and TC 56.

The first meeting was in Tokyo in October, 1998, and took the task of developing risk management definitions for use by the members of ISO and IEC and various governmental and non-governmental agencies involved in standardisation at international, regional and national levels.

The Japanese Standards Organisation was appointed Convenor and provides the Secretariat. It appointed Hideyu Yoshimura as Secretary to the Working Group:

Mr. Hideyu Yoshimura
Japanese Standards Association
Toraya Bldg. 5F
4-9-22 Akasaka, Minato-ku,
Tokyo 107-0052
Tel: +81-3-5770-1571
Fax: +81-3-3405-5541
E-mail: yoshimur@tokyo.jsa.or.jp

Following a meeting in Berlin, in October 1999, the Working Group produced a Draft for the ISO TMB to be approved by a vote by the ISO and IEC National Associations. No vote has yet been taken because of difficulties in obtaining support from the IEC Advisory Committee on Safety. A resolution to this impasse is expected before the end of 2000.

Conclusions

The Report from the European Commission Seminar in May of this year concludes that risk management will gain in stature and recognition and become an integral component of corporate governance and good management, rather than a fancy name for insurance buying. This will increase the demand for standards or guidelines that enable organisations to demonstrate they meet definable levels of professionalism. The view in Australia has always been that risk management practitioners must be active participants along with other disciplines to ensure a final product that will enhance and advance the management of risk. Sadly, this has not been the case globally where safety practitioners have often taken the initiative leading to a safety bias that compromises the risk management concept espoused in AS/NZS 4360:1999. The success and wide acceptance of AS/NZS 4360 by management is testimony to the wisdom of this more holistic generic approach. The Working Group has also sought a similar proactive response from IFRIMA, with concurrent support from their own national Standards organisations to serve as a counter to the safety practitioners, lest we find risk management standards being taken over by non-risk managers. To date none have followed Australia's lead.

The process of risk-based decision making can be broken down relatively easily into a few formal basic steps, such as identification/characterisation, analysis, assessment, management, and decision-making, a sequence which could, although there are differences in terminology, be widely accepted in principle across industries.

While the process is easily broken into a few formal basic steps, the lack of a common terminology severely hampers acceptance of the principles.

Each step in "risk assessment" (including the above process) is heavily dependent on its specific cultural and regulatory context. To make results widely acceptable, they must be placed in the context of the socio-cultural environment and framed within participation processes in which all stakeholders are involved. Technology can facilitate this involvement. The Internet allows an increasingly well-informed public to participate in decision-making in a way that was inconceivable until recently.

This is precisely why the Australian Standard begins with "Establishing the Context" as its first step. It is critical that the financial, operational, competitive, political (public perception/image), social, cultural and legal aspects of an organisation's functions be examined and understood. This should include its goals, objectives, and strategies to achieve both.

Comparative risk assessment using harmonised procedures could significantly help the understanding of decisions made in other countries or other domains of activities and promote a transparent decision-making process for all stakeholders. Again, the Australian/New Zealand Standard can facilitate this harmonisation as well as ensuring a two-way dialogue among stakeholders about the existence, nature, form, severity, and acceptability of risks.

There is wide consensus that the issue of risk perception plays a major role in the political debate over the desirability and level of acceptance of certain risks. As risk acceptance and judgements on hazardous activities are highly contextual topics, the use of acceptance criteria depends on country, time, activity, risks and related benefits. Any successful "standardisation" should focus on the process underlying risk assessment and not attempt to harmonise risk criteria. On the other hand, for maximum benefit, any standardisation should not be restricted solely to technical elements and the process of risk management. It should cover in some way aspects of decision-making and the management of risk. This is precisely why AS/NZS 4360:1999 stresses the need to establish the strategic, organisational and risk management contexts, to develop a set of risk evaluation criteria, and to define the structure by separating the activity or project into a set of elements.

Standardisation should not direct, much less prescribe, a particular risk assessment approach. Its main objective should be to help stakeholders see more clearly the range of possibilities and to assist them in better decisions, which only they can make.

AS/NZS 4360:1999 specifies the elements of the risk management process but it has never suggested that its purpose is to enforce uniformity of systems. It recognises that the design and implementation of any system must be influenced by the varying needs of the organisation, its particular objectives, its products and services, and the processes and practices that it employs. It assumes that risk makers and risk takers must also be risk managers.

For this reason, a prescriptive guideline or formal "standard" is neither desirable nor realistic. It would hamper wide acceptance and use. What is needed is a "template" that maps the technical steps in the process in a generic way, listing available approaches, methodologies, and detailed, up-dated references. This "template" should focus on technical aspects of risk assessment on a reasonably high level and also include the generic components of decision-making. These include the common elements in defining risk criteria, but avoid laying down what may be considered "tolerable" levels of risk. This is a decision for the stakeholders of an organization and for governments to make. This also involves the "precautionary principle" that is currently the subject of much debate and which lies at the basis of the 1997 EU Treaty on matters of the environment and health.

The Standards Australia publication "International Guide to Best Business Practice in Risk Management" (SAI Publishing, 2000) provides the basis of what the May meeting seeks to develop. Copies are available for purchase from the Standards Australia risk management web site: www.riskbusiness.com

Safety is but one of the components of a risk management process rather than its focus. Risk must be managed at a tolerable level as distinct from a totally risk free level. Taking controlled, informed risks is a sensible everyday essential of life. As a society we take risks to achieve benefits and gains because risk taking is seen as positive, not implicitly negative. This does not mean that safety is discarded but rather absorbed into the overall risk management process. This view is at odds with many safety practitioners who view risk management as a threat to their power and influence in society.

The lack of knowledge amongst those who should know better about the amount of risk management activity within CEN, ISO, and the IEC is not surprising given the lack of involvement of those most concerned with risk management in organisations. Of greater concern is the degree of ignorance within the global risk management community of the actual content of the Australian/New Zealand Standard, its related handbooks, and the endeavours of the Working Group on Risk Management Terminology.

The members of the Australian & New Zealand Joint Technical Committee OB/7 are very committed to the spreading of the holistic generic risk management process set out in AS/NZS 4360:1999 and its related Handbooks. They appreciate the need for its application to be modified to reflect the laws and customs of regions and individual countries. Ultimately, however, the tendency of so many in Europe and North America to want to reinvent the process as if AS/NZS 4360:1999 did not exist is an incredible waste of scarce resources and borders on stupidity.

Kevin Knight, the author of this article, can be contacted at kknight@bigpond.net.au

