It’s no secret that I love standards (I even confessed to this in a previous blog post).
However, there’s a problem: as soon as you introduce a standard, you’re in danger of turning things into a compliance exercise. Initially, that might not sound so terrible. If you’re compliant with a risk management standard, you’ll be managing your risks properly, right?
Because compliance, or anything else that can be reduced to a ‘check the box exercise,’ very quickly moves the focus from outputs to inputs. So, as long as you have written the procedure, conducted the assessment, and established a governance board, you’ve complied with the requirement set out in the standard. But that doesn’t mean that the procedure is fit for purpose, that the assessment effectively evaluated the risks, or that there’s effective governance in place. It just means you’ve checked off these requirements in the standard.
Unfortunately, the inputs don’t produce the desired output meaning the organization complies with the standard but hasn’t achieved the improvement they were looking for.
Conversely, another firm could have an effective risk management system in place even though it’s not fully compliant with the requirements of ISO 31000. Their system produces the desired outcome even though it doesn’t meet the standard’s exact requirements.
Focusing on the Details Obscures the Intent
But for many, compliance means getting sucked into the weeds and losing sight of the strategic objective You can see this in many of the risk management discussions on LinkedIn. Everyone’s in a lather about the minutiae of the standard or arguing about whether or not risk should be two or three factors (three, obviously). In other words, they’re missing. the wood for the trees.
These discussions have relevance, and there are times when clarification of a rule or improvement of a process is valuable. But my concern increases when the focus is only on the compliance activity, not managing risk.
From a risk management perspective, one way around this is to remember the ISO definition of risk as ‘the effect of uncertainty on objectives’. The whole endeavor is focused on objectives and outcomes, not processes.
So, before you conduct any compliance exercise, I’d always recommend starting from first principles: ask, ‘what effect is this program meant to achieve?’ Keeping this top-level outcome in mind will ensure that your compliance work gets you to that destination – effectively managing your risks – and doesn’t just become a check-the-box exercise.