The aim of this article is to examine the relevance of the ISO 31000 standard in improving risk management practices, with an emphasis on the limitations and myths that may arise within organizations from a formal approach based on a symbolic use of this type of standard. As shown by the neo-institutional approach to standardization, many organizations tend to adopt ISO standards quite superficially in order to reinforce their social legitimacy through the implementation of rational and reassuring frameworks (Boiral, 2003, 2007; Christmann and Taylor, 2006). This type of symbolic implementation is too often mechanistic, ceremonial and disconnected from internal practices (Meyer and Rowan, 1977; Grandy and Mills, 2004). From this perspective, whatever the relevance of ISO 31000 propositions, their application within organizations may be perfunctory and project an idealized image of risk management. A review of the literature on risk and crisis management and an analysis of various crises will help shine a spotlight on the claimed benefits and the paradoxes arising from a mechanistic application of a management framework such as the one proposed by ISO 31000. In line with Boholm (2010), Corvellec (2010), Gherardi and Nicolini (2000), Jarzabkowski and Spee (2009) and Whittington (2006), it is suggested that leaders and managers should make the turn from an approach essentially centered on formal strategic planning (strategy as something an organization formally has) to an approach more focused on reflexive strategic praxis (strategy as something an organization really does) in the field of risk management. The proposals set out in the standard will be reviewed, with reference to research conducted by recognized researchers in the field. The article will present the advantages and limits of the application of the standard and propose some recommendations to managers who are planning to integrate a risk management process into the overall strategy of their organization.
In this sense, the article aims to stimulate thinking among managers and leaders as well as providing a pre-use warning before implementation of a standard such as ISO 31000.
Like most other ISO management standards, ISO 31000 provides a structured framework intended to meet the needs of any type of organization or situation. In order to be applied to such a vast diversity of activities and risks, the approach proposed in the standard is fundamentally intended to be generic and rational. According to the standard, effective risk management results from the application of a very systematic and structured management process. The criteria for risk assessment proposed in ISO 31000 largely spring from a probabilistic logic, taking into account many aspects, the most common of which are: the nature of the causes and consequences; measurement of the probability of occurrence; estimation of the duration of the potential impacts; the threshold of acceptable risk; the level at which appropriate measures should be taken; and the tendency toward increased entropy and disorder which results from a combination of risks.
After the identification and analysis of risks, the organization should determine those risks for which explicit measures will be taken and those which will be accepted as residual risk. The choice of how each risk is treated is based on the anticipated efficacy of the chosen measures, the legal or regulatory requirements the organization is subject to, the values and preferences of the stakeholders and a cost-benefit analysis. The choice of measures to be taken should be discussed and communicated to various parties, and their efficacy should be periodically evaluated. When resources are scarce, an order of priority should be established and should reflect the costs resulting from implementation of the risk treatment measures, compared with the gains resulting from not taking such measures.
The entire process should be documented and activities recorded in order to maintain an overview of decision-making and respond to legal or regulatory requirements, if applicable. Finally, a periodic review of the entire process of identifying, analyzing and addressing risk should be conducted to reflect changes in the external and internal environments, as well as the emergence of new risks or new methods of managing them. The persons responsible for reviewing and monitoring the process should be clearly designated.
The general principles underlying the ISO 31000 risk management standard have been widely disseminated in the literature, particularly by authors interested in crisis planning and prevention (Table 1).
For instance, according to Perry and Lindell (2003), the assessment of an organization's preparedness is based on four criteria: an evaluation of risks (vulnerability assessment); an evaluation of the ability of the organization and the community to cope with crises (capacity assessment); the training and retention of qualified personnel; and the establishment of a flexible system that can be deployed quickly when a crisis arises. These aspects are clearly covered in the ISO 31000 standard, whose recommendations help users address the main operational requirements of risk management, from risk assessment to integration of risk treatment into the organization's structure and practices.
The recommendations from the literature define virtually the entire framework of risk management in the same terms: defining management's mandate and commitment to adopting a risk management framework, that is, the equivalent of a mission statement (Weick and Sutcliffe, 2007); developing a risk management plan or policy, including an analysis of the external and internal environment (Alexander, 2005); defining the principles and objectives that the plan will be based on (Lerbinger, 1997); identifying mechanisms of accountability (Perry and Lindell, 2003); identifying the resources to be allocated to implementing the plan or policy, and how communication will be handled both internally and externally (Quarantelli, 1988); and determining a process by which the plan or policy will be implemented, monitored and updated (Perry and Lindell, 2003; McConnell and Drennan, 2006).
The definition of such a framework also brings together several general principles used to describe high reliability organizations. According to its proponents, the HRO (High Reliability Organizations) model has proven itself in various sectors (Laporte, 1994; Rochlin, 1996; Weick and Sutcliffe, 2007), particularly in high-security industries (Leveson et al, 2009) such as aerospace, air traffic control, aircraft carriers in US naval bases and power plant commissioning (Rochlin et al, 1987). Senior management's commitment to promoting a culture of safety and their concern for the continual improvement of risk management plans and processes are two principles set out in the HRO model that are in accord with both the spirit and the letter of the ISO 31000 standard. Several other HRO principles are, however, not reiterated, at least not explicitly, in the ISO 31000 standard, in particular the importance of a staff development program and the establishment of a system to acknowledge employees who detect risks early. This point will be analyzed further in the next section.
Initially, it was the insurance industry that introduced the concept of risk as a means of reducing uncertainty in calculating premiums (Peretti-Watel, 2001). In this view, risk is calculated in monetary terms, by multiplying the anticipated damages by the probability of the event occurring. As shown by Lupton (1999), with the rise of the welfare state, the twentieth century witnessed a progressive increase in the number of hazards classified as risks, and therefore insurable. Risk as a measurable quantity has thus become the preferred tool of risk assessment experts.
A growing number of studies deplore the tendency of managers to limit risk management to this classical positivist model rather than regarding risk management as an ongoing and socially constructed process (Beck, 1992; Perry and Lindell, 2003; McEntire and Myers, 2004; Hansson, 2005). Several studies also emphasize that the concept of risk is a construct that is not directly observable and can therefore have multiple meanings (Duclos, 1987; Rochlin, 1999; Bernard et al, 2002; Galland, 2003). According to Perret et al (2005), reality provides a subtle and complex mixture of clues, signs, information, correlations and partial evidence that do not fit easily into the classical definition of risk. There is thus always an element of subjectivity in the definition of risk (Malenfant, 2009), leading Short (1984) to speak in terms of risks to the social fabric. Douglas and Wildavsky (1982) similarly argue that the concept of risk is strongly influenced by culture and distinguish four cultural types, each with a different attitude toward risk: the hierarchical type (risk-averse), the individualist type (risk-taking), the sectarian type (risks as the object of social causes) and the marginal type (distrustful attitude).
Moreover, according to a number of authors, risk management can no longer take the same form as previously, because the potential risks to which our societies are exposed have changed radically and can no longer be understood under a restrictive probabilistic definition of risk (Lupton, 1999; Boin and Lagadec, 2000; Hart et al, 2001; Quarantelli, 2001; Robert and Lajtha, 2002; Galland, 2003; Hansson, 2005; Perret et al, 2005; Denis-Rémis, 2006; Boin, 2009; Power, 2009; Smith and Fischbacher, 2009). For instance, many authors (Noji, 2001; Salehi and Ali, 2006; Monterrubio, 2010) point out the global impact of the resurgence of infectious diseases such as SARS and H1N1 and the necessity to rethink risk management on a global rather than a local scale. Indeed, the apparent proliferation of new transboundary risks is linked to the phenomenon of increasingly tight coupling between systems (Linnerooth-Bayer et al, 2001; Perrow, 1999; Boin and Lagadec, 2000; Smith and Fischbacher, 2009; Arvai and Froschauer, 2010), to the point that a breakdown in any one system eventually has an impact on all the connected systems (Shrivastava, 1994; Noji, 2001; Power, 2009). For example, the airline industry is obliged to constantly seek increasingly sophisticated technologies in an effort to ensure security in the context of our ever more crowded air space. A similar phenomenon has been seen in the food industry, which in recent years has faced major problems of food contamination as a result of changes in procedures (for example, the cases of mad cow disease in the United Kingdom) or in how regulations are enforced (for example, the listeriosis outbreak in Canada).
These types of problems are major threats that can have strategic impacts for the companies involved, including production stoppages, suspension of activities, product recalls, recourse to only somewhat reliable product tracing methods, and the destruction of the suspected sources of contamination (livestock, consumer products, and so on).