Enterprise Risk Management

Jean Cross, Emeritus Professor of Risk and Safety Sciences, University of New South Wales, was the chair of the Australian standards committee that developed the AS4360 Risk Management Standard. This Australian standard went on to become the foundation for ISO 31000, the standard to which virtually every large organisation in the developed world aligns its enterprise risk management framework. (Professor Cross was also kind enough to commend a book by Rob Hogarth and myself called Risk Bandits.)

I once asked Jean: if she were able to change one thing about the original standard, what would it be? She was quick to identify that the inclusion of a single example of a risk management methodology to determine risk level was the main regret. That example was the risk matrix.

I seem to remember that Jean reprimanded me for suggesting the matrix example was in the main body when it was actually in an appendix, but she conceded it should have been omitted or other examples of simple tools provided. Most organisations like nothing better than an instant solution to complex compliance issues and consequently the matrix became the default baseline risk assessment process for almost every organisation in the developed world.

Of course, the overall impact of the ISO 31000 Standard was exceptional, a game-changer for organisational / enterprise risk management, and many companies are far more serious about risk management than they could ever have been without her and her committee's work. Whatever basic, first-pass methodology was chosen to estimate qualitative values of risk, there would always have been a need for an escalation process to more sophisticated risk valuation approaches for material risks to the business.

Consequently, I believe the greatest value I offer businesses is knowing where that additional risk assessment depth should be applied and what methodologies should be used for that specific client; it's not a one-size-fits-all situation.

Effective RM delivery involves the full alignment of the Risk Appetite Statement with the available risk processes, the matrix guidance and, only where necessary, more in-depth risk methodologies. Only then can we define the most critical controls in the organisation and ensure they are continuously verified as working effectively.

Risk Bandits: Rescuing Risk Management from Tokenism - Kindle Edition on Amazon

The risk matrix simply doesn't cut the mustard for material risk events.