FERMA speaks out against moves towards an ISO risk management standard

The Federation of European Risk Management Associations (FERMA) believes that a formal international risk management standard, especially with an externally verified compliance regime, is undesirable and would not benefit European companies.

This is the gist of a position paper issued recently by FERMA on proposals by the International Organization for Standardization (ISO) to create an ISO risk management standard.

FERMA believes that an ISO standard would be too inflexible for such a broad discipline as risk management, which is extremely complex and varied in its application.

The position paper states that “great caution is required in the development of an ISO standard on risk management.”

Instead, it urges the use of a term such as ‘reference guide, framework, general principles or list of best practice’ to describe the document which ISO is developing.

FERMA says it would support a generic guide entitled ‘Risk management system: essentials, principles and terminology.’

Among the disadvantages of an ISO standard from a candidate’s perspective, says FERMA, are substantial internal and external resources needed to implement and maintain the standard, which may have a serious effect on competitiveness, and considerable additional paperwork, without commensurate benefits.

Nor do such standards necessarily accomplish everything they seem to offer, says FERMA.

According to the position paper, industry has already accepted compliance with standards in areas such as quality, environment and safety, which are risk management areas. It continues:

“However, experience has shown that compliance with a standard has never guaranteed totally satisfactory performance. Accidents continue to happen and product liability claims continue to occur. Compliance with an ISO standard can, therefore, give a false sense of security to regulators, clients, shareholders and third parties. This is often aggravated by a certification process which is not always objective and varies greatly from one country to another.”

Reader comment

It seems to me that the FERMA comments re: ISO could apply equally to the BSI business continuity effort (BS 25999-*). A ‘guide’ or other more general term (vs. ‘Standard’) seems appropriate. Unlike FERMA's worry that a ‘standard’ is too limiting for risk efforts, 25999-* offers too little, to the point that ‘mitigation’ is missing from key definitions (e.g. business, risk).

John Glenn, MBCI


Date: 13th July 2007 • Region: UK/W.Europe • Type: Article • Topic: Operational risk
UPDATED 19TH JULY

Copyright 2010 Portal Publishing Ltd