This message has been sent to you from Touchstone, Standards New Zealand's free electronic magazine. Standards New Zealand is the country's leading Standards body, developing and promoting Standards for the benefit of all New Zealanders.


Touchstone

ISSN 1179-2426

THIS MONTH...

ISO 31000 and the Icelandic volcano crisis

The air traffic crisis provoked by the Icelandic volcano eruption, with its accompanying economic and societal effects, is analysed through the lens of the ISO 31000 risk management Standard by the leader of the group of ISO experts who developed it.

The cloud of ash from the Icelandic volcano, Mt Eyjafjallajokull, which inconvenienced air travel across Europe, has also had significant global effects. The International Air Transport Association estimates that the ash crisis has led to the cancellation of hundreds of thousands of flights and cost the world's airlines many billions of dollars. Some airlines may not recover from the losses incurred.

Surprisingly, such an event does not appear to have featured as a risk that airlines and many other companies needed to manage. Apart from the airlines, the closure of the European airspace has impacted on everything from tourism to the flower and fresh vegetable producers in Africa, the garment manufacturers in Bangladesh and the electronic component makers in the Far East.

The eruption of the ash and its subsequent blanketing of much of Europe is a classic example of a low probability, severe consequence event that tends to be overlooked by management when examining potential risk to corporate objectives.

Given knowledge of the activity of the Icelandic volcano and the impact on aviation of past eruptions in Asia, it is surprising that no plans were in place to manage such a disruption-related risk.

Ever-changing risks

The ash cloud is just another example of the ever-changing risks that must be managed in an increasingly global economy with greater reliance on 'just in time' delivery. One has to wonder just how seriously, if at all, top management participate in planning and testing of disruption-related risk scenarios.

Some would suggest that the havoc was caused by a failure of risk management, rather than the failure of boards and top management to effectively manage risk. However, organisations with a strong risk management culture, such as the United Parcel Service (UPS), quickly redirected Asia-to-Europe air freight to Istanbul and then loaded it onto trucks for delivery to its final destination. UPS was one of the exceptions, as others sat and wondered when the ash would blow away and aircraft would resume flying.

Without risk, there is no reward or progress, but unless risk is managed effectively within an organisation, the opportunities will not be maximised and the threats minimised.

Risk is all about uncertainty or, more importantly, the effect of uncertainty on the achievement of objectives. On 15 November 2009, ISO published ISO 31000:2009, Risk Management – Principles and guidelines, to help industrial, commercial, and public sector organisations to confidently address such risks.

ISO 31000:2009 is clearly different from existing guidelines on the management of risk in that the emphasis is shifted from something happening – the event – to the effect of uncertainty on objectives. Every organisation has objectives – strategic, tactical, and operational – to achieve and, in order to do so, it must manage any uncertainty that will have an effect on their achievement.

ISO 31000:2009 sets out principles, a framework, and a process for the management of risk that are applicable to any type of organisation in public or private sector. It does not mandate a 'one size fits all' approach, but rather emphasises the fact that the management of risk must be tailored to the specific needs and structure of the particular organisation.

Significant commitment

ISO 31000 requires significant commitment of board and top management attention, as well as sufficient resources to translate commitment into action. It calls for a serious mandate and commitment from the board, along with management leadership, to ensure it is woven into the organisational fabric and culture across the organisation.

Many organisations prefer to spend time debating whether to introduce 'total risk management', or 'holistic risk management', or 'enterprise risk management', or 'enterprise wide risk management', or 'strategic risk management'. Others are content to settle for a 'tick and flick' compliance programme that keeps the regulators happy.

The really successful organisations, like UPS, work on understanding the uncertainty involved in achieving their objectives and ensuring they manage their risks so as to ensure a successful outcome.

Summarised from an article by Kevin Knight AM* in ISO Focus+, April 2010.

Note: Kevin is Chair of the ISO working group that developed the new ISO 31000 Risk management Standard and the revision of ISO/IEC Guide 73, and a founding member of the Standards Australia/Standards New Zealand Joint Technical Committee OB/7 – Risk management.

Kevin is well known through his very active work in the development of risk management Standards and has been active in furthering the risk management profession and the professional development of its practitioners, both worldwide and throughout the Asia-Pacific Region in particular, over the past 25 years.

Kevin can be contacted at: P.O. Box 226, NUNDAH Qld 4012, Australia, email kknight@bigpond.net.au.

*Member of the General Division of the Order of Australia.

Standards New Zealand ISSP update

As we've reported previously in Touchstone, over the next 3 to 5 years Standards New Zealand will be developing a set of integrated information, communications, and technology (ICT) services to assist us to achieve our business goals. An important element of these services will be the ability to maintain and access Standards New Zealand's historical data.

Continuing our relationship with the Government Shared Services Scheme we have engaged the Department of Internal Affairs (DIA) to identify a feasible and cost-effective data repository solution that will meet Standards New Zealand's requirements. This solution is part of delivering the first phase of our Information Systems Strategic Plan (ISSP).

'Being able to access our data is a critical component in delivering our day-to-day activities,' says Michelle Wessing, General Manager Corporate Services and ISSP Programme Sponsor. 'Like any business, we rely on past data to assist with our operational and management decisions. A centralised data repository allows us to maintain our historical information effectively.'

The DIA's assessment will:

  • consider whether it is possible and feasible to warehouse historical data and provide data warehousing that meets the desired outcomes
  • determine how and with which existing 'off-the-shelf' solutions the desired outcomes could be achieved effectively and efficiently
  • identify any risks or challenges associated with its desired outcome that Standards New Zealand would need to consider when implementing the proposed solution
  • identify any warehousing considerations associated with implementing the new data model in the new Enterprise Performance Management System
  • identify if there are alternative methods to achieve the desired outcome.

Based on the assessment findings, the DIA will recommend a preferred solution and provide an implementation plan. This is expected in June 2010.