ISO 31000 and the Icelandic volcano crisis

By Kevin Knight

The air traffic crisis provoked by the Icelandic volcano eruption, with its accompanying economic and societal effects, is analyzed through the lens of the ISO 31000 risk management standard by the leader of the group of ISO experts who developed it.

The cloud of ash from the Icelandic volcano which has wreaked havoc on passengers and airports across Europe has also had significant global effects. The International Air Transport Association estimates that the ash crisis has led to the cancellation of hundreds of thousands of flights and cost the world’s airlines many billions of dollars. Some airlines may not recover from the losses incurred.

Surprisingly, such an event does not appear to have featured as a risk that airlines and many other companies needed to manage. Apart from the airlines, the closure of the European airspace has affected everything from tourism to the flower and fresh vegetable producers in Africa, the garment manufacturers in Bangladesh and the electronic component makers in the Far East.

The eruption of the ash and its subsequent blanketing of much of Europe is a classic example of a low probability, severe consequence event that tends to be overlooked by management when examining potential risk to corporate objectives.

Given knowledge of the activity of the Icelandic volcano and the impact on aviation of past eruptions in Asia, it is surprising that no plans were in place to manage such a disruption-related risk.

Ever-changing risks

The ash cloud is just another example of the ever-changing risks that must be managed in an increasingly global economy with greater reliance on “just in time” delivery. One has to wonder just how seriously, if at all, top management participate in planning and testing of disruption-related risk scenarios.

Some would suggest that the havoc was caused by a failure of risk management, rather than the failure of Boards and top management to effectively manage risk. However, organizations with a strong management of risk culture, such as United Parcel Service (UPS), quickly redirected air freight bound from Asia to Europe to Istanbul and then loaded it onto trucks for delivery to its final destination. UPS was one of the exceptions, as most sat and wondered when the ash would blow away and aircraft would resume flying.

Without risk, there is no reward or progress, but unless risk is managed effectively within an organization, the opportunities will not be maximised and the threats minimised.

Risk is all about uncertainty or, more importantly, the effect of uncertainty on the achievement of objectives. On 15 November 2009, ISO published ISO 31000:2009, Risk Management – Principles and guidelines, to help industrial, commercial and public sector organizations to confidently address such risks.

ISO 31000:2009 is clearly different from existing guidelines on the management of risk in that the emphasis is shifted from something happening – the event – to the effect of uncertainty on objectives. Every organization has objectives – strategic, tactical and operational – to achieve and, in order to achieve these objectives, it must manage any uncertainty that will have an effect on their achievement.

ISO 31000:2009 sets out principles, a framework and a process for the management of risk that are applicable to any type of organization in public or private sector. It does not mandate a “one size fits all” approach, but rather emphasises the fact that the management of risk must be tailored to the specific needs and structure of the particular organization.

Significant commitment

ISO 31000 requires significant commitment of Board and top management attention, as well as sufficient resources to translate commitment into action. It calls for a serious mandate and commitment from the Board, along with management leadership, to ensure it is woven into the organizational fabric and culture across the organization.

Many organizations prefer to spend time debating whether to introduce “total risk management”, or “holistic risk management”, or “enterprise risk management”, or “enterprise wide risk management”, or “strategic risk management”. Others are content to settle for a “tick and flick” compliance programme that keeps the regulators happy.

The really successful organizations, like UPS, work on understanding the uncertainty involved in achieving their objectives and ensuring they manage their risks so as to ensure a successful outcome.

About the author

Kevin W. Knight AM* is Chair of the ISO working group that developed the new ISO 31000 risk management standard and the revision of ISO/IEC Guide 73, and a founding member of the Standards Australia/Standards New Zealand Joint Technical Committee OB/7 – Risk management.

He is well known through his very active work in the development of risk management standards and has been active in furthering the risk management profession and the professional development of its practitioners, both worldwide and throughout the Asia-Pacific Region in particular, over the past 25 years.

He can be contacted at: P.O. Box 226, NUNDAH Qld 4012, Australia.

* Member of the General Division of the Order of Australia.

Original article by permission by Kevin Knight published on PRIMO Europe website