The new ISO regime focuses on risk to a much greater extent than any of its predecessors.  For example, in the guidance document for ISO 9001:2015 risk is mentioned 40 times.  In ISO 9001:2008 it was mentioned 4 times.

But it is not just the volume of risk references that has changed.  The nature of its focus has too.  Whereas in 2008, risk was there for its own sake - to prevent catastrophic errors - in 2015 the focus is on the application of risk to support strategic decisions and create real business value.  It's back to our much-discussed "V" word again.

At E Squared we also saw both of these factors - the tenfold increase in risk-based questions and the focus on value - being applied in practice when we were recently audited for our own ISO 9001:2015 certification.  The whole thing was about strategic process effectiveness.

So it comes as no surprise to learn that the insurance industry, which bases its entire business model on a deep understanding of risk, has been attempting to use Enterprise Risk Management technology to create real business value.  But it may come as a surprise that few insurers have managed to achieve it.

The reason may be the application of the ERM technology itself.  Whilst ERM software is good at detecting and managing risk to support strategic decisions involving that risk, it is not good at - nor is it designed for - a determination of value.  Trying to adapt it to that purpose is like pushing a square peg into a round hole.

What is needed is a system which integrates risk within its overall determination of value so that risk forms part of a subtle mix that reflects the complexity of the business as a whole. 

Maybe ERM is the missing link in the ISO 2015 regime.