April 7, 2010

HB 327:2010 - Communicating and consulting about risks

Good evening friends and readers,

Shame on me… On March 6th 2010, I was so excited to purchase my own copy of the Australian standards body's latest handbook that I totally forgot to post about it!!!

The reason why I use the word excited is that, from a professional perspective, the Australian standards body and the New Zealand Task Force have always been innovators in the field of applied risk management, and their publications have never been less than great.

Most people are not aware of this fact, and we tend to forget that the "buzz" around ISO:31000, or the one we experienced with ISO:27005, both originate from beautiful Australia and no less beautiful New Zealand.

Nearly all modern risk management practices in the ISO world find their roots in AS/NZ 4360 and the handbooks created over the past few years by this Oceania think tank.

“Handbook 327 – Communicating and consulting about risks”, like the rest of their documents, is just great. It is, to my knowledge, the first time that somebody provides such a concise and specific view of those two risk management aspects we tend to neglect.

Within a short 28 pages, this self-described “Owner’s Handbook” gives you basic but relevant advice on communication and consulting on the topic of risks within your organization.

The reason it is important that you understand the consulting aspect is that although you might be THE risk specialist, the detectors, the ones who actually see the real day-to-day and operational risks, are out of your reach. And guess what, your discipline is out of theirs.

In short, this document explains to you how you can help them help you!

The first part of the document explains why you should do it and gives you great insights to help you sell your case. It provides you with:

• An overview of the communication and consulting process
• A way to identify stakeholders and engage them in the process
• A fresh perspective on power-holder agendas, legitimacy and urgency
• Distortion of the process, the messages and its output
• Managing perceptions (tolerable vs. acceptable risks)
• Managing uncertainty (precaution, measurement and communication)

The second part explains how to do it by asking the right questions and supports you in determining:

• What are the communication objectives?
• Who will/should be involved?
• What are the communication channels?
• What needs to be communicated or consulted about?
• How will you communicate and conduct consulting engagements?
• What are the barriers to overcome?

Finally, an interesting element provided within part two is 4 short case studies: one on risk treatment, one on getting people on board, one on relevant risk identification by non-“risk-pros” and finally, one on the benefits of communication and early involvement.

You might find this document a bit light in content, but personally, I see HB 327 as a great reminder of what needs to be kept in mind when acting as the subject matter expert on risk management within your organization.

Our counterparts and customers are often less proficient than we are in the discipline, but they are the ones with the real knowledge, the "down to earth perspective" we need in order to provide good input to our top management.

I hope you will enjoy the reading!

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer

April 5, 2010

Issues with Authorstream when viewing ISO 27001 trainings solved

Good evening everybody,

Although the presentations were still accessible on the blog through the embedded viewer, something went wrong with AuthorStream.

AuthorStream experienced some issues over the weekend and my stuff got wiped! Thanks to Mr. Fournier, one of the readers, the problem was promptly identified and I just reloaded everything from my last backup.

Unfortunately, I lost all trackers and historical data on viewership, but it is no big deal. Until now, the service has been just perfect, but if the problem occurs again, I will switch to PPT-to-MP4 conversion.

Well, that’s it for tonight. Until next time, enjoy the presentations!

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security

April 1, 2010

Financial Management of Cyber Risk - Implementation Framework for CFOs

Good morning !

An excellent report just got published. Underwritten by Symantec with the support of the Internet Security Alliance and of the American National Standards Institute, this document provides a practical and easy-to-understand framework for executives to assess and manage the financial risks generated by modern information systems.

The 76-page document offers a pragmatic action plan that addresses cybersecurity from an enterprise-wide perspective.

Developed by a task force of more than sixty industry and government experts, The Financial Management of Cyber Risk: An Implementation Framework for CFOs has been funded and managed by the private sector and is offered as a free resource on cyber risk mitigation for organizations across the country.

It is available for download from the ANSI or the ISA web site.

Here is the download link to the ANSI store (free, but registration required).

I hope you will enjoy the reading as much as I did :)

Have a great day!

Martin Dion (CISSP/CISM)
ISO:27001/20000 Lead Auditor & Trainer
CTO @ Above Security