A colleague drew my attention to what he called “yet another management standard”. Which got me thinking about where our preoccupation with standards might be heading and where it might end.
Most modern risk management standards allow for exception management. If a company has a formal procedure in place — for example a Disaster Recovery Plan — but something out of the ordinary comes up, then the latest standards provide management with flexibility to vary their response to suit their particular circumstances; in other words, management can generally waive regular procedures and “accept the risk”. The company can remain in compliance with management systems and standards if it documents these exceptions carefully.
So … what if a company says “the hell with this latest management standard, we don’t want to have anything to do with it”? If the standard allows for exceptions, then the company may still be in compliance with the standard by not being in compliance with it.
How about that: a standard you cannot help but comply with!
And then we wouldn’t need auditors. We might even start to make some real progress.
Here’s a less facetious analysis of the perils of over-standardisation: https://lockstep.com.au/blog/2010/12/21/no-algorithm-for-management.