National/International Standards - do we need them?

ERM Expert Blog

Roger Poole

Community Topic(s): ERM

Keywords: standards, ISO, BSI

By Roger Poole, Global Head of Records Management at Barclays Capital

August 27, 2010 - 8:51 AM

**Views expressed in this blog are my personal views and not those of my employer. Any reference to any living person or organisation, past or present, is entirely co-incidental**
 
Here are some thought provoking and (I hope) some challenging thoughts and ideas in respect to National and International standards organisations and the guidance they produce.

To set the scene for this post, I would advise that the particular organisations I am referring to are the International Standards Organisation (ISO) and the British Standards Institute (BSI).

ISO (not surprisingly) develops standards which are adopted by a significant number of countries throughout the world. The use of ISO standards is widespread among many Global and National Corporations. ISO standards cover a wide range of subjects/topics from Health and Safety to Legal Admissibility of documents in court.

The ISO standards are viewed as good practice and are developed over a period of time in a collaborative manner. Each country which is a member of ISO has representatives on the ISO committee. This committee determines the standards it is appropriate and relevant to establish. Once this decision has been made then all member countries provide input from their (local) advisors/committees. In the case of the UK this is the BSI. BSI convenes meeting with subject matter experts to provide guidance into the standards project. This ensures that any Standards released should be workable as all implications of conformance will have been considered by the subject matter experts. Each country provides it's input to the organising group and a draft standard is produced and released (within the ISO membership) for consideration and approval. At this stage some ISO members (such as BSI) may seek input from specialist interest groups such as relevant industry representative bodies etc. These can provide further input, often from the perspective of the practicality of implementation. This input is invaluable - any ISO standards has to be viewed as best practice but also practicable.

So, after much work has been done and much input received in an internationally collaborative way the standard is published.

These standards are optional but generally regarded as best practice. Some Governments require conformance with various ISO standards as a condition of awarding contracts. Compliance without these standards will not guarantee a successful defence in litigation but they will prove you have taken appropriate steps to ensure your business processes are relevant and in line with internationally agreed standards.

So, some input from you please....

Do you have any experiences with building/implementing standards in your organisation? If yes, can you share these experiences with our audience?

Do you have any strong views relating to International/National standards???
 

Report

Add a Comment

You need to log in to post messages. Click here to login.

Comments

Bruno Wildhaber

Submitted by Bruno Wildhaber August 29, 2010 - 2:56 AM

"How can we talk about standardization if we have not even managed to have one electric socket type in Europe"? This is a statement from a friend of mine which is now ten years old and exactly explains what's wrong wit todays standards industry. Yes, it is an industry, because standardization is not a non for profit activity. If you look at the amount of standards published by ISO (a Swiss organization) and the increase in output between 2000 and 2010 you will be astonished. Everything gets standardized because ISO makes money by publishing the standards and the industry creating the standards tries to push their products or services. That's the simple truth and there is a very nice Dilbert series about how standards are being created. Members of the industry meet each other and decide to write a standard on something. The strongest influencer (e.g. the company who can afford to send the most delegates) will dominate the discussion and set direction. This can result in a very useful standard, but the opposite can happen, too. Same with government driven standards. Some governments (like the Australian) are very active in writing standards. There are some good examples like the Records Management or the IT Governance Standard.
Whoever the dominating writer or originator is, they will give a certain direction to this standard. There is a beautiful word in german which describes this: "Stallgeruch", or "smell of the stable". It's a poor translation meaning that you will always be able to identify from which "stable" or clan someone is coming from. So it might not be a good idea to use a standard created for a government agency or large corporation when you're running a nuts and bolts enterprise.
The majority of so called standards published today are frameworks, not standards. They include a set of "best practice" recommendations, but cannot be used as the basis for a one to one implementation in your organization. If you want to make good use of standards, use them as frameworks and take the best from them only selecting the contents you really need. Use them to optimize your organization: It is about optimizing your shop, not implementing "best practice" from a source you don't know! So here are some practical hints how to make the best use of standards:

- Use them as frameworks (e.g. like Cobit) only
- The closer they are to technology, the more value they can deliver
- Define the maturity level of the domain you want to use the standard for before applying the standard. The biggest deficit of a standard is it's inability to address business specific requirements -- yep, this is the nature of a standard..)
- Don't try to get a certification unless you can really identify the benefits
- Always find out from where the standard originates and through which stages of development it went

By the time you've gone through all this, you should know what to do.

Bruno Wildhaber

PS: I've been involved in standardization work in the information security field and have been working with security and RM standards such as ISO 15489, MoReq2 or 27001 for over 20 years.
Report
Was this helpful? Yes No
Reply

This post and comment(s) reflect the personal perspectives of community members, and not necessarily those of their employers or of AIIM International