You want a risk management program that conforms to a particular STANDARD. Standards usually present highly organized risk management systems. But that is not what is needed for many of the threats that our firms face. What we really need is a risk management program that fits our threats.
For example, our response to terrorism risk is to create a highly cooperative risk management system. We ask everyone to be on the lookout: "If you see something, say something."
However, as time goes by and the threats do not emerge as severe and intense adverse events, people will be less and less cooperative. Folks may start to see terrorism as a benign risk, where it would be OK to just say, "everyone take care of themselves."
The threats to our financial system before and during the financial crisis were highly complex. We needed a highly organized risk management approach. Many banks preferred a low-cooperation approach. The mismatch was part of why many banks missed the increasing threat.
Right now, many of the threats to business are uncertain and highly unpredictable. The highly organized risk management system that is defined by a STANDARD is not helping much, if at all. Adaptability is needed.
See http://wp.me/pevO4-10k for further discussion of these ideas.