An open letter about the definition of risk

I have been open for years about my preference for the ISO:31000 global risk management standard over the COSO products. (I first explained my position at Alex Dali’s ISO 31000 Conference in Paris in 2011.)

Back then, we had the 2009 version, which included a definition of risk and a set of principles. The definition then and now is:

The effect of uncertainty on objectives.

The principles were truly outstanding:

a. Risk management creates and protects value.

Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.

b. Risk management is an integral part of all organizational processes.

Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.

c. Risk management is part of decision making.

Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.

d. Risk management explicitly addresses uncertainty.

Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.

e. Risk management is systematic, structured and timely.

A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.

f. Risk management is based on the best available information.

The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts.

g. Risk management is tailored.

Risk management is aligned with the organization’s external and internal context and risk profile.

h. Risk management takes human and cultural factors into account.

Risk management recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization’s objectives.

i. Risk management is transparent and inclusive.

Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.

j. Risk management is dynamic, iterative and responsive to change.

Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.

k. Risk management facilitates continual improvement of the organization.

Organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organization.

The principles have been changed since 2009, and I am not persuaded that they have been improved. But that’s a discussion for another time.

This “Open Letter” is about the definition of risk as:

The effect of uncertainty on objectives.

The current (2018) version of the standard includes these notes to the definition of risk:

Note 1 to entry: An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.

Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.

Note 3 to entry: Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood.

I’m going to discuss this sentence in three phases, working from the last part to the first.

First: Objectives

The standard talks about risk and risk management (by inference) with respect to objectives. In other words, not in terms of dollars and cents (or information assets), but how objectives may be affected.

It is critical in my opinion to understand what effective risk management is all about: objectives.

I prefer to talk about enterprise objectives, although 31000 can be applied to objectives at any level.

Another critical requirement to the effective management of risk – in fact, the effective management of the organization – is that all other objectives support the achievement of enterprise objectives. I like to talk about cascading enterprise objectives down and through the organization.

Far too often, objectives at the business unit or functional level are disconnected from enterprise objectives. Instead, they should be based on what is necessary for the business unit or function to deliver if enterprise objectives are to be achieved.

There’s another critical but subtle point: we are talking about the achievement of objectives. That word, achievement, should be inserted whenever you are talking or thinking about this definition.

Then: Uncertainty

ISO guide 73:2009 added a definition of uncertainty (it is not in the standard itself) as:

Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

While the standard talks about managers taking uncertainty into account, it also talks about a “new uncertainty” appearing.

Frankly, this definition of uncertainty doesn’t make any sense to me. While it may be the common English use of the word, it doesn’t work in this context. (My understanding is that when the definition was being debated among the various constituents, they found it very difficult to agree on a word or phrase because it had different meanings in different languages and ‘uncertainty’ was a compromise.)

The lack of knowledge, the lack of certainty of a potential future “event, its consequence, or likelihood” does not have a direct effect on objectives (at any level).

We should be looking at what would have an effect on the achievement of objectives! That is not a lack of information.

The quality of information impacts how management can address or treat risk (I prefer talking about taking risk), but it doesn’t directly affect the achievement of objectives.

Only actions based on information affect the achievement of objectives.

Events and situations are what can have an effect on the achievement of objectives.

I like simple terms, so I refer to “what might happen”. So we have:

Risk is the effect of what might happen on the achievement of objectives.

Finally, let’s consider Effect.

For some reason, perhaps under the influence (pun intended) of COSO, the standard defines ‘effect’ as:

…a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.

But we are, or should be focused on the achievement of objectives, not on any deviation from the expected.

What does that even mean, deviation from the expected?

Using that word, expected, already implies some consideration of probability.

Rather than debating whether you can stretch an argument to make sense of this, let’s consider what leadership needs.

They need to achieve enterprise objectives, and they are (or should be) concerned with the likelihood of achieving them.

So let’s measure the effect of risk in terms of how the likelihood of achievement might be affected. As the standard says, that may be positively, negatively, or both.

ISO 31000 is the product of an international organization, and it has been adopted by the standards organizations of many nations around the world.

The International Organization for Standardization is an independent, non-governmental, international standard development organization composed of representatives from the national standards organizations of member countries.

For a while, I was a member of the US national standards body’s (ANSI) working group on the update of the ISO 31000 standard.

ISO has a technical committee, TC262, that is considering updates of the current (2018) version of 31000 and related standards.

This Open Letter is addressed to the memberships not only of TC262 but also the working groups of each of the national standards organizations working to update it.

My advice is to leave the definition unchanged but fix the underlying definition of terms and explain what it all means.

An alternative is to update the definition to say:

Risk is the effect of what might happen on the achievement of objectives.

I welcome your thoughts.

  1. Anonymous
    April 15, 2024 at 10:40 AM

    Would you consider including “potential or actual” to the definition of risk and replacing “what might happen”?

    The sentence would read: ”Risk is the potential or actual effect on the achievement of objectives”

    • Norman Marks
      April 15, 2024 at 10:44 AM

      “Potential” is fine, but the potential effect of what?

      • Anonymous
        April 15, 2024 at 10:51 AM

        I understand your question. Disregard then the replacement suggestion. I would encourage adding “potential or actual”.

  2. Anonymous
    April 15, 2024 at 11:41 AM

    If your 2011 presentation on this subject matter was not the single best presentation I have heard in my entire working career, it certainly is in the top 5. It was amazing then and it is amazing now. What is most distressing is that in the year 2024 you have to keep on talking about this stuff. This means to me that very few people really grasp the intricacies of what you are talking about.

    The material from COSO was garbage back when it was initially issued and it is the same thing today all these years later. The true test whether the definition is gold or not is for an integrated analytical thinker of which you are one of only a handful, can take an example and using the definition and the principles demonstrate how it looks. Do it please and if you want a quick reference, go back to the case I published in 2010 in John Fraser’s book called JAA Inc in Chapter 22 and it should work but if not, you have the capabilities to demonstrate exactly how it all ties together.

    As for why you still need to talk about this in 2024, you know the answer to this. It's because our profession of IIA and AICPA organizations sold their souls to the devil. The COSO framework should never have been rolled out in the US but since the Big firms invested such dollars in it, they were stuck with it.

    The right thing to have done then was to look at South Africa and the 4 King Reports, at Australia and New Zealand and AS/NZS 4360:2004 and HB 436, at Canada and CoCo, at the UK and the Combined Code of Corporate Governance.

    • Norman Marks
      April 15, 2024 at 12:13 PM

      Thanks Arnold (aka anon)

      • Anonymous
        April 15, 2024 at 12:25 PM

        I did not intend to be anonymous but s

      • Anonymous
        April 15, 2024 at 12:36 PM

        why don’t you have a bit of fun

        Show an example using all of ISO and then find the smartest COSO supporter you know and ask them to take your model and show how it fits into COSO

        • Norman Marks
          April 15, 2024 at 12:39 PM

          Arnold, 31000 is not perfect. One of the issues is that the process appears to assess, evaluate, and treat one source of risk at a time. It doesn’t give much guidance on assessing every source of risk, both positive and negative, so you balance risk and reward to achieve objectives.

  3. johnoconnell5d85d9d50a
    April 15, 2024 at 3:17 PM

    I think most people, when they think of risk, associate it with the chance of something bad happening, or the ‘bad thing’ itself. When did anyone last say that there is a risk of something going well, or of turning out better than expected? People ‘take a risk’ to achieve something, but recognise that in doing so, something bad might happen. The problem with using the ISO definition, or some variant of it, is that it is just not how most people think about risk. We (risk practitioners) need to use simple language that our customers (i.e. everyone in our organisations) understands. What is wrong with saying that a risk is something that, if or when it occurs, could stop a company achieving its objectives or damage some aspect of what the company values?

    • Norman Marks
      April 15, 2024 at 4:14 PM

      John, you make some excellent points.

      I agree that ‘risk’ is about bad things happening in common parlance. The four-letter word not only is about negative effects (or the chance of them) but also evokes a negative reaction from executives who see it as a focus on avoiding failure, when they are focused on achieving success (enterprise objectives).

      Grant Purdy and Roger Estell talked about this in their book.
      It trashes the whole idea of risk management.

      I talked about avoiding the use of the four-letter word in “Risk Management in Plain English”.

      The language that uses the four-letter word is one of the two massive problems for ISO, COSO, and also for practitioners.

      The other is the influence and demands of the regulators. They are focused 100% on protecting value (and stakeholders’ investments) and 0% on creating value. They are only concerned with managing the potential negative effects.

      The trouble with your suggestion is that managing the negative without consideration of the positive is what got us in trouble to start with. It’s what has management considering ERM as something they are forced to do instead of something they want to do.

      How about a compromise.

      Instead of ‘risk’, talk about ‘risk and reward’ or ‘risk and opportunity’ (which is the position taken by the corporate governance code of South Africa and elsewhere)?

      Then ISO can add the concept of reward or opportunity to its discussions, adding a definition of the positive side.

      This would enable a greater focus on ensuring everything is considered together.

      Your thoughts?

      • johnoconnell5d85d9d50a
        April 16, 2024 at 10:04 PM

        Avoiding failure can be an important part of achieving success, of course.

        I like the concept of ‘risk and reward’, but sometimes risk has no associated reward. I think that risk professionals should exist to help people:

        • Compare expected or desired rewards of a decision or strategy (i.e. the good things they want to achieve) with the associated risks (i.e. the bad things they want to avoid). This will help them make informed decisions. (What risks should we take, and why, to achieve success? Do the expected benefits sufficiently outweigh the associated risks? How big are those risks, and do we need to reduce them?). This is about helping to create value.
        • Understand that some risks have no related benefit or reward (e.g. natural disaster, cyber-attack, accident at work, fraud) and hence their likelihood and/or consequences need to be eliminated or reduced as far as reasonably practicable. This is about helping to protect value.

        I believe we should not shy away from focusing on a risk being ‘a bad thing that could happen’, but make sure we apply risk thinking, advice, and analysis in the right context (broadly the two bullet points above).

        So I would still say that we should use a simple definition of risk along the lines of it being an event, action or factor that could have an impact on our ability to achieve our objectives.

  4. David Griffiths
    April 16, 2024 at 12:47 AM

    I agree that there is a need for a definition of risk which is easily understood by those who have to use it in their organisations.

    While I like your definition, Norman, I prefer the one I have used in my books.

    ‘A risk is a set of circumstances that threaten the achievement of objectives.’

    It is usually measured by assessing the impact if it occurs and the likelihood of it occurring.

    • Norman Marks
      April 16, 2024 at 6:33 AM

      David, please remember that there is a range of potential impacts.

      • David Griffiths
        April 16, 2024 at 8:08 AM

        Norman, I take your point about the range of potential impacts, which should be considered when attempting to quantify risks. There is a need to ask ‘why am I attempting to measure this risk?’

  5. David Griffiths
    April 16, 2024 at 12:51 AM

    Not forgetting:

    ‘An opportunity is a set of circumstances that contribute to the achievement of objectives.’

  6. Anonymous
    April 16, 2024 at 7:26 PM

    Douglas Hubbard also defined risk in his book, ‘The Failure of Risk Management,’ as ‘The possibility that something bad could happen.’ This version emphasizes ‘the possibility,’ while your suggested definition highlights ‘the effect.’ Some define risk as an event or a circumstance. I’m not sure who is right, but it’s evident that there are different views on the definition, even among risk management professionals who write books on this very subject.

    • Norman Marks
      April 16, 2024 at 7:39 PM

      I’m not going to agree with that. Sure, we need to understand the potential effects on objectives, but it is essential to assess and evaluate the likelihoods of those potential effects. In other words, it’s not about either probability/chance or effects by themselves.

      • Anonymous
        April 16, 2024 at 9:15 PM

        Yes, I simply pointed out the differences in the definition of risk by various professionals. At least I don’t think the definition should be confined to a potential event or a negative situation.

        We analyze risk to determine the potential loss amount (expressed as a range) and the probability of experiencing such losses, rather than solely estimating the likelihood of a negative event which is merely one aspect of the broader risk analysis process.

        • Norman Marks
          April 17, 2024 at 6:58 AM

          As long as we also analyze potential gains so we can make an informed and intelligent decision.
