Reconciling definitions of risk management

What to read first: What is risk management? (supplement for risk specialists)

Seen it all: This series assumes you know risk terms and concepts. It includes references to standards.

You may wonder why I offer yet another definition of risk management. My definition of risk management was:

To understand and act on the effects of uncertainty on objectives.

This definition simply collapses elements drawn from the ISO 31000 family into one line, and it is intended to be consistent with that Standard. The main collapsed elements from ISO are the definitions for risk, risk management, and the end result of effective risk management. In this section I present a reconciliation of definitions at those three levels, including comparison with other authorities such as COSO ERM.

You might doubt the conclusive supremacy of ISO 31000. Possibly you are more influenced by COSO ERM or some other standard. Perhaps you know what risk management means in your world, and don’t need any standards to tell you otherwise. I can’t disagree with those positions.

Objections to ISO 31000 are common, but the commonly voiced objections are not based on what the Standard actually says. ISO 31000 does have real problems, but they are problems of incompleteness and opacity, not problems with its concepts of ‘risk’ and ‘risk management’.

Next article for Risk Specialists

What is risk management? It’s not following a risk management process

Risk management is not defined by its methods. Risk registers, matrices, and bureaucracy are not part of ISO 31000. Registers and scales do not define Enterprise Risk Management either.

Drill-down articles

What is risk management? Definition of ‘risk’

The main differences between ISO 31000 and COSO ERM definitions of ‘risk’ are about ‘positive’ risk and about ‘uncertainty’ other than events.

What is risk management? Definition of ‘risk management’

ISO 31000 defines risk management for an ‘organisation’, broadly defined, while COSO ERM is only about ‘enterprise’ risk management.

What is risk management? Defining the end result of effective risk management

The end result of effective risk management is to be sure that the ‘organisation’ understands its risks, and that those risks are acceptable.

What is risk management? (CRMA supplement)

For CRMA candidates (IIA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRMA Study Guide.

What is risk management? (CRISC supplement)

For CRISC candidates (ISACA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRISC Study Guide.

Parent articles

What is risk management? (supplement for risk specialists)

Index to the topic What is Risk Management?