What is risk management? Defining the end result of effective risk management (Specialists)

The end result of effective risk management is to be sure that the ‘organisation’ understands its risks, and that those risks are acceptable.

This article assumes you have read What is risk management? (Everyone). The previous article compared definitions of ‘risk management’ from different sources. This third article about definitions looks at the ideal end result of risk management.


After defining ‘risk’ and ‘risk management’, ISO 31000 defines the purpose of effective risk management:

…to ensure the organisation understands its risks and that they are within its criteria. [found at HB 436, 5.7.3.2, summarising Appendix A to ISO 31000]

My collapsed definition of ‘risk management’ also reflects the ISO 31000 ‘purpose’. The ‘understanding’ side is equivalent. My use of ‘act on’ the understanding compresses into two short words all the steps needed to establish criteria, to assess, evaluate and treat risk, and associated communication and consultation processes.

I justify rolling all of that into two words by suggesting that all of those activities will follow, without prompting, from a genuine concern to understand the effects of uncertainty and to fulfil obligations to stakeholders.

The formal Standard spells out those steps more fully, by way of clarifying expectations.

The condition …within its criteria in the ISO definition follows the COSO ERM condition …within its risk appetite. For the limited purposes of understanding the ISO 31000 vision for the result of effective risk management, we can say ‘risk criteria’ is equivalent to ‘risk appetite’. Let’s also assume that the risk criteria represent a fair and accurate understanding between managers within the organisation and the organisation’s stakeholders on the outside.

My collapsed definition of ‘risk management’ does not require that the end state—all risks understood and within appetite—is actually reached. Neither does ISO 31000.

I have a minor issue with the words used in the ISO 31000 vision for the aim of effective risk management. The wording does not specifically recognise maximising the achievement of objectives by recognising that some new, surprising, or uncomfortable risks can be within the risk appetite and can be taken profitably. The ‘profits’ can be for the organisation or for any of its stakeholders.

Further Reading

Main article on What is risk management? (Everyone)

Some other main topics:

Discrete risk management processes within an enterprise

‘Enterprise Risk Management’ and risk management (coming soon)

