This article assumes you have read What is risk management? (Everyone). The previous article compared definitions of ‘risk management’ from different sources. This third article about definitions looks at the ideal end result of risk management.
The end result of effective risk management is to be sure that the ‘organisation’ understands its risks, and that those risks are acceptable.
After defining ‘risk’ and ‘risk management’, ISO 31000 defines the purpose of effective risk management:
…to ensure the organisation understands its risks and that they are within its criteria. [found at HB 436, summarising Appendix A to ISO 31000]
My collapsed definition of ‘risk management’ also reflects the ISO 31000 ‘purpose’. The ‘understanding’ side is equivalent. My use of ‘act on’ the understanding compresses into two short words all the steps needed to establish criteria, to assess, evaluate and treat risk, and associated communication and consultation processes.
I justify rolling all of that into two words by suggesting that all of those activities will follow, without prompting, from a genuine concern to understand the effects of uncertainty and to fulfil obligations to stakeholders.
The formal Standard spells out those steps more fully, by way of clarifying expectations.
The condition ‘…within its criteria’ in the ISO definition follows the COSO ERM condition ‘…within its risk appetite’. For the limited purposes of understanding the ISO 31000 vision for the result of effective risk management, we can say ‘risk criteria’ is equivalent to ‘risk appetite’. Let’s also assume that the risk criteria represent a fair and accurate understanding between managers within the organisation and the organisation’s stakeholders on the outside.
My collapsed definition of ‘risk management’ does not require that the end state—all risks understood and within appetite—is actually reached. Neither does ISO 31000.
I have a minor issue with the words used in the ISO 31000 vision for the aim of effective risk management. The wording does not specifically recognise maximising the achievement of objectives by recognising that some new, surprising, or uncomfortable risks can be within the risk appetite and can be taken profitably. The ‘profits’ can be for the organisation or for any of its stakeholders.