What is risk management? Definition of ‘risk’ (Specialists)

The main differences between ISO 31000 and COSO ERM definitions of ‘risk’ are about ‘positive’ risk and about ‘uncertainty’ other than events.

This post assumes you have read What is risk management? (Everyone). It compares and reconciles definitions of ‘risk’ from different sources.


The ISO 31000 definition of ‘risk’ is ‘the effect of uncertainty on objectives’ [ISO Guide 73:2009, 1.1, quoted in ISO 31000 and HB 436]. If you have a copy handy, it is rewarding to read the ‘notes’ that follow this definition.

A comparably authoritative definition of ‘risk’ comes from COSO: ‘the possibility that an event will occur and adversely affect the achievement of objectives’ [COSO ERM].

Both the ISO and COSO definitions of risk refer to objectives. Objectives are central to the understanding of risk and its management.

The two definitions differ in two respects, taken in turn below: whether ‘risk’ includes positive outcomes, and whether ‘uncertainty’ is confined to events.

Negative and positive risk

The COSO definition refers to adverse effects, whereas the ISO 31000 definition refers neutrally to effects of either sign. Read strictly, the COSO definition of risk excludes uncertainty about positive outcomes. The broader COSO ERM framework does, however, recognise the positive side of uncertainty: it uses the word ‘opportunity’ for an uncertain possibility of exceeding expectations, rather than resorting to ‘positive risk’ or similar contortions. COSO ERM is therefore not ignoring uncertain wins; it simply does not call them ‘risk’.

A practical implication of ISO 31000’s positive-negative neutrality is that we must understand ‘objectives’ to include avoiding undesirable outcomes as much as achieving wanted outcomes.

Event and uncertainty

The COSO ERM definition confines ‘risk’ to the possibility of an event that may or may not occur, whereas the ISO 31000 definition refers to uncertainty in general. A possible event is one kind of uncertainty. Another important kind is an assumption that may or may not be correct. While an event occurs at a specific time, an assumption can already be wrong, and it may be neither knowable nor important when the mistake is discovered, if it ever is. What matters is that assumptions are always a source of risk. A special type of uncertain assumption is the validity of the cause-and-effect relationships assumed within a risk assessment.

I feel the narrower events-only scope of uncertainty in COSO ERM is unhelpful as it simply ignores assumptions and other kinds of uncertainty. If you are formally using the COSO definition of risk, I recommend that you adopt a policy of including in your risk registers assumptions and beliefs that may be wrong, in the same way that you include potential events waiting to happen.

Further Reading

Main article on What is risk management? (Everyone)

Recommended next article:

What is risk management? Definition of ‘risk management’ (Specialists)

ISO 31000 defines risk management for an ‘organisation’, broadly defined, while COSO ERM is only about ‘enterprise’ risk management.

Risk consequences as the final effect on objectives (LinkedIn – registration required)