This post assumes you have read What is risk management? (Everyone). It compares and reconciles definitions of ‘risk’ from different sources.
The ISO 31000 definition of ‘risk’ is the effect of uncertainty on objectives. [ISO Guide 73:2009, 1.1, quoted in ISO 31000 and HB 436]. If you have a copy handy, it is rewarding to look at the ‘notes’ which follow this definition.
A comparably authoritative definition of risk is from COSO. It is the possibility that an event will occur and adversely affect the achievement of objectives. [COSO ERM]
Both the ISO and COSO definitions of risk refer to objectives. Objectives are central to the understanding of risk and its management.
The main differences between ISO 31000 and COSO ERM definitions of ‘risk’ are about ‘positive’ risk and about ‘uncertainty’ other than events.
Negative and positive risk
The COSO definition refers to adverse effects, whereas the ISO 31000 definition refers neutrally to just effects. The strict COSO definition of risk does not recognise uncertainty associated with positive outcomes. However, the broader COSO ERM framework does actually recognise the positive side of risk. In COSO ERM, they use the word ‘opportunity’ to refer to an uncertain possibility of exceeding expectations, rather than talking about ‘positive risk’ or similar contortions. They are not actually excluding uncertain wins from ‘risk’.
A practical implication of ISO 31000’s positive-negative neutrality is that we must understand ‘objectives’ to include avoiding undesirable outcomes as much as achieving wanted outcomes.
Event and uncertainty
The COSO ERM definition confines ‘risk’ to the possibility of an event that may or may not occur, whereas the ISO 31000 definition refers to uncertainty. A possible event is one kind of uncertainty. Another important kind of uncertainty is making assumptions that may or may not be correct. While events occur at a specific time, assumptions can be wrong already and it may not be important or helpful to know when the mistake is discovered, if it ever is. The important thing is that there is always risk from assumptions. A special type uncertain assumption is the validity of the cause and effect relationships that are assumed within risk assessment.
I feel the narrower events-only scope of uncertainty in COSO ERM is unhelpful as it simply ignores assumptions and other kinds of uncertainty. If you are formally using the COSO definition of risk, I recommend that you adopt a policy of including in your risk registers assumptions and beliefs that may be wrong, in the same way that you include potential events waiting to happen.
Main article on What is risk management? (Everyone)
Recommended next article:
|What is risk management? Definition of ‘risk management’ (Specialists)|
|Some other main topics||
Discrete risk management processes within an enterprise
‘Enterprise Risk Management’ and risk management (coming soon)
All pages on What is Risk Management?