Defining the end result of effective risk management

The end result of effective risk management is to be sure that the ‘organisation’ understands its risks, and that those risks are acceptable.

What to read first: What is risk management? Reconciling definitions of risk management

Seen it all: This series assumes you know risk terms and concepts. It includes references to standards.

After defining ‘risk’ and ‘risk management’, ISO 31000 defines the purpose of effective risk management:

…to ensure the organisation understands its risks and that they are within its criteria. [found at HB 436, 5.7.3.2, summarising Appendix A to ISO 31000]

My collapsed definition of ‘risk management’ also reflects the ISO 31000 ‘purpose’. The ‘understanding’ side is equivalent. My use of ‘act on’ the understanding compresses into two short words all the steps needed to establish criteria, to assess, evaluate and treat risk, and associated communication and consultation processes.

I justify rolling all of that into two words by suggesting that all of those activities will follow, without prompting, from a genuine concern to understand the effects of uncertainty and to fulfil obligations to stakeholders.

The formal Standard spells out those steps more fully, by way of clarifying expectations.

The condition ‘…within its criteria’ in the ISO definition follows the COSO ERM condition ‘…within its risk appetite’. For the limited purpose of understanding the ISO 31000 vision for the result of effective risk management, we can treat ‘risk criteria’ as equivalent to ‘risk appetite’. Let’s also assume that the risk criteria represent a fair and accurate understanding between managers within the organisation and the organisation’s stakeholders on the outside.

My collapsed definition of ‘risk management’ does not require that the end state—all risks understood and within appetite—is actually reached. Neither does ISO 31000.

I have a minor issue with the words used in the ISO 31000 vision for the aim of effective risk management. The wording does not explicitly recognise that objectives can be achieved more fully by taking some new, surprising, or uncomfortable risks that are within the risk appetite and can be taken profitably. The ‘profits’ can be for the organisation or for any of its stakeholders.
