I’ll first lay out the argument, then list the assumptions I know I’ve made. Here’s the conclusion of the argument:
In annual ‘business’ planning for a work unit, risk consequences are the differences between the planned year-end outcomes and the other outcomes that might be reached at year-end.
The key word is ‘are’. Not affect, predict, indicate or link with, but are.
This conclusion is a very literal interpretation of risk as the effect of uncertainty on objectives [ISO 31000, relying on ISO HB 73], applied to annual ‘business’ planning for a work unit within a larger organisation.
The annual ‘business’ plan has intended outcomes.
It is not certain that the intended outcomes will follow from the plan.
- Outcomes may be disappointing, or they may be better than expected.
- Each actual outcome may deviate from the planned outcome by a little, or by a lot.
- Outcomes may be those intentionally engineered.
- Other outcomes may be unintentional by-products of the managed effort.
|Intended outcome||Unintended outcome|
|Positive effect from uncertainty||Success in reaching an intended outcome that had otherwise been looking doubtful: While looking for oil, you find some and make a good profit.||Unexpected gain (windfall): While looking for oil, you stumble across gold.|
|Negative effect from uncertainty||Failure to reach an intended outcome that had been expected: While looking for oil, you don’t find any, and end up broke.||Unintended consequence (side-effect): While looking for oil, you die from malaria.|
The expected outcome is some version of achieving the intended objectives, without unexpected harms. In the oil example, it might have been: You look for oil and find enough to make it worthwhile. No-one will be injured as a result. All the quadrants represent risk. the yellow planned success is risky because its likelihood is less than 100%. The other quadrants represent risk because they have the likelihood missing from that 100%.
There is ‘risk’ where, and only where, there is a non-zero likelihood of an outcome different from the planned outcome.
- The level of risk increases as the likelihood of that unplanned outcome increases.
- The level of risk also increases as the unplanned outcome is increasingly different from the planned outcome.
In the reverse direction, the level of risk is zero if there is no likelihood or if the resulting outcome matches the planned outcome. A potential event that will not change the outcome is not a risk.
This point is supported by HB 436 2.1 Risks and Objectives.
In annual planning, any potential event during the year represents risk if, and only if, it will lead to a different annual outcome from the plan. Even the most disruptive and alarming event is not a risk if it does not change the outcome.
The same applies to any mistaken beliefs that influence decisions during the year. There is a ‘risk’ of guessing wrongly only when the year-end outcome will be affected. Mistaken beliefs are analogous to unpredictable events. They are both valid forms of uncertainty. This point is spelled out in HB 436 2.2.
In the risk management discipline, the word ‘consequence’ can be used for the difference between the planned and unplanned outcomes, and for how that outcome difference is valued. That value is rarely a monetary value, nor a difference in a numerical measure. It is the subjective value attached by stakeholders.
In the real-world practice of risk management, the word ‘consequence’ is used less helpfully. It is used for all sorts of temporary setbacks, surprises and subjective reactions. Most often those surprises and reactions are carefully rated on scales, but they have no specific link to any agreed objectives.
Risk as the possibility of unplanned outcomes is a literal interpretation of risk as the effect of uncertainty on objectives (ISO 31000, relying ISO HB 73). Objectives are preferred outcomes.
The link between objectives and preferred outcomes is supported in HB 436 (5.3.5, Step 1, with details and examples at C2.2).
There are infinitely many potential outcomes from a year of activity. For practical risk management with a defined scope, it is possible to create a finite list of objectives as preferred outcomes. If the scope of the assessment is practicably tight, the number of objectives might be between four and fifteen. An enterprise example in HB 436 shows eight (Table C1). For projects, the number of objectives might be much larger, perhaps four to fifteen for each of the four Perspectives in PRINCE2 and M_o_R.
Risk ‘consequences’ are the potential unplanned outcomes for each objective. The ‘consequence’ can also be understood as the stakeholder value of the deviation from the planned outcome.
This interpretation of ‘consequence’ is consistent with ISO 31000:2009 5.3.5, but so are very different interpretations of ‘consequence’. My interpretation is supported by HB 436 (5.3.5, Step 2, with details and examples at C2.3).
For annual ‘business’ planning for a work unit in an organisation, the key outcome differences are those that are reached at the end of the planning year.
Some of those differences might be in the nature of ‘track record’ laid down during the year, but only in cases where ‘track record’ remains important at year-end. ‘Water under the bridge’, such as a temporary disruption, is unimportant.
Where you come in
I want you to test my assumptions. They need to be valid before I publish a guide on risk in annual work unit planning. (A draft is on line, marked Beta).
Six known assumptions
These are the assumptions for you to challenge. There are reference numbers.
For all risk management purposes:
- Risk arises when there a non-zero likelihood of an outcome different from the planned outcome, and nowhere else.
- A potential event that will not change the outcome is not a risk.
- Risk ‘consequence’ can refer to the difference between the planned and unplanned outcomes, and to how that outcome difference is valued.
In annual ‘business’ planning for a work unit within a large organisation:
- ‘Objectives’ can be understood and defined as preferred outcomes. It is possible to create a finite list of objectives, each one representing a preferred outcome.
- Risk consequences are the differences between the potential unplanned outcomes and the planned outcomes.
- The key outcome differences are those that are reached at the end of the planning year. Within the risk ‘criteria’, these differences are the consequences.
You might think differently. You might think that accepting all of these ideas is a challenge to versions of Enterprise Risk Management based on standardisation. You might be right about that. But let’s proceed one step at a time.
What’s wrong with this argument so far?
|Risk specialists||Version 3.0 Beta|
|Blog post||Version 1.0|
Previous article for Debate
|Blog post||Version 1.0|
Main article on Risk in work unit business planning