Comparison of the how-to guide with typical corporate prescriptions

The guide differs from typical corporate prescriptions in these ways:

  • Objectives
  • Consequence measures
  • Likelihood measures
  • Level of risk
  • Risk register
  • Overall risk view
  • Negative and positive risk

What to read first:

  • How the how-to guide follows ISO 31000
  • Risk in work unit business planning: Fast track for risk experts

Risk specialists Version 3.

The table on this page highlights the key differences between the how-to guide and the sort of risk process typically recommended (or sometimes mandated) by corporate procedures. You may hear people say that your corporate process is ‘standard’. If so, both you and they need to understand that neither version of the process detail comes from any formal standard such as ISO 31000, COSO ERM, or the Australian Commonwealth Risk Management Policy. Formal sources are based on principles, not process prescriptions.

The how-to guide in Clear Lines on Audit and Risk:

  • Tries to meet the ISO 31000 Principles (Section 3) more faithfully than the typical corporate process.
  • Makes a start on ‘tailoring’ of risk management as applicable to business planning for work units. ISO 31000 Principle G says that risk management is tailored. The how-to steps include the important tailoring, and that tailoring is done by unit managers themselves.

The same points are made in manager-friendly vocabulary within the manager guide (not all at once). (Direct link)

The guide differs from typical corporate prescriptions in these ways:

Each area below gives the typical method and the method in the how-to guide, with a note on why the difference matters.

Objectives

Note: Forgetting the objectives is against the intention of ISO 31000 5.3.1.

Typical method: Noted and then left in the background.

Method in the how-to guide: Systematic review of objectives, focusing the whole risk management process. (ISO 31000 5.3.1)

Note: This change ensures that unintended consequences are adequately considered.

Typical method: Objectives are assumed to be positive achievements to be maximised.

Method in the how-to guide: ‘Avoidance’ objectives to be minimised are defined along with ‘achievement’ objectives to be maximised. In the method for defining objectives, they are called ‘Dangers’ (direct link to detail).

Consequence measures

Note: The change achieves consistency with the ISO 31000 definition of risk as the effect of uncertainty on objectives. ISO 31000 does not require ‘levels’ at all.

Typical method: Consequence scale or matrix uses levels of (negative) ‘harm’ in different categories. The categories do not represent anyone’s defined objectives, but are assumed to be universal (negative) concerns. See: Generic consequence scale: how I understand it (in depth).

Method in the how-to guide: Consequences are a range of success and failure outcome scenarios against each objective, both better and worse than the planned outcome. The outcome resulting from a risk is the measure of risk consequence. (HB 436 5.3.5) See: Objective-achievement consequence scale: how I propose it.

Note: The change achieves consistency with the ISO 31000 definition of risk as the effect of uncertainty on objectives. Understanding the effect requires clarity on the duration of the effect.

Typical method: Consequence descriptors refer to a short-term effect, or to an effect of indefinite duration. The neutralising effects of recovery and response actions are not recognised explicitly. It is never clear whether the assessed consequence is before or after recovery and response steps have been taken. (Response and recovery steps are often confused with risk treatments.)

Method in the how-to guide: Outcome descriptions refer specifically to the position at the end of the planning period. The closing position can reflect an aggregate of short-term events during the period, after also considering recovery actions. It can also look forward to the future expected beyond the end of the period.

Note: There is nothing in ISO 31000 or HB 436 that requires equivalences. Some assumed equivalences are clearly nonsense.

Typical method: Consequence levels are abbreviated to a single word or number that is common across consequence categories. Consequences with the same word or number are implicitly assumed to be equivalent in significance, even if they are of radically different kinds (e.g. human injury and loss of market share).

Method in the how-to guide: Single words and numbers may be used as prompts and labels for consequence levels. There is no assumption that consequences of different kinds are in any way equivalent.

Likelihood measures

Note: No standard requires a scale of likelihood levels. HB 436 regards risk as about the possibility of an unplanned outcome, which is consistent with classifying likelihoods over 50% as ‘expectations’, not risks.

Typical method: A likelihood scale converts percentages or frequencies into 5-10 discrete levels.

Method in the how-to guide: Each likelihood is represented by a percentage, with no conversion to a scale. Long-term frequencies can be used in the place of likelihood, or converted into a likelihood in a given period.

‘Risks’ with likelihoods of 50% or more are not understood as ‘risks’. They are reclassified as ‘expectations’ or ‘forecasts’. On this basis, scales showing likelihood above 50% are considered unhelpful at best.

Likelihoods are applied to period outcome scenarios, as well as to specific event pathways or ‘risks’ leading to an unplanned outcome.

Level of risk

Typical method: Look-up matrix for level of risk (from the consequence and likelihood level). There may be an assumption that higher level risks are unacceptable, and lower levels of risk are fine.

Method in the how-to guide: There are no defined ‘levels of risk’. The nearest equivalent to a ‘level of risk’ is the outcome scenario (an imagined future), qualified by its likelihood. The outcome scenario is always spelled out as descriptive text. Risk acceptability is considered on the basis of the organisation’s willingness to accept the outcome’s likelihood in view of the trade-offs incurred by changing that likelihood.

Risk register

Note: There is an argument that ‘inherent’ risk is an ambiguous or nonsensical idea. See HB 158:2010 Delivering assurance based on ISO 31000:2009, Section 1.3.3. HB 436 clarifies that likelihood is of experiencing the consequences that flow from the event (2.1).

Typical method: A risk register row identifies ‘the risk’ (event and its consequence), then attaches a single likelihood level and single consequence level to that risk. There may be extra substantive fields for the risk, such as affected objective, hazard class, risk owner, calculated ‘level of risk’. There may be further columns for proposed risk treatments and for likelihood and consequence levels after treatment. There will be other fields for administrative purposes.

Method in the how-to guide: The Clear Lines recognise most of these elements as valid and do not specifically recommend anything different. (The Clear Lines do not describe ‘level of risk’ as a number or code word.)

Some differences of usage may come up:

  • The initial likelihood and consequence assessments of a risk are clearly understood as ‘current’ risk ratings (assuming specific established controls and treatment), not as ‘inherent’ risk ratings (assuming no controls or treatments).
  • Where the description of the risk allows for a range of different outcomes from a similar cause, it must be recognised that one pair of consequence and likelihood ratings cannot cover all the included cases. There must be either multiple ratings per risk, or multiple risk rows for one type of risk event, each representing a different outcome and corresponding likelihood.

Overall risk view

Note: Heat maps do not appear in any standards. Neither does the Risk Based Outcomes Forecast.

Typical method: Summary of all risks by a ‘heat map’ or count of risks at each level.

Method in the how-to guide: Risk is summarised as the overall likelihood of each outcome scenario. Typically, those likelihoods are shown within a matrix of potential outcomes, as a Risk Based Outcomes Forecast. These likelihoods represent confidence in overall success, which may be much lower than is comfortable.

Negative and positive risk

Note: All formal standards recognise some version of ‘positive risk’.

Typical method: Risk is seen as wholly negative, though perhaps necessary to achieve goals. Goals can sometimes be achieved more effectively by taking more risk.

Method in the how-to guide: The Clear Lines method allows for ‘risk’ to include the possibility of exceeding expected outcomes – sometimes called ‘positive risk’.

For simple application to business planning, risks are generally assumed to result in falling short of expectations, which is the same as the common assumption that risk is wholly negative. It is also agreed that goals can sometimes be achieved more effectively by taking more risk.
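The likelihood, risk register and overall risk view rows above describe a method that can be checked with a few lines of arithmetic. The following is an added example, not code from Clear Lines on Audit and Risk or from the how-to guide: it converts a long-term frequency into a likelihood for the planning period, labels anything at 50% or above as an ‘expectation’ rather than a ‘risk’, keeps one register row per event-and-outcome pair, and sums the rows into the overall likelihood of each outcome scenario. The register contents, the function names and two modelling choices (a steady-rate Poisson arrival of events for the frequency conversion, and mutually exclusive rows so that their likelihoods simply add) are this example's own assumptions, not the guide's.

```python
"""Added example (not from the Clear Lines site): a minimal model of the
how-to guide's treatment of likelihood and outcome scenarios. Data structures,
function names and all figures below are this example's own assumptions."""
import math
from dataclasses import dataclass

# Page: 'risks' with likelihoods of 50% or more are reclassified as expectations.
EXPECTATION_THRESHOLD_PCT = 50.0


def period_likelihood_pct(events_per_year: float, period_years: float = 1.0) -> float:
    """Convert a long-term frequency into the percentage likelihood of at least
    one occurrence within the planning period.

    Assumes occurrences arrive independently at a steady average rate (a
    Poisson process); that modelling choice is this example's, not the guide's.
    """
    if events_per_year < 0 or period_years < 0:
        raise ValueError("rate and period must be non-negative")
    return round(100.0 * (1.0 - math.exp(-events_per_year * period_years)), 2)


def classify(likelihood_pct: float) -> str:
    """Label a likelihood as a 'risk' or, at 50% and above, an 'expectation'."""
    if not 0.0 <= likelihood_pct <= 100.0:
        raise ValueError("likelihood must be a percentage between 0 and 100")
    return "expectation" if likelihood_pct >= EXPECTATION_THRESHOLD_PCT else "risk"


@dataclass(frozen=True)
class PathwayRow:
    """One risk-register row: an event pathway leading to ONE outcome scenario.
    An event with several possible outcomes gets several rows, one per outcome."""
    event: str
    outcome: str           # position on the objective at the end of the period
    likelihood_pct: float  # current likelihood in the period, not a scale level


def outcomes_forecast(rows, planned_outcome: str) -> dict:
    """Overall likelihood of each outcome scenario for one objective.

    Simplifying assumption of this example: the rows are mutually exclusive
    ways of ending the period somewhere other than the planned outcome, so
    their likelihoods add, and whatever is left over is the likelihood of the
    planned outcome itself.
    """
    totals = {}
    for row in rows:
        if row.outcome == planned_outcome:
            raise ValueError("rows describe departures from the planned outcome")
        totals[row.outcome] = round(totals.get(row.outcome, 0.0) + row.likelihood_pct, 2)
    departures = round(math.fsum(totals.values()), 2)
    if departures > 100.0:
        raise ValueError("outcome likelihoods sum to more than 100%")
    totals[planned_outcome] = round(100.0 - departures, 2)
    return totals


# Constructed sample register for one objective; every figure is invented.
SAMPLE_ROWS = [
    # The same event appears twice because it can end in two different outcomes.
    PathwayRow("Key supplier fails", "Service target missed by more than 10%", 10.0),
    PathwayRow("Key supplier fails", "Service target missed by up to 10%", 20.0),
    PathwayRow("Staff turnover above plan", "Service target missed by up to 10%", 15.0),
    # A better-than-planned outcome: 'positive risk' in the guide's sense.
    PathwayRow("New contract starts early", "Service target exceeded", 5.0),
]
PLANNED = "Service target met as planned"


def sample_forecast() -> dict:
    """Forecast for the constructed register, each outcome labelled risk/expectation."""
    forecast = outcomes_forecast(SAMPLE_ROWS, PLANNED)
    return {outcome: (pct, classify(pct)) for outcome, pct in forecast.items()}


if __name__ == "__main__":
    # A hazard seen about once every five years has roughly an 18% likelihood
    # in a one-year plan, but about 63% over a five-year plan: an expectation.
    for years in (1.0, 5.0):
        pct = period_likelihood_pct(0.2, years)
        print(f"{years:.0f}-year period: {pct:5.2f}%  {classify(pct)}")
    for outcome, (pct, label) in sample_forecast().items():
        print(f"{pct:5.1f}%  {label:11s} {outcome}")
```

Run as a script, the sample register puts the planned outcome itself at exactly 50%, which is the point the overall risk view row makes: once the pathway likelihoods are added up, confidence in the plan can be much lower than the individual rows suggest.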

Drill-down articles

Generic consequence scale: how I understand it

Risk specialists Version 3.0 Beta

Objective-achievement consequence scale: how I propose it

Risk specialists Version 3.0 Beta

Previous article for Specialists

How the how-to guide follows ISO 31000

Risk in work unit business planning helps ERM. Sections: Risk concept; Purpose; ‘Framework’ (ISO 31000 Section 4); Establishing the context (ISO 31000 5.3); Consequence criteria; Other risk criteria; Risk assessment (ISO 31000 5.4.2); Risk analysis (ISO 31000 5.4.3); Risk evaluation (ISO 31000 5.4.4); Risk treatment (ISO 31000 5.5); Risk Based Outcomes Forecast.

Risk specialists Version 3.0 Beta

Parent articles

Risk in work unit business planning: Fast track for risk experts

Risk is managed by managers, not specialists. The manager identifies a range of potential outcomes on each objective, pathways to each outcome, and the likelihood of each pathway and outcome. The process is in the spirit, and letter, of ISO 31000 applied to a work unit. It creates a single view of forecast outcomes that includes ‘risk’. Risk specialists work for managers. Managers don’t work for risk specialists. Work unit risk management contributes to Enterprise Risk Management.

Risk specialists Version 3.0 Beta

Main article on Risk in work unit business planning
