Definition of ‘risk’

The main differences between ISO 31000 and COSO ERM definitions of ‘risk’ are about ‘positive’ risk and about ‘uncertainty’ other than events.

What to read first: What is risk management? Reconciling definitions of risk management

Seen it all: This series assumes you know risk terms and concepts. It includes references to standards.

The ISO 31000 definition of ‘risk’ is the effect of uncertainty on objectives. [ISO Guide 73:2009, 1.1, quoted in ISO 31000 and HB 436]. If you have a copy handy, it is rewarding to look at the ‘notes’ which follow this definition.

A comparably authoritative definition of risk is from COSO. It is the possibility that an event will occur and adversely affect the achievement of objectives. [COSO ERM]

Both the ISO and COSO definitions of risk refer to objectives. Objectives are central to the understanding of risk and its management.

Negative and positive risk

The COSO definition refers to adverse effects, whereas the ISO 31000 definition refers neutrally to just effects. The strict COSO definition of risk does not recognise uncertainty associated with positive outcomes. However, the broader COSO ERM framework does actually recognise the positive side of risk. In COSO ERM, they use the word ‘opportunity’ to refer to an uncertain possibility of exceeding expectations, rather than talking about ‘positive risk’ or similar contortions. They are not actually excluding uncertain wins from ‘risk’.

A practical implication of ISO 31000’s positive-negative neutrality is that we must understand ‘objectives’ to include avoiding undesirable outcomes as much as achieving wanted outcomes.

Event and uncertainty

The COSO ERM definition confines ‘risk’ to the possibility of an event that may or may not occur, whereas the ISO 31000 definition refers to uncertainty. A possible event is one kind of uncertainty. Another important kind of uncertainty is making assumptions that may or may not be correct. While events occur at a specific time, assumptions can be wrong already, and it may not be important or helpful to know when the mistake is discovered, if it ever is. The important thing is that there is always risk from assumptions. A special type of uncertain assumption is the validity of the cause and effect relationships that are assumed within risk assessment.

I feel the narrower events-only scope of uncertainty in COSO ERM is unhelpful as it simply ignores assumptions and other kinds of uncertainty. If you are formally using the COSO definition of risk, I recommend that you adopt a policy of including in your risk registers assumptions and beliefs that may be wrong, in the same way that you include potential events waiting to happen.


Next article for Risk Specialists

What is risk management? Definition of ‘risk management’

ISO 31000 defines risk management for an ‘organisation’, broadly defined, while COSO ERM is only about ‘enterprise’ risk management.

Drill-down articles

What is risk management? (CRMA supplement)

For CRMA candidates (IIA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRMA Study Guide.

What is risk management? (CRISC supplement)

For CRISC candidates (ISACA): This series assumes you have specialist interest in risk management theory, and that you have a copy of the CRISC Study Guide.

Parent articles

What is risk management? Reconciling definitions of risk management

Index to the topic What is Risk Management?