Reconciling definitions of risk management

You may wonder why I offer yet another definition of risk management. My definition of risk management was To understand and act on the effects of uncertainty on objectives.

This definition simply collapses elements drawn from the ISO 31000 family into one line, and it is intended to be consistent with that Standard.

The main collapsed elements from ISO are the definitions for risk, risk management, and the end result of effective risk management. In this section I present a reconciliation of definitions at those three levels, including comparison with other authorities such as COSO ERM.

You might doubt the conclusive supremacy of ISO 31000. Possibly you are more influenced by COSO ERM or some other standard. Perhaps you know what risk management means in your world, and don’t need any standards to tell you otherwise. I can’t disagree with those positions.

Objections to ISO 31000 are common, but the commonly voiced objections are not based on what the Standard actually says. There are some real problems with ISO 31000, but they are in the direction of incompleteness and opacity. They are not within the concepts of ‘risk’ and ‘risk management’.


Next article for Specialists

What is risk management? It’s not following a risk management process

Risk management not defined by its methods. Risk registers, matrices, and bureaucracy are not part of ISO 31000. Registers and scales do not define Enterprise Risk Management either.

Risk specialists Version 1.0 Beta

Drill-down articles

Definition of ‘risk’

The main differences between ISO 31000 and COSO ERM definitions of ‘risk’ are about ‘positive’ risk and about ‘uncertainty’ other than events.

Risk specialists Version 1.0 Beta

Definition of ‘risk management’

ISO 31000 defines risk management for an ‘organisation’, broadly defined, while COSO ERM is only about ‘enterprise’ risk management.

Risk specialists Version 1.0 Beta

Defining the end result of effective risk management

The end result of effective risk management is to be sure that the ‘organisation’ understands its risks, and that those risks are acceptable.

Risk specialists Version 1.0 Beta

Parent articles

What is risk management? (extras for risk specialists)

Risk specialists Version 1.0 Beta

Main article on What is Risk Management?

Leave a Reply

Your email address will not be published.

Comments are moderated from a sea of spam, so may not be published immediately. Email contact may get a quicker response.