Reconciling definitions of risk management

You may wonder why I offer yet another definition of risk management. My definition of risk management was: ‘To understand and act on the effects of uncertainty on objectives.’

This definition simply collapses elements drawn from the ISO 31000 family into one line, and it is intended to be consistent with that Standard.

The main collapsed elements from ISO are the definitions for risk, risk management, and the end result of effective risk management. In this section I present a reconciliation of definitions at those three levels, including comparison with other authorities such as COSO ERM.

You might doubt the conclusive supremacy of ISO 31000. Possibly you are more influenced by COSO ERM or some other standard. Perhaps you know what risk management means in your world, and don’t need any standards to tell you otherwise. I can’t disagree with those positions.

Objections to ISO 31000 are common, but the commonly voiced objections are not based on what the Standard actually says. There are some real problems with ISO 31000, but they are in the direction of incompleteness and opacity. They are not within the concepts of ‘risk’ and ‘risk management’.

Next article for Specialists

What is risk management? It’s not following a risk management process

Risk management is not defined by its methods. Risk registers, matrices, and bureaucracy are not part of ISO 31000. Registers and scales do not define Enterprise Risk Management either.

Risk specialists Version 1.0 Beta

Drill-down articles

Definition of ‘risk’

The main differences between ISO 31000 and COSO ERM definitions of ‘risk’ are about ‘positive’ risk and about ‘uncertainty’ other than events.

Definition of ‘risk management’

ISO 31000 defines risk management for an ‘organisation’, broadly defined, while COSO ERM is only about ‘enterprise’ risk management.

Defining the end result of effective risk management

The end result of effective risk management is to be sure that the ‘organisation’ understands its risks, and that those risks are acceptable.

Parent articles

What is risk management? (extras for risk specialists)

Main article on What is Risk Management?