The end result of effective risk management is to be sure that the ‘organisation’ understands its risks, and that those risks are acceptable.
After defining ‘risk’ and ‘risk management’, ISO 31000 defines the purpose of effective risk management:
My collapsed definition of ‘risk management’ also reflects the ISO 31000 ‘purpose’. The ‘understanding’ side is equivalent. My use of ‘act on’ the understanding compresses into two short words all the steps needed to establish criteria, to assess, evaluate and treat risk, and associated communication and consultation processes.
I justify rolling all of that into two words by suggesting that all of those activities will follow, without prompting, from a genuine concern to understand the effects of uncertainty and to fulfil obligations to stakeholders.
The formal Standard spells out those steps more fully, by way of clarifying expectations.
The condition ‘…within its criteria’ in the ISO definition follows the COSO ERM condition ‘…within its risk appetite’. For the limited purposes of understanding the ISO 31000 vision for the result of effective risk management, we can say ‘risk criteria’ is equivalent to ‘risk appetite’. Let’s also assume that the risk criteria represent a fair and accurate understanding between managers within the organisation and the organisation’s stakeholders on the outside.
My collapsed definition of ‘risk management’ does not require that the end state—all risks understood and within appetite—is actually reached. Neither does ISO 31000.
I have a minor issue with the words used in the ISO 31000 vision for the aim of effective risk management. The wording does not specifically acknowledge that the achievement of objectives can be maximised by recognising that some new, surprising, or uncomfortable risks can be within the risk appetite and can be taken profitably. The ‘profits’ can be for the organisation or for any of its stakeholders.
Version 1.0 Beta