Defining the end result of effective risk management

The end result of effective risk management is to be sure that the ‘organisation’ understands its risks, and that those risks are acceptable.


After defining ‘risk’ and ‘risk management’, ISO 31000 defines the purpose of effective risk management:

…to ensure the organisation understands its risks and that they are within its criteria. [found at HB 436, 5.7.3.2, summarising Appendix A to ISO 31000]

My collapsed definition of ‘risk management’ also reflects the ISO 31000 ‘purpose’. The ‘understanding’ side is equivalent. My use of ‘act on’ the understanding compresses into two short words all the steps needed to establish criteria, to assess, evaluate and treat risk, and associated communication and consultation processes.

I justify rolling all of that into two words by suggesting that all of those activities will follow, without prompting, from a genuine concern to understand the effects of uncertainty and to fulfil obligations to stakeholders.

The formal Standard spells out those steps more fully, by way of clarifying expectations.

The condition ‘…within its criteria’ in the ISO definition follows the COSO ERM condition ‘…within its risk appetite’. For the limited purposes of understanding the ISO 31000 vision for the result of effective risk management, we can say ‘risk criteria’ is equivalent to ‘risk appetite’. Let’s also assume that the risk criteria represent a fair and accurate understanding between managers within the organisation and the organisation’s stakeholders on the outside.

My collapsed definition of ‘risk management’ does not require that the end state—all risks understood and within appetite—is actually reached. Neither does ISO 31000.

I have a minor issue with the words used in the ISO 31000 vision for the aim of effective risk management. The wording does not specifically recognise maximising the achievement of objectives by recognising that some new, surprising, or uncomfortable risks can be within the risk appetite and can be taken profitably. The ‘profits’ can be for the organisation or for any of its stakeholders.
