What to read first: Reconciling definitions of risk management
The ISO 31000 definition of ‘risk’ is the effect of uncertainty on objectives. [ISO Guide 73:2009, 1.1, quoted in ISO 31000 and HB 436]. If you have a copy handy, it is rewarding to look at the ‘notes’ which follow this definition.
Both the ISO and COSO definitions of risk refer to objectives. Objectives are central to the understanding of risk and its management.
Negative and positive risk
The COSO definition refers to adverse effects, whereas the ISO 31000 definition refers neutrally to just effects. The strict COSO definition of risk does not recognise uncertainty associated with positive outcomes. However, the broader COSO ERM framework does actually recognise the positive side of risk. In COSO ERM, they use the word ‘opportunity’ to refer to an uncertain possibility of exceeding expectations, rather than talking about ‘positive risk’ or similar contortions. They are not actually excluding uncertain wins from ‘risk’.
A practical implication of ISO 31000’s positive-negative neutrality is that we must understand ‘objectives’ to include avoiding undesirable outcomes as much as achieving wanted outcomes.
Event and uncertainty
The COSO ERM definition confines ‘risk’ to the possibility of an event that may or may not occur, whereas the ISO 31000 definition refers to uncertainty. A possible event is one kind of uncertainty. Another important kind of uncertainty is making assumptions that may or may not be correct. While events occur at a specific time, assumptions can be wrong already and it may not be important or helpful to know when the mistake is discovered, if it ever is. The important thing is that there is always risk from assumptions. A special type uncertain assumption is the validity of the cause and effect relationships that are assumed within risk assessment.
I feel the narrower events-only scope of uncertainty in COSO ERM is unhelpful as it simply ignores assumptions and other kinds of uncertainty. If you are formally using the COSO definition of risk, I recommend that you adopt a policy of including in your risk registers assumptions and beliefs that may be wrong, in the same way that you include potential events waiting to happen.
|Version 1.0 Beta
|Version 1.0 Beta
Main article on What is Risk Management?