The New Risk

In the world of risk management, even the most basic things can get confusing.  When it comes to basics, it’s hard to think of a notion more basic than what ‘risk’ is. 

One of these is the distinction between a risk and the event that triggers the risk.  You can see a little bit of the confusion through the risk management standards.  The AS/NZS 4360:2004 standard considers risk as ‘the chance of something happening that will have an impact on objectives'.  Clearly, risk is closely related to, if not actually, an event (‘something happening’).

Compare this with the newer ISO 31000:2009 standard, which is not only an international standard, but also succeeds the AS/NZS 4360:2004 (i.e., the next version of AS/NZS 4360:2004 is ISO 31000:2009). Here, risk is ‘the effect of uncertainty on objectives’.  It is no longer an event.

Now, this very succinct definition also manages to be very confusing -- there are various discussions in LinkedIn about what it actually is trying to say. 

What then, is the difference, between an event (or a circumstance) that brings a consequence versus a risk the brings a consequence? The key to understanding risk is to focus on the word ‘objective’. Start with the objective. What do you want to achieve? This is the starting point. Literally, without an objective, there is no risk.

Once you have determined your objectives (there can be more than one), think of the various outcomes that deviate from that objective.  The third step is to consider the consequences of those various outcomes.

Let’s work through an example.  Suppose you have a job interview, and you identified your objective to be: arrive at the appointment on time.  What are the various deviations?  You can arrive 5 minutes late, 10 minutes late, 30 minutes late, 10 minutes early, and so forth.  What is the consequence of arriving 10 minutes late?  How about 30 minutes?

You can the look at the different possible events, circumstances, or situations that can cause the deviations: traffic, getting lost, underestimating the time needed for travel, forgetting something and having to go back, running out of petrol, having a car accident, etc.

After identifying possible causes, analyse them and implement mitigation plans for the ones that might be more likely, such as traffic, or underestimating the travel time required.  By mitigating the various events, you are reducing the chances of not being able to arrive on time.

You can also mitigate the risk.  But since risk is not an event, you cannot mitigate it from happening.  Instead you mitigate its consequences. So you mitigate the possibility of the deviation from occurring by addressing the events that can cause the deviation, and you mitigate the consequence of the deviation.

	Old World	New World
Risk	An event, or situation, or circumstance	The deviation from your objective
Consequence	The impact of the event, or situation, or circumstance	The impact of the deviation (regardless of what caused the deviation)
Risk Event	An event that brings about the risk	An event that causes a deviation

A Better Definition of Risk?

I HAVE conflicting feelings about ISO 31000’s definition of risk.  This standard defines risk as ‘the effect of uncertainty on objectives’, a definition that succeeds at simultaneously being both clear and enigmatic. 

Witness the various discussions in LinkedIn about what the definition means.  Look around the web for many online blog entries, articles, and explanations of what the definition mean, and carefully note the certitude shown by those who wrote those online materials about what the definition means.  Notice how they differ in their understanding.

In light of the absence of any clarifying remarks by the writers of the standard (who seem to be non-existent on the internet) about what they meant by their definition, I have settled on my own understanding of what they meant. 

Their definition seeks to succinctly explain the nature of risk.  When they say ‘effect’, they mean ‘phenomenon’.  They don’t mean ‘consequence’ as many online writers seem to  think.  (Or at least, the standard writers should not have meant ‘consequence’ in sense of a risk eventuating bringing forth its consequences!).   The reason why I feel certain ‘effect’ is not ‘consequence’ is because risk is about something that has not yet happened.  If something has not happened, it has no consequence.  Had they said, ‘risk is the potential effect of uncertainty…’, then it would clear they would have meant ‘consequence’.

My current position is that the standard writers are attempting to explain in the definition what the essence of risk is. 

The best way I can think of of what they are saying is by making an analogy, comparing ‘risk’ with ‘shadow’.  I will propose a definition of the word ‘shadow’:

the effect of an opaque, solid object on a light source. 

I like this analogy because it almost perfectly parallels the ISO 31000 definition of risk.  If you have objectives, and you have uncertainty, the intersection of the two brings forth a phenomenon which we call ‘risk’

If you have a light source, and you have an opaque, solid object, the intersection of the two brings forth a phenomenon which we call ‘shadow’.

Remove either objectives or uncertainty, and risk disappears. No intersection, no risk.  Remove either the light source or the solid object, and the shadow disappears.  No intersection, no shadow.  

I have two criticisms for the risk definition though.  First, the definition, while strictly correct, is near to being useless.  It is an academic, technical definition, not an operational definition that can be acted upon by practitioners ‘in the trenches’.   How would risk practitioners explain risk to lay members or board members of the organisation using such a definition? 

My second criticism revolves around the use of the word ‘objectives’.  The Merriam-Webster definition of objective is “something toward which effort is directed : an aim, goal, or end of action”, accurately reflecting the normal day to day usage of the word to mean something that is being strived for, something to be achieved, something not yet.

But risk is not always (nor even most of the time) about something you wish to achieve.  It is often to protect what you already achieved. 

What you already have are also at risk. 

Strictly speaking, if you have good health and you have a desire to maintain that good health, then you sometime speak of such an objective: to maintain my good health.

But what about other things? People do not consciously state that their objective is to ensure that they keep on having a house. Or that their objective is to remain alive. They have an interest in ensuring they remain alive. They have an interest in ensuring their house remains liveable by them. But they are not objectives in the same degree as things they are striving to achieve, such as a job promotion, completion of a project, and so on.

Your health, your job, your finances, your properties, your relationship. your client list, your market position, your current operating efficiencies, your reputation, etc. are all at risk.  These are things you have already achieved; objectives you already attained.  You are interested in protecting them;  they are your interests.

Risk management is (far more) often used to protect existing interests, while also being used as an aid in ensuring we achieve our objectives.  It is in the former where risk management plays a more central role.  Risk management is key to maintaining what we have; it is the means there.  It is only useful in achieving what we do not yet have; here it is not the means.

My proposition is therefore to change the wording of the risk definition from ‘objectives’ to ‘interests’.   Thus risk becomes: ‘the effect of uncertainty on interests’  where interest refers to things we value, such as health, reputation, property.   But it also clearly encompasses as well as things you seek to achieve but have not yet -- your objectives.

I think this change would be an improvement to the definition.

ISO 31000:2009’s Definition of Risk

As anyone involved in risk management knows, a couple of years ago the ISO published their new Risk Management Standard known as ISO/IEC 31000:2009 (ISO 31000 for short).  This standard is new for ISO, and is not replacing an older ISO standard.  For countries like Australia though, which had its own standard (AS/NZS 4360:2004), this new ISO standard supplants that older standard.

One of the innovations coming from ISO 31000 is a new definition of risk.  It is a  concise definition, albeit but strangely phrased. It defines risk as:

"the effect of uncertainty on objectives."

At first glance, it looks straightforward.  But a closer interpretation of the words makes on pause: the what of what on what?  

But before we delve into what it means, let’s compare this definition with the one used in AS/NZS 4360:2004, which was not only the Australian (and New Zealand) standard, but also adopted in several other countries.  As testament to its wide acceptance, the core of ISO 31000, its Risk Management Processes, is taken almost verbatim from AS/NZS 4360:2004.

This is how AS/NZS 4360:2004 defined risk:

"the chance of something happening that will have an impact on objectives." 

Here it’s clear that risk is clearly tied to "something happening".  Risk is an event or a circumstance (together with its chance of happening).

By contrast, in the new ISO definition, risk is the "effect of uncertainty".  What is this ‘effect’? 

ISO 31000 provides an explanation:

Effect - "a deviation from the expected -- positive or negative".

Now, since we are talking about risk, and risk is about future events, we can safely assume that when they say ‘deviation’, they are talking about potential deviation, or a possible deviation, not a deviation that has already happened.

If we take that meaning, then it seems to me that the definition of risk can be translated to:

"the possible deviation … on objectives."

This makes some sense.  Risk is indeed about its possible deviation on our objectives.  We hope to finish a project within 6 months, but it might end up finishing after 17 months. 

But notice that I put in ellipses.  The reason I did that is because if I restore the missing words, the definition of risk becomes:

"the possible deviation of uncertainty on objectives."

Which is clearly gibberish, so let’s parse it further.

In risk management, the word ‘uncertainty’ refers to ‘ignorance’ or ‘lack of knowledge’.   ISO 31000’s definition is aligned with this view:

Uncertainty - "the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or likelihood."

Note the definition: ‘Deficiency of information’, lack of information, or lack of knowledge.  This lack of knowledge, does not, I believe, refer to lack of skill, or lack of expertise, but specifically to lack of knowledge about what will happen. 

Given the above, a possible rephrasing of the definition can go like this: 

Risk - the possible deviation, arising from lack of information, on objectives.

The key difference is that in AS/NZS 4360:2004, risk is an event, whereas in ISO 31000, risk is the deviation.  This is not the consequence, but the deviation. 

So for example, we launch a product which we estimate will bring in $20 million dollars.  For AS / NZS 4360:2004, a possible risk is that a competitor might launch a similar product which changes the market dynamics, resulting in lower revenues for us.  For ISO 31000 a risk might be that sales are not as big as we expected.  What are the consequences of that?

This change in the definition of risk has been met with praise, criticism, and confusion.  One of the primary impetus in redefining risk is the desire to better incorporate the handling of ‘positive risks’ in the risk management process.

It certainly makes one rethink.