As anyone involved in risk management knows, a couple of years ago the ISO published its new risk management standard, ISO 31000:2009 (ISO 31000 for short). The standard is new for ISO and does not replace an older ISO standard. For countries such as Australia, however, which had their own standard (AS/NZS 4360:2004), the new ISO standard supplants that older one.
One of the innovations in ISO 31000 is a new definition of risk. It is a concise definition, albeit strangely phrased. It defines risk as:
"the effect of uncertainty on objectives."
At first glance, it looks straightforward. But a closer reading of the words makes one pause: the what of what on what?
Before we delve into what it means, let's compare this definition with the one used in AS/NZS 4360:2004, which was not only the Australian (and New Zealand) standard but was also adopted in several other countries. As a testament to its wide acceptance, the core of ISO 31000, its risk management process, is taken almost verbatim from AS/NZS 4360:2004.
This is how AS/NZS 4360:2004 defined risk:
"the chance of something happening that will have an impact on objectives."
Here risk is clearly tied to "something happening". Risk is an event or a circumstance, together with its chance of happening.
By contrast, in the new ISO definition, risk is the "effect of uncertainty". What is this ‘effect’?
ISO 31000 provides an explanation:
Effect - "a deviation from the expected -- positive or negative".
Now, since we are talking about risk, and risk is about future events, we can safely assume that when they say ‘deviation’, they mean a potential or possible deviation, not one that has already happened.
If we take that meaning, then it seems to me that the definition of risk can be translated to:
"the possible deviation … on objectives."
This makes some sense. Risk is indeed about the possible deviation on our objectives. We hope to finish a project within 6 months, but it might end up finishing after 17 months.
But notice that I put in an ellipsis. I did that because, if I restore the missing words, the definition of risk becomes:
"the possible deviation of uncertainty on objectives."
This is clearly gibberish, so let's parse it further.
In risk management, the word ‘uncertainty’ refers to ‘ignorance’ or ‘lack of knowledge’. ISO 31000’s definition is aligned with this view:
Uncertainty - "the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or likelihood."
Note the wording: ‘deficiency of information’, that is, lack of information or lack of knowledge. This lack of knowledge does not, I believe, refer to a lack of skill or expertise, but specifically to a lack of knowledge about what will happen.
Given the above, a possible rephrasing of the definition can go like this:
Risk - the possible deviation, arising from lack of information, on objectives.
The key difference is that in AS/NZS 4360:2004 risk is an event, whereas in ISO 31000 risk is the deviation. Not the consequence, but the deviation.
For example, suppose we launch a product which we estimate will bring in $20 million. Under AS/NZS 4360:2004, a possible risk is that a competitor launches a similar product, changing the market dynamics and resulting in lower revenues for us. Under ISO 31000, a risk might be that sales are not as big as we expected. What are the consequences of that?
This change in the definition of risk has been met with praise, criticism, and confusion. One of the primary impetuses for redefining risk is the desire to better incorporate the handling of ‘positive risks’ into the risk management process.
It certainly makes one rethink.