In the world of risk management, even the most basic things can get confusing. When it comes to basics, it’s hard to think of a notion more basic than what ‘risk’ is.
One of these is the distinction between a risk and the event that triggers the risk. You can see a little bit of the confusion through the risk management standards. The AS/NZS 4360:2004 standard considers risk as ‘the chance of something happening that will have an impact on objectives’. Clearly, risk is closely related to, if not actually, an event (‘something happening’).
Compare this with the newer ISO 31000:2009 standard, which is not only an international standard, but also succeeds the AS/NZS 4360:2004 (i.e., the next version of AS/NZS 4360:2004 is ISO 31000:2009). Here, risk is ‘the effect of uncertainty on objectives’. It is no longer an event.
Now, this very succinct definition also manages to be very confusing -- there are various discussions on LinkedIn about what it is actually trying to say.
What, then, is the difference between an event (or a circumstance) that brings a consequence and a risk that brings a consequence? The key to understanding risk is to focus on the word ‘objective’. Start with the objective. What do you want to achieve? This is the starting point. Literally, without an objective, there is no risk.
Once you have determined your objectives (there can be more than one), think of the various outcomes that deviate from that objective. The third step is to consider the consequences of those various outcomes.
Let’s work through an example. Suppose you have a job interview, and you identified your objective to be: arrive at the appointment on time. What are the various deviations? You can arrive 5 minutes late, 10 minutes late, 30 minutes late, 10 minutes early, and so forth. What is the consequence of arriving 10 minutes late? How about 30 minutes?
You can then look at the different possible events, circumstances, or situations that can cause the deviations: traffic, getting lost, underestimating the time needed for travel, forgetting something and having to go back, running out of petrol, having a car accident, etc.
After identifying possible causes, analyse them and implement mitigation plans for the ones that might be more likely, such as traffic, or underestimating the travel time required. By mitigating the various events, you are reducing the chances of not being able to arrive on time.
You can also mitigate the risk. But since risk is not an event, you cannot stop it from happening. Instead, you mitigate its consequences. So you mitigate the possibility of the deviation occurring by addressing the events that can cause the deviation, and you mitigate the consequence of the deviation.
| | Old World | New World |
| --- | --- | --- |
| Risk | An event, or situation, or circumstance | The deviation from your objective |
| Consequence | The impact of the event, or situation, or circumstance | The impact of the deviation (regardless of what caused the deviation) |
| Risk Event | An event that brings about the risk | An event that causes a deviation |