March 11, 2010

ISO 31000:2009 The Effect of Uncertainty on Objectives

For several weeks, I had been consumed with trying to understand what the new definition of risk really means.

As anyone involved in risk management knows, late last year ISO published the new risk management standard, ISO 31000:2009.  One of the innovations in this standard is a new definition of risk -- a rather oddly phrased definition, in my view. The new definition says that risk is "the effect of uncertainty on objectives."

Clear as mud?  Compare that with the previous definition used by a de facto worldwide standard.  AS/NZS 4360:2004 defined risk as "the chance of something happening that will have an impact on objectives."  Here risk is clearly tied to "something happening": risk is an event or a circumstance, together with its chance of happening.

In the new ISO definition, risk is the "effect of uncertainty".  This is quite unfortunate, because "uncertainty" is not about what will happen but about our state of knowledge: our lack of knowledge about how things will turn out.  Events will happen; we just don't know which, or when.  Uncertainty is our ignorance.  Even ISO is aware of this, and notes that uncertainty is "the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence, or likelihood."

If I replace this meaning of uncertainty in the definition of risk, we come up with:

  • Risk = the effect of ignorance on objectives.

Clear as Florida swamp water.

But what about "effect"? What does this word mean? Well, ISO 31000 defines effect as "a deviation from the expected -- positive or negative". So if we use that definition, and insert it into the definition of risk, we get:

  • Risk = the deviation from the expected, due to our ignorance, on objectives.

Which is now really, really murky.

An inadvertent clarifying light came last night while I was re-reading Elaine Hall's "Managing Risk: Methods for Software Systems Development".  Hall notes that risk is "potential loss."  Since potential means possible, which can be another definition of "uncertain" (not certain = possible = uncertain), and since I know ISO 31000 wants to incorporate "positive risks" into the new definition of risk, then maybe ISO is trying to say that risk is "loss or gain on our objectives due to events which may occur".

If we rephrase it this way, it becomes clearer that risk is the loss or the gain (rather than the event).

This is a conceptual shift from the previous definition used in 4360:2004, in which risk is the event and its likelihood ("the chance of something happening").

Let's apply these new definitions to an example risk. Suppose we have to deliver a product by March 30, 2010, and if we fail to deliver it, our client loses $30,000 per day.

Then by 4360:2004's definition, where the risk is the event that has an impact on objectives, the risk is "risk that the product will be delivered late", and the impact / consequence is that the client stands to lose $30,000 per day.

And by 31000:2009's definition, where the risk is the effect of the event, the risk is "risk of losing $30,000 per day", and the consequence is whatever that loss in turn leads to.  What about the event of failing to deliver on time?  That becomes a cause of the risk.

Both standards recommend a qualitative (or, where applicable, quantitative) assessment of the likelihood of the event, so we should attach some statement of likelihood to the risk. Let's say the likelihood of meeting the deadline has been assessed at 90%. So our risks are:

  • Risk as per 4360: 10% chance that the product will be delivered late.
  • Risk as per 31000: 10% chance that the client will lose $30,000 per day.
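To make the two framings concrete, here is an added Python example (mine, not part of the original post) that models the delivery risk above as a small set of constructed scenarios and derives both statements from the same data: the 4360-style likelihood of the event (late delivery) and the 31000-style effect, computed as each scenario's signed deviation from the expected loss. The individual scenario probabilities and delay lengths are assumptions for illustration; only the 90% on-time figure, the March 30 deadline and the $30,000 per day penalty come from the post.

```python
from dataclasses import dataclass
from datetime import date

DAILY_PENALTY = 30_000          # client loss per day late (from the post)
DEADLINE = date(2010, 3, 30)    # delivery objective (from the post)


@dataclass(frozen=True)
class Scenario:
    """One possible outcome of the delivery, with its assessed probability."""
    name: str
    probability: float
    delivery: date


# Constructed scenarios: 90% on time (from the post); how the remaining 10%
# splits between a short and a long delay is an assumption.
SCENARIOS = (
    Scenario("on_time",       0.90, date(2010, 3, 30)),
    Scenario("one_day_late",  0.07, date(2010, 3, 31)),
    Scenario("one_week_late", 0.03, date(2010, 4, 6)),
)


def consequence(s: Scenario) -> int:
    """Client loss in dollars for one scenario: $30,000 per day late, 0 if on time."""
    days_late = max(0, (s.delivery - DEADLINE).days)
    return days_late * DAILY_PENALTY


def likelihood_of_event(scenarios) -> float:
    """4360-style risk: the chance that 'something happens', i.e. late delivery."""
    return sum(s.probability for s in scenarios if s.delivery > DEADLINE)


def expected_loss(scenarios) -> float:
    """Probability-weighted loss across all scenarios (Note 4: consequence x likelihood)."""
    return sum(s.probability * consequence(s) for s in scenarios)


def effects(scenarios) -> dict:
    """31000-style risk: each scenario's deviation from the expected outcome.

    Positive values are worse than expected; negative values are better than
    expected, which is the 'positive risk' that the ISO definition tries to
    capture and that the post objects to.
    """
    baseline = expected_loss(scenarios)
    return {s.name: consequence(s) - baseline for s in scenarios}


def risk_register(scenarios) -> dict:
    """Both statements of the same risk, side by side, with a sanity check."""
    total = sum(s.probability for s in scenarios)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"scenario probabilities sum to {total}, not 1.0")
    return {
        "as_per_4360": {
            "event": "product delivered late",
            "likelihood": likelihood_of_event(scenarios),
            "impact_per_day": DAILY_PENALTY,
        },
        "as_per_31000": {
            "effect": "deviation from expected loss, per scenario",
            "expected_loss": expected_loss(scenarios),
            "deviations": effects(scenarios),
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(risk_register(SCENARIOS), indent=2))
```

Running it shows the two readings diverge only in what they call "the risk": the 4360 register reports a 10% chance of the late-delivery event, while the 31000 register reports the effects, including a favourable (negative) deviation for the on-time scenario, which is exactly the "positive risk" that makes the new definition feel muddled.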

The definition of risk as per 31000 is consistent with their note: "Note 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.21) of occurrence."

I think I have finally nailed to my satisfaction what the drafters of ISO 31000 mean when they say risk is "the effect of uncertainty on objectives". I still do not like their definition, and I think it is muddled (primarily because of the desire to incorporate positive risks), but I have a workable meaning now, which I can use for further work.