The global risk management standard known as ISO 31000 defines the single word risk in section 2.1 of the standard as “the effect of uncertainty on objectives”. This has been debated countless times over the years by risk management practitioners and discussions often rage-on in the LinkedIn G31000 risk management forum around the application of this single definition alone.
All this aside, there are also five notes that accompany the ISO 31000 definition of risk that give weight to this underlying definition and how practitioners should perceive it. These five notes are rarely queried or considered for extension.
In line with our ISO 31000 in the box ideology posting [LINK], ISO 31000 could be extended and evolved by tweaking this area of the standard.
ISO 31000 Section 2.1
Let's take a look at these five notes and then consider a handful of recommended extensions to the note framing bias that currently exists in ISO 31000.
2.1 NOTE 1 ~ An effect is a deviation from the expected — positive and/or negative.
2.1 NOTE 2 ~ Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
2.1 NOTE 3 ~ Risk is often characterized by reference to potential events (2.17) and consequences (2.18), or a combination of these.
2.1 NOTE 4 ~ Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.19) of occurrence.
2.1 NOTE 5 ~ Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood.
All these current notes can apply to many risk management agendas but NOTE 4 seems to have struck a chord with a large proportion of risk managers. In some cases it has become an unhealthy obsession among practitioners to never consider measuring risk beyond ‘potential consequences of an event and its associated likelihood of occurrence’.
So here is a fleeting thought for today, what other NOTES could we add to section 2.1 in the ISO 31000 standard brief to extend the application of risk management beyond 'the likelihood of consequences'?
Here are a few descriptive examples, straight up, seven of them that highlight when risk is more than just the consequences of an event convoluted with some likelihood of those consequences.
2.1 NOTE 6 ~ Uncertainty can be found in many forms; commencing with a deficiency of knowledge or ‘epistemic unknowingness’ and often expressed as aleatory uncertainty or randomness. These two forms of uncertainty are ideologically different yet overlapping in the way in which they can be interpreted.
2.1 NOTE 7 ~ Uncertainty is often expressed as a measure of volatility within a time series and can be quantified as a continuous time stochastic process.
2.1 NOTE 8 ~ Uncertainty can be found in future and historic events, it may conceal how factors have combined to cause an event in the past and what could lead to a situational recurrence in the future.
2.1 NOTE 9 ~ Error in what we believe can lead to false positives and false negatives. These type I and type II errors are a form of uncertainty that impacts many aspects of our lives, especially when people make decisions based on a premise. There is gap between belief and truth, this gap is uncertainty.
2.1 NOTE 10 ~ What is significant, where do things break, where do they succeed? Small changes in a system may be harmless but uncertainty often exists in the dose / response relationship that describes the state change of any system.
2.1 NOTE 11 ~ The introduction of causal factors to any population sample may result in divergent heterogeneity or uncertainty.
2.1 NOTE 12 ~ Risk can have a bimodal relationship to uncertainty where too much of something or not enough is equally threatening to an objective.
What’s the point with all of this?
Just one point really. Risk is “often expressed in terms of a combination of the consequences of an event and the associated likelihood (2.19) of occurrence.” but not always. There are exceptions to this rule and plenty of them.
Does this really matter?
Yes it does because each of the seven representations of risk I have listed above are usually not quantified by measuring a risks' likelihood of occurrence and its associated magnitude. If we frame risk differently so that it is fit for a specific purpose of observation and in line with our assessment of uncertainty, we also require different kinds of models beyond the convolution of the likelihood and magnitude of a potential event.
Do I believe ISO 31000 should extend the NOTE section 2.1 of the standard --- Yes absolutely that would be favourable because it helps analysts avoid investigating every risk problem with only one analytics tool or seeing all risks as a nail that always needs a hammer. I have uncertainty (the nail) and (likelihood x magnitude) is the hammer. Let’s stop doing this because uncertainty comes in many different forms.