A recent article published by William Storage on "ISO 31000 and Those Who Don't Know History" is an excellent read for all Enterprise Risk Management practitioners, whether you agree with his synopsis or not.
While many of the ISO 31000 "brethren", as William puts it, may not see eye-to-eye with his summary, I believe it is important for these standard lobbyists to read his article either way. Risk Managers need to appreciate a wider understanding of how specific definitions are derived rather than blindly use them.
At a conceptual level, different groups of people may modify definitions of risk to fit their unique goals, and I truly believe there is nothing wrong with doing this. If anything, diversity at a conceptual level can be the genesis of great ideas, something the risk management domain always seems to benefit from in the long run.
There is an old saying that goes along the following lines: one should not remove a fence even if it appears to serve no purpose. Only once you can appreciate why a fence was built in the first place can you justly choose to remove it. The same logic applies to using risk tools, including risk management definitions.
Where risk managers fail is when they take a definition, risk assessment technique, model or even a piece of advice without questioning the situational functionality of what they are applying to what they are assigning (sorry for any confusion). A Fitness for Purpose Test including an understanding of scope, relevance and limitation should be considered in a risk manager's thinking. Never take anything for granted, especially risk management definitions.
ISO 31000 Definition of Risk
When it comes to the ISO 31000 definition of risk, arguments for and against the global risk standard's concise definition of "Risk is the Effect of Uncertainty on Objectives" have been put forward from various practitioners over the years. The Frank Knight parallel that William Storage describes in his article has been drawn out before.
I agree with William Storage that gaps around Risk Neutrality, Risk-Free Rates (not the same as Zero Risk, which exists as much as unicorns do), Benchmarks, Appetite, Tolerance, Deviation and Ignorance (a form of uncertainty) could do with some annexure or supplemental delineation in the global risk standard. Mind you, such intellectual accoutrements could generate as many questions as they resolve and it's difficult to maintain a clean standard but a standard that also reasons its position.
Risk Assessment Training Handbooks | Causal Capital
In the schematic above, I have partitioned, connected and explored the elements of the ISO 31000 risk definition to perceive how each word can support 'The Objective' and 'The Subjective' aspects of a risk management framework. There is a whole story underneath each interlinked component as you can imagine and the effort is far from futile because it allows us to understand whether the definition is going to serve us or not in our endeavour to manage risk.
What is useful about the ISO 31000 definition of risk is that it can be applied to Market Risk or Credit Risk considerations in a harmonised manner. It also satisfies some of the inclinations of the audience from the Enterprise Risk Management camp, although the positive outcomes risk concept seems to add some confusion as we are all too aware.
The ISO 31000 definition fails in a dichotomous way when it is compared to a typical reference of the same term acquired from an English dictionary. Dictionaries tend only to perceive risk to be negative which I disagree on and I will put two reasons forward as to why risk can exist in a positive domain but not always in symmetry.
Firstly, it is possible that an unexpected outcome from the loss of an asset can result in a profit taking position and, as such, risk can have a positive response.
In the market risk domain, a square hedge occurs when a trader takes another risky position to offset inherent risk existing in their objective. If the sum of both sides, The Inherent Trade and The Hedge, is 'square' or zero, the hedging action will have closed out the majority of risk that existed in the objective from the outset. Unfortunately for the trader, any opportunity will also be negated with this square hedge strategy. In effect, this risk treatment is wonderful for flattening market risk and also for transferring exposure into other forms, some of which will be positive.
It's quite amazing, but the ISO 31000 definition of risk fits this market risk scenario nicely in context, and yet the ISO 31000 community seems to be completely void of market risk practitioners.
What matters here is not whether the risk definition is exactly correct or incorrect; there is no such place of exactness when dealing with anything that works within a realm of chance such as risk management. A one size fits all approach for any management discipline with a charter as broad as Enterprise Risk Management can't be satisfied in such an elementary way.
"Risk definitions need to be concise yet open rather than rambling and explicit so that they can be tailored and applied to a diverse set of circumstances ~ less will become more."
Martin Davies | Causal Capital
The process of investigating how a risk management definition is applied at a situational or commercial level is where the real work is done, and it is also an undertaking that risk managers must engage in. The problem at present is not with the ISO 31000 risk definition so much but a lack of commitment to work with the definition and evolve it further.