What is a Risk?
It may seem obvious but, fundamental to the effective management of risk, it is essential that we actually understand what a risk is.
From the outset let me be frank, I consider the definition of risk management in ISO 31000 (the effects of uncertainty on objectives) to be confusing, and, utterly ineffectual as a definition. I make this quite clear in my blogs and my eBook Risk is not a Four-Letter Word.
Effect is defined as “a change which is a result or consequence of an action or other cause”. In essence, an effect is an outcome or consequence, so if we substitute that into the definition it becomes: the consequence of uncertainty on objectives.
In this definition, the focus is on identifying the consequences of the uncertainty, rather than what the actual uncertainty is. Confusing, I know, and so the now superseded AS/NZS 4360 defined risk management as:
the chance of something happening that will have an impact on objectives
Whilst this definition was certainly more focussed on events (something happening), it was more geared towards the chance of something happening (i.e. the likelihood). So, this definition can be expressed as: the likelihood of something happening that will have an impact on objectives.
Neither of these definitions, in my view though captures the essence of what the risk is: the event that we are trying to prevent from happening.
To that end, I have developed a definition that I think more meaningfully describes what a risk is. To me there needs to be a real focus on the actual thing we are trying to stop: in other words, seeing a risk as a potential event, as shown in the definition below:
“A possible event/incident/issue that, if it occurs, will have an impact on the organisation’s objectives”
This definition focusses on the event, not the consequence or the likelihood.
When you hear people say: they obviously didn’t manage the risk very well, it is, always, after an incident, issue or disaster, so, this definition makes much more sense.
So, what does this mean for us?
It means that we need to focus more on identifying the thing we are trying to stop from happening.