The Uncertainty Created by the Risk Management Definition
Okay – this might be controversial – but as a risk management professional – I truly dislike the risk management definition.
There I said it!!!!!!!
I believe “the effect of uncertainty on objectives” has actually created uncertainty within the risk management fraternity since its release in 2009.
Let me take you back to the good old days of AS/NZS 4360:2004, which defined a risk as a chance of something happening that will have an impact on objectives. This definition had it all – something happening (an event), a chance (Likelihood) and an impact (Consequence).
I am afraid, however, the current definition does not give us the same clarity.
Let’s break it down: The effect of uncertainty on objectives.
Effect is defined as “a change which is a result or consequence of an action or other cause”. In essence, an effect is an outcome or consequence. So if we substitute that into the definition: The consequence of uncertainty on objectives.
So what does this mean?
To my way of thinking, the skewing of the definition towards being a consequence of uncertainty has taken away two of the most important aspects of risk management: the event itself and the Likelihood that the event will actually occur… but wait, there is more.
A little-known ISO document also released in 2009 is ISO Guide 73:2009. This guide provides the definitions of generic terms related to risk management. It aims to encourage a mutual and consistent understanding of, and a coherent approach to, the description of activities relating to the management of risk, and the use of uniform risk management terminology in processes and frameworks dealing with the management of risk.
This is where it gets really funky…………
ISO Guide 73:2009 defines uncertainty as “state, even partial, of deficiency of information related to a future event, consequence or likelihood”.
So what do we have now?
The consequence of a state of deficiency of information related to a future event, consequence or likelihood on objectives.
I work in the risk management field and have done so for a number of years now and, to be honest, I have absolutely no idea what this definition is trying to tell me. Even worse than that – I have no idea how I explain it to others, and so I default to the previous definition because I know that it makes sense.
I understand that a review of ISO 31000 may be taking place in the near future. If any of the participants involved in that review happen to read this – please, please, please give us a definition we can work with – maybe the effect of uncertain events on objectives may be worth consideration.