A better definition for risk management?
"The effect of uncertainty on objectives."
“It’s just semantics,” he said with a dismissive wave of his hand.
Have you ever been involved in a conversation where try how you might, it took several attempts before the other person understood what you were saying? Or observed a discussion where the participants were blithely unaware that they were talking about different concepts?
I suspect you might have been nodding your head as you read the above paragraph. A conversation perhaps about the difference between threat and risk? Risk management can be like that.
I love the simplicity and inclusiveness of the ISO 31000 definition of risk:
the effect of uncertainty on objectives
and think it is probably the best of many alternatives for a definition of risk. Not least of all because it recognizes that all risks produce benefits or positive outcomes.
Most people who are not risk professionals of course, still see risk as "a situation involving exposure to danger" without any benefits. But let's leave that for the moment and focus on the definition in the international risk management standard.
The ISO 31000 definition of 'risk management' however, leaves me underwhelmed.
"coordinated activities to direct and control an organization with regard to risk"
That seems to be a somewhat circular and unhelpful definition. Not least of all because individuals also manage risk. As do informal groups that are not in the same organization. But rather than just criticize the definition, I thought I'd make an attempt at improving it.
If we accept the ISO 31000 definition for risk, it follows that managing risk involves:
"managing the effect of uncertainty on objectives"
There is nothing particularly wrong with that of course. But it is still a bit vague for my liking. And there are very few situations where you would want to manage risk by increasing uncertainty.
Perhaps if you are facing near-certain bankruptcy or standing in front of a firing squad, you might be keen to do anything to introduce more uncertainty. But for the rest of us, I'd suggest we generally want to reduce the effect of uncertainty when it comes to our objectives.
Someone with a quantitative risk background might also suggest that risk management is about reducing volatility. So an even better definition might be "reducing the volatility of objectives" or "reducing the effect of uncertainty on objectives."
To put it in a more positive light, risk management might then be re-defined as:
"increasing the certainty of achieving objectives."
What do you think? Should the definition of risk management be something like the following?
"Activities to increase the certainty of achieving objectives."
Perhaps something to consider for the next update to ISO31000?
Please comment below or email me if you have thoughts on improving it.
By the way, the next time someone accuses you of using semantics, thank them for the compliment. What they are saying is that you care about what you say, and try to use the best words to convey the meaning.
When people say "It's just semantics" they are implying that words and their meanings do not matter. But what can you achieve if you cannot use words with a certain degree of precision? That is what semantics is really about. And why it is important.
Risk is confusing. Even the word has no consistent definition. I used to understand it more when I was 17 years old than I do now. Then again, I knew more about everything then than I do now. Even today, my experience is that if you ask ten people for a definition of risk, you're likely to get 20 definitions. So, up to you. Choose the one you like and stick to it. Try to convince your friends that risk is the effect of uncertainty on Caribbean lifestyles. As you like. If you have an unusual definition, at worst, you'll just be taking on more risk. And you'll learn more. A win-win.