“I define nothing. Not beauty, not patriotism. I take each thing as it is, without prior rules about what it should be.”
It might be tempting to skip this part of risk management and go straight to the more interesting bits, especially after that quote from Bob. That would be tempting. But even if you are an experienced risk manager, the definitions are essential. I won’t repeat them throughout this book as I’m assuming you also have ISO 31000, ISO 73, etc. handy beside you but some are worth a mention.
I usually stick to the terms and definitions as outlined in ISO31000 risk management standard. Some terms, deserve a little more commentary as they are key to organizational risk postures and philosophy. For the sake of simplicity, I've chosen to use the terms threat/hazard/adverse to refer to negative risk. Opportunity/benefit/desired can refer to positive risk. According to ISO31000, risk refers to both positive and negative potential outcomes.
Before I go on, it’s worth talking about the different uses of the word risk. It’s tempting to consider risk as being negative. That is after all, how it’s defined in most dictionaries and used in general language. The criticism that comes from many quarters is that only risk professionals use the word 'risk' for both positive and negative outcomes. This is a fair comment, but the naysayers overlook two key issues:
ISO 31000 is the international standard; and,
All risks have both positive and negative outcomes.
Refers to the processes and systems used to manage risk (both positive or negative).
Refers to positive risk or achievement of desired outcomes.
Threat Mitigation or Hazard Management
These terms have both applied to mitigation of undesirable outcomes. Threat is more likely to refer to human sourced risks (e.g., security risks). Hazard is more often used to refer to non-human initiated risks (e.g., safety, engineering, hazardous materials, etc). In reality, you can interchange these terms, and the differences are about definition than substance. ISO31000 does not define the terms for threat or hazard, but the New Oxford American Dictionary defines them as follows:
Threat: a person or thing likely to cause damage or danger (e.g., hurricane damage poses a major threat to many coastal communities)
Hazard: a potential source of danger (e.g., a fire hazard or a health hazard)
Source is another word which is often used interchangeably with threat or hazard. I prefer to use term source sparingly but generally define it as follows:
a precursor to a hazard and often to a human element (e.g., the source of the health hazard was inadequate management and leadership).
ISO31000 talks about likelihood as the “chance of something happening." This is a succinct definition, and it's worth exploring the idea a little further. Likelihood can also mean probability, frequency, chance, prospect, possibility, likeliness, odds, feasibility, and more.
Of these, it is useful to break them up into three main ways of expressing or assessing the likelihood, which I’ll call chance, frequency, and probability. For our purposes I'll define them as follows:
Chance: a qualitative assessment of likelihood (e.g., low, medium, high)
Frequency: the rate at which something occurs or is repeated over a given sample. (e.g., accidents per 100,000 flights, incidents per year). Frequency is another way to express probability, but natural frequencies are easier for homo sapiens to interpret.
Probability: a statistical or actuarial assessment of likelihood (usually expressed as a number between 0 and 1)
'Likelihood’ can mean any of these in a generic sense. You’ll find examples of this illustrated in the risk matrix in the table below.
Table 1: Likelihood Table Examples
Before you can manage risk (at least according to ISO31000), you need to understand risk attitude and culture. Attitude is a great catch-all term, but it is worth describing what it means in practice.
Table 2: Risk Attitude Examples
Risk attitude is sometimes referred to as risk preference, appetite, tolerance or capacity. Most of us can sum it up as the amount of risk an organization or individual seeks to accept in pursuit of value. An organization (or individual) can be risk avoiding, risk averse, risk neutral, risk tolerant or risk seeking. Any or all, depending on context.
The amount of risk a person or entity is likely to tolerate will vary due to a wide range of factors. Organizational culture, expected benefits, perceived losses, awareness of the risks, experience, and level of knowledge about mitigation strategies, can all affect risk attitude. The beliefs, values, and emotional state of senior leaders will also effect risk attitudes.
If you think about examples from your own life, you'll see areas where your risk attitude changes. Having children can change your risk attitude from a risk-seeking skydiver to a risk-averse parent (at least while your kids are growing up). We also have different risk attitudes in different aspects of our life. You might be risk seeking while riding dirtbikes on the weekend and risk-averse with your investment portfolio. You might also be risk tolerant in your career, taking contracting roles for better pay, or risk-averse, preferring steady work. Take Amazon.com for example. At the start, they were risk-seeking and took some all-or-nothing risks to gain market penetration. They weren't the only book company trying to dominate the industry, but; with the benefit of hindsight; they were the most successful. By 2050 Amazon will likely be even bigger and as a result, more risk-averse. This is a normal progression from startup to mega-corporation. You might say Amazon is risk-tolerant (risk-savvy would be another word) at the moment. It's likely to pass through a phase of being risk neutral if it moves to become risk-averse.
What Does It All Mean?
Despite this nice discussion of risk attitude, threat, hazard, etc., the main takeaway, is that you need clear definitions. It doesn't matter if everyone in the known universe agrees with them (they won't), so long as all your stakeholders agree.
And don't copy and paste the standard definitions from ISO31000 or anywhere else for that matter. Your context is unique. You need to make some decisions about the words you will use. Discuss which definitions you need, and define them in writing. Can, may, should, and must are all important words in the English language with subtle but important distinctions. Likewise, accountability, responsibility, probability, frequency, and chance. Some of the biggest problems I see time and time again in risk management (or general management for that matter) stem from lack of agreed definitions. Don't let that be you.