The definition of risk that I favor is from the ISO 31000 global risk management standard:
“Risk is the effect of uncertainty on objectives.”
A quick word about “uncertainty”. ISO defines it in a very peculiar way: “Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.” In other words, they don’t see it as an event or situation that might occur, but as the fact that we don’t have perfect knowledge about the range of its potential effects and the likelihood of those effects. Let’s be honest. We NEVER have perfect knowledge about what might happen in the future, but we can do our best to estimate it.
Do the effects and their likelihood change as we learn more about the likelihood of a devastating earthquake? No.
I prefer to talk about “what might happen” rather than “uncertainty”.
Today my focus is on “the effect… on objectives”.
I have yet to see this adequately addressed by any standard, framework, or guidance.
An event or situation can have different effects on different objectives!
For example, an organization may set enterprise objectives for:
- Revenue
- Market share in total, by product group, or by individual products or services
- Direct and indirect costs, in total or in terms of…