What is “risk”, really? | Norman Marks on Governance, Risk Management, and Internal Audit

Bear with me for a moment or two, and set aside the standards and frameworks that provide definitions of “risk” and “risk management”.

Why?

As Grant Purdy (the grandfather and, IMHO, the grandmaster of risk management) together with the late Roger Estall proclaimed in the highly-rated Deciding: A guide to even better decision making (2020), there is no commonly accepted definition of either term. I said the same thing when I wrote the earlier and equally highly-rated book, Risk Management in Plain English: A Guide for Executives: Enabling Success through Intelligent and Informed Risk-Taking (2018).

While I prefer the ISO 31000 definition of risk to anything else that is out there (and I quote it often[1]), its meaning is not clear from the wording alone. “Risk is the effect of uncertainty on objectives” may mean something to some (but not all) risk practitioners, but it is generally misunderstood and misused. For a start, what is meant by ‘uncertainty’? It is not simply a lack of certainty, because you can never be certain. Having more knowledge may not even increase certainty, and it does not change whether you will achieve your objectives; only actions will do that.

While the ISO definition is intended to include both positive and negative effects, that is not clear when you just read or quote the…