It might be tempting to skip this section of ISO31000 or to go straight to the sections that you are interested in, especially after that quote from Bob. That would be tempting... But even if you’re already experienced with risk management, the definitions are key to the thinking behind ISO31000. I won’t repeat them throughout this book, as I’m assuming you also have ISO31000 handy beside you; however, I’ll expand on some key terms in the relevant sections.
Throughout this book, I’ll stick to the terms and definitions as outlined in the ISO31000 risk management standard. The following terms, however, deserve a little more commentary, as they are key to organizational risk postures and philosophy. For the sake of simplicity, I've chosen to use the terms threat/hazard/adverse to refer to negative risk and opportunity/benefit/desired to refer to positive risk. According to ISO31000, risk refers to both positive and negative potential outcomes.
Before I go on, it’s worth talking about the different uses of the word risk. It’s tempting to consider risk as being purely negative. That is, after all, how it’s defined in most dictionaries and used in general language. The criticism that comes from many quarters is that only risk professionals use the word 'risk' to refer to both positive and negative outcomes. This is a fair comment, but the naysayers overlook two key issues:
- The standard and this book are both written for risk professionals; and,
- There is no risk that does not have both positive and negative outcomes.
Risk Management: refers to the processes and systems used to manage risk (both positive and negative).
Opportunity Realization: refers to positive risk or the achievement of desired outcomes.
Threat Mitigation or Hazard Management: these terms have both been used to refer to the mitigation of undesirable outcomes. Broadly speaking, one could say that threat more often refers to human-sourced risks (e.g. security risks), while hazard is more often used for risks that are not human-initiated (e.g. safety and health, engineering risks, hazardous materials, etc.). ISO31000 does not specifically define the terms threat or hazard, but the New Oxford American Dictionary defines them as follows:
- Threat: a person or thing likely to cause damage or danger (e.g. hurricane damage poses a major threat to many coastal communities)
- Hazard: a potential source of danger (e.g. a fire hazard or a health hazard)
- a precursor to a hazard and often to a human element (eg: the source of the health hazard was inadequate management and leadership).
Likelihood, Probability and Frequency: ISO31000 talks about likelihood as the “chance of something happening”. Although this is a wonderfully succinct definition, it's worth exploring a little further. From the risk management perspective, likelihood can be viewed in a number of ways, including probability, frequency, chance, prospect, possibility, likeliness, odds, feasibility, promise and many more.
Of these, it is useful to group them into three main ways of expressing or assessing likelihood, which I’ll call chance, probability and frequency. For the purposes of this book I'll define them as follows:
- Chance: a qualitative assessment of likelihood.
- Probability: a statistical or actuarial assessment of likelihood.
- Frequency: the rate at which something occurs or is repeated over a given sample. Strictly speaking, frequency is another way to express probability; however, as you’ll see from the examples, it is generally a superior way for most people to interpret statistical data.
Where this book refers to ‘likelihood’ it means any or all of the above in a generic sense. You’ll find examples of this illustrated in the risk matrix in the table below.
Risk Attitude: before you are able to apply ISO31000 effectively, you will need to understand organizational risk attitude and culture; this is an essential step. Attitude is a great catch-all term, but it is worth describing what it means in practice.
It’s also sometimes referred to as risk preference, appetite, tolerance or capacity, and can be summed up as the amount of risk an organization or individual seeks to accept in pursuit of value. An organization (or individual) can be risk averse, risk neutral, risk tolerant or risk seeking, and the amount of risk a person or entity is likely to tolerate will vary due to a wide range of factors, including organizational culture, expected benefits, perceived losses, awareness of the actual risks, past experience and the level of knowledge about mitigation strategies. The organization's resilience, beliefs and values, or the emotional state of senior leaders can all affect risk attitudes.