A risk by any other name...

"Most controversies would soon be ended, if those engaged in them would first accurately define their terms, and then adhere to their definitions."

Tryon Edwards

Defining 'risk' should be a relatively simple matter. Despite this, it remains a contentious aspect of risk management, and represents one of the more significant differences between the various disciplines, standards and methods of risk management.  Personally, I like the ISO31000 definition of risk which is the “effect of uncertainty on objectives” because it is succinct and includes the concept of desired and undesired outcomes. 


Positive and Negative Outcomes of Risk?
For the sake of completeness, it’s worth looking at a couple of other definitions. One of the areas which is becoming less contentions, but is still not universal, is the question of whether risk includes both positive and negative outcomes so let's look at this question first. 


According to OHSAS 18001:2007, “Risk is Combination of the likelihood and consequence(s) of a specified hazardous event occurring.”  The New Oxford American Dictionary defines it as “a situation involving exposure to danger” while ‘AS9100 Revision C Aerospace and Defense Quality Standard’ defines risk as “An undesirable situation or circumstance that has both the likelihood of occurring and a potentially negative outcome.”   and the International Aerospace Quality Group define risk as “a measure of future uncertainties in achieving program performance goals within defined cost and schedule constraints. It has three components: 1. a future root cause, 2. a likelihood assessed at the present time of that future root cause occurring, 3. the consequence of that future occurrence.” 


The above definitions are how we typically perceive risk. But are they right?  Not in my opinion, nor in the opinion of the subject matter experts who signed off on ISO31000. Risk definitely involves exposure to negative outcomes, however it’s all but impossible, to imagine a scenario where a risk doesn’t also offer benefits.  If, for example, you lose a months salary at the casino, you would probably see this as a negative outcome but for the casino, the same event is a positive outcome.  It may even turn into a positive outcome for you if it serves as a cheap lesson to prevent you from gambling in future.   We could debate this concept but instead let’s take a look at the issue through the lens of some scenarios. 

• Scenario #1: Ian, a professional soldier and friend of mine, works for private military company’s (PMC) in a variety of war zones. He undoubtedly takes risk and puts himself into “a situation involving exposure to danger” but is that the end of the story?  No. Not by a long shot.  Ian who has a PhD and was a senior staff officer in the Australian Army takes home a very significant pay packet which helps him put his kids through school and save for university. He also uses his considerable skills to bring peace to conflict regions and his intelligence analysis helps saves the lives of combatants and non-combatants alike. Ian also gets a lot of ancillary benefits like travel, adventure and camaraderie among his peers.
• Scenario #2: Michelle travels overseas regularly for business and often to dangerous parts of the world.  Her employer spends a lot of money putting in place measures to protect her while there. Are they addressing risk? Yes, of course. But they are spending that money on security to achieve a benefit. Without the security measures put in place the organization couldn’t achieve it’s core mission to “help Australian businesses of all sizes, across all sectors, to succeed in international trade and investment”. And without the risks that Austrade takes, the Australian community would in turn receive much reduced economic benefits.
• Scenario #3: A gambler puts $135,300 down on ‘red’ at the roulette table. Ashley Revell, a 32-year-old Londoner, sold all his possessions and stood in a rented tuxedo on Sunday 11th of April 2004 surrounded by family and friends to bet everything on a single spin of the roulette wheel. The ball landed on red 7 and he walked away with $270,600.  He took a risk not because he wanted to be exposed to danger but because he wanted to be exposed to opportunity. Equally, the casino was working on the same basis. Risk may not be a zero sum game but in this (unusual) case the casino was on the negative consequences (losing) side of the equation.
• Scenario #4: Two hijacked aircraft fly into the World Trade Centre towers. Although, a tragic event with massive negative consequences, it also brought a range of positive outcomes to some groups, not least of all being enormous profits to the defense industry.  Some of the definitions provided above also include the concept that risk involves “a specified hazardous event occurring” which is something I would take issue with. A risk doesn’t have to be identified for it to exist.  The 9/11 attack is just one of many instances where risk existed but wasn’t specifically identified until after the event.

Including both desirable and undesirable outcomes makes our use of the word ‘risk’ slightly different from it’s common usage in the community and leaves it open to the criticism that only risk professionals use in this way.  This is a fair comment but it overlook two key issues:

• ISO 31000 was written for risk professionals; and,
• There is no risk that does not have both positive and negative outcomes.

An increasingly large number of standards are adopting the concept of positive and negative consequences.

• “A possible occurrence which could affect (positively or negatively) the achievement of the objectives for the investment.”  (Risk Analysis & Management for Projects - RAMP)
• “An uncertain event or set of circumstances that should it or they occur would have an effect on achievement of one or more project objectives.” (APM Body of Knowledge)
• “An uncertain event or condition that if it occurs has a positive or negative effect on a project’s objectives.” (A Guide to the Project Management Body of Knowledge)

All of these are fine in their own way but the wonderfully succinct ISO31000 definition sums up the same principles in just five words.


Is There Risk Without Objectives?
One other key element in the above definitions and the ISO31000 definition is the use of the word ‘objectives’.  To my mind, without objectives, there is no risk. OK, that’s semantics to a certain extent, but by way of example lets consider the risks associated with cancer or earthquake (and yes, by themselves they are 'events' not 'risks' so let's consider the risk of dying at the hand of those events):

• An earthquake cannot hold any risk for me if I don’t have the objective of living a long injury free life (equally if keeping my house intact isn't an objective of mine then there is no risk in that regard).  
• Equally if I contract cancer but have no concern about living or dying, cancer is just an event for me not a risk.    

Sure they can have consequences and we can calculate probabilities, but they are measures of risk – not risk, per se.  You might argue that my being injured in an earthquake is material, but if I don't care, then it’s probably only material to my family or external observers.  By way of example,  we can measure the likelihood and consequence of a leaf falling from a tree. But is it a risk for the leaf? Perhaps it's a risk for me if it covers my lawn and I have to rake it up. Sure there is 'risk' but... if there are no objectives (like me keeping my lawn clean) then let's not call it a risk. It's just an event -  and therefore, outside our sphere of concern. This might sound slightly pedantic, but the terminology is critical to getting traction in risk management.