Sunday, August 26, 2012

What is Risk Management?

I love the simplicity and inclusiveness of the ISO 31000 definition of risk ("the effect of uncertainty on objectives") and think it is probably the best of the many alternative definitions of risk. On the other hand, the ISO 31000 definition of 'risk management' ("coordinated activities to direct and control an organization with regard to risk") leaves me more than a little underwhelmed. So, rather than just criticise it, I'd offer the following thoughts in support of a 'better'(?) definition.

If we accept the ISO 31000 definition of risk, does it not follow that 'managing risk' = 'managing the effect of uncertainty on objectives'?

We could take this argument further by suggesting that if we have objectives, we would like to achieve them. If that is the case, then we could define 'risk management' as 'reducing the effect of uncertainty on objectives'.

A quantitative analyst (quant) might suggest that risk management is all about reducing volatility, but that definition is still rather vague. With their focus on volatility and pricing, quants are more focussed on reducing something abstract than on achieving objectives, so a better view of managing risk might be something like: risk management = 'increasing the certainty of achieving objectives'.

And that gets my vote for a better definition of risk management. What do you think?


  1. Spot on. Couldn't get simpler and more concise than that

  2. There is an ontological error in the ISO 31000 definition of risk.
    It should be: "risk is the potential effect of uncertainty on objectives"

    Your definition of risk management is very good and works even better with the corrected definition of risk!