I have just read an interesting Risk Doctor Briefing from Dr. David Hillson (see: http://www.risk-doctor.com/publications-briefings.asp).
The new ISO31000 “Risk management – Principles and guidelines” standard published in November 2009 has made a significant change to the definition of ‘risk’. Most standards have settled on the definition:
Risk is an uncertainty that, if it occurs, will have an effect on objectives
The new ISO definition is:
Risk is the effect of uncertainty on objectives
This definitional shift has two aspects. The first, the focus of David's briefing, is the likely reopening of a more or less concluded debate on risks, threats and opportunities: the ISO definition removes much of the focus from opportunities.
The other, more significant, issue is the time shift implicit in the two definitions. If risk is an uncertainty that may occur, the focus of risk management is forward looking and proactive, seeking to maximise opportunities and minimise threats.
If risk is the effect of the uncertainty, one presumes the risk event must already have occurred to create the effect, and consequently risk management becomes a reactive process managing the effects. That is not really risk management at all: once the effect has occurred, it is a fact or an issue, not an uncertainty.
It reminds me of the story about the project manager who proudly stated that every risk that had adversely affected his project was listed in the risk register, and wondered why he was fired.
I hope the ISO definition is quickly amended to read 'Risk is the potential effect of uncertainty on objectives' to ensure risk management keeps its forward-looking focus. Other aspects of the standard have this focus; it's a pity the definition is inconsistent with these other parts of the Standard.