There is an important semantic distinction that is often missed when discussing risk management. When you say “risk”, are you talking about “Risk”? Or are you talking about “a risk”? Let me explain.
I am capitalizing this word just so I can keep myself on point. “Risk” is an idea – a concept. The adjective is “risky”. This relates to the potential of something bad happening. When you drive a car with your eyes closed, you are experiencing “Risk”.
ISO 31000 defines “Risk” as the effect of uncertainty on objectives.
COSO’s ERM Framework defines “Risk” as the possibility that an event will occur and adversely affect the achievement of objectives.
On the other hand, when people talk about “a risk” they are commonly thinking about a specific event or occurrence. It is one of the specific bad things that could happen. When you drive a car with your eyes closed, you experience many risks — you could hit a tree, you could drive into a ditch, etc.
ISO 31000 says that risk is often characterized by reference to potential events and consequences, or a combination of these.
COSO’s ERM Framework takes a different approach. They focus on ‘events’ as a major specific topic and say that an event is an incident or occurrence from internal or external sources that affects achievement of objectives. The implication is that an event with a negative impact is a risk, while an event with a positive impact is an opportunity.
So what does this mean?
This means that you need to be careful when talking about risk. Sometimes you may be talking about the general uncertainty of a strategy relative to its ability to actually achieve its goal — “this is a risky strategy”. Other times you’re talking about specific events. “What’s our biggest risk?” Unfortunately, we’re saddled with the same word being used in different, although obviously related, ways.
In my next post I’ll talk about this a little more.