Risk Assessments – what are we assessing?

In recent posts, I wrote about the difference between “Risk” (uncertainty) and “risks” (events that could cause harm). Now let’s think about the implication of this distinction when it comes to performing a risk assessment.

ISO 31000 says that a risk assessment is the overall process of risk identification, risk analysis, and risk evaluation.

COSO’s ERM Framework indicates that it allows an entity to consider the extent to which potential events have an impact on achievement of objectives.

When actually performing an assessment, ISO 31000 says that it is expressed in terms of the combination of consequences and their likelihood. COSO says that management assesses events from two perspectives – likelihood and impact. Both stick with the idea of the two axes – i) how impactful is the risk? and ii) how likely is it to occur?. This approach tends to focus on assessing “risks” — the events that could occur and cause harm. However, in an earlier post I wrote  about the problem that exists if you take this approach.

Should we be assessing “risks” (events) or should be assessing “Risk” (uncertainty)? Let’s look at an example to help us think this through.

I’m a little concerned about my 10-year-old car. It is presenting me with some transportation uncertainty. Here’s an immediate clue — the word ‘uncertainty’ popped up. What I’m really looking for is an answer to “Is the car sufficiently reliable, or do I need to do something?” I’m not really looking for a prioritized list of every component, its potential impact, and the likelihood that the component will fail.

Said another way,

  • my Goal is Reliable Transportation
  • my current Strategy is to Retain my Current Car As-Is
  • the Risk Assessment needs to tell me Is this a good Strategy?

The Risk Assessment needs to tell me if the level of uncertainty (“Risk”) is appropriate given this Goal and Strategy. The technique for actually accomplishing this is to identify potential events ( “risks”), along with their likelihood and impact, in order to make the final evaluation of whether the current Strategy is acceptable.

The technique for performing the risk assessment is to look at individual “risks”, but the reason that we’re performing the risk assessment is to evaluate the level of “Risk” within the strategy and determine whether the uncertainty is appropriate given the overriding goal.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s