In recent posts, I wrote about the difference between “Risk” (uncertainty) and “risks” (events that could cause harm). Now let’s think about the implication of this distinction when it comes to performing a risk assessment.
ISO 31000 says that a risk assessment is the overall process of risk identification, risk analysis, and risk evaluation.
COSO’s ERM Framework indicates that it allows an entity to consider the extent to which potential events have an impact on achievement of objectives.
When actually performing an assessment, ISO 31000 says that risk is expressed in terms of the combination of consequences and their likelihood. COSO says that management assesses events from two perspectives – likelihood and impact. Both stick with the idea of two axes: i) how impactful is the risk? and ii) how likely is it to occur? This approach tends to focus on assessing “risks” — the events that could occur and cause harm. However, in an earlier post I wrote about the problem that exists if you take this approach.
Should we be assessing “risks” (events), or should we be assessing “Risk” (uncertainty)? Let’s look at an example to help us think this through.
I’m a little concerned about my 10-year-old car. It is presenting me with some transportation uncertainty. Here’s an immediate clue — the word ‘uncertainty’ popped up. What I’m really looking for is an answer to “Is the car sufficiently reliable, or do I need to do something?” I’m not really looking for a prioritized list of every component, its potential impact, and the likelihood that the component will fail.
Said another way,
- my Goal is Reliable Transportation
- my current Strategy is to Retain my Current Car As-Is
- the Risk Assessment needs to tell me: Is this a good Strategy?
The Risk Assessment needs to tell me if the level of uncertainty (“Risk”) is appropriate given this Goal and Strategy. The technique for actually accomplishing this is to identify potential events (“risks”), along with their likelihood and impact, in order to make the final evaluation of whether the current Strategy is acceptable.
The technique for performing the risk assessment is to look at individual “risks”, but the reason that we’re performing the risk assessment is to evaluate the level of “Risk” within the strategy and determine whether the uncertainty is appropriate given the overriding goal.