For a blog that is supposed to be about risks and risk management we thought that it was important to make a post about the concept of risk itself.
In the English language, when people use the word risk in general conversation it is almost always in a negative sense, as in “this is too risky” or “I wouldn’t want to risk that” (1), and historically many risk management books and systems have also placed the emphasis on risk as something to be avoided.
These include the original 2009 version of the world’s most widely used risk management standard (ISO 31000:2009), which defined risk as the “chance or probability of loss”, and one of the world’s most prolific Health and Safety standards (OHSAS 18001:2007), which described it in terms of the likelihood and impact of hazardous events and exposures. (2)
In other words risk was a combination of how likely it was that a particular bad thing would happen, and how serious it would be if it did.
This type of approach has some merit, of course. We want to be able to identify the things that can hurt or harm us, our businesses and the other things we care about, and in this sense risk management becomes a process for protecting ourselves.
However, the problem with that idea is that it ignores the other side of risk, which is that there can also be good and desirable outcomes from the “risky” choices we make. When we buy into a particular stock or fund, for example, we are thinking about both the potential gain we might make from our investment and the possibility of loss.
We also know that there always seem to be trade-offs in risk-related decisions. Adding protection in one way is almost always going to bring limitations in others.
For example, if we think the weather is going to be cold we might take a heavy coat with us when we go out. However, if it turns out to be not quite as cold as we expected, it is either going to be frustratingly warm for us, or we are going to have the inconvenience of carrying that big coat around with us all day.
Likewise, if we choose not to buy the stocks and shares of smaller companies because we are worried about losing our money if they go out of business (as smaller companies are, generally speaking, more likely to do than larger ones), we are also going to miss out on the possibility of investing in companies with some of the best financial returns available in the market.
Often this becomes a matter of resources too. If I am a Chief Information Security Officer responsible for protecting my firm’s information systems and assets I will have to make decisions about how I allocate the financial resources that are available to me to do this.
So if I choose to spend a lot of those resources, for example, on training staff about their online behaviour and on being alert to the human behaviours that can lead to information security problems, this should reduce the possibility that one of them does something harmful to my firm’s systems, but it might also mean there is less money available to hire extra security administrators or to develop a new Security Operations Centre.
What changed between 2009 and 2018, when the ISO / IEC 31000 standard was updated, was that risk stopped being viewed in this standard as primarily something negative; instead the emphasis was put on risk being about the uncertainty of outcomes, or formally “the effect of uncertainty on objectives”. (3)
In this way risks can be negative or positive: either things that have a positive effect on whether your objectives are achieved, which are frequently described as opportunities, or hazards or threats, which make you less likely to achieve your objectives.
Managing risk is therefore managing the effect of uncertainty in a way that allows us to achieve our objectives.
If that’s still difficult to grasp, and it is certainly not an easy idea, then in practical terms, when you are wondering what a risk is, just try to think of “risk” as being similar to uncertainty and of “risks” as either good or bad things that could happen. This is probably going to be sufficient for you unless you are involved in risk management at a technical level.
(1) By the way, if you are a native speaker of a language other than English in which the idea of risk is treated differently, we’d be interested to hear about it.
(2) “Risk is a combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of injury or ill health that can be caused by the event or exposure(s)”
(3) It had been described that way in other standards and approaches some time before ISO adopted it, including for example the UK’s M_O_R qualification.
If you haven’t already read it, it is worth reading our post on terminology and definitions to give this one a bit more context.