Definition of Risk

I was always happy with the accepted way that risk was defined. That being the combination of the probability that something would happen, combined with the severity of its impact, or variations on that theme with slightly different wording. OHSAS 18001:2007, for example, defines risk as “the combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of injury or ill health that can be caused by the event or exposure(s)”. The reason I like that definition is mainly because it is easy to understand and you can actually do something practical with it. It means that you could plot risk on an x-y axis, and look at ways of treating the risk by looking for ways to move it down either axis, or preferably both.

The recent definition of risk that I have seen being thrown about (i.e. “the effect of uncertainty”) has me baffled. I first came across it in the CD for ISO 9001:2015, but it has its origins, apparently, in ISO 31000. I’ve tried to analyse the definition and understand the rationale. Maybe I just wasn’t getting something? Anyway, I thought I’d jot down the results of my own analysis (I still don’t get it, by the way).

My first issue with defining risk as “the effect of uncertainty” is that the effects of uncertainty are nearly always behavioural. Most often it could be fear or caution. Now if the risk is the effect of uncertainty, and the effect of uncertainty is fear, that means fear is risk. Now that’s not right, is it? Fear is a reaction to the risk, not the risk itself. That said, you can actually reduce the fear by reducing the likelihood or impact of the event, but again the reduction in the fear would be a consequence of the action taken; you are not actually treating the “risk” (i.e. the fear under this definition). The other anomaly I believe exists in this definition is that if we are to actually treat the risk (i.e. the behavioural consequence of uncertainty, be that fear or caution or whatever) we could actually reduce the effects by the administration of sedative drugs, alcohol, a nap in a quiet room or a spot of counselling. Again, can that be right?

So, basically, risk just cannot be defined as the effect of uncertainty. Not only is it impractical (as you would be able to reduce “the risk” just by getting folk to calm down a bit somehow) but it inexplicably messes about with something that actually works very well. I’d be interested to hear any other perspectives on this because, as it stands, I am just not getting this at all.


6 Responses to Definition of Risk

  1. Bill S says:

    I agree with you, and thanks for the blog and the opportunity to respond. There are times when I really despair, and this is one of them. We have clowns who run round with their heads stuck up their own backsides and these are the people who invent new definitions/requirements to impose on businesses who will be baffled by the changes. It will, however, keep the army of consultants/advisers/certification bodies in employment until the next changes are imposed. Approximately 99% of businesses in the UK are classed as SMEs, about 95% have less than 30 employees. Let’s get real and give them a standard that will be aimed at 99% of businesses, not the 1% who will have regulatory officers, Quality/Environment/H&S professionals working for them.

  2. Shaun says:

    Thanks for taking the time to read and comment, Bill. My frustration is that the comments feeding in to the reviews are often biased in favour of people who have time on their hands and a high tolerance for tedious debate. This often means busy and successful people are excluded. Does the standard ever look after the interests of purchasing organisations? Does it really define system attributes that purchasers actually CARE about? Will it mean they can do fewer second party audits? Probably not …

  3. Jane Bennett says:

    I agree with you in that I don’t get this new definition of risk, either. It isn’t common sense at all and whenever I mention it to people their reaction is pretty consistent: a wrinkling of the brow, closely followed or accompanied by “huh?”
    Huh indeed. It is a stupid definition to me, and I much preferred the apparently now discarded one, along the lines of the probability of occurrence of an event combined with the consequences or severity if it did. Made sense.

    But I’m confused about why you say that the ‘effects of uncertainty are nearly always behavioural’. Why so? Because surely when we’re talking of risk management in organisations (as I assume we are), then this doesn’t follow, as now you’re talking of effects as purely being experienced by the people in those organisations, not the effect on the organisation itself.

    Although I like the rest of your argument, in that all that would need be done to treat risks then, would be counselling, medicinal applications of suitable sedatives and so forth.

  4. Shaun says:

    The effects of uncertainty can only be behavioural, Jane. At least so far as the primary effect goes. It is only a human that can judge whether they are uncertain or not, and the primary effect of that judgement will be what they do as a result. That is, get nervous, become cautious, change their spending patterns, get scared, hide under the bed or whatever. Can you give me an effect of uncertainty that doesn’t have a primary behavioural effect? You’ll note that I was limiting my argument to “risk” being the “effects of uncertainty” and exploring the implications of that definition if we were to accept it. I was not stating what I think risk actually is, or what the management of risk should involve.

    Now, you can use technology and algorithms to calculate the DEGREE of uncertainty, but the EFFECTS of that level of uncertainty will be on the behaviours of the affected humans.

  5. Michael says:

    Hi Shaun.

    And, if you are to take fear to the next level … you must also conclude that the fear is environmental, as well. What one fears somewhere, another may experience absolutely no fear somewhere else … and for the exact same event (or issue).

    With fear being behavioural and environment driving behaviour, risk then becomes potentially anything or nothing to any and all persons.

    Risk as it has historically been addressed … probability v. severity … seems to me to make the only real sense. This ‘formula’ transcends all of my above thoughts here as it’s essentially mechanical, not subjective. I prefer a clean condition of thinking when discussing risk; rather than the new ‘warm-fuzzy’ type of definition.

    BTW, on another subject, are you finding that the more we ‘evolve’ with the standards, the more grey everything is becoming? Soon, what is written can and will mean anything anybody wants it to mean; or virtually nothing to nobody. My head is starting to spin a bit here; time for my wine cooler … and it’s only mid-afternoon. ;-D.


  6. Shaun says:

    I was thinking that, Michael. It seems the more open the process has become to comment, the more open the sluice gates have become, with natural consequences. Having been involved in part of this process in the past, I will also suggest it favours people who have a lot of time on their hands and strong opinions. You can work out for yourself what special type of person that defines. I’ve said before that my main frustration is that I am not confident that looking after the interests of purchasing organisations is the main objective – and it should be. Bill (first comment above) also makes a valid point that as technology is enabling companies to deliver with a smaller and smaller labour force, does it really consider the management system dynamics of companies that serve some impressive clients, but aren’t very big themselves?
