Establish Decision Context: Appendix A: The Language of Risk and ISO 31000

This document discusses the language and terminology used in ISO 31000, the international standard for risk management. It notes that while ISO 31000 and the terminology used in this textbook aim to describe the same risk management and analysis processes, there are significant differences in the actual language and definitions used. Specifically, it points out that the same terms are sometimes used to describe different concepts, and different terms are sometimes used to describe the same concepts. However, it argues that at their core, the risk management process described in ISO 31000 maps onto the three components of risk analysis described in the textbook. The document aims to bridge the differences in terminology between the two.

Appendix A: The Language of Risk and ISO 31000

[Figure A.1: flow of boxes labelled Risk-Informed Decision Making Risk Management Model, Establish Decision Context, Risk Assessment (Identify Risks, Analyze Risks, Evaluate Risks) and Risk Management Decision, with the ongoing activities Consult, Communicate, and Collaborate and Monitor, Evaluate, Modify alongside the flow]

FIGURE A.1  Risk-informed decision making risk management model adapted from ISO 31000 risk management process. (Source: Casualty Actuarial Society 2003.)

3. One common, overarching process for identifying, analyzing, evaluating, and treating risks
4. Guidance on how that process should be integrated into the decision-making processes of any organization

Leitch (2010), however, found that some definitions in the ISO documents have meanings different from those of ordinary language and other terms that change their meaning from one place to another. He concluded that “many of the definitions in ISO 31000:2009 are not clear and meaningful, let alone close to the actual usage of the terms.” So it is obvious that there are some who believe the language has a long way to travel before it is unified.

ISO 31000 defines risk as the effect of uncertainty on an organization’s objectives. In Chapter 1, I have said risk is the chance of an undesirable outcome and went on to explain that uncertainty is the mother and father of that chance. The words are different and some may argue, perhaps successfully, that they have different meanings. I would disagree and find the definitions quite similar in meaning, especially insofar as they both embrace a notion of risk as an outcome of hazards and opportunities. Point by point, it would be possible to take the ISO language and find its counterpart in the content of this text. Unfortunately, the language of risk defies standardization at this point in time. I would like to assure readers that the risk analysis discussed throughout this text is no different in principle and relatively little different in fact from the risk management process described by ISO. It is, however, shockingly different at times in how the language is used. ISO and the world of practitioners this book will appeal to sometimes use the same words to mean different things. Other times they use different words to mean the same thing. On occasion they even manage to use the same words to mean essentially the same things.
RISK DIALECTS ISO AND THIS BOOK

The same words can mean different things: ISO considers risk analysis to be one of the tasks in risk assessment. Others consider risk analysis to be the overarching concept, one task of which is risk assessment.
Different words can mean the same thing: ISO’s “level of risk” and this book’s “risk estimate.”
The same words can mean the same thing: “risk acceptance,” for example.

ISO defines risk management as the coordinated activities to direct and control an organization with regard to risk. In this sense it is close to the overarching concept of risk analysis while being simpatico with the notion of a risk management activity introduced in Chapter 3.

Purdy (2010) identifies eleven principles of risk management embodied in the ISO standard. These are that risk management should:

1. Create and protect value
2. Be an integral part of all organizational processes
3. Be part of decision making
4. Explicitly address uncertainty
5. Be systematic, structured, and timely
6. Be based on the best available information
7. Be tailored
8. Take into account human and cultural factors
9. Be transparent and inclusive
10. Be dynamic, iterative, and responsive to change
11. Facilitate continual improvement of the organization

All of these are fully consistent with the principles put forth in this book. While that point-by-point discussion to establish the equivalence of the two dialects may be useful, it is not possible. Doing so would essentially require reproducing the information contained in ISO documents, which are considered proprietary information and are available for a fee from the ISO.

In place of an ISO glossary, I have reproduced the ISO relationships among terms based on their risk management principles and guidelines. Numbering and indentation of the layout of the ISO language is faithful to the structure of the January 4, 2008 draft of ISO/IEC CD 2 Guide 73. The numbering system indicates the terms that are subservient to higher order terms.

3.1 Risk
3.2 Risk management
3.2.1 Risk management framework
3.2.2 Risk management policy
3.2.3 Risk management plan
3.3 Risk management process
3.3.1 Communication and consultation
3.3.1.1 Stakeholder
3.3.1.2 Risk perception
3.3.2 Establishing the context
3.3.2.1 External context
3.3.2.2 Internal context
3.3.2.3 Risk criteria
3.3.3 Risk assessment
3.3.4 Risk identification
3.3.4.1 Risk source
3.3.4.2 Event
3.3.4.3 Hazard
3.3.4.4 Risk owner
3.3.5 Risk analysis
3.3.5.1 Uncertainty
3.3.5.2 Likelihood
3.3.5.2.1 Exposure
3.3.5.3 Consequence
3.3.5.4 Probability
3.3.5.5 Frequency
3.3.5.6 Resilience
3.3.5.7 Vulnerability
3.3.5.8 Risk matrix
3.3.5.9 Control
3.3.5.10 Level of risk
3.3.6 Risk evaluation
3.3.6.1 Risk attitude
3.3.6.2 Risk appetite
3.3.6.3 Risk tolerance
3.3.6.4 Risk aversion
3.3.6.5 Risk aggregation
3.3.7 Risk treatment
3.3.7.1 Risk acceptance
3.3.7.2 Risk avoidance
3.3.7.3 Risk sharing
3.3.7.4 Risk financing
3.3.7.5 Risk retention
3.3.7.6 Risk mitigation
3.3.7.7 Residual risk
3.3.8 Monitoring and review
3.3.8.1 Monitoring
3.3.8.2 Review
3.3.8.3 Risk reporting
3.3.8.3.1 Risk register
3.3.8.3.2 Risk profile
3.3.8.4 Risk management audit

This structure provides some useful information about how ISO has organized its thoughts about what this book calls risk analysis. First, notice that risk management is the unifying concept, not risk analysis. Managing risk is a quite suitable focus for many of the organizations that use the ISO principles and guidelines. Many other practitioners rely on risk analysis as the unifying concept for its three components of management, assessment, and communication. Each of these three components is found in the ISO risk management description.

Extracting from the outline presented here, the ISO risk management process consists of five steps and two ongoing processes, as indicated in Figure A.2. Using the abbreviations RC for risk communication, RM for risk management, and RA for risk assessment, the ISO steps are equated to the risk analysis components where the same work is accomplished according to the language used throughout this text. Thus, looking at the ISO risk management process as a whole, it includes risk management, risk assessment, and risk communication and is compatible with the risk analysis view that dominates much of applied practice.

[Figure A.2: ISO process steps mapped to the risk analysis components of this book]
Establish the Context = RM Task
Communication and Consultation = RC Task
Risk Assessment = RA and RM Tasks
Risk Identification = RM Task
Risk Analysis = RA Task
Risk Evaluation = RM Task
Risk Treatment = RM Task
Monitor and Review = RM Task

FIGURE A.2  Mapping the ISO risk management process into the three components of risk analysis as described in this book.

Undeniably there are major differences in terminology. As noted earlier, risk analysis is seen as a subset of risk assessment in the ISO terminology. The risk assessment steps contained within the rectangle mix what I and others would call risk management and risk assessment. Despite the differences in terminology, all of the same work gets done in both dialects.

Purdy (2010) has characterized the publication of ISO 31000:2009 and Guide 73:2009 as “a very significant milestone in mankind’s journey to understand and harness uncertainty.” And so it may be. Twenty-five ISO committee members voted for the standard with only one voting against it. This support was unprecedented in ISO. It is being formally adopted by many states to replace their national standard and is causing other standard-setting bodies to revisit their documents. Before all is said and done, this may be a significant step forward in achieving the four goals set out above by Purdy. If it succeeds in this endeavor, little of the content of this book will be devalued. At the present time and for the foreseeable future, most government agencies and those directly affected by them tend to follow the risk dialect used throughout the body of this text.

I repeat, the language is messy. Not everyone is enamored of the ISO effort, nor should we expect them to be. Leitch (2010) summarized his review by saying ISO 31000:2009:

1. Is unclear
2. Leads to illogical decisions if followed
3. Is impossible to comply with
4. Is not mathematically based, having little to say about probability, data, and models

It is my hope this book contributes some to the development and maturation of the discipline and that readers brought up on the ISO dialect will find it worth the effort to become familiar with the dialect used here.

A.3  Enterprise Risk Management


Enterprise risk management is another term of art that has found common usage in the risk community. The Casualty Actuarial Society has an Enterprise Risk Management (ERM) Committee that in 2003 espoused the ERM process summarized in Figure A.3. It is based on the Australia/New Zealand Risk Standard AS/NZS 4360, which was a precursor to ISO 31000. They define ERM as a “discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders.”

[Figure A.3: process boxes Establish context, Identify risks, Analyze/quantify risks, Integrate risks, Assess/prioritize risks, Treat/exploit risks, with Monitor and review underlying all steps]

FIGURE A.3  Overview of enterprise risk management process steps.

As was the case for ISO 31000, the ERM community practices the same principles and works with the same toolbox. The cubbyholes the concepts are organized into and many of the words by which they are called differ, but substantively there is little to no difference from the practices outlined in this book.

A.4  Observations

Everyone with whom I work uses the risk dialect used throughout this book. It is a fractured language, as I have admitted from the outset. Many others can make the opposite contention that everyone with whom they work uses the ISO dialect. Those who follow the ideas set forth in this book and those who follow the ISO standard are all doing essentially the same things.

I see great value to a standardized language and a process that is firm in its principles yet flexible in the details. Consequently, I would have readily adopted the language of ISO 31000 and ISO Guide 73 except for one detail. That detail is that the ISO language and guidelines are neither broadly recognized, accepted, nor used yet by risk practitioners in government and many industries.

It would seem to me that the language of risk is not only fractured by the many disciplines that have spawned it, but also by the large macroenvironment sectors that use it. The public sector is taken for the moment by the language used in this book. Likewise, their clients and customers are inclined toward that dialect. The so-called Red Book—Risk Assessment in the Federal Government: Managing the Process (NRC 1983)—risk assessment model of hazard identification, dose-response, exposure assessment, and risk characterization, for example, has deep roots in many sectors. It will not soon be sacrificed to risk assessment as risk identification, risk analysis, and risk evaluation. Too many people are vested in their own dialects.

On the other hand, the ISO principles and guidelines represent the only risk management model some sectors have ever known. It is my hope that as the language of risk continues to evolve, the principles found in this book will remain useful to all those interested in risk, no matter which dialect they speak.

REFERENCES

Casualty Actuarial Society Enterprise Risk Management Committee. 2003. Overview of enterprise risk management. http://www.casact.org/research/erm/overview.pdf.
International Organization of Standardization. 2009a. Risk management—principles and guidelines. Geneva, Switzerland: International Organization of Standardization.
International Organization of Standardization. 2009b. Risk management—vocabulary. Geneva, Switzerland: International Organization of Standardization.
National Research Council. 1983. Committee on the Institutional Means for Assessment of Risks to Public Health. Risk assessment in the federal government: Managing the process. Washington, DC: National Academies Press.