Working In Uncertainty

The fundamental flaws in ISO's definition of ‘risk’


The definition of ‘risk’ currently promoted by ISO (in Guide 73:2009 and repeated most prominently in ISO 31000:2009) is fundamentally flawed and should be withdrawn. This article explains the flaws in detail.

The definition

Definitions of terms in standards are different from ordinary dictionary definitions. Whereas dictionaries try to explain the meanings of words, standards offer a phrase that can be substituted for the term being defined.

The definition of ‘risk’ given in Guide 73:2009 is that the word ‘risk’ can be replaced by the words ‘effect of uncertainty on objectives.’ A note to this definition explains that an ‘effect’ is a ‘deviation from the expected’. Another note explains that ‘uncertainty’ is ‘the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequences, or likelihood.’

The fundamental flaws

Risk is not an effect

Risk is not an effect. This might take a bit of thinking about, and you might be wondering if perhaps it could be some kind of potential effect, but the fact is that risk is not an effect. This was pointed out to me by Austen Leitch (my son). It's good to know the next generation is capable of such clear and logical thinking.

Risk is not an effect on objectives

The words ‘effect of uncertainty on objectives’ can be rather hard to think about clearly because they are abstract and the terms used have multiple possible meanings. Consequently, it can be hard to spot the second fundamental flaw, especially if you start with the expectation that the words will make logical sense, somehow.

To unravel these words I suggest you ask yourself: If risk was in some way an effect, how exactly can uncertainty affect objectives? What kind of effect could uncertainty have on objectives? Note carefully that the definition does not say ‘achievement of objectives’ or ‘expectations about achieving objectives’. It just says ‘objectives’. So, in some way, the idea is that risk is the effect of uncertainty on objectives per se. Objectives are things we choose. Could it be that being uncertain leads people to choose objectives different to those they would have chosen if they were not uncertain? Perhaps this is true to some extent, but are such influences really what ‘risk’ is? Most people I am sure would say ‘no.’

Either the intention was to define ‘risk’ in this very subtle and odd way, or the words do not match the intention, or both.

The note on ‘effect’ does not help. If we substitute it for ‘effect’ in the definition we get:

‘deviation from the expected of uncertainty on objectives’

This isn't even grammatical and defies interpretation. What if we substitute for the words ‘effect of uncertainty’? We get:

‘deviation from the expected on objectives’

This is no better. What if we try to compensate by writing the best interpretation of the note, which is:

‘deviation from the expected objectives caused by uncertainty’

This might be closer to the intention, but now we have the idea that there are expected objectives and actual objectives that are different from them as a result of uncertainty.

Almost certainly, the intention of the committee members was to connect ‘risk’ in some way with uncertainty, with objectives, and with outcomes being different from those either anticipated, planned, or hoped for. The words they have chosen completely fail to do that in a meaningful way.

Additional ambiguities and errors

In addition to the most fundamental problem identified above, the ISO definition has some further flaws.


The word ‘expected’ has at least three important meanings in English.

  1. ‘Expected’ can refer to an outcome thought more likely to happen than not. For example, we might say that a contestant in a competition is ‘expected’ to win.

  2. ‘Expected’ can refer to the probability weighted average of a variable with a probability distribution. This is a mathematical idea, but long established and known to many people.

  3. ‘Expected’ can refer to something that ought to happen. For example, we might say that every soldier is expected to do his duty. Here the word ‘expected’ means more than just that we think it is likely; we also think that soldiers ought to do their duty.

All three of these might conceivably be the basis for calculating deviations. The ISO definition does not say which is intended.

Risk and risks

ISO 31000:2009, which is a guide to risk management, shifts between talking about ‘risks’ and talking about ‘risk’. The ‘risks’ are things that can be counted and listed. ‘Risk’ is something that cannot be counted. Clearly, these are different ideas. The lack of a clear distinction is a problem in ISO 31000:2009 and helps to promote the myth that managing risks and managing risk are the same thing.

The ISO definition of risk as ‘effect of uncertainty on objectives’ preserves the ambiguity, which just perpetuates the confusion.

Uncertainty and events

The note explaining the meaning of uncertainty does so entirely in terms of events. However, uncertainty in ordinary English is a much broader concept. ISO's definition is unnecessarily narrow and unhelpful. Again, it shows confusion between managing risk and managing risks (which are events that might happen).

Uncertainty and likelihood

The final words of the explanation of ‘uncertainty’ talk about being uncertain of the likelihood of an event. This is confusing the likelihood of an event with frequency measured across a sequence of similar events. The only likelihoods that do not reflect uncertainty are shown by the probabilities 1 and 0.

Mistaken intentions

The committee responsible for this definition had two intentions that are clear but mistaken.

To redefine ‘risk’

The intention was to take the established English word ‘risk’ and give it a new, different definition. In ordinary English the word ‘risk’ is almost always associated only with bad things that might happen. We do not say that there is ‘a risk I might win a lot of money in a draw’. And yet, the ISO definition sought to include nice surprises as well as nasty ones.

It is much better to consider all potential outcomes when taking decisions than to consider only bad outcomes, so it makes sense to describe approaches to risk management that take all outcomes into account. However, redefining ‘risk’ was not necessary in order to do this and has led to confusion.

It is unreasonable to expect readers of the standard to put aside the meaning of familiar words like ‘risk’ and adopt new and very different meanings.

To base value on objectives

The intention was to define the importance of risk/risks in terms of ‘objectives’. This is too narrow for two reasons:

  1. There are times when we have not yet defined objectives but still we have a situation that gives value to outcomes. This definition of value in terms of objectives means that risk management cannot be applied to the task of establishing objectives.

  2. Not everyone defines objectives. Some people use different words for the same concept. Others use different concepts, such as a value model or objective function, interests, goals, targets, budgets, and so on. This definition in terms of ‘objectives’ pushes readers towards establishing ‘objectives’ rather than using other ideas that serve the same purpose.

Why a poor definition was written

It is true that committees can produce poor designs, usually because of conflicting ideas and illogical compromises. It is true that some members of the committee involved do not have English as their first language. It is also true that this committee has a long track record of lengthy, unpleasant battles, and that when a decision appears to have been made many members do not want to revisit it and experience more unpleasantness and wasted time.

All these may have contributed to the fundamentally flawed definition published by ISO.

However, beyond all these is a cause of far greater importance, which is the sheer difficulty of writing a single, clear definition for an abstract word that already has many similar but different meanings in the English language. Here, to illustrate the difficulty, are some common senses in which ‘risk’ is used:

  • (noun): a set of possible outcomes/futures e.g. ‘There is a risk that this might go wrong.’

  • (noun): a stochastic variable in a decision-support model e.g. ‘Project cost risk.’

  • (noun): a number calculated using a risk measure e.g. ‘The risk is 0.735.’

  • (noun): an insurance contract, viewed from the insurance company's perspective e.g. ‘Should we accept this risk?’ (that is, should we agree this contract to insure a customer for some particular possible calamity?)

  • (verb): do something that means that an item you value could be lost, killed, or damaged e.g. ‘If we take that route we will risk our lives.’

  • (noun): state of being unable to predict an outcome of interest e.g. ‘This decision is being taken under risk.’ (Frank Knight suggested a more specific interpretation based on his Frequentist beliefs, which was that decisions under ‘risk’ are ones where you know the possible outcomes in a future situation and their probabilities, but do not know which outcome will occur.)

  • (noun): state of being unable to predict an unwanted outcome of interest e.g. ‘If we do that we will be at risk of getting lost.’

  • (adjective): a qualifier of rather indeterminate meaning e.g. ‘Risk report’, ‘Risk culture’, ‘Risk review’.

What should be done instead

Coming up with a single, clear, unambiguous definition for ‘risk’ is too hard. Redefining ‘risk’ in a new way is a bad idea and unhelpful. The best approach is not to define ‘risk’ in standards at all. There is no need to lay down a strict definition and expect people to agree with it.

The best way for a standard like ISO 31000 to tackle the many different views as to what risk and uncertainty are is to offer advice that applies to all reasonable senses of the words and to state this in the scope section. The scope section should also explain the wide scope this implies because, of course, most readers will have their own views of what the terms mean and these will tend to be narrower than the scope of ISO 31000.

Alternatively, if it is felt that a more specific statement of scope is needed, then a good option for many modern risk management standards would be to define that scope as situations in which it is currently hard or impossible to predict outcomes of interest. This would agree, broadly, with the use in phrases like ‘decision-making under risk/uncertainty’ and ‘facing risk’ but with the restriction to negative outcomes removed.

If there is a need to define more specific concepts useful in talking about risk management then the glossary should define more specific phrases (potentially phrases including the word ‘risk’) to name the specific concepts that are needed.

ISO should withdraw the current definition of ‘risk’ and minimize its use of special terms related to risk. Where such special terms are needed, each concept should be given a phrase to identify it that is easily identifiable and does not have well established conflicting meanings in the English language. These phrases can also be chosen so that they are largely self-explanatory, which is also helpful.



Words © 2015 Matthew Leitch. First published 27 May 2015.