What is risk, and how can it be expressed? Should risk be defined through probabilities or through uncertainties? That is what Eyvind Aven and Terje Aven set out to explain in their paper On how to understand and express enterprise risk. They argue that the international standards, such as the AS/NZS 4360 Risk Management Standard, the COSO ERM framework and the ISO 31000 Risk Management Standard, do not give adequate guidance on these questions and lack the necessary precision. They therefore establish their own framework, in which risk has two main components, namely 1) the impact of events and consequences (outcomes), and 2) the associated uncertainties, which are expressed through probabilities.
Familiar trains of thought
Terje Aven is perhaps one of Norway’s most prominent risk researchers, with more than 130 publications on risk-related issues. In this paper he picks up familiar thoughts and threads from papers previously reviewed on this blog, first and foremost his 2010 article on how to define and describe risk, and also his 2007 paper that set out a framework for unifying risk and vulnerability, where uncertainty is a major part of the equation, just as it is here.
Three different perspectives
The paper starts off by comparing three definitions of risk:
1) AS/NZS 4360
Risk is the possibility of something happening that impacts on your objectives. It is the chance to either make a gain or a loss. It is measured in terms of likelihood and consequence.
2) COSO ERM
Risk is the possibility that an event will occur that adversely affects the achievement of objectives. Risk is described by likelihood and impact.
3) ISO 31000
Risk is the effect of uncertainty on objectives. An effect is a deviation from the expected (positive or negative). Risk is often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence.
and then looks at how these definitions differ from each other and what that entails for the understanding of risk.
What makes them different?
The paper makes a major point of highlighting that these definitions are perhaps not contradictory, but nonetheless inconsistent with each other:
- all refer to objectives as a point against which risk is measured
- AS/NZS and COSO refer to probabilities or possibilities as the main pillar of risk, while ISO uses uncertainty
- AS/NZS and ISO accommodate both desirable and undesirable outcomes, while COSO only refers to undesirable consequences
- all definitions pair consequences and likelihood
- all lack a precise definition of likelihood and probability
Taken together, they may therefore confuse more than they clarify what risk is. Would you agree?
What are the problems with these definitions?
There are three questions that arise from these definitions:
- Should risk be linked to objectives?
- Should risk be defined through probabilities or should risk be defined through uncertainties?
- Is it possible to establish a unified perspective?
The preliminary answer is that
- Objectives are a double-edged sword. Fixing an objective may hide the overall best solution, and who is to say what the right objective really is, and hence which consequences are really undesirable or desirable?
- Probabilities are not certainties; they are a tool, numbers used to express uncertainty, and like all tools they have their limitations.
- Given how divergent the three definitions are, a unified perspective may seem impossible from the outset, but it does not take much reformulation to arrive at a more holistic point of view, and that is the topic of the paper.
So how can we establish a view of risk that captures all perspectives?
A unified perspective?
The unified framework for enterprise risk assessment and risk management the authors come up with rests on three main pillars:
- Risk covers two components:
a) the impact of events/consequences in relation to some reference
b) the associated uncertainties
- Risk is expressed using knowledge-based or judgemental probabilities
- These probabilities are conditional on a background knowledge, which may itself rest on many assumptions.
The figure below illustrates the concept:
I think the figure perfectly captures all elements of risk: the impact (positive or negative), the probability of said impacts, and the uncertainty associated with the probabilities, shown by the size of the squares marking the impacts.
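To make the three pillars concrete, here is a small added example (not code from the paper or its authors) that describes a risk picture as impact, knowledge-based probability and strength of the background knowledge, and shows why the third element matters: two events with the same expected impact look identical under a plain probability times impact ranking, but the paper’s description separates them by how solid the knowledge behind the probabilities is. The events, numbers and the spread factors that widen the probability interval for weaker knowledge are constructed for illustration and are not taken from the paper.

```python
"""Risk picture in the spirit of Aven & Aven: impact relative to a reference,
a knowledge-based probability, and the strength of the background knowledge
the probability is conditional on. Added example; events and numbers are
constructed, not taken from the paper."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    event: str
    impact: float       # consequence relative to a reference; negative = loss
    probability: float  # knowledge-based (judgemental) probability of the event
    knowledge: str      # "strong", "medium" or "weak" background knowledge


# Assumed mapping (not from the paper): weaker background knowledge widens the
# interval the assigned probability should be read against.
KNOWLEDGE_SPREAD = {"strong": 0.1, "medium": 0.5, "weak": 1.0}
KNOWLEDGE_WEAKNESS = {"strong": 0, "medium": 1, "weak": 2}


def expected_impact(item):
    """Classic probability times impact; this alone is what most matrices rank by."""
    return item.impact * item.probability


def probability_interval(item):
    """Interval around the assigned probability, widened by weaker knowledge."""
    spread = KNOWLEDGE_SPREAD[item.knowledge] * item.probability
    return (max(0.0, item.probability - spread), min(1.0, item.probability + spread))


def impact_interval(item):
    """Expected-impact interval (min, max); ordering handles negative impacts."""
    lo, hi = probability_interval(item)
    a, b = item.impact * lo, item.impact * hi
    return (min(a, b), max(a, b))


def distinct_expected_impacts(items, tol=1e-9):
    """True if a ranking by expected impact can tell all items apart."""
    values = sorted(abs(expected_impact(i)) for i in items)
    return all(b - a > tol for a, b in zip(values, values[1:]))


def weak_knowledge_events(items):
    """Events whose probabilities rest on weak background knowledge."""
    return [i.event for i in items if i.knowledge == "weak"]


def rank(items):
    """Rank by magnitude of expected impact; at a tie, weaker knowledge first,
    because that is where the risk picture is least trustworthy."""
    return sorted(
        items,
        key=lambda i: (-round(abs(expected_impact(i)), 9),
                       -KNOWLEDGE_WEAKNESS[i.knowledge]),
    )


def risk_picture(items):
    """Rows carrying all three pillars plus the derived interval."""
    return [
        {"event": i.event, "impact": i.impact, "probability": i.probability,
         "knowledge": i.knowledge, "expected": expected_impact(i),
         "impact_interval": impact_interval(i)}
        for i in rank(items)
    ]


# Constructed sample: all three events have an expected impact of magnitude 10.
SAMPLE = [
    RiskItem("ransomware outage", impact=-500.0, probability=0.02, knowledge="strong"),
    RiskItem("supplier insolvency", impact=-100.0, probability=0.10, knowledge="weak"),
    RiskItem("new contract won", impact=250.0, probability=0.04, knowledge="medium"),
]

if __name__ == "__main__":
    for row in risk_picture(SAMPLE):
        print(row)
```

Run as a script, the expected-impact column is the same for every row, so a matrix that only multiplies likelihood by impact cannot rank them; the knowledge column and the derived interval show that the supplier event could plausibly cost anywhere from nothing to twice its expected loss, while the ransomware figure is comparatively well founded. That is the paper’s point about probabilities being a tool conditional on background knowledge, rather than the risk itself.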
Not all of Terje Aven’s discourses on risk are easy to follow, as they tend to be highly quantitative in nature; this one is spot on, and I think he has a major point. Having said that, there wasn’t much enterprise risk in the paper, and the example case didn’t shed much light on it either. Personally, I’d say that enterprise could have been omitted from the title without making much difference. In fact, I think that would have been a better title.
Aven, E., & Aven, T. (2011). On how to understand and express enterprise risk. International Journal of Business Continuity and Risk Management, 2(1), 20-34. DOI: 10.1504/IJBCRM.2011.040012