ISO 31000: Dr Rorschach meets Humpty Dumpty

Much advice is proffered in cyberspace about how to manage risk: at the time of writing, tapping “risk management” into Google yielded 72 million hits. Do you sometimes (frequently?) on reading risk management guidance get to the end without a clue as to what the guide expects you, the risk manager, to actually do?

I am currently having this problem with ISO 31000 – Risk management — Principles and Guidelines. The International Standards Organization published these guidelines in 2009 and with them appears to aspire to global leadership, if not domination, of the risk management industry. According to Kevin Knight, leader of the group that produced the document, it is comprehensive and global in reach – it “provides principles and practical guidance to the risk management process” and it applies to everyone everywhere – it is “applicable to all organizations, regardless of type, size, activities and location and should apply to all types of risk.”

A game anyone can play
I have now read it many times and still do not know what is expected of me. And I think I have worked out why. It repeatedly tells me to do what is “appropriate”: it tells me that my involvement with stakeholders should be “appropriate and timely”; that I should consider “the most appropriate ways to communicate with [stakeholders]”; that I “should allocate appropriate resources for risk management”; and that I should “communicate and consult with stakeholders to ensure that [my] risk management framework remains appropriate.” The guidance to do the “appropriate” thing appears 34 times in 26 pages.

What is “appropriate”? Those deploying the word appear to assume that all readers will share its meaning. But anyone plugged into discussions about the influence of disparate cultural perceptions of risk will appreciate that this is a facile assumption. All these “appropriates” are Rorschach inkblots. The famous Rorschach test is known as a projective test. Subjects are shown ambiguous stimuli (inkblots) and asked to say what they see. Although psychologists have failed to reach a consensus on the interpretation of the answers, it is clear that different people project very different meanings onto ambiguous stimuli.

“Appropriate” is not the only inkblot in ISO 31000. There are 33 “effectives” (“this International Standard establishes a number of principles that need to be satisfied to make risk management effective.”); 13 “culture/culturals” (“Risk management takes human and cultural factors into account.”); 9 “relevants” (I should ensure that “risk management remains relevant and up-to-date”); 8 “comprehensives” (I need “to generate a comprehensive list of risks”); plus 4 “acceptables” and 4 “tolerables”.

Using this (incomplete) list of inkblots I divide 105 inkblots by 26 pages and award ISO 31000 an inkblot score of 4.03. It is a game that anyone can play and I offer it as a way of quantifying the sense of vague dissatisfaction generated by so much of the current risk management literature.

Humpty Dumpty
Humpty famously told Alice “When I use a word it means just what I choose it to mean — neither more nor less.”

One word in ISO 31000 is most definitely not an inkblot. “Risk” is defined as “the effect of uncertainty on objectives – positive and/or negative”.

The document is forcefully determined that the meaning of the word should be absolutely clear to all readers. Section 2 contains 29 terms and definitions elaborating on the meaning of “risk” and its use in the document – supplemented by 44 explanatory notes. Section 3 contains eleven “principles” that turn out to be further definitions, e.g. “d) Risk management explicitly addresses uncertainty.”

But all this is not sufficient. To be absolutely confident that one is on the ISO 31000 wavelength one must master Risk management – Vocabulary (ISO Guide 73:2009). This is a 15-page dictionary further elaborating the terms and definitions of ISO 31000. An example: ISO 31000 refers to “stakeholders”, but one needs the ISO vocabulary to be confident of knowing what this word means – “a person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity”. The Guide provides 49 such examples (supplemented by 56 more notes).

The ISO definition of risk – “the effect of uncertainty on objectives – positive and/or negative” – is described by the leader of the group that produced it as “pivotal”. Certainly it is the pivot, the authors are determined, around which all discussion of risk management should rotate. But they have a couple of problems.

The first is that their definition of risk as something “positive and/or negative” is shared by no other dictionary. “Risk” as the rest of the world uses the word is negative. It is
• “the possibility that something unpleasant or unwelcome will happen” (http://oxforddictionaries.com/definition/risk), or
• “A probability or threat of a damage, injury, liability, loss, or other negative occurrence that is caused by external or internal vulnerabilities, and that may be neutralized through preemptive action” (http://www.businessdictionary.com/definition/risk.html), or
• “possibility of loss or injury : peril, someone or something that creates or suggests a hazard” (http://www.merriam-webster.com/dictionary/risk)

The established dictionaries have the merit of defining words as most people use them. With its idiosyncratic definition the ISO appears to aspire to establish itself as a priestly caste with a private vocabulary inaccessible to the vulgar horde.

There has been an attempt by ISO supporters to gain a foothold in other dictionaries. The Wikipedia definition of risk is in agreement with the established dictionaries: “Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss (an undesirable outcome).” (http://en.wikipedia.org/wiki/Risk).

But then an ISO enthusiast took advantage of Wikipedia’s open-editing facility to add the following: “The ISO 31000 (2009) /ISO Guide 73 definition of risk is the ‘effect of uncertainty on objectives’. In this definition, uncertainties include events (which may or not happen) and uncertainties caused by a lack of information or ambiguity. It also includes both negative and positive impacts on objectives. Many definitions of risk exist in common usage, however this definition was developed by an international committee representing over 30 countries and is based on the input of several thousand subject matter experts [my emphasis added].”

The ISO definition may well be now shared by several thousand linkedin “experts”, but the problem is that they are vastly outnumbered by the hundreds of millions of other lay and expert risk managers who share the dictionary meaning – who understand risk to be something negative. From Britain’s Health and Safety Executive (mantra “Reducing Risks, Protecting People”) to the quants who calculate Value at Risk, most risk experts still side with the dictionaries. The consoling mantra of day traders after a bad day is “No risk, No Reward”. Outside the ISO club risk means what the dictionaries say it means.

A second problem encountered by the “expert” advocates of ISO 31000 is that their job as risk managers involves communicating with non-experts. Their definition of the key word “risk” that will be central to these communications is not only not in the dictionaries that most of the non-experts are likely to consult, but can be found only in ISO 31000 and the supplementary vocabulary ISO Guide 73. These documents cost CHF 112 ($104) and CHF 86 ($80) respectively.

When Alice questioned the meaning of a word that Humpty Dumpty had used he replied, “The question is which is to be master — that’s all.” In attempting to assert its mastery over the word risk, a word requiring 178 expensive terms, definitions and notes before those deploying it can be confident that they know what they mean by it, the ISO experts face a challenge. “When I make a word do a lot of work like that, said Humpty Dumpty, I always pay it extra.” Payment is likely to take the form of tears of frustration.

ISO 31000 and the IRM
In 2010 the IRM published an endorsement of ISO 31000 in a document entitled A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000. It says “this guide [the IRM Guide] provides a structured approach to implementing risk management on an enterprisewide basis that is compatible with both COSO ERM and ISO 31000.”

It runs into an immediate problem. ISO and COSO cannot agree on the meaning of the word at the centre of the exercise – “risk”. COSO sides with the dictionaries and views it as negative – “the possibility that an event will occur and adversely affect the achievement of objectives” while ISO defines it as “positive and/or negative”. Humpty Dumpty has yet to pronounce.

The IRM document shares with ISO 31000 an impressively high inkblot count – words onto which readers will project variable subjective meanings. In 17 pages it has 21 “appropriates”, 16 “significants”, 14 “effectives”, 14 “culture/culturals”, 13 “effectives”, 7 “comprehensives” and 4 “sufficients” – yielding an inkblot score of 5.3 – or 36 if you add the 523 occurrences of “risk” which, thanks to the ISO/COSO definitional conflict, has itself become an inkblot. The sentence “Achieving a good risk aware culture is ensured by establishing an appropriate risk architecture” conveys the flavour of the difficulty confronting those seeking to standardize risk management guidance. Which definition of risk will the health and safety officer, investment banker, compliance manager, financial regulator, or teacher producing a risk assessment for a school trip, have in mind when reading this sentence?

Although “culture” appears liberally in both documents it is used without content. There is no apparent awareness, acknowledgement or application of the substantial literature by behavioural economists, psychologists, anthropologists and members of other academic disciplines on the influence of cultural biases. The subtitle of the seminal work Risk and Culture, by Douglas and Wildavsky almost 30 years ago is “An Essay on the Selection of Technological and Environmental Dangers”. Ever since then cultural influences on the threats that people select to worry about, or choose to ignore, have generated an impressive literature. Why are GMOs shunned in Europe while planted over millions of acres in the United States? Why do middle-aged women have much lower road accident rates than young men? Who worries about global warming, and why? And what induced some derivative traders to place bank-busting bets? ISO 31000 appears oblivious to such questions. Why?

In an article in Risk Analysis Grant Purdy, one of the principal architects of ISO 31000, describes it as “a new globally accepted standard for risk management”. Accepted globally? Accepted by whom? Most, indeed the vast majority, of the people around the globe interested in risk management have never been asked. They have never read it, and probably never heard of it. The academic world is comprehensively ignorant of it because it can be found in no libraries. If it, and its associated vocabulary, were to be made available in libraries, sales of these documents at CHF 198 would be severely compromised.

No academics I know are likely to pay such a sum for the privilege of reading them. For a start they would not be interested in writing about something almost none of their colleagues had heard of – I have only been able to join this discussion because an anonymous friend sent me bootleg copies.

The academic world depends on open access to sources. The IRM is so sensitive to ISO’s aggressive protection of its copyright that it declares in its introduction that “Permission to reproduce extracts from ISO 31000 ‘Risk management – Code of practice’ is granted by the BSI.” Academics are not in the habit of seeking permission to reproduce extracts from sources that they are commenting upon.

Purdy acknowledges that ISO 31000 creates “challenges for those who use language and approaches that are unique to their area of work but different from the new standard and guide. The need for compromise and change is” he insists “the inevitable consequence of standardization.” In a world where the vast majority use approaches that are free, and communicate in the language of the standard dictionaries, the unique approach and language of the ISO “new standard” appear unlikely to catch on.


  1. Alex Dali says:

    Dear author,

    After reading your article, I have a simple question to ask: during these 5 years of difficult elaboration of the ISO 31000 Risk Management Standard, where have you been?
    The development of an ISO document is an open process based on consensus; have you been involved at all?

    Indeed, it is much easier for you to “destroy” than to build and advance the discipline of risk management.

    Wake up and look around you. See the present situation resulting on the way organisations manage their risks. If you are satisfied, you should be ashamed. If you wish to change or improve the life of billions of affected citizens, you should create an alternative or build on existing proposals.

    If you wish to submit your alternative ideas, I invite you to join the official discussion group on the content of the ISO 31000 Risk Management Standard.
    We have reached 7000+ members and are growing by 100 new members every week.

    Here is the link:

    Hope to read you soon again.
    Till then, have a nice time.

    Alex Dali, MBA, ARM
    Moderator of the ISO 31000 Risk Management Standard group

  2. johnadams says:

    Dear Alex
    “Have I been involved at all?” The answer is no: a) I was not invited and b) I had not heard of your “elaboration”. It is not as though I had been avoiding the subject of risk. If you look at the blogs, books, presentations and essays on my website you will see that I have been involved with almost every facet of the subject for many years.

    I am unclear as to whether you consider all my contributions to the subject destructive – or just my most recent essay.

    I am neither satisfied, nor ashamed. I have been making what some consider positive contributions to the subject since before (judging by their youthful appearance) some of the contributors to your Linkedin discussion groups were born.

    You invite me to submit ideas to your discussion groups. I have tried. I briefly joined this group led by Alpaslan – “How do you define Risk Management under ISO 31000 guidance?” (http://www.linkedin.com/groups/How-do-you-define-Risk-1834592.S.93827328?qid=eaf57ecf-5a99-4c1a-a4fe-0da566a07f7a&trk=group_most_popular-0-b-ttl&goback=.gmp_1834592 ).

    In one submission I offered what I considered a constructive proposal: that you would have more success communicating with the people that you were trying to recruit if you used words such as “risk” as they are defined by Oxford and Webster, than if you insisted on your own idiosyncratic definitions.
    Alpaslan replied with a conspiracy theory that I confess I had not heard before: “John, I would have agreed with you if the word ‘risk’ was English, but not. …
    Do you think Oxford has more right to define risk? Well, I don’t think so. At least not anymore. It might have been true in 100s years ago where UK was an great Empire where there was no sunset over its reign.”

    As someone who consults the Oxford dictionary frequently, I found this contribution to linguistics discouraging.

    Best wishes

  3. Dr. Robert Davis says:

    Excellent post John.

    I would like to see people representing ISO 31000 trying to give a sensible response to your piece.

  4. Alex Dali says:

    Dear John

    In the ISO process for developing standards, each country is free to apply and participate. Generally, the ISO representative in your country contacts the best experts in a particular field – in this case, Risk Management. Because the attendance of each country is limited to 3 delegates, many countries create a mirror national committee which could be as big as 100 stakeholders from different sectors. I am sorry to read that you have not been invited during these 5 years of elaboration of the ISO 31000 Risk Management Standard.
    However, given the fact that you seem to be well-involved in risk management, it is surprising to read that you have “not heard of its [ISO 31000] elaboration” from 2004 till its publication in November 2009… including during the 4-6 months public consultation proposed to anyone before the final version? Strange!
    I have to admit that I am not aware of your publications in risk management. I read your essay and it is clear to any reader that it is rather destructive, for an “expert” in risk management with your profile.
    When I read what a “life-time student” like Felix Kloman writes, I am surprised that so many positive contributions, simple, clearly-written, have not been taken into consideration. Maybe you are a person in the same category. The good news is that ISO documents are regularly reviewed and maybe it is still time for you to be involved in the current elaboration of the ISO 31004 guide for implementation of ISO 31000.
    Talking about the LinkedIn discussion group, which was started three years ago, in March 2009, we have covered so far hundreds of topics with thousands of comments. Since we run this discussion forum exclusively on ISO 31000 and it is well-managed by 10 moderators, we have been successful in attracting a lot of people (7000 members to date), coming from various sectors.
    Since you only joined last month, it probably means that you had not heard about our group before (same as for the ISO 31000 development). You refer to one of our excellent moderators, Alpaslan, who was referring to the fact that the origin of the word “risk” is not English. Please go to the specific discussion on this topic here: http://goo.gl/gp96t
    As said, you are new in this discussion forum, so I invite you to take the time to read the thousands of comments made so far. In order to help new members, we have created a user guide which you can download here: http://goo.gl/0dCfp
    We would appreciate reading your perspective on the following topics:

    Business continuity
    Finance & banking
    Audit & compliance
    Public sector
    Health & safety sector
    Project risk management
    Human factor and safety
    Sustainable development
    Information security
    Physical security
    Security and resilience
    Standards and management system
    Education & Training
    About ISO 31000
    About ISO 31010 – Risk assessment
    Risk Management Framework
    Risk Management Process
    Certification of organisation
    Best practices
    About this group
    About the Global survey 2011
    ISO 31000 expanding in the world

    Of course, the definition of “risk” is controversial, given the hundreds of comments it has attracted. However, you should be wise enough to adopt the logic of your friend Felix Kloman who said:
    “The minus side of ISO-31000: too much of it may congeal into concrete as hordes unthinkingly adopt its verbiage and processes. The plus side of ISO-31000: thousands of thinking people around the world now have a starting point (and it is only that) to consider how to create a better and more disciplined approach to dealing with uncertainty.”
    As Felix, you should be able to see the global picture and not be easily discouraged with the linguistic not matching harmoniously the Oxford dictionary.

    Best regards
    Moderator of the ISO 31000 Risk Management Standard group on LinkedIn

  5. johnadams says:

    Dear Alex
    Where to start?
    You invite me “to take the time to read the thousands of comments made so far.” It would make a start, if we are to have meaningful discussion, if you would take the time to read my small number (4) of comments to Alpaslan’s group.

    You cite with approval, and in support of your views, the work of Felix Kloman. In a response to Arnold Schanfield’s urging to heed the wisdom of Felix Kloman I wrote the following: “Arnold, I too am an admirer of Felix Kloman – not least for his willingness to consider arguments that might change his mind. I know that you are a member of his email forum – we are both on the distribution list. Perhaps you missed his email of 4 January. As the culmination of a discussion on this topic that we had on his forum he wrote: “John: I will toss in the towel! I think you are right, that the generally accepted meaning of the word “risk” is indeed negative and that trying to define it otherwise is tilting at windmills.”

    Since then (24 February) Felix has copied my “destructive” blog to his Risk Management Group with the following introduction: “RM Group: John Adams sent me this morning his latest blog on how we misinterpret the word “risk.” This was, of course, the subject of a recent dialogue within this group, one in which I gave up my some-twenty-year battle for a broader definition and use of the word “risk” itself. When the overwhelming usage of the word is negative, I agree with John it is useless to try and redefine it more broadly for a small coterie of disciples. I have thrown in the white towel!”

    You encourage me to get involved in “the current elaboration of the ISO 31004 guide for implementation of ISO 31000” and say that I should “not be easily discouraged with the linguistic not matching harmoniously the Oxford dictionary.”

    My reason for declining your invitation can be found in your own words quoted in another of my contributions to Alpaslan’s group that you appear also not to have read: “As Alex said to Norman Marks in a discussion elsewhere: ‘one cannot use two ‘dictionaries’ at the same time, especially when definitions are so different’.” You continued in that exchange to say “it is impossible to start a discussion on risk management topics with someone if we disagree on terms and definitions.” I agree.

    The ISO definition of “risk” is central and indeed crucial to your enterprise. So crucial that it is deemed necessary to deploy 178 terms, definitions and notes in ISO 31000 and its ancillary dictionary to make absolutely clear what ISO means by it. To now describe the ISO definition of risk as not matching the Oxford definition “harmoniously” is disingenuous. Words matter. You cannot have a coherent discussion if the participants cannot agree on the meaning of the words they are using.

    I am afraid that I have no interest in “the elaboration for implementation” of a guide focused on a definition that all those relying on the Oxford and Webster dictionaries do not share. My disinclination to join your enterprise is strengthened by your support for Alpaslan’s theory that all those trusting the Oxford dictionary are dupes of a post-imperial (neo-colonialist?) lexicographical conspiracy.
    Best wishes

    PS Alex, I note from your profile that you are President of the Global Institute for Risk Management Standards. I am further embarrassed. Not only had I not heard, until recently, of ISO 31000, but I had also not heard of your Global Institute. Google yields no information. Can you help? Do you have a website that describes your mission?

    PPS I would encourage readers who have had the stamina to get this far to take up Alex’s challenge to read (at least some of) the comments on his Linkedin site – http://goo.gl/0dCfp.
    Perhaps starting with the group to which I was briefly a contributor – http://www.linkedin.com/groups/How-do-you-define-Risk-1834592.S.93827328?qid=eaf57ecf-5a99-4c1a-a4fe-0da566a07f7a&trk=group_most_popular-0-b-ttl&goback=.gmp_1834592.

  6. David Hancock says:

    Dear John
    Here’s my twopenneth for what it’s worth:
    Let me first declare my position: I am at best ambivalent to ISO 31000 and even more so (if that is possible) to ISO 31004. However I do feel that it is a helpful tool for some people in assisting them to distil and manage a particular element of uncertainty which they believe will prohibit them from achieving their objectives, and in my experience belief goes a long way to managing uncertainty. Therefore, like Felix, I tolerate it. I personally believe it is a working platform from which I can teach a true understanding of the management of risk, which is far more influenced by the behavioural side than the application of any process no matter how global, but they should be applauded for attempting to codify such a difficult and ambiguous subject.
    On the basis of risk being both positive and negative, you also allude to the two sides of risk in your risk thermostat based on reaction to rewards (upside) and accidents (downside), and you state “there is no effective top-loop counterweight”. I believe this is their attempt to achieve that. In some circles it is sometimes called opportunity rather than risk. One of the problems with having such a diverse committee from many member states is that it is difficult to get a consensus for how one conveys that concept, and “Risk” is defined as “the effect of uncertainty on objectives – positive and/or negative” does appear to do it for many practitioners, so it is perhaps a step in the right direction. The other area that makes it simpler for them is that they only perceive one type of risk and not 3, by combining (your lexicon) ‘perceived directly’ and ‘perceived by science’ and ignoring virtual risk, not necessarily a correct approach, but it would take a long time to discuss here and even longer I’m sure to do with an international ISO committee or with 7,000 so-called experts in risk management.
    To answer your question, I do not believe that the Global Institute for Risk Management Standards has any bona fide connection with the ISO committee, and it is a company registered in France which attempts to take its credibility from the fact that it consists of a LinkedIn group with 7,000 members! (Alex, if I am mistaken then please respond). As for ISO 31000 being a global standard, I take it with the same pinch of salt that goes with the World Baseball Series.
    PS you can find me on Linkedin or even happier to discuss over coffee somewhere in London.
    All the best

  7. Alex Dali says:

    Sorry to say that I have no time to start an argument with each of you.

    My only point is: most people consider that risk management is too much compliance/reporting oriented instead of helping for better decision-making and improving the performance of organisations. I am working on trying to change this, not to discuss ISO vocabulary (this definition needs to be reviewed in 2014 and it will be, as with any ISO document). In the meantime, there are more urgent things to do.

    Regarding G31000, my LinkedIn profile says: the newly-created G31000 – Global Institute for Risk Management Standards, a Nonprofit Organization, aims to raise awareness about the ISO 31000 Risk Management and associated ISO standards. We are launching a few initiatives on ISO 31000. One of them will be the First international conference on ISO 31000 scheduled in Paris, on 21-22 May 2012. Maybe we will meet there. The official launch of G31000 activities is scheduled at the May conference in Paris.
    Any other information is purely speculative.

    See you in Paris, maybe.
    Best regards

    PS: John: yes, you are right to feel embarrassed for not having heard of the development of ISO 31000 since 2004/2005 (instead of “breaking silos”, maybe your network of contacts should open the doors of the Tower of Babel). But no, you should not feel embarrassed for not having heard of G31000 since it was created in December 2011 and there is no public information about it.

  8. Harry Daly says:

    David Hancock says “they should be applauded for attempting to codify such a difficult and ambiguous subject.”
    Applauded for trying to codify ambiguity?
    “Codified ambiguity” is a succinct summary of ISO’s achievement. Oxford and Webster are quite clear about the meaning of “risk”. ISO has rendered it ambiguous. Now when I buy a lottery ticket I have to worry about the risk of winning.

  9. Mike Chalkley says:

    Perhaps if they used the word ‘chance’ instead it would read better? 😉

  10. johnadams says:

    Dear Alex
    You say that the ISO vocabulary needs to be reviewed in 2014. Meanwhile you are not interested in discussing it.
    You argue in your Linkedin on-line discussion group: “When it comes to risk management, there’s no room for a ‘failure to communicate’. Success in ISO 31000 risk management is about winning the communication battles.”
    You also say, in the group rules for participants: “Using a common language of risk terminology is important. Please use in your discussions terms and definitions referred in ISO31000 and ISO Guide 73.”
    As I have already noted, you have maintained that “it is impossible to start a discussion on risk management topics with someone if we disagree on terms and definitions.” I am unclear about how you expect to communicate with people outside your group who use a different dictionary, especially those who have not invested in the expensive ISO Vocabulary.
    I note from your online profile that until last December you were the Managing Director of ATLASCOPE, a company that offers advice on “la prévention des risques industriels”. What dictionary was Atlascope using when discussing the prevention of risks with its customers?

    Best wishes

  11. Harry Daly says:

    I like Mike Chalkley’s suggestion that Alex Dali doesn’t understand the difference between the English words ‘chance’ and ‘risk’. Much better that–for him–than that he takes for sense, the nonsense talked by the egg in Lewis Carroll’s world through the looking-glass. Can he, perhaps, like the White Queen in the same world, remember forwards as well as backwards? If he can, I’m afraid no lifeline Mike Chalkley throws him will ever be long enough.

  12. Harry Daly says:

    It’s not very good form, of course, to follow up a comment of one’s own with another comment of one’s own but, even so, I do have a question that I think Kevin Knight ought to answer. If ISO 31000 is “applicable to all organizations, regardless of type, size, activities and location and should apply to all types of risk”, it must apply to ISO 31000 itself and to the risk of being misunderstood or, even, of talking and writing nonsense. So my question for Mr Knight–or anyone else–is: if one uses words in a sense so private that no other user and no dictionary recognises it, does one risk being not just misunderstood but talking outright nonsense? And, if one does, does it follow that ISO 31000 should refuse to warrant itself?

  13. John says:

    I think it’s important to be clear that of the 7000+ members of the group, most are there only to keep an ear on developments (or look for potential employers or potential employees), and are not necessarily supportive of ISO31000 or active participants in the discussion.

    I for one am a member, but detest the wordings of the standard.

  14. johnadams says:

    Alex (if you are still with us) you said in your first comment (25 Feb) that your Linkedin group is “the official discussion group on the content of the ISO 31000 Risk Management Standard”. I assumed that you were speaking with the approval or authorization of ISO (“official – having the approval or authorization of an authority or public body” – Oxford again).

    David Hancock, with whom you do not have time to argue, suggests (29 Feb) that your Global Institute does not have “any bona fide connection with the ISO committee” and “attempts to take its credibility from the fact that it consists of a Linkedin group with 7,000 members!” Your Linkedin site certainly looks official. It features the official ISO logo, and when I click on it, it takes me, not to the official ISO website, but to another part of your Linkedin site. Does this mean that you speak with the approval and authorization of the ISO?

    Now John (comment 6 March) sheds a new light on your membership. Members, it would appear, are not necessarily supporters. Indeed I would appear to be amongst the 7000+. Do you have any idea what percentage of your “membership” would describe themselves as supporters of ISO 31000?


    I have a number of comments to make, John, and will try to be as brief as possible; hopefully this dialog can be continued.

    I do oftentimes, John, get to the end of reading risk management guidance without a clue as to what the guide expects me to do, to your point. However, I would say that ISO 31000 leaves me with much clearer expectations, which much of the current gibberish in the marketplace, such as COSO ERM or the recently released draft of COSO internal control and numerous other documents, does not.

    Let me articulate my thoughts to justify this position while trying to address your various points.

    Kevin Knight has made accurate statements about ISO providing principles and practical guidance that can be applied everywhere. Yes this is an accurate statement he is making.

    John- you state that you have read ISO 31000 and still do not know what is expected of you. So I ask:

    ISO was developed over a three year period by hundreds of practitioners from around the globe. You have been practicing risk management and teaching it for many, many years. Naturally you must have seen drafts of this document and provided input to it, or not?

    Second- did the thought ever dawn on you that this guide is only a standard for principles, process and framework and that an implementation guide would follow, which it will be?

    Third- such document was not developed in a vacuum. It was built off the principles of AS/NZS 4360:2004 and ancillary documents such as HB 436. Was it not? And isn’t it true that the first of such documents appeared in the marketplace in 1995? So are you suggesting that this is the first time you have ever seen a document such as ISO 31000?

    Fourth- ISO 31000 is not for folks that have no background in this field. It is expected that a plethora of other risk management guidance be used as well. For example, John Shortreed wrote an interpretation of ISO 31000 which was published in John Fraser’s book. I walk away with additional implementation strategies when I read such a chapter and in fact have a clear understanding of what to do.

    When you for example discuss stakeholders- you need to understand who these are, both internal and external- think BP and the confused state of the Board, what their needs and expectations are, and have a two-way communications process. The implementation guide will lay this out in greater detail. This was not the intent of the standard.

    The principles are clear and as well are discussed in the chapter by John Shortreed. The implementation guide will spell things out further which is much more than I can say about the 300 page COSO ERM guide.

    You also make reference to the definition of risk and express concerns about including the upside. I am having difficulty in comprehending your train of thought here. Please elaborate.

    Several additional comments, but in totality I would say quite strongly that I disagree with your position and am willing gladly to debate this further.

  16. johnadams says:

    How could I possibly be ignorant of ISO 31000 and its precursor documents? As I have already explained they are extremely expensive and cannot be found in libraries. The BSI online shop will sell me a copy of ISO 31000 for £140.00. You speak of AS/NZS 4360:2004 appearing “in the marketplace”. Exactly. I have just found it on Google and it is still for sale at £162.43.

    We appear to live in parallel universes. As I said in my blog “No academics I know are likely to pay such sums for the privilege of reading them. For a start they would not be interested in writing about something almost none of their colleagues had heard of – I have only been able to join this discussion because an anonymous friend sent me bootleg copies.”

    You ask me to elaborate. If you find the 2000 words in my Humpty Dumpty blog, plus further comments, insufficient elaboration, perhaps you could have a look at my book “Risk” (available on Amazon) or try Googling “risk thermostat” + “Adams”.

  17. John Shortreed says:

    Wow, my hope was that eventually with the publication of ISO 31000 we could move on to a more “shared” vision of risk and risk management. I started in risk in 1980 on dangerous goods, then moved on to health issues, blood systems, transport of all sorts, workplace health and safety, etc., often with nice discussions with John Adams and his books. I also was involved in the Canadian standard for risk analysis, and later the risk management standards in 1997 and 2010. Also served on the working groups for Guide 73 (2002 and 2009) and ISO 31000. Continue with work last year on Internal Audit and ISO 31000.
    In the 31000 working group we spent 5 days over about 6 meetings with extensive consultation between them; the resulting definition is as good as it gets. Since 31000 was to be an umbrella standard it was expected that those who needed more detailed definitions (even those who wanted to stick to negative consequences only) could do it within the existing envelope. I note that when I looked it up about 6 years ago one of the Oxford/Webster dictionaries had risk as a Hazard and the other as risk (both Guide 73 definitions, which I agree that if we do not use them we can not communicate).
    Where the general English dictionary definition was acceptable to the working group we did not define special meanings. So ‘significant’, ‘appropriate’ etc. just mean what we mean in everyday language.
    In everyday discourse it usually takes several hours or even several meetings to be sure all involved know what the other means. In fact, the widespread use of risk matrices to frame and agree on organization’s strategic objectives and plans depends very much on this meeting of minds.
    In risk and risk management circles, I am rather dismayed but not surprised that it is difficult to get a meeting of minds on what the concepts are behind the words. This was true in the 31000 working group and the Canadian 2010 standard group as well. I expect it is also true in the 31004 group. It certainly is very evident in the LinkedIn discussions where the use of Guide 73 terminology is the exception.
    I think 31000 is a central middle ground, very general statement of current good practice. (You may know that the Canadian crossed the road to get to the middle.)
    Just for example, on the positive versus negative – if it is good to reduce the effects of uncertainty on negative objectives, why would it not be advantageous to enhance the positive objectives, using the same tools of risk assessment and methods of risk treatment? The risk management loaf was only 1/2 baked previously; it needed to be turned over halfway through baking.
    The question arises, what is the alternative to 31000? We see the outcomes of other approaches and they are not pretty, with the 2008 world wide liquidity crisis front and center, followed by the current problems in Europe.
    If one looks at progress since the start (perhaps) of risk controls when it was decided, right or wrong, the captain must go down with the ship or they would be killed. Then we had accountants who had to certify books of companies, then we had groups who evaluated the creditworthiness of organizations, then we had quality control of processes with the Deming touch that made products work the way they were supposed to – compare existing cars with those of my youth (drove first in 1947 when a 200 km journey involved changing 1.3 tires and 1.5 stops to clean the carberator (ps that year I failed spelling)).
    31000’s intent is to improve the quality of decision making (since everyone is advised to use the risk management process as one input into the decision considerations), in the same way that ISO 9000 improved processes, and ISO14000 improved environmental protection. Are the three flawed – of course they are – can they be improved – of course they can – is there a credible alternative approach – so far none (keeping in mind that the ISO standards are generalized to the point where they can pass the vote – not that easy; the first time Guide 73 was within one vote of failing to pass).
    I am dismayed with attempts to bad mouth 31000 with no alternative proposed rather than continuing willy nilly with existing methods – most of which, if faced with a team of 3 competent (regular dictionary meaning) auditors who used 31000 as an audit framework, would easily be shown to be deficient and could, by the addition of some of the missing bits, be made quite a bit better. This I have seen several times as a member of one panel or another. Similarly on the other hand, areas such as avoiding infection in hospital labs and ensuring correct diagnosis, the use of methods developed over many decades with constant review and improvements, when compared to 31000 fare rather well. Similarly when you find organizations “under control” often investigation turns up that the risk management they practise (including the selection of new initiatives to maximize objectives of the organization) also compares well to 31000.
    Is 31000 a little hard to get your mind around – yes it is, mainly because it is so general. However, I have found that the understanding is correlated with those who know how to do effective risk management (generally they assess the risk, consider controls to treat the risk and implement and monitor the controls and the risk – think McDonalds, for those who as local politicians have served in their kitchens, where the learning time is under a minute as to how to cook a burger, and the monitoring and control of quality (given their level) is 99.99%). These organizations’ risk management is pure 31000.
    So I would encourage people to stop bashing 31000 and either propose an alternative that a majority of the countries who get involved can accept after study by their home committees, or start working, using Guide 73 terminology, to make things work better and have better expressions of the concepts and implementation.
    Pleased to respond to issues I did not address. All views are mine and not those of either ISO or the Canadian Standards Association (goes without saying but better say it anyway, given that when I made comments to a ministry in S. Korea I was uncharacteristically advised I had the wrong face. The advice given was about trends in Internal Audit and Risk Management that are rather far along in Canada and taken here as the right thing to do).

  18. Andy Reynolds says:

    Just to add a light-hearted note: the reason why the risk manager community wants the definition to include upside is because spending your whole career providing only the missing pessimism reflex to starstruck execs is demoralising. Risk management methods can be adapted to embrace opportunities, and doing so enables one to break through the glass ceiling above which everything will always work out better than expected.

  19. johnadams says:

    You hoped that ISO 31000 would lead to “a more ‘shared’ vision of risk and risk management.” As I have already pointed out ISO does not do “sharing” – except amongst those behind its dauntingly high paywall. Although ISO 31000 insists that “this International Standard can be used by any public, private or community enterprise, association, group or Individual [all 7 billion of us?]” it is accessible only to that minute percentage of the world’s population willing to pay £140.00 for the privilege.

    I recently accepted an invitation to speak at the annual conference of the Society for Risk Assessment in Zurich in June. I inquired of those who invited me whether those participating in the conference would be familiar with ISO 31000. They replied that most would not, and that I would have to first explain what it contained before venturing criticisms. I have yet to meet an academic with an interest in risk who has read ISO 31000.

    Last night, at a college dinner, I sat opposite someone who professed an interest in risk. His business card said he was a professor of “Strategy and International Business”. He had not heard of ISO 31000. The astonishment of Alex and Arnold (see comments above) that I had not heard of ISO 31000 reveals a failure to appreciate what a tiny constituency the global standard of ISO is appealing to.

    Spain is likely to be a special challenge. It has law against risks in the workplace – Ley de Prevención de Riesgos. I have accepted an invitation to speak at the “10º Congreso Internacional de Prevención de Riesgos Laborales” in Bilbao in May. The very title of the conference denotes a definition of risk incompatible with that of the ISO.

    You say that “ ‘significant’ ‘appropriate’ etc. just mean what we mean in everyday language.” This is the point I was trying to make. Who is “we”? In debates ranging from road safety, to GM crops, to global warming and financial regulation participants fail to agree on what facts are significant and what actions are appropriate. The words are Rorschach inkblots.

    You ask the 31000 bashers – me – to propose an alternative. Here I take refuge in Cultural Theory. I place ISO 31000 in the Hierarchist quadrant of Mary Douglas’s Grid-Group scheme – risk is (should be) reducible to something manageable. Within this quadrant (and within the paywall?) words such as “significant” and “appropriate” have common meaning. Outside this quadrant, and paywall, such words have variable meanings. While most outside the paywall might agree with Oxford that risk means “the possibility that something unpleasant or unwelcome will happen” estimates of possibility and the nature of the unpleasantness vary widely – and are likely to continue so.

    The future will continue to be uncertain, and people will continue to argue about what to do about it – “willy nilly”.

    Best wishes
    John A

  20. john Moffat says:

    Excellent and common sense article.
    If Risk Management is to be successful it HAS to be understood by the majority.

  21. Pierre Sonigo says:

    Hello John,

    I really enjoyed your article. I always believed that a global standard in Risk management was useless because impractical.

    Risk management is an integral part of management and management of an entity cannot be standardized.

    The scope of risk management is broad and its application extremely complex. It is taught at many schools and universities. Although the subject is the same, the contents of the subject material are very different. The field of risk management is still in rapid development with new concepts and ideas emerging on a regular basis. This field, therefore, requires on-going monitoring.

    Risk taking is essential to an entity’s survival. “Acceptable risks” can have a wide range of definition and appreciation depending on size, ownership, management styles, type of activities and markets. In the end, risk taking is entrepreneurial. How can you put this in a standard?

    To grow, corporations need to be more nimble and creative in developing new industries and products. Corporate managers need to be less risk-averse. But new rules and regulations are making them more reluctant to take risks. Attitude towards risks in organizations worldwide depends on educational, domain competence and socio-political biases.

    There is no consensus, among practitioners, on scope, processes and tools for risk assessment and risk treatment. Meaningful and practical ways to calculate probability and severity of risk, two essential theoretical elements of risk evaluation, for example, have yet to be developed.

    There are no generally accepted, consistent and comparable performance indicators for risk management, or accepted methods to do meaningful costs benefits analysis.

    A major part of today’s risk manager’s responsibilities is to establish the most appropriate ways to finance internally and externally the potential impact of risks. Can this process, including the use of insurance realistically be standardized and certified?

    Risk management is organized differently in corporations (reporting, scope, size…). Job descriptions of risk Managers or Chief risk Officers vary widely.

    Communication on risk issues is intricate. It is not in the best interest of our corporations for risk communication to be standardized.

    The decision making process in managing risk is fundamental. We do not believe this can be totally encompassed in a standard.

    Finally, risk management is still considered more an Art than a Science. Is Art subject to standards?

  22. johnadams says:

    Your comments on an International Standard, and observations on the nature of risk management more widely, are much appreciated. They are both compelling and intriguing.
    Intriguing because I note from the FERMA website that FERMA has received liaison status to the international group which is in the process of producing a practical guide to the implementation of the ISO 31000 risk management standard. I also note that the FERMA nominee assisting ISO to produce an implementation guide, Vice President Julia Graham, “was closely involved in the preparation of ISO31000, published in November 2009 and now a widely accepted standard.”
    I am intrigued to learn more about the way in which “International Standards” get agreed and promoted and “widely accepted” – and then sold at prices that preclude most of the world knowing anything about them.
    Within FERMA how do differences of view between the Secretary General – “I always believed that a global standard in Risk management was useless because impractical.” – and the FERMA vice president who “was closely involved in the preparation of ISO31000” (and now in its implementation), get resolved? – and then promoted as something that the whole world should salute?

  23. Pierre Sonigo says:

    Just to make things clear: my comments on your article and on the necessity of an ISO standard are personal (FERMA was not mentioned) and certainly not the present official FERMA position on the subject. FERMA has a Board of Directors where all subjects are discussed democratically before an official position is taken and as FERMA Secretary General I will stick to the official point of view. FERMA’s position has in fact evolved over time. FERMA was strongly opposed to ISO 31000 before it was published and I personally participated in ISO meetings to defend the points I made in my earlier mail. Unfortunately we have not been successful in preventing the standard from being published, although we would have preferred an ISO Guideline on the subject. We have been successful however in getting our position against certification taken into account. Now that the Standard exists we have elected to be represented in the Working groups to continue to have our position heard.

  24. Vincent says:

    You might find amusement in a discussion in the PRMIA Linkedin group.
    The person who started the discussion asks:

    “If Risk includes both Upside and Downside why do we have concepts like Risk/ Reward? Any dictionary in whichever language defines Risk as anything but Upside. If we want to redefine risk as both upside and downside surely then we should rewrite the foundation of the word: contained in the dictionary. The effect will be dramatic for one all regulation require re-writing.”

    The group is “PRMIA – Professional Risk Managers’ International Association”

  25. Eric says:

    John – I’d be extremely interested to hear your opinion on COSO ERM, as it’s the other major framework/standard/pick-a-label (very well-entrenched in the US) that purports to cover risk and risk management.

    That said, while I prefer the more dictionary-aligned modified definition of risk from OCEG, “the undesirable effect of uncertainty on objectives”, the rest of the ISO 31000 standard has been a huge benefit in terms of helping to cut through the massively cluttered thinking held by a lot of folks about the concept of risk.

    The development process may leave much to be desired in terms of transparency, but given the current state of affairs, where “risk” is commonly conflated with “compliance” and the statement “risk only matters in relation to objectives” is revolutionary, even a tiny amount of very-general common ground is sorely welcome.

  26. David G Wilson says:

    Picking up only one of the many points from this excellent article and subsequent discussion:

    “Risk management is an integral part of management and management of an entity cannot be standardized”

    Having overcome any language barriers and set aside political in-fighting – a big ask, it would appear – IF conventional RM were (1) up to the job of being (2) an “integral part of management”, that would be better for all concerned. Although I do agree that (3) “management of an entity cannot be standardized”, that is only “true” of conventional tools.

    Add to that, (1) it is not, (2) it is not, and (3) the tools developed to “manage” complicated risks lack the requisite variety to begin to handle the complexity of businesses in the new modernity: we can’t fix today’s problems with yesterday’s tools.

    By viewing the entity as a “living system”, measuring and monitoring both complexity (a source of risk) and resilience (required for survival) to maintain the fitness or health of the system, is something that we (Ontonix) already do with a wide range of systems: biological, IT, business, aerospace, automotive, etc.

    I hear very little discussion, in any forum, about the “high level” criticisms and failures of current practices. Which are the same in anyone’s language:

    Roads to Ruin: http://wp.me/p16h8c-QJ
    RBS & Olympus: http://wp.me/p16h8c-RS
    Towers Watson… : http://wp.me/p16h8c-159
    Structural engineering for business: http://wp.me/p16h8c-V6
    thinking in systems (pres.)…: http://wp.me/p16h8c-DL

    To quote Dave Snowden (Cynefin), “Practice without sound theory does not scale” and I would have thought that THE major concern?

    Even economists are coming round to the view that the classical theories of 50 (even 200) years ago need to be re-examined for the Digital Age. The view of a business as an “independent”, linear entity in a Gaussian world and the tools/techniques used to manage them are now, clearly, inadequate for inter-connected business systems and networks: non-linear and “fat-tailed” (Power Law distribution). All of which presents itself as a major headache for risk modelling and Actuaries rating risk on the basis of the data from a now past era.

    So, surely, we are confronted, not only with the (aleatory) Uncertainty of the unforeseeable, but the (epistemic) uncertainty of the unforeseen…which we are underestimating by assuming it to be and treating it as risk?

    I could not agree more with David Hancock’s call, from a couple of years ago, for a more scientific approach, which I took to mean more objective, quantitative and rigorous…none of which are words that could realistically be applied to such “fluffy” and incomplete guidelines that provoked this excellent article and a discussion better suited to the English classroom or playground!

    More power to you JA!

  27. Alpaslan Menevse says:

    The word “risk” comes from the Arabic word “rizq” (uncertain objectives that are known to (potentially) exist of any type), not as Oxford says. I am afraid no English dictionary has a right to take a root word in a different language and impose it on me with a different meaning.
    Sorry, but you are missing something very important. Australia, which was a colony of England once, has made the difference and I think this bothers you most.
    I don’t understand Alpaslan’s colonial point. Can anyone help?
    I am from an ex-colony called Canada – if that sheds any light on my problem.

  28. Harry Daly says:

    I do think that Kevin Knight–or someone else on that side of the argument–ought to answer the question I asked earlier. Kevin Knight says ISO 31000 is “applicable to all organizations, regardless of type, size, activities and location and should apply to all types of risk.” If so, it must apply to ISO 31000 itself and to the risk of being misunderstood or, even, of talking and writing nonsense. So my question for Mr Knight–or anyone else–is: if one uses words in a sense so private that no other user and no dictionary recognises it, does one risk being not just misunderstood but talking outright nonsense? And, if one does, does it follow that ISO 31000 should refuse to warrant itself?

  29. David Hancock says:

    I find it interesting that Alpaslan should suggest that the word risk draws its roots from the Arabic rizq and I would like to at least put some challenge to that. I am not an expert in the Arabic language, but from various dictionaries:

    From the root r-z-q, which has the following classical Arabic connotations:

    - to receive something beneficial, especially as a gift
    - to be provided with the necessities of life
    - to receive a portion, share or lot
    - to be supplied with a means of subsistence

    The root r-z-q points to the idea of the receiving of anything beneficial, particularly a gift, whereby something is nourished, sustained, or helped to grow physically, mentally or spiritually – not something I would connect with the present usage of risk. In my opinion (narrow, I agree) the construct of risk would be unusual from a Muslim perspective and be in tension with inshallah, ‘If Allah wills it’ or “by the will of Allah”.

    However, during the Middle Ages the term riscium was used in relation to highly specific contexts – mainly sea trade and its ensuing legal problems of loss and damage.
    In the languages of the sixteenth century, the words rischio and riezgo emerged, believed to originate from the Italian risicare ‘to dare’, and in the English language the term ‘risk’ appeared only in the seventeenth century and seems to have been imported from continental Europe. However it was used more in the terms of good or bad fortune rather than risk as used today.

    And as for ISO 31000 being derived from AS/NZS 4360: if it is, it is a poor copy.
    For information AS/NZS 4360:1999 defines risk as “The chance of something happening that will have an impact on objectives. It is measured in terms of consequence and likelihood”.

  30. Felix Kloman says:

    I am apologetic for joining this “discussion” so late and so may further confuse minds rather than enlighten. But here goes.

    First a disclaimer. At John Shortreed’s suggestion I joined his Canadian Working Group for ISO-31000 (even though my only claim to being a Great White Northerner is some 65 years of playing ice hockey!) early in its deliberations and I may have made some modest contributions. I admired and wrote about NZ-AS 4360 when it first appeared and I still believe joint international reflections on what we are trying to do are warranted. But let’s call them working hypotheses, not “standards,” and let’s distribute them free of charge.

    Second, words and their multiple meanings will always confuse us. I’m reminded of the observations of Fritjof Capra (a physicist and student of Eastern mysticism), who wrote in The Tao of Physics (1975): “The words of our language are thus not clearly defined. They have several meanings, many of which pass only vaguely through our mind and remain largely in our subconscious when we hear a word.” He went on to suggest that the “inaccuracy and ambiguity of our language is essential for poets” but that science and mathematics try to replace words with symbols and rigorous connections. So we are inevitably condemned to struggle with words and their multiple meanings. “Risk” is part of that struggle: the “r-z-q” of Islamic fatalism, noted by David Hancock, the Latin “riscium” referring to losses in trade cited by John Adams, and, of course, the Italian “riscare,” to dare, in Peter Bernstein’s landmark book. Even the Chinese have changed meanings: the Chinese symbol for “risk” is (I am advised by a knowledgeable friend) a combination of the two characters for “wind” and “hazard,” but over the centuries, their meaning has morphed into “opportunity or danger.”

    So where does that leave us? Perhaps we should step back and re-start the process. We are all concerned about uncertainty in our futures. We no longer accept the fatalism of superstitious religions and prefer to rely more heavily on scientific approaches. Our goal, simply, is to anticipate possible future conditions and then adapt as best we can. This clearly includes a broad range of possible outcomes, favorable and unfavorable. As the word “risk” is so uniformly regarded, at least in the English-speaking world, as a negative outcome, we need another moniker. I “threw in the towel” on my preferred definition of the word but that does not mean I subscribe to a discipline that focuses entirely on bad results.

    So let’s shift this discussion towards a fresh approach to what we are trying to accomplish, recognizing that we will always be saddled with easily and frequently mis-interpreted words.

  31. Ed Lewis says:

    I would like to make a point or two about the need to manage the risk of ‘risk management’. My perspective is as an Australian academic who has worked on international standards (but not ISO 31000) and who is a lurking member of THAT Linkedin group.
    1. You can be reassured that academics can – and do – get copies of ISO standards for free, if their library subscribes to the online services provided by their national standards bodies (or their commercial arms, such as SAI Global or BSI Shop). I would be surprised if UCL did not have such a subscription.
    2. I agree that these standards cost a lot. On one hand, they are prepared by volunteers, who often pay their own way to the domestic and international meetings that are used to produce the standards. On the other hand (sounding like an economist) I suppose the fees reflect the costs of editing, publishing, marketing, and distributing these publications. Perhaps for an organization facing annualised costs of risk in the millions, paying a hundred pounds or so (plus training fees and the like) is a small investment. Impecunious academics and consultants can make use of point 1.
    2. So, there are academics who know about ISO 31000. There are about 400+ entries on Scholar Google citing studies referring to the standard. As well, the Australian committee that produced AS/ NZ ISO 31000:2009 contains representatives from two Universities, with others shown as ‘additional interests’. We do make use of the standard in our courses about Risk Management.
    3. International standards have a difficulty in defining terms so that they are generally understood in different countries. For example, ‘management’ does not translate well as a concept in Korean. The question is not how ‘risk’ is defined in English but how it translates into French (the other language used for Guide 73) and other languages. I can only presume that was one of the reasons why 31000 defines risk in the odd way that it does.
    4. Yes, I agree that the definition is awkward, to say the least but not because of the positive/ negative note about ‘effect’. I am uncertain that ‘uncertainty’ can, of itself, have an effect. I prefer the AS/ NZS 4360 definition or my own, but now is not the time to sell that … I will try to work through OB 007 or OB 05 to change the definition in the next version of the standard, which leads me to the next point …
    5. Although I do not know the membership of the BSI RM1 committee, I would hope that IRM is represented and so, perhaps, you could raise your points officially through them as part of the review that is built into the standards process. As the standard says, it is a “living document”. But I would anticipate fighting the fight about such a fundamental part of the standard as its definitions would be bloody.
    6. My concerns, and those of others such as Popova-Clark (www.dataanalytics.com), are more about the general practice of risk management represented in the Standard, such as the description of likelihood vs expectancy or the limited consideration of risk treatments, rather than the over-emphasis upon risk analysis – made manifest in AS HB 89:2012 or ISO 31010. As Popova-Clark (almost a neighbour of Kevin Knight, so no nationalistic bias there) says, “ISO 31000 is better but not there yet”.
    7. In my experience, most of the blokes working on such standards are willing to listen, so let’s talk to them.

  32. Magezi Rubaale says:

    Dear Alex,

    I have read your article and find that it focuses more on a theoretical approach to the definition of risk. Why do I say theoretical? I find that you rely only on the definition as stated in the dictionary. You maintain that a risk is only negative as per the definition.

    As a practitioner in Tax Administration and an agriculturalist, I would like to share with you my practical experience so that you understand the concept of risk from a practical perspective as a positive hyena.

    Positive risk: As a tax administrator I am given a target at the beginning of the financial year. When I exceed the target (POSITIVE RISK), the Ministry of Finance is forced to give a much higher target the following year in anticipation that the same will be achieved; wow, the factors which led to the over-achievement of the target are negated. This same theory is well explained by the cobweb theorem.

    Negative risk: I fail to get the target.

    Along this line of argument I would like to express my support for the ISO 31000:2009 standard as the bedrock of risk management, having identified the weak areas in the COSO and AS/NZS standards. However, the two are not wholly weak; they started the journey which has been improved by ISO 31000.

    Alex, thanks for opening Pandora’s box on the interpretation of what risk is from the theoretical perspective.

  33. Dave Ingram says:

    I keep running into this argument about the definition of risk. I have a different spin on the issue here. First, I keep hearing that risk management needs to pay attention to favorable outcomes as well as negative. That is, I believe, the main reason that the definition of risk was modified for ISO 31000 and by others who make up definitions for perfectly good English words. I do not see anyone disputing that point. Second, there is a fairly strong history of that definition in financial risk management. Quite a bit of financial economics uses a two-sided definition of risk. Most everyone admits that it was used there to make the horribly complicated math just a little easier. Third, while the dictionary definition, Oxford or other, of risk allows for it to be all about a possibility of future adverse consequences, there is not a similar word for the possibility of future favorable consequences. Finally, I have never observed any of the adherents of the two-sided risk definition actually use the word in that sense for very many sentences. They usually have to immediately shift to separate terms for “upside” and “downside” risk. Which must be evidence of something, possibly that the idea itself of a two-sided definition does not actually work, if you are going to use standard dictionary definitions for the rest of the words in your sentences.

  34. Michael Percy says:

    I’m probably a bit late into this conversation as I only recently discovered it. This was coincidentally about the same time that I discovered ISO 31000 (about 2 days ago).

    I operate predominantly within the industrial safety sector, initially within the UK and now within Australia (references to AS4360 noted) and most often within the field of industrial safety risk assessments. I have developed various safety standards for clients and use standards in a day to day context as an engineer. I have therefore been very interested to read the dialogue here.

    I think John has some interesting points; his observations on the skewing of the definition of the word ‘risk’ are spot on. Why take a commonly understood word / concept and try to convince people that it now means something different in the context of risk management? The argument that the Oxford definition should not be used is ludicrous. The fundamental concept of standards is to ‘standardise’ information, concepts and requirements so that there is NO ambiguity. The primary purpose of a standard is so that anyone can take it and understand the intent contained therein. Choosing to take the fundamental underlying concept of ‘risk’ and then change its meaning serves only to create ambiguity. Not a very good start in my opinion.

    Whilst the semantics of the word ‘Risk’ appear to alter the base dynamics of the overall risk management concept outlined within ISO 31000 (depending on how you interpret it) and serve only to confuse the intent (if ever the intent could be clear), I would argue that for an English language standard, standard English should be used. The point of the standard is to purvey the intent in a concise and easily understandable manner, and misusing the English language will not achieve that.

    It might be a little fun for the academics to argue semantics and indulge themselves with word root analysis, but this is the same behaviour that has likely ended up with such a skewed meaning for the word ‘risk’ being included in the first place.

    Ironically, I took a quick look at the aforementioned LinkedIn group and was amused at some of the so-called ‘definitions’ of ‘Risk Management’. I am not particularly sure that either the word ‘definition’ or the phrase ‘Risk Management’ was particularly understood at all. Most of what I read there seemed to be little more than regurgitated mantras. If these are the same group that were involved in the development of the standard then it is plain to see how such a bastardised interpretation of the concept ‘risk’ arose.

    Semantics aside, I think that most seem to be missing that the most important thing with any standard is intent, not the meaning of a single word. The shift in risk management from using negative indicators to positive or predictive indicators is well known, especially within safety circles. The dualistic concept of positive and negative consequence is now used in place of the negative idiom of ‘risk’. This is partly to remove the negative interpretation of risk and the traditional failing or lagging indicators, and partly to allow the concept of forward-thinking predictive risk management to develop.

    If the term ‘risk’ is not the most appropriate to be used for ISO 31000 due to its unfortunate negative meaning, then find a more appropriate term; don’t try and bend the definition of ‘risk’ to suit. It’s just asking for trouble. This is not some convoluted third-party framework we are talking about here, this is an international standard. I’m sure that somewhere there is a standard that defines how standards should be written, and I’m sure that it would be very clear on its use of language. I am equally sure that it would not advise simply making words up.

    John, whilst you argue that ISO 31000 does not tell you what “appropriate” means, appropriate is in fact a relative term. It is the same as likelihood and consequence. There are no literal definitive meanings. Meaning will be different for different sectors and applications.

    What you are asking for here is the holy grail of risk management: the magic answer that tells everyone what it is that they are supposed to do. Well, unfortunately, whilst such a talisman may exist within the hallways of academia, in the real world it is figuratively and literally impossible to define.

    However, that is not the most surprising thing. The most surprising thing is that in fact it SHOULD NOT be defined. For a start, how CAN you define it? What metrics do you use to measure it? Such an exercise reminds me of Robert M. Pirsig’s Phaedrus and his attempt to define quality. It simply is not possible.

    Since the ’70s and ’80s we have been moving away from safety standards that prescribe pre-defined courses of action. If you did what was asked for, and nothing more, you would be deemed ‘compliant’ and that would be all that you needed to do. However, the reality that safety was little more than an inconvenience did little to actually improve accident rates. The change to ‘performance’-based self-regulated standards, where if called upon you have to demonstrate that you are doing as much as reasonably practicable to address the reasonably foreseeable, is now the norm.

    The concept of ‘appropriate’ within today’s risk management frameworks is therefore widely understood and accepted by safety professionals. Defining it would merely serve to reduce its effectiveness. We have just spent the best part of 30 years or more moving away from such archaic definitions; let’s not start now.

    The problem, therefore, with ISO 31000 is that it does not correctly define its core concepts, or the intent of how it recommends risk is managed with regard to items such as adequacy (of controls). Such concepts have been widely adopted within the safety sector for decades, have been employed in the military and naval sectors since WW2 and at NASA since the ’50s. The problem therefore is that it simply needs to be explained in a context that is appropriate to its application in all sectors to which ISO 31000 applies.

    ISO 31000 should be equally applicable to fiscal management as to bio-engineering or industrial safety; it should outline the fundamental concept and how to apply it. It should tell you how best to determine the metrics that are suitable for your application, how to measure consequence and determine probability. If it cannot deliver this then it should be shelved in favour of more targeted risk management standards such as ‘Safety risk management’, ‘Bio-lab risk management’, etc.

    In my experience these are the main issues with risk management: no one can agree on how to measure such items; they are the bane of nearly every risk management system out there. Everybody wants the holy grail definition of what “appropriate” or “acceptable” should be, but it simply does not exist (and should not).

    Clarification or at least better guidelines on how to define such metrics that are appropriate to each and every application or industry sector would therefore be of greatest value to risk management. As with all academia, it is not the answer that is important, but understanding the tools to help you determine it.

    Potentially ISO 31000 is too broad so as to encompass every industry sector and every situation with suitable detail. Its value is therefore diminished by the lack of detail therein. This was the same issue with AS 4360: too broad to be of any real use. Unless the core concept is clearly defined, it is of very little value other than as a very basic outline.

    Michael Percy.

  35. Alpaslan Menevse says:

    Since I had not noticed this post before and some of the comments reference my prior assertions in my topic “Origin of Risk”, I wanted to share the facts and beliefs I have used for my assertions in the referenced topic. My intention is not to discuss further but to place a mark for future risk managers, to encourage them to read more about history from different sources in order to have a wider perspective instead of sticking with dogmas, which are the highest-level risk overall in the world.

    1) Dictionaries are not for defining words; they are for describing some of the common usages.
    2) There is no dictionary in the world that has the right to impose a meaning for a word.
    3) I believe only professionals of the related profession can and should suggest and mandate a terminology for their own profession.
    4) Standards can mandate the use of terminology because they are made by voluntary and independent professionals.
    5) “Rizq” is a word that is used to describe potential outcomes and objectives in the future that are currently hidden from the receiver. The rizq can be either beneficial or detrimental based on its sources of origin and the methods of procuring it.
    6) “Risky” is a word first used by Dutch and Portuguese sailors on their maps to designate “unknown/undiscovered areas”, not “dangerous areas”, to mark the potential benefit together with the danger they may encompass. It is quite possible that the sailors took the word from the Arabs of Andalusia, who supplied the knowledge for the Renaissance in Europe. So it is not an original English word.
    7) So it would make sense to say that risk is a word that is derived from the Arabic “Rizq”, but in SECULAR form.
    8) There is no word other than “rizq” that is so closely aligned with the ISO 31000 meaning.

    Even though I was within the G31000 group at the time of the post, I am not part of it any more, so any comment sent to me directly at alpaslanmenevse@gmail.com would be much appreciated.

  36. Marcus Jones says:

    The way you’re referring to the ISO and its document waffle is oh so familiar. You get the same waffle and gobbledygook from the IMO in its publications, a lot of which is meaningless.

  37. Dr Albert Owusu says:

    Please read my paper entitled “Quantitative risk assessment: a Pragmatic Approach”.

    You may find it helpful. Send further comments to me directly, please.

    Reference Citc8-2015.

    Looked on Google. Could not find. Sorry. JA

  1. We need to talk about COSO (6/7): Assumptions about culture « The risk debate says:

    […] a strong culture,” again without definition or explanation.  As leading risk thinker John Adam observes, the term is like a Rorschach inkblot: any reader is free to project his or her understanding on […]

  2. I love Paris in the springtime, but not this week « The risk debate says:

    […] associated with the contorted and rule-bound use of language in the Standard still loom large.  John Adams has addressed these issues […]

  3. ISO 31000: Dr Rorschach meets Humpty Dumpty…splat!!! | Get "fit for randomness" [with Ontonix UK] says:

    […] via ISO 31000: Dr Rorschach meets Humpty Dumpty | John Adams. […]