Risk Management Terminology

According to ISO 31000:2018, risk management is the set of coordinated activities that direct and control an organization with regard to risk. The purpose of risk management is to create and protect value. It improves performance, encourages innovation, and supports the achievement of objectives.

Organizations of all types and sizes must deal with external and internal factors that make it uncertain whether they will achieve their objectives. Managing risk is an iterative process and helps organizations to set strategy, achieve objectives, and make informed decisions.

Managing risk is therefore an integral part of governance and leadership. It is fundamental to how the organization is managed and should be included in all activities.

ISO 31000:2018, “Risk Management – Guidelines” describes the principles, framework, and process for managing risk. These components might exist in full or in part within an organization. However, they may need to be adapted or improved so that managing risk is efficient, effective, and consistent.

Risk is defined as the effect of uncertainty on objectives. An effect is a deviation from the expected. The effect can be positive, negative, or both. It can address, create, or result in opportunities and threats.

Risk is usually expressed in terms of risk sources, potential events, their consequences, and their likelihood.

  • A risk source is an element which, alone or in combination, has the potential to give rise to risk. Organizational factors can be a source of risk.
  • An event is an occurrence or change of a particular set of circumstances. An event can be something expected that does not happen, or something not expected that does happen. An event can itself be a risk source.
  • A consequence is an outcome of an event affecting objectives. A consequence can be certain or uncertain and can have positive or negative, direct or indirect, effects on objectives. Consequences can escalate through cascading and cumulative effects.
  • Likelihood is the chance of something happening, however it is measured or described; for example, as a probability, or as a frequency over a given time period.

ISO 31000:2018
See ISO 31000:2018, “Risk Management – Guidelines”, for more details on establishing a risk management program. The standard can be ordered from the ISO website for about $90.