Why I worry First about Uncertainty and then about Risk
One of the reasons I prefer the ISO 31000:2009 global risk management standard to COSO’s Enterprise Risk Management – Integrated Framework is the difference in the way they each treat the concept of uncertainty.
The ISO standard’s Introduction starts with this:
“Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on an organization’s objectives is ‘risk’”.
COSO’s ERM Framework’s Executive Summary similarly and appropriately starts with a discussion of uncertainty:
“The underlying premise of enterprise risk management is that every entity exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept [italics added for emphasis: ndm] as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.”
So both discuss uncertainty, but I struggle with the idea that you accept different levels of uncertainty (per COSO) rather than decide whether the potential effect is acceptable (i.e., the ISO approach).
This is especially true when you consider that uncertainty may have a range of possible effects, some of which may even enhance your ability to perform.
As an organization looks to its future, it establishes a vision, goals, and objectives together with strategies and plans for achieving them. But the path to achieving those objectives is always uncertain. Factors that may be external or internal to the organization create sources of uncertainty. Successful organizations consider and respond to these sources.
For example, an organization may have uncertainty about:
- The future demand for its products and services, especially if it plans to introduce new products
- The actions of its competitors
- Whether its suppliers will be able to provide the materials required to meet customer demand, with the required quality, when they are needed, and at affordable prices
- The activities of regulators and other agencies
- Whether it will be able to retain key employees
- Whether its employees will comply with the law or follow procedures.
Risks are not events. But we characterize risk by using descriptions of what might happen and what it could lead to in terms of the effect on our objectives.
A single area of uncertainty, such as the level of customer demand following the introduction of a new product, may have several possible outcomes. Those outcomes will have different effects on the ability of the organization to achieve or surpass its objectives. Some outcomes will have a beneficial effect, enabling the organization to perform at or higher than plan. Others will have a detrimental effect, calling into question the achievement of the plan.
We can compare and evaluate risks by considering the range of potential outcomes, whether they are beneficial or detrimental, and the likelihood of the effects.
Assumptions and presumptions (for example, with respect to how people or systems will behave or how events might occur) are a common source of uncertainty. It is necessary, therefore, to be aware of assumptions inherent in plans and forecasts, and to address the underlying uncertainty. For example, a forecast or plan may assume that the new product will generate demand in line with prior predictions. But that is not certain, and if the new product launch is to be successful, actions may need to be taken to improve the likelihood of success. I believe the process in the ISO standard is the one to follow to identify the actions required.
For an organization to be successful, it must:
- Understand the sources of uncertainties in its path to achieving its vision and objectives
- Assess the significance of the potential effect(s) by considering what could happen, what it could lead to, and the likelihood(s) of those outcomes
- Evaluate if the level of risk is acceptable and, if not, what steps should be taken to modify the risk
- Act to modify the risk – by creating or changing controls
- Continuously monitor and periodically review the sources of uncertainty and the related controls to ensure that the level of risk remains acceptable
One of the strengths of the ISO 31000:2009 standard is this focus on uncertainty and the effect that it has on an organization’s objectives. It enables an organization to recognize and respond to uncertainty so that it optimizes the likelihood that it will be successful.
So why do I say that I prefer to focus on uncertainty first? Because it is easier to talk to management about the uncertainty they face as they direct and manage the organization towards achievement of objectives. Once we know those sources of uncertainty, we can assess their potential effects and the likelihood of those effects – and act to optimize the likelihood of achieving or surpassing objectives.
If we only ask about what management fears, I fear that our identification of uncertainty and its effects (i.e., risks) will be incomplete.