According to the International Risk Management Principles and Guidelines standard (AS/NZS) ISO 31000:2009 (“ISO 31000”), risk is defined as “effect of uncertainty on objectives”. This definition has two important implications:
• Risk is a neutral term (neither positive nor negative). It simply describes the potential for deviation from an expected outcome. Risks can therefore be subdivided into Threats & Opportunities to indicate whether their influence on an objective is positive or negative.
• As risk is effect of uncertainty on objectives, risks cannot be expressed without first defining the objectives to be achieved. An objective can be financial, schedule, or health and safety related to name a few. Therefore, the first aspect of the Risk Management Process is “Establishing the Context” of the environment in which the risks are to apply.
A risk definition should identify both cause and effect, and at a minimum should be rated for probability and assessed against all applicable impacts. As described in the section on Risk Attributes, it is essential that risks are expressed to avoid ambiguity and misinterpretation.
ISO 31000 defines Risk Management as “Coordinated activities to direct and control an organisation with regard to risk”. The PMI Practice Standard for Project Risk Management (PRM) and the UK Association for Project Management (APM) both define the Project form of risk management as conducting the processes (see Section 2.2) and the PMI Practice Standard goes on to explain the purpose of PRM as being to increase the outcomes of positive risks and decrease those of negative risks.
ISO 31000 incorporates eleven Principles which it asserts are required to achieve effective Risk Management. All are important, but it is worth stating the first three to indicate the importance of Risk Management:
a) Risk Management creates and protects value
b) Risk Management is an integral part of all organisational processes
c) Risk Management is part of decision making
ISO 31000 defines a framework for Risk Management to ensure that Principle b) above will be achieved by enabling Organisations to include the Risk Management framework in the organisation’s overall management framework. In the case of a Project, the Risk Management framework can be incorporated in the Project Execution Plan and supporting Procedures.
The elements of the Risk Management Framework are elaborated in ISO 31000 under the following five headings:
1. Mandate and Commitment
2. Design of framework for managing risk
3. Implementing risk management
4. Monitoring and review of the framework
5. Continual improvement of the framework
