
Because RISK is the "effect of uncertainty on objectives" (according to ISO 31000), how should risks be described? Please give some examples of risk descriptions satisfying that definition.
http://lnkd.in/jPWpAk - Effect


Martin Davies
This is a very good question and there are so many pieces of information I would tag against a risk
description. Here is the top 10 but I can think of many more pieces of knowledge I would include in
the description of a risk:
[1] I would give the risk a name for reference sake.
[2] A list of impacts that might occur as a consequence of the "Risk Event" or the actualization of the
risk occurring.
[3] A timeline on how long the exposure lives, some risks are short lived, some risks have a long life.
[4] A list of causal factors which might combine to drive the risk event or outcome.
[5] A list of controls which might be used to prevent the causal factors intertwining, these are
preemptive controls and a list of restitution controls or post event controls.
[6] A list of control owners and a list of stakeholders who are potentially impacted by the risk
outcomes.
[7] A set of references to internal or external occurrences of the event happening before (which is
going to require the risk to be assigned to a category). Are we dealing with a new potential hazard or
a pre-existing condition with loss and incident data?
[8] A connection of the risk to an objective(s), ie which objectives are impacted from the occurrence
of the risk and [2] what are the impacts.
[9] A set or list of indicators which show the existence or presence of the causal factors listed in item
[4].
[10] The variability or uncertainty of these indicators and references to the causal factors.
... what else; there are plenty more features that could be included into the risk definition.
January 3, 2013

Francesco De Cicco
"Because risk is 'effect of uncertainty on objectives', the description of risk needs to convey both
elements: in other words, make clear which objectives are being referred to and the source of
uncertainty and how it could lead to consequences.
The process of defining the risk criteria involves considering the principal manifestations
of each of the organization's objectives that are important to the organization. For example for a
retail business, two manifestations of a high level objective to build shareholder value could be
annual rate of return on investment and rate of customer retention. These manifestations
effectively frame the type of consequences that might arise for each objective.
The risk identification process (see ISO 31000:2009, 5.4.2) examines sources of risk and the
mechanism of how those sources could result in consequences and the type of those consequences.
Therefore the risk description should include this information in sufficient detail to be useful in the
next of the risk assessment steps.
This can be illustrated using the retail store example above: Most types of retailing depend on free
access to the goods on sale by potential customers, without prior vetting. Some people are dishonest
but the retailer generally does not know which customers are in this category. The staff within the
store and perhaps the store's CCTV surveillance will detect (or deter) some thieves as might
electronic tags on goods but the store will not know whether all thieves will be detected in this way.
So, there is uncertainty. While a single theft might have little impact, the retailer will need to be very
attentive to cumulative loss while also not making the security arrangement so unfriendly as to
depress sales. Therefore, the risk associated with uncertainty regarding the honesty of shoppers
could be expressed in this way: 'failure to detect and prevent dishonest acts by shoppers resulting in
reduced return on investment of greater than -5%'.
In practice, much shorter risk descriptions are often used (e.g. shoplifting) but this insufficiently
characterizes the effect of the uncertainty and later, when the risk is being analysed and evaluated
and, possibly, additional risk treatments are being considered, there is insufficient information about
the risk to allow sound decision making.
No fixed formula can be provided for risk descriptions but as a general guide, the description
should: make clear which objective is at risk; the source of the risk; and the sequence through
which the effects on the objectives could be experienced".
Source: ISO WD2 31004.
Do you agree?
January 4, 2013

Martin Davies
Francesco, I agree with your statement "In practice, much shorter risk descriptions are often used
(e.g. shoplifting) but this insufficiently characterizes the effect of the uncertainty and later"
AND I also agree with your statement "there is insufficient information about the risk to allow sound
decision making."
Which is why I try to encapsulate the 10 points I have listed above in the description of each risk.
Some risk managers simply put this into a table or database for each risk they register and I believe
the use of a database or even an excel spreadsheet table will improve the recognition of exposures.
Such systems with the relevant fields in place also streamline the capture and reporting of complete
risk information.

January 4, 2013

Martin Hopkinson
Francesco,
I consider any risk description to be incomplete unless it includes each of the following three
elements:
* Context (statement of relevant fact(s))
* Source(s) of uncertainty (e.g. event triggers, factors that influence uncertainty in effect)
* Effect(s)
Here is a simple example:
* Context: My son is allergic to nuts - my objective is to prevent the consequences of eating them.
* Source(s) of uncertainty: Potential causes of inadvertent eating of nuts, including use of new food
products, visits to friends and interactions with peers at school.
* Effect: Anaphylactic shock - probable need for urgent hospital treatment.
There are a variety of ways in which this checklist can be deployed into a risk description. For
example, in addition to a risk title, many risk register tools include three fields to capture risk
descriptions. However, you can also use it to draw more complex structures such as influence
diagrams.
You point out rightly that the objective(s) affected by the risk should be in the risk description. In
practice, I ensure that this information is included in either the context or effects statement.
January 4, 2013

Julian du Plessis
Martin, both of you present very good points/elements to consider. I however don't think it should
all be included in one long sentence to describe a risk. It appears it is a matter of how the risk is
presented to get buy-in / acceptance for its existence.
January 4, 2013


Bruce Zaccanti
Also important as key point of consideration is enterprise tolerance for risk - inherent and residual;
the defined risk must then be understood in terms of impact to employees, assets and stakeholders,
then ownership must be assigned for monitoring and effective reporting of deviations from the risk
tolerance based in likelihood and significance to the enterprise
January 4, 2013

Martin Hopkinson
Julian, I agree that a long sentence or paragraph tends to be an unattractive way of describing a risk
and an inefficient format for other people to read. It is partly for that reason that I break the
description into three elements I identified in my earlier post. I also tend to use bullet points,
particularly when identifying sources of uncertainty. To take my earlier nut allergy risk example, I
might describe the primary sources of uncertainty thus:
Inadvertent eating of nuts:
1. contained in food products we have not previously used.
2. found or offered when visiting friends' houses.
3. in food swapped with peers at school.
A useful feature of such a list is that it provides a point by point means of checking whether or not
you have implemented all appropriate action. In other cases (although, perhaps not in this example)
you can also see important relationships between the various sources of uncertainty.
January 4, 2013

Martin Davies
I am also supportive of Julian's comment, a long sentence or paragraph description for each risk
doesn't present well and the pertinent details become lost in the verbosity of the description.
Also different stakeholders of this information are going to need it for different purposes:
// Team managers want to see what risk appetite policy is connected to each risk they own.
// Auditors will want to ascertain which controls are connected to which risks and who is responsible
for those controls.
// Executive managers and planners will want to understand the likelihood / severity of each risk and
whether that has changed over time.
and so on ...
Different people extracting alternate information out of the same risk registry.
I agree with Bruce's statement as well; that each risk will be identified, then assessed, evaluated and
treatment information captured. Just as ISO 31000 outlines in Clause 5 of the ISO 31000 process.
Given Clause 5, risk registration through to risk evaluation; this is a continual and iterative process,
where new information is being received in the risk register perpetually. Concisely each risk
description, the entire risk register document is a "living document" that is continually changing or
being appended to.
January 5, 2013

Julian du Plessis
If I may suggest, since it is a matter of how the risk register is compiled/presented, I would provide
the risk description and all relevant information in a table with following columns:
1. Objective > this needs to be articulated first to make the link to the ISO31000 defn
2. Risk > describe the uncertainty or event to understand the issue. ISO suggests the cause may be
included as part of the description. I prefer to highlight it separately to show the Cause/Effect and
Risk/Consequence relationship
3. Cause > to indicate and understand the source of uncertainty per Martin H
4. Consequence > to indicate and understand why the risk may be an issue/concern
5. Effect > to indicate it is eventual/final impact on the objective
Well the rest of the table may be dedicated to the old faithful PiM information, and for those who
prefers it the IR and RR combined with the Controls/Risk Treatment identification and rating. The final
table design is your prerogative and it should ID the Risk Owner of each risk or shall I say owner of
the objective.
Martin H if you would allow me to illustrate using your example:
Objective: To stay healthy by eating food free of nuts or deemed safe for my allergic condition
Risk: Eating food that may contain traces of nuts that has not been identified
Cause: Preparer of food is unaware of my condition; Nutritional information on Food label is inaccurate; Unfamiliar with food brand
Consequence: May go into an Anaphylactic shock (there may be others?)
Effect: Severe personal injury or even Death?
(I am not very knowledgeable with Anaphylactic shock or nut allergies)
To complete the rest of the table I guess is straightforward?

January 5, 2013

David Hulett, Ph.D. FAACE


I look at risks from the risk source perspective, but the definition literally means the "effect of
uncertainty on objectives". I believe that is describing the effect, not the source of the effect. It may
be the difference between system risk (which could be the result of many individual risks acting
together) and "a risk" which is one of the root causes of that effect.
I have always distinguished in the project management world between (1) "project risk" that is
overall impact of many risks and uncertainties on the final objective, say finishing on time, and (2)
the risks that cause project risk.
I believe that the ISO 31000 definition is identifying the image of a risk or perhaps many risks projected
on the objective. This has to be distinguished from the root causes of that image, the risks and
uncertainties themselves. Interestingly, this discussion thread went directly to (2) above, not to the
definition in ISO 31000.
January 5, 2013

Martin Hopkinson
@ David, I think these are really good points, particularly those on differentiating between overall
risk and contributing risks. Unfortunately I think you might be giving ISO 31000 too much credit
when you say that its definition of risk pertains to overall risk. If you read the notes to the definition
of risk e.g. NOTE 5 related to the meaning of uncertainty and linking it to the likelihood of events, it
seems somewhat ambivalent.
@ Julian, your risk description includes all three of the elements that I previously described as being
essential - but I am not sure what has been added by splitting it into five parts rather than three. I
can see some case for a separate definition of the objective. However, I would choose to combine
the consequence and effect into one.
January 5, 2013

David Hulett, Ph.D. FAACE


Martin,
Yes, ambivalent, after all those months and years of consultation. Maybe the term "event" covers
what I understand as a risk, but if so, why not use the word everyone understands.

I was part of the US TAG and made these suggestions several times, but we got in the ISO 31000
discussion late and nobody was interested in cleaning up the basic definition. I suggest the emperor
needs some clothes.
January 5, 2013

Francesco De Cicco
Julian, in my table I would include:
* Unit/Project/Process/Activity
* Objective
* Risk (effect of uncertainty on objective)
* Cause (risk source/threat/hazard/opportunity)
* Consequence (negative/positive)
* Likelihood (of the consequence)

And, as you said, "the rest of the table may be dedicated to the old faithful PiM information, and for
those who prefers it the IR and RR combined with the Controls/Risk Treatment identification and
rating (...)".
I am one of those who prefer to use IR and RR...
January 7, 2013

Julian du Plessis
Francesco you may be interested in the discussion on "Is there a difference between Risk and Risk
Event" which can be found here http://lnkd.in/m85AQ8
Martin H, I agree with you. The split IMO is useful to present the risks better. Yes, one can combine
the consequence and effect, I however believe there is a degree of differentiation to aid decision
making. There may be say a negative consequence, but the eventual effect may not necessarily
require any further action.
January 7, 2013

Mohamed Sadek
By way of clarifying this important issue concerning risk description, it is worth mentioning that ISO
31000 definition of risk is global in its nature! It includes both types of economic risks (i.e., the
speculative risk and the pure economic one).
If we try to analyse each one, we will find that both affect the objectives of any organization!
For example, if a big fire exists in a factory (a pure economic risk), the damages resulting from that
fire will certainly cause losses and delay/reduction of the factory planned production of the year
during which the fire existed, which means that the organization objectives of that year were
negatively affected!
On the other hand, if we have a visibility study showing that the expansion of that factory to the
double will increase the organization profit by 20% (speculative risk) and the organization followed
the recommendations of this study, which cost it big investments, and this expectation was not
obtained, this will mean that the objective of the organization was negatively affected as well!
Last but not least, the first type of risk mentioned above is the function of the insurance experts while
the second one is the function of the economists!
While assuming the above clarifies with simple examples the ISO 31000 definition from my personal
point of view, I am ready to provide more if required .....
January 7, 2013

David Michael
An example of Martin Davies' Item 4 is the combination of factors that contribute to an event or
outcome that is already exposed to potentially high levels of uncertainty. In our recent examination
of food security in Australia we concluded a Black Swan event for failed food security could not be
dismissed, the results of which would have adverse consequences for domestic and international
consumers, especially those on low incomes. Refer to Food Security 2050. Final research report for
NCCARF (Griffith University) on 'Australian food security and climate change adaptation: How
prepared are food industry leaders'.
http://www.nccarf.edu.au/publications/food-security-risk-management-and-climate-change
The Black Swan potential arises from a combination and co-incidence of climate change, normal
adverse weather conditions, population growth, diversion of agricultural land to non-food uses,
excessive food consumption by people with high incomes and growing income gap between the
wealthy and the vulnerable. Treatment of this risk is challenging, in part because of the diverse
nature of the causal factors (including external influences) and diffuse ownership of the risk.
Government and corporate policies can contribute to a solution but it's a case that underlines the
importance of continuous improvement with measurable performance indicators.
January 8, 2013

Sean Coleman
The risk descriptions should be understood by those evaluating them and ideally should be
quantifiable/qualifiable or measurable to some extent. In practice I find that you need to create a
scale or parameter in the risk description e.g. a serious fire resulting in a loss of a manufacturing
facility or warehouse with more than --- worth of stock. In articulating, identifying and evaluating risks
it is vital that the objectives are considered but bear in mind that there is a strong likelihood that a
given risk will impact several objectives e.g. major interruption to supply chain -- affects reputation
- competition - income etc.

In essence there are several issues and layers associated with individual risks and these should be
evidenced but not necessarily within a risk register. The individual risk description or articulation
must be as specific as possible so that it can be ranked, treated and checked. Often I have seen
people insert reputation as an individual risk which in IMO is an impact. It is too difficult to deal with
as there are too many parameters.
January 8, 2013

Martin Davies
I agree with Sean's statement that risks can sit in a tree like structure, for example:
Power outage [Event] leads to Loss of data [Event] leads to Missed Orders [Event]
and so on.
We could of course have Loss of data [Event] because of user malpractice [Event], a separate tree of
events.
I also agree with this statement "Often I have seen people insert reputation as an individual risk
which in IMO is an impact."
Reputation risk is an impact in my opinion and can often be inserted as an additional event in a tree
of risk events. All this aside, I find reputation risk can also sit on its own and occur without a prior risk
event occurring.
January 8, 2013

Francesco De Cicco
Martin, to "sit risks in a tree like structure", I have applied Fault (Success) Tree Analysis to certain
risks (only qualitatively at first) to take initial advantages of Boolean algebra...
January 8, 2013

Martin Davies
Francesco,
This is the way to go, Bayesian networks are good for this as well, random forests and Path
Dependent Partial Least Squares (PLS), there are so many ways to skin a cat ... I am working on a
complete PLS program at the moment that will do this type of modelling inline with a
multidimensional BowTie diagram. I have the R-Project code kind of working, just need to write up
the example.
I would be really interested in seeing your Boolean algebra method, especially if you have it
documented, do you have it running in software?
January 8, 2013

Francesco De Cicco
Martin, the general method for FTA I have used ever since I was a young boy :-) comes from System
Safety Engineering and it is summarized
here: http://www.hq.nasa.gov/office/codeq/risk/docs/ftacourse.pdf
There are plenty of softwares on FTA... Now I am working to apply FTA (and STA) in
administrative/business processes within the context of ISO 31000.
January 8, 2013

Martin Hopkinson
The comments on tree-like structures above are an important point, and often overlooked in
conventional "flat" risk registers.
One of the concepts I have found to be particularly useful is that of composite risks. A composite risk
is the collective effect of contributing risks. The composite risks concept allows you to commence
with risk identification and analysis at a very high level and progressively increase the degree of
detail through successive iterations of the risk management process, focusing on those composites
that matter most during each successive stage.
In principle, almost any risk can be found to be a composite if you persist with identifying sources of
uncertainty - so, in principle you can continue to derive lower levels of detail ad infinitum. Of course,
in practice, you tend to quickly reach a point where ever increasing detail stops being useful or
practicable. Also, as risks are decomposed, you lose sight of the significance of interrelated sources
of uncertainty. Thus, one of the skills in risk management is to know when to stop decomposing.
Another thing to notice is that as you decompose, some sources of uncertainty start to feature in
multiple risks. The tree analogy thus has limits - some leaves in the risk tree are connected to
multiple branches. This is another reason why you have to stop decomposing at a sensible point,
particularly when modelling risk.
January 8, 2013


Martin Davies
Francesco,
This NASA paper is fantastic, I like it very much because it explains the theory and gives practical
examples.
POINT 1 - Data housing
If we extend this definition process we have been discussing above, across an entire company, we
are going to end up with a lot of data. In effect, the risk description methods that we have all been
discussing in this forum become high in volume and a spreadsheet is unlikely to be suitable for
capturing such intel; there is just too much data.
The risk manager is going to need a risk database or system. Now I know a lot of analysts worry
about finding an appropriate software vendor and most of them are selling potions but I am an avid fan
of building our own risk solution from the ground up and I wrote a blog on this here http://goo.gl/Kl7Yn
If you know what you want, it only takes a matter of weeks to build an entire risk solution.
POINT 2 - Fault Tree Analysis
When creating a fault tree network we have to be careful that we don't build in systemic dependency
both on entry points to hazards and causal path flow. I am a big fan of fault trees because they can
be explained to business unit managers, they can be set up to capture data easily and they can also
be extended into a binomial model or Markov chain and combined with Monte Carlo to create a final
probability distribution function of potential loss.
Other techniques which are worth investigating in this area of risk analysis include:
Neural Networks, Recursive Partitioning, Bayesian Networks, Markov Chains, Random Forests, Path
Dependent Partial Least Squares, Extended Multiple Discriminant Analysis.
Francesco, I am at the moment developing a process similar to what you are doing but I am going
about it using Path Dependent Partial Least Squares and when I am finished, I will share my
presentation with you, in fact; everyone here.
POINT 4 - Systemic Randomness vs Systemic Determination
On Martin's point "Another thing to notice is that as you decompose, some sources of uncertainty
start to feature in multiple risks" this is very true, it is a potential limitation of fault trees as I
described above. Bayesian networks can solve this problem but they have a different issue of
potentially "over fitting" and this is one of the reasons why I am looking into PLS and Extended
Markov Chains but they are more complex to apply statistically.
January 9, 2013
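
Added example, not part of the thread and not any participant's code: it illustrates the point made in the two posts above about fault trees whose sources of uncertainty feature in more than one branch. The tree shape, the "user_malpractice" and "backup_media_fault" branches and all probabilities are constructed assumptions; only "power outage", "loss of data" and "missed orders" come from the discussion.

```python
import itertools
import math
import random

# Constructed fault tree (assumption). Top event: missed orders.
# It occurs when data is lost AND the backup restore fails.
# "power_outage" is a shared source of uncertainty: it sits in both branches.
TREE = ("AND",
        ("OR", "power_outage", "user_malpractice"),     # loss of data
        ("OR", "power_outage", "backup_media_fault"))   # backup restore fails

# Constructed annual probabilities of the basic events (assumption).
P = {"power_outage": 0.10, "user_malpractice": 0.05, "backup_media_fault": 0.02}


def basic_events(node):
    """Return the set of leaf (basic event) names under a node."""
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(child) for child in node[1:]))


def occurs(node, state):
    """Evaluate the Boolean tree for one assignment of basic events."""
    if isinstance(node, str):
        return state[node]
    gate, children = node[0], node[1:]
    if gate not in ("AND", "OR"):
        raise ValueError(f"unknown gate: {gate}")
    results = [occurs(child, state) for child in children]
    return all(results) if gate == "AND" else any(results)


def naive_probability(node, p):
    """Gate-by-gate arithmetic that treats every branch as independent.
    This is wrong whenever a basic event is shared between branches."""
    if isinstance(node, str):
        return p[node]
    child = [naive_probability(c, p) for c in node[1:]]
    if node[0] == "AND":
        return math.prod(child)
    return 1.0 - math.prod(1.0 - q for q in child)


def exact_probability(node, p):
    """Sum the probability of every basic-event state in which the top
    event occurs. Shared events are counted once, so dependency is kept."""
    names = sorted(basic_events(node))
    total = 0.0
    for values in itertools.product([False, True], repeat=len(names)):
        state = dict(zip(names, values))
        if occurs(node, state):
            total += math.prod(p[n] if state[n] else 1.0 - p[n] for n in names)
    return total


def monte_carlo(node, p, trials=20000, seed=1):
    """Estimate the top-event probability by sampling basic events once
    per trial, which also preserves the shared-event dependency."""
    rng = random.Random(seed)
    names = sorted(basic_events(node))
    hits = 0
    for _ in range(trials):
        state = {n: rng.random() < p[n] for n in names}
        hits += occurs(node, state)
    return hits / trials


if __name__ == "__main__":
    print("naive (independent branches):", round(naive_probability(TREE, P), 5))
    print("exact (shared event kept):   ", round(exact_probability(TREE, P), 5))
    print("Monte Carlo estimate:        ", round(monte_carlo(TREE, P), 5))
```

With these constructed numbers the independent-branch arithmetic understates the top event by roughly a factor of six, because the shared power outage alone is enough to trigger both branches.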

Charles Thuo
Does it mean when there are no objectives or none have been set there is no risk involved?
January 9, 2013


Martin Davies
Charles, the objective has to remain, this is a very good point that you make.
So with each Event-Impact, the outcome on any underlying objective(s) needs to be listed and
mapped.
[1] So risks connect to causal drivers and causal drivers connect to controls
[2] Risks also connect to impact or outcomes
[3] Outcomes are connected to objectives impacted
[4] Outcomes are also connected to controls

I know it sounds complex but have a look at the presentation I have shared http://goo.gl/Kl7Yn. On
slide 3, I describe how various risk management components are linked and on slide 5, I show an
example database that suits aspects of what you are saying above and what I have listed in points
1,2,3,4
For what it's worth, it will only take a day or so to build such a database, if you are working with IT
database people that are on top of it and a risk manager who has a clear vision on what they want to
achieve with this. These two human elements are often not the case but it can be done when they
are.
Early last year I worked with an African company to build such a database, the risk team and myself
sat in a room in Dubai from about 10:30 to 16:00, minus a lunch break and our database was built
and operational by the end of the day.
January 9, 2013

Peter BLOKLAND
The general mistake I see often happening is the conviction that risk or objectives can be isolated
and treated in an isolated way.
As soon as you have an objective there's risk. As soon as you have risk there's some objective
involved. But it's never isolated. It's always the result of a web of smaller and bigger elements of a
whole.
You can compare risk with the universe. Within the universe you could select a galaxy and in this
galaxy you can determine a solar system and within this solar system you can see planets and on a
planet you can find countries and within those countries you can find cities and within those cities
you can find companies and with a company you can find strategic objectives and within those
strategic objectives you can find targets and within those targets you can find tasks and with these
tasks, you can find people and they have all their individual targets, goals objectives, purpose, ... and
there's no 100% certainty about any of them. Everything is connected and can influence other
elements in the system.
So we have to put boundaries on the system we are dealing with. The more confined you put the
boundaries, the easier to determine the objectives, however, the lower your quality of perception will
be and the higher uncertainty.

As long as there's even only one objective left, there's risk, because such a closed and confined
boundary on a system incurs high uncertainty by lack of information of the bigger whole.
As soon as you open up the boundaries, more objectives start to interact, influencing again overall
uncertainty.
etc...
so I completely agree with Francesco:
"Because risk is 'effect of uncertainty on objectives', the description of risk needs to convey both
elements: in other words, make clear which objectives are being referred to and the source of
uncertainty and how it could lead to consequences"
January 9, 2013

Alan Fotheringham
I think we need to make sure we don't lose focus here.
We need to balance the need for brevity with the need to capture three essential pieces of
information - the event/circumstance (industrial accident); the source (lack of care etc); and the
nature of the impact in relation to value drivers (human, financial, reputational, legal and etc). This is
very similar to the approaches Martin and Julian have suggested. As Julian (and Francesco and Peter)
have noted, the objective should be recorded as well - though (depending on the organisation) I
don't always insist on it because the answer is often "All".
Many organisations get fed up trotting out a full "three part" description - and insist on using a short
name like "Health and Safety" but I think it very important to keep reminding them of the three
elements to ensure that they focus their attention appropriately.
In noting consequence and likelihood rating columns Francesco has moved on into the analysis and
evaluation stages of the process - which - together with an assessment of the effectiveness of
current controls - would draw on many of the details Martin has mentioned.
It seems to me that this is thoroughly constructive thread which I hope others will read
January 10, 2013

Julian du Plessis
Alan, my personal experience with bringing in the objectives have been it exposes line management
with regard to how well they understand the business and the overall operating model. Yes, it does
leave some bruises on the risk officer and the identification and acceptance of the relevant risk
almost impossible.
January 10, 2013


Peter BLOKLAND
A model that can help you in setting boundaries to your "system" and describing
risks: http://www.slideshare.net/BYAZ
I will not describe the whole model, but from top to bottom you go from the strategic to the
executioner level.
At each level there are objectives.
At all levels there's a certain level of perception (i.e. influence of attitude and how reality is perceived
cfr Chris Argyris and his ladder of inference for more on this: a short
video: http://www.youtube.com/watch?v=K9nFhs5W8o8).
Starting from the strategic objectives, going down to all underlying operational objectives and
objectives at the executioner level, will bring you the clarity to search for strengths & opportunities
(+risk) and weaknesses and threats (- risk) closing the loop into the actual results in your context
which will further feed your reality and attitude.
Understanding the loops in the model, seeing the interdependence of goals and objectives at all of
these levels will guide you to your priority risk and its definition.
January 10, 2013

Rahul Magan,MBA Finance


@ Francesco - I fully disagree with the thoughts of " RISK is the "effect of uncertainty on objectives"
as if this is the case then this is sheer lack of Risk management policies on Organizations behalf
which them to nowhere.
In Fx markets Risk is nothing but presence of exposures and failing to mitigate these exposures is
known as Risk event..
Would be great to have yours or others contrarian thoughts...
January 10, 2013

Peter BLOKLAND
Rahul,
An event that doesn't influence any objective (of anyone), is just an event. Nobody will give a damn.

Linked to an objective however it becomes risk. In other words, exposure only means something if an
objective is involved.
Starting from objectives puts everything in perspective.
January 10, 2013

Martin Hopkinson
Peter,
Like some others contributing to this discussion, I get a bit frustrated with the fixation that most risk
management standards have with objectives. Perhaps this is because, to me, the word objective is
associated with hard and fast measures.... and I believe that you can identify and manage risks prior
to having established such measures. For example, you can use a risk management process to help
set such measures at sensible risk-adjusted levels e.g. when setting a project budget.
Personally, I would prefer to see a definition of risk along the lines of "uncertainty that matters",
rather than uncertainty that has an effect on objectives.
January 10, 2013

Peter BLOKLAND
Martin,
My view on this:
Take on a broader perspective on the word objective. It's anything that matters!
Staying / becoming healthy, making a profit, becoming successful, reaching the top of the mountain,
reaching the other side of the street, ....
If you see risk, you see things that matter. These things are related to objectives. Societal,
organisational, individual. Ask yourself "what purpose, aspirations, goals, targets, objectives, ... could
be involved?"
It provides a clear starting point to determine and analyse risk.
January 10, 2013

Martin Hopkinson
Peter, if your interpretation of the word objectives is "anything that matters", then we would be in
agreement.
January 10, 2013

Peter BLOKLAND
I guess this is the ISO31000 point of view, otherwise it wouldn't make sense. How I read it, it's only
expanding the view, not changing it.
Thanks!
January 10, 2013

Francesco De Cicco
> MARTIN Davies, I have accessed your blog and found the solution you are developing quite
interesting. Yes, I would appreciate knowing about the new presentation!
> RAHUL Magan, I think Blokland explained the meaning of Risk according to ISO 31000 very well....
And how would I define Objective? Let's see...
In the area of Quality Management, ISO 9000:2005 defines Quality Objective as follows:
"Quality objective: something sought, or aimed for, related to quality.
Note 1 Quality objectives are generally based on the organization's quality policy.
Note 2 Quality objectives are generally specified for relevant functions and levels in the
organization."
Therefore, I would say that an Objective is "something sought, or aimed for, related to... 'staying /
becoming healthy, making a profit, becoming successful, reaching the top of the mountain, reaching
the other side of the street', .... ", as illustrated by Blokland.
The effect of uncertainty on (quality, etc.) objectives is ... Risk!
January 11, 2013


Rahul Magan,MBA Finance
@ Peter - Most of the time there is no objective attached to risk management or risk
management policies.
Like when a trader takes any option contracts vs. plain vanilla forward contracts, then there is no
objective behind this trade because you are living under the open blue sky and not sure where you will land
up.
January 17, 2013

Alan Fotheringham
@Rahul - This site is dedicated to the discussion of enterprise risk management - as under ISO 31000.
In this context the relevant objectives are the objectives of the organisation. Organisations always
have objectives - though these may not always be clearly stated. One of the benefits of 31000 is that
it forces directors and senior executives to focus on organisational objectives - and to develop
strategies and action plans accordingly.
As Peter says, the effect of uncertainty on (achievement of) these objectives... IS Risk!
[ PS I like your photo. I presume you are the one standing up!]
January 17, 2013

Peter BLOKLAND
@Rahul,
Why make a trade if there's no objective to do so. Seems odd to me. I suppose the obvious objective
of traders is to make a profit or something alike.
It's not because you haven't consciously determined or named objectives, that there aren't any!
If you manage risk, it's to maximize the outcome of an objective. If this is not the case, what are you
managing?
January 18, 2013


Rahul Magan,MBA Finance
@ Alan - We have millions of examples before us of those who have ISO 31000 based risk
management policies, however the real intention is something else, and moreover we all have to
agree that these ISO standards are either old in nature or turning obsolete and henceforth won't be able
to help organizations to mitigate their risk management objectives.
I am not so sure why the world is not agreeing that the majority of the risk management models
are either obsolete.
@ Peter - If you compare trades done by swing traders, then the majority of their trades are without
objective or they are always playing on implied volatility to earn gains on their derivatives portfolio.
January 18, 2013

Donna Galer
In order for all levels in the organization to understand the impact of risk on objectives, the simpler it
can be stated the better. Here are some examples:
* risk of interest rates remaining low and the uncertainty surrounding financial markets in general
may require larger than expected contributions to the company's pension plan, putting the
corporation's three year budget goals and projected earnings in jeopardy within a range of X to X.
* risk of greater regulation and rebuilding requirements in the area where our products are processed
into finished products may create supply delays and increased costs over the next two years,
which may impact final sales volume/receivables and margin by a factor of X for sales and Y for
margin.
Hopefully, this addresses the original post.
June 8, 2013

Er.SN Agarwal
Yes, but still needs more deliberation
June 9, 2013


Peter van Nederpelt
Another approach may be possible. Let me use Julian's example. In his example the following 'areas' can
be distinguished.
1. Health of Julian
2. Safety of the food that Julian eats
3. Accuracy of the nutritional information on the food label
4. Awareness of the food preparer of Julian's condition
5. Familiarity of Julian or the preparer with food brand
An area is - as you can see - a combination of a characteristic (safety) and a noun (food).
These areas are dependent on each other. Problems with area 3, 4 and 5 may cause problems with
area 2. Problems with area 2 may cause problems with area 1.
Or the other way around: Area 1 is dependent on area 2. Area 2 is dependent on area 3, 4 and 5. This
is the top down approach.
Risks are identified by identifying the right areas that are related to the objective which is in this
case a healthy Julian.
For each area various steps can be taken such as what are the requirements for the area and which
measures should be taken to control the area.
This approach is part of the Object-oriented Quality and Risk Management (OQRM) model. Search for
OQRM at Google if you want to learn more about this model.
June 9, 2013

Martin Hopkinson
Peter, one thing I notice from your example is that numbers 2-5 in your bullet point list are what I
would term "sources of uncertainty". I would contend that a risk description is incomplete if it
does not identify the relevant source(s) of uncertainty. (See the third post in this discussion). So, I
think your example is useful, and I will go and do the OQRM Google search.
Like yourself, I frequently use a bullet point list like this within risk descriptions. It is a habit that
forces you to think through the different sources of risk rather than just being satisfied with the first
one that came to mind.
June 9, 2013


Peter van Nederpelt
Martin,
Yes, numbers 2-5 are sources of uncertainty or a risk source as ISO 31000 calls this term. And, there is
a hierarchy between these sources.
Key to the OQRM approach is the concept of focus areas, which is a combination of a characteristic
(safety) and a noun (food). Each focus area can be managed by taking the right actions.
I agree that you should identify different sources of risk in order to be complete.
June 9, 2013

Samuel Demuth
I understand (and sympathise with) the attempt - but this specific example's aim is far too coarse.
Your layers are failing you at point 2.
Without delving too deeply it is implicitly understood that the health of Julian is only partly
underwritten by food (consumption).
It is implied (but it's hard to be certain) that the levels under 2 are intended to be fulsome - in this
they fail - partly because the definition at 2 is inadequate (I consider) - unless this is only intended in
turn to be an attempt at a partial coverage - in which case why choose these limits (?) and (more
importantly) not state them...
So; suggest :
1. Balance of consumption for the purpose of net nutritive value brought into contact with Julian.
All these elements are required and important.
The "balance" recognises that any one thing that is required for Julian to remain healthy if eaten to
exclusivity will be unhealthy to the point of being deadly.
"consumption for the purpose of net nutritive value" recognises that not all things that are eaten are
beneficial (at all, or in the quantities consumed) specifically for the purposes of nutrition - oral
medicines; or are purely incidental (nasal mucus and anything it contains).
"brought into contact ..." recognises that things that are eaten in the belief that they will be
beneficial nutritively may not be so to the extent believed at the outset (the food may be off - or it
may "disagree" with the individual) regardless of labelling.
Cautionary Notes
Food brought into contact with Julian non orally may cause harm (onions being cut - chilli in various
locations). Various foods incorrectly cooked. Beer in sufficient quantities to drown in (black swan - is
that a brand name ?).
Not all consumption need be orally administered.
This suggests various avenues for further (additional) examination.
The lesson I suppose is : understand the system and the context.

June 10, 2013



Julian du Plessis
Well Samuel I am still alive.
June 10, 2013

Peter BLOKLAND
Undoubtedly this is the positive effect of uncertainty on (your) objectives!
Often we take too many things for granted, where it requires a dedicated attention and commitment
to succeed in the long term.
June 11, 2013

Peter van Nederpelt


Samuel,
I agree the example could be more specific and complete.
I just tried to illustrate the concept of 'focus areas' which is new in the domain of risk management.
June 11, 2013

Samuel Demuth
@Peter
The method you propose has NOTHING wrong with it that I can see.
What I wanted to point out is that a good method inappropriately applied can lead you into believing
that the system under scrutiny is understood and "covered", when that is not quite the case.
While looking at Risk in depth we are careful to ensure that we HAVE Risk overlaps - but also that we
know what the overlaps are. Overlaps are a better place to be than "underlaps" - but in all cases
whatever the "Lap" status - it's the knowledge of the "competence" (for want of a better word when
talking about a deficit) of your own knowledge and comprehension of the systems which is vital.
If you know that you don't have it covered - that's great!
If the other alternative is not to know that you don't know it.
I see, understand and APPLAUD what you are attempting.
The care that is needed is in the layering - you are trying to jump to the end stages too quickly - probably for the purposes of demonstration - but that can lead us astray.
The criticism is not of the technique.
This is intended more as a warning - the technique works and it has clear applicability.
Be careful and thoughtful in how it is applied and it can continue to serve us well.
June 11, 2013

Samuel Demuth
@Julian
I'm so relieved. You be careful out there with those dangerous quantities of food.
June 11, 2013

Peter van Nederpelt


Samuel,
I totally agree. You should cover all areas. Therefore, you must know and comprehend the system.
You should be aware of the risk of 'underlap' and black swans.
June 11, 2013

Samuel Demuth
In my posting responding to Peter on the layers what was intended to be a number 2 (two) has been
mysteriously rebadged as a 1 (one). I didn't do it - apologies for any confusion as a result.

Finally (if it helps) I find that I prefer to think of Hazards (Risk Sources) as a series of overlapping fans
made of feathers.
June 11, 2013

Peter BLOKLAND
You can also look for those events, causes and potential consequences that will support your
objectives! These are the risks you want to take! But be aware of the negative consequences that go
with this risk taking, as these are the risks you run. They are always linked with each other, but
behave differently and require a different attention and treatment.
June 11, 2013

Matthew Barrett
This is a great point Peter. I think it illuminates an earlier discussion of what constitutes a strategic
risk; some risks are intentional and worth taking.
June 11, 2013

Er.SN Agarwal
Very difficult to have a definition of Risk. It has to be continuously redefined as more and more risk
factors come to light. It is a VARIABLE FACTOR
June 13, 2013

Mark Donnelly
If you want to see what real safety is today
http://risksafetycritique.blogspot.com.au/

6 months ago