ERM’s Language Problem
ERM has a language problem.
Many of us moved from risk management to enterprise risk management (ERM) without updating our lexicon. We now focus on taking a broader approach to managing risk while we continue to use terminology that limits our ability to implement that approach. Two of the most important words that need deeper understanding and better articulation are “risk” and “uncertainty.”
It’s not hard to find writing that equates “risk” with negative outcomes. Indeed, in a quick perusal of “Risk Insider” columns on ERM, there are numerous examples that describe “risk” as a threat and use the terms “risk” and “uncertainty” interchangeably.
It takes awareness and perseverance to update our language when it comes to risk; without that, we tend to fall back on common usage. Dictionary definitions don’t help, since they typically reflect historical common usage, which doesn’t support the evolving approach to managing risk. Insurance dictionaries define risk as a probability or threat of damage, injury, liability, loss or negative occurrence. Merriam-Webster offers four options: 1) “possibility of loss,” 2) “someone or something that creates or suggests a hazard,” 3) “the chance of loss” (and a few variations on that) and 4) “the chance that an investment will lose value.” All of these definitions tie risk to negative outcomes.
Some practitioners try to get around that by adding words. Examples include “risk and reward” or “risk and opportunity” (the connotation of “risk” is still negative in both) or the clumsy “upside risk” and “downside risk.” (The problem is that “upside” and “downside” describe potential effects or outcomes, not the risk itself.) These expressions can be confusing and problematic, and they do not help change the narrative.
However, even in common language, there are opportunities to expand our understanding. To “take a risk” or say that something is “risky” acknowledges that the outcomes are uncertain. Outcomes can be positive or negative, and are often a mix of both. That starts to sound more like ERM, doesn’t it?
When we drafted the international standard on risk management, risk experts from around the globe spent an enormous amount of time working to get this right. We knew that the definition itself would expand our thinking and refine our approach.
ISO 31000 defines risk as the effect of uncertainty on your objectives. It is not the effect alone, or the uncertainty alone; it is the intersection of those uncertainties with your objectives that creates risk. That is an incredibly important distinction from the common-usage definitions. It keeps organizational objectives at the heart of the process and recognizes that not all uncertainties will have an impact on strategy or objectives. And the uncertainty that does affect strategy, goals or objectives doesn’t always affect the organization in negative ways; the ISO 31000 definition is neutral about the effects of uncertainty.
As our ERM programs evolve and we consider a broader range of uncertainties and outcomes, it is imperative that we become more exact in our use of language. That will help us (and our clients) view risk – with clarity and precision – through a broader lens.