top of page

Update to ISO 31000 (2018) observations # 3 – what is a risk?

Updated: Feb 2, 2022

The recent update to ISO 31000 has retained the existing definition of risk.  This is disappointing.

That definition fails the tests of common sense and of consistency.  Para 3.1 of ISO 31000 first defines risk as "effect of uncertainty on objectives" and then in the same paragraph it explains that risks are usually expressed in terms of risk sources, potential events, their consequences and their likelihood.   These four aspects of risk are much more than "effect of uncertainty" - which is akin to to just one of them - consequence.   So the definition is neither sensible nor complete, even according to ISO31000 itself.

The continued focus on "potential events" also reflects outdated thinking.  It results in many organisations operating both a risk register and an issues register.  This implies that management issues and risks are unrelated and can be managed separately.  Yet every 'management issue' is also a source of risk because it has implications for future performance and outcomes, almost always with associated uncertainty.

A systems thinking approach to risk is inclusive, does not separate, and considers everything that that could impact on purpose or outcomes, together and at the same time.  Modern, effective leaders do this intuitively - one very real reason that risk frameworks based upon standards such as ISO 31000 seem (to those leaders) to be red tape and low-value.  While the increased focus in ISO 31000 (2018) on integration seems to be going in the right direction, the underlying thinking in the standard is still very much separating, reductionist.  This is inappropriate for our complex, highly interconnected world.

Think about a risk as any combination of factors that involve uncertainty and implications for your purpose and outcomes. If you want to talk about a modern definition of risk feel free top contact us at

8 views0 comments


bottom of page