ISO 31000 and Those Who Don’t Know History

William Storage – Dec 8, 2016
VP, LiveSky, Inc.
Visiting Scholar, UC Berkeley History of Science

Risk: “the effect of uncertainty on objectives.”
ISO 31000 risk definition

ISO 31000, along with other frameworks, uses a definition of risk that is not merely incompatible with the common business and historical usage; it is highly destructive to its own goals. A comment on a recent LinkedIn post about “positive risk” asked fellow risk managers, “can we grow up?” I share the frustration. ERM must step into the real world, meeting business on its own terms – literally.

The problem with an offbeat definition of risk isn’t just a matter of terminology. The bad definition is at the heart of several derivative concepts, which ultimately lead to contradictions and confusion. That confusion is not lost on CEOs and boards of directors. Proponents claim that these audiences welcome ERM and that they align strategies accordingly, e.g. COSO 2009: “boards and management teams are embracing the concept of ERM”. But dig into this recent Deloitte survey, like many before it, and you’ll see that the self-congratulatory self-assessment projected onto boards comes with some less optimistic hard data. For example, Deloitte’s data actually shows that just over half of even financial-service boards get updates on top risks, and less than half of those get such updates more than once a year.

I’ve recently had the chance to speak about risk management with a few Fortune-500 CEOs (telecom, insurance and healthcare) and a number of their board members. Unsurprisingly, these folk tend to be learned – some downright expert in science and math. Many were aware of ERM’s quirky use of “risk” and related terms central to science, and did not need prompting to express dismay. All five healthcare execs I spoke with told me their boards have no contact with ERM output.

A retired CEO told me she suspected that ERM’s “positive risk” concept is a turf grab – a way for risk managers to inject themselves into strategic decisions. Of course, risk managers have good evidence that risk should move upstream in the decision process. But idiosyncratic language and muddled reinterpretations of core analytical concepts are unlikely to persuade educated executives. If you think otherwise, try searching the web for praise of an ERM framework by a board of directors or top executive.

To understand why the issue of defining risk is one of several big changes that ISO 31000 and some of its brethren must undergo, a historical perspective on risk and the roots of ERM’s conception of it may help.

Risk started with probability theory, which, oddly, did not emerge until the 16th century. Before that, despite widespread gambling, humans, possibly for religious reasons, could not imagine any way to predict the future. As historian Ian Hacking (The Emergence of Probability) wrote, “someone with only the most modest knowledge of probability mathematics could have won himself the whole of Gaul in a week.”

Then Gerolamo Cardano realized that, whether or not through the will of God, rolling two dice resulted in more sevens than twos. Pascal and Fermat later devised a means of calculating probability based on a known problem space. Soon after, John Graunt realized he could predict future death rates from historical data and, with help from Huygens and Bernoulli, statistical inference was born.

While annuities and mutual-aid societies existed in ancient Rome, modern insurance had to wait for Graunt’s concepts to spread. Only then could probability and statistical inference (in the senses introduced above) become a rational basis for setting premiums, as shown by Edmond Halley, who discovered other regularities in the natural world.

“Insurance Against Risk”

Risk insurance was soon widespread. Risk’s Latin root means danger, and that’s how the term was used in insurance. The 1828 American Dictionary of the English Language says risk signifies a degree of hazard or danger. It explains that “the premiums of insurance are calculated upon the risk.” In insurance, science, medicine, and engineering, risk is a combination of likelihood and severity of a hazard (potential loss); and that is how the term is used everywhere outside of ERM and some Project Management imitators.

For example, in Google’s data, the top 25 two-word collocations starting with “risk” all associate risk with cost or loss:

[Chart: risk bigrams, the top 25 two-word collocations starting with “risk” in Google’s data]

Further, in Google’s data “positive risk” or similar expressions do not occur in the first 10,000 bi-grams ending in “risk,” despite the popularity of that concept in blog posts and on LinkedIn.

Defining risk as the effect of uncertainty on objectives causes many problems. One is that we don’t know the context of uncertainty; another is that it omits mention of loss. The rationale for this omission is that the consequences associated with a risk can enhance the achievement of objectives.

This rationale confuses risk-reward calculus with the concept of risk alone. Despite claiming to be neutral about risk (not the same thing as risk-neutrality), nearly all usage in ISO 31000 treats risk as something to be tolerated, retained or transferred, shared, reduced, controlled, mitigated or avoided.


To understand risk as the effect of uncertainty on objectives, we must know what is meant by uncertainty. Again, this isn’t just an exercise in philosophy of language. Uncertainty has been a problem term since Frank Knight (Risk, Uncertainty & Profit, 1921) chose to redefine it (a misuse, according to Frank Ramsey and others of Knight’s contemporaries) in two ways – incompatible with each other and with the standard use in math and science. We see echoes of Knight’s work in risk frameworks.

Knight’s concept of uncertainty relevant to this discussion is the one in which he equates risk with “measurable uncertainty”:

“To preserve the distinction which has been drawn in the last chapter between the measurable uncertainty and an unmeasurable one we may use the term ‘risk’ to designate the former and the term ‘uncertainty’ for the latter.”

Knight’s critics (as we can infer Ramsey, Kolmogorov, von Mises and de Finetti were) might point out that Knight has constructed a self-referential definition; but a charitable reading of Knight is that risk equals uncertainty and uncertainty equals ignorance, in the non-pejorative sense, i.e., “unknown unknowns.”

Even in the charitable interpretation, Knight’s usage makes dialog with math and science nearly impossible, since in those realms we call the measure of uncertainty probability (whether the frequentist or subjectivist variety). That is, it is not merely Knight’s language that is at odds with math and science; it is his world view and ontology.

Effects of Uncertainty

If the uncertainty in ISO 31000’s definition of risk is the Knightian variety, i.e., ignorance, then uncertainty describes an agent’s state of mind. The immediate effect of that uncertainty is necessarily a reflection on his/her/its ignorance, if there is an effect at all (a person unaware of his uncertainty would not be uncertain). Given that the only possible first effect of awareness of a state of ignorance is cognitive or emotional, defining risk as the effect of uncertainty (the sort of Knightian uncertainty described above) is unworkable. Risk is certainly not an emotional response or a mental state of reflection, yet that is what a literal reading of ISO 31000 would require, assuming Knightian uncertainty.

If instead of Knight’s understanding of uncertainty, we use the math/science meaning of the term, things are only slightly better. If uncertainty involves a known problem space (as opposed to ignorance) the effect of uncertainty in any situation would be to affect our decisions. We might deliberate on what to do about quantified uncertainty (and therefore quantified risk). If we follow a subjectivist interpretation of probability we might choose to gather more information with which to refine our estimated probabilities (modify our uncertainty by updating our priors). But in neither of these cases, where uncertainty is not ignorance, would we call what we’re doing about uncertainty (the effect it has on us) “risk.” Here, uncertainty is a component of risk; but risk is not the effect of uncertainty on objectives.

An obvious remedy is to abandon arcane conceptions of risk and accept that a few centuries of evolution of rational thought has given us a decent alternative. Risk is a combination of the likelihood of an unwanted occurrence and its severity. This holds however we choose to measure or estimate likelihood, and regardless of how we measure severity. It does not require that we multiply likelihood by severity; and it allows that taking risks might have benefits. Further, it addresses the role of analysis of risks in decision making, i.e., “objectives.” I think this is where ISO 31000 was heading, but went off course, leaving much confusion in its wake. It’s time for a correction.
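To make concrete the point that risk combines likelihood and severity without requiring their product, here is an added example (not from the original post) that ranks the same constructed four-item register three ways: by the product, by an ordinal risk-matrix lookup, and by severity-first ordering. The register values, likelihood bands and matrix cells are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # estimated annual probability of the unwanted occurrence
    severity: int      # loss class: 1 negligible .. 5 catastrophic

def product_score(r: Risk) -> float:
    """Multiplicative combination (expected-loss style): likelihood x severity."""
    return r.likelihood * r.severity

# Assumed likelihood bands 1..5: p < 0.001, < 0.01, < 0.1, < 0.5, >= 0.5
LIKELIHOOD_THRESHOLDS = (0.001, 0.01, 0.1, 0.5)

def likelihood_band(p: float) -> int:
    return 1 + sum(p >= t for t in LIKELIHOOD_THRESHOLDS)

# Constructed 5x5 risk matrix: rows are severity 5..1 (top to bottom),
# columns are likelihood bands 1..5; L/M/H/C = low/medium/high/critical.
RISK_MATRIX = ["MHCCC", "LMHHC", "LMMHH", "LLMMH", "LLLMM"]
RATING_ORDER = "LMHC"

def matrix_rating(r: Risk) -> str:
    """Ordinal combination by table lookup; no arithmetic on the inputs."""
    return RISK_MATRIX[5 - r.severity][likelihood_band(r.likelihood) - 1]

def severity_first_key(r: Risk) -> tuple:
    """Lexicographic combination: severity dominates, likelihood breaks ties."""
    return (r.severity, r.likelihood)

def rank(risks, key):
    """Risk names in descending order under the given rule (stable sort)."""
    return [r.name for r in sorted(risks, key=key, reverse=True)]

# Constructed sample register (illustrative values, not real data).
REGISTER = [
    Risk("credential phishing", 0.5, 2),
    Risk("ransomware outage", 0.05, 5),
    Risk("lost unencrypted laptop", 0.2, 3),
    Risk("data-centre fire", 0.002, 5),
]

def compare_rules(risks=REGISTER) -> dict:
    """Same register, three combination rules, three different priority orders."""
    return {
        "product": rank(risks, product_score),
        "matrix": rank(risks, lambda r: RATING_ORDER.index(matrix_rating(r))),
        "severity_first": rank(risks, severity_first_key),
    }
```

The product rule puts the frequent, low-severity phishing item first, while both non-multiplicative rules promote the rare, catastrophic ransomware outage; which is appropriate is a decision about objectives, not part of the definition of risk.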

– – –

