CHAPTER 1: WHAT IS RISK?

Risk has many meanings and even more definitions. We will be looking at some of these in relation to management systems.

In the context of this pocket guide – which relates to management systems – the more important questions are why the idea of risk is so important to the ISO 9000 family of standards, and how this approach can help you to develop a risk-based management system.

As a starting point, ISO 9001:2015 sees risk “as the effects of uncertainty on an expected result.”[3] ISO 31000 defines risk “as the effects of uncertainty on objectives.”[4] Later, we will talk more about the differences between these and the definitions of risk in other standards. However, the key starting point is how the organisation views risk itself, rather than analysing how to define risk.

The ISO 9000 family of standards follows ISO’s Annex SL framework (which is a relatively short document that is certainly worth reading). If we follow this framework, we have moved from simply seeing risk as the negative outcome of a probability towards seeing risk as the effects of uncertainty; this uncertainty can also produce positive outcomes. For example, a better than expected order book is great, but only if we have the planning and resources in place to meet the demand – it is a risk to plan for just as much as poor market performance is.

The definition of risk doesn’t specifically consider countermeasures and controls. These can be defined as interventions of a temporary or permanent nature to prevent or mitigate a risk arising, or an unplanned event recurring. Interestingly, ISO 27001:2022 has requirements for identifying vulnerabilities, i.e. a vulnerability does not become a risk unless there is a threat to exploit it. But how can we be aware of potential risk without considering vulnerabilities in any process, whether a standard urges us to or not? It is always important to remember that Annex SL’s definition of risk represents just the tip of the iceberg with regard to the layers of meaning it should provoke in terms of a strategic and tactical response to it within an organisation.

In fact, ISO has said: “The purpose of risk management as outlined in ISO 31000 is the creation and protection of value.”[5] This idea of creating and protecting value can be seen in the broad definition of risk and opportunity that Annex SL assumes. We need a systematic approach to managing both the positive and negative risks that could compromise value (be these political, financial, ethical, technical, safety, branding, production and distribution, etc.).

Although a lot of discussion about risk is siloed, e.g. health and safety risk, financial risk, ethical risks, etc. (often with practitioners who have their own specific training and mindsets), there needs to be an overarching risk management framework. This will ensure all of these silos work towards the same ultimate objective.

One interpretation of Annex SL is that it assumes organisations are moving away from silo thinking and that risk is no different to any other process, i.e. risk management policies should sit across the organisation, and, only at tactical level do the different sector expectations come in, e.g. financial, health and safety, etc.

To consider this point from another direction we, as individuals, concern ourselves with managing uncertainty so as to protect our assets or the plans we are making for them – be that our own life or the future stock market valuation of our business. This will be peppered with many individual risks and opportunities that create or inhibit those strategic, planned outcomes occurring. In fact, many legends and popular entertainment stories are based on the quest premise – the almost impossible is eventually achieved after facing many challenges and vicissitudes, as well as receiving unexpected help along the way. Or, in other words, the risk journey. Management systems experience such things all the time, just as we as individuals do. Risk management is fundamental to the achievement of almost all goals – so risk itself isn’t the starting point – rather it is the exposure or response to the opportunity or goal being sought.

The propensity or desire to accept risks or pursue opportunities varies among individuals and organisations. In simplistic terms, risk-averse organisations avoid uncertain outcomes as far as possible, devoting considerable resources to doing this. Risk takers, in contrast, will not accept that there are outcomes they cannot manage and will pursue all opportunities. Of course, most individuals fall at various points between these two extremes.

Wider societal risks – pandemics, major chemical incidents and wider political risks that go beyond the scope of the individual or an organisation – would also fall under this idea of protecting against uncertainty and, as we have seen with COVID-19, some organisations were better placed than others to manage or adapt to the ongoing, changing outcomes of the pandemic.

This risk universe isn’t just an individual or one organisation, but a whole region, a nation, the world – where there are many obstacles to achieving what is planned or, sometimes, ensuring an unplanned event doesn’t arise, or is at least mitigated. COVID-19 is one example of this, which, in turn, spurred on many millions of decisions relating to opportunities as well as other risks. This can also be true of ISO standards – some, such as ISO 9001, are focused very much on the individual organisation – big or small – adopting them, whereas ISO 31000 and ISO 14001 can be interpreted from an almost global perspective in terms of how the organisation interacts with interested parties.

Although some risks and opportunities can be forced upon us, others can be rejected or openly embraced – some organisations are more open to risk than others – this is called risk appetite. It is not overtly discussed in Annex SL, although it is under ISO 31000. Without understanding our risk appetite, simply defining risk is not the starting point it might otherwise appear to be.

Risk appetite is the desire, or propensity, to accept or avoid certain levels of risk in the pursuit of organisational objectives at both a strategic and tactical level. This applies to individuals, organisations (private, public and not for profit) and governments but, for brevity, we will use the term organisations.

Risk appetite needs to be distinguished from risk capacity. Risk capacity is how much risk an organisation can financially accept. This can change over time and will impact an organisation’s risk appetite, i.e. all other things being equal, if the financial resources of an organisation start to diminish, then it is likely that the desire to voluntarily accept risk will be more critically examined, unless the organisation has real risk takers in that, say, the leadership team decide that one big, risky deal will solve all their immediate problems. This type of scenario reflects what is sometimes called risk tolerance – how far will an organisation stray from its usual risk appetite, i.e. almost never at all or, at the other extreme, so far that one has to ask what its risk tolerance actually is? Again, a management system should be viewed as a tool to make sure that decisions being reached are made with the best possible management information, which will at least help the most appropriate decision to be made.

Risk appetite is influenced by risk awareness, i.e. different management teams will have a greater awareness of the vulnerabilities and risks that their organisation faces. This is one reason why the more sector-driven standards in the ISO 9000 family have much to inform those in totally different sectors, e.g. ISO 27001 with its very specific emphasis on breaking down the components of risk and the types of controls needed to address them. Arguably, if we don’t understand our risk universe we can’t really understand if our decisions are based on our own risk appetite or not, i.e. if we are totally unaware of a particular risk or cluster of risks in the organisation, would it change our decisions?

Was the risk-based approach to management such a significant change to the ISO 9000 family of standards?

The short answer is ‘no’ or, rather, management systems could always be risk-based before the risk-based approach became a requirement of the ISO 9000 family of standards.

When ISO 9001:2015 was first published, some commentators questioned why a management system needed to be risk based. The answer that emerged was clear: the Plan-Do-Check-Act Cycle (PDCA or Deming Cycle)[6] that ISO 9001 was based on can be interpreted or adapted to any risk-based approach to management. This was true even when PDCA was adopted by ISO, long before any implied link to risk was referred to.

When Annex SL first adopted this risk-based approach to management, it was seen as an integral part of PDCA. Although Deming himself focused on the reduction of waste and the promotion of teamwork, among other factors, the development of management systems wasn’t yet at the level where risks and opportunities were the key drivers – we were yet to achieve consistency of outputs. But PDCA is all about making choices – resources devoted to one thing could be used elsewhere, e.g. business opportunities that could have been pursued but weren’t. In other words, what economists call ‘opportunity cost’, which reflects a mixture of both risks and opportunities.

A circular process model can only work if we can move from Plan to Do to Check to Act and then feed back into the Plan element – in other words – the risk and opportunities that happen in the risk journey can be inhibitors and enablers to us achieving a consistent process of PDCA.

Figure 1: The PDCA cycle

It should be remembered that although PDCA seems to be a very linear reflection of processes, one can only achieve this linear progression with consistent delivery of each stage of the process – be it the highest strategic planning or assembling the cheapest component.

This is why risk, certainly in terms of ISO 31000, can be iterative as well as linear. In reality, this also applies to the ISO 9000 family of standards. The need for consistency in product delivery processes was a given long before risk and opportunities became familiar terms.

Organisations that are implementing, for example, ISO 9001 or ISO 27001 today may express concern about a risk-based approach to management. However, we must consider that the difference between Plan and Do reflects the assessed risk against the actual outcomes to date; and Check and Act, in turn, reflect how effective we are at identifying and controlling both actual and emerging risks, and then devising countermeasures in response to those controls that are not effective. This involves many decisions that the leadership team need to agree and implement.

This leads on to the tricky part – lots of risk-based decisions need to be made at each of the PDCA stages. These will be based on what the organisation and its stakeholders want, and how the leadership team chooses to pursue its desired goals, while maximising opportunities and mitigating risks. This is all very easy to say of course. A management system exists to provide a framework to do this and provide management information every step of the way or – to put it another way – let’s go back to ISO’s statement that “the purpose of risk management is the creation and protection of value.”

In any event, the ISO 9000 family of standards isn’t necessarily consistent in the way risk is defined. Some standards, such as ISO 27001:2022 (for information security management systems) and ISO 22000 (food safety management systems), define – and structure the standard itself – around a clearly understood industry expectation of risk and the response to it. Others, such as ISO 9001, are more generic in terms of being risk based, so they can apply to an extremely wide range of organisational types and sizes. In fact, it could be argued that risk management has become somewhat siloed, even though, e.g., safety, information security and financial risk have a number of surprising commonalities.

This shouldn’t be seen as an inhibitor. Every organisation that wants to have an external assessment against one of these standards needs to come up with its own approach to opportunities and risk that meets its obligations, goals and priorities. This is where documents such as Annex SL and ISO 31000 can stimulate strategic thinking and practical strategies for implementing a management system that could be externally assessed.

In the process of considering all this we will also look at the lessons of other management system approaches, e.g. COBIT® 5 and CoCo which, although defined for specific purposes, can assist in understanding how a risk-based management system can be crafted.

The purpose of the management system isn’t just to provide a consistent approach to processes or even, in the worst case, a consistent bureaucracy. It should manage both opportunities and the risks that can impact upon them.

What is the risk universe?

So, rather than trying to define ‘what is risk?’, perhaps we should also look at the universe around this term.

The term risk universe can be interpreted in a number of ways, but in our context it is the total number of risks an organisation – or a business or professional sector – takes or might face. This can be broken down into different silos or specialities, e.g. operational risks, financial risks, regulatory risks, technological risks, etc. Broadly within this definition, there is a distinction between strategic risks and those which are tactical. Equally, the distinction between risks voluntarily accepted and those that cannot be directly influenced (such as political risk or extreme weather events) can be seen. Risks that can’t be influenced to the level that aligns with the risk appetite of the organisation might suggest more resources devoted to business continuity and/or wider risk transfer mechanisms, such as insurance.

In this pocket guide, we will look at some sector-specific approaches to risk that can inform a much wider risk universe, and as explained in the Introduction, we will consider wider insights that we can derive from sector-based frameworks and protocols.

One good example concerns the risks and benefits relating to remote working. Although the main focus will be on, for example, ISO 27001 compliance, there are other risks relating to health and safety (e.g. display screen equipment regulations); there are productivity risks, impacts on teamwork and impacts on the induction of new staff members, etc. To break that down further to, for example, the use of Wi-Fi in remote locations, we have regulatory risks (such as the General Data Protection Regulation (GDPR)), productivity risks (which might be positive or negative), the greater risk of phishing attacks, and the financial and technical implications of investing in a wider virtual private network (VPN). It is obvious that the decisions that need to be made here aren’t simply those concerning information security; wider risks are involved. ISO 31000 can help develop a mindset that sees these interrelationships where the circumstances might not be so obvious.

In the next chapter, we will look at ISO 31000:2018 and how this can also influence risk-based thinking (RBT) applied to the ISO 9000 family of standards.

[3] ISO 9001:2015.

[4] ISO 31000:2018.

[5] IWA 31:2020, Risk management – Guidelines on using ISO 31000 in management systems, www.iso.org/standard/75812.html.

[6] W. Edwards Deming (1900–1993) was an engineer, statistician and business thinker who developed the PDCA Cycle based on the work of a fellow American, Walter A. Shewhart (1891–1967), who had developed a statistical process model that was expressed as a circular process cycle. Both the Shewhart and Deming Cycles have not only influenced Annex SL and ISO standards, but also other respected approaches such as Kaizen and Lean.
