Risk is an interesting concept because it has a number of definitions and interpretations. This bears on quality because the lack of consistency can make deployment difficult.
Two elements of risk can be seen in the definitions below: upside risk and downside risk. Some risk definitions cover both and others don’t.
Upside risk is opportunity risk, the reward that can be achieved in undertaking a new endeavor. Downside risk is the risk of loss. For example, project risk is the inability to achieve project objectives within cost, schedule, and quality constraints. Process risks are the risks of producing nonconforming products or services due to unstable and incapable processes.
Below are common risk perspectives and definitions:
- “The chance of something happening that will have an impact upon (business) objectives. It is measured in terms of consequences and likelihood.”[1]
- “A situation or circumstance, which creates uncertainties about achieving program objectives.”[2]
- “The possibility that an event will occur and adversely affect the achievement of objectives.”[3]
- “The risk of loss due to deficiencies in information systems, business processes, or internal controls as a result of internal or external events.”[4]
- “Risk is the probability that an event or action may adversely affect the organization or activity under review.”[5]
Elements of most risk definitions include the following:
- Defined process targets and business objectives exist.
- Expected and unexpected variation and variances result in higher risks.
- Harm or loss is possible as a result of variances.
- Probability of an undesirable event with critical consequences can be estimated.
Again, it’s critical that you establish a common definition of risk before you start any risk initiative.
[1] Australian/New Zealand Standard, AS/NZS 4360, Risk Management, 1999.
[2] FAA Programmatic Risk Management, 2002.
[3] COSO, Enterprise Risk Management Framework, COSO webpage, 2003.
[4] Trembley, Ara, “Raising the Level of Risk Assessment,” National Underwriter, May 1, 2000.
[5] IIA, “Standards for the Professional Practice of Internal Auditing,” Glossary, November 14, 2000.