‘Intangible’, ‘the effect of uncertainty on objectives’, ‘likelihood’, ‘probability’, ‘consequence’, and ‘impact’ – do these perennially-used terms add clarity to risk management practices or do they just dilute and confuse what we do? asks Tony Thornton, ERM and business continuity expert

Being intangible, invisible and inaudible, the concept of risk is difficult to understand – it’s like trying to understand the meaning of time. Therefore, we need a definition of ‘risk’ before we can start to apply it.

There are plenty around, and not all of them consistent. Take the international standard version – “the effect of uncertainty on objectives”. This is such a vague definition that it requires to be followed by five ‘notes’ to bring a little more clarity.

Besides, uncertainty has no effect on your objectives whatsoever. Objectives are decided by management, documented and cascaded down through the organisation. Where is the risk in that?

The risk is associated with ‘things’ that might occur which may somehow affect the achievement of these objectives and cause some action or review to take place. The Institute of Internal Auditors’ version of ‘risk’ alludes more closely to this.

Other definitions, including the Institute of Risk Management’s, introduce the concepts of ‘likelihood’ or ‘probability’, and ‘consequence’ or ‘impact’, or any other word of similar meaning, to reach a definition.

Risk is a vague enough concept without having to define it by using two equally vague concepts. ‘Probability’ is a theoretical value based upon hypothetical data. ‘Likelihood’ is just a reflection of someone’s instinct. ‘Impact’ and ‘consequence’ are nothing more than a best guess, often simplified to ‘worst case scenario’. What sensible executive would make a decision based upon hypotheses and guess work?

The fact is that ‘risk’ cannot and should not be defined. It should merely be recognised for what it is: a particular situation at a particular future time which, because of the nature of your business at that time, is of particular interest to you.

However, that situation is not isolated; it is part of a much bigger picture made up of other coinciding situations, which all interact and interconnect and which collectively make up the state of the present at that point. The particular situation which gives cause for interest is, furthermore, only part of a chain of events formed from multiple cause-and-effect pathways.

Recognition of this helps us to understand and to better influence those cause-and-effect pathways. For example, take a high-risk industry, say petrochemicals. A manager responsible for asset integrity might record in a risk register that ‘explosion occurring at the plant’ is a future risk. It’s not a risk; it’s an explosion at the plant. The reason that the explosion at the plant might occur is because of multiple cause-and-effect pathways all converging.

Multiple cause-and-effect pathways

For example, the concern that led this manager to record his risk might be ‘corrosion’. One possible cause-and-effect chain could be as follows:

The situation that the corrosion has reached levels so critical as to allow a loss of containment and subsequent ignition of a flammable gas has been caused by not managing corrosion levels effectively, which was caused by the lack of an effective asset integrity assurance programme, which has been caused by either the lack of such a programme or the failure to implement such a programme, which may be caused by poor management or a lack of resources, which may have been caused by lack of training or lack of recruitment, which may be caused by a lack of trainers, a lack of courses or cut-backs and lay-offs, which may have been caused by the company’s poor performance, which may have been caused by changes in the market, which may have been caused by the entry of a competitor with a new, alternative product… etc.

Furthermore, the explosion having taken place could cause a fatality or serious injury to a worker, which could cause the worker’s family to sue for compensation and to go to the press with claims of neglect and bad management, which could spread and escalate via social media, which could inspire a freelance journalist to undertake an investigation into the exposure of workers to hazardous situations in the petrochemical industry… etc.

Of course, there would be almost incalculable variations on the theme, and it is impossible to know where to intervene in an effort to influence these chains of events. If we were to try to define our ‘risk’ using our short analysis above, the ultimate description of the ‘risk’ is: ‘competitor introduces new product to market, causing freelance journalist to publish report on workers’ conditions’.

Redefining risks

Risk managers traditionally try to get over this problem by identifying the ‘event’ and then assessing the immediate causes and effects of that event, which in our example would probably be defined something like: ‘excessive corrosion levels lead to explosion, causing fatality and loss of production’.

But this is entirely misleading. The explosion is surely an outcome, the effect of something else: in this case, corrosion. So the ‘event’ is corrosion. Therefore, we can re-define the risk as follows: ‘lack of proper asset integrity programme causes unacceptable levels of corrosion leading to explosion’.

Once again, though, the unacceptable level of corrosion is the state of things at a future time, caused by something else. Furthermore, the description above does not capture the idea that someone could die. So once again we need to look at the multiple long, interplaying chains of cause-and-effect in order to properly understand our ‘risk’.

The notion of defining risk in terms of probability and impact is therefore necessarily based upon the following:

“Given examination and calculation of all of the possible interrelated cause-and-effect pathways that lead up to this part of the chain that I have decided to define as my ‘event’, as well as the examination and calculation of all the possible cause-and-effect pathways which are triggered by the ‘event’, I can estimate that the risk is ‘X’.”

Really, is someone arrogant enough to claim to be able to put a value on risk, having considered all of the factors? If the answer is ‘no’, then where is the value in describing risk in terms of ‘likelihood’ and ‘impact’? And to say that risk is about ‘uncertainty’ is a statement of the obvious, so how useful is that definition?

If risk can’t be defined, and it can’t be described, how we assess it is even more curious. Contemporary practice is to use a risk matrix: an impostor that has surely pulled off one of the most immense frauds ever to be introduced to business…