Keywords: enterprise risk, ISO, COSO, International Organization for Standardization, Committee of Sponsoring Organizations, international standards, risk definitions, uncertainty, defined objectives, arbitrary objectives, best solutions, value creation, consequence dimensions, impact scales, severity scales, risk perspectives, event impacts, associated uncertainties, probabilities, oil industry, Statoil, Norway, business continuity, risk management
On how to understand and express enterprise risk
In this paper, we address the problem of describing enterprise risk. Several international standards on risk management provide guidelines for this purpose, including the COSO enterprise risk management framework, which defines risk as the possibility that an event will occur that adversely affects the achievement of objectives, and the ISO standard on risk management, which defines risk as the effect of uncertainty on objectives. However, these perspectives on risk can be challenged, in particular the idea of founding the concept of risk on meeting defined objectives. Our concern is that such a perspective could easily lead to the wrong focus – meeting some more or less arbitrary objectives rather than finding the overall best solutions and measures from a value creation point of view. In the paper we argue that the consequence dimension of risk is better expressed by some impact or severity scales, in line with risk perspectives stating that risk has two main components: 1) the impact of events and consequences (outcomes); 2) the associated uncertainties (probabilities). An example case of a large oil company is used to illustrate the ideas and perspectives.