It is important to understand the definition of risk as the basis for an effective risk program that supports the organisational purpose and strategic objectives, and therefore business performance and success.

ISO 31000 defines risk as the “effect of uncertainty on objectives”, with Note 1 adding context: “Note 1: An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.”



The intention is clearly that “risk” entails consideration of both the positive and the negative effects of uncertainty on objectives.

Using the term “risk and opportunities” has two problems associated with it.

  1. First problem: Putting the terms “risk” and “opportunities” next to one another implies that they are different and mutually exclusive; otherwise you would use only one. It reinforces the incorrect view that risk only has a negative effect. That is not true, as shown by the stated definition of risk and by the following practical example:
    • To start a business or develop and operationalise a product you have to take risk. In fact, if you take too little risk, your competitors might leave you behind or you may move too slowly. On the other hand, if you take too much risk, you could go over the cliff. The art is to take appropriate levels of risk in the context of the organisation (or part of the organisation) and in support of well-considered objectives.
  2. Second problem: Because the positive effect of uncertainty, which may result in opportunity taking, is already covered by “risk” as per the previous point, the term “risk and opportunity” places a double emphasis on opportunity by stating it separately as well.

The purpose of risk management is the creation and protection of value (ISO 31000), and both creation and protection inform the “value creation” that is expected of the governing body as per ISO 37000 (Governance of organisations). The King IV Corporate Governance Code also recognises in its definition that “risk includes uncertain events with a positive effect on the organisation (i.e. opportunities)”. (This definition was, however, not consistently applied after the initial definition was changed based on comments provided.)

This reality is also recognised in sayings such as “we are taking risk for reward”. In fact, not taking well-considered risks is one of the biggest problems in a fast-changing world. Change is the only constant, whether via a big change program, a project or continuous improvement. And it is universal, even for medical equipment. You take risk to develop and introduce a heart pacer. You do not just try to bring the risk down. We are always looking for the potential to do things more effectively, faster and cheaper in support of well-considered strategic objectives.

About RISTCO (Pty) Ltd

RISTCO = RIsk STrategy COrrelated

RISTCO is an internationally active governance, strategy, risk and performance management consulting and training house. It provides bespoke or general training that also includes international standard certification training via an ISO 17024 accredited Certification Body, PECB. Kindly refer to the RISTCO consulting services and the training calendar.