What events do not need to be included in ERM?

Article by Prof. Hernan Huwyler, MBA, CPA, CAIO
AI GRC Director | AI Risk Manager | Quantitative Risk Lead
Speaker, Corporate Trainer and Executive Advisor
Top 10 Responsible AI and Risk Management by Thinkers360

When Risk Assessment Must Happen And What Actually Constitutes A Risk: Foundational Principles For Enterprise Risk Management

Risk Assessment Must Precede Decisions, Not Follow Them

The most fundamental and most frequently violated principle of enterprise risk management is that risk assessment must be conducted before decisions are made. Before an investment is committed. Before a business plan is approved. Before a strategic initiative is authorized. Before resources are allocated to a course of action. The entire purpose of risk assessment is to inform the decision, not to document the uncertainties that remain after the decision has already been taken.

This principle is not a matter of professional preference. It is an explicit requirement of every major risk management framework.

ISO 31000:2018 establishes that risk management must be integrated into organizational processes, including governance, strategy setting, planning, and decision-making. Clause 5.4.1 states that the purpose of risk assessment is to support decisions, and Clause 5.2 requires that risk management be embedded in all activities of the organization, which necessarily includes the planning and approval processes through which strategic and operational decisions are formalized.

The COSO Enterprise Risk Management Integrating with Strategy and Performance framework, updated in 2017, positions risk assessment within the Strategy and Objective-Setting component, meaning that risk is evaluated as part of the process through which the organization selects its strategy, defines its objectives, and establishes the performance targets against which it will measure success. Under this framework, the risk appetite is defined during strategy setting, and the risk assessment is conducted before objectives are finalized, not after they have been approved and communicated to the organization.

The IIA International Standards for the Professional Practice of Internal Auditing reinforce this orientation by requiring that the internal audit function evaluate the effectiveness of risk management processes, including whether risks are identified and assessed in connection with organizational objectives and strategic decisions.

When risk assessment is performed after a decision has been made, it ceases to be risk management. It becomes risk documentation. The decision has already been taken, the resources have already been committed, and the assessment becomes a retrospective exercise that identifies exposures the organization has already accepted, knowingly or unknowingly, without the opportunity to modify the decision, adjust the plan, or establish appropriate risk treatments before the exposure is incurred. This sequence is precisely the condition that produces strategic surprises, budget overruns, and governance failures.

What Risk Assessment Actually Evaluates: The Assumptions Behind The Plan

A risk assessment conducted in support of a business decision does not evaluate abstract or theoretical risks. It evaluates the assumptions upon which the business plan, the investment case, or the strategic initiative depends. Every business plan is constructed on a set of assumptions about future conditions: projected revenues, cost structures, market demand, input prices, competitive dynamics, regulatory stability, operational capacity, and execution timelines, among others. The plan's financial projections and expected outcomes are only as reliable as these assumptions. Risk assessment exists to test them.

The two core dimensions of every risk assessment are probability and impact, and both must be evaluated in direct relationship to the assumptions of the specific plan under consideration.

Probability measures the likelihood that an event or condition will occur that causes an assumption to prove incorrect. It may be expressed as a percentage, a frequency, a qualitative rating, or a probability distribution, depending on the nature of the risk and the sophistication of the assessment methodology. The purpose of probability assessment is to challenge the implicit optimism that most business plans contain and to identify the events and conditions most likely to cause the plan to deviate from its expected trajectory.

Financial impact measures the monetary consequence that would result if the assumption proves incorrect, expressed in terms of the effect on the plan's projected revenues, costs, margins, cash flows, or capital requirements. Impact assessment translates uncertainty into the financial language that decision-makers require. A risk that has high probability but negligible financial impact may warrant monitoring but not mitigation. A risk that has low probability but catastrophic financial impact may warrant significant investment in contingency planning or risk transfer. Without impact quantification linked to the specific plan under review, the risk assessment cannot inform the decision it is meant to support.

Three Categories Of Risk To Business Plan Assumptions

The risks that threaten business plan assumptions manifest in three distinct forms, each requiring different analytical approaches.

Volatility of assumptions refers to the continuous variability in key drivers that the plan treats as fixed or narrowly bounded. Commodity prices, interest rates, foreign exchange rates, energy costs, labor market conditions, and demand elasticity are all subject to ongoing fluctuation that can cause actual outcomes to diverge significantly from the plan's projections. Volatility risk is best analyzed through sensitivity analysis, which tests how changes in individual variables affect the plan's outcomes, and through Monte Carlo simulation, which models the combined effect of simultaneous variation in multiple assumptions across thousands of scenarios to produce a probability distribution of potential outcomes. These techniques reveal the range of financial results the plan could produce under realistic variation of its assumptions, replacing the false precision of a single-point forecast with a distribution that reflects the genuine uncertainty.
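The following Python model is an added illustration and is not from the article or its author. It applies the two techniques named above to a constructed business plan: a one-at-a-time sensitivity analysis that ranks the plan's drivers by how far a 10% shock moves profit, and a Monte Carlo simulation that varies all three assumptions at once to produce a distribution of outcomes around the single-point forecast. The baseline figures, the volatility per assumption, and the profit formula are all assumptions chosen for the example.

```python
import random
import statistics

# Constructed baseline assumptions of an illustrative business plan (not from the article).
BASELINE = {"volume": 100_000.0, "price": 12.0, "unit_cost": 8.0}
FIXED_COST = 250_000.0

# Assumed volatility of each driver: standard deviation as a fraction of its baseline value.
VOLATILITY = {"volume": 0.15, "price": 0.05, "unit_cost": 0.08}


def plan_profit(assumptions):
    """Single-point plan outcome: contribution margin less fixed cost."""
    a = assumptions
    return a["volume"] * (a["price"] - a["unit_cost"]) - FIXED_COST


def sensitivity(shock=0.10):
    """One-at-a-time sensitivity: profit change when each driver moves +/- shock."""
    base = plan_profit(BASELINE)
    swings = {}
    for key in BASELINE:
        up = dict(BASELINE, **{key: BASELINE[key] * (1 + shock)})
        down = dict(BASELINE, **{key: BASELINE[key] * (1 - shock)})
        swings[key] = (plan_profit(up) - base, plan_profit(down) - base)
    return swings


def rank_drivers(shock=0.10):
    """Drivers ordered by the largest absolute profit swing they can cause."""
    swings = sensitivity(shock)
    return sorted(swings, key=lambda k: max(abs(v) for v in swings[k]), reverse=True)


def monte_carlo(runs=10_000, seed=42):
    """Vary all assumptions simultaneously and summarise the resulting profit distribution."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    profits = []
    for _ in range(runs):
        sample = {k: rng.gauss(v, v * VOLATILITY[k]) for k, v in BASELINE.items()}
        profits.append(plan_profit(sample))
    profits.sort()

    def percentile(p):
        return profits[int(p * (runs - 1))]

    return {
        "baseline": plan_profit(BASELINE),
        "mean": statistics.fmean(profits),
        "p10": percentile(0.10),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "prob_loss": sum(1 for p in profits if p < 0) / runs,
    }


if __name__ == "__main__":
    print("Driver ranking by sensitivity:", rank_drivers())
    for name, (up, down) in sensitivity().items():
        print(f"  {name:>9}: +10% -> {up:+,.0f}   -10% -> {down:+,.0f}")
    result = monte_carlo()
    print("Single-point forecast:", f"{result['baseline']:,.0f}")
    print("Simulated P10 / P50 / P90:",
          f"{result['p10']:,.0f} / {result['p50']:,.0f} / {result['p90']:,.0f}")
    print("Probability of a loss:", f"{result['prob_loss']:.1%}")
```

The sensitivity table shows which single assumption deserves the most scrutiny (here the price assumption, because it moves margin directly), while the simulated P10/P90 band and the probability of a loss replace the single-point forecast with the range the plan could actually produce. Neither number appears in the plan's own projections, which is exactly the information a decision-maker needs before approval.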

Discrete events are specific, identifiable occurrences that may or may not happen during the plan's time horizon. They are typically characterized by a definable probability and a significant impact that would alter the plan's trajectory if the event materializes. Examples include a major regulatory change, the entry of a new competitor, the loss of a key customer or supplier, a supply chain disruption, a technology failure, or a geopolitical event affecting a critical operating jurisdiction. Discrete events are best evaluated through scenario analysis, which constructs alternative versions of the plan's environment and tests the plan's resilience under each scenario. Unlike volatility, which represents continuous variation around a central tendency, discrete events represent step-changes in the operating environment that can invalidate entire categories of assumptions simultaneously.

Incidents and operational failures are events that originate within the organization's own operations and processes, such as IT system outages, fraud events, quality failures, workplace safety incidents, or environmental breaches. These events threaten the plan's assumptions about operational continuity, cost stability, and execution capacity. They are typically assessed through probability-impact analysis and evaluated against the organization's operational risk framework and loss experience data.

A comprehensive risk assessment addresses all three categories because each affects the plan's assumptions through different mechanisms, operates on different time scales, and requires different risk response strategies.

What Is Not A Risk: Known Costs And Budgeted Events

One of the most common errors in enterprise risk management is the treatment of known costs and recurring events as risks. They are not.

If an event is certain to occur, if its timing is known, and if its financial impact can be determined with reasonable precision, it is not a risk. It is a cost. It belongs in the budget, not in the risk register. The defining characteristic of risk is uncertainty, whether in the probability of occurrence, the timing, the magnitude of the impact, or some combination of these. When uncertainty is absent, risk management has no role to play.

For example, a commercial lease with a contractual annual escalation clause does not create a risk of increased occupancy costs. The increase is contractually defined, its timing is known, and its amount is calculable. It is a budgeted cost. Similarly, a contract that contains a penalty clause for nonperformance does not create a risk at the moment the organization decides to breach the contract. At the point of the decision, the organization knows that the penalty will be incurred, it knows the amount, and it knows when it will be payable. The penalty is a known cost of the decision, not a risk. It should be included in the financial analysis of the decision as a certain cash outflow, not assessed in the risk register as an uncertain event.

Recurring operational events that the organization experiences with predictable frequency and predictable cost, such as routine warranty claims, expected employee turnover within normal ranges, standard maintenance expenditures, or seasonal demand fluctuations that fall within historical patterns, are similarly not risks. They are normal operating costs that should be reflected in the operating budget and financial projections of the business plan. Treating them as risks inflates the risk register with items that do not require risk management action and dilutes the attention and resources that should be directed toward genuine uncertainties.

The boundary between a known cost and a risk is the presence of meaningful uncertainty. When a warranty program historically generates claims at a consistent rate within a narrow band, the expected claims are a budgeted cost. When a product recall event could generate claims at a magnitude far exceeding historical norms, that potential event is a risk. The distinction is not about whether the cost category exists in the budget. It is about whether the specific event or condition under consideration could produce an outcome that deviates materially from what the plan assumes.

How Risks Should Be Treated: Contingencies, Insurance, And Reserves

Once genuine risks have been identified and assessed, the organization must decide how to treat them. The appropriate risk response depends on the nature of the risk, its probability and potential impact, the organization's risk appetite, and the cost of the available response options.

Risk contingencies are pre-planned responses that the organization will activate if a specific risk event materializes. Contingency plans define the actions, resources, and decision authorities that will be deployed in response to identified risk scenarios. Financial contingencies, often expressed as contingency budgets or management reserves, provide the funding to execute these responses without requiring emergency reauthorization. A business plan that identifies significant risks but contains no contingency provisions for addressing them has not completed the risk management process. It has merely documented its exposures.

Risk transfer through insurance is the mechanism by which the organization shifts the financial impact of specific risk events to an insurer in exchange for a premium. Insurance is appropriate for risks that have low probability but high potential impact, where the cost of the premium is proportionate to the exposure, and where the insurance market offers coverage that matches the organization's specific risk profile. The existence of insurance coverage does not eliminate the risk. It transfers the financial consequence. The operational impact, the reputational impact, and the management attention required to respond to the event remain with the organization. Insurance should be integrated into the risk assessment as a response mechanism, and the adequacy of coverage should be evaluated against the organization's assessed risk exposure.

Reserves are financial provisions established to absorb the impact of risks that are probable and estimable but whose precise timing or amount remains uncertain. Under accounting standards including IAS 37 Provisions, Contingent Liabilities and Contingent Assets and ASC 450 Contingencies, organizations are required to recognize provisions for risks that meet specific probability and measurability thresholds. Reserves differ from contingency budgets in that they are recognized in the financial statements as liabilities or provisions, whereas contingency budgets are typically held as unallocated funds within the approved budget.

The selection among these treatment mechanisms, along with risk avoidance, risk mitigation through controls, and risk acceptance, should be documented as part of the risk assessment and presented to the decision-makers alongside the business plan. When a board or executive committee approves a business plan, they should understand not only the plan's expected outcomes but also the risks that threaten those outcomes, the treatments that management proposes, and the residual risk that the organization will carry after those treatments are applied.

A Failed Control Is Not A Risk: Understanding The Vulnerability-Threat-Risk Chain

One of the most pervasive conceptual errors in enterprise risk management is the classification of failed or deficient controls as risks. A failed control is not a risk. It is a vulnerability.

The distinction matters because it determines whether the organization responds with the correct framework and the correct set of actions. Risks, vulnerabilities, and threats are different concepts that interact in a specific causal sequence, and conflating them leads to risk registers that are cluttered with control deficiencies rather than genuine risks, risk treatment plans that focus on fixing controls rather than addressing the threats that exploit them, and governance reporting that overstates the organization's risk profile by counting every process weakness as a risk.

The correct analytical sequence, well established in information security risk management through ISO 31000, ISO/IEC 27005, and the NIST Risk Management Framework but equally applicable to enterprise risk management, operates as follows.

A vulnerability is a weakness or deficiency in a process, system, or control that could be exploited. A segregation of duties conflict in the ERP system is a vulnerability. An inadequate third-party due diligence procedure is a vulnerability. An unpatched server is a vulnerability. A missing approval step in the procurement workflow is a vulnerability. Each of these conditions represents a weakness that increases the organization's susceptibility to harm, but none of them is a risk by itself.

A threat is an event, actor, or condition that could exploit a vulnerability. A fraudulent employee is a threat. A cyberattacker is a threat. A regulatory enforcement action is a threat. A market disruption is a threat. Threats exist independently of the organization's vulnerabilities, but they can only cause harm when they encounter a vulnerability that they are capable of exploiting.

A risk exists when a threat is capable of exploiting a vulnerability in a way that produces a measurable impact on a defined objective. The risk is not the vulnerability. The risk is not the threat. The risk is the combination of the threat, the vulnerability, and the impact on objectives, assessed in terms of probability and consequence. Under the ISO 31000 definition, risk is the effect of uncertainty on objectives. A vulnerability that exists but faces no credible threat does not constitute a risk to objectives. A threat that exists but encounters no vulnerability it can exploit does not constitute a risk. Only when threat and vulnerability intersect in a manner that could affect the achievement of a measured objective does a risk exist.

This chain has direct practical implications for how organizations should manage their risk registers and their control remediation programs. When an internal audit identifies a control deficiency, the appropriate response is to evaluate the deficiency as a vulnerability, assess the threats that could exploit it, determine whether the exploitation would affect a measured objective of a business plan or strategy, and only then classify the resulting exposure as a risk if the analysis supports that conclusion. Control deficiencies that face no credible threat, or that would not affect measured objectives even if exploited, should be remediated as process improvements but should not populate the enterprise risk register.

This distinction also prevents the common problem of risk registers that contain hundreds of control-level findings, each classified as a risk, which overwhelms leadership with operational detail and obscures the genuine strategic and financial risks that require governance attention.
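The following Python triage routine is an added example, not the article's own material, and it serves two of the sections above: the rule that a certain, scheduled, calculable event is a budgeted cost rather than a risk, and the vulnerability-threat-risk chain under which a control deficiency enters the register only when a credible threat could exploit it in a way that affects a measured objective. The `Finding` fields, the disposition names, and the sample findings are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Disposition(Enum):
    BUDGET = "budgeted cost in the plan's financials"
    REMEDIATE = "control remediation (a vulnerability, not a risk)"
    RISK_REGISTER = "risk register"
    NOT_A_RISK = "no action under the risk framework"


@dataclass
class Finding:
    """A candidate register item as it might arrive from audit, planning or operations (constructed schema)."""
    name: str
    probability: float                         # estimated likelihood over the plan horizon (1.0 = certain)
    impact: float                              # financial impact on the plan if it occurs
    timing_known: bool = False                 # is the date of occurrence contractually or otherwise fixed?
    amount_known: bool = False                 # can the amount be calculated with reasonable precision?
    vulnerability: Optional[str] = None        # weakness or deficiency that could be exploited
    credible_threat: Optional[str] = None      # actor, event or condition able to exploit it
    affected_objective: Optional[str] = None   # measured plan objective that the exploitation would move


def triage(f: Finding) -> Disposition:
    # Certain, scheduled and calculable: a cost that belongs in the budget, not the register.
    if f.probability >= 1.0 and f.timing_known and f.amount_known:
        return Disposition.BUDGET
    # Threat x vulnerability x impact on a measured objective, with uncertainty remaining: a risk.
    if f.vulnerability and f.credible_threat and f.affected_objective and f.probability > 0:
        return Disposition.RISK_REGISTER
    # A weakness nobody can credibly exploit, or whose exploitation would not move a
    # measured objective, is fixed as a process improvement and stays off the register.
    if f.vulnerability:
        return Disposition.REMEDIATE
    return Disposition.NOT_A_RISK


def expected_loss(f: Finding) -> float:
    """Probability-weighted impact, used to order register items."""
    return f.probability * f.impact


def build_register(findings):
    """Group findings by disposition; register items are sorted by expected loss, largest first."""
    groups = {d: [] for d in Disposition}
    for f in findings:
        groups[triage(f)].append(f)
    groups[Disposition.RISK_REGISTER].sort(key=expected_loss, reverse=True)
    return {d: [f.name for f in items] for d, items in groups.items()}


# Constructed sample findings mirroring the article's examples.
SAMPLE_FINDINGS = [
    Finding("Lease escalation clause, 3% per year", 1.0, 36_000, timing_known=True, amount_known=True),
    Finding("Unpatched isolated test server", 0.3, 5_000, vulnerability="missing patches"),
    Finding("Missing approval step in procurement", 0.2, 1_000,
            vulnerability="missing approval control", credible_threat="fraudulent employee"),
    Finding("SoD conflict in ERP payments", 0.1, 500_000, vulnerability="segregation of duties conflict",
            credible_threat="fraudulent employee", affected_objective="operating cost"),
    Finding("Key supplier insolvency", 0.15, 2_000_000, vulnerability="single-source dependency",
            credible_threat="supplier insolvency", affected_objective="delivery timeline"),
]


if __name__ == "__main__":
    for disposition, names in build_register(SAMPLE_FINDINGS).items():
        print(f"{disposition.value}:")
        for n in names:
            print("  -", n)
```

Only the two findings with a named vulnerability, a credible threat and a measured objective reach the register; the lease escalation goes to the budget, and the two control deficiencies without a complete chain become remediation items, which keeps the register to the exposures leadership actually has to decide on.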

Uncertainty Versus Risk: Why The Distinction Matters For Decision-Making

ISO 31000 defines risk as the effect of uncertainty on objectives, which means that uncertainty is an intrinsic component of risk. However, uncertainty and risk are not the same thing, and the distinction has practical consequences for how events are managed.

Risk involves uncertainty that can be characterized, at least approximately, in terms of probability and impact. Even when precise quantification is not possible, the organization can establish a range of likely outcomes, assign qualitative probability ratings, and estimate the order of magnitude of potential consequences. This characterization is what makes risk manageable. It enables the organization to compare risks, prioritize them, allocate resources proportionately, and select appropriate treatment strategies.

Deep uncertainty involves situations in which the probability of the event, the magnitude of its impact, or both are fundamentally unknown. The organization cannot assign a meaningful probability because it lacks the information, the historical data, or the conceptual framework to do so. Under these conditions, traditional risk assessment techniques that depend on probability-impact estimation are not effective. Deep uncertainty requires different approaches, including robust decision-making frameworks, adaptive strategies that perform reasonably well across a wide range of scenarios, and real-options thinking that preserves flexibility and defers irreversible commitments until more information becomes available.

The practical implication for business plan approval is that the risk assessment should clearly distinguish between risks that can be assessed with reasonable confidence, risks that involve significant estimation uncertainty and should be treated with wider contingency ranges, and areas of deep uncertainty where the plan's assumptions may be fundamentally untestable. Decision-makers who are presented with a risk assessment that treats all uncertainties as equally measurable are receiving a misleading picture of their exposure.

The Temporal Dimension: Risk Exists Before The Event, Not After

Risk assessment is inherently forward-looking. It evaluates events and conditions that may occur in the future and that could affect the achievement of the plan's objectives. This temporal orientation is what makes risk assessment valuable for decision-making: it provides the information needed to anticipate, prepare for, and respond to threats and opportunities before they materialize.

Once an event has occurred, it is no longer a risk. It is a reality that must be managed through incident response, crisis management, or operational decision-making. The frequently cited observation that rain is not a risk when it is raining captures this principle concisely. When the event has materialized, the uncertainty is resolved, and the appropriate management framework shifts from risk management to operational response.

This distinction has important implications for how organizations manage their risk registers over time. Risks that have materialized should be removed from the risk register and transferred to the appropriate operational management framework, whether that is an incident management process, a crisis management protocol, or a remediation program. A risk register that retains events that have already occurred becomes a historical record rather than a forward-looking management tool, and it fails to serve its primary purpose of informing decisions about future exposure.

Similarly, risks that were identified during the planning process but were not treated in time become issues that require immediate management attention. The contingency plan, which was designed to be activated if the risk materialized, becomes the operational plan. The risk management framework did not fail in this scenario, provided that the risk was identified and the contingency was prepared. What failed is the organization's ability to prevent or mitigate the event before it occurred, which is a different evaluation.

Risk Impact Is Multi-Dimensional

A single risk event can produce impacts across multiple dimensions simultaneously, and a comprehensive risk assessment must capture this multi-dimensionality.

Financial impact includes direct costs, revenue losses, margin compression, increased capital requirements, penalty payments, litigation costs, and remediation expenses. Financial impact is typically the primary dimension that decision-makers focus on because it translates directly into the plan's projected financial outcomes.

Operational impact includes disruption to business processes, loss of productive capacity, supply chain interruption, and degradation of service delivery. Operational impacts may precede, cause, or compound the financial impact and should be assessed in terms of their duration and severity.

Legal and compliance impact includes regulatory sanctions, enforcement actions, license revocations, contractual breaches, and litigation exposure. These impacts may carry financial consequences that exceed the direct cost of the triggering event, particularly in regulated industries where a single compliance failure can result in enterprise-threatening penalties.

Reputational impact includes loss of customer trust, damage to brand equity, reduced investor confidence, and diminished ability to attract talent or business partners. Reputational impacts are the most difficult to quantify but can be the most consequential over the long term.

A risk event may create different probability and impact profiles across each of these dimensions, and in some cases the information available may be sufficient to characterize the impact with confidence in one dimension while remaining deeply uncertain in another. The risk assessment should present this multi-dimensional view transparently. Where the impact in one or more dimensions is effectively certain while remaining uncertain in others, the certain impacts should be treated as costs and included in the plan's financial projections, while the uncertain impacts should be assessed and treated through the risk management framework.

From Risk Registers To Decision-Quality Intelligence

Enterprise risk management is not an administrative exercise that produces risk registers for audit review. It is the discipline through which organizations generate the decision-quality intelligence that boards, executive committees, and investment committees need to approve business plans, authorize investments, and commit resources with informed confidence.

A risk assessment that arrives after the decision has been made is too late. A risk register that contains known costs alongside genuine risks is unfocused. A register that classifies control deficiencies as risks is conceptually confused. An assessment that treats all uncertainties as equally measurable is misleading.

The organizations that derive genuine strategic value from enterprise risk management are those that have established the discipline to assess risks before commitments are made, the analytical rigor to distinguish between genuine risks, known costs, vulnerabilities, and deep uncertainties, the governance maturity to present risk-adjusted scenarios alongside baseline plans for informed approval, and the operational commitment to maintain contingencies, insurance, and reserves proportionate to the exposures they have accepted. These are not aspirational capabilities. They are the foundational requirements of effective governance in any organization that operates under uncertainty, which is to say every organization.


References

International Organization for Standardization. ISO 31000 Risk Management Guidelines

Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management Integrating With Strategy And Performance

Committee of Sponsoring Organizations of the Treadway Commission. Internal Control Integrated Framework

Leading market practice in risk adjusted planning, scenario analysis, contingency planning, and control deficiency evaluation

