Ayse Nordal, B.Sc. and M.Sc. (METU), Licentiate (NHH)

  1. A little story

Let us assume that you are going to visit a new country and a new city. Unfortunately, you cannot speak the language of this country. You book a hotel and receive information about its location: it lies 4 km from the city center, a 20-minute walk. You receive a city map too, which you appreciate, since your mobile phone does not have a maps app. You also receive information about the airport train, which can take you to the city center.

The hotel informs you that a famous classical violinist is visiting the city and that tickets are available both for the day you arrive and for the day after. You order a ticket for the day you arrive. The concert starts 2 hours after your arrival.

When you arrive in the country, you find out that you forgot the map at home and that your mobile phone needs charging.

The situation you are in is a state of uncertainty. You lack the knowledge and information that would have ensured that you reach your hotel within the expected 20 minutes. COSO Enterprise Risk Management defines this state as follows: “not knowing how or if the potential events may manifest”. (1) Similarly, ISO defines the concept as follows: “Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood.” (2)

The only way to manage this uncertainty is to obtain more information.

According to ISO 31000, risk is the effect of uncertainty on objectives. An effect is a deviation from the expected. It can be positive or negative and can address, create, or result in opportunities and threats. (3) In our case, the threat is that you wander around the city for several hours without reaching your hotel, and miss the concert. However, the uncertainty can have a positive result too: the hotel may lie around the next corner, leaving you almost 2 hours at your disposal.

The risk definition in COSO ERM is: “The possibility that events will occur and affect the achievement of strategy and business objectives… events can have possible outcomes which should also be considered”. (4) COSO ERM's definition leads you to the same conclusions as the ones above.

You can manage the threat described above by proactive and/or reactive actions. For instance, you could manage the risk of deviating from the expected walking time and missing the concert by buying your ticket for the next day's concert instead. Another way to manage your risk would be to take a travel dictionary with you, as a proactive action. To be able to take advantage of the possible opportunity, you could have planned an extra activity that takes less than 2 hours.

The conclusion from our little story is that tackling uncertainty requires access to knowledge and information. The positive and negative deviations from the expected outcomes are managed by proactive and reactive risk management measures. The conclusion would be the same if our story were about a project, a process, a business unit, or an organization.

  2. Why did we tell the story?

Some project management sources use their own terminology for uncertainty and risk. They introduce the concept of uncertainty management, (5) defined as the sum of risk management and opportunity management. Under this definition, risk consists only of threats and undesired events. This terminology deviates fundamentally from the definitions in well-known standards and frameworks such as FERMA, ISO, and COSO. (6)

The following figure visualizes the difference:

Figure 1. Uncertainty and risk

The definition employed by these project management sources assumes that outcomes classified as risks can only take values below the expected outcome. This implies a particular, one-sided probability distribution for risk. Further, if you try to describe the figure above with mathematical equations, you will end up with two different ones: one is an addition, the other a conditional probability equation.
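To make the contrast concrete, the following is an added illustration, not part of the original article; the symbols and the exact form of the equations are assumptions made here, since the page does not give the author's own equations. Let $X$ be the outcome that matters for the objective (in the story, the walking time to the hotel), let $\mu = E[X]$ be the expected value, and let $D = X - \mu$ be the deviation from the expected, with the sign chosen so that $D < 0$ is unfavourable.

Under the project-management terminology, uncertainty is the sum of two separately managed parts:

$$
P(\text{uncertainty}) = \underbrace{P(D < 0)}_{\text{risk (threats)}} + \underbrace{P(D > 0)}_{\text{opportunity}}
$$

and the "risk" that a project risk register describes is only the lower tail, i.e. the conditional (truncated) distribution

$$
F_R(d) = P(D \le d \mid D < 0), \qquad d < 0 ,
$$

which by construction carries no information about the upside.

Under the ISO 31000 / COSO ERM definition, risk is the effect of uncertainty on the objective, so it is the whole deviation $D$ with its full distribution $F_D$, and the expected effect is one quantity with a negative and a positive part:

$$
E[D] = \int_{-\infty}^{0} d \, \mathrm{d}F_D(d) + \int_{0}^{\infty} d \, \mathrm{d}F_D(d) ,
$$

where the first integral is the threat side and the second the opportunity side of one and the same risk. (Where $D = 0$ exactly is placed is a matter of convention and does not affect the point.) The practical consequence for an organization is that a project register built on $F_R$ cannot be aggregated with an enterprise register built on $F_D$ without first agreeing on which of the two quantities "risk" means.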

  3. Do we need our own terminology in project management?

When defining its scope, ISO 31000:2018 underlines that the standard “…can be applied to any activity, including decision-making at all levels…” (7). In the same way, FERMA states that the Risk Management Standard “…is not something for corporations or public organizations, but for any activity whether short or long term…” (8). COSO ERM likewise underlines that “…concepts and principles of enterprise risk management set out in the publication apply to all entities regardless of legal structure, size, industry, and geography…” (9).

Organizations implement enterprise risk management by integrating it into all their activities, processes, and functions. If projects employ a set of concepts that differs considerably from the one used by the rest of the organization, this will not only make integration difficult but will also hinder internal communication in the organization.

Many organizations certify themselves to ISO management system standards. The terminology used by these standards builds on ISO 31000. For instance, ISO 9001 (quality management), ISO/IEC 27001 (information security management), and ISO 14001 (environmental management) all approach risk and uncertainty in the same manner.

Introducing a set of concepts to be used only by project management would complicate the certification work. Therefore, it would be a good idea to critically evaluate the terminology and agree on a common language in the organization.


  1. COSO, Enterprise Risk Management: Integrating with Strategy and Performance, June 2017, p. 110
  2. ISO 31000:2009, Risk management: Principles and guidelines, p. 2
  3. ISO 31000:2018, Risk management: Guidelines, p. 1
  4. COSO, op. cit., p. 9
  5. http://v1.prosjektnorge.no/index.php?subsite=pus&pageId=429
  6. FERMA (Federation of European Risk Management Associations), A Risk Management Standard, Brussels, 2003, p. 1
  7. ISO 31000:2018, op. cit., p. 1
  8. FERMA, op. cit., p. 1
  9. COSO, op. cit., p. 3

Y. Ayse B. Nordal
Photo credit: qrn/Annlaug

Ayse Nordal, course leader in Risk Management

Ayse Nordal holds a B.Sc. and M.Sc. in economics and statistics (technical university) and a licentiate in applied economics and macroeconomics (NHH). Her specialist areas are strategic planning, internal control and risk management, and she is a certified accredited risk manager (Risk Manager).



A Simple Scenario-based Qualitative Model for Assessing Start-up Risk

Author: Y Ayse Nordal

Quick Abstract
ISO 31000:2018 Risk Management Guidelines and the COSO 2017 Enterprise Risk Management framework have two important characteristics in common. Firstly, they connect risks with business objectives. Secondly, they define risks as potential events that represent both positive and negative deviations from the expected. When a start-up company assesses its risks…  See www.qrn.no/blog
