As if he held the truth somehow to be self-evident, Jim DeLoach of Arthur Andersen, in a landmark paper written in 1995, prescribed the need for a common risk language in any enterprise risk management (ERM) initiative. Without any apparent fear of contradiction, he stated the need for a common risk language as gospel truth. I have never seen any evidence presented that this is the case now (or was the case then). I have still never seen any cogent case mounted to support the assertion. Yet I have seen the same claim reiterated almost universally. In my view, far too much time is spent in ERM on the issue of language. There is no need to invent or impose a new language in relation to management of risk or loss or failure; on the contrary, it is downright dangerous to do so. The nearer we stay to dictionary or generally-accepted definitions of terms, the better. Let's be careful, as far as possible, to stick to terms as they are understood in general usage. When in doubt, refer to the OED and be prepared to explain meanings.
The notion that all sectors and disciplines should abandon their existing languages and terminologies in favour of an ISO-imposed approach (or any other approach) is neither realistic nor, if it were, even helpful. Such attempts at creating 'corporate newspeak' are seldom sustainably successful; people simply revert to how they always used terms or the common definitions of terms borrowed for the purpose.
My argument would be that the language is not the issue. Nor is the problem the use of specific terms – appetite, preference, tolerance, limits. By and large, the meaning of these words qua terms is clear. As Gareth Morgan has pointed out, they are simply metaphors that are more or less meaningful and resonate with users, and so persist and fall into common usage. Most of the technical arguments around preferences and tolerances are dwarfed (in my experience) by misapprehensions about quantification and what can and cannot be counted or measured reliably.
After all, perhaps the most misused term in the whole field is "risk" itself. ISO makes a passing nod at the issue of uncertainty, but the different types of uncertainty or sources of uncertainty, while well articulated in the strategy literature, are almost never referred to in the same documents insisting that a common definition of risk be adopted. Epistemological issues of uncertainty are unaddressed by ISO yet are so critical as to have created a post-crisis fissure in the field of risk in financial economics.
As Knight pointed out in the 1920s, uncertainty is partially a knowledge problem, but also partly an insoluble problem of subjective estimation of an unknowable future. These differences are not splitting hairs or purely semantic; they cannot be solved with a common language. They are fundamental problems of limits to the potential efficacy of risk management practice. They are the real boundary issues in risk.
The on-going ISO-led attempt to use "risk" differently from both common usage (i.e. possibility of loss) and previous technical usage (i.e. Knightian 'risk') is hardly the right starting point for expanding effective risk practice. Nor is the assumption of the need for a vocabulary that is externally imposed rather than one derived from existing, accepted uses of terms in finance, statistics, economics or other relevant disciplines. You will never persuade an engineer that in relation to risk, the term 'tolerance' means something different from the dictionary definition or the common engineering usage. So why bother? I am not denying the importance of accuracy or clarity. I am merely questioning the utility of arguing that people's existing knowledge of terms needs to be overturned for form. I just think it is the wrong place to start.
So let’s look at the issue empirically.
Many organisations that have invested extensively in common definitions for risk and from industries where risk comes with clearly understood meanings have failed. I am sure that many that have invested systematically in consistent interpretations have not failed. Neither set of observations proves or disproves the point. Most management of risk in most (non-financial sector) firms goes on despite rather than because of formal risk management systems (excluding treasury and risk transfer programmes). The vast majority of strategic decision-making is, currently, not conducted in terms that derive from risk management (of the ISO or any other variety), yet adaptive strategy is clearly one of the key elements of any firm's management of uncertainty in its strategic environment. Given that more than half of firm failures and material idiosyncratic value losses are attributable to strategic error or mis-step (according to BAH research last decade), this matters. It is not a matter, typically, of vocabulary.
In financial services, the underlying risk challenge is not one of use of terms; it is the availability and provenance of reliable securities data and structure of data for inter-bank and bank-regulator transmission and analysis. There is enormously useful work being devoted to this and quite properly. Here ISO (led by Karla McKenna of Citi) has a very important role to play as has SWIFT (in a group in which I used to participate). Or it is the application of valuation models pressed way beyond the limits of their original restrictive assumptions or the inferential utility of their underlying data. Neither of these is a vocabulary problem, at least in the semantic sense.
If the field of debate is, say, nuclear power, there will be an engineering language specifically around that and the physical risks associated with it. But the costs associated with both containment (engineering) and containment failure will be physical (introducing an existing vocabulary around radiation sickness) and financial, for which we already have a vocabulary.
I struggle with the notion that a 'common language' is necessary here. Or, more precisely, a new common language. My argument is that we already have all the terminologies we need within the different disciplines represented in the firm. Ultimately, to provide "common criteria to allow decision-makers to compare dissimilar risks," everything has to be reduced to a comparable basis; to a number – cost or loss – or to a probability or confidence interval (however calculated) or both. Therefore, that number is ultimately financial and the languages are finance and statistical inference or probability. There are already languages for all of these. Why attempt to develop a new one when perfectly acceptable ones already exist?
Everyone brings personal and professional experience of risk to what they do. The role of the risk manager is not to alter, amend or correct that experience to fit terms. It is to provide a bridge between people's existing experience and insights and to provide the common criteria to allow decision-makers to compare dissimilar risks. And, wherever practicable and useful, to quantify and ensure that the methods used for doing so, and for integrating the results, are analytically robust. Ultimately, the languages of risk are finance and physical harm and the operands are inference, causality and probability – statistics.
What we need is more realism about what we can and should be aiming to achieve in management of risk. People who have no particular knowledge of epistemological debates or cultural research methodologies or corporate financial management or statistical inference cannot suddenly be expected to be expert therein because of a new job title or a course on an ISO standard. Nor should risk managers expect others, who may be far better schooled in some of these areas, to conform to their restrictive interpretation of terms that bear on consideration of risk-taking and management of risk and uncertainty. For example, regardless of how simple they may make life, risk maps using point-based estimates of risk cannot, technically, be meaningful. And yet they are used extensively in corporate risk practice.
We should start with establishing a common basis for thinking analytically about uncertainty and the effect of potential alternative futures on corporate performance. We should examine the assumptions about the future that underpin our expectations of that performance and how it will be achieved. We should examine what has gone wrong elsewhere for lessons as to how wrong we may be in our assumptions and how the environment can shift unexpectedly in terms of context, macroeconomic conditions, consumption preferences or technology (and how we may position ourselves to exploit such changes). We should scan the environment for emerging risks or for indicators of such shifts in operating conditions. And we should be very careful – skeptical, indeed – about apparently self-evident truths. They are better left to the Founding Fathers.