There has been much debate recently over the definition of risk management. Cutter Consortium recently surveyed IT managers about their organizations' risk management practices. Some interesting findings about the definition of risk surfaced.
Close to half of the respondents (49%) use the traditional definition of risk, in which risk is a "negative" and risk management primarily deals with the negative consequences of some event. Nearly the same number (44%) use a definition of risk that could include the positive consequences of some event as well as the negative ones, and they are evenly split between two such definitions. (See Figure 1 below.)

Figure 1 -- Definition of Risk
Robert Charette is a Cutter Consortium Fellow and author of a new report, The State of Risk Management 2002: Hype or Reality?, analyzing the results of this research. States Charette, "Within this second group, about half are using the definition of risk that explicitly includes positive or negative effects, and half define risk as being any deviation from a plan. Only 4% use the common accountant's definition of risk, 'the amount one can lose,' which most likely reflects our survey sample set of IT managers. The definition of risk as the difference between means and ends, which is often how risk is defined in gap analysis by strategic planners, was selected by merely 2%."
Charette took a deeper look at whether practicing "formal" risk management influenced an organization's definition of risk. Explains Charette, "We examined our data to see whether those using formal or informal approaches to risk management leaned one way or the other in terms of which definition is favored. From our data, those organizations that use formal risk management seem to favor the more traditional definition over the definitions 'inclusion of negative and positive effects' or 'deviation from a plan.'" (See Figure 2 below.)

Figure 2 -- Risk Definition Used by Organizations Practicing Formal Risk Management
For those organizations that manage risk formally, 34% said that they have a separate opportunity management process, 45% said that they do not, while 21% said it is embedded within the risk management process itself. Surmises Charette, "Therefore, 55% of those practicing formal risk management in our survey consider opportunities in some structured approach."
When he looked at organizations that use risk management "informally," Charette found a more pronounced shift from the traditional definition of risk. Only 43% are using the traditional definition of risk management; 25% use the negative/positive effects definition, and 23% use the deviation from the plan definition. "What we see is that the traditional definition is used less [43%] than the other definitions of risk [48%]. It will be interesting to see when organizations move from informal to formal risk management whether their definitions of risk will remain the same or change." Charette plans to track this in future studies.
To schedule an interview with Robert Charette, contact Media Relations at press@cutter.com. For more information about Robert Charette visit www.cutter.com/meet-our-experts/charetter.html.