Author: Tony Ridley MSc CSyP FSyI CAS SRMCP is a senior government and corporate executive in enterprise risk, security and resilience, a Chartered Security Professional, Fellow of The Security Institute, Security Risk Management Certified Professional, and doctoral researcher in transnational security, risk and resilience management sciences, applied.

Words do not just describe the world. They shape what we see in it.

In risk work, that distinction matters more than most practitioners acknowledge. Definitions determine what we notice, record, compare, and act on. Get the language wrong at its foundation, and everything built on top of it is structurally compromised, regardless of how sophisticated the framework appears.

ISO 31000 defines risk as “the effect of uncertainty on objectives.” The intent is reasonable: connect risk to decision-making and recognise that outcomes can be positive or negative. The problem is what this framing quietly excludes.

Objectives are human constructs. Hazards are not. A flood, a disease outbreak, a supply chain failure: these exist independently of whether an organisation has articulated coherent objectives. When risk is defined through the lens of objectives, weak objectives produce weak risk statements. Slow-moving, systemic threats can be dismissed as out of scope simply because they do not visibly threaten what has been documented, rather than what actually exists.

Why language is the instrument panel

Corpus linguistics offers a useful lens here, and it is worth explaining plainly. Corpus linguistics is the study of language in use: analysing large collections of real text to understand what words actually mean across different contexts, rather than what we assume they mean.

One of its foundational principles is disarmingly simple: you shall know a word by the company it keeps. The words that consistently appear alongside a term reveal its working meaning in practice, not just its dictionary definition.

Apply this to “risk.” In safety practice, it keeps company with harm, exposure, and consequences. In finance, with volatility and return. In cybersecurity, with threats and vulnerabilities. None of these communities is wrong. But none of these uses is interchangeable, and a single standardised definition cannot flatten those differences without losing something essential in each domain.
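The collocation check described above, as an added illustration that is not part of the original article: a minimal corpus-linguistics pass that counts the content words appearing within a few tokens of “risk” in a constructed mini-corpus, one small set of sentences per practice community. The sentences, the stopword list and the window size are all assumptions made for the example.

```python
from collections import Counter
import re

# Constructed mini-corpus: illustrative sentences per community, not quotations
# from any standard, textbook or real organisation.
CORPUS = {
    "safety": [
        "The risk of harm rises with exposure to the hazard.",
        "Exposure to the hazard drives the risk of serious harm.",
        "Exposure and consequences shape the risk of harm.",
    ],
    "finance": [
        "Portfolio risk is volatility measured against expected return.",
        "Higher return usually means accepting higher volatility and risk.",
        "Return risk includes upside deviation from the plan target.",
    ],
    "cyber": [
        "A threat acting on a vulnerability creates cyber risk.",
        "Risk pairs a threat with a vulnerability it can reach.",
        "Threat intelligence sharpens the risk each vulnerability poses.",
    ],
}

# Function words carrying no domain meaning; excluded from collocate counts.
STOPWORDS = {"the", "of", "a", "an", "to", "is", "as", "and", "with", "when",
             "how", "if", "only", "here", "can", "usually", "means", "against",
             "each", "higher", "expected", "from", "it", "on"}

def tokenize(text):
    return re.findall(r"[a-z]+", text.lower())

def collocates(sentences, target="risk", window=3):
    """Count content words found within `window` tokens of `target`."""
    counts = Counter()
    for sentence in sentences:
        tokens = tokenize(sentence)
        for i, tok in enumerate(tokens):
            if tok != target:
                continue
            lo, hi = max(0, i - window), min(len(tokens), i + window + 1)
            for j in range(lo, hi):
                if j != i and tokens[j] not in STOPWORDS:
                    counts[tokens[j]] += 1
    return counts

def top_collocates(domain, n=3):
    """The words that keep 'risk' company most often in one community's text."""
    return [word for word, _ in collocates(CORPUS[domain]).most_common(n)]

def shared_collocates(domain_a, domain_b):
    """Collocates two communities have in common; empty means no shared unit."""
    return set(collocates(CORPUS[domain_a])) & set(collocates(CORPUS[domain_b]))

if __name__ == "__main__":
    for domain in CORPUS:
        print(domain, top_collocates(domain))
```

Each community's top collocate differs, and the sets do not overlap, which is the concrete form of the point that the same label is carrying different working meanings.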

This is not theoretical. When different parts of an organisation use the same word to mean materially different things, risk assessments become collages rather than coherent pictures. Rankings become arbitrary. Appetite statements become incoherent. Mitigations become inconsistently targeted. The unit of analysis, the stable “thing” that should be identifiable, comparable, and treatable, dissolves.

Consistent units of analysis are not optional

Risk analysis depends on the same discipline as any other measurement: consistent units. A finance team recording risks as deviations from plan—including upside—and a safety team recording risks as exposures to harm are not working from the same unit of measure. Aggregating their outputs produces numbers, not insight.

My preference is explicit structure: risk as consequences (C), assessed under uncertainty (U), and explicitly conditioned by the strength of knowledge (K) underpinning the judgement. That discipline forces clarity on three things: what could happen, how uncertain we are, and how robust the underlying evidence actually is, rather than allowing “risk” to float as a catch-all label for whatever feels important this quarter.

The practical ask

This is not an argument against ISO 31000 as a reference tool. It is an argument for language governance within organisations that use it. Define what a risk statement must contain. Audit how key terms are actually used across functions and geographies. Maintain a working glossary that preserves consistent units over time.

Words are the instrument panel. If the dials are mis-calibrated, so are the decisions that follow.