Following on from a recent blog post, there has been an interesting discussion in the ISO31000 group as to whether “objective” should be defined in the standard. As the standard defines risk as “the effect of uncertainty on objectives”, this is an important question. There is a diversity of views, but I suggest that anyone who has done some management training would have come across SMART objectives (Specific, Measurable, Attainable, Relevant and Time Bound). Therefore, I am not sure “objective” needs to be defined in the standard.

What is often less clear is how objectives should be developed. Within an organisation there will be overarching visions and goals. These will be achieved through various plans (strategic, business, programme, project, etc.). Each of these plans should have objectives. Each subordinate (supporting) plan should reflect the objectives of the higher plan but will be more specific.

So in an organisational sense there should be objectives that an organisation is setting out to achieve at many levels.

So what are the risks of achieving these objectives? Risk management should be undertaken by the team responsible for achieving the particular objective(s). They can then identify the risks (and opportunities) that could have an effect on those objectives. They may also analyse the level of risk in terms of impact on the objective(s) so as to help prioritise treatment actions.

In order to undertake a risk workshop, the objectives need to be clearly described at the outset (so the impact of a risk on the objectives can be assessed). However, it is quite usual for objectives to be refined during a risk workshop, which is a beneficial by-product of the risk management process.