A risk objective is an objective, owned by a party, that aims to reach and maintain a state of affairs in which the risks associated with a specific set of its objectives become, and/or remain, acceptable. The (business) process that seeks to realize risk objectives is referred to as a risk management process - this is in line with well-known ISO standards, such as ISO 31000, ISO9001, ISO27001, etc.
- Organizations (specifically those with a rather large scope of control) are known to classify their (regular) objectives according to (business) topics such as finance, (information) security, safety, quality, legal, human resources etc. This allows them to specify risk objectives that are particular to such topics, and define equally specific risk management processes for that.
- Organizations that realize that their departments (and sub-departments) are actually parties that each have their owns set of objectives, may require such departments to specify their own risk objectives and associated risk management process(es). This enables such organizations to specify risk objectives that (only) seek assurances that their departments are properly specifying their own objectives, and manage the associated risks.
- Organizations are also known to create risk objectives that fit traditional risk management processes, e.g. as defined in ISO standards.
- Organizations may classify their objectives using the formalization of objectives (and the governance and management pattern), e.g.
- expectations, i.e. objectives the result of which is consumed, but not produced by the organization. Such objectives are not managed but governed, and hence require a corresponding risk management process;
- obligations, i.e. objectives the result of which is produced by the organization and consumed by (at least) one other party. Such objectives are managed, and also require communication with the consuming parties;
- controls, i.e. objectives the result of which is produced and (only) consumed by the organization itself. These objectives must be managed and governed by the party that owns them.
We have observed that (the management of) the risks associated with the objectives that risk management processes pursue themselves, are often 'forgotten', i.e. these objectives are not in the scope of any risk management process. Parties should set risk objectives that aim to mitigate the risks associated with (the objectives pursued by) their risk management processes.
- is associated with one or more (classes of) objectives that are controlled by the owner of the risk-objective;
- is associated with one or more normative frameworks that these (classes of) objectives are to comply with;
- may be associated with appropriate assessment frameworks that auditors must use to determine the level of risk.