Why It’s Holding Organisations Back — and How ISO 31000 Points the Way Forward
By Peter Blokland, PhD
General Manager BYAZ bv
1. A Comfortable but Dangerous Misconception
Over the past months, a familiar phrase has been reappearing in ISO and ESG circles: “risk and opportunity.”
It sounds balanced, even sophisticated, as if risk were the dark side of the moon and opportunity the bright one.
But this linguistic comfort blanket hides a deep conceptual flaw.
The idea that risk and opportunity are two separate things is not just outdated; it’s harmful. It keeps organisations trapped in a 20th-century mindset that treats risk as something negative to be avoided and opportunity as something positive to be chased, instead of recognising that both are manifestations of the same phenomenon: the effect of uncertainty on objectives.
That definition, from ISO 31000, changed everything. Or at least, it should have.
2. Why “Risk and Opportunity” Is a False Dichotomy
Before ISO 31000 (2009), risk was typically defined as “the combination of probability and consequence”.
It seemed logical: quantify the likelihood of bad things happening, estimate their impact, and you can control risk.
The problem is that this thinking reduces risk to an event-centric notion of loss.
The ISO 31000 definition turned that on its head:
Risk = the effect of uncertainty on objectives.
In one stroke, risk became objective-centric instead of event-centric, and the possibility of positive outcomes was implicitly included.
There is no need to add “opportunity” as a counterbalance, because risk already includes both positive and negative effects.
When we reintroduce “risk and opportunity,” we dismantle that conceptual integrity.
We imply that risk is bad and opportunity is good, resurrecting a primitive dualism that ISO 31000 explicitly moved beyond.
It’s like returning to Newtonian mechanics to explain quantum physics: comforting, simple, and utterly inadequate.
3. The Ontological Error: Mistaking Sources for Effects
At the root of the confusion lies an ontological mistake, one that philosophers would call a category error.
Those who speak of “risk and opportunity” confuse risk sources with risk itself.
A risk source is any element that can cause an effect on objectives. Some have mostly positive potential (like innovation or market expansion), others mostly negative (like cyber threats or supply-chain disruption).
But the risk only exists when that potential actually affects an objective, a result to be achieved.
In other words:
- Risk sources exist in the environment.
- Risk emerges in the relationship between those sources and objectives.
Opportunities are therefore not the “positive side of risk.” They are merely one type of risk source, one that can, depending on how it is managed, create or destroy value.
Treating opportunity as something different from risk blinds organisations to the systemic truth: the same source can produce both success and failure depending on leadership, timing, and context.
A new technology, for example, is not an “opportunity” by nature. It is a risk source, one that may lead to innovation and growth if well managed, or bankruptcy and obsolescence if mismanaged.
4. The Systemic Nature of Risk: Beyond Probability
Understanding risk systemically means recognising that it is not a static variable but a dynamic network of interactions.
James Reason captured this vividly in his Swiss Cheese Model of organisational accidents.
He noted that although the defensive layers and holes seem fixed on paper, in reality they are constantly shifting, opening, closing, and interacting in unpredictable ways under changing local conditions.
This is what ISO 31000 refers to as the effect of uncertainty: the ever-changing relationship between objectives and the environment in which they exist.
Each objective can itself become a risk source for another objective, forming an interconnected web of causes and effects.
The “uncertainty” in this definition is therefore not a root cause of risk; it is a manifestation of these shifting relationships.
Managing risk is not about reducing uncertainty; it is about understanding and managing the system of risk sources so that uncertainty has a less destructive and more constructive impact.
5. The Leadership Dimension: From Fear to Stewardship
In practice, the false dichotomy of “risk and opportunity” distorts leadership behaviour.
When risk is seen as negative, organisations naturally develop avoidance cultures:
layers of compliance, endless checklists, and “risk registers” filled with problems to be minimised.
Meanwhile, the so-called “opportunities” are delegated to innovation teams or business development units, as if they were part of another universe.
This split leads to a loss of coherence in decision-making. It creates two vocabularies, two logics, and two sets of metrics, one defensive, one offensive.
In reality, both sides are about the same thing: how objectives are achieved under uncertainty.
Ethical and effective leaders recognise this unity. They don’t manage “risk and opportunity”; they manage objectives through uncertainty.
They treat every risk source, whether it looks like a threat or a chance, as a potential lever for value creation.
They cultivate dialogue, foresight, and systemic awareness, because these are the tools that allow uncertainty to be turned into progress.
6. Why “Risk and Opportunity” Persists
If the conceptual case is so clear, why does the “risk and opportunity” language keep resurfacing, even within ISO itself?
The answer is partly political and partly psychological.
- Politically, many frameworks (ESRS, CSRD, certain ESG standards) still use the outdated wording “risks and opportunities.” For the sake of alignment, some ISO committees are tempted to follow suit, even at the cost of internal inconsistency.
- Psychologically, people are drawn to binary thinking. It feels natural to label things “good” or “bad,” “threat” or “opportunity.” It gives an illusion of control and moral clarity, even though the world doesn’t work that way.
Unfortunately, such simplifications are not harmless. They shape mental models, governance structures, and performance systems.
They make organisations reactive instead of adaptive, fragmented instead of holistic.
7. The ISO 31000 Perspective: A 21st-Century Framework
ISO 31000 offers a fundamentally different paradigm, one that belongs firmly in the 21st century.
It defines principles, framework, and process as an integrated loop, not a checklist, and it offers a coherent set of definitions that serve as the guiding mental models to make things work.
It places leadership and commitment at the core, and requires that risk management be integrated into governance, strategy, and decision-making.
It rejects the notion of risk as something negative, and instead positions it as the natural context of every objective.
Under ISO 31000, managing risk means:
- Understanding objectives: what results the organisation seeks to achieve.
- Identifying risk sources: elements that can influence those objectives.
- Analysing interactions and effects: how uncertainty manifests through those relationships.
- Evaluating and managing: making informed decisions that create and protect value.
- Continuously learning and improving: staying ahead of, or at least abreast of, change.
This approach unifies strategy, performance, and resilience.
It bridges the gap between opportunity and threat, turning risk management from a compliance exercise into a leadership discipline.
8. A Practical Illustration
Take a company developing a new product.
Traditional thinking splits the challenge into two conversations:
- The risk register lists potential problems: delays, cost overruns, market rejection.
- The opportunity analysis lists potential gains: new customers, higher margins, market share.
Two documents, two teams, two disconnected realities.
Under ISO 31000, the organisation would instead start from its objectives, for example, “launch a profitable product that strengthens our brand and customer loyalty.”
Every factor that could affect that objective (supply chain, technology, regulation, consumer trends, brand reputation) becomes a risk source to be understood and managed.
Each may yield positive or negative effects, depending on how it is handled.
The team then manages those sources in an integrated way, turning uncertainty into a field of possibilities.
The question shifts from “What could go wrong?” to “How do we ensure the desired result under changing conditions?”
That is risk management in the ISO 31000 sense, not fear, but foresight.
9. The Cost of Conceptual Regression
Reintroducing “risk and opportunity” doesn’t just create semantic confusion. It undermines the intellectual integrity of modern risk management.
It sends mixed signals to practitioners, educators, and policymakers.
It encourages the illusion that by adding the word “opportunity,” we have become more positive, when in fact, we have become less precise.
Worse, it risks producing another generation of professionals trained to separate what should be united: the capacity to understand, anticipate, and steer effects on objectives.
Clarity of thought is the foundation of clarity in action. If our definitions are wrong, our systems will be wrong and so will our results.
10. Towards Conceptual Integrity
The way forward is not to invent new slogans but to master the concepts we already have.
ISO 31000 provides a complete and coherent language:
- Risk: effect of uncertainty on objectives.
- Risk source: element that, alone or together, can give rise to risk.
- Consequence: the outcome of an event affecting objectives.
- Objective: a result to be achieved.
- Uncertainty: deficiency of knowledge or information.
These terms form one logical system. Break it apart and meaning collapses.
Our task as professionals and leaders is to defend that clarity, not dilute it for the sake of superficial alignment with outdated practices.
11. Conclusion: Keep ISO in the 21st Century
The language of “risk and opportunity” belongs to a world that is no longer adequate for the complexity we face. In a world of interdependence, acceleration, and systemic change, risk cannot be managed as a threat and opportunity as a gift. They are two sides of the same coin, and that coin is minted in uncertainty.
ISO 31000 gave us the conceptual tools to move forward. We should use them, not undo them. Managing risk means managing objectives, and that includes everything we hope to achieve and everything that could prevent us from doing so.
Let’s keep risk thinking in the 21st century, where it belongs.
