UPDATE 2: I have added a link to an Excel sheet that includes all the known definitions, and their ISO sources. — CP
Inexplicably, the latest DIS version of ISO 9001:2015 injects yet another alternate definition of the term “risk,” pushing it further away from that of the ISO 31000 standard on risk management.
The DIS definition included in the ISO/DIS 9001:2015 is now “effect of uncertainty on an expected result.” This marks the fortieth definition of risk produced by ISO — an organization, remember, founded to standardize things like definitions. As of right now, the following definitions all reside in different ISO standards.
- a function of the probability of occurrence of a given threat and the potential adverse consequences of that threat’s occurrence.
- chance of injury, damage or loss postulated by considering the consequence of a threat and the likelihood of its occurrence
- combination of the chance that a specified hazardous event will occur and the severity of the consequences of the event
- combination of the frequency, or probability, of occurrence and the consequence of a specified hazardous event
- combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of the incident caused
- combination of the likelihood of occurrence of harm and the severity of that harm
- combination of the probability and the degree of the possible injury or damage to health in a hazardous situation
- combination of the probability of an event and its consequence
- combination of the probability of an event and the consequences of the event
- combination of the probability of harm and the severity of that harm
- combination of the probability of occurrence of harm and the severity of that harm
- combination of the probability of occurrence of harm and the severity of that harm; indicating the probability that an adverse effect on soil functions will occur under defined conditions and the magnitude of the consequences of the effect occurring (see ISO/IEC Guide 51:1990)
- combination of the probability of the occurrence of a hazard in a particular situation and the consequences or extent of harm to the individual to be expected from the hazard
- combination of the probability or frequency of occurrence of an event and the magnitude of its consequence
- combination of the probability that a specified undesirable event will occur combined with the severity of the consequences of that event
- effect of uncertainty
- effect of uncertainty on an expected result
- effect of uncertainty on objectives
- exposure to the chance of injury or loss as applies to safety
- expression of the probability that an adverse effect on soil functions will occur under defined conditions and the magnitude of the consequences of the effect occurring
- factor, R, that reflects both likelihood, L, of the occurrence of a hazard in a particular situation and severity, S, of the consequences or extent of harm to the individual to be expected from the hazard R = L × S
- function of the probability of occurrence of a given threat and the potential adverse consequences of that threat’s occurrence
- likelihood of a security threat materializing and the consequences
- likelihood of the occurrence of an event or failure and the consequences or impact of that event or failure
- numerical estimate of the probability or likelihood that a given hazard will occur
- potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization
- probability of a specific undesired event occurring so that a hazard is realized
- probability of an event (e.g. failure, damage) multiplied by its consequences (e.g. cost, fatalities, exposure to personal or environmental hazard)
- probability of loss or injury from a hazard
- probability of the occurrence of a hazard and the severity of its outcome
- product of probability and consequences for an undesired event or action
- qualitative or quantitative likelihood of an event occurring, considered in conjunction with the consequence of the event
- quantitative or qualitative measure for the severity of a potential damage and the probability of incurring that damage
- term describing an event encompassing what can happen (scenario), its likelihood (probability) and its level or degree of damage (consequences)
- the combination of the probability of an event and its consequence.
- the possibility that a particular threat will exploit a particular vulnerability of a data processing system.
- the potential for realisation of an unwanted event, which is a function of the hazard, its probability and its consequences
- the probable rate of occurrence of a hazard causing harm and the degree of severity of the harm
- undesirable situation or circumstance that has both a likelihood of occurring and a potential negative consequence on a project
- value of what can be lost if infringement occurs
The 40 definitions above appear in over 140 standards currently available from ISO. The list was derived from scouring ISO’s Online Browsing Platform, and may not even be a complete accounting. Originally, ISO 31000 was touted as being the harmonization standard for all those others, but it apparently has not succeeded.
For an MS Excel® sheet featuring all the known definitions and their ISO source documents, click here. Note: it is in .xlsx format, for MS Excel® 2007 or higher.
Positive vs. Negative Risk
The DIS of 9001:2015 also seems to want to straddle the fence on whether risk can be both negative and positive, a recent position taken by ISO and being pushed on its TCs. While the DIS definition includes a “Note 1” acknowledging positive risk:
Note 1 to entry: An effect is a deviation from the expected — positive or negative
… it then includes a Note 5 that half-contradicts it:
Note 5 to entry: The term “risk” is sometimes used when there is only the possibility of negative consequences.
The first four notes were taken from Annex SL, with TC 176 apparently adding the fifth note itself. The fifth note references ISO 9000:2014, which is currently in DIS stage itself, so we can assume that standard will also tilt towards negative risk only.
The fact that ISO is struggling to such a degree over the definition of the word shows that it was not prepared to tackle risk management as a standard, much less incorporate it into all management system standards through its TMB-directed Annex SL mandate. The negative reaction has been immediate. One source close to ISO 31000 called the new definition “a farce” and said TC 176 were “imbeciles.” Another risk management professional said the 9001 definition is “recursive” and that the ongoing wrangling of definitions was “tragicomic.”
If ISO can’t standardize a definition of something, what are the rest of us supposed to do?