As reported previously — all the way back in 2014 — ISO has struggled to come up with a single definition of the term “risk.” At that time, ISO had at least 40 (as in forty) definitions of the term spread out over 140 (as in one-hundred-and-forty) standards. The problem was ignored for decades until two standards decided to fight each other: ISO’s flagship standard ISO 9001 and its (then) newer risk management standard, ISO 31000.

The “Risk” of Silos

There is one truism in ISOworld: different technical committees, each responsible for developing their particular standard, hate each other. And the TC for ISO 31000 was not well-liked by anyone, much less the TC for ISO 9001.

The ISO 31000 group itself grew out of a fairly complicated set of controversies (I won’t rehash it here, but I have a YouTube video going over the whole thing.) Newly minted and blessed by ISO HQ, the group was flush with power, smug as can be, and headed by an incompetent, bumbling toady who could barely bathe, never mind run a committee.

Not to be outdone on the ego front, the ISO 9001 folks had prior decades to hone their hubris, so were not about to be told what to do by some new upstart, no matter how new and shiny they looked.

So the two TCs started to fight, somewhat publicly, over whose definition of risk was better, which brought the whole thing into the public eye — not helped by the fact that while the “quality” press ignored the debacle, Oxebridge was reporting on it in real-time. You’re welcome.

Over the next nine years, many TCs would just adopt ISO 31000’s definition, and the overall number of “risk” definitions in ISO’s catalog decreased but still generated a good deal of controversy. The remaining conflict was largely due to the fact that the bumbling unwashed toady had cribbed an already-controversial definition of “risk” from the Project Management Institute (PMI), which claimed that “risk is positive.”

No, Risk Isn’t Positive, You Dummies

Now let’s pause on that for a second, because I got words. Until that time, most people with functioning goo in their brainpans understood that “risk” was something you either avoided or mitigated. You want to take risk, sure, but you do so with your glutes clenched in the hope you can squeak out a benefit and not have disaster strike. The risk is bad, but it has the potential for a benefit — an opportunity, if you will — if you can manage it properly.

This negative definition of risk also happens to align with the English dictionary, as well as that of nearly every other language ever spoken by man-apes. Risk has always been understood as something bad that you have to manage or push through in order to get to the good stuff.

Now, thanks to Mr. Beardtoad and PMI, risk was “good.”

This never made sense, because in the same standards that insisted “risk is good,” they were telling you to mitigate it. You don’t mitigate good things, you mitigate bad things. Saying otherwise is like telling the High School football team to “get out there and work your darnedest to lose the big game!”

But because so many ISO standards users just parrot whatever ISO tells them, we now have an entire generation of folks insisting “risk is good,” and promptly blowing shit up and killing people.

OK, I’m off my soapbox.

Enter the Goons

A lot of people started to push back on ISO’s wrong-headed attempt to adopt a single, acceptable definition of “risk.” This was especially true since different industries have different ideas on risk, and standardizing “risk management” was a dumb plot to begin with. Insurance actuaries have a very different view of risk than, say, manufacturing engineers, and they all disagree with the notions of pharmaceutical companies. Heck, the definition changes depending on your income level: an hourly worker at Tesla has a very different idea of risk than their idiot, billionaire boss does. The ability to afford lawyers does that.

In reality, “risk” can take on dramatically different meanings depending on which angle you’re looking at it from.

So ISO was always going to fail in this, and folks like me were telling them that for nearly a decade. But the consultants running around bragging about “being on an ISO committee” were not to be deterred, and kept at it. The rest of us were watching them like the scientist standing over the mouse-maze, watching the poor creatures scramble to find an exit before the gas kicked in.

A lot of (metaphorical) blood was spilled, too. Within the ISO 31000 TC itself, the members couldn’t agree, and during one official meeting, the delegates devolved into a shouting match, threatening to sue each other for defamation. It was a complete shit-show, and was unraveling in front of the entire world.

So ISO’s goon squad, the Technical Management Board (TMB), put a team on it. They created a joint task force with the intent of finally using their brute muscle to force everyone to use a single definition, preferably that from ISO 31000. I presume they had uniforms with scary black jodhpurs and menacing red logos on the chest.

But even the goon squad couldn’t re-write reality, because — again — trying to standardize “risk” was as stupid as trying to standardize “schadenfreude.” You cannot standardize concepts that have multiple definitions and interpretations depending on the scenarios. (Look up the word “set” and see how many definitions the dictionary has for it.)

So the TMB has been forced to surrender, and has now issued a final Resolution, announcing that they are abandoning tilting at this particular windmill, and will now allow TCs to make up their own definitions for “risk” whenever they like:

So, this particular drama is now over, but don’t fret, masochists! ISO is currently cooking up some other mind-bogglingly bad ideas that will keep you up at night, like converting standards to expensive online-only subscription services, rather than selling them as downloadable PDFs.

About Christopher Paris

Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.

