As reported earlier, ISO had 40 definitions of the term “risk” as of May 2014, when the DIS of ISO 9001:2015 introduced “effect of uncertainty on an expected result.” Since that time, a few more were bandied about (“effect of uncertainty on objectives” and the more-to-the-point “effect of uncertainty”), so it’s not clear which of those was number 41. We’ll just combine them all into that slot.
The current effort by Switzerland, led by Bruno Bruehwiler of the consulting firm Eurorisk, would introduce yet another variant, by declaring the term as meaning “the effect of uncertainty on objectives, activities and requirements.” Apparently tiny Switzerland wants the world to know it’s still a powerful force in standards development by revealing it has a nearly nuclear-powered ability to confuse the fuck out of everyone.
The Swiss re-definition comes in their proposal for a new standard set to “compete” against ISO 31000, called Management of Risk: Reducing Uncertainty and Enhancing Resilience. The Swiss are currently trying to get it to replace ISO 31000; they are likely to fail, but that’s not stopping them. The Bruehwiler camp has shown a combination of ignorance of most ISO directives and disdain for the rest, so it’s anyone’s guess as to what he might try to pull.
But the inability of ISO to come up with a standardized definition for the very concept they are alleging to standardize is proving to be humiliating for the organization, as well as unintentionally hilarious. It’s also caused friction with the International Labor Organization, and caused ISO’s PR boss Katie Bird to get all sheepish:
Thank you for your comments regarding the multiple definitions for risk – it is a valid point. Sometimes multiple definitions of concepts are needed, due to the very different sectors and contexts in which they are applied. However, it is obvious we need to avoid unnecessary proliferation of definitions, as they may lead to confusion. One of the objectives of ISO’s Online Browsing Platform we launched two years ago is to allow standards developers to easily find definitions that already exist so they don’t reinvent them. We encourage its use, a constant effort towards increased harmonization.
Which means, in English, “ISO has no idea what to do about this problem.”
As a result, I propose the following 43rd — and final — definition of the word risk: the effect of uncertainty as demonstrated by the inability to standardize the definition of the effect of uncertainty.
Postscript: To keep it handy, here’s a list of the 40 definitions of “risk” as they appear in published ISO standards right now; this doesn’t include the variants proposed during ISO 9001 development, or this latest Swiss mutation.
- a function of the probability of occurrence of a given threat and the potential adverse consequences of that threat’s occurrence.
- chance of injury, damage or loss postulated by considering the consequence of a threat and the likelihood of its occurrence
- combination of the chance that a specified hazardous event will occur and the severity of the consequences of the event
- combination of the frequency, or probability, of occurrence and the consequence of a specified hazardous event
- combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of the incident caused
- combination of the likelihood of occurrence of harm and the severity of that harm
- combination of the probability and the degree of the possible injury or damage to health in a hazardous situation
- combination of the probability of an event and its consequence
- combination of the probability of an event and the consequences of the event
- combination of the probability of harm and the severity of that harm
- combination of the probability of occurrence of harm and the severity of that harm
- combination of the probability of occurrence of harm and the severity of that harm; indicating the probability that an adverse effect on soil functions will occur under defined conditions and the magnitude of the consequences of the effect occurring
- combination of the probability of the occurrence of a hazard in a particular situation and the consequences or extent of harm to the individual to be expected from the hazard
- combination of the probability or frequency of occurrence of an event and the magnitude of its consequence
- combination of the probability that a specified undesirable event will occur combined with the severity of the consequences of that event
- effect of uncertainty
- effect of uncertainty on an expected result
- effect of uncertainty on objectives
- exposure to the chance of injury or loss as applies to safety
- expression of the probability that an adverse effect on soil functions will occur under defined conditions and the magnitude of the consequences of the effect occurring
- factor, R, that reflects both likelihood, L, of the occurrence of a hazard in a particular situation and severity, S, of the consequences or extent of harm to the individual to be expected from the hazard R = L × S
- function of the probability of occurrence of a given threat and the potential adverse consequences of that threat’s occurrence
- likelihood of a security threat materializing and the consequences
- likelihood of the occurrence of an event or failure and the consequences or impact of that event or failure
- numerical estimate of the probability or likelihood that a given hazard will occur
- potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization
- probability of a specific undesired event occurring so that a hazard is realized
- probability of an event (e.g. failure, damage) multiplied by its consequences (e.g. cost, fatalities, exposure to personal or environmental hazard)
- probability of loss or injury from a hazard
- probability of the occurrence of a hazard and the severity of its outcome
- product of probability and consequences for an undesired event or action
- qualitative or quantitative likelihood of an event occurring, considered in conjunction with the consequence of the event
- quantitative or qualitative measure for the severity of a potential damage and the probability of incurring that damage
- term describing an event encompassing what can happen (scenario), its likelihood (probability) and its level or degree of damage (consequences)
- the combination of the probability of an event and its consequence.
- the possibility that a particular threat will exploit a particular vulnerability of a data processing system.
- the potential for realisation of an unwanted event, which is a function of the hazard, its probability and its consequences
- the probable rate of occurrence of a hazard causing harm and the degree of severity of the harm
- undesirable situation or circumstance that has both a likelihood of occurring and a potential negative consequence on a project
- value of what can be lost if infringement occurs
About Christopher Paris
Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001 and Surviving AS9100. He reviews wines for the irreverent wine blog, Winepisser.