{"id":3361,"date":"2014-05-16T11:11:11","date_gmt":"2014-05-16T15:11:11","guid":{"rendered":"http:\/\/www.oxebridge.com\/emma\/?p=3361"},"modified":"2014-05-19T14:24:28","modified_gmt":"2014-05-19T18:24:28","slug":"dis-of-iso-9001introduces-a-fifth-definition-of-risk","status":"publish","type":"post","link":"https:\/\/www.oxebridge.com\/emma\/dis-of-iso-9001introduces-a-fifth-definition-of-risk\/","title":{"rendered":"DIS of ISO 9001 Introduces ISO&#8217;s 40th Definition of &#8220;Risk&#8221;"},"content":{"rendered":"<p><a href=\"http:\/\/www.oxebridge.com\/emma\/wp-content\/uploads\/2014\/05\/risk.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignright  wp-image-3363\" style=\"margin: 10px;\" alt=\"risk\" src=\"http:\/\/www.oxebridge.com\/emma\/wp-content\/uploads\/2014\/05\/risk.jpg\" width=\"482\" height=\"304\" srcset=\"https:\/\/www.oxebridge.com\/emma\/wp-content\/uploads\/2014\/05\/risk.jpg 602w, https:\/\/www.oxebridge.com\/emma\/wp-content\/uploads\/2014\/05\/risk-150x95.jpg 150w, https:\/\/www.oxebridge.com\/emma\/wp-content\/uploads\/2014\/05\/risk-200x126.jpg 200w\" sizes=\"(max-width: 482px) 100vw, 482px\" \/><\/a><em><span style=\"color: #ff0000;\">UPDATE 1<\/span>: I was wrong to say the definition in ISO\/DIS 9001:2015 was only the fifth definition of risk within ISO standards.\u00a0It&#8217;s the <strong>FORTIETH<\/strong>. \u00a0This article has been updated accordingly. &#8212; CP<\/em><\/p>\n<p><em><span style=\"line-height: 1.5em;\"><span style=\"color: #ff0000;\">UPDATE 2<\/span>: I have added a link to an Excel sheet that includes all the known definitions, and their ISO sources. 
&#8212; CP<\/span><\/em><\/p>\n<p>Inexplicably, the latest DIS version of ISO 9001:2015 injects yet another alternate definition of the term &#8220;risk,&#8221; pushing it further away from that of the ISO 31000 standard on risk management.<\/p>\n<p>The DIS definition included in the ISO\/DIS 9001:2015 is now &#8220;effect of uncertainty on an expected result.&#8221; This marks the fortieth definition of risk produced by ISO &#8212; an organization, remember, founded to standardize things like definitions. As of right now, the following definitions all reside in different ISO standards.<\/p>\n<ol>\n<ol>\n<li>a function of the probability of occurrence of a given threat and the potential adverse consequences of that threat&#8217;s occurrence.<\/li>\n<li>chance of injury, damage or loss postulated by considering the consequence of a threat and the likelihood of its occurrence<\/li>\n<li>combination of the chance that a specified hazardous event will occur and the severity of the consequences of the event<\/li>\n<li>combination of the frequency, or probability, of occurrence and the consequence of a specified hazardous event<\/li>\n<li>combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of the incident caused<\/li>\n<li>combination of the likelihood of occurrence of harm and the severity of that harm<\/li>\n<li>combination of the probability and the degree of the possible injury or damage to health in a hazardous situation<\/li>\n<li>combination of the probability of an event and its consequence<\/li>\n<li>combination of the probability of an event and the consequences of the event<\/li>\n<li>combination of the probability of harm and the severity of that harm<\/li>\n<li>combination of the probability of occurrence of harm and the severity of that harm<\/li>\n<li>combination of the probability of occurrence of harm and the severity of that harm; indicating the probability that an adverse effect on soil functions will 
occur under defined conditions and the magnitude of the consequences of the effect occurring (see ISO\/IEC Guide\u00a051:1990)<\/li>\n<li>combination of the probability of the occurrence of a hazard in a particular situation and the consequences or extent of harm to the individual to be expected from the hazard<\/li>\n<li>combination of the probability or frequency of occurrence of an event and the magnitude of its consequence<\/li>\n<li>combination of the probability that a specified undesirable event will occur combined with the severity of the consequences of that event<\/li>\n<li>effect of uncertainty<\/li>\n<li>effect of uncertainty on an expected result<\/li>\n<li>effect of uncertainty on objectives<\/li>\n<li>exposure to the chance of injury or loss as applies to safety<\/li>\n<li>expression of the probability that an adverse effect on soil functions will occur under defined conditions and the magnitude of the consequences of the effect occurring<\/li>\n<li>factor, R, that reflects both likelihood, L, of the occurrence of a hazard in a particular situation and severity, S, of the consequences or extent of harm to the individual to be expected from the hazard R = L \u00d7 S<\/li>\n<li>function of the probability of occurrence of a given threat and the potential adverse consequences of that threat&#8217;s occurrence<\/li>\n<li>likelihood of a security threat materializing and the consequences<\/li>\n<li>likelihood of the occurrence of an event or failure and the consequences or impact of that event or failure<\/li>\n<li>numerical estimate of the probability or likelihood that a given hazard will occur<\/li>\n<li>potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization<\/li>\n<li>probability of a specific undesired event occurring so that a hazard is realized<\/li>\n<li>probability of an event (e.g. failure, damage) multiplied by its consequences (e.g. 
cost, fatalities, exposure to personal or environmental hazard)<\/li>\n<li>probability of loss or injury from a hazard<\/li>\n<li>probability of the occurrence of a hazard and the severity of its outcome<\/li>\n<li>product of probability and consequences for an undesired event or action<\/li>\n<li>qualitative or quantitative likelihood of an event occurring, considered in conjunction with the consequence of the event<\/li>\n<li>quantitative or qualitative measure for the severity of a potential damage and the probability of incurring that damage<\/li>\n<li>term describing an event encompassing what can happen (scenario), its likelihood (probability) and its level or degree of damage (consequences)<\/li>\n<li>the combination of the probability of an event and its consequence.<\/li>\n<li>the possibility that a particular threat will exploit a particular vulnerability of a data processing system.<\/li>\n<li>the potential for realisation of an unwanted event, which is a function of the hazard, its probability and its consequences<\/li>\n<li>the probable rate of occurrence of a hazard causing harm and the degree of severity of the harm<\/li>\n<li>undesirable situation or circumstance that has both a likelihood of occurring and a potential negative consequence on a project<\/li>\n<li>value of what can be lost if infringement occurs<\/li>\n<\/ol>\n<\/ol>\n<p>The 40 definitions above appear in over 140 standards currently available from ISO. The list was derived from scouring ISO&#8217;s Online Browsing Platform, and may not even be a complete accounting. Originally, ISO 31000 was touted as being the harmonization standard for all those others, but apparently has not succeeded.<\/p>\n<p>For an MS Excel<strong>\u00ae<\/strong> sheet featuring all the known definitions and their ISO source documents,<a href=\"http:\/\/www.oxebridge.com\/downloads\/Riskdefs.xlsx\" target=\"_blank\"> click here<\/a>. 
Note: it is in .xlsx format, for MS Excel<strong>\u00ae<\/strong> 2007 or higher.<\/p>\n<p><strong>Positive vs. Negative Risk<\/strong><\/p>\n<p>The DIS of 9001:2015 also seems to want to straddle the fence on whether risk can be both negative and positive, a recent position taken by ISO and being pushed on its TCs. While the DIS definition includes a &#8220;Note 1&#8221; acknowledging positive risk:<\/p>\n<blockquote><p>Note 1 to entry: An effect is a deviation from the expected \u2014 positive or negative<\/p><\/blockquote>\n<p><span style=\"line-height: 1.5em;\">&#8230; it then includes a Note 5 that half-contradicts it:<\/span><\/p>\n<blockquote><p>Note 5 to entry: The term \u201crisk\u201d is sometimes used when there is only the possibility of negative consequences.<\/p><\/blockquote>\n<p><span style=\"line-height: 1.5em;\">The first four notes were taken from Annex SL, with TC 176 apparently adding the fifth note itself. The fifth note references ISO 9000:2014, which is currently in DIS stage itself, so we can assume that standard will also tilt towards negative risk only.<\/span><\/p>\n<p>The fact that ISO is struggling to such a degree over the definition of the word shows that it was not prepared to tackle risk management as a standard, much less incorporate it into all management system standards through its TMB-directed Annex SL mandate. The negative reaction has been immediate. 
One source close to ISO 31000 called the new definition &#8220;a farce&#8221; and said TC 176 were &#8220;imbeciles.&#8221; Another risk management professional said the 9001 definition is &#8220;recursive&#8221; and that the ongoing wrangling of definitions was &#8220;tragicomic.&#8221;<\/p>\n<p>If ISO can&#8217;t standardize a definition of something, what are the rest of us supposed to do?<\/p>","protected":false},"excerpt":{"rendered":"<p>UPDATE 1: I was wrong to say the definition in ISO\/DIS 9001:2015 was only the fifth definition of risk within ISO standards.\u00a0It&#8217;s the FORTIETH. \u00a0This article has been updated accordingly. &#8212; CP UPDATE 2: I have added a link to an Excel sheet that includes all the known definitions, and their ISO sources. &#8212; CP [&hellip;]<\/p>","protected":false},"author":2,"featured_media":3363,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","mc4wp_mailchimp_campaign":[],"footnotes":""},"categories":[3,5],"tags":[211,212,43,186,14,116,147,148,42],"class_list":["post-3361","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","category-opinion","tag-dis","tag-draft-international-standard","tag-iso","tag-iso-31000","tag-iso-9001","tag-iso-90012015","tag-risk","tag-risk-management","tag-tc-176","et-has-post-format-content","et_post_format-et-post-format-standard"],"_links":{"self":[{"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/posts\/3361","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/com
ments?post=3361"}],"version-history":[{"count":8,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/posts\/3361\/revisions"}],"predecessor-version":[{"id":3385,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/posts\/3361\/revisions\/3385"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/media\/3363"}],"wp:attachment":[{"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/media?parent=3361"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/categories?post=3361"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.oxebridge.com\/emma\/wp-json\/wp\/v2\/tags?post=3361"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}