Differences

This shows you the differences between two versions of the page.

articles:a_matter_of_risk [2021/03/10 10:39] – [US Military Definitions of Risk] rrandallarticles:a_matter_of_risk [2023/01/31 13:48] (current) – [The ISO 9001:2015 Conundrum] rrandall
Line 1: Line 1:
 ====== A Matter of "Risk" ====== ====== A Matter of "Risk" ======
  
-When it comes to defining the word "//risk//", ISO has several competing definitions; in various "official" ISO documents. And these are in further conflict with non-ISO industry standards. As one would expect, these differences have created conflict within ISO and confusion amongst users. The problem appears to stem from ISO attempting to create a "one-size fits all" definition for "risk" (initially through ISO/IEC Directives-Part 1, Annex SL), while failing to recognize that there are different "typesof risks... and perhaps, failing to grasp a basic understanding of the concept.+When it comes to defining the word "//risk//", ISO has several competing definitions; in various "official" ISO documents. And these are in further conflict with non-ISO industry standards. As one would expect, these differences have created conflict within ISO and confusion amongst users. The problem appears to stem from ISO attempting to create a "one-size fits all" definition for "risk" (through ISO/IEC Directives-Part 1, Annex SL), in recognition of various industries having different views on what "riskis.
  
 This article will discuss two of the most "commonly" used general definitions. This article will discuss two of the most "commonly" used general definitions.
  
-  - The "non-traditional" definition is that "risk" can be positive, negative, or both (e.g., for a type of risk involving action-related decisions, such as investment decisions; addressing the consequences of taking some action, as well as __not__ taking that action). This definition appears in Appendix 2 of [[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]]:2019, ISO 9000:2015, ISO 14001:2015, ISO 19011:2018, ISO 31000:2018 & ISO Guide 73:2009)+  - The "non-traditional" definition is that "risk" can be positive, negative, or both (e.g., for a type of risk involving action-related decisions, such as investment decisions; addressing the consequences of taking some action, as well as __not__ taking that action). This definition appears in [[https://isotc.iso.org/livelink/livelink/fetch/-8921878/8921901/16347356/16347818/2022-05_Annex_SL_Appendix_2.pdf?nodeid=21826538&vernum=-2a|ISO/IEC Directives-Part 1, Annex SL, Appendix 2]]:2022, ISO 9000:2015, ISO 14001:2015, ISO 19011:2018, ISO 31000:2018 & ISO Guide 73:2009)
   - The "traditional" definition is that "risk" is always "negative" (e.g., for a type of risk involving specific desired outcomes, such as operational processes, projects or designs). This definition appears in ISO 13485:2016, ISO 45001:2018, ISO/IEC Guide 51:2014, along with popular industry standards (e.g., ICH Q9, API Spec Q1 & SAE AS9100C) and government publications (e.g., CNSS Instruction No. 4009 & NIST SP 800-30)   - The "traditional" definition is that "risk" is always "negative" (e.g., for a type of risk involving specific desired outcomes, such as operational processes, projects or designs). This definition appears in ISO 13485:2016, ISO 45001:2018, ISO/IEC Guide 51:2014, along with popular industry standards (e.g., ICH Q9, API Spec Q1 & SAE AS9100C) and government publications (e.g., CNSS Instruction No. 4009 & NIST SP 800-30)
  
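Review bot: the rewritten opening paragraph reverses the direction of the argument: the old text said ISO was "failing to recognize that there are different types of risks", while the new text says the one-size-fits-all definition was adopted "in recognition of various industries having different views". Since the later "ISO 9001:2015 Conundrum" section still argues that ISO's single definition conflicts with industry usage, state which reading is intended. Also, the paragraph now ends in '"riskis.' (the closing quote and the space before "is" have been lost), 'definitions; in various "official" ISO documents' wants a comma rather than a semicolon, and list item 1 ends with an unmatched ")" after "ISO Guide 73:2009".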
Line 15: Line 15:
 ===== Non-Traditional (ISO) Definition of Risk ===== ===== Non-Traditional (ISO) Definition of Risk =====
  
-==== ISO/IEC Directives-Part 1. Annex (originally Annex SL) ====+==== ISO/IEC Directives-Part 1. Annex SL (later changed to Annex L... and then back to Annex SL) ====
  
-While the origin of the non-traditional definition for risk //may// have been "ISO Guide 73", the "driving force" currently promoting this definition is [[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]]:2019Annex L (originally Annex SL), Appendix 2 .+While the origin of the non-traditional definition for risk //may// have been "ISO Guide 73", the "driving force" promoting this definition in ISO 9001:2015 was [[https://isotc.iso.org/livelink/livelink/fetch/-8921878/8921901/16347356/16347818/2022-05_Annex_SL_Appendix_2.pdf?nodeid=21826538&vernum=-2a|ISO/IEC Directives-Part 1, Annex SL, Appendix 2]].
  
 Prior to 2012, various standards for management systems were written in different/inconsistent structures. When users would implement two or more of these management system standards (e.g., ISO 9001 for quality management and ISO 14001 for environmental management), this led to challenges in aligning/integrating the same or similar concepts into one cohesive management system structure. Prior to 2012, various standards for management systems were written in different/inconsistent structures. When users would implement two or more of these management system standards (e.g., ISO 9001 for quality management and ISO 14001 for environmental management), this led to challenges in aligning/integrating the same or similar concepts into one cohesive management system structure.
  
-According to ISO JTCG N359, "//JTCG Frequently Asked Questions in support of Annex SL//" (dated 2013-12-03), in response to the “//Report of the ISO TMB Ad Hoc Group on Management Systems Standards//” (dated 10 February2006), the "Technical Management Board (TMB)" formed the "//Joint Technical Co-ordination Group on Management System Standards//" (TAG13-JTCG, or JTCG) to develop the future vision and guidelines for "//aligning//" future editions of its current management system standards (MSS), and for any new MSS. While the original scope of the JTCG was to standardize the "structure" of ISO MSSs, the JTCG requested permission to include "some" common content. This scope expansion was approved by the TMB, which led to the JTCG introducing Annex SL for inclusion to the 2012 edition of the [[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]].+According to ISO JTCG N359, "//JTCG Frequently Asked Questions in support of Annex SL//" (dated 2013-12-03), in response to the “//Report of the ISO TMB Ad Hoc Group on Management Systems Standards//” (dated 10 February 2006), the "Technical Management Board (TMB)" formed the "//Joint Technical Co-ordination Group on Management System Standards//" (TAG13-JTCG, or JTCG) to develop the future vision and guidelines for "//aligning//" future editions of its current management system standards (MSS), and for any new MSS. While the original scope of the JTCG was to standardize the "structure" of ISO MSSs, the JTCG requested permission to include "some" common content. This scope expansion was approved by the TMB, which led to the JTCG introducing Annex SL for inclusion in the 2012 edition of the ISO/IEC Directives-Part 1.
  
-[[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]], Annex SL prescribes how ISO Management System Standard (MSS) standards //should// be structured and, much to the ire of some Technical Committee (TC) members, includes some "mandatory" //common// content. The [[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]]:2019 edition was restructured to  (1) rename "Annex SL" to "Annex L" and (2) expand the scope of Annex L to include IEC management system standards (many of whom had been, and remain, resistant to adopting the new structure and/or common content).+[[https://isotc.iso.org/livelink/livelink/fetch/-8921878/8921901/16347356/16347818/2021-05_Annex_SL_Appendix_2.pdf?nodeid=21826538&vernum=-2|ISO/IEC Directives-Part 1, Annex SL, Appendix 2]] prescribes how ISO Management System Standard (MSS) standards //should// be structured and, much to the ire of some Technical Committee (TC) members, includes some "mandatory" //common// content. 
  
-[[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]]:2019 is divided into two main parts:  +<note> 
-  Annex L"Proposals for management system standards" \\ +The ISO/IEC Directives-Part 1:2019 edition was restructured to  (1) rename "Annex SL" to "Annex L" and (2) expand the scope of Annex L to include IEC management system standards (who was resistant to adopting the new structure and/or common content). However, the 2022 version has returned to "Annex SL" and no longer includes IEC (S-prefixed annexes only apply to ISO standards, while those without the prefix apply to both ISO and IEC standards). It now states: \\  
-  Appendix 2"High level structureidentical core text, common terms and core definitions" +**SL.5 Applicability of this annex** \\  
 +//The procedures in this annex apply to all ISO documentsincluding TSPAS and IWA.// 
 +</note>
  
 +ISO/IEC Directives-Part 1:2022 was divided into two main parts: 
 +  * Annex SL, "Proposals for management system standards" \\
 +  * Appendix 2, "Harmonized structure for MSS with guidance for use"
  
 However, its definition of "risk" has remained unchanged since it was introduced in the 2012 edition of "ISO/IEC Directives-Part 1. Annex SL, Appendix 3". However, its definition of "risk" has remained unchanged since it was introduced in the 2012 edition of "ISO/IEC Directives-Part 1. Annex SL, Appendix 3".
  
-<blockquote>**ISO/IEC Directives-Part 1. Annex L, Appendix 2 (2019 edition)** \\ +<blockquote>**ISO/IEC Directives-Part 1. Annex SL, Appendix 2 (2022 edition)** \\ 
-3. risk \\ +3. risk \\ 
-effect of uncertainty \\+effect of uncertainty \\ 
  
 Note 1 to entry: An effect is a deviation from the expected — positive or negative. \\ Note 1 to entry: An effect is a deviation from the expected — positive or negative. \\
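Review bot: the link in the "prescribes how ISO Management System Standard (MSS) standards should be structured" paragraph points at "2021-05_Annex_SL_Appendix_2.pdf" with vernum=-2, while the same document is linked earlier on the page as "2022-05_Annex_SL_Appendix_2.pdf" with vernum=-2a; use one URL consistently. In the new note, "(who was resistant ...)" should read "(which were resistant ...)" since it refers to IEC standards, and the quoted SL.5 text has lost its separators ("all ISO documentsincluding TSPAS and IWA" is presumably "all ISO documents, including TS, PAS and IWA"; check against the source PDF). The list headed "ISO/IEC Directives-Part 1:2022 was divided into two main parts" is misleading because Appendix 2 belongs to Annex SL rather than being a separate part of the Directives; "Annex SL is divided into ..." or describing Appendix 2 as a sub-part of Annex SL would be accurate. "Management System Standard (MSS) standards" also repeats "standard".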
Line 40: Line 45:
 Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73) and “consequences” (as defined in ISO Guide 73), or a combination of these. \\ Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73) and “consequences” (as defined in ISO Guide 73), or a combination of these. \\
 Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73) of occurrence.</blockquote> Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73) of occurrence.</blockquote>
 +
 +<note>While the [[https://isotc.iso.org/livelink/livelink/fetch/-8921878/8921901/16347356/16347818/2022-05_Annex_SL_Appendix_2.pdf?nodeid=21826538&vernum=-2|ISO/IEC Directives-Part 1, Annex SL]]:2022 is titled "Harmonized approach for management system standards" (HA), this is essentially the same as the previous “//High level structure//” (HLS). Interestingly, the actual ISO/IEC Directives-Part 1, Annex SL, Appendix 2]]:2022 is titled "//Harmonized structure for MSS with guidance for use//" (or "HS"). The differences in "ISO/IEC Directives-Part 1, Annex SL, Appendix 2" compared to ISO 9001:2015 are minimal. These differences are described at the end of an article titled [[https://www.quality.org/knowledge/high-level-structure-dead-long-life-harmonised-approach|"The High Level Structure is dead. Long life to the Harmonised Approach?"]].</note>
 +
  
 A clue as to why ISO developed this broad definition for risk can be found in ISO JTCG N359, "JTCG Frequently Asked Questions in support of Annex SL" (dated 2013-12-03), explaining why the concept of “Preventive Action” was replaced with "risks and opportunities". A clue as to why ISO developed this broad definition for risk can be found in ISO JTCG N359, "JTCG Frequently Asked Questions in support of Annex SL" (dated 2013-12-03), explaining why the concept of “Preventive Action” was replaced with "risks and opportunities".
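Review bot: the second sentence of the new note contains a stray "]]" ("ISO/IEC Directives-Part 1, Annex SL, Appendix 2]]:2022") with no matching "[[", so it will render as literal brackets; either make it a full link as in the first sentence or drop the brackets. The first sentence links with vernum=-2 while the earlier links use vernum=-2a; keep one. "The differences ... compared to ISO 9001:2015 are minimal" is asserted without saying what they are; a short parenthetical naming the clauses affected would let readers judge the claim without following the external link.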
Line 78: Line 86:
  
 <WRAP center round box 80%> <WRAP center round box 80%>
-Consider a baseball game where your team is down by run at the bottom of the 9th inning and the bases are loaded with two outs. \\ +Consider a baseball game where your team is down by run at the bottom of the 9th inning and the bases are loaded with two outs. \\ 
 Negative risk - the batter will strike out and your team will lose the game. \\ Negative risk - the batter will strike out and your team will lose the game. \\
-Positive risk - the batter will score couple of runs and your team will win the game.+Positive risk - the batter will hit "Grand Slam" and your team will win the game.
 </WRAP> </WRAP>
  
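Review bot: both the unchanged first line and the changed last line of the baseball box are missing articles: "down by run" should be "down by a run" and 'will hit "Grand Slam"' should be "will hit a grand slam". Since Note 1 of the quoted definition says it is the effect that is "positive or negative", labelling the two outcomes "Negative effect" / "Positive effect" would tie the example more directly to the definition being illustrated than "Negative risk" / "Positive risk".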
Line 255: Line 263:
 However, the above definition was deleted from SAE AS9100:2016 (Rev. D) in order to accommodate the definition provided in ISO 9000:2015.  However, the above definition was deleted from SAE AS9100:2016 (Rev. D) in order to accommodate the definition provided in ISO 9000:2015. 
  
-==== US Military Definitions of Risk ====+==== NASA  ==== 
 +NASA has a relatively extensive definition and explanation of risk.
  
 +<blockquote>**NASA/SP-2011-3421 (Second Edition, December 2011) \\
 +"Probabilistic Risk Assessment Procedures Guide for NASA Managers and Practitioners"** \\
 +2.1 Definition of Risk \\
 +The concept of risk includes both undesirable consequences and likelihoods, e.g., the number of people harmed, and the probability of occurrence of this harm. Sometimes, risk is defined as a set of single values, e.g., the expected values of these consequences. This is a summary measure and not a general definition. Producing probability distributions for the consequences affords a much more detailed description of risk.
  
 +A very common definition of risk represents it as a set of triplets [2-1]: scenarios, likelihoods, and consequences. Determining risk generally amounts to answering the following questions:
 +  - What can go wrong?
 +  - How likely is it?
 +  - What are the associated consequences?
 +
 +The answer to the first question is a set of accident scenarios. The second question requires the evaluation of the probabilities of these scenarios, while the third estimates their consequences. Implicit within each question is that there are uncertainties. The uncertainties pertain to whether all the significant accident scenarios have been identified, and whether the probabilities of the scenarios and associated consequence estimates have properly taken into account the sources of variability and the limitations of the available information.
 +
 +Scenarios and uncertainties are among the most important components of a risk assessment. Figure 2-1 shows the implementation of these concepts in PRA. In this Figure, uncertainty analysis is shown to be an integral part of each step of the process rather than just a calculation that is performed at the end of the risk quantification.
 +</blockquote>
 +
 +==== US Military Definitions of Risk ====
 +
 +For internal use:
 <blockquote>**FM 5-19 (FM 100-14) "Composite Risk Management" (July 2006) - SECTION II – TERMS** \\ <blockquote>**FM 5-19 (FM 100-14) "Composite Risk Management" (July 2006) - SECTION II – TERMS** \\
 Risk \\ Risk \\
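Review bot: the added NASA quotation cites "[2-1]" and "Figure 2-1", neither of which is reproduced here, so readers are left with a dangling reference and a description of a figure they cannot see; either end the quotation before "Scenarios and uncertainties ..." or add a line saying the figure is in the source document. The heading "==== NASA  ====" has a double space before the closing markup, and the bold marker opened at "**NASA/SP-2011-3421" closes on the following line after a forced line break; keep the "**" pair on one line, or close and reopen it, so it renders reliably. "For internal use:" reads like a document classification; "For use within the military:" or similar would make the contrast with the following "For DoD Contractors:" label clearer.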
Line 265: Line 291:
 A condition with the potential to cause injury, illness, or death of personnel; damage to or loss of equipment or property; or mission degradation. A condition with the potential to cause injury, illness, or death of personnel; damage to or loss of equipment or property; or mission degradation.
 </blockquote> </blockquote>
 +
 +For DoD Contractors:
 +<blockquote>**Department of Defense, "Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs" (January 2017) - Glossary** \\
 +risk: potential future event or condition that may have a negative effect on achieving program objectives for cost, schedule, and performance. Risks are defined by (1) the probability (greater than 0, less than 1) of an undesired event or condition and (2) the consequences, impact, or severity of the undesired event, were it to occur.</blockquote>
  
 And, by order of the Commander Air Force Materiel Command: And, by order of the Commander Air Force Materiel Command:
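Review bot: the label "For DoD Contractors:" narrows the audience more than the quoted title does; "Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs" addresses acquisition programs generally, program offices as well as contractors, so "For DoD acquisition programs:" would match the source. The new blockquote is otherwise consistent with the FM 5-19 one above it (bold title, "\\" break, definition text).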
Line 347: Line 377:
 ===== The ISO 9001:2015 Conundrum ===== ===== The ISO 9001:2015 Conundrum =====
  
-IF the authors of ISO 9001:2015 had subscribed to the views expressed in ISO 9000:2015, "Note 1", then they would simply have used the word "risk" rather than repeatedly stating “//risks and opportunities//” as two separate concepts throughout the standard (in sections 4.4f, 5.1.2b, 6.1, 9.1.3e, 9.3.2e & 10.2.1e). +IF the authors of ISO 9001:2015 had truly subscribed to the views expressed in ISO 9000:2015, "Note 1", then they would simply have used the word "risk" rather than repeatedly stating “//risks and opportunities//” as two separate concepts throughout the standard (in sections 4.4f, 5.1.2b, 6.1, 9.1.3e, 9.3.2e & 10.2.1e). 
 {{ :articles:confused_thoughts.png?nolink&300|}} {{ :articles:confused_thoughts.png?nolink&300|}}
  
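Review bot: 'ISO 9000:2015, "Note 1"' does not say which term's Note 1 is meant; "Note 1 to the definition of risk in ISO 9000:2015" would make the reference unambiguous, especially since the quoted Annex SL entry above has four notes. The added "truly" only strengthens the rhetorical "IF" and does not change the argument, which is fine; the line also carries trailing whitespace.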
Line 361: Line 391:
 Consequently, this has created a conundrum for users over how to properly address "risk". Consequently, this has created a conundrum for users over how to properly address "risk".
  
-<note tip>To use an analogy, the online dictionary "[[https://www.wordnik.com/|Wordnik]]" includes two definitions for the word  [[https://www.wordnik.com/words/day|"day"]]: \\+<WRAP center round info 80%> 
 +To use an analogy, the online dictionary "[[https://www.wordnik.com/|Wordnik]]" includes two definitions for the word  [[https://www.wordnik.com/words/day|"day"]]: \\
 n. The period of light between dawn and nightfall; the interval from sunrise to sunset. \\ n. The period of light between dawn and nightfall; the interval from sunrise to sunset. \\
 n. The 24-hour period during which the earth completes one rotation on its axis, traditionally measured from midnight to midnight.  \\ n. The 24-hour period during which the earth completes one rotation on its axis, traditionally measured from midnight to midnight.  \\
  \\  \\
-Using this analogy, ISO //defines// "risk" as being both "negative" and "positive" in much the same way as a "day" can be interpreted as including both "light" and "darkness". However, the term "risks and opportunities" are used repeatedly in standards such as ISO 9001 & ISO 17025 in much the same way that one might casually refer to "day" and "night" as both occurring during a 24-hour "day".</note>+Using this analogy, ISO //defines// "risk" as being both "negative" and "positive" in much the same way as a "day" can be interpreted as including both "light" and "darkness". However, the term "risks and opportunities" are used repeatedly in standards such as ISO 9001 & ISO 17025 in much the same way that one might casually refer to "day" and "night" as both occurring during a 24-hour "day". 
 +</WRAP> 
 ==== Is the use of "Preventive Action" still valid? ==== ==== Is the use of "Preventive Action" still valid? ====
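Review bot: 'the term "risks and opportunities" are used repeatedly' should be "is used repeatedly" (singular subject); this was carried over unchanged from the "<note tip>" version. The change from "<note tip>" to "<WRAP center round info 80%>" is consistent with the baseball box earlier on the page, but the closing "</WRAP>" is immediately followed by the next heading with no blank line between them; add one so the box and the heading do not run together in the rendered page.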