Differences

articles:a_matter_of_risk [2022/06/12 14:20] – [ISO 9000:2015] rrandall
articles:a_matter_of_risk [2023/01/31 13:48] (current) – [The ISO 9001:2015 Conundrum] rrandall
Line 1: Line 1:
 ====== A Matter of "Risk" ====== ====== A Matter of "Risk" ======
  
-When it comes to defining the word "//risk//", ISO has several competing definitions; in various "official" ISO documents. And these are in further conflict with non-ISO industry standards. As one would expect, these differences have created conflict within ISO and confusion amongst users. The problem appears to stem from ISO attempting to create a "one-size fits all" definition for "risk" (initially through ISO/IEC Directives-Part 1, Annex SL), while failing to recognize that there are different "typesof risks... and perhaps, failing to grasp a basic understanding of the concept.+When it comes to defining the word "//risk//", ISO has several competing definitions; in various "official" ISO documents. And these are in further conflict with non-ISO industry standards. As one would expect, these differences have created conflict within ISO and confusion amongst users. The problem appears to stem from ISO attempting to create a "one-size fits all" definition for "risk" (through ISO/IEC Directives-Part 1, Annex SL), in recognition of various industries having different views on what "riskis.
  
 This article will discuss two of the most "commonly" used general definitions. This article will discuss two of the most "commonly" used general definitions.
  
-  - The "non-traditional" definition is that "risk" can be positive, negative, or both (e.g., for a type of risk involving action-related decisions, such as investment decisions; addressing the consequences of taking some action, as well as __not__ taking that action). This definition appears in Appendix 2 of [[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]]:2019, ISO 9000:2015, ISO 14001:2015, ISO 19011:2018, ISO 31000:2018 & ISO Guide 73:2009)+  - The "non-traditional" definition is that "risk" can be positive, negative, or both (e.g., for a type of risk involving action-related decisions, such as investment decisions; addressing the consequences of taking some action, as well as __not__ taking that action). This definition appears in [[https://isotc.iso.org/livelink/livelink/fetch/-8921878/8921901/16347356/16347818/2022-05_Annex_SL_Appendix_2.pdf?nodeid=21826538&vernum=-2a|ISO/IEC Directives-Part 1, Annex SL, Appendix 2]]:2022, ISO 9000:2015, ISO 14001:2015, ISO 19011:2018, ISO 31000:2018 & ISO Guide 73:2009)
   - The "traditional" definition is that "risk" is always "negative" (e.g., for a type of risk involving specific desired outcomes, such as operational processes, projects or designs). This definition appears in ISO 13485:2016, ISO 45001:2018, ISO/IEC Guide 51:2014, along with popular industry standards (e.g., ICH Q9, API Spec Q1 & SAE AS9100C) and government publications (e.g., CNSS Instruction No. 4009 & NIST SP 800-30)   - The "traditional" definition is that "risk" is always "negative" (e.g., for a type of risk involving specific desired outcomes, such as operational processes, projects or designs). This definition appears in ISO 13485:2016, ISO 45001:2018, ISO/IEC Guide 51:2014, along with popular industry standards (e.g., ICH Q9, API Spec Q1 & SAE AS9100C) and government publications (e.g., CNSS Instruction No. 4009 & NIST SP 800-30)
  
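Review bot: the rewritten opening paragraph (first changed line of this hunk) drops the closing quotation mark and the space in `"riskis.`; it should read `what "risk" is.` The same line also keeps `"one-size fits all"` where `one-size-fits-all` is the conventional hyphenation. In list item 1, the sentence ends with a closing parenthesis after `ISO Guide 73:2009)` that has no matching opening parenthesis in either the old or the new version; either open one before `ISO/IEC Directives-Part 1` or drop it.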
Line 15: Line 15:
 ===== Non-Traditional (ISO) Definition of Risk ===== ===== Non-Traditional (ISO) Definition of Risk =====
  
-==== ISO/IEC Directives-Part 1. Annex SL (larter changed to Annex L) ====+==== ISO/IEC Directives-Part 1. Annex SL (later changed to Annex L... and then back to Annex SL) ====
  
-While the origin of the non-traditional definition for risk //may// have been "ISO Guide 73", the "driving force" promoting this definition in ISO 9001:2015 was ISO/IEC Directives-Part 1, Annex SL (later changed to Annex L), Appendix 2.+While the origin of the non-traditional definition for risk //may// have been "ISO Guide 73", the "driving force" promoting this definition in ISO 9001:2015 was [[https://isotc.iso.org/livelink/livelink/fetch/-8921878/8921901/16347356/16347818/2022-05_Annex_SL_Appendix_2.pdf?nodeid=21826538&vernum=-2a|ISO/IEC Directives-Part 1, Annex SL, Appendix 2]].
  
 Prior to 2012, various standards for management systems were written in different/inconsistent structures. When users would implement two or more of these management system standards (e.g., ISO 9001 for quality management and ISO 14001 for environmental management), this led to challenges in aligning/integrating the same or similar concepts into one cohesive management system structure. Prior to 2012, various standards for management systems were written in different/inconsistent structures. When users would implement two or more of these management system standards (e.g., ISO 9001 for quality management and ISO 14001 for environmental management), this led to challenges in aligning/integrating the same or similar concepts into one cohesive management system structure.
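Review bot: the revised heading `ISO/IEC Directives-Part 1. Annex SL (later changed to Annex L... and then back to Annex SL)` puts a period between `Part 1` and `Annex SL`, while the body sentence on the next changed line writes `ISO/IEC Directives-Part 1, Annex SL, Appendix 2` with commas; pick one form so the heading and the linked title match. The new link text in the body also drops the edition year that the old sentence implied (the 2019 "Annex L" rename); adding `:2022` after the link, as the first hunk does, would make clear which edition of Appendix 2 is being cited.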
Line 23: Line 23:
 According to ISO JTCG N359, "//JTCG Frequently Asked Questions in support of Annex SL//" (dated 2013-12-03), in response to the “//Report of the ISO TMB Ad Hoc Group on Management Systems Standards//” (dated 10 February 2006), the "Technical Management Board (TMB)" formed the "//Joint Technical Co-ordination Group on Management System Standards//" (TAG13-JTCG, or JTCG) to develop the future vision and guidelines for "//aligning//" future editions of its current management system standards (MSS), and for any new MSS. While the original scope of the JTCG was to standardize the "structure" of ISO MSSs, the JTCG requested permission to include "some" common content. This scope expansion was approved by the TMB, which led to the JTCG introducing Annex SL for inclusion in the 2012 edition of the ISO/IEC Directives-Part 1. According to ISO JTCG N359, "//JTCG Frequently Asked Questions in support of Annex SL//" (dated 2013-12-03), in response to the “//Report of the ISO TMB Ad Hoc Group on Management Systems Standards//” (dated 10 February 2006), the "Technical Management Board (TMB)" formed the "//Joint Technical Co-ordination Group on Management System Standards//" (TAG13-JTCG, or JTCG) to develop the future vision and guidelines for "//aligning//" future editions of its current management system standards (MSS), and for any new MSS. While the original scope of the JTCG was to standardize the "structure" of ISO MSSs, the JTCG requested permission to include "some" common content. This scope expansion was approved by the TMB, which led to the JTCG introducing Annex SL for inclusion in the 2012 edition of the ISO/IEC Directives-Part 1.
  
-ISO/IEC Directives-Part 1, Annex SL prescribes how ISO Management System Standard (MSS) standards //should// be structured and, much to the ire of some Technical Committee (TC) members, includes some "mandatory" //common// content. The ISO/IEC Directives-Part 1:2019 edition was restructured to  (1) rename "Annex SL" to "Annex L" and (2) expand the scope of Annex L to include IEC management system standards (many of whom had been and remain, resistant to adopting the new structure and/or common content).+[[https://isotc.iso.org/livelink/livelink/fetch/-8921878/8921901/16347356/16347818/2021-05_Annex_SL_Appendix_2.pdf?nodeid=21826538&vernum=-2|ISO/IEC Directives-Part 1, Annex SL, Appendix 2]] prescribes how ISO Management System Standard (MSS) standards //should// be structured and, much to the ire of some Technical Committee (TC) members, includes some "mandatory" //common// content. 
  
-ISO/IEC Directives-Part 1:2019 was divided into two main parts:  +<note> 
-  Annex L"Proposals for management system standards" \\ +The ISO/IEC Directives-Part 1:2019 edition was restructured to  (1) rename "Annex SL" to "Annex L" and (2) expand the scope of Annex L to include IEC management system standards (who was resistant to adopting the new structure and/or common content). However, the 2022 version has returned to "Annex SL" and no longer includes IEC (S-prefixed annexes only apply to ISO standards, while those without the prefix apply to both ISO and IEC standards). It now states: \\  
-  Appendix 2"High level structureidentical core text, common terms and core definitions" +**SL.5 Applicability of this annex** \\  
 +//The procedures in this annex apply to all ISO documentsincluding TSPAS and IWA.// 
 +</note>
  
 +ISO/IEC Directives-Part 1:2022 was divided into two main parts: 
 +  * Annex SL, "Proposals for management system standards" \\
 +  * Appendix 2, "Harmonized structure for MSS with guidance for use"
  
 However, its definition of "risk" has remained unchanged since it was introduced in the 2012 edition of "ISO/IEC Directives-Part 1. Annex SL, Appendix 3". However, its definition of "risk" has remained unchanged since it was introduced in the 2012 edition of "ISO/IEC Directives-Part 1. Annex SL, Appendix 3".
  
-<blockquote>**ISO/IEC Directives-Part 1. Annex L, Appendix 2 (2019 edition)** \\ +<blockquote>**ISO/IEC Directives-Part 1. Annex SL, Appendix 2 (2022 edition)** \\ 
-3. risk \\ +3. risk \\ 
-effect of uncertainty \\+effect of uncertainty \\ 
  
 Note 1 to entry: An effect is a deviation from the expected — positive or negative. \\ Note 1 to entry: An effect is a deviation from the expected — positive or negative. \\
Line 41: Line 46:
 Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73) of occurrence.</blockquote> Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73) of occurrence.</blockquote>
  
-<note>As of 2022, the [[https://www.iso.org/sites/directives/current/consolidated/index.xhtml#_idTextAnchor645|ISO/IEC Directives-Part 1, Annex SL]] appears to have been revised such that it describes (generically) a "Harmonized Approach" (HA)... which replaces the “High level structure” (HLS). I have been unable to locate a document describing the HA in the same way that he HLS was specified. In fact, the only other information that I've been able to find on it is in an article titled [[https://www.quality.org/knowledge/high-level-structure-dead-long-life-harmonised-approach|"The High Level Structure is dead. Long life to the Harmonised Approach?"]]. If I understand the article (which is questionable) the HA is currently being developed.</note>+<note>While the [[https://isotc.iso.org/livelink/livelink/fetch/-8921878/8921901/16347356/16347818/2022-05_Annex_SL_Appendix_2.pdf?nodeid=21826538&vernum=-2|ISO/IEC Directives-Part 1, Annex SL]]:2022 is titled "Harmonized approach for management system standards" (HA), this is essentially the same as the previous //High level structure//” (HLS). Interestingly, the actual ISO/IEC Directives-Part 1, Annex SL, Appendix 2]]:2022 is titled "//Harmonized structure for MSS with guidance for use//" (or "HS"). The differences in "ISO/IEC Directives-Part 1, Annex SL, Appendix 2" compared to ISO 9001:2015 are minimal. These differences are described at the end of an article titled [[https://www.quality.org/knowledge/high-level-structure-dead-long-life-harmonised-approach|"The High Level Structure is dead. Long life to the Harmonised Approach?"]].</note>
  
  
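Review bot: the replacement `<note>` near the end of this hunk contains broken link markup: `ISO/IEC Directives-Part 1, Annex SL, Appendix 2]]:2022` has a closing `]]` with no opening `[[`, so it will render as literal brackets; either wrap the title in a full `[[url|title]]` link or remove the `]]`. The same note has a stray closing quotation mark after `//High level structure//”`. Earlier in the hunk, the new parenthetical `(who was resistant to adopting the new structure and/or common content)` should read `(which was resistant ...)` or keep the original `many of whom had been and remain resistant`, since IEC is an organization. The new link on the `prescribes how ISO Management System Standard (MSS) standards` line points at `2021-05_Annex_SL_Appendix_2.pdf`, while the other new links and the blockquote title cite the 2022 edition (`2022-05_Annex_SL_Appendix_2.pdf`); the blockquote header `Annex SL, Appendix 2 (2022 edition)` and that sentence should cite the same file. Finally, `Management System Standard (MSS) standards` reads as "standard standards"; `ISO management system standards (MSS)` is cleaner.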
Line 386: Line 391:
 Consequently, this has created a conundrum for users over how to properly address "risk". Consequently, this has created a conundrum for users over how to properly address "risk".
  
-<note tip>To use an analogy, the online dictionary "[[https://www.wordnik.com/|Wordnik]]" includes two definitions for the word  [[https://www.wordnik.com/words/day|"day"]]: \\+<WRAP center round info 80%> 
 +To use an analogy, the online dictionary "[[https://www.wordnik.com/|Wordnik]]" includes two definitions for the word  [[https://www.wordnik.com/words/day|"day"]]: \\
 n. The period of light between dawn and nightfall; the interval from sunrise to sunset. \\ n. The period of light between dawn and nightfall; the interval from sunrise to sunset. \\
 n. The 24-hour period during which the earth completes one rotation on its axis, traditionally measured from midnight to midnight.  \\ n. The 24-hour period during which the earth completes one rotation on its axis, traditionally measured from midnight to midnight.  \\
  \\  \\
-Using this analogy, ISO //defines// "risk" as being both "negative" and "positive" in much the same way as a "day" can be interpreted as including both "light" and "darkness". However, the term "risks and opportunities" are used repeatedly in standards such as ISO 9001 & ISO 17025 in much the same way that one might casually refer to "day" and "night" as both occurring during a 24-hour "day".</note>+Using this analogy, ISO //defines// "risk" as being both "negative" and "positive" in much the same way as a "day" can be interpreted as including both "light" and "darkness". However, the term "risks and opportunities" are used repeatedly in standards such as ISO 9001 & ISO 17025 in much the same way that one might casually refer to "day" and "night" as both occurring during a 24-hour "day". 
 +</WRAP> 
 ==== Is the use of "Preventive Action" still valid? ==== ==== Is the use of "Preventive Action" still valid? ====
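Review bot: in the closing sentence of the new `<WRAP>` block, `the term "risks and opportunities" are used` has a subject-verb mismatch (the term ... is used); this predates the change but is worth fixing while the block is being reworked. The `<WRAP center round info 80%>` replacement for `<note tip>` is closed correctly by `</WRAP>`, but a blank line before the `==== Is the use of "Preventive Action" still valid? ====` heading would keep the heading from butting against the box. Also, `ISO 17025` is properly cited as `ISO/IEC 17025`, matching the joint ISO/IEC designations (ISO/IEC Guide 51, ISO/IEC Directives) used elsewhere on the page.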