| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| articles:a_matter_of_risk [2022/06/12 15:06] – [A Matter of "Risk"] rrandall | articles:a_matter_of_risk [2023/01/31 13:48] (current) – [The ISO 9001:2015 Conundrum] rrandall |
|---|
| ====== A Matter of "Risk" ====== | ====== A Matter of "Risk" ====== |
| |
| When it comes to defining the word "//risk//", ISO has several competing definitions; in various "official" ISO documents. And these are in further conflict with non-ISO industry standards. As one would expect, these differences have created conflict within ISO and confusion amongst users. The problem appears to stem from ISO attempting to create a "one-size fits all" definition for "risk" (initially through ISO/IEC Directives-Part 1, Annex SL), while failing to recognize that there are different "types" of risks... and perhaps, failing to grasp a basic understanding of the concept. | When it comes to defining the word "//risk//", ISO has several competing definitions; in various "official" ISO documents. And these are in further conflict with non-ISO industry standards. As one would expect, these differences have created conflict within ISO and confusion amongst users. The problem appears to stem from ISO attempting to create a "one-size fits all" definition for "risk" (through ISO/IEC Directives-Part 1, Annex SL), in recognition of various industries having different views on what "risk" is. |
| |
| This article will discuss two of the most "commonly" used general definitions. | This article will discuss two of the most "commonly" used general definitions. |
| |
| - The "non-traditional" definition is that "risk" can be positive, negative, or both (e.g., for a type of risk involving action-related decisions, such as investment decisions; addressing the consequences of taking some action, as well as __not__ taking that action). This definition appears in [[https://isotc.iso.org/livelink/livelink/fetch/-8921878/8921901/16347356/16347818/2021-05_Annex_SL_Appendix_2.pdf?nodeid=21826538&vernum=-2a|ISO/IEC Directives-Part 1, Annex SL, Appendix 2]]:2022, ISO 9000:2015, ISO 14001:2015, ISO 19011:2018, ISO 31000:2018 & ISO Guide 73:2009) | - The "non-traditional" definition is that "risk" can be positive, negative, or both (e.g., for a type of risk involving action-related decisions, such as investment decisions; addressing the consequences of taking some action, as well as __not__ taking that action). This definition appears in [[https://isotc.iso.org/livelink/livelink/fetch/-8921878/8921901/16347356/16347818/2022-05_Annex_SL_Appendix_2.pdf?nodeid=21826538&vernum=-2a|ISO/IEC Directives-Part 1, Annex SL, Appendix 2]]:2022, ISO 9000:2015, ISO 14001:2015, ISO 19011:2018, ISO 31000:2018 & ISO Guide 73:2009) |
| - The "traditional" definition is that "risk" is always "negative" (e.g., for a type of risk involving specific desired outcomes, such as operational processes, projects or designs). This definition appears in ISO 13485:2016, ISO 45001:2018, ISO/IEC Guide 51:2014, along with popular industry standards (e.g., ICH Q9, API Spec Q1 & SAE AS9100C) and government publications (e.g., CNSS Instruction No. 4009 & NIST SP 800-30) | - The "traditional" definition is that "risk" is always "negative" (e.g., for a type of risk involving specific desired outcomes, such as operational processes, projects or designs). This definition appears in ISO 13485:2016, ISO 45001:2018, ISO/IEC Guide 51:2014, along with popular industry standards (e.g., ICH Q9, API Spec Q1 & SAE AS9100C) and government publications (e.g., CNSS Instruction No. 4009 & NIST SP 800-30) |
| |
| ==== ISO/IEC Directives-Part 1. Annex SL (later changed to Annex L... and then back to Annex SL) ==== | ==== ISO/IEC Directives-Part 1. Annex SL (later changed to Annex L... and then back to Annex SL) ==== |
| |
| While the origin of the non-traditional definition for risk //may// have been "ISO Guide 73", the "driving force" promoting this definition in ISO 9001:2015 was [[https://isotc.iso.org/livelink/livelink/fetch/-8921878/8921901/16347356/16347818/2021-05_Annex_SL_Appendix_2.pdf?nodeid=21826538&vernum=-2a|ISO/IEC Directives-Part 1, Annex SL, Appendix 2]]. | While the origin of the non-traditional definition for risk //may// have been "ISO Guide 73", the "driving force" promoting this definition in ISO 9001:2015 was [[https://isotc.iso.org/livelink/livelink/fetch/-8921878/8921901/16347356/16347818/2022-05_Annex_SL_Appendix_2.pdf?nodeid=21826538&vernum=-2a|ISO/IEC Directives-Part 1, Annex SL, Appendix 2]]. |
| |
| Prior to 2012, various standards for management systems were written in different/inconsistent structures. When users would implement two or more of these management system standards (e.g., ISO 9001 for quality management and ISO 14001 for environmental management), this led to challenges in aligning/integrating the same or similar concepts into one cohesive management system structure. | Prior to 2012, various standards for management systems were written in different/inconsistent structures. When users would implement two or more of these management system standards (e.g., ISO 9001 for quality management and ISO 14001 for environmental management), this led to challenges in aligning/integrating the same or similar concepts into one cohesive management system structure. |
| |
| <note> | <note> |
| The ISO/IEC Directives-Part 1:2019 edition was restructured to (1) rename "Annex SL" to "Annex L" and (2) expand the scope of Annex L to include IEC management system standards (many of whom had been and remain, resistant to adopting the new structure and/or common content). However, the 2022 version has returned to "Annex SL" and no longer includes IEC. It now states: \\ | The ISO/IEC Directives-Part 1:2019 edition was restructured to (1) rename "Annex SL" to "Annex L" and (2) expand the scope of Annex L to include IEC management system standards (who was resistant to adopting the new structure and/or common content). However, the 2022 version has returned to "Annex SL" and no longer includes IEC (S-prefixed annexes only apply to ISO standards, while those without the prefix apply to both ISO and IEC standards). It now states: \\ |
| **SL.5 Applicability of this annex** \\ | **SL.5 Applicability of this annex** \\ |
| //The procedures in this annex apply to all ISO documents, including TS, PAS and IWA.// | //The procedures in this annex apply to all ISO documents, including TS, PAS and IWA.// |
| Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73) of occurrence.</blockquote> | Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73) of occurrence.</blockquote> |
| |
| <note>While the [[https://isotc.iso.org/livelink/livelink/fetch/-8921878/8921901/16347356/16347818/2021-05_Annex_SL_Appendix_2.pdf?nodeid=21826538&vernum=-2|ISO/IEC Directives-Part 1, Annex SL]]:2022 is titled "Harmonized approach for management system standards" (HA), this is essentially the same as the previous “//High level structure//” (HLS). Interestingly, the actual ISO/IEC Directives-Part 1, Annex SL, Appendix 2]]:2022 is titled "//Harmonized structure for MSS with guidance for use//" (or "HS"). The differences in "ISO/IEC Directives-Part 1, Annex SL, Appendix 2" compared to ISO 9001:2015 are minimal. These differences are described at the end of an article titled [[https://www.quality.org/knowledge/high-level-structure-dead-long-life-harmonised-approach|"The High Level Structure is dead. Long life to the Harmonised Approach?"]].</note> | <note>While the [[https://isotc.iso.org/livelink/livelink/fetch/-8921878/8921901/16347356/16347818/2022-05_Annex_SL_Appendix_2.pdf?nodeid=21826538&vernum=-2|ISO/IEC Directives-Part 1, Annex SL]]:2022 is titled "Harmonized approach for management system standards" (HA), this is essentially the same as the previous “//High level structure//” (HLS). Interestingly, the actual ISO/IEC Directives-Part 1, Annex SL, Appendix 2]]:2022 is titled "//Harmonized structure for MSS with guidance for use//" (or "HS"). The differences in "ISO/IEC Directives-Part 1, Annex SL, Appendix 2" compared to ISO 9001:2015 are minimal. These differences are described at the end of an article titled [[https://www.quality.org/knowledge/high-level-structure-dead-long-life-harmonised-approach|"The High Level Structure is dead. Long life to the Harmonised Approach?"]].</note> |
| |
| |
| Consequently, this has created a conundrum for users over how to properly address "risk". | Consequently, this has created a conundrum for users over how to properly address "risk". |
| |
| <note tip>To use an analogy, the online dictionary "[[https://www.wordnik.com/|Wordnik]]" includes two definitions for the word [[https://www.wordnik.com/words/day|"day"]]: \\ | <WRAP center round info 80%> |
| | To use an analogy, the online dictionary "[[https://www.wordnik.com/|Wordnik]]" includes two definitions for the word [[https://www.wordnik.com/words/day|"day"]]: \\ |
| n. The period of light between dawn and nightfall; the interval from sunrise to sunset. \\ | n. The period of light between dawn and nightfall; the interval from sunrise to sunset. \\ |
| n. The 24-hour period during which the earth completes one rotation on its axis, traditionally measured from midnight to midnight. \\ | n. The 24-hour period during which the earth completes one rotation on its axis, traditionally measured from midnight to midnight. \\ |
| \\ | \\ |
| Using this analogy, ISO //defines// "risk" as being both "negative" and "positive" in much the same way as a "day" can be interpreted as including both "light" and "darkness". However, the term "risks and opportunities" are used repeatedly in standards such as ISO 9001 & ISO 17025 in much the same way that one might casually refer to "day" and "night" as both occurring during a 24-hour "day".</note> | Using this analogy, ISO //defines// "risk" as being both "negative" and "positive" in much the same way as a "day" can be interpreted as including both "light" and "darkness". However, the term "risks and opportunities" are used repeatedly in standards such as ISO 9001 & ISO 17025 in much the same way that one might casually refer to "day" and "night" as both occurring during a 24-hour "day". |
| | </WRAP> |
| ==== Is the use of "Preventive Action" still valid? ==== | ==== Is the use of "Preventive Action" still valid? ==== |
| |
