A Matter of "Risk"

When it comes to defining the word “risk”, ISO has several competing definitions; in various “official” ISO documents. And these are in further conflict with non-ISO industry standards. As one would expect, these differences have created conflict within ISO and confusion amongst users. The problem appears to stem from ISO attempting to create a “one-size fits all” definition for “risk” (through ISO/IEC Directives-Part 1, Annex SL), in recognition of various industries having different views on what “risk” is.

This article will discuss two of the most “commonly” used general definitions.

1. The “non-traditional” definition is that “risk” can be positive, negative, or both (e.g., for a type of risk involving action-related decisions, such as investment decisions; addressing the consequences of taking some action, as well as not taking that action). This definition appears in ISO/IEC Directives-Part 1, Annex SL, Appendix 2:2022, ISO 9000:2015, ISO 14001:2015, ISO 19011:2018, ISO 31000:2018 & ISO Guide 73:2009)
2. The “traditional” definition is that “risk” is always “negative” (e.g., for a type of risk involving specific desired outcomes, such as operational processes, projects or designs). This definition appears in ISO 13485:2016, ISO 45001:2018, ISO/IEC Guide 51:2014, along with popular industry standards (e.g., ICH Q9, API Spec Q1 & SAE AS9100C) and government publications (e.g., CNSS Instruction No. 4009 & NIST SP 800-30)

While ISO promotes (through marketing) that “the world agrees” on ISO standards, in reality, committee work is often contentious. Many ISO standards are adopted through compromise (lose-lose), rather than collaboration (win-win). And when it comes to defining the word “risk”, there is little agreement.

While the origin of the non-traditional definition for risk may have been “ISO Guide 73”, the “driving force” promoting this definition in ISO 9001:2015 was ISO/IEC Directives-Part 1, Annex SL, Appendix 2.

Prior to 2012, various standards for management systems were written in different/inconsistent structures. When users would implement two or more of these management system standards (e.g., ISO 9001 for quality management and ISO 14001 for environmental management), this led to challenges in aligning/integrating the same or similar concepts into one cohesive management system structure.

According to ISO JTCG N359, “JTCG Frequently Asked Questions in support of Annex SL” (dated 2013-12-03), in response to the “Report of the ISO TMB Ad Hoc Group on Management Systems Standards” (dated 10 February 2006), the “Technical Management Board (TMB)” formed the “Joint Technical Co-ordination Group on Management System Standards” (TAG13-JTCG, or JTCG) to develop the future vision and guidelines for “aligning” future editions of its current management system standards (MSS), and for any new MSS. While the original scope of the JTCG was to standardize the “structure” of ISO MSSs, the JTCG requested permission to include “some” common content. This scope expansion was approved by the TMB, which led to the JTCG introducing Annex SL for inclusion in the 2012 edition of the ISO/IEC Directives-Part 1.

ISO/IEC Directives-Part 1, Annex SL, Appendix 2 prescribes how ISO Management System Standard (MSS) standards should be structured and, much to the ire of some Technical Committee (TC) members, includes some “mandatory” common content.

<note> The ISO/IEC Directives-Part 1:2019 edition was restructured to (1) rename “Annex SL” to “Annex L” and (2) expand the scope of Annex L to include IEC management system standards (who was resistant to adopting the new structure and/or common content). However, the 2022 version has returned to “Annex SL” and no longer includes IEC (S-prefixed annexes only apply to ISO standards, while those without the prefix apply to both ISO and IEC standards). It now states:
SL.5 Applicability of this annex
The procedures in this annex apply to all ISO documents, including TS, PAS and IWA. </note>

ISO/IEC Directives-Part 1:2022 was divided into two main parts:

• Annex SL, “Proposals for management system standards”
  
• Appendix 2, “Harmonized structure for MSS with guidance for use”

However, its definition of “risk” has remained unchanged since it was introduced in the 2012 edition of “ISO/IEC Directives-Part 1. Annex SL, Appendix 3”.

ISO/IEC Directives-Part 1. Annex SL, Appendix 2 (2022 edition)
3.7 risk
effect of uncertainty

Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73) and “consequences” (as defined in ISO Guide 73), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73) of occurrence.

<note>While the ISO/IEC Directives-Part 1, Annex SL:2022 is titled “Harmonized approach for management system standards” (HA), this is essentially the same as the previous “High level structure” (HLS). Interestingly, the actual ISO/IEC Directives-Part 1, Annex SL, Appendix 2]]:2022 is titled “Harmonized structure for MSS with guidance for use” (or “HS”). The differences in “ISO/IEC Directives-Part 1, Annex SL, Appendix 2” compared to ISO 9001:2015 are minimal. These differences are described at the end of an article titled "The High Level Structure is dead. Long life to the Harmonised Approach?".</note>

A clue as to why ISO developed this broad definition for risk can be found in ISO JTCG N359, “JTCG Frequently Asked Questions in support of Annex SL” (dated 2013-12-03), explaining why the concept of “Preventive Action” was replaced with “risks and opportunities”.

“JTCG Frequently Asked Questions in support of Annex SL”
10. Why does the common text not include a specific clause on “Preventive Action”?
The high level structure and identical text does not include a clause giving specific requirements for “preventive action”. This is because one of the key purposes of a formal management system is to act as a preventive tool. Consequently, a MSS requires an assessment of the organization’s “external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s)” in clause 4.1, and to “determine the risks and opportunities that need to be addressed to: assure the XXX management system can achieve its intended outcome(s); prevent, or reduce, undesired effects; achieve continual improvement.” in clause 6.1. These two sets of requirements are considered to cover the concept of “preventive action”, and also to take a wider view that looks at risks and opportunities.

When ISO 9001:2015 replaced the concept of “preventive action” with the more expanded “risks and opportunities” (in section 6.1), a definition for “risk” was added to the ISO 9000:2015, “Quality management systems–Fundamentals and Vocabulary” as.

ISO 9000:2015
3.7.9 risk
effect of uncertainty

Note 1 to entry: An effect is a deviation from the expected — positive or negative.
Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information (3.8.2) related to, understanding or knowledge of, an event, its consequence, or likelihood.
Note 3 to entry: Risk is often characterized by reference to potential events (as defined in ISO Guide 73:2009, 3.5.1.3) and consequences (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.
Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence.
Note 5 to entry: The word “risk” is sometimes used when there is the possibility of only negative consequences.
Note 6 to entry: This constitutes one of the common terms and core definitions for ISO management system standards given in Annex SL of the Consolidated ISO Supplement to the ISO/IEC Directives, Part 1. The original definition has been modified by adding Note 5 to entry.

Understanding of this short definition can be clarified through substituting the word “effect”, with one of its synonyms: “consequence”, “outcome” or “result”. Consequently, the committee for ISO 9000:2015 asserts that “risk” is a consequence, outcome, or result of uncertainty.

This broad definition is very similar to the word: “possibility”

“Note 1” then “re-defines” the word “effect” to “a deviation from the expected — positive or negative”.

This does two things. First, adds a slight nuance to the meaning by excluding the “expected” outcome from all of the other possibilities. All it really does is exclude a “sure thing” (i.e., absolutely no “risk” of failing to achieve the expectation).

This enhanced definition is very similar to the term: “unexpected possibilities”

However, what if there were no expectations, but instead, a “hope” or “preference”?

Second, the addition of “positive or negative” clarifies that the “possibilities” include both “desired” or “undesired” effects (consequences, outcomes or results).

An example of “positive” vs “negative” risks from a book written by the conveners of ISO 9001:2015 follows:

In the above example, there is an implied “hope” or “preference” for the “positive” risk.

The 4-minute video below explains “Positive vs. Negative Risks on Projects”:

However, “Note 5” states that the word “risk” is “sometimes” used when there is the possibility of only negative consequences (i.e., a “positive” consequence is impossible). In other words, ANY outcome other than the one “expected”, will be negative.

<note>ISO 14001:2015, “Environmental management systems — Requirements with guidance for use”, sec. 3.2.10 contains a definition for “risk” identical to ISO 9000:2015 EXCEPT that it does not include Note 5 & 6.</note>

Now that we understand how ISO 9000:2015 has defined risk, and since it contains several references to ISO Guide 73, “Risk management — Vocabulary” (which was reviewed and confirmed in 2016), let's take a look at they are different from one another.

ISO Guide 73:2009
1.1. risk

- effect of uncertainty on objectives

NOTE 1 An effect is a deviation from the expected — positive and/or negative.
NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3 Risk is often characterized by reference to potential events (3.5.1.3) and consequences (3.6.1.3), or a combination of these.
NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (3.6.1.1) of occurrence.
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

The expanded definition to include “objectives” (i.e., “effect of uncertainty on objectives”) is negligible because it is equivalent to ISO 9000:2015, “Note 1” using the word “ expected” (i.e., “a deviation from the expected — positive or negative”).

Just as ISO 9000:2015 excludes the “expected” outcome from all of the other possibilities, ISO Guide 73:2009 excludes the “objectives” from all of the other possibilities. As stated above, all it really does is exclude a “sure thing” (i.e., absolutely no “risk” of failing to achieve the expectation).

However, a significant difference appears in “NOTE 1” in ISO Guide 73:2009. While ISO 9000:2015 “Note 1” uses the word “or” (indicating either “positive” OR “negative” effects from a risk, but NOT both), ISO Guide 73:2009 “NOTE 1” uses “and/or” (indicating that there could simultaneously be both “positive” AND “negative” effects from a risk).

The significance of this differentiation may be minor. Perhaps ISO Guide 73:2009 was simply attempting to expand the definition to include absolutely any combination of possibilities. If that is the case, then one must wonder why the committee responsible for ISO 9000:2015 consciously decided to limit/restrict those possibilities through using the word “or”.

While ISO 31000:2018, “Risk Management–Guidelines” has the exact verbatim definition for “risk” as ISO Guide 73:2009, “Risk management — Vocabulary”, it has a greatly expanded “Note 1”.

ISO 31000:2018
3.1 risk
effect of uncertainty on objectives

Note 1 to entry: An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities and threats.
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood.

While the first sentence of ISO 31000:2018, “Note 1” is exactly the same as ISO 9000:2015, “Note 1”, the second sentence begins by maintaining consistency with ISO Guide 73:2009 through reinforcing that the outcome “can be positive, negative or both,…”. The sentence then states that the consequence, outcome, or result “can address, create or result in opportunities and threats”.

At this point, “Note 1” becomes nonsensical because there is no definition or use of the word “address” relating to a consequence, outcome, or result. So for the moment, let's ignore the use of that word and focus on how ISO 31000:2018, “Note 1” states that a “risk” can “create or result in opportunities and threats”.

In effect, ISO 31000:2018 is stating that “opportunities and threats” are two sides of the same “risk” coin; because the word “and” means that the two exist simultaneously!

It's important to note that risks typically result from an “opportunity”. For example, when presented with an investment “opportunity”, taking action could result in either a profit, a loss, or no change in value. While taking no action would preserve the current assets (no change), avoid loss, and forgo any profits that the investment would have yielded.

The “Standards Related Document SRD-4739, Training Package on NATO Risk Management Guide for Acquisition Programmes” (Edition A, Version 1, July 2015) supports and promotes this two-sided construct concept, explaining it as:

Conceptual – Risk can be seen as a source of variability which is a two-sided construct. The double side nature of variability is captured in the definition of risk that includes both positive and negative consequences. An opportunity is also an uncertain event since it is a possible future event. So both threats and opportunities are covered by this same description of risk as “uncertainty that matters”.

While none of the above ISO documents define “opportunity”, Dictionary.com does:

Opportunity
noun, plural op·por·tu·ni·ties.

1. an appropriate or favorable time or occasion: (e.g., Their meeting afforded an opportunity to exchange views.)
2. a situation or condition favorable for attainment of a goal.
3. a good position, chance, or prospect, as for advancement or success.

Ultimately, ISO 31000:2018 appears to be promoting the concept of layered contingency planning based upon the various unexpected possibilities; both positive and negative (desired and undesired effects).

As we can see, there are differences between ISO Annex SL, ISO 9000:2015, ISO 14001:2015, ISO 31000:2018 & ISO Guide 73:2009 regarding the concept of “risk”; whether it be through the definitions or clarification notes provided.

Terje Aven holds a Master's degree (cand. real) and PhD (dr. philos) in Mathematical Statistics and Risk/Reliability Analysis from the University of Oslo, 1980 and 1984, respectively. Professor of Risk Analysis and Risk Management at the University of Stavanger (UiS) (1992-), Aven is Editor-in-Chief of the “Journal of Risk and Reliability”, and Area Editor of “Risk analysis in Policy”, and he is currently President of the “International Society for Risk Analysis (SRA)”. He was the Chairman of the “European Safety and Reliability Association (ESRA)” in the period 2014-2018 (June). He is also a principal researcher at the “International Research Institute of Stavanger (IRIS)” (1985-).

In his book, "Quantitative Risk Assessment: The Scientific Platform" (2011), Professor Aven expressed criticism in how ISO has chosen to approach “risk”. Acknowledging that risk is related to uncertainty, but questions whether it really is a consequence of uncertainty. Is it rather a consequence of an existing hazard, or a cause or the exposure to the hazard? Risk is related to objectives, but if there are no objectives defined, are there no risks either? The ISO definition can undoubtedly lead to various interpretations. Such a definition is not precise enough, which should be its main purpose, and therefore its purpose can be regarded as questionable.

An excellent discussion on this topic is contained in the The SRA Glossary of Risk-Related Terminology.

In order to truly understand the meaning of “risk”, we must examine the etymology of the word.

Again, referring to Dictionary.com:

WORD ORIGIN FOR RISK

C17: from French risque, from Italian risco, from rischiare to be in peril, from Greek rhiza cliff (from the hazards of sailing along rocky coasts)

And, referring to the Online Etymology Dictionary:

risk (n.)

1660s, risque, from French risque (16c.), from Italian risco, riscio (modern rischio), from riscare “run into danger,” of uncertain origin. The English spelling first recorded 1728. Spanish riesgo and German Risiko are Italian loan-words. With run (v.) from 1660s. Risk aversion is recorded from 1942; risk factor from 1906; risk management from 1963; risk taker from 1892.

As we see, the word “risk” has traditionally been associated with “hazards” or “danger”; and something to be avoided. In fact, the words “risk” and “hazard” are often described as synonyms. However, upon closer examination, there is a slight difference in the meaning of these two words. A hazard is a type of risk.

Again, referring to the Online Etymology Dictionary:

hazard (n.)
c. 1300, name of a game at dice, from Old French hasard, hasart “game of chance played with dice,” also “a throw of six in dice” (12c.), of uncertain origin. Possibly from Spanish azar “an unfortunate card or throw at dice,” which is said to be from Arabic az-zahr (for al-zahr) “the die.” But this is doubtful because of the absence of zahr in classical Arabic dictionaries. Klein suggests Arabic yasara “he played at dice;” Arabic -s- regularly becomes Spanish -z-. The -d was added in French through confusion with the native suffix -ard. Sense evolved in French to “chances in gambling,” then “chances in life.” In English, sense of “chance of loss or harm, risk” first recorded 1540s.

hazard (v.) “put something at stake in a game of chance,” 1520s, from Middle French hasarder “to play at gambling, throw dice” (15c.), from hasard (see hazard (n.)). Related: Hazarded; hazarding.

Do you see the difference? While many risks are unknown, and/or cannot be avoided, a “hazard” is recognized as a known risk that can be avoided (e.g., a “trip hazard”). There are MANY warning signs (specified by various standards organizations) associated with hazards. For example:

We don't see warning signs for unknown risks, or risks that cannot be avoided. We only see warning signage for known risks that can be avoided.

The definition for “risk” provided in ISO/IEC Guide 51:2014, “Safety aspects — Guidelines for their inclusion in standards” (which was reviewed and confirmed in 2019), maintains consistency with the etymology of the word.

ISO/IEC Guide 51:2014
3.9. risk
Combination of the probability of occurrence of harm (3.1) and the severity of that harm.

Note 1 to entry: The probability of occurrence includes the exposure to a hazardous situation (3.4), the occurrence of a hazardous event (3.3) and the possibility to avoid or limit the harm.

The above definition appears in multiple ISO documents, including, but not limited to:

• ISO 11014:2009, “Safety data sheet for chemical products — Content and order of sections”
• ISO 13022:2012, “Medical products containing viable human cells — Application of risk management and requirements for processing practices”
• ISO 13485:2016, “Medical devices — Quality management systems — Requirements for regulatory purposes”
• ISO 14971:2007, “Medical devices — Application of risk management to medical devices”
• ISO 15188:2001, “Project management guidelines for terminology standardization”
• ISO/TS 18683:2015, “Guidelines for systems and installations for supply of LNG as fuel to ships”
• ISO 18113-1:2009, “In vitro diagnostic medical devices — Information supplied by the manufacturer (labeling) — Part 1: Terms, definitions and general requirements”
• ISO 20696:2018, “Sterile urethral catheters for single use”

It is interesting that when “safety” is involved, ISO suddenly changes its position on the definition of “risk”.

Because the "International Conference on Harmonization of Technical Requirements for Registration of Pharmaceuticals for Human Use" (ICH), "ICH Harmonized Tripartite Guideline — Quality Risk Management Q9" (Current Step 4 version dated 9 November 2005), effectively duplicated the definition for “risk” contained in “ISO/IEC Guide 51:2005” (which had no note), it is likely that they will continue to use this definition. The only question is whether an updated ICH Q9 would add the note from the definition contained in “ISO/IEC Guide 51:2014”.

ICH Q9
Risk:
The combination of the probability of occurrence of harm and the severity of that harm (ISO/IEC Guide 51).

ISO 45001:2018, “Occupational health and safety management systems — Requirements with guidance for use” merges the concepts of ISO/IEC Guide 51:2014 with ISO 31000:2018 , Note 3 (adding consideration to likelihood (a synonym for “probability”) and severity). This results in a traditional definition specifically tailored for “occupational health and safety”.

ISO 45001:2018
3.21 occupational health and safety risk (OH&S risk)
combination of the likelihood of occurrence of a work-related hazardous event(s) or exposure(s) and the severity of injury and ill health (3.18) that can be caused by the event(s) or exposure(s)

The definition for “risk” in OHSAS 18001:2007, “Occupational health and safety management systems” is virtually identical to that of ISO 45001:2018 with the omission of the term “work-related”.

OHSAS 18001:2007
3.21 risk
combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of injury or ill health (3.8) that can be caused by the event or exposure(s)

ISO 45001:2018 also has a separate definition for “opportunity”.

ISO 45001:2018
occupational health and safety opportunity (OH&S opportunity)
circumstance or set of circumstances that can lead to improvement of OH&S performance (3.28)

While it used ISO 9001:2008 as its base document, SAE AS9100C included a definition for risk.

SAE AS9100C
3.1 Risk
An undesirable situation or circumstance that has both a likelihood of occurring and a potentially negative consequence.

However, the above definition was deleted from SAE AS9100:2016 (Rev. D) in order to accommodate the definition provided in ISO 9000:2015.

NASA has a relatively extensive definition and explanation of risk.

NASA/SP-2011-3421 (Second Edition, December 2011)
“Probabilistic Risk Assessment Procedures Guide for NASA Managers and Practitioners”
2.1 Definition of Risk
The concept of risk includes both undesirable consequences and likelihoods, e.g., the number of people harmed, and the probability of occurrence of this harm. Sometimes, risk is defined as a set of single values, e.g., the expected values of these consequences. This is a summary measure and not a general definition. Producing probability distributions for the consequences affords a much more detailed description of risk.

A very common definition of risk represents it as a set of triplets [2-1]: scenarios, likelihoods, and consequences. Determining risk generally amounts to answering the following questions:

1. What can go wrong?
2. How likely is it?
3. What are the associated consequences?

The answer to the first question is a set of accident scenarios. The second question requires the evaluation of the probabilities of these scenarios, while the third estimates their consequences. Implicit within each question is that there are uncertainties. The uncertainties pertain to whether all the significant accident scenarios have been identified, and whether the probabilities of the scenarios and associated consequence estimates have properly taken into account the sources of variability and the limitations of the available information.

Scenarios and uncertainties are among the most important components of a risk assessment. Figure 2-1 shows the implementation of these concepts in PRA. In this Figure, uncertainty analysis is shown to be an integral part of each step of the process rather than just a calculation that is performed at the end of the risk quantification.

For internal use:

FM 5-19 (FM 100-14) “Composite Risk Management” (July 2006) - SECTION II – TERMS
Risk
Probability and severity of loss linked to hazards.

Hazard
A condition with the potential to cause injury, illness, or death of personnel; damage to or loss of equipment or property; or mission degradation.

For DoD Contractors:

Department of Defense, “Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs” (January 2017) - Glossary
risk: potential future event or condition that may have a negative effect on achieving program objectives for cost, schedule, and performance. Risks are defined by (1) the probability (greater than 0, less than 1) of an undesired event or condition and (2) the consequences, impact, or severity of the undesired event, were it to occur.

And, by order of the Commander Air Force Materiel Command:

AFMC Pamphlet 63-101, “Risk Management” (9 July 1997)
1.5. – Risk Management Definitions:
1.5.1. Risk. Risk is a measure of the inability to achieve program objectives within defined cost and schedule constraints. Risk has two components:

• The probability (or likelihood) of failing to achieve particular performance, schedule, or cost objectives, and
• The consequence of failing to achieve those objectives.

The “Scope” of AS9100:2016 states: “It is emphasized that the requirements specified in this standard are complementary (not alternative) to customer and applicable statutory and regulatory requirements.”

Therefore, where U.S. Federal Aviation Administration (FAA) regulations apply, the word “risk” is defined in “14 CFR § 5.5 - Definitions” (for general aviation safety) as:

U.S. 14 CFR § 5.5 - Definitions
Risk
Risk means the composite of predicted severity and likelihood of the potential effect of a hazard.

and

Hazard
Hazard means a condition that could foreseeably cause or contribute to an aircraft accident as defined in 49 CFR 830.2.

And in “U.S. 14 CFR § 401.5 - Definitions” (for the U.S. commercial space industry) as:

U.S. 14 CFR § 401.5 - Definitions
Risk
Risk means a measure that accounts for both the probability of occurrence of a hazardous event and the consequence of that event to persons or property.

Where DFARs (Defense Federal Acquisition Regulations) 252-204-7012 "Safeguarding Covered Defense Information and Cyber Incident Reporting" is invoked, section (b), (2), (i) requires the implementation of NIST Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”, which defines “risk” as:

NIST Special Publication (SP) 800-171 (Rev. 2) - Appendix B, GLOSSARY
Risk
[OMB A-130]
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of: (i) the adverse impact, or magnitude of harm, that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

The CNSS (Committee on National Security Systems (CNSS)) Instruction No. 4009, "National Information Assurance (IA) Glossary" (dated 26 April 2010) includes the following definition for “risk”:

CNSS Instruction No. 4009
risk
A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence.

Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.

This definition is also included in "NIST Special Publication 800-30" (Revision 1), "Guide for Conducting Risk Assessments", Appendix B, "Glossary" (dated September 2012).

FIPS PUB 200, "Minimum Security Requirements for Federal Information and Information Systems" contains a similar definition for “risk”.

FIPS PUB 200 - APPENDIX A TERMS AND DEFINITIONS
risk
The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.

API Spec Q1, "Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry" (Ninth Edition, June 2013), published by the American Petroleum Institute (API), also contains a definition very similar to the definition contained in SAE AS9100C.

API Spec Q1
3.1.19 risk
Situation or circumstance that has both a likelihood of occurring and a potentially negative consequence.

API Recommended Practice 580, “Risk-Based Inspection” (Second Edition, November 2009), expanded on the above definition through expressing “risk” as a mathematical equation.

API RP 580
4.1.35 risk
Combination of the probability of an event and its consequence. In some situations, risk is a deviation from the expected. When probability and consequence are expressed numerically, risk is the product.

The equation would be: Risk = “probability of an event” x “consequence of event”

However, the above equation ignores “detection”, a common criterian for a “Falure Mode and Effects Analysis” (FMEA). Adding “detection” would change the equation to: Risk = “probability of an event” x “consequence of event” x “likelihood of detection”. The result of this equation is typically referred to as a “Risk Priority Number”.

NFPA 1600®, "Standard on Continuity, Emergency, and Crisis Management" (2019 Edition), published by the National Fire Protection Association (NFPA), contains a definition for “Risk Assessment”, from which a definition for “risk” can be easily derived as “threats and hazards”.

NFPA 1600^®
3.3.27 Risk Assessment
The process of identifying threats and hazards to life, property, operations, the environment, and entities, and the analysis of probabilities, vulnerabilities, and impacts.

IF the authors of ISO 9001:2015 had truly subscribed to the views expressed in ISO 9000:2015, “Note 1”, then they would simply have used the word “risk” rather than repeatedly stating “risks and opportunities” as two separate concepts throughout the standard (in sections 4.4f, 5.1.2b, 6.1, 9.1.3e, 9.3.2e & 10.2.1e).

Interestingly, ISO 14001:2015, “Environmental management systems — Requirements with guidance for use” also adopted use of the term “risks and opportunities”. However, unlike the approach taken in ISO 9001:2015, ISO 14001:2015 differentiated the two words by defining the term “risks and opportunities” in ISO 14001:2015.

ISO 14001:2015
3.2.11 risks and opportunities
potential adverse effects (threats) and potential beneficial effects (opportunities)

For those who subscribe to the interpretation provided in ISO 9000:2015, sec. 3.7.9, “Note 1”, “risks and opportunities” is an incongruous term BECAUSE “opportunities” are included in “risks”. Therefore, it appears that the authors subscribed to the views expressed in ISO 9000:2015, sec. 3.7.9, “Note 5” AND the definition provided in ISO 14001:2015; that “risks” are “potential adverse effects (threats)” and opportunities are “potential beneficial effects.

Consequently, this has created a conundrum for users over how to properly address “risk”.

The short answer is yes. However, while many organizations continue to use the term “preventive action” to address “negative risks”/threats (e.g., because it was embedded into their corrective action forms, databases, etc.), the term has an extremely limiting/restrive definition.

ISO 9000:2015, sec. 3.12.1
preventive action
action to eliminate the cause of a potential nonconformity (3.6.9) or other potential undesirable situation

Note 1 to entry: There can be more than one cause for a potential nonconformity.
Note 2 to entry: Preventive action is taken to prevent occurrence whereas corrective action (3.12.2) is taken to prevent recurrence.

In reality, many risks (often the majority) cannot be “eliminated”. And are instead “mitigated”.

Even though use of “preventive action” is still permitted to address “negative risks“/threats, many ISO 9001 and AS9100:2016 registrars are encouraging their clients to eliminate use of the term “preventive action” and adopt the term “risks and opportunities” to ensure that both “threats” and “opportunities” are addressed within their QMS.

Unfortunately, this presents challenges because several other standards specifically require “preventive action” to be included in the QMS (due to the same limited understanding of risk as ISO suffers and/or a ”monkey see - monkey do“ approach). These include, but are not limited to:

• ISO 13485:2016, “Medical Devices — Quality management systems — Requirements for regulatory purposes”
• ISO 17020:2012, “Conformity Assessment — Requirements for the operation of various types of bodies performing inspection” (Option A)
• AAR M-1003:2019, Section J, ”Specification for Quality Assurance”
• API Spec Q1, "Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry" (Ninth Edition, June 2013)

Supporting this, there is nothing stated in either the “ISO/TC 176/SC 2 Listing of Approved Interpretations against ISO 9001:2015” or “US TC 176 - TG22 - Interpretations” forbidding or restricting use of the “preventive action” methodology. And ISO 9000:2015 continues to recognize “preventive action” as a legitimate methodology (Ref. ISO 9000:2015, sec. 3.12.1).

The only “record” regarding “risks and opportunities” specified in ISO 9001:2015, is in sec. 9.3, “Management Review”. This includes:

9.3.2 Management review inputs
The management review shall be planned and carried out taking into consideration:
e. the effectiveness of actions taken to address risks and opportunities (see 6.1);
f. opportunities for improvement.

Here again we see where ISO 9001:2015 is consistent with ISO 9000:2015, “Note 5” in considering “risks” as only “threats” by addressing “opportunities” separately (in 9.3.2e). And then specifically requiring the organization to consider “opportunities for improvement” (in 9.3.2f), as if they were somehow excluded from the opportunities identified in 9.3.2e (as defined in ISO 14001:2015 3.2.11)!

Due to the ambiguous/vague nature of the requirement, the “Management Review Meeting Minutes” could include a statement as simple as: “All of the actions taken to address risks and opportunities were determined by management to be effective.”

<note tip> Many ISO 9001:2015 consultants recommend the creation of a SWOT Analysis. While limited in their usefulness, a SWOT Analysis can provide:

• some great talking points relating to “external and internal issues” (ISO 9001:2015, sec. 4.1),
• useful information to help to “determine the risks and opportunities that need to be addressed” (ISO 9001:2015, sec. 6.1.1),
• evidence that management has “considered” 9.3.2b, “changes in external and internal issues that are relevant to the quality management system” (when incorporated into the management review meeting minutes).
  

</note>

Further, ISO 9001:2015, sec. 9.3.3 “Management Review Outputs” states (with an additional requirement added to AS 9100:2016, shown in BOLD below):

9.3.3 Management Review Outputs
The outputs of the management review shall include decisions and actions related to:
a. opportunities for improvement;
b. any need for changes to the quality management system;
c. resource needs;
d. risks identified.

The organization shall retain documented information as evidence of the results of management reviews.

It is critical to note that sec. 9.3.3 is not simply a management review agenda topic. This section specifically requires the inclusion of any “decisions and actions” taken (or initiated) by management. However, it is interesting to note that the “decisions and actions related to opportunities for improvement” is limited in ONLY addressing opportunities related to “improvement”, specifically excluding “decisions and actions related to” other opportunities“.

AS 9100:2016 expanded the requirement through adding 9.3.3d, which requires organizations to also address ”decisions and actions related to risks identified“. Without knowing whether the authors of AS 9100:2016 subscribe to ISO 9000:2015 “Note 1” or “Note 5”, we cannot definitively interpret 9.3.3d as including ”…decisions and actions related to“ ALL of the “opportunities and threats” identified (as per “Note 1”); or as the ”…decisions and actions related to“ ONLY the “threats” identified (as per “Note 5”).

However, the “safest” approach would be to interpret the requirement in alignment with ISO 9000:2015 “Note 1”.

One must wonder why ISO is so obsessed with ignoring the etymology of the word “risk”, and insisting upon redefining the word.

Upon examining the “Bibliography” section of many ISO documents promoting non-traditional definitions of “risk”, we see that they only reference ISO or IEC documents (IEC (International Electrotechnical Commission) is a sister organization of ISO):

• ISO 9000:2015 (only references other ISO & IEC documents)
• ISO 9001:2015 (only references other ISO & IEC documents)
• ISO 14001:2015 (only references other ISO documents)
• ISO 31000:2018 (only references a single IEC document)
• ISO 19011:2018 (only references other ISO & IEC documents)
• ISO Guide 73:2009 (only references other ISO & IEC documents)

It quickly becomes obvious that ISO is firmly entrenched in ”Not Invented Here Syndrome“ (NIHS).

<note>”Not Invented Here Syndrome“ (NIHS) is a term used to describe the situation where a perfectly fine solution (e.g., product, software, standard, technique) is rejected, simply because it was developed by someone else (e.g., a different organization, department, person). It is important to recognize that “true” NIHS is driven by a psychological disorder or other abnormal condition.

Where an organization or business modifies an existing product, software, etc. to avoid infringing on a copyright or patent, to avoid expensive licensing fees or royalties, reduce supply-chain risks, to avoid supporting a competitor or foreign nation (e.g., a dictatorship); then the modification is justified based on a logical reason. However, where an organization or business modifies an existing product, software, etc. based purely on a desire to be “unique” - without any significant differences or improvements, then the change was driven by emotion rather than logic. In other words, being different for the sake of being different. An organization or business driven by NIHS will often claim that their product, software, etc. is “better”… whether it is or not. This feeds and perpetuates the delusional egos of their narcissistic leadership, and can extend throughout the organization.</note>

Unlike the above documents, ISO 13485:2016 also includes references to GHTF (Global Harmonization Task Force), which has been superseded by (International Medical Device Regulators Forum) documents. And ISO 14001:2015 includes references to U.N. ILO (International Labor Organization) documents and the OHSAS Project Group documents (OHSAS 18001 & 18002), which has now been superseded by ISO/TC 283.

<note>The Bibliography section of OHSAS 18001:2007 ONLY listed ISO documents.</note>

As this article shows, ISO has been divided over defining the concept of “risk” for many years. And the definition that ISO appears to be working toward is convoluted to the point of being nonsensical… likely never to be understood (or embraced) by users.

In contrast, API Spec Q1 (Ninth Edition, June 2013) easily and succinctly defined this concept.