articles:a_matter_of_risk [2019/11/17 19:03] – [Conclusion] rrandall
articles:a_matter_of_risk [2020/06/11 13:02] – [ISO/IEC Guide 51:2014] rrandall
Line 1: Line 1:
 ====== A Matter of "Risk" ====== ====== A Matter of "Risk" ======
  
-When it comes to defining the word "//risk//", ISO has several competing definitions; in various "official" ISO documents. And these are in further conflict with non-ISO industry standards As one would expect, these differences have created conflict within ISO and confusion amongst users.+When it comes to defining the word "//risk//", ISO has several competing definitions; in various "official" ISO documents. And these are in further conflict with non-ISO industry standards As one would expect, these differences have created conflict within ISO and confusion amongst users. The problem appears to stem from ISO attempting to create a "one-size fits all" definition for "risk" (initially through ISO/IEC Directives-Part 1, Annex SL), while failing to recognize that there are different "types" of risks.
  
-This article will discuss two of the most "generally" used definitions.+This article will discuss two of the most "commonly" used general definitions.
  
-  - The first definition is that "risk" can be positive, negative, or both(a "non-traditional" interpretation defined in ISO Annex SL (now Appendix 2 of [[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]]:2019), ISO 9000:2015, ISO 14001:2015, ISO 19011:2018, ISO 31000:2018 & ISO Guide 73:2009) +  - The "non-traditional" definition is that "risk" can be positive, negative, or both (e.g., for type of risk involving action-related decisions, such as investment decisions; addressing the consequences of taking some action, as well as __not__ taking that action). This definition appears in Appendix 2 of [[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]]:2019, ISO 9000:2015, ISO 14001:2015, ISO 19011:2018, ISO 31000:2018 & ISO Guide 73:2009) 
-  - The second definition is that "risk" is always "negative"(a traditional interpretation defined in ISO 13485:2016, ISO 45001:2018, ISO/IEC Guide 51:2014, along with popular industry standards (e.g., API Spec Q1 & ICH Q9) and government publications (e.g., CNSS Instruction No. 4009 & NIST SP 800-30)+  - The "traditional" definition is that "risk" is always "negative" (e.g., for type of risk involving specific desired outcomes, such as operational processes, projects or designs). This definition appears in ISO 13485:2016, ISO 45001:2018, ISO/IEC Guide 51:2014, along with popular industry standards (e.g., ICH Q9, API Spec Q1 & SAE AS9100C) and government publications (e.g., CNSS Instruction No. 4009 & NIST SP 800-30)
  
 While ISO promotes (through marketing) that “//the world agrees//” on ISO standards, in reality, committee work is often contentious. Many ISO standards are adopted through compromise (lose-lose), rather than collaboration (win-win). And when it comes to defining the word "risk", there is little agreement. While ISO promotes (through marketing) that “//the world agrees//” on ISO standards, in reality, committee work is often contentious. Many ISO standards are adopted through compromise (lose-lose), rather than collaboration (win-win). And when it comes to defining the word "risk", there is little agreement.
  
 {{ :articles:iso-when_the_world_compromises.png?nolink&800 |}} {{ :articles:iso-when_the_world_compromises.png?nolink&800 |}}
 +
 +
 ===== Non-Traditional Definition of Risk ===== ===== Non-Traditional Definition of Risk =====
  
 ==== ISO/IEC Directives-Part 1. Annex L (originally Annex SL) ==== ==== ISO/IEC Directives-Part 1. Annex L (originally Annex SL) ====
  
-While the origin of the non-traditional definition for risk //may// have been "ISO Guide 73", the "driving force" promoting this definition is [[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]]:2019, Annex L (originally Annex SL), Appendix 2 .+While the origin of the non-traditional definition for risk //may// have been "ISO Guide 73", the "driving force" currently promoting this definition is [[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]]:2019, Annex L (originally Annex SL), Appendix 2 .
  
 Prior to 2012, various standards for management systems were written in different/inconsistent structures. When users would implement two or more of these management system standards (e.g., ISO 9001 for quality management and ISO 14001 for environmental management), this led to challenges in aligning/integrating the same or similar concepts into one cohesive management system structure. Prior to 2012, various standards for management systems were written in different/inconsistent structures. When users would implement two or more of these management system standards (e.g., ISO 9001 for quality management and ISO 14001 for environmental management), this led to challenges in aligning/integrating the same or similar concepts into one cohesive management system structure.
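Review bot: punctuation in the expanded opening paragraph and in both rewritten list items of this hunk. In "non-ISO industry standards As one would expect" a sentence boundary is missing (a period after "standards"), and "one-size fits all" should read "one-size-fits-all". Both list items now end with a stray closing parenthesis ("... & ISO Guide 73:2009)" and "... & NIST SP 800-30)") because the opening parenthesis was dropped when "(a "non-traditional" interpretation defined in" was replaced by "This definition appears in"; either drop the trailing parentheses or reinstate the opening ones.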
Line 23: Line 25:
 [[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]], Annex SL prescribes how ISO Management System Standard (MSS) standards //should// be structured and, much to the ire of some Technical Committee (TC) members, includes some "mandatory" //common// content. The [[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]]:2019 edition was restructured to  (1) rename "Annex SL" to "Annex L" and (2) expand the scope of Annex L to include IEC management system standards (many of whom had been, and remain, resistant to adopting the new structure and/or common content). [[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]], Annex SL prescribes how ISO Management System Standard (MSS) standards //should// be structured and, much to the ire of some Technical Committee (TC) members, includes some "mandatory" //common// content. The [[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]]:2019 edition was restructured to  (1) rename "Annex SL" to "Annex L" and (2) expand the scope of Annex L to include IEC management system standards (many of whom had been, and remain, resistant to adopting the new structure and/or common content).
  
-[[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]]:2019 is divided into two main parts: \\ +[[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]]:2019 is divided into two main parts:  
-Annex L, "Proposals for management system standards" \\ +  Annex L, "Proposals for management system standards" \\ 
-Appendix 2, "High level structure, identical core text, common terms and core definitions" +  Appendix 2, "High level structure, identical core text, common terms and core definitions" 
  
  
Line 83: Line 85:
 In the above example, there is an implied "//hope//" or "//preference//" for the "positive" risk. In the above example, there is an implied "//hope//" or "//preference//" for the "positive" risk.
  
-The 4-minute video below explains "Positive vs. Negative Risks on Projects":+The 4-minute video below //explains// "Positive vs. Negative Risks on Projects":
  
 {{ youtube>pRUF2Uwu62U?large }} {{ youtube>pRUF2Uwu62U?large }}
Line 89: Line 91:
 However, "Note 5" states that the word “risk” is "sometimes" used when there is the //possibility// of only negative consequences (i.e., a "positive" consequence is impossible). In other words, ANY outcome other than the one "expected", will be negative. However, "Note 5" states that the word “risk” is "sometimes" used when there is the //possibility// of only negative consequences (i.e., a "positive" consequence is impossible). In other words, ANY outcome other than the one "expected", will be negative.
  
-<note>ISO 14001:2015, "//Environmental management systems — Requirements with guidance for use//", sec. 3.2.10 contains an identical definition for "risk" EXCEPT that it does not include Note 5 & 6.</note>+<note>ISO 14001:2015, "//Environmental management systems — Requirements with guidance for use//", sec. 3.2.10 contains definition for "risk" identical to ISO 9000:2015 EXCEPT that it does not include Note 5 & 6.</note>
 ==== ISO Guide 73:2009 ==== ==== ISO Guide 73:2009 ====
 Now that we understand how ISO 9000:2015 has defined risk, and since it contains several references to ISO Guide 73, "//Risk management — Vocabulary//" (which was reviewed and confirmed in 2016), let's take a look at they are different from one another. Now that we understand how ISO 9000:2015 has defined risk, and since it contains several references to ISO Guide 73, "//Risk management — Vocabulary//" (which was reviewed and confirmed in 2016), let's take a look at they are different from one another.
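Review bot: the reworded <note> in this hunk is missing an article: "contains definition for "risk" identical to ISO 9000:2015" should read "contains a definition for "risk" identical to that in ISO 9000:2015". The unchanged sentence that follows still lacks a word as well ("let's take a look at they are different" wants "at how they are different"), worth fixing while this section is open.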
Line 124: Line 126:
 Note 3 to entry: Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood.</blockquote> Note 3 to entry: Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood.</blockquote>
  
-While the first sentence of ISO 31000:2018, "Note 1" is exactly the same as ISO 9000:2015, "Note 1", the second sentence begins by maintains consistency with ISO Guide 73:2009 through reinforcing that the outcome "//can be positive, negative or both,...//". The sentence then states that the consequence, outcome, or result "//can address, create or result in opportunities and threats//".  +While the first sentence of ISO 31000:2018, "Note 1" is exactly the same as ISO 9000:2015, "Note 1", the second sentence begins by maintaining consistency with ISO Guide 73:2009 through reinforcing that the outcome "//can be positive, negative or both,...//". The sentence then states that the consequence, outcome, or result "//can address, create or result in opportunities and threats//".  
  
 {{ :articles:two-sides-of-risk-coin-graphic-900x600.png?nolink&400|The two sides of the Risk coin}} {{ :articles:two-sides-of-risk-coin-graphic-900x600.png?nolink&400|The two sides of the Risk coin}}
-At this point, "Note 1" becomes nonsensical because there is no definition or use of the word "address" relating to a consequence, outcome, or result. So for the moment, let's ignore the use of that words and focus on how ISO 31000:2018, "Note 1" states that a "risk" can "//create or result in opportunities and threats//"+At this point, "Note 1" becomes nonsensical because there is no definition or use of the word "address" relating to a consequence, outcome, or result. So for the moment, let's ignore the use of that word and focus on how ISO 31000:2018, "Note 1" states that a "risk" can "//create or result in opportunities __and__ threats//"
  
-In effect, ISO 31000:2018 is stating that “opportunities and threats” are two sides of the same “risk” coin.+In effect, ISO 31000:2018 is stating that “opportunities __and__ threats” are two sides of the same “risk” coin; because the word "and" means that the two exist simultaneously!
  
-It's important to note that risks typically result from an "opportunity". For example, when presented with an investment "opportunity", taking action could result in either a profit, a loss, or no change in value. While taking no action would preserve the current assets (no change), avoid loss, and forgo any profits that the investment would have yielded. This happens every day in the stock market.+It's important to note that risks typically result from an "opportunity". For example, when presented with an investment "opportunity", taking action could result in either a profit, a loss, or no change in value. While taking no action would preserve the current assets (no change), avoid loss, and forgo any profits that the investment would have yielded. 
 + 
 +The "[[https://nso.nato.int/nso/zPublic/srd/PROM/SRD-4739%20EDA%20V1%20E.pdf|Standards Related Document SRD-4739, Training Package on NATO Risk Management Guide for Acquisition Programmes]]" (Edition A, Version 1, July 2015) supports and promotes this two-sided construct concept, explaining it as: 
 + 
 +<blockquote> 
 +Conceptual – Risk can be seen as a source of variability which is a two-sided construct. The double side nature of variability is captured in the definition of risk that includes both positive and negative consequences. An opportunity is also an uncertain event since it is a possible future event. So both threats and opportunities are covered by this same description of risk as “uncertainty that matters”.</blockquote>
  
 While none of the above ISO documents define "opportunity", [[https://www.dictionary.com/browse/opportunity|Dictionary.com]] does: While none of the above ISO documents define "opportunity", [[https://www.dictionary.com/browse/opportunity|Dictionary.com]] does:
Line 150: Line 157:
 [[https://www.uis.no/getfile.php/13453650/SEROS/cv-aven-August%2021%20-%202018.pdf|Terje Aven]] holds a Master's degree (cand. real) and PhD (dr. philos) in Mathematical Statistics and Risk/Reliability Analysis from the University of Oslo, 1980 and 1984, respectively. Professor of Risk Analysis and Risk Management at the [[https://www.uis.no/?lang=en_GB#Studies|University of Stavanger (UiS)]] (1992-), Aven is Editor-in-Chief of the "Journal of Risk and Reliability", and Area Editor of "Risk analysis in Policy", and he is currently President of the "International Society for Risk Analysis (SRA)". He was the Chairman of the "European Safety and Reliability Association (ESRA)" in the period 2014-2018 (June). He is also a principal researcher at the "International Research Institute of Stavanger (IRIS)" (1985-). [[https://www.uis.no/getfile.php/13453650/SEROS/cv-aven-August%2021%20-%202018.pdf|Terje Aven]] holds a Master's degree (cand. real) and PhD (dr. philos) in Mathematical Statistics and Risk/Reliability Analysis from the University of Oslo, 1980 and 1984, respectively. Professor of Risk Analysis and Risk Management at the [[https://www.uis.no/?lang=en_GB#Studies|University of Stavanger (UiS)]] (1992-), Aven is Editor-in-Chief of the "Journal of Risk and Reliability", and Area Editor of "Risk analysis in Policy", and he is currently President of the "International Society for Risk Analysis (SRA)". He was the Chairman of the "European Safety and Reliability Association (ESRA)" in the period 2014-2018 (June). He is also a principal researcher at the "International Research Institute of Stavanger (IRIS)" (1985-).
  
-In his book, [[https://www.amazon.com/Quantitative-Risk-Assessment-Scientific-Platform/dp/0521760577|"Quantitative Risk Assessment: The Scientific Platform"]] (2011), Professor Aven expressed criticism in how ISO has chosen to approach "risk". Acknowledging that risk is related to uncertainty, but questions whether it really is a consequence of uncertainty. Is it rather a consequence of an existing hazard, or a cause or the exposure to the hazard? Risk is related to objectives, but if there are no objectives defined, are there no risks either? ThE ISO definition can undoubtedly lead to various interpretations. Such a definition is not precise enough, which should be its main purpose, and therefore its purpose can be regarded as questionable.+In his book, [[https://www.amazon.com/Quantitative-Risk-Assessment-Scientific-Platform/dp/0521760577|"Quantitative Risk Assessment: The Scientific Platform"]] (2011), Professor Aven expressed criticism in how ISO has chosen to approach "risk". Acknowledging that risk is related to uncertainty, but questions whether it really is a consequence of uncertainty. Is it rather a consequence of an existing hazard, or a cause or the exposure to the hazard? Risk is related to objectives, but if there are no objectives defined, are there no risks either? The ISO definition can undoubtedly lead to various interpretations. Such a definition is not precise enough, which should be its main purpose, and therefore its purpose can be regarded as questionable.
  
 An excellent discussion on this topic is contained in the [[https://www.sra.org/sites/default/files/pdf/SRA%20Glossary%20-%20FINAL.pdf|The SRA Glossary of Risk-Related Terminology]]. An excellent discussion on this topic is contained in the [[https://www.sra.org/sites/default/files/pdf/SRA%20Glossary%20-%20FINAL.pdf|The SRA Glossary of Risk-Related Terminology]].
-===== Traditional Definition of Risk =====+===== Traditional (Correct) Definition of Risk =====
  
 In order to truly understand the meaning of "risk", we must examine the etymology of the word. In order to truly understand the meaning of "risk", we must examine the etymology of the word.
Line 168: Line 175:
 <blockquote>risk (n.) \\ <blockquote>risk (n.) \\
  
-1660s, risque, from French risque (16c.), from Italian risco, riscio (modern rischio), from riscare "run into danger," of uncertain origin. The Englished spelling first recorded 1728. Spanish riesgo and German Risiko are Italian loan-words. With run (v.) from 1660s. Risk aversion is recorded from 1942; risk factor from 1906; risk management from 1963; risk taker from 1892.+1660s, risque, from French risque (16c.), from Italian risco, riscio (modern rischio), from riscare "run into danger," of uncertain origin. The English spelling first recorded 1728. Spanish riesgo and German Risiko are Italian loan-words. With run (v.) from 1660s. Risk aversion is recorded from 1942; risk factor from 1906; risk management from 1963; risk taker from 1892.
 </blockquote> </blockquote>
  
-As we see, the word "risk" has always been associated with "hazards" or "danger"; and something to be avoided.+As we see, the word "risk" has traditionally been associated with "hazards" or "danger"; and something to be avoided. In fact, the words "risk" and "hazard" are often described as synonyms. However, upon closer examination, there is a slight difference in the meaning of these two words. A hazard is a type of risk.
  
 +==== Hazards ====
 +Again, referring to the [[https://www.etymonline.com/word/hazard|Online Etymology Dictionary]]:
  
-==== ISO 13485:2016 & ISO 14971:2007 ==== +<blockquote> hazard (n.) \\ 
-Both ISO 13485:2016, "//Medical devices — Quality management systems — Requirements for regulatory purposes//" and ISO 14971:2007, +c. 1300name of a game at dice, from Old French hasard, hasart "game of chance played with dice," also "a throw of six in dice" (12c.), of uncertain origin. Possibly from Spanish azar "an unfortunate card or throw at dice," which is said to be from Arabic az-zahr (for al-zahr) "the die." But this is doubtful because of the absence of zahr in classical Arabic dictionaries. Klein suggests Arabic yasara "he played at dice;Arabic -s- regularly becomes Spanish -z-. The -d was added in French through confusion with the native suffix -ard. Sense evolved in French to "chances in gambling," then "chances in life." In English, sense of "chance of loss or harm, risk" first recorded 1540s\\ 
-"//Medical devices — Application of risk management to medical devices//maintain a definition of "riskconsistent with the etymology of the word.+\\ 
 +hazard (v.) 
 +"put something at stake in a game of chance," 1520s, from Middle French hasarder "to play at gambling, throw dice" (15c.), from hasard (see hazard (n.)). Related: Hazarded; hazarding.</blockquote>
  
-<blockquote> +Do you see the difference? While many risks are unknown, and/or cannot be avoided, a "hazard" is recognized as a __known risk__ that __can be avoided__ (e.g., a "trip hazard"). There are MANY warning signs (specified by various standards organizations) associated with hazards. For example
-**ISO 13485:2016** \\ + 
-3.17 risk +{{ :articles:freevector-warning-symbols-vector_transparency.png?direct&600 |Original Source: https://www.freevector.com/warning-symbols-vector}} 
-combination of the probability of occurrence of harm and the severity of that harm+ 
 +We don't see warning signs for unknown risks, or risks that cannot be avoided. We only see warning signage for __known__ risks that can be avoided.
  
-Note 1 to entry: This definition of “risk” differs from the definition given in ISO 9000:2015 
  
-[SOURCE: ISO 14971:2007, 2.16]</blockquote> 
  
  
 ==== ISO/IEC Guide 51:2014 ==== ==== ISO/IEC Guide 51:2014 ====
  
-The definition for "risk" provided in ISO/IEC Guide 51:2014, "Safety aspects — Guidelines for their inclusion in standards" (which was reviewed and confirmed in 2019), is identical to that provided by ISO 13485:2016 & ISO 14971:2007, with a different "Note 1".+The definition for "risk" provided in ISO/IEC Guide 51:2014, "Safety aspects — Guidelines for their inclusion in standards" (which was reviewed and confirmed in 2019), maintains consistency with the etymology of the word.
  
 <blockquote>**ISO/IEC Guide 51:2014** \\ <blockquote>**ISO/IEC Guide 51:2014** \\
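Review bot: the hazard etymology quotation added in this hunk carries copy damage that should be repaired before publishing: "c. 1300name of a game at dice" lost its separator (c. 1300, name of a game at dice), the quoted phrase "he played at dice;Arabic -s-" is missing its closing quotation mark and the space before "Arabic", and "first recorded 1540s\\" ends without a period. In the paragraph that follows the quotation, "For example" introduces the warning-sign image and should end with a colon rather than no punctuation.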
Line 198: Line 208:
 Note 1 to entry: The probability of occurrence includes the exposure to a //hazardous situation// (3.4), the occurrence of a //hazardous event// (3.3) and the possibility to avoid or limit the harm.</blockquote> Note 1 to entry: The probability of occurrence includes the exposure to a //hazardous situation// (3.4), the occurrence of a //hazardous event// (3.3) and the possibility to avoid or limit the harm.</blockquote>
  
 +The above definition appears in multiple ISO documents, including, but not limited to:
 +  * ISO 11014:2009, "//Safety data sheet for chemical products — Content and order of sections//"
 +  * ISO 13022:2012, "//Medical products containing viable human cells — Application of risk management and requirements for processing practices//"
 +  * ISO 13485:2016, "//Medical devices — Quality management systems — Requirements for regulatory purposes//"
 +  * ISO 14971:2007, "//Medical devices — Application of risk management to medical devices//"
 +  * ISO 15188:2001, "//Project management guidelines for terminology standardization//"
 +  * ISO/TS 18683:2015, "//Guidelines for systems and installations for supply of LNG as fuel to ships//"
 +  * ISO 18113-1:2009, "//In vitro diagnostic medical devices — Information supplied by the manufacturer (labeling) — Part 1: Terms, definitions and general requirements//"
 +  * ISO 20696:2018, "//Sterile urethral catheters for single use//"
 +
 +It is interesting that "safety" is involved, that ISO suddenly changes its position on the definition of "risk".
  
 ==== ICH Q9 ==== ==== ICH Q9 ====
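Review bot: the sentence added after the new list in this hunk is missing a word: "It is interesting that "safety" is involved, that ISO suddenly changes its position" should read "It is interesting that when "safety" is involved, ISO suddenly changes its position on the definition of "risk"." Also, the deleted ISO 13485:2016 section and the old wording of the Guide 51 paragraph recorded that the ISO 13485/14971 definition is identical to Guide 51 only "with a different "Note 1"" (ISO 14971 Note 1 explicitly says its definition differs from ISO 9000:2015); the new list lead-in "The above definition appears in multiple ISO documents" drops that qualification and should say the definitions match apart from their notes.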
Line 208: Line 229:
 ==== ISO 45001:2018 ==== ==== ISO 45001:2018 ====
  
-ISO 45001:2018, "Occupational health and safety management systems — Requirements with guidance for use" takes an interesting, if not confusing approach toward "risk". First, ISO 45001:2018, sec. 3.20 defines "riskthe same as ISO 9000:2015, although with slightly modified notesThen it shifts to a traditional definition when specifically applied to "occupational health and safety".+ISO 45001:2018, "Occupational health and safety management systems — Requirements with guidance for use" merges the concepts of ISO/IEC Guide 51:2014 with ISO 31000:2018 , Note (adding consideration to likelihood (a synonym for "probability") and severity)This results in a traditional definition specifically tailored for "occupational health and safety".
  
 <blockquote>**ISO 45001:2018** \\ <blockquote>**ISO 45001:2018** \\
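Review bot: the rewritten paragraph in this hunk cites "ISO 31000:2018 , Note (adding consideration to likelihood ...)" with a stray space before the comma and no note number; give the note number (the ISO 31000:2018 notes are quoted earlier on the page) or drop the word "Note". It also says ISO 45001:2018 "merges" the two definitions into a single traditional one, whereas the removed text stated that sec. 3.20 defines "risk" the same as ISO 9000:2015 and only the OH&S risk entry is traditional; if sec. 3.20 still carries the Annex SL definition, the new wording should keep that fact rather than imply one merged definition.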
Line 214: Line 235:
 combination of the likelihood of occurrence of a work-related hazardous event(s) or exposure(s) and the severity of injury and ill health (3.18) that can be caused by the event(s) or exposure(s)</blockquote> combination of the likelihood of occurrence of a work-related hazardous event(s) or exposure(s) and the severity of injury and ill health (3.18) that can be caused by the event(s) or exposure(s)</blockquote>
  
-Keeping the Annex SL definition for "risk" while also keeping their own definition for "occupational health and safety risk (OH&S risk)" was obviously a compromise to satisfy ISO. Also, the above definition for "occupational health and safety risk (OH&S risk)" is very similar to the definition for "risk" found in one of the source documents referenced, OHSAS 18001:2007, "//Occupational health and safety management systems//".+The definition for "risk" in OHSAS 18001:2007, "//Occupational health and safety management systems//" is virtually identical to that of ISO 45001:2018 with the omission of the term "//work-related//".
  
 <blockquote>**OHSAS 18001:2007** \\ <blockquote>**OHSAS 18001:2007** \\
Line 225: Line 246:
 occupational health and safety opportunity (OH&S opportunity) \\ occupational health and safety opportunity (OH&S opportunity) \\
 circumstance or set of circumstances that can lead to improvement of OH&S performance (3.28)</blockquote> circumstance or set of circumstances that can lead to improvement of OH&S performance (3.28)</blockquote>
 +==== SAE AS9100:2009 (Rev. C) & AS9100:2016 (Rev. D) ====
 +While it used ISO 9001:2008 as its base document, SAE AS9100C included a definition for risk.
  
 +<blockquote>**SAE AS9100C** \\
 +3.1 Risk \\
 +An undesirable situation or circumstance that has both a likelihood of occurring and a potentially negative consequence.</blockquote>
  
 +However, the above definition was deleted from SAE AS9100:2016 (Rev. D) in order to accommodate the definition provided in ISO 9000:2015. BUT, the "Scope" of AS9100:2016 states: "//It is emphasized that the requirements specified in this standard are complementary (not alternative) to customer and __applicable__ statutory and __regulatory requirements__.//" 
 +
 +Therefore, where U.S. Federal Aviation Administration (FAA) regulations apply, the word "risk" is defined in "[[https://www.law.cornell.edu/cfr/text/14/5.5|14 CFR § 5.5 - Definitions]]" (for general aviation safety) as:
 +
 +<blockquote>**U.S. 14 CFR § 5.5 - Definitions** \\
 +//Risk// \\
 +Risk means the composite of predicted severity and likelihood of the potential effect of a hazard.\\
 +
 +and
 +
 +//Hazard// \\
 +Hazard means a condition that could foreseeably cause or contribute to an aircraft accident as defined in [[https://www.law.cornell.edu/cfr/text/49/830.2|49 CFR 830.2]].
 +</blockquote>
 +
 +And in "[[https://www.law.cornell.edu/cfr/text/14/401.5|U.S. 14 CFR § 401.5 - Definitions]]" (for the U.S. commercial space industry) as:
 +
 +<blockquote>**U.S. 14 CFR § 401.5 - Definitions** \\
 +//Risk// \\
 +Risk means a measure that accounts for both the probability of occurrence of a hazardous event and the consequence of that event to persons or property.</blockquote>
 ==== API Spec Q1 ==== ==== API Spec Q1 ====
-While not an ISO document, [[https://www.monogramwebstore.org/publications/item.cgi?7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1, "Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry" (Ninth Edition, June 2013)]], published by the [[https://www.api.org|American Petroleum Institute (API)]], also contains a traditional definition for "risk" that is far superior to any definition offered by ISO+While not an ISO document, [[https://www.monogramwebstore.org/publications/item.cgi?7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1, "Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry" (Ninth Edition, June 2013)]], published by the [[https://www.api.org|American Petroleum Institute (API)]], also contains a definition very similar to the definition contained in SAE AS9100C
  
 <blockquote>**API Spec Q1** \\ <blockquote>**API Spec Q1** \\
Line 241: Line 286:
  
 The equation would be: Risk = "probability of an event" x "consequence of event" The equation would be: Risk = "probability of an event" x "consequence of event"
 +
 +However, the above equation ignores "detection", a common criterian for a "Falure Mode and Effects Analysis" (FMEA). Adding "detection" would change the equation to: Risk = "probability of an event" x "consequence of event" x "likelihood of detection". The result of this equation is typically referred to as a "Risk Priority Number".
 +
 +==== NFPA 1600® ====
 +While also not an ISO document, [[https://www.nfpa.org/codes-and-standards/all-codes-and-standards/list-of-codes-and-standards/detail?code=1600|NFPA 1600®, "Standard on Continuity, Emergency, and Crisis Management" (2019 Edition)]], published by the [[https://www.nfpa.org|National Fire Protection Association (NFPA)]], contains a definition for "//Risk Assessment//", from which a definition for "risk" can be easily derived as "//threats and hazards//".
 +
 +<blockquote>**NFPA 1600<sup>®</sup> ** \\
 +3.3.27 Risk Assessment \\
 +The process of identifying threats and hazards to life, property, operations, the environment, and entities, and the analysis of probabilities, vulnerabilities, and impacts.</blockquote>
 ==== CNSS Instruction No. 4009 ==== ==== CNSS Instruction No. 4009 ====
 The [[https://www.cdse.edu/documents/toolkits-issm/cnssi4009.pdf|CNSS (Committee on National Security Systems (CNSS)) Instruction No. 4009, "National Information Assurance (IA) Glossary" (dated 26 April 2010)]] includes the following definition for "risk": The [[https://www.cdse.edu/documents/toolkits-issm/cnssi4009.pdf|CNSS (Committee on National Security Systems (CNSS)) Instruction No. 4009, "National Information Assurance (IA) Glossary" (dated 26 April 2010)]] includes the following definition for "risk":
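Review bot: typos in the FMEA paragraph added in this hunk: "criterian" should be "criterion" and "Falure Mode" should be "Failure Mode". More substantively, the third factor is written as "likelihood of detection", which inverts the usual FMEA convention: the detection term in a Risk Priority Number is a rating that increases as the failure becomes harder to detect, so a failure that is easy to catch should lower the RPN, not raise it. Suggest "detection rating (higher when the failure is less likely to be detected)" or "likelihood of non-detection" so the equation reads correctly.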
Line 253: Line 307:
 ===== The ISO 9001:2015 Conundrum ===== ===== The ISO 9001:2015 Conundrum =====
  
-If the authors of ISO 9001:2015 had subscribed to the views expressed in ISO 9000:2015, "Note 1", then they would simply have used the word "risk" rather than repeatedly stating “//risks and opportunities//” as two separate concepts throughout the standard (in sections 4.4f, 5.1.2b, 6.1, 9.1.3e, 9.3.2e & 10.2.1e). +IF the authors of ISO 9001:2015 had subscribed to the views expressed in ISO 9000:2015, "Note 1", then they would simply have used the word "risk" rather than repeatedly stating “//risks and opportunities//” as two separate concepts throughout the standard (in sections 4.4f, 5.1.2b, 6.1, 9.1.3e, 9.3.2e & 10.2.1e).  
 +{{ :articles:confused_thoughts.png?nolink&300|}}
  
-Interestingly, ISO 14001:2015, "//Environmental management systems — Requirements with guidance for use//" also adopted this approachAnd while not defined in ISO 9000:2015 or ISO 9001:2015the term "risks and opportunities" is defined in ISO 14001:2015.+Interestingly, ISO 14001:2015, "//Environmental management systems — Requirements with guidance for use//" also adopted use of the term "risks and opportunities"However, unlike the approach taken in ISO 9001:2015ISO 14001:2015 differentiated the two words by defining the term "risks and opportunities" in ISO 14001:2015.
  
 <blockquote>**ISO 14001:2015** \\ <blockquote>**ISO 14001:2015** \\
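Review bot: the rewritten sentence in this hunk repeats the standard's number three times and closes redundantly: "ISO 14001:2015 differentiated the two words by defining the term "risks and opportunities" in ISO 14001:2015" can simply end at "defining the term "risks and opportunities"". "Differentiated the two words" would also read better as "differentiated the two concepts", since "risks and opportunities" is the term being defined.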
Line 262: Line 317:
 </blockquote> </blockquote>
  
-{{ :articles:confused_thoughts.png?nolink&400|}} +For those who subscribe to the interpretation provided in ISO 9000:2015, sec. 3.7.9, "Note 1", “risks and opportunities” is an incongruous term BECAUSE "opportunities" are included in "risks". Therefore, it appears that the authors subscribed to the views expressed in ISO 9000:2015, sec. 3.7.9, "Note 5" AND the definition provided in ISO 14001:2015; that "risks" are "potential adverse effects (threats)" and opportunities are "potential beneficial effects.
-For those who subscribe to the interpretation provided in "Note 1", “risks and opportunities” is an incongruous term BECAUSE "opportunities" are included in "risks". Therefore, it appears that the authors subscribed to the views expressed in ISO 9000:2015, "Note 5" AND the definition provided in ISO 14001:2015; that "risks" are "potential adverse effects (threats)" and opportunities are "potential beneficial effects).+
  
 Consequently, this has created a conundrum for users over how to properly address "risk". Consequently, this has created a conundrum for users over how to properly address "risk".
  
 +<note tip>To use an analogy, the online dictionary "[[https://www.wordnik.com/|Wordnik]]" includes two definitions for the word  [[https://www.wordnik.com/words/day|"day"]]: \\
 +n. The period of light between dawn and nightfall; the interval from sunrise to sunset. \\
 +n. The 24-hour period during which the earth completes one rotation on its axis, traditionally measured from midnight to midnight.  \\
 + \\
 +Using this analogy, ISO //defines// "risk" as being both "negative" and "positive" in much the same way as a "day" can be interpreted as including both "light" and "darkness". However, the term "risks and opportunities" are used repeatedly in standards such as ISO 9001 & ISO 17025 in much the same way that one might casually refer to "day" and "night" as both occurring during a 24-hour "day".</note>
 ==== Is the use of "Preventive Action" still valid? ==== ==== Is the use of "Preventive Action" still valid? ====
  
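Review bot: The revised sentence near the top of this hunk still closes with an unbalanced quotation: `opportunities are "potential beneficial effects.` opens a quotation that is never closed (the earlier version closed it with a stray `)` instead), so it should end `"potential beneficial effects".` In the added tip box, `the term "risks and opportunities" are used` should be `is used`, since the subject is the singular "term", and there is a doubled space before the `[[https://www.wordnik.com/words/day|"day"]]` link.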
Line 273: Line 332:
 Even though use of “preventive action” is still permitted to address “negative risks"/threats, many ISO 9001 and AS9100:2016 registrars are //encouraging// their clients to eliminate use of the term “preventive action” and adopt the term “risks and opportunities” to ensure that both “threats” and “opportunities” are addressed within their QMS. Even though use of “preventive action” is still permitted to address “negative risks"/threats, many ISO 9001 and AS9100:2016 registrars are //encouraging// their clients to eliminate use of the term “preventive action” and adopt the term “risks and opportunities” to ensure that both “threats” and “opportunities” are addressed within their QMS.
  
-However, this presents challenges because other industry standards, such as ISO 13485:2016, “//Medical Devices — Quality management systems — Requirements for regulatory purposes//ISO 17020:2012, “//Conformity Assessment — Requirements for the operation of various types of bodies performing inspection//” (Option A) and AAR M-1003:2019, Section J, "//Specification for Quality Assurance//, and [[https://www.monogramwebstore.org/publications/item.cgi?7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1, "Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry" (Ninth Edition, June 2013)]], all specifically require “preventive action” to be included in the QMS.+However, this presents challenges because several other standards specifically require “preventive action” to be included in the QMS. These includebut are not limited to: 
 +  * ISO 13485:2016, “//Medical Devices — Quality management systems — Requirements for regulatory purposes// 
 +  * ISO 17020:2012, “//Conformity Assessment — Requirements for the operation of various types of bodies performing inspection//” (Option A) 
 +  * AAR M-1003:2019, Section J, "//Specification for Quality Assurance// 
 +  * [[https://www.monogramwebstore.org/publications/item.cgi?7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1, "Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry" (Ninth Edition, June 2013)]]
  
 Supporting this, there is nothing stated in either the "[[https://committee.iso.org/files/live/sites/tc176sc2/files/documents/Interpretations/ISO9001_2015_Approved_Interpretations.doc|ISO/TC 176/SC 2 Listing of Approved Interpretations against ISO 9001:2015]]" or "[[https://asq.org/quality-resources/iso-9001/us-tc176|US TC 176 - TG22 - Interpretations]]" forbidding or restricting use of the "preventive action" methodology. And ISO 9000:2015 continues to recognize "preventive action" as a legitimate methodology (Ref. ISO 9000:2015, sec. 3.12.1). Supporting this, there is nothing stated in either the "[[https://committee.iso.org/files/live/sites/tc176sc2/files/documents/Interpretations/ISO9001_2015_Approved_Interpretations.doc|ISO/TC 176/SC 2 Listing of Approved Interpretations against ISO 9001:2015]]" or "[[https://asq.org/quality-resources/iso-9001/us-tc176|US TC 176 - TG22 - Interpretations]]" forbidding or restricting use of the "preventive action" methodology. And ISO 9000:2015 continues to recognize "preventive action" as a legitimate methodology (Ref. ISO 9000:2015, sec. 3.12.1).
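Review bot: Quotation marks are inconsistent across the new list items: the ISO 13485:2016 and ISO 17020:2012 titles use curly quotes (`“//…//”`) while the AAR M-1003:2019 title uses straight quotes (`"//…//"`); pick one style for all four entries. The unchanged first sentence of this hunk has the same mix in `“negative risks"`, which could be fixed in the same pass.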