Differences

articles:a_matter_of_risk [2020/05/22 11:37] – [SAE AS9100:2009 (Rev. C) & AS9100:2016 (Rev. D)] rrandall
articles:a_matter_of_risk [2023/01/31 13:48] (current) – [The ISO 9001:2015 Conundrum] rrandall
Line 1: Line 1:
 ====== A Matter of "Risk" ====== ====== A Matter of "Risk" ======
  
-When it comes to defining the word "//risk//", ISO has several competing definitions; in various "official" ISO documents. And these are in further conflict with non-ISO industry standards As one would expect, these differences have created conflict within ISO and confusion amongst users. The problem appears to stem from ISO attempting to create a "one-size fits all" definition for "risk" (initially through ISO/IEC Directives-Part 1, Annex SL), while failing to recognize that there are different "typesof risks.+When it comes to defining the word "//risk//", ISO has several competing definitions; in various "official" ISO documents. And these are in further conflict with non-ISO industry standardsAs one would expect, these differences have created conflict within ISO and confusion amongst users. The problem appears to stem from ISO attempting to create a "one-size fits all" definition for "risk" (through ISO/IEC Directives-Part 1, Annex SL), in recognition of various industries having different views on what "riskis.
  
 This article will discuss two of the most "commonly" used general definitions. This article will discuss two of the most "commonly" used general definitions.
  
-  - The "non-traditional" definition is that "risk" can be positive, negative, or both (e.g., for a type of risk involving action-related decisions, such as investment decisions; addressing the consequences of taking some action, as well as __not__ taking that action). This definition appears in Appendix 2 of [[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]]:2019, ISO 9000:2015, ISO 14001:2015, ISO 19011:2018, ISO 31000:2018 & ISO Guide 73:2009)+  - The "non-traditional" definition is that "risk" can be positive, negative, or both (e.g., for a type of risk involving action-related decisions, such as investment decisions; addressing the consequences of taking some action, as well as __not__ taking that action). This definition appears in [[https://isotc.iso.org/livelink/livelink/fetch/-8921878/8921901/16347356/16347818/2022-05_Annex_SL_Appendix_2.pdf?nodeid=21826538&vernum=-2a|ISO/IEC Directives-Part 1, Annex SL, Appendix 2]]:2022, ISO 9000:2015, ISO 14001:2015, ISO 19011:2018, ISO 31000:2018 & ISO Guide 73:2009)
   - The "traditional" definition is that "risk" is always "negative" (e.g., for a type of risk involving specific desired outcomes, such as operational processes, projects or designs). This definition appears in ISO 13485:2016, ISO 45001:2018, ISO/IEC Guide 51:2014, along with popular industry standards (e.g., ICH Q9, API Spec Q1 & SAE AS9100C) and government publications (e.g., CNSS Instruction No. 4009 & NIST SP 800-30)   - The "traditional" definition is that "risk" is always "negative" (e.g., for a type of risk involving specific desired outcomes, such as operational processes, projects or designs). This definition appears in ISO 13485:2016, ISO 45001:2018, ISO/IEC Guide 51:2014, along with popular industry standards (e.g., ICH Q9, API Spec Q1 & SAE AS9100C) and government publications (e.g., CNSS Instruction No. 4009 & NIST SP 800-30)
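Review bot: the rewritten last sentence of the opening paragraph now reads as self-contradictory. A "one-size fits all" definition adopted "in recognition of various industries having different views on what 'risk' is" is the opposite of what the rest of the article argues (that the single definition ignores those differences); the previous wording ("while failing to recognize that there are different types of risks") stated the thesis, so either restore it or rephrase to "despite various industries having different views". Two typos survive the edit: "industry standardsAs" needs the period and space ("industry standards. As"), and the first list item ends with an unmatched closing parenthesis after "ISO Guide 73:2009".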
  
Line 13: Line 13:
  
  
-===== Non-Traditional Definition of Risk =====+===== Non-Traditional (ISO) Definition of Risk =====
  
-==== ISO/IEC Directives-Part 1. Annex (originally Annex SL) ====+==== ISO/IEC Directives-Part 1. Annex SL (later changed to Annex L... and then back to Annex SL) ====
  
-While the origin of the non-traditional definition for risk //may// have been "ISO Guide 73", the "driving force" currently promoting this definition is [[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]]:2019Annex L (originally Annex SL), Appendix 2 .+While the origin of the non-traditional definition for risk //may// have been "ISO Guide 73", the "driving force" promoting this definition in ISO 9001:2015 was [[https://isotc.iso.org/livelink/livelink/fetch/-8921878/8921901/16347356/16347818/2022-05_Annex_SL_Appendix_2.pdf?nodeid=21826538&vernum=-2a|ISO/IEC Directives-Part 1, Annex SL, Appendix 2]].
  
 Prior to 2012, various standards for management systems were written in different/inconsistent structures. When users would implement two or more of these management system standards (e.g., ISO 9001 for quality management and ISO 14001 for environmental management), this led to challenges in aligning/integrating the same or similar concepts into one cohesive management system structure. Prior to 2012, various standards for management systems were written in different/inconsistent structures. When users would implement two or more of these management system standards (e.g., ISO 9001 for quality management and ISO 14001 for environmental management), this led to challenges in aligning/integrating the same or similar concepts into one cohesive management system structure.
  
-According to ISO JTCG N359, "//JTCG Frequently Asked Questions in support of Annex SL//" (dated 2013-12-03), in response to the “//Report of the ISO TMB Ad Hoc Group on Management Systems Standards//” (dated 10 February2006), the "Technical Management Board (TMB)" formed the "//Joint Technical Co-ordination Group on Management System Standards//" (TAG13-JTCG, or JTCG) to develop the future vision and guidelines for "//aligning//" future editions of its current management system standards (MSS), and for any new MSS. While the original scope of the JTCG was to standardize the "structure" of ISO MSSs, the JTCG requested permission to include "some" common content. This scope expansion was approved by the TMB, which led to the JTCG introducing Annex SL for inclusion to the 2012 edition of the [[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]].+According to ISO JTCG N359, "//JTCG Frequently Asked Questions in support of Annex SL//" (dated 2013-12-03), in response to the “//Report of the ISO TMB Ad Hoc Group on Management Systems Standards//” (dated 10 February 2006), the "Technical Management Board (TMB)" formed the "//Joint Technical Co-ordination Group on Management System Standards//" (TAG13-JTCG, or JTCG) to develop the future vision and guidelines for "//aligning//" future editions of its current management system standards (MSS), and for any new MSS. While the original scope of the JTCG was to standardize the "structure" of ISO MSSs, the JTCG requested permission to include "some" common content. This scope expansion was approved by the TMB, which led to the JTCG introducing Annex SL for inclusion in the 2012 edition of the ISO/IEC Directives-Part 1.
  
-[[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]], Annex SL prescribes how ISO Management System Standard (MSS) standards //should// be structured and, much to the ire of some Technical Committee (TC) members, includes some "mandatory" //common// content. The [[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]]:2019 edition was restructured to  (1) rename "Annex SL" to "Annex L" and (2) expand the scope of Annex L to include IEC management system standards (many of whom had been, and remain, resistant to adopting the new structure and/or common content).+[[https://isotc.iso.org/livelink/livelink/fetch/-8921878/8921901/16347356/16347818/2021-05_Annex_SL_Appendix_2.pdf?nodeid=21826538&vernum=-2|ISO/IEC Directives-Part 1, Annex SL, Appendix 2]] prescribes how ISO Management System Standard (MSS) standards //should// be structured and, much to the ire of some Technical Committee (TC) members, includes some "mandatory" //common// content. 
  
-[[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]]:2019 is divided into two main parts:  +<note> 
-  Annex L"Proposals for management system standards" \\ +The ISO/IEC Directives-Part 1:2019 edition was restructured to  (1) rename "Annex SL" to "Annex L" and (2) expand the scope of Annex L to include IEC management system standards (who was resistant to adopting the new structure and/or common content). However, the 2022 version has returned to "Annex SL" and no longer includes IEC (S-prefixed annexes only apply to ISO standards, while those without the prefix apply to both ISO and IEC standards). It now states: \\  
-  Appendix 2"High level structureidentical core text, common terms and core definitions" +**SL.5 Applicability of this annex** \\  
 +//The procedures in this annex apply to all ISO documentsincluding TSPAS and IWA.// 
 +</note>
  
 +ISO/IEC Directives-Part 1:2022 was divided into two main parts: 
 +  * Annex SL, "Proposals for management system standards" \\
 +  * Appendix 2, "Harmonized structure for MSS with guidance for use"
  
 However, its definition of "risk" has remained unchanged since it was introduced in the 2012 edition of "ISO/IEC Directives-Part 1. Annex SL, Appendix 3". However, its definition of "risk" has remained unchanged since it was introduced in the 2012 edition of "ISO/IEC Directives-Part 1. Annex SL, Appendix 3".
  
-<blockquote>**ISO/IEC Directives-Part 1. Annex L, Appendix 2 (2019 edition)** \\ +<blockquote>**ISO/IEC Directives-Part 1. Annex SL, Appendix 2 (2022 edition)** \\ 
-3. risk \\ +3. risk \\ 
-effect of uncertainty \\+effect of uncertainty \\ 
  
 Note 1 to entry: An effect is a deviation from the expected — positive or negative. \\ Note 1 to entry: An effect is a deviation from the expected — positive or negative. \\
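Review bot: the Annex SL link in the paragraph beginning "ISO/IEC Directives-Part 1, Annex SL, Appendix 2 prescribes" points at the 2021-05 PDF (vernum=-2), while the links in the introduction and in the "driving force" paragraph point at the 2022-05 PDF (vernum=-2a); the surrounding text and the blockquote header cite the 2022 edition, so use the same 2022 URL throughout. In the `<note>` box, "IEC management system standards (who was resistant ...)" should be "(which were resistant ...)". The two-bullet list under "ISO/IEC Directives-Part 1:2022 was divided into two main parts" presents Annex SL and its own Appendix 2 as parallel parts; the second bullet is a subdivision of the first, so write "Annex SL, and its Appendix 2, ..." or indent the second bullet under the first.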
Line 40: Line 45:
 Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73) and “consequences” (as defined in ISO Guide 73), or a combination of these. \\ Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73) and “consequences” (as defined in ISO Guide 73), or a combination of these. \\
 Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73) of occurrence.</blockquote> Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73) of occurrence.</blockquote>
 +
 +<note>While the [[https://isotc.iso.org/livelink/livelink/fetch/-8921878/8921901/16347356/16347818/2022-05_Annex_SL_Appendix_2.pdf?nodeid=21826538&vernum=-2|ISO/IEC Directives-Part 1, Annex SL]]:2022 is titled "Harmonized approach for management system standards" (HA), this is essentially the same as the previous “//High level structure//” (HLS). Interestingly, the actual ISO/IEC Directives-Part 1, Annex SL, Appendix 2]]:2022 is titled "//Harmonized structure for MSS with guidance for use//" (or "HS"). The differences in "ISO/IEC Directives-Part 1, Annex SL, Appendix 2" compared to ISO 9001:2015 are minimal. These differences are described at the end of an article titled [[https://www.quality.org/knowledge/high-level-structure-dead-long-life-harmonised-approach|"The High Level Structure is dead. Long life to the Harmonised Approach?"]].</note>
 +
  
 A clue as to why ISO developed this broad definition for risk can be found in ISO JTCG N359, "JTCG Frequently Asked Questions in support of Annex SL" (dated 2013-12-03), explaining why the concept of “Preventive Action” was replaced with "risks and opportunities". A clue as to why ISO developed this broad definition for risk can be found in ISO JTCG N359, "JTCG Frequently Asked Questions in support of Annex SL" (dated 2013-12-03), explaining why the concept of “Preventive Action” was replaced with "risks and opportunities".
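Review bot: the new `<note>` contains a stray `]]` in "the actual ISO/IEC Directives-Part 1, Annex SL, Appendix 2]]:2022" with no opening `[[`, which DokuWiki will render literally; either drop the brackets or make the phrase a link like the one earlier in the same note. That earlier link again uses the vernum=-2 (2021-05) URL although the sentence cites the 2022 edition. The note also compares two different pairs of things in consecutive sentences (Annex SL:2022 versus the old HLS, then Appendix 2 versus ISO 9001:2015) without signalling the switch; naming both comparisons explicitly ("Annex SL compared with the HLS ... Appendix 2 compared with ISO 9001:2015 ...") would keep the reader oriented.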
Line 78: Line 86:
  
 <WRAP center round box 80%> <WRAP center round box 80%>
-Consider a baseball game where your team is down by run at the bottom of the 9th inning and the bases are loaded with two outs. \\ +Consider a baseball game where your team is down by run at the bottom of the 9th inning and the bases are loaded with two outs. \\ 
 Negative risk - the batter will strike out and your team will lose the game. \\ Negative risk - the batter will strike out and your team will lose the game. \\
-Positive risk - the batter will score couple of runs and your team will win the game.+Positive risk - the batter will hit "Grand Slam" and your team will win the game.
 </WRAP> </WRAP>
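Review bot: both versions of the baseball example are missing an article: "down by run" should be "down by a run", and the new "hit "Grand Slam"" should be "hit a grand slam". More substantively, the box labels two outcomes (strike out, grand slam) as the "negative risk" and "positive risk", whereas the Directives definition quoted above defines risk as the "effect of uncertainty"; under that definition the risk is the uncertainty of the at-bat and its effect on the objective (winning), and the strikeout and the grand slam are its consequences. Saying so in the box would make the analogy match the definition it is meant to illustrate.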
  
Line 131: Line 139:
 At this point, "Note 1" becomes nonsensical because there is no definition or use of the word "address" relating to a consequence, outcome, or result. So for the moment, let's ignore the use of that word and focus on how ISO 31000:2018, "Note 1" states that a "risk" can "//create or result in opportunities __and__ threats//" At this point, "Note 1" becomes nonsensical because there is no definition or use of the word "address" relating to a consequence, outcome, or result. So for the moment, let's ignore the use of that word and focus on how ISO 31000:2018, "Note 1" states that a "risk" can "//create or result in opportunities __and__ threats//"
  
-In effect, ISO 31000:2018 is stating that “opportunities __and__ threats” are two sides of the same “risk” coin; because the word "and" means that the two exist simultaniously!+In effect, ISO 31000:2018 is stating that “opportunities __and__ threats” are two sides of the same “risk” coin; because the word "and" means that the two exist simultaneously!
  
 It's important to note that risks typically result from an "opportunity". For example, when presented with an investment "opportunity", taking action could result in either a profit, a loss, or no change in value. While taking no action would preserve the current assets (no change), avoid loss, and forgo any profits that the investment would have yielded. It's important to note that risks typically result from an "opportunity". For example, when presented with an investment "opportunity", taking action could result in either a profit, a loss, or no change in value. While taking no action would preserve the current assets (no change), avoid loss, and forgo any profits that the investment would have yielded.
 +
 +The "[[https://nso.nato.int/nso/zPublic/srd/PROM/SRD-4739%20EDA%20V1%20E.pdf|Standards Related Document SRD-4739, Training Package on NATO Risk Management Guide for Acquisition Programmes]]" (Edition A, Version 1, July 2015) supports and promotes this two-sided construct concept, explaining it as:
 +
 +<blockquote>
 +Conceptual – Risk can be seen as a source of variability which is a two-sided construct. The double side nature of variability is captured in the definition of risk that includes both positive and negative consequences. An opportunity is also an uncertain event since it is a possible future event. So both threats and opportunities are covered by this same description of risk as “uncertainty that matters”.</blockquote>
  
 While none of the above ISO documents define "opportunity", [[https://www.dictionary.com/browse/opportunity|Dictionary.com]] does: While none of the above ISO documents define "opportunity", [[https://www.dictionary.com/browse/opportunity|Dictionary.com]] does:
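Review bot: the new NATO SRD-4739 quotation is introduced as something that "supports and promotes this two-sided construct concept", but the paragraph it follows ("risks typically result from an 'opportunity'") draws the opposite distinction (the opportunity is the trigger, the risk is the possible loss), and the article's later heading calls the negative-only reading the correct one; say whether the NATO text is cited as one more example of the non-traditional view or as support for the article's own position. Grammar in the preceding paragraph: "While taking no action would preserve ... yielded." is a sentence fragment; join it to the previous sentence with a comma ("..., while taking no action would ...").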
Line 155: Line 168:
  
 An excellent discussion on this topic is contained in the [[https://www.sra.org/sites/default/files/pdf/SRA%20Glossary%20-%20FINAL.pdf|The SRA Glossary of Risk-Related Terminology]]. An excellent discussion on this topic is contained in the [[https://www.sra.org/sites/default/files/pdf/SRA%20Glossary%20-%20FINAL.pdf|The SRA Glossary of Risk-Related Terminology]].
-===== Traditional Definition of Risk =====+===== Traditional (Correct) Definition of Risk =====
  
 In order to truly understand the meaning of "risk", we must examine the etymology of the word. In order to truly understand the meaning of "risk", we must examine the etymology of the word.
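Review bot: renaming the heading to "Traditional (Correct) Definition of Risk" states the conclusion in the section title before the etymology argument that is supposed to establish it ("we must examine the etymology of the word"), and it clashes with the neutral framing in the introduction, which presents "two of the most commonly used general definitions". Keep the heading descriptive ("Traditional Definition of Risk" or "Traditional (Etymological) Definition of Risk") and let the section argue for correctness.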
Line 190: Line 203:
 We don't see warning signs for unknown risks, or risks that cannot be avoided. We only see warning signage for __known__ risks that can be avoided. We don't see warning signs for unknown risks, or risks that cannot be avoided. We only see warning signage for __known__ risks that can be avoided.
  
-==== ISO 13485:2016 & ISO 14971:2007 ==== 
-Both ISO 13485:2016, "//Medical devices — Quality management systems — Requirements for regulatory purposes//" and ISO 14971:2007, 
-"//Medical devices — Application of risk management to medical devices//" maintain a definition of "risk" consistent with the etymology of the word. 
  
-<blockquote> 
-**ISO 13485:2016** \\ 
-3.17 risk \\ 
-combination of the probability of occurrence of harm and the severity of that harm 
- 
-Note 1 to entry: This definition of “risk” differs from the definition given in ISO 9000:2015 
- 
-[SOURCE: ISO 14971:2007, 2.16]</blockquote> 
  
  
 ==== ISO/IEC Guide 51:2014 ==== ==== ISO/IEC Guide 51:2014 ====
  
-The definition for "risk" provided in ISO/IEC Guide 51:2014, "Safety aspects — Guidelines for their inclusion in standards" (which was reviewed and confirmed in 2019), is identical to that provided by ISO 13485:2016 & ISO 14971:2007, with a different "Note 1".+The definition for "risk" provided in ISO/IEC Guide 51:2014, "Safety aspects — Guidelines for their inclusion in standards" (which was reviewed and confirmed in 2019), maintains consistency with the etymology of the word.
  
 <blockquote>**ISO/IEC Guide 51:2014** \\ <blockquote>**ISO/IEC Guide 51:2014** \\
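Review bot: deleting the ISO 13485:2016 / ISO 14971:2007 subsection loses the one piece of evidence in the article that ISO itself acknowledges the conflict: the removed blockquote's "Note 1 to entry: This definition of 'risk' differs from the definition given in ISO 9000:2015" and its "[SOURCE: ISO 14971:2007, 2.16]" line. If the two standards are to be folded into a list under ISO/IEC Guide 51, keep that Note 1 and the clause references (3.17 and 2.16) somewhere in the Traditional section; the rewritten Guide 51 sentence now only says the definition "maintains consistency with the etymology of the word" and no longer tells the reader that ISO 13485 and ISO 14971 carry the same definition, or that ISO flagged the divergence in its own text.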
Line 214: Line 216:
 Note 1 to entry: The probability of occurrence includes the exposure to a //hazardous situation// (3.4), the occurrence of a //hazardous event// (3.3) and the possibility to avoid or limit the harm.</blockquote> Note 1 to entry: The probability of occurrence includes the exposure to a //hazardous situation// (3.4), the occurrence of a //hazardous event// (3.3) and the possibility to avoid or limit the harm.</blockquote>
  
 +The above definition appears in multiple ISO documents, including, but not limited to:
 +  * ISO 11014:2009, "//Safety data sheet for chemical products — Content and order of sections//"
 +  * ISO 13022:2012, "//Medical products containing viable human cells — Application of risk management and requirements for processing practices//"
 +  * ISO 13485:2016, "//Medical devices — Quality management systems — Requirements for regulatory purposes//"
 +  * ISO 14971:2007, "//Medical devices — Application of risk management to medical devices//"
 +  * ISO 15188:2001, "//Project management guidelines for terminology standardization//"
 +  * ISO/TS 18683:2015, "//Guidelines for systems and installations for supply of LNG as fuel to ships//"
 +  * ISO 18113-1:2009, "//In vitro diagnostic medical devices — Information supplied by the manufacturer (labeling) — Part 1: Terms, definitions and general requirements//"
 +  * ISO 20696:2018, "//Sterile urethral catheters for single use//"
 +
 +It is interesting that when "safety" is involved, ISO suddenly changes its position on the definition of "risk".
  
 ==== ICH Q9 ==== ==== ICH Q9 ====
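Review bot: the new list says "The above definition appears in" eight ISO documents, but what appears directly above is the ISO/IEC Guide 51:2014 entry together with its Note 1 about hazardous situations and hazardous events, and the subsection removed in this revision showed ISO 13485:2016 sourcing its definition from ISO 14971:2007, 2.16 with a different note. State what is actually shared (the core definition, "combination of the probability of occurrence of harm and the severity of that harm") and give the clause number in each listed document, as the removed blockquote did for ISO 13485 (3.17), so a reader can verify the claim. The closing sentence ("ISO suddenly changes its position") is opinion; the evidence the list provides is that safety-related documents use the narrower definition, which is worth saying plainly, ideally alongside the ISO 13485 Note 1 that acknowledges the difference.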
Line 248: Line 261:
 An undesirable situation or circumstance that has both a likelihood of occurring and a potentially negative consequence.</blockquote> An undesirable situation or circumstance that has both a likelihood of occurring and a potentially negative consequence.</blockquote>
  
-However, the above definition was deleted from SAE AS9100:2016 (Rev. D) in order to accommodate the definition provided in ISO 9000:2015. BUT, the "Scope" of AS9100:2016 states: "//It is emphasized that the requirements specified in this standard are complementary (not alternative) to customer and __applicable__ statutory and __regulatory requirements__.//" +However, the above definition was deleted from SAE AS9100:2016 (Rev. D) in order to accommodate the definition provided in ISO 9000:2015.  
 + 
 +==== NASA  ==== 
 +NASA has a relatively extensive definition and explanation of risk. 
 + 
 +<blockquote>**NASA/SP-2011-3421 (Second Edition, December 2011) \\ 
 +"Probabilistic Risk Assessment Procedures Guide for NASA Managers and Practitioners"** \\ 
 +2.1 Definition of Risk \\ 
 +The concept of risk includes both undesirable consequences and likelihoods, e.g., the number of people harmed, and the probability of occurrence of this harm. Sometimes, risk is defined as a set of single values, e.g., the expected values of these consequences. This is a summary measure and not a general definition. Producing probability distributions for the consequences affords a much more detailed description of risk. 
 + 
 +A very common definition of risk represents it as a set of triplets [2-1]: scenarios, likelihoods, and consequences. Determining risk generally amounts to answering the following questions: 
 +  - What can go wrong? 
 +  - How likely is it? 
 +  - What are the associated consequences? 
 + 
 +The answer to the first question is a set of accident scenarios. The second question requires the evaluation of the probabilities of these scenarios, while the third estimates their consequences. Implicit within each question is that there are uncertainties. The uncertainties pertain to whether all the significant accident scenarios have been identified, and whether the probabilities of the scenarios and associated consequence estimates have properly taken into account the sources of variability and the limitations of the available information. 
 + 
 +Scenarios and uncertainties are among the most important components of a risk assessment. Figure 2-1 shows the implementation of these concepts in PRA. In this Figure, uncertainty analysis is shown to be an integral part of each step of the process rather than just a calculation that is performed at the end of the risk quantification. 
 +</blockquote> 
 + 
 +==== US Military Definitions of Risk ==== 
 + 
 +For internal use: 
 +<blockquote>**FM 5-19 (FM 100-14) "Composite Risk Management" (July 2006) - SECTION II – TERMS** \\ 
 +Risk \\ 
 +Probability and severity of loss linked to hazards. \\ 
 +\\ 
 +Hazard \\ 
 +A condition with the potential to cause injury, illness, or death of personnel; damage to or loss of equipment or property; or mission degradation. 
 +</blockquote> 
 + 
 +For DoD Contractors: 
 +<blockquote>**Department of Defense, "Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs" (January 2017) - Glossary** \\ 
 +risk: potential future event or condition that may have a negative effect on achieving program objectives for cost, schedule, and performance. Risks are defined by (1) the probability (greater than 0, less than 1) of an undesired event or condition and (2) the consequences, impact, or severity of the undesired event, were it to occur.</blockquote> 
 + 
 +And, by order of the Commander Air Force Materiel Command: 
 +<blockquote>**AFMC Pamphlet 63-101, "Risk Management" (9 July 1997)** \\ 
 +1.5. -- Risk Management Definitions: \\ 
 +1.5.1.  Risk.  Risk is a measure of the inability to achieve program objectives within defined cost and schedule constraints.  Risk has two components: 
 +  * The probability (or likelihood) of failing to achieve particular performance, schedule, or cost objectives, and 
 +  * The consequence of failing to achieve those objectives. 
 +</blockquote> 
 +==== U.S. Regulatory Definitions of Risk ==== 
 + 
 +The "Scope" of AS9100:2016 states: "//It is emphasized that the requirements specified in this standard are complementary (not alternative) to customer and __applicable__ statutory and __regulatory requirements__.//" 
  
-Through an interesting turn of fortunate eventsthe U.S. Federal Aviation Administration (FAA) has //rescued// the aerospace industry from dealing with the ambiguity contained in ISO 9000:2015 by defining the word "risk" in "[[https://www.law.cornell.edu/cfr/text/14/5.5|14 CFR § 5.5 - Definitions]]" (for general aviation safety)...+Thereforewhere U.S. Federal Aviation Administration (FAA) regulations apply, the word "risk" is defined in "[[https://www.law.cornell.edu/cfr/text/14/5.5|14 CFR § 5.5 - Definitions]]" (for general aviation safety) as:
  
 <blockquote>**U.S. 14 CFR § 5.5 - Definitions** \\ <blockquote>**U.S. 14 CFR § 5.5 - Definitions** \\
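Review bot: the NASA blockquote opens a bold span with `**NASA/SP-2011-3421 ...` on one line and closes it on the next after a `\\`; DokuWiki bold does not survive a forced line break, so close the `**` before the `\\` and reopen it on the title line. The quoted NASA text also refers to "[2-1]" and "Figure 2-1", neither of which is reproduced; either trim the quotation to the definition and the three questions ("What can go wrong? How likely is it? What are the associated consequences?") or add a sentence noting that the figure is not included. Minor formatting: the heading "==== NASA  ====" has a double space, and the "U.S. Regulatory Definitions of Risk" heading directly follows the AFMC `</blockquote>` with no blank line. On logic: the "Therefore" opening the FAA paragraph rests on the AS9100 Scope sentence moved just above it, which only says the AS9100 requirements are complementary to applicable regulatory requirements; it does not say a regulatory definition displaces the ISO 9000 one, so the paragraph should say that where 14 CFR Part 5 applies, the regulatory definition of "risk" applies alongside (and takes precedence over) the ISO wording, rather than presenting it as a consequence of the Scope clause.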
Line 262: Line 319:
 </blockquote> </blockquote>
  
-...and in "[[https://www.law.cornell.edu/cfr/text/14/401.5|U.S. 14 CFR § 401.5 - Definitions]]" (for the U.S. commercial space industry).+And in "[[https://www.law.cornell.edu/cfr/text/14/401.5|U.S. 14 CFR § 401.5 - Definitions]]" (for the U.S. commercial space industry) as:
  
 <blockquote>**U.S. 14 CFR § 401.5 - Definitions** \\ <blockquote>**U.S. 14 CFR § 401.5 - Definitions** \\
 //Risk// \\ //Risk// \\
 Risk means a measure that accounts for both the probability of occurrence of a hazardous event and the consequence of that event to persons or property.</blockquote> Risk means a measure that accounts for both the probability of occurrence of a hazardous event and the consequence of that event to persons or property.</blockquote>
 +
 +Where [[https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.|DFARs (Defense Federal Acquisition Regulations) 252-204-7012 "Safeguarding Covered Defense Information and Cyber Incident Reporting"]] is invoked, section (b), (2), (i) requires the implementation of [[https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final|NIST Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”]], which defines "risk" as: 
 +
 +<blockquote>**NIST Special Publication (SP) 800-171 (Rev. 2) - Appendix B, GLOSSARY** \\
 +//Risk// \\
 +[[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf|[OMB A-130]]] \\ 
 +A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of: (i) the adverse impact, or magnitude of harm, that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.</blockquote>
 +
 +==== CNSS Instruction No. 4009 ====
 +The [[https://www.cdse.edu/documents/toolkits-issm/cnssi4009.pdf|CNSS (Committee on National Security Systems (CNSS)) Instruction No. 4009, "National Information Assurance (IA) Glossary" (dated 26 April 2010)]] includes the following definition for "risk":
 +
 +<blockquote>**CNSS Instruction No. 4009** \\
 +//risk// \\
 +A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence. \\
 +
 +Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.</blockquote>
 +
 +This definition is also included in [[https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf|"NIST Special Publication 800-30" (Revision 1), "Guide for Conducting Risk Assessments", Appendix B, "Glossary" (dated September 2012)]].
 +
 +==== FIPS PUB 200 ====
 +[[https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf|FIPS PUB 200, "Minimum Security Requirements for Federal Information and Information Systems"]] contains a similar definition for "risk".
 +
 +<blockquote>**FIPS PUB 200 - APPENDIX A TERMS AND DEFINITIONS** \\
 +//risk// \\
 +The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.
 +</blockquote>
 +
 ==== API Spec Q1 ==== ==== API Spec Q1 ====
-While not an ISO document, [[https://www.monogramwebstore.org/publications/item.cgi?7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1, "Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry" (Ninth Edition, June 2013)]], published by the [[https://www.api.org|American Petroleum Institute (API)]], also contains a definition very similar to the definition contained in SAE AS9100C. +[[https://www.monogramwebstore.org/publications/item.cgi?7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1, "Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry" (Ninth Edition, June 2013)]], published by the [[https://www.api.org|American Petroleum Institute (API)]], also contains a definition very similar to the definition contained in SAE AS9100C. 
  
 <blockquote>**API Spec Q1** \\ <blockquote>**API Spec Q1** \\
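Review bot: the DFARS citation in the new paragraph has three errors: "DFARs" should be "DFARS", the clause is "252.204-7012" (with dots, as in the link URL itself), not "252-204-7012", and the link URL ends in a period ("...cyber-incident-reporting.|") that will be sent as part of the address, so drop the trailing period. "section (b), (2), (i)" should be written as paragraph (b)(2)(i). The CNSS Instruction No. 4009 subsection moved here quotes the 26 April 2010 edition; CNSSI No. 4009 was revised in 2015, so either say explicitly that the 2010 text is what is quoted or update the citation to the current edition. Finally, the NIST SP 800-171 entry (attributed there to [OMB A-130]) and the CNSSI 4009 / SP 800-30 entry are the same sentence apart from minor wording ("typically is a function of: (i)" versus "typically a function of 1)"); saying so once would present the regulatory definitions as one lineage rather than three independent ones, with FIPS 200 differing in wording rather than substance.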
Line 285: Line 369:
  
 ==== NFPA 1600® ==== ==== NFPA 1600® ====
-While also not an ISO document, [[https://www.nfpa.org/codes-and-standards/all-codes-and-standards/list-of-codes-and-standards/detail?code=1600|NFPA 1600®, "Standard on Continuity, Emergency, and Crisis Management" (2019 Edition)]], published by the [[https://www.nfpa.org|National Fire Protection Association (NFPA)]], contains a definition for "//Risk Assessment//", from which a definition for "risk" can be easily derived as "//threats and hazards//".+[[https://www.nfpa.org/codes-and-standards/all-codes-and-standards/list-of-codes-and-standards/detail?code=1600|NFPA 1600®, "Standard on Continuity, Emergency, and Crisis Management" (2019 Edition)]], published by the [[https://www.nfpa.org|National Fire Protection Association (NFPA)]], contains a definition for "//Risk Assessment//", from which a definition for "risk" can be easily derived as "//threats and hazards//".
  
 <blockquote>**NFPA 1600<sup>®</sup> ** \\ <blockquote>**NFPA 1600<sup>®</sup> ** \\
 3.3.27 Risk Assessment \\ 3.3.27 Risk Assessment \\
 The process of identifying threats and hazards to life, property, operations, the environment, and entities, and the analysis of probabilities, vulnerabilities, and impacts.</blockquote> The process of identifying threats and hazards to life, property, operations, the environment, and entities, and the analysis of probabilities, vulnerabilities, and impacts.</blockquote>
-==== CNSS Instruction No. 4009 ==== 
-The [[https://www.cdse.edu/documents/toolkits-issm/cnssi4009.pdf|CNSS (Committee on National Security Systems (CNSS)) Instruction No. 4009, "National Information Assurance (IA) Glossary" (dated 26 April 2010)]] includes the following definition for "risk": 
  
-<blockquote>**CNSS Instruction No. 4009** \\ 
-risk \\ 
-A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence. \\ 
- 
-Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.</blockquote> 
- 
-This definition is also included in [[https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf|"NIST Special Publication 800-30" (Revision 1), "Guide for Conducting Risk Assessments", Appendix B, "Glossary" (dated September 2012)]]. 
 ===== The ISO 9001:2015 Conundrum ===== ===== The ISO 9001:2015 Conundrum =====
  
-IF the authors of ISO 9001:2015 had subscribed to the views expressed in ISO 9000:2015, "Note 1", then they would simply have used the word "risk" rather than repeatedly stating “//risks and opportunities//” as two separate concepts throughout the standard (in sections 4.4f, 5.1.2b, 6.1, 9.1.3e, 9.3.2e & 10.2.1e). +IF the authors of ISO 9001:2015 had truly subscribed to the views expressed in ISO 9000:2015, "Note 1", then they would simply have used the word "risk" rather than repeatedly stating “//risks and opportunities//” as two separate concepts throughout the standard (in sections 4.4f, 5.1.2b, 6.1, 9.1.3e, 9.3.2e & 10.2.1e). 
 {{ :articles:confused_thoughts.png?nolink&300|}} {{ :articles:confused_thoughts.png?nolink&300|}}
  
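Review bot: dropping the entire CNSS Instruction No. 4009 section (the `-` lines from "==== CNSS Instruction No. 4009 ====" through the NIST SP 800-30 Rev. 1 cross-reference) removes the only definition on the page that states risk as a function of adverse impact and likelihood, which is precisely the negative-only reading the rest of the article contrasts with ISO's "positive or negative" definition. If the section is being cut for length, keep at least the one-sentence definition ("A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of occurrence.") together with its NIST SP 800-30 r1 Appendix B citation, since the information-assurance community's definition is exactly the counter-example the argument needs. Separately, in the NFPA 1600 paragraph, deriving "risk" as simply "threats and hazards" is loose: the quoted 3.3.27 text also names "probabilities, vulnerabilities, and impacts", so either state the derived definition as threats/hazards together with their likelihood and impact, or narrow the claim to "the negative-only sense of the term".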
Line 316: Line 391:
 Consequently, this has created a conundrum for users over how to properly address "risk". Consequently, this has created a conundrum for users over how to properly address "risk".
  
-<note tip>To use an analogy, the online dictionary "[[https://www.wordnik.com/|Wordnik]]" includes two definitions for the word  [[https://www.wordnik.com/words/day|"day"]]: \\+<WRAP center round info 80%> 
 +To use an analogy, the online dictionary "[[https://www.wordnik.com/|Wordnik]]" includes two definitions for the word  [[https://www.wordnik.com/words/day|"day"]]: \\
 n. The period of light between dawn and nightfall; the interval from sunrise to sunset. \\ n. The period of light between dawn and nightfall; the interval from sunrise to sunset. \\
 n. The 24-hour period during which the earth completes one rotation on its axis, traditionally measured from midnight to midnight.  \\ n. The 24-hour period during which the earth completes one rotation on its axis, traditionally measured from midnight to midnight.  \\
  \\  \\
-Using this analogy, ISO //defines// "risk" as being both "negative" and "positive" in much the same way as a "day" can be interpreted as including both "light" and "darkness". However, the term "risks and opportunities" are used repeatedly in standards such as ISO 9001 & ISO 17025 in much the same way that one might casually refer to "day" and "night" as both occurring during a 24-hour "day".</note>+Using this analogy, ISO //defines// "risk" as being both "negative" and "positive" in much the same way as a "day" can be interpreted as including both "light" and "darkness". However, the term "risks and opportunities" are used repeatedly in standards such as ISO 9001 & ISO 17025 in much the same way that one might casually refer to "day" and "night" as both occurring during a 24-hour "day". 
 +</WRAP> 
 ==== Is the use of "Preventive Action" still valid? ==== ==== Is the use of "Preventive Action" still valid? ====
  
-While many organizations continue to use the term “preventive action” to address “negative risks"/threats (e.g., because it was embedded into their corrective action forms, databases, etc.), it fails to address "positive risks" and "opportunities".+The short answer is yes. However, while many organizations continue to use the term “preventive action” to address “negative risks"/threats (e.g., because it was embedded into their corrective action forms, databases, etc.), the term has an extremely limiting/restrive definition. 
 + 
 +<blockquote>ISO 9000:2015, sec. 3.12.1 \\  
 +preventive action \\  
 +action to __eliminate__ the cause of a potential nonconformity (3.6.9) or other potential undesirable situation \\  
 + \\  
 +Note 1 to entry: There can be more than one cause for a potential nonconformity.  \\   
 +Note 2 to entry: Preventive action is taken to prevent occurrence whereas corrective action (3.12.2) is taken to prevent recurrence.</blockquote> 
 + 
 +In reality, many risks (often the majority) cannot be "eliminated". And are instead "mitigated".
  
 Even though use of “preventive action” is still permitted to address “negative risks"/threats, many ISO 9001 and AS9100:2016 registrars are //encouraging// their clients to eliminate use of the term “preventive action” and adopt the term “risks and opportunities” to ensure that both “threats” and “opportunities” are addressed within their QMS. Even though use of “preventive action” is still permitted to address “negative risks"/threats, many ISO 9001 and AS9100:2016 registrars are //encouraging// their clients to eliminate use of the term “preventive action” and adopt the term “risks and opportunities” to ensure that both “threats” and “opportunities” are addressed within their QMS.
  
-However, this presents challenges because several other standards specifically require “preventive action” to be included in the QMS. These include, but are not limited to:+Unfortunately, this presents challenges because several other standards specifically require “preventive action” to be included in the QMS (due to the same limited understanding of risk as ISO suffers and/or a "//monkey see - monkey do//" approach). These include, but are not limited to:
   * ISO 13485:2016, “//Medical Devices — Quality management systems — Requirements for regulatory purposes//   * ISO 13485:2016, “//Medical Devices — Quality management systems — Requirements for regulatory purposes//
   * ISO 17020:2012, “//Conformity Assessment — Requirements for the operation of various types of bodies performing inspection//” (Option A)   * ISO 17020:2012, “//Conformity Assessment — Requirements for the operation of various types of bodies performing inspection//” (Option A)
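Review bot: "restrive" in the added opening sentence under "Is the use of "Preventive Action" still valid?" should read "restrictive", and the added line "In reality, many risks (often the majority) cannot be "eliminated". And are instead "mitigated"." is a sentence fragment; suggest "In reality, many risks (often the majority) cannot be eliminated; they can only be mitigated." The underline on "eliminate" inside the ISO 9000:2015 sec. 3.12.1 quotation is not part of the standard's own text, so flag it as added emphasis (e.g., "(emphasis added)") rather than presenting it inside a verbatim quote. The new parenthetical "(due to the same limited understanding of risk as ISO suffers and/or a "monkey see - monkey do" approach)" asserts a motive for ISO 13485, ISO 17020 and the other listed standards that nothing on the page supports; the bullet list makes the point on its own without it.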
Line 381: Line 468:
   * ISO Guide 73:2009 (only references other ISO & IEC documents)   * ISO Guide 73:2009 (only references other ISO & IEC documents)
  
-It quickly becomes obvious that ISO is firmly entrenched in "//Not Invented Here Syndrome//" (NIHS). [[https://en.wikipedia.org/wiki/Not_invented_here|Wikipedia]] describes NIHS as a stance adopted by social, corporate, or institutional cultures that avoids using or buying already existing products, research, standards, or knowledge because of their external origins and costs, such as royalties. The reasons for not wanting to use the work of others are varied, but some can include a desire to support a local economy instead of paying royalties to a foreign license-holder, fear of patent infringement, lack of understanding of the foreign work, an unwillingness to acknowledge or value the work of others, jealousy, belief perseverance, or forming part of a wider turf war. As a social phenomenon, this tendency can manifest itself as an unwillingness to adopt an idea or product because it originates from another culture, a form of tribalism.+It quickly becomes obvious that ISO is firmly entrenched in "//Not Invented Here Syndrome//" (NIHS).
  
 +<note>"//Not Invented Here Syndrome//" (NIHS) is a term used to describe the situation where a perfectly fine solution (e.g., product, software, standard, technique) is rejected, simply because it was developed by someone else (e.g., a different organization, department, person). It is important to recognize that "true" NIHS is driven by a psychological disorder or other abnormal condition.
 + \\
 + \\
 +Where an organization or business modifies an existing product, software, etc. to avoid infringing on a copyright or patent, to avoid expensive licensing fees or royalties, reduce supply-chain risks, to avoid supporting a competitor or foreign nation (e.g., a dictatorship); then the modification is justified based on a logical reason. However, where an organization or business modifies an existing product, software, etc. based purely on a desire to be "unique" - without any significant differences or improvements, then the change was driven by emotion rather than logic. In other words, being different for the sake of being different. An organization or business driven by NIHS will often claim that their product, software, etc. is "better"... whether it is or not. This feeds and perpetuates the delusional egos of their narcissistic leadership, and can extend throughout the organization.</note>
  
-However, unlike the above documents, ISO 13485:2016 also includes references to GHTF (Global Harmonization Task Force), which has been superseded by ([[http://www.imdrf.org|International Medical Device Regulators Forum]]) documents. And ISO 14001:2015 includes references to [[https://www.ilo.org/global/lang--en/index.htm|U.N. ILO (International Labor Organization)]] documents and +Unlike the above documents, ISO 13485:2016 also includes references to GHTF (Global Harmonization Task Force), which has been superseded by ([[http://www.imdrf.org|International Medical Device Regulators Forum]]) documents. And ISO 14001:2015 includes references to [[https://www.ilo.org/global/lang--en/index.htm|U.N. ILO (International Labor Organization)]] documents and 
 the OHSAS Project Group documents (OHSAS 18001 & 18002), which has now been superseded by [[https://committee.iso.org/home/pc283|ISO/TC 283]]. the OHSAS Project Group documents (OHSAS 18001 & 18002), which has now been superseded by [[https://committee.iso.org/home/pc283|ISO/TC 283]].
  
-<note>The Bibliography section of OHSAS 18001:2007 ONLY lists ISO documents.</note>+<note>The Bibliography section of OHSAS 18001:2007 ONLY listed ISO documents.</note>
  
-As this article shows, ISO has been divided over defining this simple concept for many years. And the definition that ISO appears to be working toward is convoluted... likely never to be embraced (or understood) by users. +As this article shows, ISO has been divided over defining the concept of "risk" for many years. And the definition that ISO appears to be working toward is convoluted to the point of being nonsensical... likely never to be understood (or embraced) by users. 
  
 In contrast, [[https://www.monogramwebstore.org/publications/item.cgi?7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1 (Ninth Edition, June 2013)]] easily and succinctly defined this concept. In contrast, [[https://www.monogramwebstore.org/publications/item.cgi?7a832d46-1fb0-4650-a57e-963108b9f71d|API Spec Q1 (Ninth Edition, June 2013)]] easily and succinctly defined this concept.
 +
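Review bot: replacing the cited Wikipedia description of "Not Invented Here Syndrome" with the new <note> drops the only source for the term, and the note's added claims that "true" NIHS is "driven by a psychological disorder" and that it "feeds and perpetuates the delusional egos of their narcissistic leadership" are unsupported assertions that weaken an otherwise evidence-based argument (the bibliography comparison across ISO documents). Suggest keeping the Wikipedia-sourced sentence (or another citation) and trimming the note to its defensible core: the distinction between modifying an existing standard for a stated reason (licensing fees, patent or copyright infringement, supply-chain risk, not supporting a competitor or a hostile state) and changing it merely to be different. Minor: "the OHSAS Project Group documents (OHSAS 18001 & 18002), which has now been superseded by ISO/TC 283" reads as if a committee superseded two standards; OHSAS 18001/18002 were superseded by ISO 45001, which is maintained by ISO/TC 283, so "superseded by ISO 45001 (ISO/TC 283)" says what is meant.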