| Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision |
| articles:a_matter_of_risk [2020/03/19 12:42] – [NFPA 1600®] rrandall | articles:a_matter_of_risk [2020/05/15 11:11] – [NFPA 1600®] rrandall |
|---|
| When it comes to defining the word "//risk//", ISO has several competing definitions; in various "official" ISO documents. And these are in further conflict with non-ISO industry standards As one would expect, these differences have created conflict within ISO and confusion amongst users. The problem appears to stem from ISO attempting to create a "one-size fits all" definition for "risk" (initially through ISO/IEC Directives-Part 1, Annex SL), while failing to recognize that there are different "types" of risks. | When it comes to defining the word "//risk//", ISO has several competing definitions; in various "official" ISO documents. And these are in further conflict with non-ISO industry standards As one would expect, these differences have created conflict within ISO and confusion amongst users. The problem appears to stem from ISO attempting to create a "one-size fits all" definition for "risk" (initially through ISO/IEC Directives-Part 1, Annex SL), while failing to recognize that there are different "types" of risks. |
| |
| This article will discuss two of the most "commonly" used definitions. | This article will discuss two of the most "commonly" used general definitions. |
| |
| - The "non-traditional" definition is that "risk" can be positive, negative, or both (e.g., for a type of risk involving action-related decisions, such as investment decisions; addressing the consequences of taking some action, as well as __not__ taking that action). This definition appears in Appendix 2 of [[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]]:2019, ISO 9000:2015, ISO 14001:2015, ISO 19011:2018, ISO 31000:2018 & ISO Guide 73:2009) | - The "non-traditional" definition is that "risk" can be positive, negative, or both (e.g., for a type of risk involving action-related decisions, such as investment decisions; addressing the consequences of taking some action, as well as __not__ taking that action). This definition appears in Appendix 2 of [[https://www.iso.org/sites/directives/current/part1/index.xhtml|ISO/IEC Directives-Part 1]]:2019, ISO 9000:2015, ISO 14001:2015, ISO 19011:2018, ISO 31000:2018 & ISO Guide 73:2009) |
| In effect, ISO 31000:2018 is stating that “opportunities __and__ threats” are two sides of the same “risk” coin; because the word "and" means that the two exist simultaniously! | In effect, ISO 31000:2018 is stating that “opportunities __and__ threats” are two sides of the same “risk” coin; because the word "and" means that the two exist simultaniously! |
| |
| It's important to note that risks typically result from an "opportunity". For example, when presented with an investment "opportunity", taking action could result in either a profit, a loss, or no change in value. While taking no action would preserve the current assets (no change), avoid loss, and forgo any profits that the investment would have yielded. This happens every day in the stock market. | It's important to note that risks typically result from an "opportunity". For example, when presented with an investment "opportunity", taking action could result in either a profit, a loss, or no change in value. While taking no action would preserve the current assets (no change), avoid loss, and forgo any profits that the investment would have yielded. |
| |
| While none of the above ISO documents define "opportunity", [[https://www.dictionary.com/browse/opportunity|Dictionary.com]] does: | While none of the above ISO documents define "opportunity", [[https://www.dictionary.com/browse/opportunity|Dictionary.com]] does: |
| However, the above equation ignores "detection", a common criterian for a "Falure Mode and Effects Analysis" (FMEA). Adding "detection" would change the equation to: Risk = "probability of an event" x "consequence of event" x "likelihood of detection". The result of this equation is typically referred to as a "Risk Priority Number". | However, the above equation ignores "detection", a common criterian for a "Falure Mode and Effects Analysis" (FMEA). Adding "detection" would change the equation to: Risk = "probability of an event" x "consequence of event" x "likelihood of detection". The result of this equation is typically referred to as a "Risk Priority Number". |
| |
| ==== NFPA 1600® ==== | ==== NFPA 1600<sup>®</sup> ==== |
| While also not an ISO document, [[https://www.nfpa.org/codes-and-standards/all-codes-and-standards/list-of-codes-and-standards/detail?code=1600|NFPA 1600®, "Standard on Continuity, Emergency, and Crisis Management" (2019 Edition)]], published by the [[https://www.nfpa.org|National Fire Protection Association (NFPA)]], contains a definition for "//Risk Assessment//", from which a definition for "risk" can be easily derived as "//threats and hazards//". | While also not an ISO document, [[https://www.nfpa.org/codes-and-standards/all-codes-and-standards/list-of-codes-and-standards/detail?code=1600|NFPA 1600<sup>®</sup>, "Standard on Continuity, Emergency, and Crisis Management" (2019 Edition)]], published by the [[https://www.nfpa.org|National Fire Protection Association (NFPA)]], contains a definition for "//Risk Assessment//", from which a definition for "risk" can be easily derived as "//threats and hazards//". |
| |
| <blockquote>**NFPA 1600® ** \\ | <blockquote>**NFPA 1600<sup>®</sup> ** \\ |
| 3.3.27 Risk Assessment \\ | 3.3.27 Risk Assessment \\ |
| The process of identifying threats and hazards to life, property, operations, the environment, and entities, and the analysis of probabilities, vulnerabilities, and impacts.</blockquote> | The process of identifying threats and hazards to life, property, operations, the environment, and entities, and the analysis of probabilities, vulnerabilities, and impacts.</blockquote> |
