Risk Solutions - leave nothing to chance

definitions

Someone once said: “The great thing about standards is that there are so many to choose from.”

The risk management field is no different in this respect than any other area of management where standards proliferate. In this section we highlight some of the most important terms in the field of risk management and provide examples of how these are defined in some of the more important or well known reference materials.

Where there are multiple definitions we provide a commentary on the distinctions but it is up to the reader to determine which definition best aligns with their own needs.

risk

The chance of something happening that will have an impact on objectives

  1. A risk is often specified in terms of an event or circumstance and the consequences that may flow from it.
  2. Risk is measured in terms of a combination of the consequences of an event and their likelihood.
  3. Risk may have a positive or negative impact.

Source: AS/NZS 4360:2004


Combination of the probability of an event and its consequence

  1. The term ‘risk’ is generally used only when there is at least the possibility of negative consequences.
  2. In some situations, risk arises from the possibility of deviation from the expected outcome or event.

Source: ISO/IEC GUIDE 73:2002


Combination of the probability of occurrence of harm and the severity of that harm

Source: ISO/IEC Guide 51:1999


Uncertainty of outcome, whether positive opportunity or negative threat, of actions and events. It is the combination of likelihood and impact, including perceived importance.

Source: HM Treasury, The Orange Book, 2004


The likelihood, measured by its probability, that a particular event will occur.

Source: HM Treasury, The Green Book


The chance, high or low, that somebody could be harmed by these and other hazards, together with an indication of how serious the harm could be.

Source: HSE – 5 steps to risk assessment, INDG163(rev2), revised 06/06


The potential for realization of unwanted, adverse consequences to human life, health, property, or the environment; estimation of risk is usually based on the expected value of the conditional probability of the event occurring times the consequence of the event given that it has occurred

Source: Society for Risk Analysis


The combination of the likelihood and the consequence of a specified hazard being realized. It is a measure of harm or loss associated with an activity

Source: USA - Office of Hazardous Materials Safety

 

We like the AS/NZS focus on the impact on objectives. The inclusion of ‘probability’ in the ISO/IEC definition and the Green Book is too restrictive. The Orange Book has a better balance and emphasises the upside as well as the downside.

Ideally a definition of “risk” should distinguish clearly between the concept of a “risk event” and that of a “risk measure”. The AS/NZS definition comes closest to doing this.

operational risk

The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

  1. The committee indicates that this definition excludes systemic risk, legal risk and reputational risk.

Basel Committee (2004)

 

Unsurprisingly, given the history in the financial services sector, focus is on the downside.

risk analysis

Systematic process to understand the nature of and to deduce the level of risk.

  1. Provides the basis for risk evaluation and decisions about risk treatment.

AS/NZS 4360:2004

Systematic use of information to identify sources and to estimate the risk.

  1. Risk analysis provides a basis for risk evaluation, risk treatment and risk acceptance.
  2. Information can include historical data, theoretical analysis, informed opinions, and the concerns of stakeholders.

ISO/IEC GUIDE 73:2002

Systematic use of available information to identify hazards and to estimate the risk.

ISO/IEC Guide 51:1999

A detailed examination including risk assessment, risk evaluation, and risk management alternatives, performed to understand the nature of unwanted, negative consequences to human life, health, property, or the environment; an analytical process to provide information regarding undesirable events; the process of quantification of the probabilities and expected consequences for identified risks

Society for Risk Analysis.

With the exception of the Society for Risk Analysis, which over-complicates the definition, there is good agreement here.

risk assessment

The overall process of risk identification, risk analysis and risk evaluation.

AS/NZS 4360:2004

Overall process of risk analysis and risk evaluation.

ISO/IEC GUIDE 73:2002

Overall process comprising a risk analysis and a risk evaluation.

ISO/IEC Guide 51:1999

The evaluation of risk with regard to the impact if the risk is realised and the likelihood of the risk being realised.

HM Treasury, The Orange Book, 2004

The process of establishing information regarding acceptable levels of a risk and/or levels of risk for an individual, group, society, or the environment.

Society for Risk Analysis

(Or risk characterization) is determination of risk context and acceptability, often by comparison to similar risks.

USA - Office of Hazardous Materials Safety

 

General agreement that this is to do with the process. The Orange Book focuses on ‘evaluation’ which is part of the process in the other definitions.

risk identification

The process of determining what, where, when, why and how something could happen.

AS/NZS 4360:2004

Process to find, list and characterize elements of risk.

  1. Elements can include source or hazard, event, consequence and probability.
  2. Risk identification can also reflect the concerns of stakeholders.

ISO/IEC GUIDE 73:2002

Recognizing that a hazard exists and trying to define its characteristics. Often risks exist and are even measured for some time before their adverse consequences are recognized. In other cases, risk identification is a deliberate procedure to review, and it is hoped, anticipate possible hazards.

Society for Risk Analysis

 

The AS/NZ definition is the simplest and most elegant.

risk evaluation

Process of comparing the level of risk against risk criteria.

  1. Risk evaluation assists in decisions about risk treatment.

AS/NZS 4360:2004

Process of comparing the estimated risk against given risk criteria to determine the significance of the risk.

  1. Risk evaluation may be used to assist in the decision to accept or to treat a risk.

ISO/IEC GUIDE 73:2002

Procedure based on the risk analysis to determine whether the tolerable risk has been achieved.

ISO/IEC Guide 51:1999

A component of risk assessment in which judgements are made about the significance and acceptability of risk.

Society for Risk Analysis

The introduction of the concept of risk criteria is helpful. Any subsequent judgements about ‘tolerability’ and ‘significance’ need the existence of the criteria to be meaningful.

risk criteria

Terms of reference by which the significance of risk is assessed.

n.b. Risk criteria can include associated cost and benefits, legal and statutory requirements, socioeconomic and environmental aspects, the concerns of stakeholders, priorities and other inputs to the assessment.

AS/NZS 4360:2004

Terms of reference by which the significance of risk is assessed.

n.b. Risk criteria can include associated cost and benefits, legal and statutory requirements, socio-economic and environmental aspects, the concerns of stakeholders, priorities and other inputs to the assessment.

ISO/IEC GUIDE 73:2002

 

The introduction of the concept of risk criteria is helpful. Any subsequent judgements about ‘tolerability’ and ‘significance’ need the existence of the criteria to be meaningful.

risk treatment

Process of selection and implementation of measures to modify risk.

  1. The term ‘risk treatment’ is sometimes used for the measures themselves.
  2. Risk treatment measures can include avoiding, modifying, sharing or retaining risk.

AS/NZS 4360:2004

Process of selection and implementation of measures to modify risk.

  1. The term “risk treatment” is sometimes used for the measures themselves.
  2. Risk treatment measures can include avoiding, optimizing, transferring or retaining risk.

ISO/IEC GUIDE 73:2002

The process of selecting and implementing measures to modify the risk.

Risk treatment includes as its major element, risk control/mitigation, but extends further to, for example, risk avoidance, risk transfer, risk financing, etc.

AIRMIC/ALARM/ IRM, Risk Management Standard: 2002

 

Not much disagreement here.

residual risk

Risk remaining after implementation of risk treatment.

AS/NZS 4360:2004

Risk remaining after risk treatment.

ISO/IEC GUIDE 73:2002

Risk remaining after protective measures have been taken.

ISO/IEC Guide 51:1999

The remaining risk after management has taken action to alter the risk’s likelihood or impact.

COSO, Enterprise Risk Management – Integrated Framework, 2004

The exposure arising from a specific risk after action has been taken to manage it and making the assumption that the action is effective.

HM Treasury, The Orange Book, 2004

 

Broad agreement but the Orange Book’s explicit point about assumed effectiveness of the planned risk treatment is a valuable enhancement.

risk management

The culture, processes and structures that are directed towards realizing potential opportunities whilst managing adverse effects.

AS/NZS 4360:2004

Coordinated activities to direct and control an organization with regard to risk.

NOTE Risk management generally includes risk assessment, risk treatment, risk acceptance and risk communication.

ISO/IEC GUIDE 73:2002

The process whereby organisations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.

AIRMIC/ALARM/ IRM, Risk Management Standard: 2002

All the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress.

HM Treasury, The Orange Book, 2004

Is the systematic application of policies, practices, and resources to the assessment and control of risk affecting human health and safety and the environment. Hazard, risk, and cost/benefit analysis are used to support development of risk reduction options, program objectives, and prioritization of issues and resources. A critical role of the safety regulator is to identify activities involving significant risk and to establish an acceptable level of risk. Near zero risk can be very costly and in most cases is not achievable.

USA - Office of Hazardous Materials Safety

Process that involves assessing the risks that arise in your workplace, putting sensible health and safety measures in place to control them and then making sure they work in practice.

Health & Safety Executive

 

The emphasis on monitoring and review of the system, explicit in the Orange Book and implicit in the HSE one, is an important and valuable enhancement to the other definitions.

risk management framework

Set of elements of an organization’s management system concerned with managing risk.

  1. Management system elements can include strategic planning, decision making, and other strategies, processes and practices for dealing with risk.
  2. The culture of an organization is reflected in its risk management system.

AS/NZS 4360:2004

 

enterprise risk management

A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

COSO, Enterprise Risk Management – Integrated Framework, 2004

 

To our mind this is not materially different from the ‘risk management’ definitions.

tolerable risk

Risk which is accepted in a given context based on the current values of society.

ISO/IEC Guide 51:1999

 

risk appetite

The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision).

COSO, Enterprise Risk Management – Integrated Framework, 2004

The amount of risk that an organisation is prepared to accept, tolerate, or be exposed to at any point in time.

HM Treasury, The Orange Book, 2004

hazard

Source of potential harm.

AS/NZS 4360:2004

Potential source of harm.

n.b. The term hazard can be qualified in order to define its origin or the nature of the expected harm (e.g. electric shock hazard, crushing hazard, cutting hazard, toxic hazard, fire hazard, drowning hazard).

ISO/IEC Guide 51:1999

Anything that may cause harm, such as chemicals, electricity, working from ladders, an open drawer etc.

HSE – 5 steps to risk assessment, INDG163(rev2), revised 06/06

Is the inherent characteristic of a material, condition, or activity that has the potential to cause harm to people, property, or the environment.

USA - Office of Hazardous Materials Safety

 

Good agreement here.

impact

Result or effect of an event.

  1. There may be a range of possible impacts associated with an event.
  2. The impact of an event can be positive or negative relative to the entity’s related objectives.

COSO, Enterprise Risk Management – Integrated Framework, 2004

 

See consequence.

consequence

Outcome or impact of an event.

  1. There can be more than one consequence from one event.
  2. Consequences can range from positive to negative.
  3. Consequences can be expressed qualitatively or quantitatively.
  4. Consequences are considered in relation to the achievement of objectives.

AS/NZS 4360:2004

Outcome of an event.

  1. There can be more than one consequence from one event.
  2. Consequences can range from positive to negative. However, consequences are always negative for safety aspects. 
  3. Consequences can be expressed qualitatively or quantitatively.

ISO/IEC GUIDE 73:2002

A consequence is the direct effect of an event, incident or accident. It is expressed as a health effect (e.g., death, injury, exposure), property loss, environmental effect, evacuation, or quantity spilled.

USA - Office of Hazardous Materials Safety

 

Important points are: the link between consequence/impact and an ‘event’; the fact that there can be multiple consequences; and that consequences should be related to the entity’s objectives.

likelihood

Used as a general description of probability or frequency.

n.b. Can be expressed qualitatively or quantitatively.

AS/NZS 4360:2004

The possibility that a given event will occur.

  1. Terms sometimes take on more specific connotations, with ‘likelihood’ indicating the possibility that a given event will occur in qualitative terms such as high, medium, and low, or other judgmental scales, and ‘probability’ indicating a quantitative measure such as a percentage, frequency of occurrence, or other numerical metric.

COSO, Enterprise Risk Management – Integrated Framework, 2004

Is expressed as either a frequency or a probability. Frequency is a measure of the rate at which events occur over time (e.g., events/year, incidents/year, deaths/year, etc.). Probability is a measure of the rate of a possible event expressed as a fraction of the total number of events (e.g., one-in-a-million, 1/1,000,000, or 1×10 3).

USA - Office of Hazardous Materials Safety

 

The AS/NZS definition is simple and correct.

The other definitions suffer from a common problem associated with the interpretation of ‘probability’. At best, it is misleading, at worst it is mathematically incorrect.

frequency

A measure of the number of occurrences per unit of time.

AS/NZS 4360:2004

probability

A measure of the chance of occurrence expressed as a number between 0 and 1.

AS/NZS 4360:2004

Extent to which an event is likely to occur.

  1. ISO 3534-1:1993, definition 1.1, gives the mathematical definition of probability as “a real number in the scale 0 to 1 attached to a random event. It can be related to a long-run relative frequency of occurrence or to a degree of belief that an event will occur. For a high degree of belief, the probability is near 1.” 
  2. Frequency rather than probability may be used in describing risk.
  3. Degrees of belief about probability can be chosen as classes or ranks, such as
  • rare/unlikely/moderate/likely/almost certain, or 
  • incredible/improbable/remote/occasional/probable/frequent.

ISO/IEC GUIDE 73:2002

 

The AS/NZS definition is mathematically correct. The ISO definition confuses matters by introducing qualitative measures that are more at home under ‘likelihood’.
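The distinctions drawn in the commentary above (risk event versus risk measure, frequency versus probability, risk evaluation against stated criteria, and residual risk under an assumed-effective treatment) can be made concrete in a small worked calculation. The following Python is an added illustration written for this page; it is not code from any of the standards cited, and the likelihood scale, the sample events, the treatment effectiveness figure and the risk criterion are all constructed assumptions chosen for the example.

```python
"""Worked risk-measure calculations for the definitions on this page.

Added example, not taken from any cited standard.  All scales, sample
events, effectiveness figures and criteria below are constructed.
"""
import math
from dataclasses import dataclass
from typing import Union

# Assumed mapping from qualitative likelihood classes (the ISO/IEC Guide 73
# ranks) to a representative annual probability.  The values are an
# assumption for this example; an organisation fixes its own scale.
LIKELIHOOD_SCALE = {
    "rare": 0.02,
    "unlikely": 0.10,
    "moderate": 0.30,
    "likely": 0.60,
    "almost certain": 0.90,
}


def frequency_to_probability(events_per_year: float, years: float = 1.0) -> float:
    """Convert a frequency (occurrences per unit time) into the probability of
    at least one occurrence in the period, assuming a Poisson arrival process.
    This is why frequency and probability are not interchangeable: a rate of
    3 events/year is not a probability of 3 but roughly 0.95, and the result
    always stays within 0..1 as the AS/NZS definition of probability requires.
    """
    if events_per_year < 0 or years < 0:
        raise ValueError("rates and periods must be non-negative")
    return 1.0 - math.exp(-events_per_year * years)


def to_probability(likelihood: Union[float, str]) -> float:
    """Normalise a likelihood statement to a probability in [0, 1], accepting
    either a number or one of the qualitative classes in LIKELIHOOD_SCALE
    (the COSO distinction between a judgemental scale and a numeric measure)."""
    if isinstance(likelihood, str):
        if likelihood.lower() not in LIKELIHOOD_SCALE:
            raise ValueError(f"unknown likelihood class: {likelihood!r}")
        return LIKELIHOOD_SCALE[likelihood.lower()]
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("a probability must lie between 0 and 1")
    return float(likelihood)


@dataclass(frozen=True)
class RiskEvent:
    """A 'risk event': the event plus its consequence, kept separate from the
    'risk measure' derived from it (the AS/NZS distinction)."""
    name: str
    likelihood: Union[float, str]   # probability, or a qualitative class
    consequence: float              # loss if the event occurs, currency units

    def probability(self) -> float:
        return to_probability(self.likelihood)


def risk_measure(event: RiskEvent) -> float:
    """Risk measure in the Society for Risk Analysis sense: probability of the
    event times the consequence given that it has occurred (expected loss)."""
    return event.probability() * event.consequence


def evaluate(measure: float, tolerable: float) -> str:
    """Risk evaluation: compare the level of risk against a risk criterion.
    The criterion is a parameter because 'tolerable' means nothing without one."""
    return "accept" if measure <= tolerable else "treat"


def residual_risk(event: RiskEvent, effectiveness: float) -> float:
    """Residual risk after a treatment that cuts the event's probability by
    'effectiveness' (a fraction).  As the Orange Book notes, this assumes the
    treatment actually works; compare with risk_measure() for the untreated case."""
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness is a fraction between 0 and 1")
    treated = RiskEvent(event.name, event.probability() * (1.0 - effectiveness),
                        event.consequence)
    return risk_measure(treated)


# Constructed sample register: an outage stated as a frequency, a breach
# stated qualitatively, and a single criterion of 50,000 expected loss.
TOLERABLE_EXPECTED_LOSS = 50_000.0
SAMPLE_REGISTER = [
    RiskEvent("service outage", frequency_to_probability(3.0), 20_000.0),
    RiskEvent("data breach", "unlikely", 1_000_000.0),
]


def assess_register(register=SAMPLE_REGISTER, tolerable=TOLERABLE_EXPECTED_LOSS,
                    effectiveness=0.8):
    """Analyse, evaluate and re-evaluate after treatment for each event;
    returns the decisions keyed by event name."""
    report = {}
    for ev in register:
        inherent = risk_measure(ev)
        residual = residual_risk(ev, effectiveness)
        report[ev.name] = {
            "inherent": round(inherent, 2),
            "decision": evaluate(inherent, tolerable),
            "residual": round(residual, 2),
            "residual_decision": evaluate(residual, tolerable),
        }
    return report


if __name__ == "__main__":
    for name, row in assess_register().items():
        print(name, row)
```

Running the block on the constructed register shows the outage (probability about 0.95 of at least one event in the year, consequence 20,000) falling below the criterion, while the breach (class "unlikely" mapped to 0.10, consequence 1,000,000) exceeds it and is marked for treatment; the same breach drops to an acceptable residual once an 80% effective treatment is assumed. Swapping the frequency conversion for a raw rate would put "3" where a probability belongs, which is exactly the confusion the commentary above warns about.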

event

Occurrence of a particular set of circumstances.

  1. The event can be certain or uncertain.
  2. The event can be a single occurrence or a series of occurrences.

AS/NZS 4360:2004

Occurrence of a particular set of circumstances.

  1. The event can be certain or uncertain.
  2. The event can be a single occurrence or a series of occurrences.
  3. The probability associated with the event can be estimated for a given period of time.

ISO/IEC GUIDE 73:2002

An incident or occurrence from internal or external sources that affects achievement of objectives.

  1. Events can have negative impact, positive impact, or both.
  2. Events with negative impact represent risks.

COSO, Enterprise Risk Management – Integrated Framework, 2004 

Most of us would rather risk catastrophe than read the directions.

Mignon McLaughlin