40 ISO definitions of Risk... isn't that too many?
A great article on the many definitions of risk across the various ISO standards.
Isn't it time to harmonize these terms?
Read this article.
DIS of ISO 9001 Introduces ISO’s 40th Definition of “Risk”
UPDATE 1: I was wrong to say the definition in ISO/DIS 9001:2015 was only the fifth definition of risk within ISO standards. It’s the FORTIETH. This article has been updated accordingly. — CP
UPDATE 2: I have added a link to an Excel sheet that includes all the known definitions, and their ISO sources. — CP
Inexplicably, the latest DIS version of ISO 9001:2015 injects yet another alternate definition of the term “risk,” pushing it further away from that of the ISO 31000 standard on risk management.
The DIS definition included in the ISO/DIS 9001:2015 is now “effect of uncertainty on an expected result.” This marks the fortieth definition of risk produced by ISO — an organization, remember, founded to standardize things like definitions. As of right now, the following definitions all reside in different ISO standards.
1. a function of the probability of occurrence of a given threat and the potential adverse consequences of that threat’s occurrence
2. chance of injury, damage or loss postulated by considering the consequence of a threat and the likelihood of its occurrence
3. combination of the chance that a specified hazardous event will occur and the severity of the consequences of the event
4. combination of the frequency, or probability, of occurrence and the consequence of a specified hazardous event
5. combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of the incident caused
6. combination of the likelihood of occurrence of harm and the severity of that harm
7. combination of the probability and the degree of the possible injury or damage to health in a hazardous situation
8. combination of the probability of an event and its consequence
9. combination of the probability of an event and the consequences of the event
10. combination of the probability of harm and the severity of that harm
11. combination of the probability of occurrence of harm and the severity of that harm
12. combination of the probability of occurrence of harm and the severity of that harm; indicating the probability that an adverse effect on soil functions will occur under defined conditions and the magnitude of the consequences of the effect occurring (see ISO/IEC Guide 51:1990)
13. combination of the probability of the occurrence of a hazard in a particular situation and the consequences or extent of harm to the individual to be expected from the hazard
14. combination of the probability or frequency of occurrence of an event and the magnitude of its consequence
15. combination of the probability that a specified undesirable event will occur combined with the severity of the consequences of that event
16. effect of uncertainty
17. effect of uncertainty on an expected result
18. effect of uncertainty on objectives
19. exposure to the chance of injury or loss as applies to safety
20. expression of the probability that an adverse effect on soil functions will occur under defined conditions and the magnitude of the consequences of the effect occurring
21. factor, R, that reflects both likelihood, L, of the occurrence of a hazard in a particular situation and severity, S, of the consequences or extent of harm to the individual to be expected from the hazard: R = L × S
22. function of the probability of occurrence of a given threat and the potential adverse consequences of that threat’s occurrence
23. likelihood of a security threat materializing and the consequences
24. likelihood of the occurrence of an event or failure and the consequences or impact of that event or failure
25. numerical estimate of the probability or likelihood that a given hazard will occur
26. potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization
27. probability of a specific undesired event occurring so that a hazard is realized
28. probability of an event (e.g. failure, damage) multiplied by its consequences (e.g. cost, fatalities, exposure to personal or environmental hazard)
29. probability of loss or injury from a hazard
30. probability of the occurrence of a hazard and the severity of its outcome
31. product of probability and consequences for an undesired event or action
32. qualitative or quantitative likelihood of an event occurring, considered in conjunction with the consequence of the event
33. quantitative or qualitative measure for the severity of a potential damage and the probability of incurring that damage
34. term describing an event encompassing what can happen (scenario), its likelihood (probability) and its level or degree of damage (consequences)
35. the combination of the probability of an event and its consequence
36. the possibility that a particular threat will exploit a particular vulnerability of a data processing system
37. the potential for realisation of an unwanted event, which is a function of the hazard, its probability and its consequences
38. the probable rate of occurrence of a hazard causing harm and the degree of severity of the harm
39. undesirable situation or circumstance that has both a likelihood of occurring and a potential negative consequence on a project
40. value of what can be lost if infringement occurs
The 40 definitions above appear in over 140 standards currently available from ISO. The list was derived from scouring ISO’s Online Browsing Platform, and may not even be a complete accounting. Originally, ISO 31000 was touted as being the harmonization standard for all those others, but apparently has not succeeded.
For an MS Excel® sheet featuring all the known definitions and their ISO source documents, click here. Note: it is in .xlsx format, for MS Excel® 2007 or higher.
Positive vs. Negative Risk
The DIS of 9001:2015 also seems to want to straddle the fence on whether risk can be both negative and positive, a recent position taken by ISO and being pushed on its TCs. While the DIS definition includes a “Note 1” acknowledging positive risk:
Note 1 to entry: An effect is a deviation from the expected — positive or negative
… it then includes a Note 5 that half-contradicts it:
Note 5 to entry: The term “risk” is sometimes used when there is only the possibility of negative consequences.
The first four notes were taken from Annex SL, with TC 176 apparently adding the fifth note itself. The fifth note references ISO 9000:2014, which is currently in DIS stage itself, so we can assume that standard will also tilt towards negative risk only.
The fact that ISO is struggling to such a degree over the definition of the word shows that it was not prepared to tackle risk management as a standard, much less incorporate it into all management system standards through its TMB-directed Annex SL mandate. The negative reaction has been immediate. One source close to ISO 31000 called the new definition “a farce” and said TC 176 were “imbeciles.” Another risk management professional said the 9001 definition is “recursive” and that the ongoing wrangling over definitions was “tragicomic.”
If ISO can’t standardize a definition of something, what are the rest of us supposed to do?