The new edition of ISO 9001 under development will include the concept of risk in the form of definition, guidance and requirements. Previous editions included a clause on preventive action which aimed to prevent the occurrence of nonconformities, and to some extent this was risk mitigation by another name.

Risk has therefore always been addressed in ISO 9001. In addition, if we look at ISO 9001 through a 'risk tinted' lens we would see every requirement in ISO 9001 as a risk treatment, so risk and ISO 9001 are not a new combination. However, the way in which the term risk is defined, used and explained in the current draft creates some uncertainty as to what the term means, and this has implications for users. In Part I, I look at the differences in meaning between the word 'risk' as commonly understood and the word 'risk' as defined in ISO 9001.


If we look up the term risk in an English dictionary, we will find that, in the simplest terms, the word is used to express the possibility of something bad happening. For example, in the Oxford English Dictionary[i] risk is "exposure to the possibility of loss, injury, or other adverse or unwelcome circumstance". In the Merriam-Webster Online Dictionary[ii] risk is "the possibility that something bad or unpleasant (such as an injury or a loss) will happen". There isn't one English dictionary I could find in which the term risk is used to express the possibility of something good happening, that is, until we look at standards in the field of risk management. Even Wikipedia defines risk as "the potential of losing something of value", and it is only with reference to volatility in the finance sector and to the recent International Standards that the term risk is used in a different sense.


TC 176, the committee responsible for the development of ISO 9001, has been placed under an obligation by the ISO/IEC Directives[iii] to adopt a new common structure for management system standards, commonly referred to as Annex SL. This directive takes the definition of risk from ISO Guide 73[iv] and modifies it to permit users of Annex SL to tailor the definition to the context of a particular management system standard, but the appended notes remain unchanged.

In ISO Guide 73 and ISO 31000[v], risk is defined as 'effect of uncertainty on objectives'. In Annex SL risk is defined as 'effect of uncertainty', and in ISO DIS 9000[vi] risk is defined as 'effect of uncertainty on an expected result'. These definitions differ in what is affected by the uncertainty, but they all allow that the effect of the uncertainty may be something good as well as something bad; e.g. when you invest in the stock market there is a risk that the value of your investment may go up or down.


Uncertainty is simply something we are uncertain about: there is doubt, we are unsure. Now, not everything we are unsure about is important to us. For example, if we live in California we are unlikely to be concerned about whether we will be able to rent an automatic drive car. This is different if we wish to rent a car in Wales. If we did decide to rent a car in Wales and we learnt that we would have to drive on the left side of the road, something we hadn't done before, we may well have doubts over whether we could do that safely.

One particular celebrity in risk management circles is David Hillson[vii], who calls himself the Risk Doctor. He makes the claim that "risk is uncertainty that matters", and it is true that uncertainties which present neither risk nor opportunity to the achievement of expected results don't matter, but so what? Clearly an uncertainty such as whether I can rent an automatic drive car in Wales, or safely drive on the left, is an uncertainty that matters if I live in California and I choose to travel to Wales. This uncertainty does not matter if I don't want to do those things, but it makes no sense to redefine a commonly used English word.

My response to this is simple: the concept that has been defined is the concept of uncertainty and not that of risk. This is also the view of Douglas Hubbard[viii], author of The Failure of Risk Management.

Telling us to identify risks and opportunities is all well and good, but what kind of uncertainties would we be looking for? It's almost left to our imagination. If we can't imagine what could go wrong or what the future might bring, where do we start in this task? Well, Hillson gives some good tips here when he identifies four types of uncertainty: 1. Uncertainty of events (whether an event will or will not happen); 2. Uncertainty of variables (whether results will be the same as or different from those observed previously); 3. Uncertainty of knowledge (whether the knowledge needed is complete or incomplete); 4. Uncertainty of the unknown (whether everything that affects the results is inside or outside our frame of reference). These are indeed useful in identifying risks and opportunities, and it would certainly help if they were embodied in ISO 9001.


The redefining of the term risk does not end with the simple definition that risk is 'effect of uncertainty on an expected result'. ISO Guide 73 appends several notes to the definition, one of which is highly significant: it defines an effect as "a deviation from the expected – positive and/or negative". Although this might look like a definition of the word 'effect', it isn't (see Part II).

Hillson and others in the LinkedIn Risk Management Group[ix] claim that we can trace the origin of the word risk back to Arabic, Greek, Chinese and Italian, to a word that was used to express good and bad, positive and negative. Languages evolve and meanings change, and according to the Oxford English Dictionary the word risk has been used to express the possibility of loss or harm since the 13th century, so it appears to have lost its use to express positive effects long ago, and there does not appear to be any justification for reintroducing this use in the 21st century. In fact it may do more harm than good, as it is highly likely that users of ISO 9001 will not use the term risk to express the possibility of something good happening.

In almost everything we do there are risks, and every day we make conscious and subconscious choices about them. We consciously weigh up the potential benefits and harms of exercising one choice of action over another. We also do this subconsciously, based on our past familiarity with a situation. This can sometimes catch us out, which is why we develop certain habits, like looking before we leap as a precaution, even looking down a one-way street when crossing in case some idiot didn't obey the 'No Entry' signs. We have learnt ways of reducing risk to a level where we behave instinctively, and some of us navigate through life without befalling the risks that we face every day.

Having weighed up the potential benefits and harms, we may say to ourselves "nothing ventured, nothing gained" and choose to take the risk. If the risk we thought would prevent us achieving our objectives does not materialise, we do indeed reap the benefits. Some people are now referring to this as "positive risk taking"[x], which is quite absurd because the risk remains a potentially negative effect. However, we should not be misled by the terminology, because the motivation for this absurd term is to discourage people, often the disabled but also cautious managers, from using risk as an excuse for not doing something of benefit to them or their organization.

In Part II David will round off the controversial issue of positive and negative risk, expose more uncertainty in the new definition of risk and in the way the term is used in ISO DIS 9001 and finally draw some conclusions.


After a period in aircraft production and development, following which I qualified as a Chartered Engineer, I spent the next 20 years in quality management with British Aerospace and Ferranti International. For the next 15 years I operated as a management consultant and guided large and small companies through their ISO 9000 programmes, delivered quality management and auditor training courses throughout the world, set up my own consultancy business, Transition Support Ltd, and published several books on quality management, many of which have been translated into Japanese, Spanish and Italian. A member of the IQA (now CQI) since 1974, I was elected Fellow in 1988 and have served on and chaired several committees. In 2005 I took early retirement due to sudden sight loss but continue my interest in quality management. My Quality Systems Handbook, first published in 1992, is now in its 6th edition, and this particular piece on risk I developed as I undertake my research for a major revision to align with ISO 9001:2015.




  1. I always liked what Mr. David Hoyle is writing.

    I agree with him, that risk is anything but positive, the positiveness comes from the word reward.

    So when I consider risk, I am always trying to find out what can go wrong, or what negative result(s) I will face as a result of undertaking a certain activity.

    The other side of risk is reward; they are two sides of the same coin. When I am considering reward, I also try to find out if anything is likely to go wrong and, if yes, what the consequence will be. After weighing both – the consequence, i.e. the risk, and the gain, i.e. the reward – if I find the reward is more than the risk, I opt for the action.

    That is my take. I will be glad to know more on this issue.

    Looking forward to the second part from Mr. David Hoyle on the subject.


