<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<?xml-stylesheet type="text/xsl" href="../part2stratml.xsl"?><PerformancePlanOrReport><Name>Risk management — Vocabulary</Name><Description>This Guide provides basic vocabulary to develop common understanding on risk management concepts and terms among organizations and functions, and across different applications and types.</Description><OtherInformation>In addition to managing threats to the achievement of their objectives, organizations are increasingly applying risk management processes and developing an integrated approach to risk management in order to improve the management of potential opportunities. The terms and definitions in this Guide are, therefore, broader in concept and application than those contained in ISO/IEC Guide 51, which is confined to safety aspects of risk, i.e. with undesirable or negative consequences. Since organizations increasingly adopt a broader approach to the management of risk, this Guide addresses all applications and sectors. This Guide is generic and is compiled to encompass the general field of risk management. The terms are arranged in the following order: * terms relating to risk; * terms relating to risk management; * terms relating to the risk management process; * terms relating to communication and consultation; * terms relating to the context; * term relating to risk assessment; * terms relating to risk identification; * terms relating to risk analysis; * terms relating to risk evaluation; * terms relating to risk treatment; * terms relating to monitoring and measurement.</OtherInformation><StrategicPlanCore><Organization><Name>International Organization for Standardization</Name><Acronym>ISO</Acronym><Identifier>_99aa6319-4a01-47af-a462-8d23907f2147</Identifier><Description>ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. 
Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.</Description><Stakeholder StakeholderTypeType="Generic_Group"><Name>Risk Managers</Name><Description>This Guide is intended to be used by: * those engaged in managing risks, * those who are involved in activities of ISO and IEC, and * developers of national or sector-specific standards, guides, procedures and codes of practice relating to the management of risk.</Description></Stakeholder></Organization><Vision><Description>Mutual and consistent understanding of, and a coherent approach to, the description of activities relating to the management of risk, and the use of uniform risk management terminology in processes and frameworks dealing with the management of risk</Description><Identifier>_08b650cc-9a2a-11ea-8722-1ee01083ea00</Identifier></Vision><Mission><Description>To develop common understanding on risk management concepts and terms</Description><Identifier>_08b652fc-9a2a-11ea-8722-1ee01083ea00</Identifier></Mission><Value><Name/><Description/></Value><Goal><Name>Risks</Name><Description>[Define] risks</Description><Identifier>_08b653d8-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Terms relating to risk</OtherInformation><Objective><Name>Objectives</Name><Description>[Determine the] effects of uncertainties on objectives</Description><Identifier>_08b654a0-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>1.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk ~ effect of uncertainty on objectives Note 1 to entry: An effect is a 
deviation from the expected — positive and/or negative. Note 2 to entry: Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process). Note 3 to entry: Risk is often characterized by reference to potential events (3.5.1.3) and consequences (3.6.1.3), or a combination of these. Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (3.6.1.1) of occurrence. Note 5 to entry: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.</OtherInformation></Objective></Goal><Goal><Name>Management</Name><Description>Manage risks</Description><Identifier>_08b6555e-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Terms relating to risk management</OtherInformation><Objective><Name>Activities</Name><Description>Coordinate activities to direct and control organizations with regard to risks</Description><Identifier>_08b65612-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>2.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk management ~ coordinated activities to direct and control an organization with regard to risk (1.1)</OtherInformation></Objective><Objective><Name>Framework</Name><Description>[Identify the] components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management </Description><Identifier>_08b656d0-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>2.1.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk management framework ~ set of 
components that provide the foundations and organizational arrangements for designing, implementing, monitoring (3.8.2.1), reviewing and continually improving risk management (2.1) throughout the organization Note 1 to entry: The foundations include the policy, objectives, mandate and commitment to manage risk (1.1). Note 2 to entry: The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities. Note 3 to entry: The risk management framework is embedded within the organization's overall strategic and operational policies and practices.</OtherInformation></Objective><Objective><Name>Policy</Name><Description>State the intentions and directions related to risk management</Description><Identifier>_08b65798-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>2.1.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk management policy ~ statement of the overall intentions and direction of an organization related to risk management (2.1)</OtherInformation></Objective><Objective><Name>Plan</Name><Description>Specify the approach, management components and resources to be applied to the management of risks</Description><Identifier>_08b65856-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>2.1.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk management plan ~ scheme within the risk management framework (2.1.1) specifying the approach, the management components and resources to be applied to the management of risk (1.1) Note 1 to entry: Management components typically include procedures, practices, assignment of responsibilities, sequence and timing of activities. Note 2 to entry: The risk management plan can be applied to a particular product, process and project, and part or whole of the organization.</OtherInformation></Objective></Goal><Goal><Name>Processes</Name><Description>[Institute] risk management 
processes</Description><Identifier>_08b6596e-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Terms relating to the risk management process</OtherInformation><Objective><Name>Policies, Procedures &amp; Practices</Name><Description>Apply management policies, procedures and practices</Description><Identifier>_08b65a54-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk management process ~ systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring (3.8.2.1) and reviewing risk (1.1)</OtherInformation></Objective><Objective><Name>Communication &amp; Consultation</Name><Description>Communicate and consult with stakeholders</Description><Identifier>_08b65b1c-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Terms relating to communication and consultation.</OtherInformation></Objective><Objective><Name>Information &amp; Dialogue</Name><Description>Provide, share or obtain information and engage in dialogue with stakeholders</Description><Identifier>_08b65bf8-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.2.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>communication and consultation ~ continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders (3.2.1.1) regarding the management of risk (1.1) Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.6.1.1), significance, evaluation, acceptability and treatment of the management of risk. Note 2 to entry: Consultation 
is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is: — a process which impacts on a decision through influence rather than power; and — an input to decision making, not joint decision making.</OtherInformation></Objective><Objective><Name>Stakeholders</Name><Description>[Identify] persons and organizations that can affect, be affected by, or perceive themselves to be affected by decisions and activities</Description><Identifier>_08b65cc0-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.2.1.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>stakeholder ~ person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity Note 1 to entry: A decision maker can be a stakeholder.</OtherInformation></Objective><Objective><Name>Perception</Name><Description>[Take into account] stakeholder views on risks</Description><Identifier>_08b65d92-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.2.1.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk perception ~ stakeholder's (3.2.1.1) view on a risk (1.1) Note 1 to entry: Risk perception reflects the stakeholder's needs, issues, knowledge, belief and values.</OtherInformation></Objective><Objective><Name>Context</Name><Description>Establish the contexts in which risks occur</Description><Identifier>_08b65e6e-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Terms relating to the context</OtherInformation></Objective><Objective><Name>Parameters</Name><Description>Define the external and internal parameters to be taken into 
account</Description><Identifier>_08b65f4a-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.3.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>establishing the context ~ defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria (3.3.1.3) for the risk management policy (2.1.2)</OtherInformation></Objective><Objective><Name>External Factors</Name><Description>[Consider the] external environments in which organizations seek to achieve their objectives</Description><Identifier>_08b663be-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.3.1.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>external context ~ external environment in which the organization seeks to achieve its objectives Note 1 to entry: External context can include: — the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local; — key drivers and trends having impact on the objectives of the organization; and — relationships with, and perceptions and values of external stakeholders (3.2.1.1).</OtherInformation></Objective><Objective><Name>Internal Factors</Name><Description>[Consider the] internal environments in which organizations seek to achieve their objectives</Description><Identifier>_08b66620-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.3.1.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>internal context ~ internal environment in which the organization seeks to achieve its objectives Note 1 to entry: Internal context can include: — governance, organizational structure, roles and accountabilities; — policies, objectives, and the strategies that are in place to achieve them; — the capabilities, understood in terms of resources and knowledge (e.g. 
capital, time, people, processes, systems and technologies); — information systems, information flows and decision-making processes (both formal and informal); — relationships with, and perceptions and values of internal stakeholders; — the organization's culture; — standards, guidelines and models adopted by the organization; and — form and extent of contractual relationships.</OtherInformation></Objective><Objective><Name>Criteria</Name><Description>[Specify the] terms of reference against which the significance of risks is evaluated</Description><Identifier>_08b66710-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.3.1.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk criteria ~ terms of reference against which the significance of a risk (1.1) is evaluated Note 1 to entry: Risk criteria are based on organizational objectives, and external (3.3.1.1) and internal context (3.3.1.2). Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements.</OtherInformation></Objective><Objective><Name>Assessment</Name><Description>Assess risks</Description><Identifier>_08b667f6-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.4</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Term relating to risk assessment</OtherInformation></Objective><Objective><Name>Identification, Analysis &amp; Evaluation</Name><Description>Identify, analyze, and evaluate risks</Description><Identifier>_08b668e6-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.4.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk assessment ~ overall process of risk identification (3.5.1), risk analysis (3.6.1) and risk evaluation (3.7.1)</OtherInformation></Objective><Objective><Name>Identification</Name><Description>Identify 
risks</Description><Identifier>_08b669d6-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.5</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Terms relating to risk identification</OtherInformation></Objective><Objective><Name>Discovery, Recognition &amp; Description</Name><Description>Find, recognize and describe risks</Description><Identifier>_08b66bd4-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.5.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk identification ~ process of finding, recognizing and describing risks (1.1) Note 1 to entry: Risk identification involves the identification of risk sources (3.5.1.2), events (3.5.1.3), their causes and their potential consequences (3.6.1.3). Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholder's (3.2.1.1) needs.</OtherInformation></Objective><Objective><Name>Statement</Name><Description>[Provide a] structured statement of risk</Description><Identifier>_08b66d6e-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.5.1.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk description ~ structured statement of risk usually containing four elements: sources, events (3.5.1.3), causes and consequences (3.6.1.3)</OtherInformation></Objective><Objective><Name>Sources</Name><Description>[Identify] elements potentially posing risks</Description><Identifier>_08b66ee0-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.5.1.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk source ~ element which alone or in combination has the intrinsic potential to give rise to risk (1.1) Note 1 to entry: A risk source can be tangible or intangible.</OtherInformation></Objective><Objective><Name>Events</Name><Description>[Identify] circumstances that create 
risks</Description><Identifier>_08b67048-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.5.1.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>event ~ occurrence or change of a particular set of circumstances Note 1 to entry: An event can be one or more occurrences, and can have several causes. Note 2 to entry: An event can consist of something not happening. Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”. Note 4 to entry: An event without consequences (3.6.1.3) can also be referred to as a “near miss”, “incident”, “near hit” or “close call”.</OtherInformation></Objective><Objective><Name>Hazards</Name><Description>[Identify] sources of potential harm</Description><Identifier>_08b671ba-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.5.1.4</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>hazard ~ source of potential harm Note 1 to entry: Hazard can be a risk source (3.5.1.2).</OtherInformation></Objective><Objective><Name>Managers</Name><Description>[Identify the] persons and entities with accountability and authority to manage risks</Description><Identifier>_08b67322-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.5.1.5</SequenceIndicator><Stakeholder StakeholderTypeType="Generic_Group"><Name>Risk Owners</Name><Description/></Stakeholder><Stakeholder StakeholderTypeType="Generic_Group"><Name>Risk Managers</Name><Description/></Stakeholder><OtherInformation>risk owner ~ person or entity with the accountability and authority to manage a risk (1.1)</OtherInformation></Objective><Objective><Name>Analysis</Name><Description>Analyze risks</Description><Identifier>_08b67480-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.6</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Terms relating to risk analysis</OtherInformation></Objective><Objective><Name>Attributes &amp; 
Levels</Name><Description>Comprehend the nature of and determine the levels of risks</Description><Identifier>_08b67692-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.6.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk analysis ~ process to comprehend the nature of risk (1.1) and to determine the level of risk (3.6.1.8) Note 1 to entry: Risk analysis provides the basis for risk evaluation (3.7.1) and decisions about risk treatment (3.8.1). Note 2 to entry: Risk analysis includes risk estimation.</OtherInformation></Objective><Objective><Name>Likelihood</Name><Description>[Determine the] chances of happenings</Description><Identifier>_08b677a0-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.6.1.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>likelihood ~ chance of something happening Note 1 to entry: In risk management terminology, the word “likelihood” is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically [such as a probability (3.6.1.4) or a frequency (3.6.1.5) over a given time period]. Note 2 to entry: The English term “likelihood” does not have a direct equivalent in some languages; instead, the equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted as a mathematical term. 
Therefore, in risk management terminology, “likelihood” is used with the intent that it should have the same broad interpretation as the term “probability” has in many languages other than English.</OtherInformation></Objective><Objective><Name>Exposures</Name><Description>[Determine the] extent to which organizations and stakeholders are subject to events</Description><Identifier>_08b67976-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.6.1.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>exposure ~ extent to which an organization and/or stakeholder (3.2.1.1) is subject to an event (3.5.1.3)</OtherInformation></Objective><Objective><Name>Consequences</Name><Description>[Determine the] outcomes of events affecting objectives</Description><Identifier>_08b67aa2-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.6.1.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>consequence ~ outcome of an event (3.5.1.3) affecting objectives Note 1 to entry: An event can lead to a range of consequences. Note 2 to entry: A consequence can be certain or uncertain and can have positive or negative effects on objectives. Note 3 to entry: Consequences can be expressed qualitatively or quantitatively. Note 4 to entry: Initial consequences can escalate through knock-on effects.</OtherInformation></Objective><Objective><Name>Probability</Name><Description>[Determine the] chances of occurrences</Description><Identifier>_08b67bba-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.6.1.4</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>probability ~ measure of the chance of occurrence expressed as a number between 0 and 1, where 0 is impossibility and 1 is absolute certainty Note 1 to entry: See definition 3.6.1.1, Note 2.</OtherInformation></Objective><Objective><Name>Frequencies</Name><Description>[Determine the] numbers of events and outcomes per 
defined units of time</Description><Identifier>_08b67cc8-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.6.1.5</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>frequency ~ number of events (3.5.1.3) or outcomes per defined unit of time Note 1 to entry: Frequency can be applied to past events (3.5.1.3) or to potential future events, where it can be used as a measure of likelihood (3.6.1.1)/probability (3.6.1.3).</OtherInformation></Objective><Objective><Name>Vulnerabilities</Name><Description>[Identify] intrinsic properties resulting in susceptibilities to risk sources</Description><Identifier>_08b67dea-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.6.1.6</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>vulnerability ~ intrinsic properties of something resulting in susceptibility to a risk source (3.5.1.2) that can lead to an event with a consequence (3.6.1.3)</OtherInformation></Objective><Objective><Name>Matrix</Name><Description>Rank and display risks</Description><Identifier>_08b67ef8-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.6.1.7</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk matrix ~ tool for ranking and displaying risks (1.1) by defining ranges for consequence (3.6.1.3) and likelihood (3.6.1.1)</OtherInformation></Objective><Objective><Name>Levels</Name><Description>[Determine the] magnitude of risks and combinations of risks</Description><Identifier>_08b68056-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.6.1.8</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>level of risk ~ magnitude of a risk (1.1) or combination of risks, expressed in terms of the combination of consequences (3.6.1.3) and their likelihood (3.6.1.1)</OtherInformation></Objective><Objective><Name>Evaluation</Name><Description>Evaluate 
risks</Description><Identifier>_08b681a0-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.7</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Terms relating to risk evaluation</OtherInformation></Objective><Objective><Name>Comparison</Name><Description>Compare the results of risk analyses with risk criteria</Description><Identifier>_08b682c2-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.7.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk evaluation ~ process of comparing the results of risk analysis (3.6.1) with risk criteria (3.3.1.3) to determine whether the risk (1.1) and/or its magnitude is acceptable or tolerable Note 1 to entry: Risk evaluation assists in the decision about risk treatment (3.8.1).</OtherInformation></Objective><Objective><Name>Attitudes</Name><Description>[Determine] organizational approaches to assess and pursue, retain, take or turn away from risks</Description><Identifier>_08b683da-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.7.1.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk attitude ~ organization's approach to assess and eventually pursue, retain, take or turn away from risk (1.1)</OtherInformation></Objective><Objective><Name>Appetites</Name><Description>[Evaluate the] amounts and types of risks that organizations are willing to accept</Description><Identifier>_08b68510-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.7.1.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk appetite ~ amount and type of risk (1.1) that an organization is willing to pursue or retain</OtherInformation></Objective><Objective><Name>Tolerances</Name><Description>[Evaluate] readiness to bear risks after treatment in order to achieve 
objectives</Description><Identifier>_08b68632-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.7.1.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk tolerance ~ organization's or stakeholder's (3.2.1.1) readiness to bear the risk (1.1) after risk treatment (3.8.1) in order to achieve its objectives Note 1 to entry: Risk tolerance can be influenced by legal or regulatory requirements.</OtherInformation></Objective><Objective><Name>Aversions</Name><Description>Turn away from risks</Description><Identifier>_08b68754-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.7.1.4</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk aversion ~ attitude to turn away from risk (1.1)</OtherInformation></Objective><Objective><Name>Aggregation</Name><Description>Combine risks to develop more complete understanding</Description><Identifier>_08b688da-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.7.1.5</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk aggregation ~ combination of a number of risks into one risk (1.1) to develop a more complete understanding of the overall risk</OtherInformation></Objective><Objective><Name>Acceptance</Name><Description>[Make] informed decisions to take particular risks</Description><Identifier>_08b68a06-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.7.1.6</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk acceptance ~ informed decision to take a particular risk (1.1) Note 1 to entry: Risk acceptance can occur without risk treatment (3.8.1) or during the process of risk treatment. Note 2 to entry: Accepted risks are subject to monitoring (3.8.2.1) and review (3.8.2.2).</OtherInformation></Objective><Objective><Name>Treatment</Name><Description>Treat 
risks</Description><Identifier>_08b68b8c-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.8</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Terms relating to risk treatment</OtherInformation></Objective><Objective><Name>Modifications</Name><Description>Modify risks</Description><Identifier>_08b68d62-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.8.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk treatment ~ process to modify risk (1.1) Note 1 to entry: Risk treatment can involve: — avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; — taking or increasing risk in order to pursue an opportunity; — removing the risk source (3.5.1.2); — changing the likelihood (3.6.1.1); — changing the consequences (3.6.1.3); — sharing the risk with another party or parties [including contracts and risk financing (3.8.1.4)]; and — retaining the risk by informed decision. Note 2 to entry: Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”. Note 3 to entry: Risk treatment can create new risks or modify existing risks.</OtherInformation></Objective><Objective><Name>Controls</Name><Description>Take measures to modify risks</Description><Identifier>_08b68f24-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.8.1.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>control ~ measure that is modifying risk (1.1) Note 1 to entry: Controls include any process, policy, device, practice, or other actions which modify risk. Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.</OtherInformation></Objective><Objective><Name>Avoidance</Name><Description>[Decide] not to be involved in, or to withdraw from, activities in order not to be exposed to particular 
risks</Description><Identifier>_08b69078-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.8.1.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk avoidance ~ informed decision not to be involved in, or to withdraw from, an activity in order not to be exposed to a particular risk (1.1) Note 1 to entry: Risk avoidance can be based on the result of risk evaluation (3.7.1) and/or legal and regulatory obligations.</OtherInformation></Objective><Objective><Name>Sharing</Name><Description>Distribute risks among parties</Description><Identifier>_08b691cc-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.8.1.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk sharing ~ form of risk treatment (3.8.1) involving the agreed distribution of risk (1.1) with other parties Note 1 to entry: Legal or regulatory requirements can limit, prohibit or mandate risk sharing. Note 2 to entry: Risk sharing can be carried out through insurance or other forms of contract. Note 3 to entry: The extent to which risk is distributed can depend on the reliability and clarity of the sharing arrangements. Note 4 to entry: Risk transfer is a form of risk sharing.</OtherInformation></Objective><Objective><Name>Financing</Name><Description>Arrange for funding to meet or modify financial consequences</Description><Identifier>_08b693c0-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.8.1.4</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk financing ~ form of risk treatment (3.8.1) involving contingent arrangements for the provision of funds to meet or modify the financial consequences (3.6.1.3) should they occur</OtherInformation></Objective><Objective><Name>Retentions</Name><Description>[Determine the degrees of] acceptance of the potential benefits of gain, or burdens of losses, from particular 
risks</Description><Identifier>_08b6955a-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.8.1.5</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk retention ~ acceptance of the potential benefit of gain, or burden of loss, from a particular risk (1.1) Note 1 to entry: Risk retention includes the acceptance of residual risks (3.8.1.6). Note 2 to entry: The level of risk (3.6.1.8) retained can depend on risk criteria (3.3.1.3).</OtherInformation></Objective><Objective><Name>Residuals</Name><Description>[Identify the] risks remaining after treatments</Description><Identifier>_08b69708-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.8.1.6</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>residual risk ~ risk (1.1) remaining after risk treatment (3.8.1) Note 1 to entry: Residual risk can contain unidentified risk. Note 2 to entry: Residual risk can also be known as “retained risk”.</OtherInformation></Objective><Objective><Name>Resilience</Name><Description>Adapt to complex and changing environments</Description><Identifier>_08b69852-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.8.1.7</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>resilience ~ adaptive capacity of an organization in a complex and changing environment</OtherInformation></Objective><Objective><Name>Monitoring &amp; Measurement</Name><Description>Monitor and measure risks</Description><Identifier>_08b6999c-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.8.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>Terms relating to monitoring and measurement</OtherInformation></Objective><Objective><Name>Monitoring</Name><Description>Continuously observe deviations from expected performance 
levels</Description><Identifier>_08b69afa-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.8.2.1</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>monitoring ~ continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected Note 1 to entry: Monitoring can be applied to a risk management framework (2.1.1), risk management process (3.1), risk (1.1) or control (3.8.1.1).</OtherInformation></Objective><Objective><Name>Reviews</Name><Description>Determine the suitability, adequacy and effectiveness of subject matters to achieve objectives</Description><Identifier>_08b69c44-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.8.2.2</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>review ~ activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives Note 1 to entry: Review can be applied to a risk management framework (2.1.1), risk management process (3.1), risk (1.1) or control (3.8.1.1).</OtherInformation></Objective><Objective><Name>Reports</Name><Description>Provide information on the state and management of risks</Description><Identifier>_08b69d8e-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.8.2.3</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk reporting ~ form of communication intended to inform particular internal or external stakeholders (3.2.1.1) by providing information regarding the current state of risk (1.1) and its management</OtherInformation></Objective><Objective><Name>Register</Name><Description>Record information about risks</Description><Identifier>_08b69f1e-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.8.2.4</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk register ~ record of information 
about identified risks (1.1) Note 1 to entry: The term “risk log” is sometimes used instead of “risk register”.</OtherInformation></Objective><Objective><Name>Profiles</Name><Description>Describe sets of risks</Description><Identifier>_08b6a158-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.8.2.5</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk profile ~ description of any set of risks (1.1) Note 1 to entry: The set of risks can contain those that relate to the whole organization, part of the organization, or as otherwise defined.</OtherInformation></Objective><Objective><Name>Audits</Name><Description>Obtain and evaluate evidence to determine the adequacy and effectiveness of risk management frameworks</Description><Identifier>_08b6a2c0-9a2a-11ea-8722-1ee01083ea00</Identifier><SequenceIndicator>3.8.2.6</SequenceIndicator><Stakeholder><Name/><Description/></Stakeholder><OtherInformation>risk management audit ~ systematic, independent and documented process for obtaining evidence and evaluating it objectively in order to determine the extent to which the risk management framework (2.1.1), or any selected part of it, is adequate and effective.</OtherInformation></Objective></Goal></StrategicPlanCore><AdministrativeInformation><StartDate/><EndDate/><PublicationDate>2020-05-19</PublicationDate><Source>https://www.iso.org/obp/ui/#iso:std:iso:guide:73:ed-1:v1:en</Source><Submitter><GivenName/><Surname>Ambur</Surname><PhoneNumber/><EmailAddress>Owen.Ambur@verizon.net</EmailAddress></Submitter></AdministrativeInformation></PerformancePlanOrReport>
