
Risk Source (2.18) vs. Event (2.19)
http://goo.gl/6RaeW - Risk Source

Hi everyone,
The difference between "Risk Source" and "Event" in ISO 31000 is not clear to me. Can anyone
please make a clarification?


Pat Croke
The ocean is a risk source. A tsunami is an event.
June 27, 2011

Grant Purdy
Behzad
An event is an outcome and therefore cannot be a source of risk. A source of risk is something that
gives rise to risk. Normally we would attempt to understand these when we establish the context.
Some people think of them as threats or opportunities such as hazards.
June 27, 2011

John Salter
I have found it useful to distinguish between the "conditions which give rise to risk" - root sources,
such as embedded features of an organisation's culture which contribute to their vulnerability vs the
manifestation of that vulnerability - in the form of an "event". One "exists", the other "happens".
June 27, 2011


Behzad Behdani
Thanks all.
If I want to sum up:
Risk Source is something that might cause occurrence of an Event.
Because, I was thinking before that Risk Source is something that can potentially go wrong and
influence the Objectives but Event is an INSTANCE of Risk Source happened in real world.
June 28, 2011

John Salter
Not quite - reality is rarely linear. It is generally the complex interaction of "conditions" which give
rise to risk. To take the given example of Ocean and Tsunami - the Tsunami hazard requires both an
earthquake and a compounding bathymetry. The further conditions for risk to arise require there to
be "things in the way which you care about" - in our example, say people and infrastructure. Further,
these elements need to be vulnerable - a function not just of exposure, but also susceptibility. So the
risk is a function of the hazard interfacing with vulnerability. This opens up considerations around the
opportunity levers for mitigation - from land use planning (to adjust exposure); to infrastructure
design (to either adjust exposure or increase resilience); to simple planning and preparedness
solutions such as warning systems (to reduce exposure) etc. Which interventions or treatments you
select will depend on the (politically, culturally and economically) agreed approach and the
associated selection criteria - but that is another (albeit linked) story.
June 28, 2011

Alpaslan Menevse
Risk source (threat/opportunity) with enough motivation and appetite (vulnerability) of the risk owner
has the ability to impact the objectives. When impact occurs it becomes an event and the risk source
becomes the root cause of that risk.
June 29, 2011


Peter Boyce
Thanks John
I think your brief summation should clear up the question very nicely.
July 7, 2011

Arnold Schanfield, CIA, CPA


Is this a good analogy to the above- the BP situation?
The explosion of the Macondo well was the event
The risks were the deaths, the loss of reputation, the numerous criminal and civil lawsuits, the
potential demise of the entire company
The source was tone at the top or lack thereof driving for profits instead of safety first, not
articulating proper risk appetite, not understanding fully the risks because everything was deemed
to be rush rush- taking on third party contractors without fully understanding their capabilities and
the risks thereof of outsourcing/sharing/transfer
July 7, 2011

Jason Shohet
Looking at this thread from 7 months ago - I'm wondering about risk source vs older concepts (i.e. in
COSO-ERM) related to "categories" of risk events.
An IT example: Say we have 20 events related to a risk source - "Lack of commitment to Training..."
(let's put aside for now that this may not be the ultimate source). So from "Lack of commitment to
training" - events range from regulatory violations to data-center outages, failure to meet recovery-time
objectives for critical systems - and more.
Now the question: Might it be also useful to have an "Event Category" element captured in the
register? For example, we might want to analyze ALL events related to the "data-center outage"
category - regardless of the source. Of course data-centers are not a source of risk - but it may be
useful to have categories defined in order to facilitate discussion on similar events?
On the other hand - "Event Category" isn't in the Standard (to my knowledge) and I am wondering if
it was omitted for good reason.
February 10, 2012

Ovidiu Cretu, PhD, PE


Am I missing something? The risk definition is: effect of uncertainty on objective. Based on it I
would consider that the source of a risk is part of uncertainty surrounding the objective. So I think
that Pat Croke gave us a good example. The proximity to the ocean represents the uncertainty; the
tsunami is a risk to the safety of the coastal population. When the risk materializes is a different story
that John Salter has explained in his post.
February 22, 2012

Prabir Kumar Bandyopadhyay


"It is late to add any comment and I am afraid, I may not add further confusion.
I want to share the following points:
In Chemical Engineering Risk Analysis generally four terms are used: Hazard, Exposure, Event and
Consequence. And of course probability/likelihood, which comes later.
Suppose an Operator's job is to climb up by using ladder to take reading.
In this context:
ladder is a Hazard
Climbing up using ladder is Exposure (Number of times used)
Event: chances of Fall from the ladder
Consequence is the injury
In ISO 31000, we do not have "Hazard" and "Exposure"; instead we have "Risk source".
Using the above example we may say "Risk source" is a combination of Hazard and Exposure.
Comment on this will also help me internalize the definition of source."
May 26, 2012

Alex Dali, MBA, ARM

Prabir, your explanation is simple, clear and broadly accepted. It is suitable for some sectors or
specialized fields dealing with the management of risk.
The concept of "risk source" was introduced to apply to every field and sector.
Some additional comments (see the slight modification):
HAZARD
Hazard = Potential source of harm
See: [ISO/IEC Guide 51:1999, definition 3.5]
Hazard = source of potential harm
NOTE Hazard can be a risk source (3.5.1.1)
See: [ISO Guide 73:2009, definition 3.5.1.3]
EXPOSURE
Exposure = extent to which an organization and/or stakeholder (2.13) is subject to an event (2.19)
See: [ISO Guide 73:2009, definition 3.6.1.2]
May 26, 2012

Ian Wood
Hi Prabir
I find exposure and probability of event to be useful in calculating Likelihood.
I tend to retain the dimensions Consequence and Likelihood.
For me, things like Hazard and Exposure are fractal dimensions of Consequence and Likelihood that
are useful in specific circumstances.
For example, if your exposure is daily and the chance of an event per exposure is 2% then the
(ISO31000) Likelihood is once every 50 days.
If the project will be finished in 25 days, the (simple) Likelihood of an event within the timeframe of
the Objective is 50%. (This is an example of my oft stated "the Objectives are the frame of reference
for the risk".)
This becomes important as most controls can only affect Likelihood, rather than Consequence. Fall
arrest, for example, lowers likelihood, as if it fails then the full consequence still applies.
The only way to reduce Consequence is to reduce the energy (such as building a lower tank design).
May 27, 2012

Jason Shohet
Alex - good points about where in ISO "hazard" has been defined.
I can see, Prabir, how you suggest the ladder is a component of source of risk.
Just to add flavor - if we consider that a factory / plant has a standard which mandates use of ladders
by operators (and as such - there are few stairs or elevators in the plant) - that may be part of
Internal Context.
May 29, 2012

John Moffat
Hi Prabir
I'm with you.
For me - long in the tooth BUT have had them sharpened recently!!!
KISS to make sure the masses grasp and can be involved.
Establish the Context - Process and Steps (ie what's happening)
(Risk) Identification - The hazard that is the source with the potential to cause Harm (I prefer loss for
it extends then to product and finance and security etc. etc.)
Analysis - Controls ... ie what is already in place to prevent Loss
Evaluation - Level of Risk in terms of Likelihood and Impact - so can be positive or negative - and at
least 30 things to think about when making that judgement call - based on Task, Individual, Material
and Environment.... including whether the controls are working or not.
Treatment - Improved Control
I believe that there are Steps after that like Prioritization (on a business risk basis) ACTION and
feedback - in some way to ensure continual improvement.
May 29, 2012

Prabir Kumar Bandyopadhyay


John. Thanks for your comment. I am happy that most of us agree with the explanation of 'Risk
Source' in the context of the "Ladder" example. I see one problem with this example: it is true from the
technical risk point of view. If we consider Risk Source from the Hazard angle then the
effect/consequence of a Risk event is negative only. But business risk may turn positive or negative.
The greatest risk of any business is not taking risk. Many a time auditing firms, when carrying out a
Risk audit, as per my experience, also consider the negative consequences only; as a result the
firm's attitude becomes risk averse and tries to overlook the risk appetite aspect. Maybe ISO has not
included Hazard considering these issues, as ISO 31000 is for Business Risk.
But then, sadly, all encompassing definition of Risk source will remain fuzzy. Perhaps this chain of
discussions help us in conceiving the definition of Source in tacit form and if it is then it serves the
purpose.
May 30, 2012

Mohammad Mojtabaei
I always think means of world may be a little different in various nations and cultures. I think risk
means possibility of occurrence of events and event is outcome event from risk.
May 30, 2012