http://goo.gl/6RaeW - Risk Source
Hi everyone,
The difference between "Risk Source" and "Event" in ISO31000 is not clear for me. Can anyone
please make a clarification?
Pat Croke
The ocean is a risk source. A tsunami is an event.
June 27, 2011
Grant Purdy
Behzad
An event is an outcome and therefore cannot be a source of risk. A source of risk is something that
gives rise to risk. Normally we would attempt to understand these when we establish the context.
Some people think of them as threats or opportunities such as hazards.
June 27, 2011
John Salter
I have found it useful to distinguish between the "conditions which give rise to risk" - root sources,
such as embedded features of an organisation's culture which contribute to their vulnerability vs the
manifestation of that vulnerability - in the form of an "event". One "exists", the other "happens".
June 27, 2011
Behzad Behdani
Thanks all.
If I want to sum-up:
Risk Source is something that might cause occurrence of an Event.
Because I was thinking before that a Risk Source is something that can potentially go wrong and
influence the Objectives, but an Event is an INSTANCE of a Risk Source that has happened in the real world.
June 28, 2011
John Salter
Not quite - reality is rarely linear. It is generally the complex interaction of "conditions" which give
rise to risk. To take the given example of Ocean and Tsunami - the Tsunami hazard requires both an
earthquake and a compounding bathymetry. The further conditions for risk to arise require there to
be "things in the way which you care about" - in our example, say people and infrastructure. Further,
these elements need to be vulnerable - a function not just of exposure, but also susceptibility. So the
risk is a function of the hazard interfacing with vulnerability. This opens up considerations around the
opportunity levers for mitigation - from land use planning (to adjust exposure); to infrastructure
design (to either adjust exposure or increase resilience); to simple planning and preparedness
solutions such as warning systems (to reduce exposure) etc. Which interventions or treatments you
select will depend on the (politically, culturally and economically) agreed approach and the
associated selection criteria - but that is another (albeit linked) story.
June 28, 2011
Alpaslan Menevse
Risk source (threat/opportunity) with enough motivation and appetite (vulnerability) of the risk owner
has the ability to impact the objectives. When impact occurs it becomes an event and the risk source
becomes the root cause of that risk.
June 29, 2011
Peter Boyce
Thanks John
I think your brief summation should clear up the question very nicely.
July 7, 2011
Jason Shohet
Looking at this thread from 7 months ago - I'm wondering about risk source vs older concepts (i.e. in
COSO-ERM) related to "categories" of risk events.
An IT example: Say we have 20 events related to a risk source - "Lack of commitment to Training..."
(let's put aside for now that this may not be the ultimate source). So from "Lack of commitment to
training" - events range from regulatory violations to data-center outages, failure to meet recovery-time objectives for critical systems - and more.
Now the question: Might it be also useful to have an "Event Category" element captured in the
register? For example, we might want to analyze ALL events related to the "data-center outage"
category - regardless of the source. Of course data-centers are not a source of risk - but it may be
useful to have categories defined in order to facilitate discussion on similar events?
On the other hand - "Event Category" isn't in the Standard (to my knowledge) and I am wondering if
it was omitted for good reason.
February 10, 2012
Prabir, your explanation is simple, clear and broadly accepted. It is suitable for some sectors or
specialized fields dealing with the management of risk.
The concept of "risk source" was introduced to apply to every field and sector.
Some additional comments (see the slight modification) :
HAZARD.
Hazard = Potential source of harm
See [ISO/IEC Guide 51:1999, definition 3.5]
Hazard = source of potential harm
NOTE Hazard can be a risk source (3.5.1.1)
See : [ISO Guide 73:2009, definition 3.5.1.3]
EXPOSURE
Exposure = extent to which an organization and/or stakeholder (2.13) is subject to an event (2.19)
See : [ISO Guide 73:2009, definition 3.6.1.2]
May 26, 2012
Ian Wood
Hi Prabir
I find exposure and probability of event to be useful in calculating Likelihood.
I tend to retain the dimensions Consequence and Likelihood
for me, things like Hazard and Exposure are fractal dimensions of Consequence and Likelihood that
are useful in specific circumstances.
for example if your exposure is daily and the chance of an event per exposure is 2% then the
(ISO31000) Likelihood is once every 50 days.
if the project will be finished in 25 days, the (simple) Likelihood of an event within the timeframe of
the Objective is 50%. (this is an example of my oft stated "the Objectives are the frame of reference
for the risk".)
This becomes important as most controls can only affect Likelihood, rather than Consequence. Fall
arrest, for example, lowers likelihood, as if it fails then the full consequence still applies.
The only way to reduce Consequence is to reduce the energy (such as building a lower tank design).
May 27, 2012
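The exposure-times-probability reasoning in the comment above, carried through as an added worked example (this is not code from the thread or from any ISO document). It takes the figures stated there as its sample input: exposure once per day, a 2% chance of the event per exposure, and an objective that finishes in 25 days. It returns the mean interval between events, the simple linear likelihood within the time frame, and, for comparison, the likelihood obtained when each exposure is treated as an independent trial. The class and function names are my own, and the "control" scaling at the end assumes that a control acts only by reducing exposure frequency, which is the reading of Likelihood-only controls given in the comment.

```python
"""Likelihood of an event within an objective's time frame.

Added example, not part of the original discussion. Names are assumptions
chosen for this illustration; the numbers are the ones in the comment above.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ExposureModel:
    """How often a hazard is encountered and how likely it is to bite each time."""
    exposures_per_day: float      # e.g. 1.0 for "exposure is daily"
    p_event_per_exposure: float   # e.g. 0.02 for "2% chance per exposure"

    def rate_per_day(self) -> float:
        """Expected number of events per day."""
        return self.exposures_per_day * self.p_event_per_exposure

    def mean_days_between_events(self) -> float:
        """The 'once every N days' figure used for ISO 31000 Likelihood."""
        return 1.0 / self.rate_per_day()

    def linear_likelihood(self, horizon_days: float) -> float:
        """Simple estimate: expected events within the horizon, capped at 1.

        This is the 25 days x 2% = 50% arithmetic from the comment.
        """
        return min(1.0, self.rate_per_day() * horizon_days)

    def compound_likelihood(self, horizon_days: float) -> float:
        """Probability of at least one event in the horizon.

        Treats each exposure as an independent trial, so the figure never
        reaches 1 and is lower than the linear estimate for long horizons.
        """
        trials = self.exposures_per_day * horizon_days
        return 1.0 - (1.0 - self.p_event_per_exposure) ** trials

    def with_exposure_scaled(self, factor: float) -> "ExposureModel":
        """Model after a control that only changes exposure frequency.

        Assumption for this example: e.g. a warning system or land-use change
        that halves how often the hazard is encountered (factor=0.5) while
        leaving the per-exposure probability untouched.
        """
        return replace(self, exposures_per_day=self.exposures_per_day * factor)


def summarise(model: ExposureModel, horizon_days: float) -> dict:
    """Collect the figures a risk register row would record for one horizon."""
    return {
        "mean_days_between_events": model.mean_days_between_events(),
        "linear_likelihood": model.linear_likelihood(horizon_days),
        "compound_likelihood": model.compound_likelihood(horizon_days),
    }


if __name__ == "__main__":
    # Sample input constructed from the comment: daily exposure, 2% per exposure,
    # objective finished in 25 days.
    daily = ExposureModel(exposures_per_day=1.0, p_event_per_exposure=0.02)
    for horizon in (25, 50, 100):
        print(horizon, "days:", summarise(daily, horizon))
    # The same hazard after a control that halves exposure frequency.
    print("halved exposure, 25 days:", summarise(daily.with_exposure_scaled(0.5), 25))
```

For the 25-day objective the linear figure is 0.5, as in the comment, while the independent-trial figure is about 0.40; at 100 days the linear estimate saturates at 1.0 but the compound one stays below it. Which of the two a register should carry is a choice of method, not something the standard dictates, so the example reports both.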
Jason Shohet
Alex - good points about where in ISO "hazard" has been defined.
I can see Prabir, how you suggest the ladder is a component of source of risk.
Just to add flavor - if we consider that a factory / plant has a standard which mandates use of ladders
by operators (and as such - there are few stairs or elevators in the plant) - that may be part of
Internal Context.
May 29, 2012
John Moffat
Hi Prabir
I'm with you.
For me - long in the tooth BUT have had them sharpened recently!!!
KISS to make sure the masses grasp and can be involved.
Establish the Context - Process and Steps (i.e. what's happening)
(Risk) Identification - The hazard that is the source with the potential to cause Harm (I prefer loss, for
it extends then to product and finance and security etc. etc.)
Analysis - Controls ... i.e. what is already in place to prevent Loss
Evaluation - Level of Risk in terms of Likelihood and Impact - so can be positive or negative - and at
least 30 things to think about when making that judgement call - based on Task, Individual, Material
and Environment.... including whether the controls are working or not.
Treatment - Improved Control
I believe that there are Steps after that like Prioritization (on a business risk basis) ACTION and
feedback - in some way to ensure continual improvement.
May 29, 2012
Mohammad Mojtabaei
I always think the meanings of words may be a little different in various nations and cultures. I think risk
means the possibility of occurrence of events, and an event is the outcome event from the risk.
May 30, 2012