ISO 31073:2022 Risk management — Vocabulary
This document defines generic terms related to the management of risks faced by organizations.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1 Terms related to risk
3.1.1 risk
effect of uncertainty (3.1.3) on objectives (3.1.2)
Note 1 to entry: An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities (3.3.23) and threats (3.3.13).
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Risk is usually expressed in terms of risk sources (3.3.10), potential events (3.3.11), their consequences (3.3.18) and their likelihood (3.3.16).
3.1.2 objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as a management system objective, or by the use of other words with similar meaning (e.g. aim, goal, target).
3.1.3 uncertainty
state, even partial, of deficiency of information related to understanding or knowledge
Note 1 to entry: In some cases, uncertainty can be related to the organization’s (3.3.7) context as well as to its objectives (3.1.2).
Note 2 to entry: Uncertainty is the root source of risk (3.1.1), namely any kind of “deficiency of information” that matters in relation to objectives (and objectives, in turn, relate to all relevant interested parties’ (3.3.2) needs and expectations).
— relationships with, and perceptions and values of, external interested parties (3.3.2).
[SOURCE: ISO Guide 73:2009, 3.3.1.1, modified — “interested parties” has replaced “stakeholders”.]
3.3.5 internal context
internal environment in which the organization (3.3.7) seeks to achieve its objectives (3.1.2)
Note 1 to entry: Internal context can include:
— governance, organizational structure, roles and accountabilities;
— policies, objectives, and the strategies that are in place to achieve them;
— the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
— information systems, information flows and decision-making processes (both formal and informal);
— relationships with, and perceptions and values of, internal interested parties (3.3.2);
— the organization’s culture;
— standards, guidelines and models adopted by the organization; and
— form and extent of contractual relationships.
[SOURCE: ISO Guide 73:2009, 3.3.1.2, modified — “interested parties” has replaced “stakeholders”.]
3.3.6 risk criteria
terms of reference against which the significance of risk (3.1.1) is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives (3.1.2), and external (3.3.4) and internal context (3.3.5).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements.
[SOURCE: ISO Guide 73:2009, 3.3.1.3, modified — “risk” has replaced “a risk” in the definition.]
3.3.7 organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.1.2)
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.
3.3.8 risk assessment
overall process of risk identification (3.3.9), risk analysis (3.3.15) and risk evaluation (3.3.25)
[SOURCE: ISO Guide 73:2009, 3.4.1]
3.3.9 risk identification
process of finding, recognizing and describing risks (3.1.1)
Note 1 to entry: Risk identification involves the identification of risk sources (3.3.10), events (3.3.11), their causes and their potential consequences (3.3.18).
Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and interested party’s (3.3.2) needs.
[SOURCE: ISO Guide 73:2009, 3.5.1, modified — “interested party” has replaced “stakeholder”.]
3.3.10 risk source
element which alone or in combination has the potential to give rise to risk (3.1.1)
3.3.11 event
occurrence or change of a particular set of circumstances
Note 1 to entry: An event can have one or more occurrences, and can have several causes and several consequences (3.3.18).
Note 2 to entry: An event can also be something that is expected which does not happen, or something that is not expected which does happen.
Note 3 to entry: An event can be a risk source (3.3.10).
3.3.12 hazard
source of potential harm
Note 1 to entry: Hazard can be a risk source (3.3.10).
[SOURCE: ISO Guide 73:2009, 3.5.1.4]