ISO 31073:2022 pdf – Risk management — Vocabulary.
2 Normative references

There are no normative references in this document.

3 Terms and definitions

ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/

3.1 Terms related to risk

3.1.1
risk
effect of uncertainty (3.1.3) on objectives (3.1.2)
Note 1 to entry: An effect is a deviation from the expected. It can be positive, negative or both, and can address, create or result in opportunities (3.3.23) and threats (3.3.13).
Note 2 to entry: Objectives can have different aspects and categories, and can be applied at different levels.
Note 3 to entry: Risk is usually expressed in terms of risk sources (3.3.10), potential events (3.3.11), their consequences (3.3.18) and their likelihood (3.3.16).

3.1.2
objective
result to be achieved
Note 1 to entry: An objective can be strategic, tactical or operational.
Note 2 to entry: Objectives can relate to different disciplines (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
Note 3 to entry: An objective can be expressed in other ways, e.g. as an intended outcome, a purpose, an operational criterion, as a management system objective, or by the use of other words with similar meaning (e.g. aim, goal, target).

3.1.3
uncertainty
state, even partial, of deficiency of information related to understanding or knowledge
Note 1 to entry: In some cases, uncertainty can be related to the organization’s (3.3.7) context as well as to its objectives (3.1.2).
Note 2 to entry: Uncertainty is the root source of risk (3.1.1), namely any kind of “deficiency of information” that matters in relation to objectives (and objectives, in turn, relate to all relevant interested parties’ (3.3.2) needs and expectations).

3.2 Terms related to risk management

3.2.1
risk management
coordinated activities to direct and control an organization (3.3.7) with regard to risk (3.1.1)

3.2.2
risk management policy
statement of the overall intentions and direction of an organization (3.3.7) related to risk management (3.2.1)
[SOURCE: ISO Guide 73:2009, 2.1.2]

3.2.3
risk management plan
scheme within the risk management framework specifying the approach, the management components and resources to be applied to the management of risk (3.1.1)
Note 1 to entry: Management components typically include procedures, practices, assignment of responsibilities, sequence and timing of activities.
Note 2 to entry: The risk management plan can be applied to a particular product, process and project, and part or whole of the organization (3.3.7).
[SOURCE: ISO Guide 73:2009, 2.1.3]

3.3 Terms related to the risk management process

3.3.1
risk management process
systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring (3.3.40) and reviewing risk (3.1.1)
[SOURCE: ISO Guide 73:2009, 3.1]

3.3.2
interested party
stakeholder
person or organization (3.3.7) that can affect, be affected by, or perceives itself to be affected by a decision or activity

3.3.3
risk perception
interested party’s (3.3.2) view on risk (3.1.1)
Note 1 to entry: Risk perception reflects the interested party’s needs, issues, knowledge, beliefs and values.
[SOURCE: ISO Guide 73:2009, 126.96.36.199, modified — “interested party” has replaced “stakeholder”, and “risk” has replaced “a risk” in the definition.]

3.3.4
external context
external environment in which the organization (3.3.7) seeks to achieve its objectives (3.1.2)
— relationships with, and perceptions and values of, external interested parties (3.3.2).
[SOURCE: ISO Guide 73:2009, 188.8.131.52, modified — “interested parties” has replaced “stakeholders”.]

3.3.5
internal context
internal environment in which the organization (3.3.7) seeks to achieve its objectives (3.1.2)
Note 1 to entry: Internal context can include:
— governance, organizational structure, roles and accountabilities;
— policies, objectives, and the strategies that are in place to achieve them;
— the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
— information systems, information flows and decision-making processes (both formal and informal);
— relationships with, and perceptions and values of, internal interested parties (3.3.2);
— the organization’s culture;
— standards, guidelines and models adopted by the organization; and
— form and extent of contractual relationships.
[SOURCE: ISO Guide 73:2009, 184.108.40.206, modified — “interested parties” has replaced “stakeholders”.]

3.3.6
risk criteria
terms of reference against which the significance of risk (3.1.1) is evaluated
Note 1 to entry: Risk criteria are based on organizational objectives (3.1.2), and external (3.3.4) and internal context (3.3.5).
Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements.
[SOURCE: ISO Guide 73:2009, 220.127.116.11, modified — “risk” has replaced “a risk” in the definition.]

3.3.7
organization
person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives (3.1.2)
Note 1 to entry: The concept of organization includes, but is not limited to, sole-trader, company, corporation, firm, enterprise, authority, partnership, charity or institution, or part or combination thereof, whether incorporated or not, public or private.