
Page 1: CommentsOn - U.S. TAG 73... · Web view-OHSAS 18001 (1999)-OHSAS 18002 (2000) A systematic procedure for finding all of the hazards which are associated with the unit operations and

Template for comments and secretariat observations
Date: Document: ISO/IEC CD 2 Guide 73

Columns: 1 MB [1]; 2 Entry No. of terms (e.g. 3.1.1); (3) Number of Notes (e.g. NOTE 1) / Line numbers (e.g. 61); 4 Type of comment [2]; 5 Comment (justification for change) by the MB; (6) Proposed change by the MB; (7) Secretariat observations on each comment submitted

US Ge Guide 73 definitions should be included in the actual 31000 document. Since Guide 73 pre-dates 31000, it now makes sense to integrate Guide 73 into 31000. The fact that they are being presented as stand-alone documents is a primary reason the AIHA is voting “no, with comments” with regard to Guide 73.

Combine Guide 73 and ISO 31000

US Ge It seems odd to be reviewing and voting on the definitions prior to the actual standard.

If Guide 73 and ISO 31000 are not combined, then at least have their review and comment cycles directly match.

Allow one more round of comments on Guide 73 after ISO 31000 is finalized, if the documents are not combined.


US ge Generally, all consensus standards include definitions. It is not clear why Guide 73 needs to be a stand-alone document. It should be incorporated into the affected standards and then deleted. It is not a user-friendly process to have key definitions located outside a standard such as ISO 31000 or any other consensus standard. Moreover, it makes the review process of affected standards, such as ISO 31000, difficult and disjointed. On the ballot for Guide 73, I voted YES WITH COMMENTS, as I am not sure of how many standards are dependent upon Guide 73.

US 1 160 Ed “Therefore, this International Standard is generic and not specific to any industry or sector.” The term generic is superfluous here as it is already stated.

Remove the term generic

[1] MB = Member body (enter the ISO 3166 two-letter country code, e.g. CN for China; comments from the ISO/CS editing unit are identified by **)
[2] Type of comment: ge = general, te = technical, ed = editorial
NOTE Columns 1, 2, 4, 5 are compulsory.

page 1 of 16 ISO electronic balloting commenting template/version 2001-10

US 1 66 Ed Grammar

…management, see ISO 31000

US 2 71 Te See justification for comment regarding line 54

ADD: Thus, certain applications may use different or even conflicting definitions of terms defined in this Guide 73.

US 2 78 Ed Singular figure

Figure

US 2 81 Ed The figure provides a useful hierarchy of the terms. The order of the terms within a level is very confusing. For example, why is Uncertainty the first term under Risk Analysis when you cannot really evaluate uncertainty until you’ve estimated the other factors and arrived at a risk level?

Pick your battles. The list of terms in most ISO documents is completely user unfriendly. They usually appear in numerical order and not alphabetical order – which most glossaries use. I understand that different languages would require differing ordering for the country specific versions, but doesn’t it make more sense to alphabetize the lists and have the numbering be out of order rather than the numbering in good order but the terms completely out of order?

Reorder the terms within a common level to follow some logical order such as order of use, alphabetical or something.

Best solution is to assign sequential numbers to one language according to the alphabetical listing in that language. Then allow other languages to reorder the terms in alphabetical order within their language versions, but require that they keep the common numbering (thus the numbering would not be sequential in all versions but the numbering would refer to the same terms in all languages).

Second option would be to move the Alphabetical Index to immediately follow Figure 1.

US 2 Page 2, table Ed Under risk analysis (3.3.5), Uncertainty (3.3.5.1) is misspelled.

Use correct spelling

US 3 ge This guide is well organized and written. The reader must be aware that even though ISO31000 is applicable in the management of risk to safety, the safety related terms and concepts are found in Guide 51.

US 3 ge As a management standard, there should be some reference to how other ISO standards could/would relate to this standard. Users are confused on how this standard relates to other peer standards (management standards) and to ISO norms.

Add a section/flowchart on how an organisation may be able to implement this standard in conjunction with other ISO standards – similar to the European EN A/B/C structure


US 3 ge “Known Risk” – I don’t see any definition for this term although I do see “identified risk” used in definitions.

Define Known Risk, or alter definition of risk

US 3 ge “Unknown Risk” – Same comment as above. Define Unknown Risk, or alter definition of risk

US 3.1 Te The change in the definition of “risk” from Guide 73:2002 to include both negative and positive outcomes is a very significant change; the proposed definition here is not in accord with common usage and is extremely ill-advised. The definition should remain as it was in Guide 73:2002.

Risk Definition – “combination of the probability of an event and its consequences.”

US 3.1 Te This definition of Risk is very vague. I’ve sent a list of existing definitions of the term to Tim Fisher. I suggest that the TAG review them and select a clearer definition.

US 3.1 te Economists, versus statisticians, further define risks as measurable, with unmeasurable uncertainties not being defined as risks. In economics, the definitions of risk and uncertainty are different, and the distinction between the two is clearer. Frank H. Knight established the economic definition of the terms in his landmark book, Risk, Uncertainty, and Profit (1921):

- risk is present when future events occur with measurable probability

- uncertainty is present when the likelihood of future events is indefinite or incalculable

From paragraph 26 of Part I, Chapter 1: It will appear that a measurable uncertainty, or "risk" proper, as we shall use the term, is so far different from an unmeasurable one that it is not in effect an uncertainty at all. We shall accordingly restrict the term "uncertainty" to cases of the non-quantitive type. It is this "true" uncertainty, and not risk, as has been argued, which forms the basis of a valid theory of profit and accounts for the divergence between actual and theoretical competition. In addition, we suggest there be further discussion about the inclusion as risk of potential outcomes that have only potential for a positive impact (if such exist).

Revisit the definition of risk and potentially adopt the definition already used by economists, or add Notes

US 3.1 ge Risk is not the same thing as “effect of uncertainty on objectives.” Risk is the “uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective.” (PMI PMBOK(R) Guide, 3rd edition, 2004) Risk describes the uncertain event or condition, not its “effect ...on objectives.” The very basic distinction between the risk and its effect should not be confused.

We agree that the risk is something that has an impact, but to combine the risk with its effect is to confuse the concept. Risk can be

1. Ambiguity such as (in the project management world) the general error in making estimates with an immature design

2. Uncertainty such as labor rates that may be one level or another based on market conditions

3. Risk events such as failing the factory acceptance test and having to re-fabricate the product.

The first two (ambiguity and uncertainty) are usually thought of as having a probability of 100% but an uncertain impact on objectives, while the third (risk events) may have a probability less than 100% and also an uncertain impact on the objective.

3.1 Risk: An uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective.

US 3.1 Note 4 (add) ge The term risk could mean “a risk” that has probability and impact or it could mean “risk to the system” which is the result of individual risks, ambiguities and uncertainties. We should include reference to this other use of the term “risk.”

NOTE 4: Risk can refer to the uncertainty in the system’s objectives that is caused by the possible or potential action (including interaction) of individual, several or many risks that are contained within or impact on the system’s objectives.

US 3.2 page 3 Te The definition for risk management should reflect the connection to adverse events.

Change …”with regard to risk” to …”with regard to adverse risk events.”

US 3.2.2 Te Shouldn’t a policy be documented? Intentions and directions are just ideas.

CHANGE To:

The documented statement of the overall intentions and…

US 3.2.3 Ge General comment: There are many different “plans” and “processes” referenced in this document and 31000. It is confusing to try and keep track of what is required. It would be helpful to the reader of 31000 if there was a summary listing of what they are expected to produce.


US 3.2.3 Note ed We also use “Guidelines” as a management component where non-mandatory procedures or practices are available for application.

Consider inserting “guidelines”

US 3.3.1 Te I fail to see how this definition of communication adds value. The use of this term is no different than it is used in most dictionaries and in daily use.

Delete communication from the definition and keep only consultation portion

US 3.3.1 page 3 Te The definition for communication and consultation is nice. In ISO/DIS 31000 (2008-04-01) the word consult is used at line 340.

Either consider including a definition for consult, or change the language at line 340 to say consultation.

US 3.3.1.1 Te I fail to see how this definition adds value. The use of this term is no different than it is used in most dictionaries and in daily use.

Delete definition.

US 3.3.1.1 page 4 Te The definition for stakeholder should be strengthened. Change “that can affect, be affected by, or perceive themselves to be affected by a decision or activity.” to “that can affect or be affected by a decision or activity. Potential stakeholders include any person or organization that perceives themselves to be affected by a decision or activity.”

US 3.3.1.2 ed Is it acceptable to have a section that only contains Notes and not text or explanation?

US 3.3.1.2 Ed Clarity. Change to:

Risk perception is subjective and can differ from objective data.

US 3.3.1.2 New Note 3 te “Risk perception includes subjective values and beliefs which must be considered in consultation.”

US 3.3.2.1 page 5 Te The third note for the definition on external context should reflect the risk appetite of the external stakeholders.

At the end of the third note, add …”and their risk appetite.”


US 3.3.2.2 Note ed Need clarification of – items 3 and 5 syntax to reflect organization subjective elements in internal context.

Change internal stakeholders to “internal stakeholders’ perceptions and values”

Change perceptions, values and culture to “organizational culture”

US 3.3.2.2 Page 5 Te The third note for the definition on internal context should reflect the risk appetite of the internal stakeholders. An example here is an organization’s workers.

At the end of the third note, add …”and their risk appetite.”

US 3.3.3 (risk assessment) ge Since we are recommending a new term, level of overall system risk, it should be included in 3.3.3

overall process of risk identification (3.3.4), risk analysis (3.3.5), risk evaluation (3.3.6) and level of overall system risk (3.3.5.11)

US 3.3.4.1 page 6 Te Note 1 for the definition on risk source should reflect exposure, not interaction.

In Note 1, change “interaction to “exposure.”

US 3.3.4.2 Te We define this term and then have 6 Notes to explain it.

We define ‘event’ using the term ‘circumstances’ but don’t explain what a circumstance is. This adds confusion not clarity

The Notes are conflicting – in 1 we say likelihood is unknowable and in 3 we say it can be determined.

Note 1 is untrue. The consequence of an event is often quite knowable. What the heck is “Nature” anyway?

Note 4 is very vague

If our reader of Guide 73 doesn’t understand what an event is, we have bigger issues than defining the term. This is a Guide of vocabulary, not a primer.

Delete this definition. Unnecessary

US 3.3.4.4 page 6 Te The definition for risk owner needs to reflect the adverse or positive effect of risk treatments.

At the end of this definition, include …”and subsequent adverse or positive effect.”

US 3.3.5 Te “comprehend the nature of risk”

Really. What does this mean?

TAG to review list of alternate definitions submitted to Tim Fisher and select a better definition

US 3.3.5 (Risk analysis) ge The discussion of risk analysis in this document is dominated by descriptions of individual risks. It does not deal with overall risk to the system’s objective that can come from or be influenced by all risks potentially affecting the objective and operating simultaneously. The latter inquiry, into overall risk to the objective, is pursued by quantitative methods such as simulation. We need to include this branch of the discipline in this document.

process to comprehend the nature of individual risks (3.1) and to determine the overall level of overall system risk (3.3.5.10)

US 3.3.5.1 ed Text clarification-“state” is multi meaning and needs a modifier for definition

Consider “knowledge state”

US 3.3.5.1 Ed Clarify intent. Change to:

State of deficiency of information related to an event…

US 3.3.5.10 Te We are able to define a “level of risk” by stating it is related to consequences and likelihood, but our definition of risk does not state that. Indeed if you replace the word “risk” with its definition in 3.3.5.10, it gets really confusing. A better definition of risk using consequences and likelihood would allow simplifying this current definition to “magnitude of a risk” or deleting the definition entirely as it is obvious (with the better definition of risk).

Modify risk definition and delete unnecessary portions of this definition or the definition entirely.

US 3.3.5.11 (new) Level of overall system risk ge This element is where we should be explicit in talking about overall system risk (a separate use of the term “risk” – see my recommended added Note 4 to item 3.1). Since 3.3.5.10 concerns “a risk” we need to add a new item. This deals with the overall level of risk to a system objective that results from the possible simultaneous operations of several individual risks. The analysis of overall system risk is done using tools such as Monte Carlo simulation, not the multiplication or combination of individual risks’ probability and impact.

3.3.5.11 Overall level of risk to objectives: The level of risk to system objectives resulting from the effects of all risks within the system or impacting the system objectives from without

Note 1: the overall level of risk to objectives is found by aggregating (3.3.6.5) the probability and impact of all risks simultaneously as they affect the system’s objective

Note 2: Measurement of the overall level of risk may be in terms of the probability of achieving the objective and the amount of contingency reserve needed to raise the probability to an amount acceptable to the organization.

Note 3: An additional measure associated with the overall level of risk to the objectives is the identification of the individual risks that contribute most to the overall risk. Individual risks can be prioritized by their importance to the system using this measure.

US 3.3.5.2.1 ge Is exposure magnitude or frequency? If needed add explanation

US 3.3.5.3 Note 2 Ed Adding ‘objectives’ confuses the issue. What is an objective? We don’t define it and it really isn’t needed for the point made by the Note.

Change to:

…negative effects.

US 3.3.5.4 te I propose that we add a note per the following:

Note 2 – For planning purposes, the probability of occurrence may be set to “1” when it's necessary to plan for a scenario where the assumption is that the incident will occur.

Add Note:

Note 2 – For planning purposes, the probability of occurrence may be set to “1” when it's necessary to plan for a scenario where the assumption is that the incident will occur.

US 3.3.5.7 ge Is vulnerability both internal and external? Both are critical and must be considered.

If needed define susceptibility as both internal and external threats

US 3.3.5.8 ge A risk matrix can be either numerical or qualitative.

Possibly a note is needed

US 3.3.5.8 Ge Words are great but showing a simple example of a risk matrix would be helpful in conveying the intent

Add an example

US 3.3.6 (risk evaluation) 1 ge There is no mention of Risk Significance. This is prominent in all global management risk assessment approaches.

US 3.3.6 Note 2 Te In many applications there is no ‘process’ of evaluation nor much of a risk analysis. You select consequence level, likelihood level, and decide if the risk is acceptable.

Add new Note 2:

Note 2: In some instances risk evaluation may simply be a decision rather than a process

US 3.3.6.2 ed I personally find the use of “appetite” incorrect since it implies fulfilment to capacity

Is “limit” a more appropriate term?

US 3.3.6.2 page 8 Te The definition for risk appetite is too narrow by only considering the organization. With connections to stakeholders and risk owners, these additional entities should be included.

After organization, insert …”stakeholder, or risk owners.” This definition would now read “amount and type of risk (3.1) an organization, stakeholder or risk owner is prepared to pursue or take.”

US 3.3.6.3 page 8 Te The definition for risk tolerance is too narrow by only considering the organization. With connections to stakeholders and risk owners, these additional entities should be included.

It would appear that “ability” is a better word than “readiness” in this definition.

After organization’s, insert …”stakeholders, or risk owners.”

Replace readiness with ability.

This definition would now read “organization’s, stakeholders’, or risk owners’ ability to bear the risk (3.1) after risk treatments (3.3.7) in order to achieve its objectives.”

US 3.3.6.4 page 8 Te For the definition on risk aversion, it would appear that propensity is a better word than attitude.

Replace “attitude” with “propensity.”

US 3.3.6.5 Ed We have many different processes in the document. We don’t need to suggest there is another.

Change:

combining …

US 3.3.6.7 Note 1, bullet 2 Ed Clarity

Change:

- deciding to…

US 3.3.7 Note 1, item 2 ed Second item: “– seeking…” is grammatically confusing.

I read this three times and never understood the intent.

Reword sentence

US 3.3.7 Note 1, item 6 ed I concur with the AIHA comments on ISO 31000 that sharing with other parties should be “consenting parties”

US 3.3.7 Note 1, item 4 te Is “changing the nature and magnitude of likelihood” the same as hardening the object? In control strategy, hardening is frequently used to mitigate effect.

Consider where hardening goes in this list of items. Could also go with consequences

US 3.3.7 page 8 Te For the sixth bullet of note 1 for risk treatment, the concept of “agreement” should be included.

Replace the sixth bullet with, “establishing an agreement with one or more parties to share risk.”

US 3.3.7 Page 8 Te The seventh bullet of note 1 for risk treatment seems odd. We understand the concept, but there is something counterintuitive with this bullet. It is not clear that it adds anything, and if it does, it undermines the definition and intent in ISO 31000.

Delete the seventh bullet that reads “retaining risk by choice.”

US 3.3.7.1 Note 3 Ed In most instances risks that are accepted are not monitored or reviewed. Low risk items are rarely reviewed, nor should they. Higher risk items should be.

Change:

Risks accepted may be subject to monitoring…

US 3.3.7.1 Note 4 (new) ge Risk acceptance often is accompanied by a risk provision. In projects this is called “contingency” or “reserve.” This provision is intended to increase the likelihood of success to a level that is acceptable to the organization. This differs from risk mitigation that is intended to reduce the probability or impact of a risk.

Note 4: Risks are often accepted with a provision or reserve intended to increase the likelihood of success

US 3.3.7.2 Note ed Risk avoidance is also based on regulatory obligations which could be different than legal (contractual) obligations.

Consider adding “regulatory”

US 3.3.7.3 ed Same as 3.3.7; consenting parties

US 3.3.7.3 Page 8 Te For the definition on risk sharing, the entities with whom risk is shared need to be expanded. Risk is shared with more than just other parties.

At the end of this definition, insert …”or stakeholders.”

US 3.3.7.3 Page 9 Te Risk sharing can involve “risk transfer.” A new note should be added that indicates that risk transfers should be explicit, understood and agreed to by parties and stakeholders involved.

Add a new note, this would be note 4. It would state “Risk sharing is explicit, with a full understanding and agreement between parties and stakeholders. Transfer of risk is done with the explicit understanding and agreement of all parties and stakeholders.”

US 3.3.7.8 (new) Risk provision

ge The risk provision that accompanies risk acceptance (3.3.7.1) may be different from risk financing (3.3.7.4). For some objectives “financing” is not an answer to the risk and funding the consequences may not be appropriate. Schedule risk, for instance, is a risk in time and sometimes money is not compensation enough or appropriate compensation for overruns. Similarly, quality may be defined as reliability leading to extra down-time per year, and the organization may not be satisfied by providing money.

Risk provision

A reserve appropriate to the objective under consideration that represents the impact on that objective of risk acceptance (3.3.7.1)

US 3.3.8.1 Ge “performance level” is used. If this is intended to have the same meaning as in ISO 13849-1, then fine, but if not, then alternate words should be used. Otherwise our communications will be confused.

Determine if usage is per 13849-1 and adjust accordingly.

US 3.3.8.1 Note ed Monitoring is of the risk condition.

Consider adding “condition”

US 3.3.8.2 Te This definition is unnecessary. Less is better.

Delete definition

US 3.3.8.3.1 ge I have never personally heard or used either the term risk register or risk log. Is this unique to some practice of risk management outside of industry?

US 3.3.8.3.1 page 9 Te The definition for risk register should include known and potential risks.

“record of information about identified risks” change to “a record of identified, known or potential risks”

US 3.3.8.4 Te This definition is unnecessary. How does an RM audit differ from any other audit? Change RM framework to environmental framework and the definition stands – which suggests an RM audit definition is not really needed. Less is better.

Delete definition

US 4 a) 181 Ge A statement is made in the heading that Risk management creates value. Value for whom? The organization? The stakeholders? The paragraph below does little to explain what the value is and even fails to mention the term ‘value’ in the explanation.

Add a final sentence to line 185. “This improves the value to the organization, customers, employees and any other stakeholder”

US 5 Te I did not see any remarks in the ‘design of the framework’ that talk about the impact analysis of a risk management program. Implementing any new management program will have an impact on the business. The risk management program itself can add business risk and can be related to the type of business. E.g. designing a complex and overburdened risk management framework for a small, low-risk business will increase the risk to that business. When designing a risk management framework it is important to understand the risk and impact that this will have and adjust the design to best fit the business.

Add a statement into section 5.3.3 – Integration in organizational systems –

“Developing a risk management policy that is overburdening or erroneous may have a negative effect on the organization’s other systems. It is important when designing a risk management system that it is fit for purpose and that the impact to the overall risk of the organization is understood.”

US 5.2 Ge Commitment from management is a must; however, there should be some reference to leadership in this section. In order for risk management to be successful it needs leadership, not just a mandate and commitment to do it! Management must not assume that if they say it must be done (mandate) and they commit the organization to a risk management program (commitment) that it will be effective. Management needs to lead the organization to achieve managed risk.

Additional wording such as “The introduction of risk management and ensuring its on-going effectiveness requires strong and sustained commitment by management as well as continual leadership to accomplish the strategic and tactical goals”

US 5.3.1 268 Te Culture is often used associated with an organization. However, when trying to understand the organization, it is important to consider the differing cultures and their acceptance / averseness to risk that exist within the organization.

Rewrite as: “Perceptions, values and culture of the organization and the possible differentiations of these that may exist within the organization.”

US 6.4 Ge There are currently ISO standards published on risk assessment. This standard should be harmonized with these (e.g. ISO 14121)

US 6.4 6.5 Te Risk Treatment is commonly referred to as Risk Reduction. Why is the term risk treatment now used? Also the term risk modification is used on line 527. This would indicate that within the risk management plan, it was acceptable to increase the risk as well as reduce it. This seems in conflict with Line 530 that discusses residual risk. The majority of risk management systems are designed to reduce risk. If this is not the case, then greater clarification is required as this could confuse the majority of risk managers that are trying to reduce risk.

Add clarification


US Intro 38 – 50 Te This document is restricted to vocabulary. The description of risk management is better left to 31000 or other documents that discuss the application of the vocabulary in appropriate depth. Lines 51-53 are sufficient background Introduction for a Vocabulary document.

Delete all this Intro text leaving lines 51 – 54

US Intro 54 Te What matters is a clear understanding of risk management terms within an organization or industry, not that everyone in the world uses the same definitions. If the Food industry and the Medical Devices industry and the Machine Tool industry have differing definitions of the term “Risk Analysis,” does it really matter?

Note, the Food industry has already changed its definition of the term ‘risk analysis’ once. The international food industry uses that term to describe the umbrella process of risk assessment, risk management and risk communication. This definition is very different than in Guide 73. I very much doubt the food industry would be receptive to a general ISO standard telling them to change their definition again. Nor should they if those in that industry have a common understanding.

ADD:

Other definitions and uses of the terms in this Guide 73 do exist and may conflict with the definitions given herein. Effectively managing risks requires clear communications about risks to an organization, industry, sector and stakeholders. Common understanding of terms is necessary for clear communications. In the long term, developing a common set of terms is desired in the international community. In the near term, organizations or industries that have a common understanding of risk management terms using definitions that conflict with those in this Guide 73 may choose to continue using the differing definitions to facilitate effective communications within that organization or industry.

US Introduction 133 ed The sentence ‘management can decide to critically review their existing practices or processes…’ seems misplaced and abrupt, within the context of the paragraph. I think this standard could be used to critically review an organisation’s existing system, however, I think it should be reworded in the ‘positive’

Suggested wording… “An organisation may find some of the principles and processes in this standard as beneficial in improving or evolving their own risk management system”

US Introduction 38 ge Is Organizations defined elsewhere in another ISO that is used for a basis in this document? Organizations in Risk Management must encompass both chartered entities with financial assets at risk as well as entities with professional or public perception values at risk. Thus both for profit and not for profits are covered.

Add either a definition of organization or a reference to another use of the term. Suggestion: “Organizations are chartered bodies of employment or public service with capital assets at risk or intangible assets like professional standing or reputation at risk to harm or loss.”

US Introduction 44 ed When I first read this logic, I was confused with the introduction of line 45 communication and consultation at the beginning but when I referred to Figure 3 in 31000 it made sense.

Reference Fig 3 from 31000 or insert as new figure in Introduction to Guide 73

US Introduction 47 te The EU outline for carrying out a risk assessment includes as Step 2 “evaluating and prioritizing risk”. Line 47 does not include prioritizing as a step and this is often a critical aspect of risk management decision

Consider inserting “prioritizing” in step process.

US New Def Te The April 2008 version of ISO/DIS 31000 uses the term “areas of impact” at line 474. This is an important term that had ramifications throughout 31000. It would appear that a definition is needed.

Add a new definition. It would appear the number would be 3.3.4.5.

areas of impact

financial, property, human health, or environmental conditions of the organization, risk owners, or stakeholders affected by risks.

US New Def Te The term “objective” is used in several locations in ISO/DIS 31000. It would appear useful for there to be a definition.

Add a new definition. It would appear the number would be 3.2.2.1

Objective

An internal performance goal or expectation established by an organization.
