Risk management Part 1 – Concepts and Definitions

The latest revisions of the ISO 9001, IATF 16949 and ISO 14001 standards have incorporated Risk Management as a requirement to be considered in the processes that make up the management systems of organizations. The intention is to ensure that the objectives of the management systems are achieved, to increase the desired effects, to prevent or reduce undesirable effects and to achieve improvement.

With this first installment of a series of articles, I propose a simple and logical methodology to meet the new regulatory requirements for risk management in management systems within organizations.


It is important to define and understand some concepts before starting the risk analysis:

  • Risk. “Effect of uncertainty” as defined in ISO 9000:2015 Fundamentals and vocabulary.
  • Uncertainty. “State, even partial, of information deficiency related to the understanding or knowledge of an event, its consequence or probability”.
  • Risk, then, is the effect of not understanding, or of ignoring, an event, its consequence or its probability.


In this definition we find 3 basic elements of risk analysis:

  • Event – Something that happens or can happen (potential) that is a deviation from what is expected.
  • Consequence – Effect or impact of the event on the stakeholders of the management system.
  • Probability – Estimated likelihood or possibility that the event occurs.


From the understanding of these concepts we conclude that:

  1. The greatest risk is not knowing what events can happen in the management system processes.
  2. The risk is high when we don’t understand the events that can happen in the management system processes.
  3. The risk increases as the severity of the consequences increases if the event occurs.
  4. The risk increases as the probability of the event increases.

