Consolidated Comments / Date: 4th August 2008 / Document: CDV IEC 31010
1 / 2 / (3) / 4 / 5 / (6) / (7)
Clause No./
Subclause No./
Annex
(e.g. 3.1) / Line No. / Type of com-ment2 / Comment (justification for change) / Change proposed / OB/7 observations
on each comment submitted
General / Tech / Documentation is an essential part of what someone performing a risk assessment has to do / Include more about risk documentation and reporting
General / Should include other qualitative tools eg spider chart to get away from matrix
General / Need at least some definitions for ease of use and to stress to users that some definitions have changed since 60 300-3-9 / Include definitions for risk, assess, analyse and evaluate risk, risk level, consequences, likelihood event, hazard, treat and control. / Not agreed
General / There are some systems where risk cannot be defined by a likelihood of a consequences because under some circumstances (not all of which can be identified) failure will occur (software is a good example) The treatment is a required SIL (safety integrity level) to withstand a wider range of adverse circumstances This concept needs to be mentioned see MIL 882C or RTCA DO 178B
Some environmental risks may also be approached by analysing the vulnerability of species and considering how to protect them rather than considering the probability of hazards or risks / Insert something in 4.3.1 ? eg?
In some circumstances a consequence may occur as a result of a range of different events or conditions and the aim is to achieve objectives in spite of the event or circumstances and regardless of its likelihood. Examples are safety critical software, business continuity management and some environmental applications. In this case the focus of risk assessment is on analysing the criticality and vulnerability of the system with a view to defining treatments which relate to levels of protection or recovery strategies. / revised
Forward / The forward about IEC immediately gives the impression that the standard only has technical application and is likely to put off a significant part of intended audience / Replace with general ISO/IEC forward / Trying if rules allow
Intro 2nd last para at end / shouldexplicitly state that the methods discussed are notexhaustive,exclusive or prescriptive. It should also state thatthe omission of a method from the standard does not mean it is not valid. / This standard does not refer to all methods nor does the fact that a method is applicable to a particular circumstance mean that it should necessarily be applied / Agreed
Introduction / Needs more to explain the hierarchy of standards documents and to refer between them to avoid conflict / Eg This is a supporting standard for ISO31000 and provides guidance on selection and application of systematic techniques for risk assessment detailed standards are available for some of the techniques summarised here / Agreed
scope / Should state not covering analysis of financial risks or analysis of risks in some other systems / noted
4 / Title / The standard is no longer limited to technological systems / Delete for technological systems
A better heading for 4.1 would be the role of risk assessment / heading changed but role of risk assessment not agreed
Paragraphs relating to concepts currently in several different places need to be bought together in this section and headings tidied
The section on application as part of the life cycle fits better in this general section than at the in its present position. / Move section 5.6 to become either a sub-section in 4.1 – “role of risk assessment” or a new section 4.4 Application of Risk Assessment
Proposed headings are 4 Risk Assessment Concepts
4.1 purpose and benefits (or role of risk assessment)
4.2 risk assessment and the risk management framework
4.3 Risk assessment as part of the risk management process
4.4 application of risk assessment
4.4.1 General
4.4.2pplication as part of the lifecycle / headings changed
4.1 purpose / Needs a comment relating to its application in projects as opposed to organisational context / Add line at 4.4.1 general “ Risks may be assessed at an organisational level, at a departmental level, for projects, individual activities or specific risks. Different tools may be appropriate in different contexts / Accepted in 4.3.4
4.1 / Dot point 1 / Information is not necessarily objective / Delete “objective information for” replace with “reasoned arguments and information about uncertainty to assist” / agreed
4.1 / Some dot points describe the process not its purpose –
Same purpose is repeated in dot point 2, 5 and dot point 12
Dot point 10 too specific / Delete dot point 2,3, 10 and 12 / dot points modified
4.1 / Quantification is not in itself a benefit a benefit may be to set priorities for any type of risk not just OHS / Delete dot point 4 and change dot point 9 to assist with establishing priorities / Agreed
4.1 / Bullets / Te / 'understanding of the risk and its potential impact upon objectives' should be above 'providing objective information for decision makers' (especially since at times the information obtained from risk assessment may not be strictly objective - think of all the stuff about subjective probabilities (and I don't see that as a problem). / ``change bullet order / Agreed
4.1 / Last bullet point / Te / Check whether this standard uses acceptability and tolerability according to guide 73 / To be checked
4.2.1 / heading / Ed / This paragraph has two sections – framework and process. Separate these two by subheadings. This removes the need for a sub heading - general / Change subheading general to “risk management framework” and insert heading ”risk management process” after the first set of dot points / done
4.2.1 / Para 1 / Paraphrase of 31000 is neater wording / A risk management framework provides the policies, procedures and organizational arrangements that will embed risk management throughout the organization at all levels. / Agreed
4.2.1 / Para 2 / Policy to ensure objectives are met seems out of place here – objectives for what? -the organization, risk management or risk assessment / Replace words after policy or strategy with for deciding when and how risks should be assessed / Agreed
4.2.1 / Last bllt point first set / Gen / "how performance will be reported and reviewed" - performance of what? Does it mean how risk assessments will be reported and reviewed / revised
4.2.1 / Para 2 / Not part of risk assessment to set up the framework but to work within it and be aware of it. / Replace second para with the following This standard assumes that risk assessment takes place within the framework and process of risk management described in ISO 31000. In particular those carrying out risk assessment will need to be clear about / agreed
4.2.2 / Dot points in previous version missing from this were good / Add “Bring together different areas of expertise for analysing risk” / agreed
4.2.2 / Last para / Thee final paragraph concern the framework rather than the process / Delete paragraph and Add dot point to 4.2.1 how the risk assessment process interfaces with other management processes including change management, project and programme management and financial management
Add dot point to 4.2.2 “contribute to interfacing of risk assessment with other management areas and processes” / Noted
Did not deal with highlighted comment I would like it in
4.2.2 / Replace "Involving stakeholders in the risk management process is necessary in order to:" with involving stakeholders will assist in the following steps. / agreed
4.2.2 / first bullt point / To put "develop a communication plan" first is a bit chicken and eggish / Move develop a communication plan to end
Re-order other dot points to the same order as the risk management process / noted
4.2.3 / superfluous / Delete sentence that forms 2nd paragraph / noted
4.2.3
(now 4.3.3) / The lead in lines for 1), 2) and 3) are all different
1) - involves
2) - may involve
3) - includes
4) -includes / I don't really care which it is, but it would be better if it was consistent. / Revised
4.2.3 / None available / Te / Decisions need to be backed up with actions. Suggest re-enforcing this often missed step. / Insert “and actions” after “decisions” in the first line of page 13. / agreed
4.2.3 / superfluous / Delete sentence that forms 2nd paragraph / noted
4.2.4 / 2nd sentence / clarifies / Insert their before likelihoods / agreed
4.2.4 / Bullets / the last two should be up front / agreed
4.2.4 / Bullets / Positive aspects need to be included / Add bullet “how to make the most of opportunities” / agreed
4.2.5 / Mitigating implies only negative risk - / Replace mitigate with change / revised
4.2.5 / Te / Possible inconsistency with terminology used in ISO 31000. / Change “occurrence” to “likelihood” / Revised
5.1 / Last para of 5.1 would be better after first sentence of 5.1 / Eric
5.1 last para / Line 2 / Ed / Insert achievement of before objectives / Agreed
5.3.1 / There are some systems where risk cannot be defined by a likelihood of a consequences because under some circumstances (not all of which can be identified) failure will occur (software is a good example) The treatment is a required SIL (safety integrity level) to withstand a wider range of adverse circumstances This concept needs to be mentioned see MIL 882C or RTCA DO 178B
Some environmental risks may also be approached by analysing the vulnerability of species rather than specifically causes l / Insert something in 5.3.1 ? eg?
In some circumstances a consequence may occur as a result of a range of different events or conditions, or where the specific event is not identified. In this case the focus of risk assessment is
on analysing the criticality and vulnerability of the system with a view to defining treatments which relate to levels of protection or recovery strategies. / agreed
5.3.1 Risk Analysis / Mention that more than one technique might be required for complex problems at end of paragraph 3 / noted
5.3.1 / Second para / te / The sequence of the terms consequence and likelihood are noted firstly in this order and then again in reverse. / Change to “The consequences and likelihood are then combined to determine a level of risk. / revised
5.3.1 / Para 2 / Many of the risk analysis techniques in Annex do not determine both consequences and likelihood and combine them. This paragraph needs to be less mechanistic / Replace Ist 3 paras with words from 6.4.3 lines 487- 494 in ISO31000 ie
Risk analysis is about developing an understanding of the risk. It provides an input to risk evaluation and to decisions on whether risks need to be treated and on the most appropriate treatment strategies and methods.
Risk analysis involves consideration of the causes and sources of risk, their positive and negative consequences and the likelihood those consequences can occur. Factors that affect consequences and likelihood should be identified. Risk is analysed by determining consequences and their likelihood and other attributes of the risk An event may have multiple consequences and can affect multiple objectives Existing risk controls and their effectiveness should be taken into account.
Then add para 2 from 5.3.4
Keep
methods of analysis are described in Annex B / agreed
5.3.1 / Word semi is missing before quantitative in last sentence of paragraph starting quantitative analysis / Insert word semi-
5.3.2 / Para 1 / Impacts and Severity have negative implications / Replace severity with magnitude and impact with consequences / agreed
5.3.2 / Para 1 / The consequences considered may be indirectly rather than directly related to objectives - statement needs to be broader / consequence analysis analyses the nature and type of impact which could occur assuming that a particular …… / agreed
5.3.2 / The section on consequence analysis seems out of balance with the likelihood analysis . It needs to be expanded by mentioning modelling and vulnerability analysis. add after first sentence of paragraph / It can vary from a simple description of outcomes to detailed quantitative modelling or vulnerability analysis / Agreed
5.3.2 / ed / Last line of this section is a repeat of the bullet point introduction. / Delete last line. / noted
5.3.2 / Para 1 / Provide some guidance on choosing conceivable, credible or relevant consequences in this section / After impacts of different severity add words
Typically impacts may have a low consequence but high probability; or a high consequence but a low probability, or some intermediate outcome.
In many cases it is appropriate to focus on risks with potentially very large outcomes, as these are often of greatest concern to managers. In some cases it may be important analyse both common low consequence risks separately For example, a frequent but low-impact (or chronic) problem may have large cumulative or long-term effects. In addition, the treatment actions for dealing with these two distinct kinds of risks are often quite different, so it is useful to analyse them separately / agreed
Add to first paragraph of 5.3.2 The types of consequence and to which stakeholder will have been decided when the context was established / agreed
5.3.2 / Above dot points / may not should / Change to “depending on context consequence analysis may / Revised
There is nothing on controls analysis although some of the techniques listed in appendix B do focus on controls| (Eg HACCP LOPA and to an extent Bow tie analysis) Controls assessment is in appendix although it is not a formal technique . Suhggest removing technique from appendix and adding paragraph in Analysis or evaluation section / The level of risk will depend on the adequacy and effectiveness of existing controls This requires answers to the following :