Template for comments and secretariat observations
Date:
Document: ISO/IEC CD 2 Guide 73

Columns: 1 MB¹ | 2 Entry No. of terms (e.g. 3.1.1) | (3) Number of Notes (e.g. NOTE 1) / Line numbers (e.g. 61) | 4 Type of comment² | 5 Comment (justification for change) by the MB | (6) Proposed change by the MB | (7) Secretariat observations on each comment submitted

US | Ge
Comment: Guide 73 definitions should be included in the actual 31000 document. Since Guide 73 pre-dates 31000, it now makes sense to integrate Guide 73 into 31000. The fact that they are being presented as stand-alone documents is a primary reason the AIHA is voting “no, with comments” with regard to Guide 73.
Proposed change: Combine Guide 73 and ISO 31000.

US | Ge
Comment: It seems odd to be reviewing and voting on the definitions prior to the actual standard.
Proposed change: If Guide 73 and ISO 31000 are not combined, then at least have their review and comment cycles directly match. Allow one more round of comments on Guide 73 after ISO 31000 is finalized, if the documents are not combined.

US
Comment: BMain Risk Terms Appendix 2004.doc

US | ge
Comment: Generally, all consensus standards include definitions. It is not clear why Guide 73 needs to be a stand alone document. It should be incorporated into the affected standards and then deleted. It is not a user-friendly process to have key definitions located outside a standard such as ISO 31000 or any other consensus standard. Moreover, it makes the review process of affected standards, such as ISO 31000, difficult and disjointed. On the ballot for Guide 73, I voted YES WITH COMMENTS, as I am not sure of how many standards are dependent upon Guide 73.

US | 1 | 160 | Ed
Comment: “Therefore, this International Standard is generic and not specific to any industry or sector.” The term generic is superfluous here as it is already stated.
Proposed change: Remove the term generic.

¹ MB = Member body (enter the ISO 3166 two-letter country code, e.g. CN for China; comments from the ISO/CS editing unit are identified by **)
² Type of comment: ge = general te = technical ed = editorial
NOTE Columns 1, 2, 4, 5 are compulsory.
page 1 of 16 ISO electronic balloting commenting template/version 2001-10


US | 1 | 66 | Ed
Comment: Grammar
Proposed change: …management, see ISO 31000

US | 2 | 71 | Te
Comment: See justification for comment regarding line 54
Proposed change: ADD: Thus, certain applications may use different or even conflicting definitions of terms defined in this Guide 73.

US | 2 | 78 | Ed
Comment: Singular figure
Proposed change: Figure

US | 2 | 81 | Ed
Comment: The figure provides a useful hierarchy of the terms. The order of the terms within a level is very confusing. For example, why is Uncertainty the first term under Risk Analysis when you cannot really evaluate uncertainty until you’ve estimated the other factors and arrived at a risk level?
Proposed change: Reorder the terms within a common level to follow some logical order such as order of use, alphabetical or something.

Comment: Pick your battles. The list of terms in most ISO documents is completely user unfriendly. They usually appear in numerical order and not alphabetical order – which most glossaries use. I understand that different languages would require differing ordering for the country specific versions, but doesn’t it make more sense to alphabetize the lists and have the numbering be out of order rather than the numbering in good order but the terms completely out of order?
Proposed change: Best solution is to assign sequential numbers to one language according to the alphabetical listing in that language. Then allow other languages to reorder the terms in alphabetical order within their language versions, but require that they keep the common numbering (thus the numbering would not be sequential in all versions but the numbering would refer to the same terms in all languages). Second option would be to move the Alphabetical Index to immediately follow Figure 1.

US | 2 | Page 2, table | Ed
Comment: Under risk analysis (3.3.5), Uncertainty (3.3.5.1) is misspelled.
Proposed change: Use correct spelling

US | 3 | ge
Comment: This guide is well organized and written. The reader must be aware that even though ISO31000 is applicable in the management of risk to safety, the safety related terms and concepts are found in Guide 51.

US | 3 | ge
Comment: As a management standard, there should be some reference to how other ISO standards could/would relate to this standard. Users are confused on how this standard relates to other peer standards (management standards) and to ISO norms.
Proposed change: Add a section/flowchart on how an organisation may be able to implement this standard in conjunction with other ISO standards – similar to the European EN A/B/C structure

US | 3 | ge
Comment: “Known Risk” – I don’t see any definition for this term although I do see “identified risk” used in definitions.
Proposed change: Define Known Risk, or alter definition of risk

US | 3 | ge
Comment: “Unknown Risk” – Same comment as above.
Proposed change: Define Unknown Risk, or alter definition of risk

US | 3.1 | Te
Comment: The change in the definition of “risk” from Guide 73:2002 to include both negative and positive outcomes is a very significant change; the proposed definition here is not in accord with common usage and is extremely ill-advised. The definition should remain as it was in Guide 73:2002.
Proposed change: Risk Definition – “combination of the probability of an event and its consequences.”

US | 3.1 | Te
Comment: This definition of Risk is very vague. I’ve sent a list of existing definitions of the term to Tim Fisher. I suggest that the TAG review them and select a clearer definition.

US | 3.1 | te
Proposed change: Revisit the definition of risk and potentially adopt the definition already used by economists, or add Notes
Comment: Economists, versus statisticians, further define risks as measurable, with unmeasurable uncertainties not being defined as risks. In economics, the definitions of risk and uncertainty are different, and the distinction between the two is clearer. Frank H. Knight established the economic definition of the terms in his landmark book, Risk, Uncertainty, and Profit


(1921):
- risk is present when future events occur with measurable probability
- uncertainty is present when the likelihood of future events is indefinite or incalculable
From paragraph 26 of Part I, Chapter 1: It will appear that a measurable uncertainty, or "risk" proper, as we shall use the term, is so far different from an unmeasurable one that it is not in effect an uncertainty at all. We shall accordingly restrict the term "uncertainty" to cases of the non-quantitative type. It is this "true" uncertainty, and not risk, as has been argued, which forms the basis of a valid theory of profit and accounts for the divergence between actual and theoretical competition.
In addition, we suggest there be further discussion about the inclusion as risk of potential outcomes that have only potential for a positive impact (if such exist).

US | 3.1 | ge
Proposed change: 3.1 Risk: An uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective.
Comment: Risk is not the same thing as “effect of uncertainty on objectives.” Risk is the “uncertain event or condition that, if it occurs, has a positive or negative effect on a project objective.” (PMI PMBOK(R) Guide, 3rd edition, 2004) Risk describes the uncertain event or condition, not its “effect ...on objectives.” The very basic distinction between the risk and its effect should not be confused. We agree that the risk is something that has an impact, but to combine the risk with its effect is to confuse the concept. Risk can be
1. Ambiguity such as (in the project management world) the general error in making estimates with an immature design


2. Uncertainty such as labor rates that may be one level or another based on market conditions
3. Risk events such as failing the factory acceptance test and having to re-fabricate the product.
The first two (ambiguity and uncertainty) are usually thought of as having a probability of 100% but an uncertain impact on objectives, while the third (risk events) may have a probability less than 100% and also an uncertain impact on the objective.

US | 3.1 | Note 4 (add) | ge
Comment: The term risk could mean “a risk” that has probability and impact or it could mean “risk to the system” which is the result of individual risks, ambiguities and uncertainties. We should include reference to this other use of the term “risk.”
Proposed change: NOTE 4: Risk can refer to the uncertainty in the system’s objectives that is caused by the possible or potential action (including interaction) of individual, several or many risks that are contained within or impact on the system’s objectives.

US | 3.2 | page 3 | Te
Comment: The definition for risk management should reflect the connection to adverse events.
Proposed change: Change …”with regard to risk” to …”with regard to adverse risk events.”

US | 3.2.2 | Te
Comment: Shouldn’t a policy be documented? Intentions and directions are just ideas.
Proposed change: CHANGE To: The documented statement of the overall intentions and…

US | 3.2.3 | Ge
Comment: General comment: There are many different “plans” and “processes” referenced in this document and 31000. It is confusing to try and keep track of what is required. It would be helpful to the reader of 31000 if there was a summary listing of what they are expected to produce.

US | 3.2.3 | Note | ed
Comment: We also use “Guidelines” as a management component where non-mandatory procedures or practices are available for application.
Proposed change: Consider inserting “guidelines”

US | 3.3.1 | Te
Proposed change: Delete communication from the definition and keep only consultation portion
Comment: I fail to see how this definition of communication adds value. The use of this term is no different than it is used


in most dictionaries and in daily use.

US | 3.3.1 | page 3 | Te
Comment: The definition for communication and consultation is nice. In ISO/DIS 31000 (2008-04-01) the word consult is used at line 340.
Proposed change: Either consider including a definition for consult, or change language at line 340 to say consultation.

US | 3.3.1.1 | Te
Comment: I fail to see how this definition adds value. The use of this term is no different than it is used in most dictionaries and in daily use.
Proposed change: Delete definition.

US | 3.3.1.1 | page 4 | Te
Comment: The definition for stakeholder should be strengthened.
Proposed change: Change …”that can affect, be affected by, or perceive themselves to be affected by a decision or activity.” Change to: ”that can affect or be affected by a decision or activity. Potential stakeholders include any person or organization that perceives themselves to be affected by a decision or activity”.

US | 3.3.1.2 | ed
Comment: Is it acceptable to have a section that only contains Notes and not text or explanation?

US | 3.3.1.2 | Ed
Comment: Clarity.
Proposed change: Change to: Risk perception is subjective and can differ from objective data.

US | 3.3.1.2 | New Note 3 | te
Proposed change: “Risk perception includes subjective values and beliefs which must be considered in consultation.”

US | 3.3.2.1 | page 5 | Te
Comment: The third note for the definition on external context should reflect the risk appetite of the external stakeholders.
Proposed change: At the end of the third note, add …”and their risk appetite.”

US | 3.3.2.2 | Note | ed
Comment: Need clarification of – items 3 and 5 syntax to reflect subjective elements in internal context.
Proposed change: Change internal stakeholders to “internal organization stakeholders’ perceptions and values”. Change perceptions, values and culture to “organizational culture”.


US | 3.3.2.2 | Page 5 | Te
Comment: The third note for the definition on internal context should reflect the risk appetite of the internal stakeholders. An example here are an organization’s workers.
Proposed change: At the end of the third note, add …”and their risk appetite.”

US | 3.3.3 risk assessment | ge
Comment: Since we are recommending a new term, level of overall system risk, it should be included in 3.3.3
Proposed change: overall process of risk identification (3.3.4), risk analysis (3.3.5), risk evaluation (3.3.6) and level of overall system risk (3.3.5.11)

US | 3.3.4.1 | page 6 | Te
Comment: Note 1 for the definition on risk source should reflect exposure, not interaction.
Proposed change: In Note 1, change “interaction” to “exposure.”

US | 3.3.4.2 | Te
Comment: We define this term and then have 6 Notes to explain it. Unnecessary. We define ‘event’ using the term ‘circumstances’ but don’t explain what a circumstance is. This adds confusion not clarity. The Notes are conflicting – in 1 we say likelihood is unknowable and in 3 we say it can be determined. Note 1 is untrue. The consequence of an event is often quite knowable. What the heck is “Nature” anyway? Note 4 is very vague. If our reader of Guide 73 doesn’t understand what an event is, we have bigger issues than defining the term. This is a Guide of vocabulary, not a primer.
Proposed change: Delete this definition.

US | 3.3.4.4 | page 6 | Te
Comment: The definition for risk owner needs to reflect the adverse or positive effect of risk treatments.
Proposed change: At the end of this definition, include …”and subsequent adverse or positive effect.”

US | 3.3.5 | Te
Comment: “comprehend the nature of risk” Really. What does this mean?
Proposed change: TAG to review list of alternate definitions submitted to Tim Fisher and select a better definition

US | 3.3.5 Risk analysis | ge
Comment: The discussion of risk analysis in this document is dominated by descriptions of individual risks. It does not deal with overall risk to the system’s objective that can come from or be influenced by all risks potentially affecting the objective and operating simultaneously. The latter inquiry, into overall risk to the objective, is pursued by quantitative methods such as simulation. We need to include this branch of the discipline in this document.
Proposed change: process to comprehend the nature of individual risks (3.1) and to determine the overall level of overall system risk (3.3.5.10)

US | 3.3.5.1 | ed
Comment: Text clarification – “state” is multi meaning and needs a modifier for definition
Proposed change: Consider “knowledge state”

US | 3.3.5.1 | Ed
Comment: Clarify intent.
Proposed change: Change to: State of deficiency of information related to an event…

US | 3.3.5.10 | Te
Comment: We are able to define a “level of risk” by stating it is related to consequences and likelihood, but our definition of risk does not state that. Indeed if you replace the word “risk” with its definition in 3.3.5.10, it gets really confusing. A better definition of risk using consequences and likelihood would allow simplifying this current definition to “magnitude of a risk” or deleting the definition entirely as it is obvious (with the better definition of risk).
Proposed change: Modify risk definition and delete unnecessary portions of this definition or the definition entirely.

US | 3.3.5.11 (new) Level of overall system risk | ge
Comment: This element is where we should be explicit in talking about overall system risk (a separate use of the term “risk” – see my recommended added Note 4 to item 3.1). Since 3.3.5.10 concerns “a risk” we need to add a new item. This deals with the overall level of risk to a system objective that results from the possible simultaneous operations of several individual risks. The analysis of overall system risk is done using tools such as Monte Carlo simulation, not the multiplication or combination of individual risks’ probability and impact.
Proposed change: 3.3.5.11 Overall level of risk to objectives: The level of risk to system objectives resulting from the effects of all risks within the system or impacting the system objectives from without.
Note 1: the overall level of risk to objectives is found by aggregating (3.3.6.5) the probability and impact of all risks simultaneously as they affect the system’s objective.
Note 2: Measurement of the overall level of risk may be in terms of the probability of achieving the objective and the amount of contingency reserve needed to raise the probability to an amount acceptable to the organization.
Note 3: An additional measure associated with the overall level of risk to the objectives is the identification of the individual risks that contribute most to the overall risk. Individual risks can be prioritized by their importance to the system using this measure.

US | 3.3.5.2.1 | ge
Comment: Is exposure magnitude or frequency?
Proposed change: If needed add explanation

US | 3.3.5.3 | Note 2 | Ed
Comment: Adding ‘objectives’ confuses the issue. What is an objective? We don’t define it and it really isn’t needed for the point made by the Note.
Proposed change: Change to: …negative effects.

US | 3.3.5.4 | te
Comment: I propose that we add a note per the following: Note 2 – For planning purposes, the probability of occurrence may be set to “1” when it’s necessary to plan for a scenario where the assumption is that the incident will occur.
Proposed change: Add Note: Note 2 – For planning purposes, the probability of occurrence may be set to “1” when it’s necessary to plan for a scenario where the assumption is that the incident will occur.

US | 3.3.5.7 | ge
Comment: Is vulnerability both internal and external? Both are critical and must be considered.
Proposed change: If needed define susceptibility as both internal and external threats

US | 3.3.5.8 | ge
Comment: A risk matrix can be either numerical or qualitative
Proposed change: Possibly a note is needed

US | 3.3.5.8 | Ge
Comment: Words are great but showing a simple example of a risk matrix would be helpful in conveying the intent
Proposed change: Add an example

US | 3.3.6 risk evaluation | 1 | ge
Comment: There is no mention of Risk Significance. This is prominent in all global management risk assessment approaches.

US | 3.3.6 | Note 2 | Te
Comment: In many applications there is no ‘process’ of evaluation nor much of a risk analysis. You select consequence level, likelihood level, and decide if the risk is acceptable.
Proposed change: Add new Note 2: Note 2: In some instances risk evaluation may simply be a decision rather than a process

US | 3.3.6.2 | ed
Comment: I personally find the use of “appetite” incorrect since it implies fulfilment to capacity
Proposed change: Is “limit” a more appropriate term?

US | 3.3.6.2 | page 8 | Te
Comment: The definition for risk appetite is too narrow by only considering the organization. With connections to stakeholders and risk owners, these additional entities should be included.
Proposed change: After organization, insert …”stakeholder, or risk owners”. This definition would now read “amount and type of risk (3.1) an organization, stakeholder or risk owner is prepared to pursue or take.”

US | 3.3.6.3 | page 8 | Te
Comment: The definition for risk tolerance is too narrow by only considering the organization. With connections to stakeholders and risk owners, these additional entities should be included. It would appear that “ability” is a better word than “readiness” in this definition.
Proposed change: After organization’s, insert …”stakeholders, or risk owners”. Replace readiness with ability. This definition would now read “organization’s, stakeholders’, or risk owners’ ability to bear the risk (3.1) after risk treatments (3.3.7) in order to achieve its objectives.”

US | 3.3.6.4 | page 8 | Te
Comment: For the definition on risk aversion, it would appear that propensity is a better word than attitude.
Proposed change: Replace “attitude” with “propensity.”

US | 3.3.6.5 | Ed
Comment: We have many different processes in the document. We don’t need to suggest there is another.
Proposed change: Change: combining …

US | 3.3.6.7 | Note 1, bullet 2 | Ed
Comment: Clarity
Proposed change: Change: - deciding to…

US | 3.3.7 | Note 1, item 2 | ed
Comment: Second item: “– seeking…” is grammatically confusing. I read this three times and never understood the intent.
Proposed change: Reword sentence

US | 3.3.7 | Note 1, Item 6 | ed
Comment: I concur with the AIHA comments on ISO 31000 that sharing with other parties should be “consenting parties”


US | 3.3.7 | Note 1, item 4 | te
Comment: Is “changing the nature and magnitude of likelihood” the same as hardening the object? In control strategy, hardening is frequently used to mitigate effect.
Proposed change: Consider where hardening goes in this list of items. Could also go with consequences

US | 3.3.7 | page 8 | Te
Comment: For the sixth bullet of note 1 for risk treatment, the concept of “agreement” should be included.
Proposed change: Replace the sixth bullet with, “establishing an agreement with one or more parties to share risk.”

US | 3.3.7 | Page 8 | Te
Comment: The seventh bullet of note 1 for risk treatment seems odd. We understand the concept, but there is something counterintuitive with this bullet. It is not clear that it adds anything, and if it does, it undermines the definition and intent in ISO 31000.
Proposed change: Delete the seventh bullet that reads “retaining risk by choice.”

US | 3.3.7.1 | Note 3 | Ed
Comment: In most instances risks that are accepted are not monitored or reviewed. Low risk items are rarely reviewed, nor should they be. Higher risk items should be.
Proposed change: Change: Risks accepted may be subject to monitoring…

US | 3.3.7.1 | Note 4 (new) | ge
Comment: Risk acceptance often is accompanied by a risk provision. In projects this is called “contingency” or “reserve.” This provision is intended to increase the likelihood of success.
Proposed change: Note 4: Risks are often accepted with a provision or reserve intended to increase the likelihood of success to a level that is acceptable to the organization. This differs from risk mitigation that is intended to reduce the probability or impact of a risk.

US | 3.3.7.2 | Note | ed
Comment: Risk avoidance is also based on regulatory obligations which could be different than legal (contractual) obligations.
Proposed change: Consider adding “regulatory”

US | 3.3.7.3 | ed
Comment: Same as 3.3.7; consenting parties

US | 3.3.7.3 | Page 8 | Te
Comment: For the definition on risk sharing, the entities with whom risk is shared needs to be expanded. Risk is shared with more than just other parties.
Proposed change: At the end of this definition, insert …”or stakeholders.”

US | 3.3.7.3 | Page 9 | Te
Comment: Risk sharing can involve “risk transfer.” A new note should be added that indicates that risk transfers should be explicit, understood and agreed to by parties and stakeholders involved.
Proposed change: Add a new note, this would be note 4. It would state “Risk sharing is explicit, with a full understanding and agreement between parties and stakeholders. Transfer of risk is done with the explicit understanding and agreement of all parties and stakeholders.”

US | 3.3.7.8 (new) Risk provision | ge
Comment: The risk provision that accompanies risk acceptance (3.3.7.1) may be different from risk financing (3.3.7.4). For some objectives “financing” is not an answer to the risk and funding the consequences may not be appropriate. Schedule risk for instance is a risk in time and sometimes money is not compensation enough or appropriate compensation for overruns. Similarly, quality may be defined as reliability leading to extra down-time per year, and the organization may not be satisfied by providing money.
Proposed change: Risk provision: A reserve appropriate to the objective under consideration that represents the impact on that objective of risk acceptance (3.3.7.1)

US | 3.3.8.1 | Ge
Comment: “performance level” is used. If this is intended to have the same meaning as in ISO 13849-1, then fine, but if not then alternate words should be used. Otherwise our communications will be confused.
Proposed change: Determine if usage is per 13849-1 and adjust accordingly.

US | 3.3.8.1 | Note | ed
Comment: Monitoring is of the risk condition
Proposed change: Consider adding “condition”

US | 3.3.8.2 | Te
Comment: This definition is unnecessary. Less is better.
Proposed change: Delete definition

US | 3.3.8.3.1 | ge
Comment: I have never personally heard or used either the term risk register or risk log. Is this unique to some practice of risk management outside of industry?

US | 3.3.8.3.1 | page 9 | Te
Comment: The definition for risk register should include known and potential risks.
Proposed change: “record of information about identified risks” change to “a record of identified, known or potential risks”

US | 3.3.8.4 | Te
Comment: This definition is unnecessary. How does an RM audit differ from any other audit? Change RM framework to environmental framework and the definition stands – which suggests an RM audit definition is not really needed. Less is better.
Proposed change: Delete definition


MB: US | Clause: 4 a) | Line: 181 | Type: ge
Comment (justification for change): A statement is made in the heading that Risk management creates value. Value for whom? The organization? The stake-holders? The paragraph below does little to explain what the value is and even fails to mention the term 'value' in the explanation.
Proposed change: Add a final sentence to line 185: "This improves the value to the organization, customers, employees and any other stake holder."

MB: US | Clause: 5 | Type: te
Comment (justification for change): I did not see any remarks in the 'design of the framework' that talk about the impact analysis of a risk management program. Implementing any new management program will have an impact on the business. The risk management program itself can add business risk, and this can be related to the type of business. E.g. designing a complex and overburdened risk management framework for a small, low-risk business will increase the risk to that business. When designing a risk management framework it is important to understand the risk and impact that this will have and adjust the design to best fit the business.
Proposed change: Add a statement into section 5.3.3 – Integration in organizational systems – "Developing a risk management policy that is overburdening or erroneous may have a negative effect on the organization's other systems. It is important when designing a risk management system that it is fit for purpose and that the impact to the overall risk of the organization is understood."

MB: US | Clause: 5.2 | Type: ge
Comment (justification for change): Commitment from management is a must; however, there should be some reference to leadership in this section. In order for risk management to be successful it needs leadership, not just a mandate and commitment to do it! Management must not assume that if they say it must be done (mandate) and they commit the organization to a risk management program (commitment) that it will be effective. Management needs to lead the organization to achieve managed risk.
Proposed change: Additional wording such as "The introduction of risk management and ensuring its on-going effectiveness requires strong and sustained commitment by management as well as continual leadership to accomplish the strategic and tactical goals."

MB: US | Clause: 5.3.1 | Line: 268 | Type: te
Comment (justification for change): Culture is often associated with an organization. However, when trying to understand the organization, it is important to consider the differing cultures, and their acceptance / averseness to risk, that exist within the organization.
Proposed change: Rewrite as "Perceptions, values and culture of the organization and the possible differentiations of these that may exist within the organization."

MB: US | Clause: 6.4 | Type: ge
Comment (justification for change): There are currently ISO standards published on risk assessment. This standard should be harmonized with these (e.g. ISO 14121).

MB: US | Clause: 6.4, 6.5 | Type: te
Comment (justification for change): Risk Treatment is commonly referred to as Risk Reduction. Why is the term risk treatment now used? Also, the term risk modification is used on line 527. This would indicate that within the risk management plan it was acceptable to increase the risk as well as reduce it. This seems in conflict with line 530, which discusses residual risk. The majority of risk management systems are designed to reduce risk. If this is not the case, then greater clarification is required, as this could confuse the majority of risk managers that are trying to reduce risk.
Proposed change: Add clarification.

MB: US | Clause: Intro | Lines: 38 – 50 | Type: te
Comment (justification for change): This document is restricted to vocabulary. The description of risk management is better left to 31000 or other documents that discuss the application of the vocabulary in appropriate depth. Lines 51-53 are sufficient background Introduction for a Vocabulary document.
Proposed change: Delete all this Intro text, leaving lines 51 – 54.

MB: US | Clause: Intro | Line: 54 | Type: te
Comment (justification for change): What matters is a clear understanding of risk management terms within an organization or industry, not that everyone in the world uses the same definitions. If the Food industry and the Medical Devices industry and the Machine Tool industry have differing definitions of the term "Risk Analysis," does it really matter?
Note, the Food industry has already changed its definition of the term 'risk analysis' once. The international food industry uses that term to describe the umbrella process of risk assessment, risk management and risk communication. This definition is very different from that in Guide 73. I very much doubt the food industry would be receptive to a general ISO standard telling them to change their definition again. Nor should they, if those in that industry have a common understanding.
Proposed change: ADD: "Other definitions and uses of the terms in this Guide 73 do exist and may conflict with the definitions given herein. Effectively managing risks requires clear communications about risks to an organization, industry, sector and stakeholders. Common understanding of terms is necessary for clear communications. In the long term, developing a common set of terms is desired in the international community. In the near term, organizations or industries that have a common understanding of risk management terms using definitions that conflict with those in this Guide 73 may choose to continue using the differing definitions to facilitate effective communications within that organization or industry."

MB: US | Clause: Introduction | Line: 133 | Type: ed
Comment (justification for change): The sentence 'management can decide to critically review their existing practices or processes…' seems misplaced and abrupt within the context of the paragraph. I think this standard could be used to critically review an organisation's existing system; however, I think it should be reworded in the 'positive'.
Proposed change: Suggested wording… "An organisation may find some of the principles and processes in this standard as beneficial in improving or evolving their own risk management system."

MB: US | Clause: Introduction | Line: 38 | Type: ge
Comment (justification for change): Is Organizations defined elsewhere in another ISO that is used for a basis in this document? Organizations in Risk Management must encompass both chartered entities with financial assets at risk as well as entities with professional or public perception values at risk. Thus both for-profit and not-for-profits are covered.
Proposed change: Add either a definition of organization or a reference to another use of the term. Suggestion: "Organizations are chartered bodies of employment or public service with capital assets at risk or intangible assets like professional standing or reputation at risk to harm or loss."

MB: US | Clause: Introduction | Line: 44 | Type: ed
Comment (justification for change): When I first read this logic, I was confused with the introduction of line 45 communication and consultation at the beginning, but when I referred to Figure 3 in 31000 it made sense.
Proposed change: Reference Fig 3 from 31000 or insert as a new figure in the Introduction to Guide 73.

MB: US | Clause: Introduction | Line: 47 | Type: te
Comment (justification for change): The EU outline for carrying out a risk assessment includes as Step 2 "evaluating and prioritizing risk". Line 47 does not include prioritizing as a step, and this is often a critical aspect of risk management decision
Proposed change: Consider inserting "prioritizing" in step process.

MB: US | Clause: New Def | Type: te
Comment (justification for change): The April 2008 version of ISO/DIS 31000 uses the term "areas of impact" at line 474. This is an important term that had ramifications throughout 31000. It would appear that a definition is needed.
Proposed change: Add a new definition. It would appear the number would be 3.3.4.5.
areas of impact
financial, property, human health, or environmental conditions of the organization, risk owners, or stakeholders affected by risks.

MB: US | Clause: New Def | Type: te
Comment (justification for change): The term "objective" is used in several locations in ISO/DIS 31000. It would appear useful for there to be a definition.
Proposed change: Add a new definition. It would appear the number would be 3.2.2.1.
Objective
An internal performance goal or expectation established by an organization.
