by Nic Plum on Monday 05 August, 2013 - 21:46 GMT
In part 1 we established that a lot of the current definitions of risk don’t actually define what a risk is - they simply define a formula for calculating it or prioritising it which doesn’t help us get at what a risk is and therefore whether it is a distinct entity.
The OED has a definition:
(Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility
Dissecting this with the old semantic scalpel we have parts:
- possibility or chance
- adverse circumstance
- a situation
Possibility or Chance
A risk always has a probability of occurring. This therefore means that the metamodel entity has ‘probability of occurrence’ as an attribute. It also means that there are qualifying values in order for it to be a risk - the probability of occurrence cannot be zero since there is then no possibility and it cannot be 100% either because it is then a certainty not a risk.
A risk is associated with a harmful outcome (the positive flip side is an opportunity). We can represent this using a relationship between risk (if the vehicle for risk is an event) and hazard (threat).
This starts to sound like an event through which the unlucky recipient is exposed to the risk. Is this a risk or is it really a description of a risky-event?
Much the same thing happens to hazard, where at least one definition defines a hazardous event rather than a hazard. In IEC 61508:2010 part 4 Hazard is defined as:
potential source of harm [Guide 51 ISO/IEC:1990]
but then adds
NOTE – The term includes danger to persons arising within a short time scale (for example, fire and explosion) and also those that have a long-term effect on a person’s health (for example, release of a toxic substance).
which isn’t correct, because the release of a toxic substance is not a hazard but a hazardous event. The toxic substance itself is the hazard. This matters because we’d represent hazard and hazardous event differently: a relationship between a Hazard and an Event, with the combination becoming the ‘hazardous event’.
Is something similar happening with risk in common parlance or definitions?
If a Risk is a distinct entity we have:
- Hazard (syn. Threat) poses Risk
- Risk is an Event (where 100 > probability of occurrence > 0)
and we can have
- Hazard (syn. Threat) to Resource (i.e. System, Physical, Software, Organisation, Job or Role)
to introduce the required ‘harm’ or ‘adverse circumstance’.
The limits on probability of occurrence have to be applied because if it is 100% it isn’t a possibility, it’s a certainty, and therefore no longer a risk. Similarly it cannot be zero, because the event can then never happen and is therefore not a risk.
We could of course just represent a Risk using Event, where the attribute ‘probability of occurrence’ takes a value between these limits when representing a risk, and is otherwise null or 100% when representing a ‘straight’ Event.
Of course even if it is a type of event there are advantages in making it a distinct entity since as an element in a tool it makes it easy to find, to navigate to or from and to distinguish it from a straight event. This utility might justify it being distinct.
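To make the two options concrete, here is an added example (not from the original article) that encodes the entities and relationships above as plain data: Hazard to Resource supplies the harm, an Event paired with a Hazard is the ‘hazardous event’, and a classifier applies the 100 > probability > 0 limits to decide whether an Event qualifies as a Risk. The class names, the percent scale and the sample chlorine scenario are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical encoding of the metamodel discussed in the article (constructed example).

@dataclass(frozen=True)
class Resource:
    name: str
    kind: str  # System, Physical, Software, Organisation, Job or Role

@dataclass(frozen=True)
class Hazard:
    """Potential source of harm (syn. Threat): the toxic substance, not its release."""
    name: str
    threatens: Tuple[Resource, ...] = ()  # 'Hazard to Resource' supplies the adverse circumstance

@dataclass(frozen=True)
class Event:
    """An Event; pairing it with a Hazard makes it a 'hazardous event'."""
    name: str
    probability: Optional[float] = None  # percent; None or 100 for a 'straight' Event
    hazard: Optional[Hazard] = None

def classify(event: Event) -> str:
    """Apply the qualifying limits: a Risk needs 100 > probability > 0 and possible harm."""
    p = event.probability
    if p is not None and not 0 <= p <= 100:
        raise ValueError(f"probability of occurrence out of range: {p}")
    if p is None or p == 100:
        return "straight event"    # a certainty, not a possibility
    if p == 0:
        return "impossible event"  # can never happen, so not a risk
    harmful = event.hazard is not None and len(event.hazard.threatens) > 0
    return "risk" if harmful else "uncertain event"  # possibility without adverse circumstance

def is_risk(event: Event) -> bool:
    """True only when the Event meets every part of the dissected OED definition."""
    return classify(event) == "risk"

# Constructed sample data: a stored toxic substance (hazard) threatening plant operators.
OPERATORS = Resource("plant operators", "Role")
TOXIC_SUBSTANCE = Hazard("stored chlorine", threatens=(OPERATORS,))
RELEASE = Event("release of chlorine", probability=5.0, hazard=TOXIC_SUBSTANCE)
SCHEDULED_DRAIN = Event("scheduled vessel drain", probability=100.0, hazard=TOXIC_SUBSTANCE)
COIN_TOSS = Event("coin toss lands heads", probability=50.0)
```

Running `classify` over the three sample events shows the distinction the article draws: only the uncertain release of the hazard to an exposed resource is a risk; the scheduled drain is a straight event and the coin toss is uncertain but harmless.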
So, is a risk a type of event?