Listing all articles in The Residual World under the category 'Architecture Framework' :

Definitions - What Exactly is a Risk Part 2?

by Nic Plum on Monday 05 August, 2013 - 21:46 GMT

Posted in: Architecture Framework, TRAK

Tags: definition, hazard, ontology, risk, standard, threat

In part 1 we established that a lot of the current definitions of risk don’t actually define what a risk is - they simply define a formula for calculating it or prioritising it, which doesn’t help us get at what a risk is and therefore whether it is a distinct entity.

The OED has a definition:

(Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility

Dissecting this with the old semantic scalpel we have parts:

  • possibility or chance
  • adverse circumstance
  • a situation

Possibility or Chance

A risk always has a probability of occurring. This therefore means that the metamodel entity has ‘probability of occurrence’ as an attribute. It also means that there are qualifying values in order for it to be a risk - the probability of occurrence cannot be zero since there is then no possibility and it cannot be 100% either because it is then a certainty not a risk.

Adverse Circumstance

A risk is associated with a harmful outcome (the positive flip side is an opportunity). We can represent this using a relationship between risk (if the vehicle for risk is an event) and hazard (threat).

A Situation

This starts to sound like an event through which the unlucky recipient is exposed to the risk. Is this a risk or is it really a description of a risky event?

Much the same thing happens to hazard, where at least one definition defines a hazardous event, not a hazard. In IEC 61508:2010 part 4 Hazard is defined as:

potential source of harm [Guide 51 ISO/IEC:1990]

but then adds

NOTE – The term includes danger to persons arising within a short time scale (for example, fire and explosion) and also those that have a long-term effect on a person’s health (for example, release of a toxic substance).

which isn’t correct because the release of a toxic substance is not a hazard but a hazardous event. The toxic substance represents the hazard. This is important because we’d represent hazard and hazardous event differently with a relationship between a Hazard and Event and the combination becomes the ‘hazardous event’.

Is something similar happening with risk in common parlance or definitions?

If a Risk is a distinct entity we have:

  • Hazard (syn. Threat) poses Risk
  • Risk is an Event (where 100% > probability of occurrence > 0)

and we can have

  • Hazard (syn. Threat) to Resource (i.e. System, Physical, Software, Organisation, Job or Role)

to introduce the required ‘harm’ or ‘adverse circumstance’.

The limits on probability of occurrence have to be applied because if it is 100% it isn’t a possibility, it’s a certainty, and therefore no longer a risk. Similarly it cannot be zero because it can then never happen and is therefore not a risk.

We could of course just represent a Risk using Event where the value of an attribute ‘probability of occurrence’ takes a value between these limits when representing a risk and is otherwise null or 100% if representing a ‘straight’ Event.

Of course even if it is a type of event there are advantages in making it a distinct entity since as an element in a tool it makes it easy to find, to navigate to or from and to distinguish it from a straight event. This utility might justify it being distinct.

So, is a risk a type of event?
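To make the two representations weighed above concrete, here is a small added example (not TRAK’s own metamodel, and not code from the original post; every entity, relationship and attribute name is an assumption). It models Hazard, Event, Resource and the ‘poses’ and ‘to Resource’ relationships, treats a Risk as an Event whose ‘probability of occurrence’ lies strictly between 0 and 100%, and keeps the IEC-style probability × severity figure as a metric derived from the entity rather than as its definition. The sample data is constructed for the example.

```python
"""Toy metamodel for Hazard / Risk / Event / Resource (added example, names assumed)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Resource:
    """Something that can be harmed: System, Physical, Software, Organisation, Job or Role."""
    name: str
    kind: str


@dataclass(frozen=True)
class Hazard:
    """Potential source of harm (synonym: Threat). The toxic substance, not its release."""
    name: str


@dataclass(frozen=True)
class Event:
    """An event. probability None (or 1.0) means a 'straight' event rather than a risk."""
    name: str
    probability: Optional[float] = None


@dataclass
class Model:
    """Entities plus the two relationships discussed in the post."""
    resources: list[Resource] = field(default_factory=list)
    hazards: list[Hazard] = field(default_factory=list)
    events: list[Event] = field(default_factory=list)
    poses: list[tuple[Hazard, Event]] = field(default_factory=list)        # Hazard poses Risk
    threatens: list[tuple[Hazard, Resource]] = field(default_factory=list)  # Hazard to Resource


def is_risk(event: Event) -> bool:
    """Qualifying bound from the post: 0 < probability of occurrence < 1 (i.e. 100%)."""
    p = event.probability
    return p is not None and 0.0 < p < 1.0


def risks(model: Model) -> list[Event]:
    """The 'find all risks' query a distinct Risk entity would make trivial in a tool."""
    return [e for e in model.events if is_risk(e)]


def hazardous_events(model: Model) -> list[tuple[str, str]]:
    """Hazard plus Event is the 'hazardous event' (toxic substance + its release)."""
    return [(h.name, e.name) for h, e in model.poses]


def validate(model: Model) -> list[str]:
    """Checks implied by the definitions: a probability outside [0, 1] is meaningless,
    exactly 0 can never occur, a risk with no Hazard posing it lacks the 'adverse
    circumstance', and a Hazard threatening no Resource can do no harm."""
    problems = []
    posed = {e for _, e in model.poses}
    for e in model.events:
        p = e.probability
        if p is not None and not 0.0 <= p <= 1.0:
            problems.append(f"{e.name}: probability {p} outside [0, 1]")
        elif p == 0.0:
            problems.append(f"{e.name}: probability 0, can never occur, not a risk")
        elif is_risk(e) and e not in posed:
            problems.append(f"{e.name}: risk with no Hazard posing it")
    for h in model.hazards:
        if not any(hh == h for hh, _ in model.threatens):
            problems.append(f"{h.name}: hazard threatens no Resource, so no harm")
    return problems


def risk_metric(event: Event, severity: float) -> float:
    """The IEC 61508 'combination' is a figure derived from the entity, not its definition."""
    if not is_risk(event):
        raise ValueError(f"{event.name} is not a risk")
    return event.probability * severity


def build_sample_model() -> Model:
    """Constructed sample data for the example (not taken from the post)."""
    operator = Resource("plant operator", "Role")
    toxic = Hazard("toxic substance")                    # the hazard itself
    release = Event("release of toxic substance", 0.05)  # hazardous event, qualifies as a risk
    maintenance = Event("scheduled maintenance")         # straight event, no probability
    shutdown = Event("annual shutdown", 1.0)             # certainty, so not a risk
    orphan = Event("unexplained failure", 0.2)           # a risk nothing poses: flagged
    return Model(
        resources=[operator], hazards=[toxic],
        events=[release, maintenance, shutdown, orphan],
        poses=[(toxic, release)], threatens=[(toxic, operator)],
    )


if __name__ == "__main__":
    m = build_sample_model()
    print("risks:", [e.name for e in risks(m)])
    print("hazardous events:", hazardous_events(m))
    print("problems:", validate(m))
    print("metric:", risk_metric(m.events[0], severity=8))
```

Running it lists the two events that satisfy the probability bound, reports the one that has no Hazard posing it, and computes the derived metric only for an event that already qualifies as a risk; the bound and the relationships, not the metric, decide what counts as one.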


Just When You Thought It Was Safe - EntiTy Returns

by Nic Plum on Wednesday 13 March, 2013 - 21:33 GMT

Posted in: Architecture Framework, TRAK

Tags: safety, security, sourceforge, trak, working group


Sorry for the awful pun…

A small band of happy volunteers have been musing over possible extensions to TRAK to provide viewpoints that address typical safety and security concerns. As part of the ongoing activity a candidate set of concepts / entities for the TRAK metamodel have been described in a short document together with some of the backgrounds from which they arise. This has been published and comment / discussion is being encouraged on the forum on the TRAK Viewpoints project on Sourceforge. If you have any views on the candidate entities please post them there.

There will be other follow-on documents soon:

  • a definition of the candidate relationships that knit these entities together and to the residual TRAK metamodel
  • a definition of the candidate viewpoints (ISO/IEC/IEEE 42010 terminology) against which views are prepared that use the candidate and existing parts of the metamodel

There will then follow a testing phase to ensure that what is proposed is usable, easily understood, pragmatic and of utility (fit for purpose - but no more than necessary as we don’t want perfection at the expense of usability) for jobbing engineers and those who need to be able to read and understand the products and who aren’t in any technical priesthood. If anyone wishes to help in this testing phase can they please make contact either via this site or the Sourceforge discussion forum for the Safety and Security Working Group.


Definitions - What Exactly is a Risk?

by Nic Plum on Tuesday 12 March, 2013 - 22:30 GMT

Posted in: Architecture Framework, TRAK, Standards

Tags: defence, definition, dod, iec, nist, safety, security, standard, trak, usa


Creating a definition sounds as though it ought to be easy. It isn’t, for many reasons - some of these are not so much technical as the process by which consensus is reached and the need to get consensus. For example, the need to get consensus might mean that at times a weaker definition escapes because it was too difficult to get consensus on a tighter one.

Why do we care? Well there is a particular and a more general reason. The more general one is that the graphic blocks we use to represent the real world things have definitions and therefore the architect is supposed to select the most appropriate block to represent the real world thing based on the description. We can’t just choose anything otherwise we end up “head-modelling” where the verbal description we provide is not supported by the semantics of the model we’ve created (the model in our head is not the one on paper). If the description is wrong it might not be the right block to use (you wouldn’t represent ‘tank’ with a ‘tree’).

The particular reason is that we’ve a working group in TRAK looking to see if and how it is possible to extend TRAK to enable it to be used to address typical safety-related and security-related concerns. One of the starting points is therefore a review of general literature and particularly standards to identify the potential concepts or entities likely to be needed. In doing so we’ve found some potential problems with definitions.

A candidate entity is risk. What is a risk?

IEC 61508:2010

combination of the probability of occurrence of harm and the severity of that harm


Mishap Risk. An expression of the impact and possibility of a mishap in terms of potential mishap severity and probability of occurrence.


The net mission/business impact considering (1) the likelihood that a particular threat source will exploit, or trigger, a particular information system vulnerability and (2) the resulting impact if this should occur.

There is a common thread. Many other standards also have very similar forms of definition. None of these, however, defines what a risk actually is. The analogy is defining force as the product of mass and acceleration - it tells us nothing of what force is. None of the above are therefore definitions of risk; they just indicate how we might derive a metric for it. One of the principles in defining something has to be that the definition is independent of other variables or an implementation. In the above, if risk didn’t involve probability of occurrence it would mean that the concept of risk itself had changed, which isn’t true.

My dictionary provides:

a possibility of harm or damage

IEC 61508:2010 defines a Hazard:

potential source of harm [Guide 51 ISO/IEC:1990]

which is fine, but then in the note that follows it states ‘…for example, release of a toxic substance…’, which looks to be a hazardous event, not a hazard.

All of this means that it is harder and takes longer than it should do to analyse and form a view of a pragmatic compromise because you have to examine every word and be selective in what you choose to accept and what you choose to reject. You cannot blindly assume that any standard is correct since it is as much the product of gaining consensus as it is the technical content. You have to be a skeptical enquirer and constantly challenge. Too often folks put such committees on pedestals and don’t stop and think.


All articles/posts © of the respective authors

Site design and architecture © 2010 - 2011 Eclectica Systems Ltd.