GAQM: ISO ISO-31000-CLA Passing Score

A fire occurring in a new manufacturing process line is an example of a pure risk, which is a situation that can only end in a loss12. For example, the fire could damage property, injure workers or disrupt operations.

 ISO uses the concept of uncertainty as the driver and rationale for risk management. Uncertainty refers to the state of having incomplete knowledge or understanding about something that can affect an organization’s objectives.

the last step of the risk assessment process, which starts with risk identification, moves to risk assessment, and finally risk evaluation, is Risk evaluation.

Risk evaluation involves comparing the estimated level of risk against the risk criteria established during the risk assessment phase, to determine the significance of the risk and whether it is acceptable or not. This decision is made in consultation with stakeholders, who may provide additional context and information to inform the decision.

The American Society for Quality (ASQ) describes risk evaluation as "the process of comparing an estimated risk against given risk criteria to determine the acceptability of the risk." [1]

Similarly, ISO/IEC 27001:2013 (Information technology — Security techniques — Information security management systems — Requirements) defines risk evaluation as "the process of comparing the estimated risk against given risk criteria in order to determine the significance of the risk." [2]

References: [1] ASQ Glossary - Risk evaluation, https://asq.org/quality-resources/risk-evaluation  [2] ISO/IEC 27001:2013, Clause 6.1.3(c), https://www.iso.org/standard/54534.html

Risk management takes human and cultural factors into account1. Human factors include perception, judgment, behavior, and communication that influence risk management. Cultural factors include values, beliefs, norms, and expectations that shape the organization’s risk culture.