Book/Literature Reviews and Standards

Minimising Public WiFi Risk

Book/Literature Reviews and Standards, Travel Safety and Duty of Care

For those of us living itinerant lives, constant connectivity while moving within and in-between countries is a necessity. We love our Free WiFi. Among friends and colleagues we discuss and recommend the relative merits of cafes and restaurants partially according to how reliable is their free WiFi. Whether adding the finishing touches to the final written pieces of the contract just completed, transferring funds in between accounts to pay bills or onward flight tickets, emailing back and forth on a piece of work or a contact yet to be gained, or simply remaining in touch with family and friends, near constant email connectivity is essential to the modern professional within the Humanitarian and Development sectors.

But another truism is that most of this work is rarely conducted at ‘home’. Indeed, for those of us who base in places like Bali and Thailand, our office while ‘in between contracts’ is an obliging café where we do our work. These home base locations, or temporary ports of call may have poor 4G or 3G connectivity. While in transit in hotels and airports we are grateful to find a free WiFi connection somewhere. It may not be fast, but it is enough to get stuff done.

But is it safe?

The Harvard Business Review has been the most recent in a long line of publications advising us against the use of public WiFi. I have summarised and expanded on their points below. They are right to warn us. They quote a Verizon cyber security report describing how ‘Man in the Middle’ and ‘Evil Twin’ attacks have been identified in an increasing number of hotels and public places, especially in Asia. These are used to extract login and password data, steal information from laptops and other devices, and/or lay the groundwork for a far more elaborate and costly identity theft.

What Can We Do About It?

Because I live in Indonesia, where relatively cheap internet packages are available on pre-paid phones, I minimise the risk of public WiFi access by not using it and tethering my phone instead. And when I must connect to a public WiFi connection, I do so via a VPN. I would recommend a paid one. I use Zen, but there are many more on the market. Please see here a recent review of Zen that compares it to others currently on the market. Please note I am not endorsing this product. But if it is simple enough for me to use, then anyone can use it.

Another must is an easy-to-use Password Manager. Personally I use KeePass (think, ‘Keep your arse safe’), and the password hygiene it enforces greatly reduces the risk of Man in the Middle and Evil Twin attacks. But there are many others on the market. Do your research to ensure the database is encrypted and that it can be easily backed up to a USB stick and printed hardcopy (for secure storage elsewhere). Remember, in a man in the middle attack the thief is logging your keystrokes to get your login and password details. If the password is an easy-to-remember one you use everywhere, like the name of your first pet with upper and lower case and numbers (eg, ‘Blacky123’), and the username is your email address, you can be guaranteed that this combo will be tested on banks, Facebook, LinkedIn and other places where your identity and personal information can be hijacked. But if your password is Pj67$tHyfg&90dessTmb*, it is clear in the mind of the thief that this is not a password you use for every site you access; you are using a password manager and there is no point attempting to apply that username/password combo on other sites.

How do these tools manage risk? The VPN or WiFi-avoidance method (ie, tethering to your phone’s internet connection) greatly reduces the likelihood of being compromised by a thief. However, if you are compromised, the password manager will ensure that whatever username/password combo you use for the compromised site is not repeated for other sites, thus containing the breach.
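The “containing the breach” point above can be made concrete with a small script. This is an added example, not code from the original post and not part of KeePass or any other password manager: it models a credential vault as a plain dictionary, generates a random per-site password from the operating system’s CSPRNG, and measures the “blast radius” of one stolen username/password pair, that is, how many other sites the same pair would unlock. The site names, the email address and the reused password ‘Blacky123’ are constructed sample values.

```python
import math
import secrets
import string

# Character set for generated passwords (71 symbols): letters, digits, a few punctuation marks.
ALPHABET = string.ascii_letters + string.digits + "!@#$%&*-_"

# Constructed sample: the sites a traveller might log into over hotel or cafe WiFi.
SITES = ["cafe-wifi-portal", "bank", "email", "linkedin", "facebook"]


def generate_password(length=20):
    """Return a random password drawn from the OS CSPRNG (secrets module),
    which is what a password manager does for each new site."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def password_entropy_bits(length=20):
    """Approximate entropy of a uniformly random password of the given length
    over ALPHABET: length * log2(alphabet size)."""
    return length * math.log2(len(ALPHABET))


def build_reused_vault(sites, username, password):
    """Vault for the 'same password everywhere' habit: every site shares one pair."""
    return {site: (username, password) for site in sites}


def build_unique_vault(sites, username):
    """Vault as a password manager would keep it: same username, unique random password per site."""
    return {site: (username, generate_password()) for site in sites}


def blast_radius(vault, compromised_site):
    """Given that the username/password pair for `compromised_site` has been captured,
    return the sorted list of OTHER sites where the identical pair would also work.
    An empty list means the breach is contained to the one site."""
    stolen = vault[compromised_site]
    return sorted(
        site for site, pair in vault.items()
        if site != compromised_site and pair == stolen
    )


if __name__ == "__main__":
    reused = build_reused_vault(SITES, "me@example.com", "Blacky123")
    unique = build_unique_vault(SITES, "me@example.com")
    # A captive-portal login captured on the cafe WiFi is the assumed point of compromise.
    print("Reused password, other sites exposed:", blast_radius(reused, "cafe-wifi-portal"))
    print("Unique passwords, other sites exposed:", blast_radius(unique, "cafe-wifi-portal"))
    print("Entropy of a 20-character generated password: %.0f bits" % password_entropy_bits(20))
```

With the reused vault, the single captured pair exposes every other site; with the generated-per-site vault it exposes none, which is exactly the containment the post describes. The entropy figure shows why a thief does not bother trying a 20-character random string elsewhere: at roughly 123 bits it is plainly machine-generated.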

Other basic and easy-to-implement precautions include switching off your Bluetooth and WiFi when not in use, so they do not randomly connect to a network without you noticing, and using two-factor authentication for sensitive sites like email and banking sites.

To summarise the tips given by the Harvard Business Review to reduce both the likelihood and the impact of this threat:

  • Avoidance. Don’t use public Wi-Fi to shop online, log in to your financial institution, or access other sensitive sites.
  • Mask. Use a Virtual Private Network, or VPN, to create a network-within-a-network, keeping everything you do encrypted.
  • Complicate. Implement two-factor authentication when logging into sensitive sites, so even if malicious individuals have the passwords to your bank, social media, or email, they won’t be able to log in.
  • Verify. Only visit websites with HTTPS encryption when in public places, as opposed to lesser-protected HTTP addresses.
  • Switch Off. Turn off the automatic Wi-Fi connectivity feature on your phone, so it won’t automatically seek out hotspots.
  • Pay Attention. Monitor your Bluetooth connection when in public places to ensure others are not intercepting your transfer of data.
  • Avoid. Buy an unlimited data plan for your device and stop using public Wi-Fi altogether.
  • Obscure. Use a password manager, and get into the habit of changing passwords regularly.

This is not rocket science. It is merely the 21st century version of locking valuables away in the hotel safe, not carrying all your cash and cards in the one place, not visibly flaunting wealth, and not changing cash on the black market.

If there are any questions arising from this post, please do not hesitate to ask them in the comments section below. You are also invited to sign up for email notifications of future posts on this site.

Risk Management and Staff Safety: Similar But Different

Book/Literature Reviews and Standards

Risk Management versus Staff Safety

It is still common practice within the Humanitarian and Development sectors to confuse ‘Staff Safety and Security’ with ‘Risk Management’. This is understandable for a number of reasons. The field of Risk Management is still evolving. Also, the relatively high exposure to safety and security challenges faced by many organisations in the sector, combined with institutional inertia, means that Staff Safety understandably has a higher profile and urgency than the adoption of modern Risk Management practice.

The main reason however is the evolution of organisations’ perception of the problem. Formerly, humanitarian operations conducted in areas of conflict could reasonably be understood to be impartial and neutral, demanding and achieving humanitarian space within which to serve the victims of the conflict. Having an ex-military Security Officer made perfect sense, as they could quite readily establish a rapport with armed groups in the area and assist in managing access. They could yell at people in emergencies and ‘get stuff done’. The ‘Security bloke’ profile was a good solution to that problem.

Late for Curfew? Drop and give me 20!

However, since the weaponization of development and humanitarian assistance from 2002, INGOs have been challenged mightily to create and maintain humanitarian space. Often they were working in the same village as the militaries of their donors, who were conducting activities similar to those of NGOs for counter-insurgency reasons. There was a need to create and maintain space from all things militaristic. Hence we noticed over the years a move away from ‘Security Officers’ to ‘Safety Officers’, and from there to ‘Risk Manager’. However, it was usually the same guy: lots of pockets in his hard-wearing pants, dark sunglasses, a never-say-die demeanour, an ill-kept beard and tonnes of gadgets. He may indeed have been an excellent Risk Manager, if asked to perform in that role; but it hardly ever happened because all parties misunderstood the term.

After all, what everyone wanted was a MacGyver who was calm in an emergency, could communicate security concepts easily and did not fall asleep in long meetings. “But now we will call him a ‘Risk Manager’ and thus get our much needed security support while not alienating people inside and outside the organisation with a Security Officer”. Meanwhile, genuine risk management challenges remain unaddressed.

Safety, Security and Risk Management Officers are not the same person, and here is why.

Safety Officers – Assist management in the identification and remediation of non-man-made hazards in the workplace. Sometimes also known as Occupational Health and Safety Officers, such a focal point will usually have undertaken basic training in first aid and fire extinguishers, the need to place signs in hazardous areas, reporting of incidents, the conduct of evacuation drills, and the management of any other sector-specific hazard. They are often dual-hatted, with their safety role a secondary task.

Security Officers – Assist management in the identification and remediation of man-made threats to operations, from either outside or inside the organisation, usually focussing on threats associated with ‘men with guns and bombs’, ‘crime’, ‘KFR’ and ‘mobs’. They will usually bring their qualifications and experience with them from the military or police, ideally in the same context within which the country office is operating. They will often assume the ‘Safety’ role described above.

Risk Managers – Assist management in the identification and remediation of ALL obstacles to project success, as well as identifying and exploiting any opportunities. A Risk Manager needs to be across all the organisational objectives and be able to think at least ‘one level up’. That is, if they are a Country Risk Management Officer they need to know and understand the operational and strategic imperatives at the Global or Regional level. The Risk Manager has usually come from within the organisation, and is sufficiently experienced to know and understand those parts of the organisation outside his/her specialty. It is this experience that allows the Risk Manager to advise the Senior Management Team on the relative risk presenting itself to different parts of the organisation.

A Not Unprecedented Hypothetical Scenario

In the Office of the Country Director: The Safety Officer recommends that what remains of the budget should be spent on improved lighting for certain areas, a first aid course, and upgraded fire extinguishers. The need, he says, is urgent. Meanwhile the Security Officer (both of whom report to the Head of Admin who has a different barrow to push) argues the money should be spent on enhanced screening of visitors in the office, implementation of a CCTV network, and an extra staff member to watch the screen. The Finance manager intervenes with a plea for a proper safe, as the lockable cabinet is clearly insufficient (and he has not been able to maintain the attention and support of the Security or the Safety Officer). Meanwhile the Programme Manager insists that if she cannot get an extra staff member in to write new proposals there will be no new work in the pipeline and we can all get ready to pack up and go home. And so it goes. We’ve all been there before.

So how does our Country Director reconcile these competing demands? How does she compare apples with oranges in order to allocate scarce resources where they can have the greatest impact? She turns to her Risk Management Officer, asks for a copy of the [recently reviewed] Risk Assessment, passes her eye over the Risk Treatment Plan and allocates the remaining resources to the highest ranked risk mediation measures; instead of to the loudest and most persuasive voice in the room at that time.

This plan was not conjured out of thin air. The Risk Manager has spent his or her time consulting across, and up and down, the organisation, conducting information-gathering sessions (internally), and benchmarking across similar organisations doing similar things and facing similar challenges in the same place. All of this is to produce a holistic risk assessment particular to that organisation, with those objectives, in that place, at that time. There is consensus across all units (Programme, Logistics, Admin, Finance, Security etc), everyone accepts their role in the plan, and the Risk Manager follows up on behalf of the Country Director.

The profile of such a person? Young or old. Male or female. Probably university educated but not necessarily with sectoral experience (although it helps). Sufficient soft skills to manage emotionally charged meetings attended by stressed managers and practitioners. Process focussed yet with an eye for outcomes. Discretion and a sense of humour. It is possible to find all three roles in the same person, but not necessarily. And merely changing the title of your Security Officer does not make him/her a Risk Manager. And vice versa.

If there are any questions arising from this, please do not hesitate to ask them in the comments section below. You are also invited to sign up for email notifications of future posts on this site.

Risk Management, Standards and Risk – A German Approach

Book/Literature Reviews and Standards

At a time when submissions are being called for the update of global risk management standards (ISO 31000, globally adopted in 2009) it helps to ask, ‘how global was it, really? Where was it not adopted? Why not?’

Surprisingly, at least initially, one stand-out was Germany. We ask ourselves three questions:

  1.  Why did the German Standards authority (DIN) decline to adopt the standard?
  2.  What can we learn from this to apply to the new Global Standards moving forward? and
  3.  Is there anything of relevance to the Humanitarian and Development sectors?

The German perspective is surprisingly relevant to the Humanitarian and Development sectors. As Prof. Dr. Udo Weis, Chairman of DIN (Deutsches Institut für Normung e.V.) NA 175-00-04 AA, elegantly argues in the interview conducted with TC262, there were two main objections within Germany to adoption of the global standard: the first from Industry and Labour groups, and the second from environmentalists.

But first a side note. In Germany, according to the Professor, the adoption of standards is a form of self-regulation by industry groups. But the stakeholders are much broader and all have a veto. Explicit consensus is a must and was not achieved for ISO 31000; hence its non-adoption. Decision making is distributed and consensus based. Sound familiar? If there is anything that defines the internal management and external project work of Humanitarian and Development organisations, it is that leadership and management are diffuse, there is a strong emphasis on stakeholder engagement, and EVERYONE must be on board before a decision can be implemented.

Back to Germany. The framers of ISO 31000 ‘meant no harm’ when they argued that all aspects impacting on the organisational objectives must be considered, and relative merits balanced, in order to achieve the ‘optimal’ result. But it raised more red cards in Germany than a rugby team attempting to play soccer. Staff safety and the environment are never compromised, therefore there can be no ‘balancing’. It is against the law, and in the opinion of RM4HD, rightly so. [Once again, sound familiar? How many times have we heard that ‘staff safety is paramount’ in Humanitarian and Development organisations?] Hence in Germany, the Labour and Industry groups vetoed adoption due to a concern that implementation would undermine the existing regime of self-regulation of Occupational Health and Safety, enshrined in legislation. Prof. Dr. Udo Weis’ summary of the objection by environmentalists speaks for itself, so I am just going to cut it out and paste it right here:

Also, the environmentalists vetoed. They feared that the wording “Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social protection and the protection of the natural Environment” would allow balancing to take place. It should be borne in mind that there are clear limits in the German environmental legislation. There was fear of opening the gates for subordination of environmental protection under financial conditions.

In short, one does not subordinate occupational health and safety and the environment to profit. The interview continues, and it is a good one. It is worth the time to read it.

Here are a number of key points for consideration by risk management professionals in the Humanitarian and Development sectors, partly addressing the questions given above.

Firstly, humanitarian and development sector professionals interested in Risk Management must move quickly to ensure that the ethics, ethos and values of Humanitarian and Development organisations are explicitly referred to and protected. A litmus test for success would be the adoption of the revised standard by the German mirror organisation, DIN. The last date for submissions is 25 Apr 17.

Secondly, the criticisms often made of management and decision-making processes within Humanitarian and Development organisations may not be entirely fair, or are perhaps culturally blinded. Distributed stakeholders, cross-sectoral engagement, adherence to rules and process, protection of key values and consensus across disparate groups and interests can work. Last time I checked, Germany was doing OK.

Thirdly, the good Professor’s wonderful quote at the bottom of the interview: “Bad managers manage problems; good managers manage risk.” It just may become my new motto.

In summary, there is a lot we in the Risk Management sector can learn from the German approach, particularly when it comes to frameworks within which the environment is a stakeholder, flexibility is maintained, decisions are consensus based, ethos and values are protected, the job gets done and no-one gets killed.

Please visit the TC262 website to see what they are up to, and for more information on how to contribute to the global standard review process. Please see the link to the original article here. The text has been cut out and pasted below.

The work of the German organisation DIN may be visited here. We are grateful for the English language option, danke very much. Germans may also contribute to the evolution of Risk Management standards in Germany, especially factoring in the needs of development work, by approaching DIN directly.

Risk Management and ISO 31000 in Germany

Interview conducted for isotc262 with Prof. Dr. Udo Weis, Chairman of DIN NA 175-00-04 AA, the German mirror committee to ISO/TC 262

Prof. Dr. Udo Weis was trained as a chemist and later earned an MBA in international business. After working for over 15 years in industry, mostly for the electrotechnical company ABB as vice president for HSE and sustainability, he joined SRH University Heidelberg as a professor for business engineering. He is currently director of the Steinbeis Institute International Business and Risk Management in Heidelberg, Germany and CEO of IFNEK GmbH. Prof. Weis has worked for over 25 years in several national and international standardization committees.

Prof. Weis, you are the chairman of DIN NA 175-00-04 AA, the German mirror committee to TC 262. Can you briefly introduce DIN, Deutsches Institut für Normung e.V., your national standardization organization in Germany, please?

Prof. Weis: DIN is a privately organized non-profit provider of standardization services with nearly 100 years’ experience. More than 32,000 external experts from industry, research, consumer protection and the public sector come together at DIN to develop market-oriented standards and specifications that promote global trade and innovations, assure efficiency and quality, and help protect the environment and society as a whole. More than 70 % of its financing comes from the sales of standards and other technical publications and services offered by Beuth Verlag, which is responsible for publishing DIN and ISO standards in Germany. Other sources include project funds from industry, public funding and membership fees. In Germany standardization is a form of self-regulation by industry.

DIN did not adopt ISO 31000 as a national standard – what were the reasons and what does this mean for German organizations operating nationally and for those operating globally?

Prof. Weis: DIN’s nearly 100 years’ experience is based on several principles. For example, DIN tries to integrate all stakeholders into a consensual consensus in the decisions. On the other hand, DIN’s work also means that no decision can be taken against the explicit will of a stakeholder. Thus, each stakeholder has a veto right.
When the decision was taken whether to adopt ISO 31000 as a German standard, two stakeholder groups raised concerns.
One group objecting was the occupational safety representatives. One must be aware that occupational health and safety regulations in Germany have a tradition of more than 130 years with a system of self-administration of the enterprises, thus independent from government or other norms. There was concern that ISO 31000 might adversely affect the self-administration.
Also, the environmentalists vetoed. They feared that the wording “Selecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social protection and the protection of the natural Environment” would allow balancing to take place. It should be borne in mind that there are clear limits in the German environmental legislation. There was fear of opening the gates for subordination of environmental protection under financial conditions.
A similar discussion had already taken place when considering the adoption of the ISO 14000 series. In that case the industry saw advantages and a consensus formed for adoption. There was no comparable lobby for the risk management standard and therefore it was not adopted.

What is the basis for risk management in Germany and what is its impact?

Prof. Weis: Risk management really has a broad basis in Germany. In particular, in the KonTraG, a framework law is in force, which obliges companies to assess, record, report, monitor and treat risks. In addition, the annual report of financial statements is a requirement by the tax and financial legislation. Accounting rules and other statutory regulations oblige almost every company to manage risk.

Who are the key stakeholders of risk management in Germany?

Prof. Weis: That is a difficult question. As already indicated, risk management is everywhere – and nowhere.
Traditionally, and especially through the revisions of the management system standards, the protective functions in companies such as environmental protection, occupational health and safety, quality, data protection, etc. are the most active stakeholders of risk management. Risk management has also established itself in individual sectors, for example in health and safety, health care and the financial sector. The different sectors often have their own models and rules. Unfortunately, these are specific solutions and lack a more comprehensive or company-level approach.

What are the biggest obstacles for integrating risk management in all organizational activities for managers in Germany?

Prof. Weis: There is a lack of a superordinated understanding of managing risks, with specific and partial solutions instead. The nomenclature also plays a role. Contrary to the English-speaking countries, risk is negatively interpreted in the German language and German managers are afraid to deal with the dark side of the business – the risks. It would be easier to overcome these hurdles with formulations such as “positive risk” or “risk and opportunity”. An example is given here. For a long time, risk management in the hospital sector was an unloved child. Since it was renamed “patient safety”, a noticeable progress is apparent.

ISO 31000 globally quickly became one of the bestselling and most well recognized standards in ISO. What do you think about the future of the standard – particularly in Germany – and how will it change to adapt to new challenges?

Prof. Weis: I see that the concerns raised by the environmentalists have given way to a more open understanding. One has learned that proactive handling and struggle for the best solution require compromises. The ISO 14000 series is established and environmentalists see the benefits. I expect to see the same with the progress of ISO 45000 for occupational health and safety. However, it should be noted that there is still concern that Germany’s strict national limits and established principles should not be softened by ISO 31000. All members in our national mirror committee understand that risk has to be managed within legal and other requirements and want this clarified for all stakeholders.
Another point for me is the realization that the uncertainty continues to rise. Through the Internet of Things (IoT) and the increasing digitalization, we need a new approach to manage the challenges of the future and the associated risks. The ISO 31000 family provides the right solutions.

What advice can you give to interested parties in Germany who want to offer their input to the work of ISO/TC 262 and DIN NA-175-00-04 AA and who should they address?

Prof. Weis: We are very happy to welcome further members to our mirror committee. In particular, insurance companies, the financial sector, internationally operating companies as well as experts from practice are very welcome. In particular, feedback on drafts is necessary support for the working group. Interested persons are invited to contact me directly or via DIN to indicate their desire to cooperate.

Thank you very much!

Prof. Weis: I hope that in the future a saying will be more widely known: Bad managers manage problems; good managers manage risk.

We do not post blogs every day, or even every week. So if you are interested in semi-regular emails from this site as blogs are updated, please feel free to sign up below.

ISO 31000 Revision for Humanitarian and Development

Book/Literature Reviews and Standards, Travel Safety and Duty of Care

Since 2009, ISO 31000:2009 has been the de facto global standard for the majority of professional Risk Management practitioners, across all sectors, worldwide. In the humanitarian and development sectors, uptake of and adherence to industry-standard Risk Management theory and practice has been held back by two issues:

  • Resistance to change. Not an uncommon phenomenon in publicly funded or not-for-profit outfits, and
  • A perception that the standard only applies to ‘professional’, for-profit businesses and not to NGOs and development organisations in complex environments.

[Nothing could be further from the truth, but we will get to that later.] There is not much we can do about the former. However, the time is right for those interested in changing the perception of risk management internal to the sector, and in framing the standard to include the demands of Humanitarian and Development organisations. So, here is a shout-out to all the typists out there willing and able to kick in and advocate for the sector by contributing to the update of the standard.

The original call for public submissions went out a while ago, and we still have until late April to get our suggestions in. You can see the original post [courtesy of Alex Dali] and call for submissions on LinkedIn here.

RM4HD will be making its own submission and posting it in due course.

To contribute, here is the link.

The draft guidelines can be found here.

Please do click on the link, add your comments, and, for those in the sector, take this chance to include Risk Management for organisations that:

  • Are usually headquartered in ‘safe’ countries,
  • Spend donor money, and do not make a profit,
  • Are staffed largely by idealists, and
  • Operate in areas where their home countries say people should not go, which invalidates the standard travel and work insurances, and where hazards are high, response capacity is low, and the pressure to perform is extreme.

The last chance to influence global Risk Management standards was over 8 years ago. Do not wait until next time.

We do not post blogs every day, or even every week. So if you are interested in semi-regular emails from this site as blogs are updated, please feel free to sign up below.

Comparing ISO 31000 (2009) with the draft ISO 31000 (2017) – Part 2

Book/Literature Reviews and Standards

A high level document

The revision of the ISO 31000 standard is to be finalized in 2017. In a series of articles we want to present and discuss the major changes that are to be expected. In Part 1 we discussed the introduction of the document and the new graphic layout of the framework and process of the revised ISO 31000 risk management standard (see figure below). It immediately shows what the intent of the revision is.

The update intends to make ISO 31000 a very concise, high-level document on risk management. This is mainly achieved by reducing the level of information, keeping it to the strict minimum. This approach should be in concert with the ambition of ISO to develop a whole series of ISO 31000 documents, related to the different aspects of risk management, similar to the ISO 31004 and ISO 31010 documents that are already available at the moment. The idea is then for these supplementary documents to accommodate any specific information regarding risk management which is not contained in the ISO 31000 document.

When looking at the section “Scope” in the revised standard, the reduction of the content is clearly visible. Instead of the scope being elaborated on half a page, it is now explained in less than 5 lines. This is mainly achieved by deleting large parts of the original text.

However, there are some remarkable changes in this draft 2017 edition. In the proposed version, ISO 31000 talks about “adaptable guidelines”, instead of “generic guidelines”. It also mentions that the standard is “to be used by any organisation”, instead of the old phrase that the ISO 31000 standard “is not specific to any industry or sector”.

Maybe the most notable change in the scope is that the sentence “This International Standard is not intended for the purpose of certification” is no longer there. This leaves a door open for those who want to have a standard that can also be used for certification.

Normative references

This is a new section in the standard. It only mentions that there are no normative references in the document. I suppose this is only to comply with the newer formats ISO uses for its standards.

Terms and definitions

The major change in this section (at least to me) is the fact that the following sentence has changed.

“For the purpose of this document, the following terms and definitions apply.”

This sentence was followed by 29 definitions that fully defined risk management the ISO 31000 way.

Now it goes as follows:

“For the purpose of this document the terms and definitions given in ISO Guide 73 and the following apply.”

As a consequence, all definitions that are mentioned in ISO Guide 73 now apply to ISO 31000. As Guide 73 is meant to cover all ISO definitions regarding risk and risk management, this shouldn’t come as a surprise. It is to be noted that nothing in the wording of the actual definitions has been changed. The changes in the revision only concern the notes to the definitions.

The definitions still mentioned in the standard (“… the following apply”) are kept to a strict minimum and are mainly those that have updated notes:

RISK (change for the notes), RISK MANAGEMENT (no change), STAKEHOLDER (no change), RISK SOURCE (change for the notes), EVENT (change for the notes), CONSEQUENCE (change for the notes), LIKELIHOOD (no change), CONTROL (change for the notes).

In general the changes are in the direction of better wording and more complete coverage of what the notes want to convey. However, there’s one note that really catches my attention and that in my opinion can be improved. It is note 1 of the definition of risk.

“An effect is a deviation from the expected. It can be positive (sometimes expressed as opportunities), negative (sometimes expressed as threats) or both.”

The problem I have with this sentence is the parts between brackets. The content between brackets should be left out, because in my opinion opportunities and threats are (external) risk sources in the same way as weaknesses and strengths are (internal) risk sources. Although effects can also become risk sources, the way note 1 is phrased only leads to a short-sighted view of what can be understood by effects.

For example, one could say that pursuing an opportunity, making use of one’s strengths, while managing threats and weaknesses, can bring unexpected positive consequences. However, pursuing opportunities without managing threats and weaknesses and without building on strengths can certainly bring about unexpected and unwanted consequences. The consequences are then the effects of uncertainty on the objectives related to the opportunity pursued.

So my proposal for note 1 is “An effect is a deviation from the expected. It can be positive, negative or both.” There’s no need to add anything to that!

In general

In general, one can say “less is more”, and this is certainly true for this revision. More interpretations are possible, more definitions come into play and more options in the use of the standard are provided (e.g. certification). The one remark I have is on note 1 of the definition of risk.

To be continued …


  • Do you want to know more about ISO 31000 and its revision?
  • Are you looking for certification for this standard?
  • Do you want to learn how to integrate risk management at all levels of your organisation and all of its operations?

Join us for one of our certification courses in Brussels or Frankfurt or contact us for an in-house training!