Food Fraud Prevention - Understanding ISO 31000 and Consequence in Risk Management
Welcome! In support of the Food Authenticity Network (FAN), this blog series reviews key topics related to food fraud prevention. Watch here for updates that explore the definitions of food fraud terms and concepts.
This post expands on our earlier discussion of ISO 31000’s ‘likelihood’ component in risk assessment to explore the final key concept of ‘consequence.’ In our next post, we’ll complete the risk assessment process by applying COSO-based Enterprise Risk Management (ERM) to set a precise risk tolerance level.
To recap, a vulnerability in risk management combines ‘likelihood’ and ‘consequence’ to assess potential outcomes. Both elements are essential for comprehensive risk evaluation. Let’s consider this with a familiar example: the consequence of a 5% chance event varies widely depending on the context. A 5% chance of stubbing your toe at night might require no precautions beyond possibly turning on a light (‘risk acceptance’), while a 5% chance of drowning would prompt more significant measures, such as wearing a life jacket (‘risk treatment’) or finding an alternative way to cross the water (‘risk avoidance’).
In short, a vulnerability is a type of risk, and a risk is determined by the combination of ‘likelihood’ and ‘consequence.’ Remember:
Risk Assessment Essentials in ISO 31000
- Risk (ISO 31000): “effect of uncertainty on objectives” [Reference 2]
- NOTE 1: An effect is a deviation from the expected — positive and/or negative.
- NOTE 3: Risk is often characterized by reference to potential events (2.17) and consequences (2.18), or a combination of these.
- NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.19) of occurrence.
ISO definitions are carefully crafted through years of review across disciplines, emphasizing the importance of structured and universal terminology in risk management.
- Consequence (ISO 31000): “outcome of an event affecting objectives”
- NOTE 1: An event can lead to a range of consequences.
- NOTE 2: A consequence can be certain or uncertain and can have positive or negative effects on objectives.
- NOTE 3: Consequences can be expressed qualitatively or quantitatively.
- NOTE 4: Initial consequences can escalate through additional effects. [ISO Guide 73:2009, definition 3.6.1.3]
These guidelines provide a thorough framework for organizations assessing risks, helping them identify and respond to various outcomes more effectively.
The Importance of Consequence vs. Severity in Risk Management
To frame the problem in a broader business sense, ‘consequence’ is used in preference to ‘severity,’ because ‘severity’ implies only a negative outcome. Some methods use other, more neutral terms, such as ‘impact’ or ‘outcome.’ A business needs to take some level of risk to meet performance, growth, and financial goals, and the term ‘consequence’ covers the full range of possibilities: positive, neutral, and negative results. In the context of food safety, for instance, risk is not only about avoiding undesirable outcomes; it is about managing them to meet an organization’s goals. “Many Food Scientists and Food Safety managers use the term ‘risk’ to define an unacceptable or intolerable level.” [Reference 3] This aligns with business risk-taking, where managing risk appetite allows for opportunities that may bring rewards.
For example, buying a stock involves risk, but it’s a controlled risk with the potential for reward. Risk assessment, in this sense, includes both ‘likelihood’ and ‘consequence,’ ensuring that resource allocation aligns with both risk tolerance and potential outcomes.
The Formula for Risk: Likelihood x Consequence
Effective risk management must account for both likelihood and consequence to allocate resources wisely. Any incident is disruptive, but the likelihood of an event matters ONLY in relation to its consequence, and vice versa. It should be noted that a food fraud incident – or known fraud in a supply chain – is illegal. Unless the operators are a criminal organization, the likelihood would be defined as ‘100%’ and the consequence as ‘illegal product,’ so this situation is an ‘intolerable risk.’ In this case, addressing vulnerabilities shifts from reacting to incidents to eliminating the root causes that could lead to fraud.
Adjusting terminology to align with ISO 31000 can simplify this process, but defining your organization’s risk tolerance threshold is crucial—and often complex.
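As an added illustration (not code from the original post or from the Food Authenticity Network), the following Python scorer applies the likelihood × consequence formula on assumed 1 to 5 bands and the post’s rule that a known fraud incident is an intolerable risk regardless of score; the band cut-points, score thresholds, and the sample risk register are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed example: band cut-points and treatment thresholds are assumptions
# for illustration, not values taken from ISO 31000 or the post.
LIKELIHOOD_CUTS = (0.01, 0.05, 0.25, 0.75, 1.0)  # upper bound of bands 1..5

@dataclass
class Risk:
    event: str
    likelihood: float            # probability of the event, 0.0 to 1.0
    consequence: int             # 1 (negligible) .. 5 (catastrophic) negative outcome
    known_illegal: bool = False  # known fraud in the supply chain: unlawful product

def likelihood_band(p: float) -> int:
    """Map a probability to a 1..5 likelihood band."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("likelihood must be a probability in [0, 1]")
    for band, upper in enumerate(LIKELIHOOD_CUTS, start=1):
        if p <= upper:
            return band
    return len(LIKELIHOOD_CUTS)

def risk_score(r: Risk) -> int:
    """Risk = likelihood x consequence, computed on the 1..5 bands (range 1..25)."""
    if not 1 <= r.consequence <= 5:
        raise ValueError("consequence must be an integer from 1 to 5")
    return likelihood_band(r.likelihood) * r.consequence

def response(r: Risk) -> str:
    """Pick the ISO 31000 response named in the post for this risk."""
    if r.known_illegal:
        # The post's rule: known fraud means likelihood 100% and an illegal
        # product, so the risk is intolerable whatever the score says.
        return "intolerable risk"
    score = risk_score(r)
    if score <= 4:
        return "risk acceptance"   # e.g. turn on a light
    if score <= 12:
        return "risk treatment"    # e.g. wear a life jacket
    return "risk avoidance"        # e.g. find another way across the water

def rank_register(risks: list[Risk]) -> list[Risk]:
    """Order a risk register highest first; intolerable items outrank all scores."""
    return sorted(risks, key=lambda r: (r.known_illegal, risk_score(r)), reverse=True)

if __name__ == "__main__":
    register = [Risk("stubbed toe at night", 0.05, 1), Risk("drowning", 0.05, 5),
                Risk("known fraudulent ingredient", 1.0, 4, known_illegal=True)]
    for r in rank_register(register):
        print(f"{r.event:30} score={risk_score(r):2d} -> {response(r)}")
```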
Coming Next: Determining Your Risk Tolerance and Risk Appetite
Our next post will cover determining your organization’s risk tolerance, examining both likelihood and consequence. Traditional risk assessment frameworks often assign this threshold to an undefined “someone” within the organization. However, this step is both critical and complex in the risk assessment process and requires careful consideration.
If you have any questions on this blog, we’d love to hear from you in the comments box below.
References
- (R1) Spink, John W (2019). Food Fraud Prevention – Introduction, Implementation, and Management, Food Microbiology and Food Safety series, Springer Publishing, New York, URL: https://www.springer.com/gp/book/9781493996193
- (R2) ISO 31000 Risk Management, International Standards Organization (ISO), Updated 2023, URL: https://www.iso.org/iso-31000-risk-management.html
- (R3) Applying Enterprise Risk Management to Food Fraud Prevention (ERM2), 2017, Food Fraud Prevention Academy, URL: https://foodfraudpreventionthinktank.com/wp-content/uploads/2021/05/BKGFF17-FFI-Backgrounder-2016-ERM-ERM2-v46-2.pdf