Food Fraud Prevention - Understanding ISO 31000 and Consequence in Risk Management

Welcome! In support of the Food Authenticity Network (FAN), this blog series reviews key topics related to food fraud prevention. Watch here for updates that explore the definitions of food fraud terms and concepts.

This post expands on our earlier discussion of ISO 31000’s ‘likelihood’ component in risk assessment to explore the final key concept of ‘consequence.’ In our next post, we’ll complete the risk assessment process by applying COSO-based Enterprise Risk Management (ERM) to set a precise risk tolerance level.

To recap, a vulnerability in risk management combines ‘likelihood’ and ‘consequence’ to assess potential outcomes. Both elements are essential for comprehensive risk evaluation. Let’s consider this with a familiar example: the consequence of a 5% chance event varies widely depending on the context. A 5% chance of stubbing your toe at night might require no precautions beyond possibly turning on a light (‘risk acceptance’), while a 5% chance of drowning would prompt more significant measures, such as wearing a life jacket (‘risk treatment’) or finding an alternative way to cross the water (‘risk avoidance’).

To recap, a vulnerability is a type of risk. A risk is determined by the combination of ‘likelihood’ and ‘consequence.’ Remember:

Risk Assessment Essentials in ISO 31000

  • Risk (ISO 31000): “effect of uncertainty on objectives;” [Reference 2]
    • NOTE 1: An effect is a deviation from the expected — positive and/or negative.
    • NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.19) of occurrence.
    • NOTE 3: Risk is often characterized by reference to potential events (2.17) and consequences (2.18), or a combination of these.

ISO definitions are carefully crafted through years of review across disciplines, emphasizing the importance of structured and universal terminology in risk management.

  • “Consequence (ISO 31000): outcome of an event affecting objectives
    • NOTE 1: An event can lead to a range of consequences.
    • NOTE 2: A consequence can be certain or uncertain and can have positive or negative effects on objectives.
    • NOTE 3: Consequences can be expressed qualitatively or quantitatively.
    • NOTE 4: Initial consequences can escalate through additional effects. [ISO Guide 73:2009, definition 3.6.1.3]”

These guidelines provide a thorough framework for organizations assessing risks, helping them identify and respond to various outcomes more effectively.

The Importance of Consequence vs. Severity in Risk Management

To help frame the problem in a broader business sense, ‘consequence’ considers a broader interpretation of the terms. Specifically, the term ‘severity’ insinuates only a negative outcome. Some methods refer to other more neutral terms, such as ‘impact’ or ‘outcome.’ In a business, there is a need for some level of risk-taking to meet performance growth and financial goals. However, the term ‘consequence’ covers a broader range of possibilities, including positive, neutral, and negative results. In the context of food safety, for instance, risk isn’t just about avoiding undesirable outcomes—it’s about managing them to meet an organization’s goals. “Many Food Scientists and Food Safety managers use the term ‘risk’ to define an unacceptable or intolerable level.” [Reference 3] This aligns with business risk-taking, where managing risk appetite allows for opportunities that may bring rewards.

For example, buying a stock involves risk, but it’s a controlled risk with the potential for reward. Risk assessment, in this sense, includes both ‘likelihood’ and ‘consequence,’ ensuring that resource allocation aligns with both risk tolerance and potential outcomes.

The Formula for Risk: Likelihood x Consequence

Effective risk management must account for both likelihood and consequence to allocate resources wisely. While every event is bad and disruptive, the likelihood of an event is important ONLY in relation to the consequence, and vice versa. It should be noted that a food fraud incident – or known fraud in a supply chain – is illegal. Unless the operators are a criminal organization, the likelihood would be defined as ‘100%,’ and the consequence is ‘illegal product,’ so this situation is an ‘intolerable risk.’ In this case, addressing vulnerabilities shifts from reacting to incidents to eliminating root causes that could lead to fraud.

Adjusting terminology to align with ISO 31000 can simplify this process, but defining your organization’s risk tolerance threshold is crucial—and often complex.

Coming Next: Determining Your Risk Tolerance and Risk Appetite

Our next post will cover determining your organization’s risk tolerance, examining both likelihood and consequence. Traditional risk assessment frameworks often assign this threshold to an undefined “someone” within the organization. However, this step is both critical and complex in the risk assessment process and requires careful consideration.

If you have any questions on this blog, we’d love to hear from you in the comments box below.

References

  1. Spink, John W (2019). Food Fraud Prevention – Introduction, Implementation, and Management, Food Microbiology and Food Safety series, Springer Publishing, New York, URL: https://www.springer.com/gp/book/9781493996193
  2. ISO 31000 Risk Management, International Standards Organization (ISO), Updated 2023, https://www.iso.org/iso-31000-risk-management.html
  3. Applying Enterprise Risk Management to Food Fraud Prevention (ERM2), 2017, Food Fraud Prevention Academy, https://foodfraudpreventionthinktank.com/wp-content/uploads/2021/05/BKGFF17-FFI-Backgrounder-2016-ERM-ERM2-v46-2.pdf

Spink's Food (Fraud) for Thought - Part VII

Food Fraud Prevention - ISO 31000 and Likelihood

Welcome! In support of the Food Authenticity Network (FAN), this blog series reviews key topics related to food fraud prevention. Watch here for updates that explore the definitions of food fraud terms and concepts.

This blog post builds on our previous review of the ISO 31000 Risk Management to dive into the risk assessment concept of “likelihood.” The next blog post will review the second half of a risk assessment, which is “consequence.” Likelihood alone is only half of the risk assessment.

For example, the concern about an event with a 5 percent chance of occurring is based on the consequence. A 5-percent chance of stubbing your toe at night may not require you to take any precautions, even as simple as turning on the light (“risk acceptance”). A 5-percent chance of drowning while swimming would lead you to at least wear a life jacket (“risk treatment”) or find another way to cross a river (“risk avoidance”).

To recap, a vulnerability is a type of risk. A risk is determined by the combination of “likelihood” and “consequence.” Remember:

  • Risk (ISO 31000): “effect of uncertainty on objectives;”
    • NOTE 1: An effect is a deviation from the expected — positive and/or negative.
    • NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.19) of occurrence.
    • NOTE 3: Risk is often characterized by reference to potential events (2.17) and consequences (2.18), or a combination of these.

Then, a type of risk is a vulnerability.

  • Vulnerability (ISO 31000 citing Guide 73): “intrinsic properties of something resulting in susceptibility to a risk source (3.3.10) that can lead to an event (3.3.11) with a consequence (3.3.18)."

The likelihood is covered in this blog post, and a future blog post will cover the consequences in detail. It is interesting to examine the level of detail and insight that went into the ISO definitions. The use of “likelihood” even considers the information interpretation of the terms. Specifically, the term “probability” often insinuates a statistical or mathematical determination.

  • Likelihood (ISO 31000): “chance of something happening” (Note: yes, that is the exact text) [Reference 1]
    • NOTE 1: In risk management terminology, the word “likelihood” is used to refer to the chance of something happening, whether defined, measured, or determined objectively or subjectively, qualitatively or quantitatively and described using general terms or mathematically (such as a probability or a frequency over a given time period).
    • NOTE 2: The English term “likelihood” does not have a direct equivalent in some languages; instead, the equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it should have the same broad interpretation as the term “probability” has in many languages other than English.”

Why the Likelihood concept was preferred to Probability

When food fraud prevention was first being considered as a specific concept, some experts estimated it would take five years to complete a formal assessment. This was unacceptable, especially since the GFSI requirements were due in 12 months. It was efficient and supported by ISO 31000 concepts to focus on a “vulnerability assessment” rather than a “probabilistic risk assessment.” A key fundamental concept was to start by focusing on the more informal and qualitative “likelihood” rather than “probability.”

“ISO 31000 includes a consideration for the preliminary or general assessments that may not require data that is very detailed, accurate, precise, certain, or robust decisions. What is often important is that “a” risk assessment is conducted as long as the specification of the low certainty and low robustness is clearly defined. For food fraud prevention decisions, there may not be a lot of detail needed for a decision, or there may not be details provided (at least not yet).” (Reference 2)

It is very important and of great value that ISO 31000 Risk Management provides a common set of terms that have been created through an international and government-endorsed consensus-based process.

Watch out for the next blog, which will review the application of ISO 31000 Risk Management based on the term “consequence” and the basis for not using “severity.”

If you have any questions on this blog, we’d love to hear from you in the comments box below.

References:

1  ISO 31000 – Vocabulary, definition of ‘Likelihood’, URL: https://www.iso.org/obp/ui/#iso:std:iso:31000:ed-1:v1:en

2  Spink, John W (2019). Food Fraud Prevention – Introduction, Implementation, and Management, Food Microbiology and Food Safety series, Springer Publishing, New York, URL: https://www.springer.com/gp/book/9781493996193


Spink's Food (Fraud) for Thought - Part VI

Food Fraud Prevention – ISO 31000 Risk Management

Welcome! In support of the Food Authenticity Network (FAN), this blog series reviews key topics related to food fraud prevention. Watch here for updates that explore the definitions of food fraud terms and concepts.

This blog post builds on our previous review of the definition of risk and vulnerability as well as mitigation and prevention to review the International Standards Organization publication ISO 31000 Risk Management. The next blog post will shift focus to the ISO 31000 Risk Management concepts of the likelihood and then a separate blog post on the consequences.

International Standards – and specifically the International Standards Organization (ISO) – are efficient places to start when considering terms, definitions, and basic management system standards. Specifically, ISO 31000 Risk Management provides a crucial fundamental reference. Also, it is crucial to review what is published in this type of consensus-based, government-endorsed, official publication or what is part of informal documents or meeting notes (several of the widespread food fraud-related terms were published in workshop reports or even just meeting invitations). ISO 31000 Risk Management was published as a formal standard in 2009 after many years of a contentious consensus-driven process involving national standards organizations. This superseded more informal reports or informal guidance such as ISO Guide 73 Risk Management Vocabulary.

The publication of ISO 31000 was often contentious since some industries used terms in different applications. With the publication of ISO 31000, some people would need to change to achieve harmonization. Fortunately, food fraud prevention was developed after ISO 31000 was published (e.g., ISO 31000 significantly impacted my research and projects). Thus, from the start, food fraud prevention has focused on vulnerability and presenting the assessment in terms of “likelihood” rather than “probability” and “consequence” rather than “severity.”

ISO 31000 and Risk

In ISO 31000, a risk or vulnerability is defined in terms of likelihood AND consequence. It is critical to note that the assessment must cover both whether the event occurs and its impact. For example, jaywalking and murder are both clearly crimes, but the risk response is more based on a function of the consequence. An interesting – and often uncomfortable – realization for food safety professionals is that ‘risk’ does not only have negative consequences. Admittedly, food safety almost exclusively uses ‘risk’ for situations where there is an ‘unacceptable risk’ or a “hazard that requires a preventive control.” It helps to understand that, in the big picture, ‘risk’ does have an upside, such as in financial investments.

  • Risk (ISO 31000): “effect of uncertainty on objectives;”
    • NOTE 1: An effect is a deviation from the expected — positive and/or negative.
    • NOTE 3: Risk is often characterized by reference to potential events (2.17) and consequences (2.18) or a combination of these.
    • NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.19) of occurrence.

Then, a type of risk is a vulnerability.

  • Vulnerability (ISO 31000 citing Guide 73): “intrinsic properties of something resulting in susceptibility to a risk source (3.3.10) that can lead to an event (3.3.11) with a consequence (3.3.18)."

“ISO 31000 includes a consideration for the preliminary or general assessments that may not require data that is very detailed, accurate, precise, certain, or robust decisions. What is often important is that ‘a’ risk assessment is conducted as long as the specification of the low certainty and low robustness is clearly defined. For food fraud prevention decisions, there may not be a lot of detail needed for a decision, or details may not be provided (at least not yet).” (Reference 1)

It is very important and of great value that ISO 31000 Risk Management provides a common set of terms.

Watch out for the next blog, which will review the application of the ISO 31000 Risk Management topics of “likelihood versus probability” and “consequence versus severity.”

We’d love to hear from you in the comments box below if you have any questions on this blog.

References:

  1. Spink, John W (2019). Food Fraud Prevention – Introduction, Implementation, and Management, Food Microbiology and Food Safety series, Springer Publishing, New York, URL: https://www.springer.com/gp/book/9781493996193