Risk Owner

Definition(s)


Risk Owner

Person or entity with the accountability and authority to manage a risk (1.1). Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards  

Risk Owner

Person or entity with the accountability and authority to manage a risk [SOURCE: ISO Guide 73:2009] Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards
Risk Matrix

Definition(s)


Risk Matrix

Tool for ranking and displaying components of risk in an array. Risk matrices are user defined.

Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Risk Matrix

Tool for ranking and displaying components of risk in an array.

Sample Usage: The security staff devised a risk matrix with the likelihoods of various threats to the subway system in the rows and corresponding consequences in the columns.

Annotation: A risk matrix is typically displayed in a graphical format to show the relationship between risk components.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Risk Matrix

Tool for ranking and displaying risks (1.1) by defining ranges for consequence (3.6.1.3) and likelihood (3.6.1.1). Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards
Risk Management Process

Definition(s)


Risk Management Process

Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring (3.8.2.1) and reviewing risk (1.1). Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards  

Risk Management Process

Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analysing, evaluating, treating, monitoring and reviewing risk. [SOURCE: ISO Guide 73:2009]
  • Note 1 to entry: ISO/IEC 27005 uses the term ‘process’ to describe risk management overall. The elements within the risk management process are termed ‘activities’.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards
Risk Management Policy

Definition(s)


Risk management policy

Statement of the overall intentions and direction of an organization related to risk management (2.1). Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards  
Risk Management Plan

Definition(s)


Risk Management Plan

Document that identifies risks and specifies the actions that have been chosen to manage those risks.

Sample Usage: Businesses often have a risk management plan to address the potential risks that they might encounter.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Risk Management Plan

Scheme within the risk management framework (2.1.1) specifying the approach, the management components and resources to be applied to the management of risk (1.1).
  • NOTE 1 Management components typically include procedures, practices, assignment of responsibilities, sequence and timing of activities.
  • NOTE 2 The risk management plan can be applied to a particular product, process and project, and part or whole of the organization.
Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards
Risk Management Framework

Definition(s)


Risk management framework

Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring (3.8.2.1), reviewing and continually improving risk management (2.1) throughout the organization.
  • NOTE 1 The foundations include the policy, objectives, mandate and commitment to manage risk (1.1).
  • NOTE 2 The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities.
  • NOTE 3 The risk management framework is embedded within the organization's overall strategic and operational policies and practices.
Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards
Risk Management Audit

Definition(s)


Risk management audit

Systematic, independent and documented process for obtaining evidence and evaluating it objectively in order to determine the extent to which the risk management framework (2.1.1), or any selected part of it, is adequate and effective. Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards  
Risk Identification

Definition(s)


Risk Identification

Process of finding, recognizing, and describing potential risks.

Sample Usage: During the initial risk identification for the facility's risk assessment, seismic events were chosen as scenarios to consider because of their potentially high consequences.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Risk Identification

Process of finding, recognizing and describing risks. [SOURCE: ISO Guide 73:2009]
  • Note 1 to entry: Risk identification involves the identification of risk sources, events, their causes and their potential consequences.
  • Note 2 to entry: Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders’ needs.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Risk Identification

Process of finding, recognizing and describing risks (1.1).
  • NOTE 1 Risk identification involves the identification of risk sources (3.5.1.2), events (3.5.1.3), their causes and their potential consequences (3.6.1.3).
  • NOTE 2 Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholder's (3.2.1.1) needs.
Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards
Risk Financing

Definition(s)


Risk financing

Form of risk treatment (3.8.1) involving contingent arrangements for the provision of funds to meet or modify the financial consequences (3.6.1.3) should they occur. Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards  
Risk Description

Definition(s)


Risk description

Structured statement of risk usually containing four elements: sources, events (3.5.1.3), causes and consequences (3.6.1.3). Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards  
Risk Criteria

Definition(s)


Risk Criteria

Terms of reference against which the significance of risk is evaluated.
  • Note 1 to entry: Risk criteria are based on organizational objectives, and external and internal context.
  • Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements.
[SOURCE: ISO Guide 73:2009, 3.3.1.3] Source: ISO 17776:2016, Petroleum and natural gas industries — Offshore production installations — Major accident hazard management during the design of new installations, Second Edition, December 2016. Global Standards

Risk Criteria

Terms of reference against which the significance of risk is evaluated. [SOURCE: ISO Guide 73:2009]
  • Note 1 to entry: Risk criteria are based on organizational objectives, and external and internal context.
  • Note 2 to entry: Risk criteria can be derived from standards, laws, policies and other requirements.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Risk Criteria

Terms of reference against which the significance of a risk (1.1) is evaluated.
  • NOTE 1 Risk criteria are based on organizational objectives, and external (3.3.1.1) and internal context (3.3.1.2).
  • NOTE 2 Risk criteria can be derived from standards, laws, policies and other requirements.
Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards
Risk Aversion

Definition(s)


Risk aversion

Attitude to turn away from risk (1.1). Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards  
Risk Attitude

Definition(s)


Risk attitude

Organization's approach to assess and eventually pursue, retain, take or turn away from risk (1.1). Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards  
Risk Appetite

Definition(s)


Risk appetite

Amount and type of risk (1.1) that an organization is willing to pursue or retain. Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards  
Risk Aggregation

Definition(s)


Risk aggregation

Combination of a number of risks into one risk (1.1) to develop a more complete understanding of the overall risk. Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards  
Resilience

Definition(s)


Resilience

The ability to adapt to changing conditions and prepare for, withstand and rapidly recover from disruption.

Source: API RP 781, Security Plan Methodology for the Oil and Natural Gas Industries, 1st Ed., September 2016. Global Standards

Resilience

The ability to adapt to changing conditions and prepare for, withstand, and rapidly recover from disruption. From: DHS Risk Lexicon. Source: NICCS™ Portal Cybersecurity Lexicon, National Initiative for Cybersecurity Careers and Studies (https://niccs.us-cert.gov/glossary) as of 11 November 2015, Global Standards

Resilience

Ability to adapt to changing conditions and prepare for, withstand, and rapidly recover from disruption.

Sample Usage: The county was able to recover quickly from the disaster because of the resilience of governmental support systems.

Extended Definition: ability of systems, infrastructures, government, business, communities, and individuals to resist, tolerate, absorb, recover from, prepare for, or adapt to an adverse occurrence that causes harm, destruction, or loss.

Annotation:

  1. According to the QHSR, “Resilient individuals, families, and communities—and the systems that sustain them—are informed, trained, and materially and psychologically prepared to withstand disruption, absorb or tolerate disturbance, know their role in a crisis, adapt to changing conditions, and grow stronger over time.”
  2. Resilience can reduce the consequences associated with an incident, event, or occurrence; resilience can also impact the likelihood of a significant incident, event, or occurrence happening at all.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Resilience

Adaptive capacity of an organization in a complex and changing environment.

Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards

Residual Risk

Definition(s)


Residual Risk

Risk that remains after controls have been implemented. Source: ISO 16530-1:2017, Petroleum and natural gas industries — Well integrity – Part 1: Life cycle governance, First Edition, March 2017. Global Standards

Residual Risk

Risk that remains after risk management measures have been implemented.

Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Residual Risk

Risk that remains after risk management measures have been implemented.

Sample Usage: While increased patrols lessened the likelihood of trespassers, residual risk remained due to the unlocked exterior doors.

Synonym: unmitigated risk (residual risk).

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Residual Risk

The amount of assessed risk that remains after risk controls/barriers have been fully implemented to reduce and mitigate a risk. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards  

Residual Risk

Risk remaining after risk treatment.
  • Note 1 to entry: Residual risk can contain unidentified risk.
  • Note 2 to entry: Residual risk can also be known as “retained risk”.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Residual Risk

Risk (1.1) remaining after risk treatment (3.8.1).
  • NOTE 1 Residual risk can contain unidentified risk.
  • NOTE 2 Residual risk can also be known as “retained risk”.
Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards  

Residual Risk

Risk that remains when a barrier, or combination of barriers, operates as intended. Source: OGP Report No. 415, Asset integrity – the key to managing major incident risks, International Association of Oil & Gas Producers, December 2008. Global Standards  

Residual Risk

The remaining risk after the security controls or countermeasures have been applied.

Source: ANSI/ISA–99.00.01–2007, Security for Industrial Automation and Control Systems, Part 1: Terminology, Concepts, and Models, 29 October 2007. National Standard
Review

Definition(s)


Review

A process of understanding reported outcomes and assessments of activities with the purpose of learning how to improve performance. An insightful review takes into account a range of different inputs and signals by identifying and understanding change in reported KPIs, management observations, productivity, workforce feedback, audit findings, culture surveys, employee retention, external learnings and many other factors. Effective reviews involve managers with sufficient accountability and authority to put learning into action. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards  

Review

Activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives. [SOURCE: ISO Guide 73:2009]. Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Review

Activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives. NOTE Review can be applied to a risk management framework (2.1.1), risk management process (3.1), risk (1.1) or control (3.8.1.1). Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards  

Review

Signifies a systematic examination of drawings, design documents or records in order to evaluate their ability to meet requirements, to identify any problems and to propose necessary actions. Source: Rules for Classification – Offshore units, DNVGL-OU-0101, Offshore drilling and support units, DNV GL, July 2015. Global Standards
Probability

Definition(s)


Probability

Numerical value between zero and one assigned to a random event (which is a subset of the sample space) in such a way that the assigned number obeys three axioms: 1) the probability of the random event "A" must be equal to, or lie between, zero and one; 2) the probability that the outcome is within the sample space must equal one; and 3) the probability that the random event "A" or "B" occurs must equal the probability of the random event "A" plus the probability of the random event "B" for any two mutually exclusive events.

Source: API STANDARD 780, Security Risk Assessment Methodology for the Petroleum and Petrochemical Industries, First Edition, May 2013. Global Standards

Probability

Numerical value between zero and one assigned to a random event (which is a subset of the sample space) in such a way that the assigned number obeys three axioms: (1) the probability of the random event “A” must be equal to, or lie between, zero and one; (2) the probability that the outcome is within the sample space must equal one; and (3) the probability that the random event “A” or “B” occurs must equal the probability of the random event “A” plus the probability of the random event “B” for any two mutually exclusive events.

Sample Usage: The probability of a coin landing on "heads" is 1/2.

Annotation:

  1. Probability can be roughly interpreted as the percent chance that something will occur. For example, a weather forecaster’s estimate of a 30 percent chance of rain in the Washington, DC area is equivalent to a probability of 0.3 that rain will occur somewhere in Washington, DC.
  2. A probability of 0 indicates the occurrence is impossible; 1 indicates that the occurrence will definitely happen.
  3. Probability is used colloquially as a synonym for likelihood, but in statistical usage there is a clear distinction.
  4. The probability that event A occurs is written as P(A).
  5. Event A and event B are mutually exclusive if they cannot occur at the same time. For example, a coin toss can result in either heads or tails, but both outcomes cannot happen simultaneously.
  6. Event A and event B are statistically independent if the occurrence of one event has no impact on the probability of the other. Examples of two events that are independent are the systems designed to prevent an attack as described in the Fault Tree example and Event Tree example. The probability that the Personnel Action to Stop Attack is successful is not affected by whether the Security Equipment to Stop Attack is successful and vice versa. Two events that may not be independent are the collapse of a bridge and the occurrence of a major earthquake in the area. Clearly the probability of a bridge collapse can be affected by the occurrence of a major earthquake. However, the two events may also be independent: a bridge can survive an earthquake and a bridge can collapse in the absence of any earthquake.
  7. Conditional probability is the probability of some event A, given the occurrence of some other event B, written as P(A|B). An example is the conditional probability of a person dying (event A), given that they contract the pandemic flu (event B).
  8. Joint probability is the probability of two events occurring in conjunction, that is, the probability that event A and event B both occur, written as ) or P(AB) and pronounced A intersect B. The probability of someone dying from the pandemic flu is equal to the joint probability of someone contracting the flu (event A) and the flu killing them (event B). Joint probabilities are regularly used in Probabilistic Risk Assessments and Event Trees.
  9. Conditional and joint probabilities are related by the following formula:
     P(A|B) = P(AB)/P(B) (1)
     If events A and B are statistically independent then P(A|B) = P(A) and the relationship (1) above becomes P(A) × P(B) = P(AB). Consequently, for statistically independent events, the joint probability of event A and event B is equal to the product of their individual probabilities. An example of the joint probability of two independent events is given in the Event Tree example. If the probability that Personnel Action to Stop Attack fails equals P(A) and the probability that Security Equipment to Stop Attack fails equals P(B), then Probability of Successful Attack = P(AB) = P(A) × P(B) = 0.1 × 0.3 = 0.03, as calculated in the Event Tree example (see Figure A on page 14).
  10. Marginal probability is the unconditional probability of event A, P(A). It is the probability of A regardless of whether event B did or did not occur. If B can be thought of as the event of a random variable X having a given outcome, then the marginal probability of A can be obtained by summing (or integrating, more generally) the joint probabilities over all outcomes for X. Suppose, for example, that event A is the occurrence of an illegal person entering the country and X is the random variable of where he entered the country. Then there are two possible outcomes of X: either he entered through an official point of entry (event B), or he did not (event B’, pronounced B-not). Then the probability of the person entering the country, P(A), is equal to the sum of the joint probabilities of him entering by traveling through a point of entry plus the probability of him entering by not traveling through a point of entry: P(A) = P(AB) + P(AB’). This is called marginalization.

Source: DHS Risk Lexicon, U.S. Department of Homeland Security, 2010 Edition. September 2010 Regulatory Guidance

Probability

Measure of the chance of occurrence expressed as a number between 0 and 1, where 0 is impossibility and 1 is absolute certainty. NOTE See definition 3.6.1.1, Note 2. Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards
Level of Risk

Definition(s)


Level of risk

Magnitude of a risk expressed in terms of the combination of consequences and their likelihood. [SOURCE: ISO Guide 73:2009, modified — “or combination of risks,” has been deleted.] Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Level of risk

Magnitude of a risk (1.1) or combination of risks, expressed in terms of the combination of consequences (3.6.1.3) and their likelihood (3.6.1.1). Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards
Internal Context

Definition(s)


Internal context

Internal environment in which the organization seeks to achieve its objectives. [SOURCE: ISO Guide 73:2009]
  • Note 1 to entry: Internal context can include:
    • governance, organizational structure, roles and accountabilities;
    • policies, objectives, and the strategies that are in place to achieve them;
    • the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
    • information systems, information flows and decision-making processes (both formal and informal);
    • relationships with, and perceptions and values of, internal stakeholders;
    • the organization’s culture;
    • standards, guidelines and models adopted by the organization; and
    • form and extent of contractual relationships.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Internal context

Internal environment in which the organization seeks to achieve its objectives. NOTE Internal context can include: governance, organizational structure, roles and accountabilities; policies, objectives, and the strategies that are in place to achieve them; the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies); information systems, information flows and decision-making processes (both formal and informal); relationships with, and perceptions and values of internal stakeholders; the organization's culture; standards, guidelines and models adopted by the organization; and form and extent of contractual relationships. Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards
Event

Definition(s)


Event

An unintended or uncontrolled outcome of an operating activity that has, or could have, contributed to harmful consequences to people, property or the environment. Source: IOGP Report No. 510, Operating Management System Framework for controlling risk and delivering high performance in the oil and gas industry, International Association of Oil & Gas Producers, June 2014. Global Standards  

Event

Occurrence or change of a particular set of circumstances. [SOURCE: ISO Guide 73:2009]
  • Note 1 to entry: An event can be one or more occurrences, and can have several causes.
  • Note 2 to entry: An event can consist of something not happening.
  • Note 3 to entry: An event can sometimes be referred to as an “incident” or “accident”.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

Event

Occurrence or change of a particular set of circumstances.
  • NOTE 1 An event can be one or more occurrences, and can have several causes.
  • NOTE 2 An event can consist of something not happening.
  • NOTE 3 An event can sometimes be referred to as an “incident” or “accident”.
  • NOTE 4 An event without consequences (3.6.1.3) can also be referred to as a “near miss”, “incident”, “near hit” or “close call”.
Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards  

Event

An observable occurrence in an information system or network. Extended Definition: Sometimes provides an indication that an incident is occurring or at least raises the suspicion that an incident may be occurring. Adapted from: CNSSI 4009 Source: NICCS™ Portal Cybersecurity Lexicon, National Initiative for Cybersecurity Careers and Studies (https://niccs.us-cert.gov/glossary) as of 11 November 2015, Global Standards

Event

An unplanned or uncontrolled outcome of a business operation or activity that has or could have contributed to an injury, illness or physical damage or environmental damage. Source: OGP Report No. 456, Process Safety – Recommended Practice on Key Performance Indicators, International Association of Oil & Gas Producers, November 2011. Global Standards
External Context

Definition(s)


External Context

External environment in which the organization seeks to achieve its objectives [SOURCE: ISO Guide 73:2009]
  • Note 1 to entry: External context can include:
    • the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
    • key drivers and trends having impact on the objectives of the organization; and
    • relationships with, and perceptions and values of, external stakeholders.
Source: ISO/IEC 27000:2014, Information technology — Security techniques — Information security management systems — Overview and vocabulary, Third Edition, January 2014. Global Standards

External Context

External environment in which the organization seeks to achieve its objectives. NOTE External context can include: the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local; key drivers and trends having impact on the objectives of the organization; and relationships with, and perceptions and values of external stakeholders (3.2.1.1). Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards
Exposure

Definition(s)


Exposure

Extent to which an organization and/or stakeholder (3.2.1.1) is subject to an event (3.5.1.3). Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards  

Exposure

The condition of being unprotected, thereby allowing access to information or access to capabilities that an attacker can use to enter a system or network. Adapted from: NCSD glossary. Source: NICCS™ Portal Cybersecurity Lexicon, National Initiative for Cybersecurity Careers and Studies (https://niccs.us-cert.gov/glossary) as of 11 November 2015, Global Standards
Establishing the Context

Definition(s)


Establishing the context

Defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria (3.3.1.3) for the risk management policy (2.1.2). Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards
Communication and Consultation

Definition(s)


Communication and consultation

Continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders (3.2.1.1) regarding the management of risk (1.1).
  • NOTE 1 The information can relate to the existence, nature, form, likelihood (3.6.1.1), significance, evaluation, acceptability and treatment of the management of risk.
  • NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is: a process which impacts on a decision through influence rather than power; and an input to decision making, not joint decision making.
Source: ISO Guide 73:2009(E/F), Risk Management – Vocabulary, First Edition, 2009. Global Standards
Innovation

Definition(s)


Innovation

In the context of an organization, the term innovation refers to the entire process by which individuals or groups generate creative new ideas and convert them into products, services, or business practices (see Clause A.5). Source: ISO 10018:2012(EN), Quality management — Guidelines on people involvement and competence, First Edition, September 2012. Global Standards  

Innovation

In the context of an organization, the term “innovation” refers to the entire process by which people or groups generate new ideas and convert them into commercial products, services and business practices. Innovation is frequently obtained as a result of sharing collective knowledge. Successful innovation results from a high degree of people involvement (see also Clauses A.10 and A.14). Source: ISO 10018:2012(EN), Quality management — Guidelines on people involvement and competence, First Edition, September 2012. Global Standards
Involvement

Definition(s)


Involvement

Engagement in, and contribution to, shared objectives. Source: ISO 10018:2012(EN), Quality management — Guidelines on people involvement and competence, First Edition, September 2012. Global Standards
Competence Development

Definition(s)


Competence development

Process to increase the competence of a person, a group of people, or an organization. Source: ISO 10018:2012(EN), Quality management — Guidelines on people involvement and competence, First Edition, September 2012. Global Standards
Competence Acquisition

Definition(s)


Competence acquisition

Process to ensure that competence (3.1) is attained by a person, a group of people, or an organization. NOTE In order to ensure the needs and objectives of the organization are being met, it can be necessary to have a continual programme of competence acquisition. Source: ISO 10018:2012(EN), Quality management — Guidelines on people involvement and competence, First Edition, September 2012. Global Standards