This article examines ISO 31000-2009, also referred to as ANSI/ASSE Z690.2, the second of a trio of standards dealing with the concept of Risk. In our first review (Luko 2013) risk management terminology was reviewed. The terminology documents, ISO Guide 73 and ANSI/ASSE Z690.1-2011, were found to be identical and contained all of the risk vocabulary used in the subsequent two standards. In the present review, the second of the trio of standards concerning risk is treated. The general topic of this standard is risk management principles and guidelines.

Figure (uploaded by Stephen N. Luko): Z690.1-2011, ISO Guide 73; Risk Management, Terms (continued)


This article was downloaded by: [Stephen N. Luko]
On: 07 June 2013, At: 11:08
Publisher: Taylor & Francis
Informa Ltd, Registered in England and Wales, Registered Number: 1072954. Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK

Quality Engineering
Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/lqen20

Risk Management Terminology
Stephen N. Luko, United Technologies Aerospace Systems (UTAS), Windsor Locks, Connecticut

To cite this article: Stephen N. Luko (2013): Risk Management Terminology, Quality Engineering, 25:3, 292-297
To link to this article: http://dx.doi.org/10.1080/08982112.2013.786336


Reviews of Standards and Related Material

Risk Management Terminology

Stephen N. Luko
United Technologies Aerospace Systems (UTAS), Windsor Locks, Connecticut

ABSTRACT Three new standards related to the risk concept appeared in January 2011. These standards are an adoption by the American National Standards Institute (ANSI) of an ISO suite of documents developed in conjunction with the American Society of Safety Engineers (ASSE) concerning risk vocabulary, risk management, and risk assessment techniques. This article describes International Organization for Standardization (ISO) Guide 73 (2009), Risk Management Terminology, and its American National Standards Institute (ANSI) equivalent Z690.1 (2011). A future article will review the Principles and Guidelines ANSI/ASSE Z690.2 (2011) and Assessment Techniques ANSI/ASSE Z690.3 (2011) documents.

KEYWORDS risk, risk management, risk management terminology

INTRODUCTION

Throughout this review, reference to either International Organization for Standardization (ISO) Guide 73 (2009) or American National Standards Institute (ANSI) Z690.1 (2011) should be considered as meaning the same document. In fact, the documents are identical. As stated in their Introduction (2009, vii), "This Guide provides basic vocabulary to develop common understanding on risk management concepts and terms among organizations and functions and across different applications and types." They further state that "...the guide is generic and is compiled to encompass the general field of risk management." As general as this is, it is precisely what is needed with the ever increasing awareness of risk on various levels and the application of risk principles to business quarters.

The ISO suite of risk related standards and their ANSI equivalents are shown in Table 1.

Z690.1 is the ANSI version of the vocabulary (2011). Z690.2 (2011) focuses on management of risk (31 pages) and Z690.3 (2011) focuses on risk analysis techniques (110 pages). The risk techniques document contains many statistical elements including Bayesian methods. This review focuses on the vocabulary standard, which comprises 15 pages in either version. Two future articles will focus on the management and techniques documents. All information appearing in quotes is a direct quote from Z690.1 or ISO Guide 73.

Address correspondence to Stephen N. Luko, United Technologies Aerospace Systems, 1 Hamilton Road, Windsor Locks, CT 06096. E-mail: stephen.luko@utas.utc.com

Quality Engineering, 25:292–297, 2013
Copyright © Taylor & Francis Group, LLC
ISSN: 0898-2112 print/1532-4222 online
DOI: 10.1080/08982112.2013.786336


Z690.1-2011, Risk Management Vocabulary, Overview

The vocabulary document contains 11 subsections, each focusing on a specific aspect of risk. Sections and associated terms are provided in Table 2. Just before the first section on definitions, there is a small section entitled "Scope" where the purpose and intent of the document is reiterated.

This Guide provides the definitions of generic terms related to risk management. It aims to encourage a mutual and consistent understanding of, and a coherent approach to, the description of activities relating to the management of risk, and the use of uniform risk management terminology in processes and frameworks dealing with the management of risk. This Guide is intended to be used by: a) those engaged in managing risks, b) those who are involved in activities of ISO and IEC, and c) developers of national or sector-specific standards, guides, procedures and codes of practice (ANSI/ASSE Z690.1 2011, 8).

Thus, these guides serve a broad audience, from general industry- and sector-specific managers, to developers of other standards, specifications, and policy documents involving risk.

TABLE 1 ISO and ANSI Equivalent Risk Management Standards

| ISO | Title | ANSI | Title |
|---|---|---|---|
| Guide 73 (2009) | Risk management, Vocabulary | Z690.1-2011 | Vocabulary for Risk Management |
| Standard 31000 (2009) | Risk Management: Principles and Guidelines | Z690.2-2011 | Risk Management Principles |
| Standard 31010 (2009) | Risk Management: Risk Assessment Techniques | Z690.3-2011 | Risk Assessment Techniques |

TABLE 2 Z690.1-2011, ISO Guide 73; Risk Management, Terms by Subsections

1. Terms Related to Risk
  • Risk
2. Terms Related to Risk Management
  • Risk Management
  • Risk Management Framework
  • Risk Management Policy
  • Risk Management Plan
3. Terms Related to the Risk Management Process
  • Risk Management Process
  • Stakeholder
  • Risk Perception
3.2 Terms Relating to Communication and Consultation
  • Communication and Consultation
3.3 Terms Related to Context
  • Establishing the Context
  • External Context
  • Internal Context
  • Risk Criteria
3.4 Terms Related to Risk Assessment
  • Risk Assessment
3.5 Terms Related to Identification
  • Risk Identification
  • Risk Description
  • Risk Source
  • Event
  • Hazard
  • Risk Owner
3.6 Terms Related to Risk Analysis
  • Risk Analysis
  • Likelihood
  • Exposure
  • Consequence
  • Probability
  • Frequency
  • Vulnerability
  • Risk Matrix
  • Level of Risk
3.7 Terms Related to Risk Evaluation
  • Risk Evaluation
  • Risk Attitude
  • Risk Appetite
  • Risk Tolerance
  • Risk Aversion
  • Risk Aggregation
  • Risk Acceptance
3.8 Terms Related to Risk Treatment
  • Risk Treatment
  • Control
  • Risk Avoidance
  • Risk Sharing
  • Risk Financing
  • Risk Retention
  • Residual Risk
  • Resilience
3.8.2 Terms Relating to Monitoring and Measuring
  • Monitoring
  • Review
  • Risk Reporting
  • Risk Register
  • Risk Profile
  • Risk Management Audit

The Concept of "RISK" and Associated Terms

Section 1 contains a single term, risk. We consider its definition, associated NOTES, and some discussion below.

1.1 risk
Effect of uncertainty on objectives.
NOTE 1: An effect is a deviation from the expected, positive and/or negative.
NOTE 2: Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3: Risk is often characterized by reference to potential events (3.5.1.3) and consequences (3.6.1.3), or a combination of these.
NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (3.6.1.1) of occurrence.
NOTE 5: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood (ANSI/ASSE Z690.1 2011, 8).

Observe that risk is very broadly defined in terms of uncertainty and its effect, and effect is further defined in terms of a "deviation from that expected." Also, objective can be assumed to mean desired or expected result. Therefore, if objectives are planned desirable future states, conditions, or final outcomes in an organization or process, and if the achievement of these future desirable states using various mechanisms is uncertain, at least to a degree, then the final outcome(s) or future states may very well be a departure or deviation from the objective. The extent of the departure from the expected and how uncertainty can play into this is called risk.

In addition to uncertainty and objective, three other important concepts contribute to the overall understanding of risk in this paragraph. These are event, consequences, and likelihood. An event is defined in 3.5.1.3 as "The occurrence or change of a particular set of circumstances" (ANSI/ASSE Z690.1 2011, 10). Here again this is completely general and would cover any kind of deleterious single events, such as an accident, multiple types of events, and adverse conditions or sets of conditions. The event, condition, or circumstance may be taken to be a significant departure from an objective. The term consequence is defined in 3.6.1.3, "Consequence: the outcome of an event" (ANSI/ASSE Z690.1 2011, 11). This term might seem at first somewhat ambiguous or similar to the event itself but, upon reflection, the meaning is that we have some event that occurs, then there is a resulting outcome from this. The outcome can be considered the consequence. So an event is really a description of what happens (the circumstances) and the consequence is what the cost hit is (the outcome).

The concept of likelihood is referred to in Notes 4 and 5 of the definition of risk. This term is taken as a synonym for probability or relative frequency of occurrence of something happening. The basic definition (3.6.1.1) is simply: "Likelihood: Chance of something happening" (ANSI/ASSE Z690.1 2011, 11). The associated NOTES further clarify this as:

NOTE 1: In risk management terminology, the word "likelihood" is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically [such as a probability or a frequency over a given time period].
NOTE 2: The English term "likelihood" does not have a direct equivalent in some languages; instead, the equivalent of the term "probability" is often used. However, in English, "probability" is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, "likelihood" is used with the intent that it should have the same broad interpretation as the term "probability" has in many languages other than English.

Two important points stand out: (1) likelihood and probability have similar meanings and (2) the assignment of likelihood is quite general, from the mathematical to the subjective. This leaves the practitioner unintimidated and with much room to apply these concepts to real-world situations.

The definitions of probability and frequency in this standard read:

Probability: measure of the chance of occurrence expressed as a number between 0 and 1 where 0 is impossibility and 1 is absolute certainty.
Frequency: Number of events or outcomes per defined unit of time. NOTE: Frequency can be applied to past events or to potential future events, where it can be used as a measure of likelihood/probability (ANSI/ASSE Z690.1 2011, 11).


Thus, probability is mathematical, whereas likelihood is more general and may even be qualitative and assigned subjectively.

The term uncertainty is generally used in its non-technical sense as a state of mind where we are not sure about what will happen. This term is not specifically defined in this standard other than NOTE 5 under risk, but as other terms are quite general, we can take it that uncertainty as used here is equally broad. NOTE 5 states that it applies to the future event outcome, the consequence of an event, and its likelihood (probability). Thus, when working a risk scenario we often find that a final event, the consequences of the event, and/or the probability of the event have some degree of uncertainty, and these have to be considered in any final risk assessment. In using the risk concept, then, there is an objective or expected desirable outcome, but this may be compromised to some degree by virtue of our uncertainty about how all of the variables affecting the outcome would eventually play out to give us the final outcome. Some simple examples of how this is used in ordinary usage may prove instructive here.

1. When we say "Risk of injury to a minor" we generally mean that the situation or behavior engaged in with respect to the minor can lead to a departure from an objective (in the ISO language). The objective might be, for example, the safe keeping of a child overnight at a neighbor's house. Leaving the child alone for a time is the "risky" behavior. We would say that leaving the child alone for a time increases the likelihood (probability) that the objective would be compromised. Various types of events might happen. For example, the child could eat something it shouldn't and the consequence might be a serious illness or even death. In everyday life this might also happen, but under the watchful eyes of adults, the event is considered very unlikely. The risk of injury comes about because the probability of something happening (some departure from objectives) is many times higher than what has been observed in the past for similar events happening in a properly supervised setting. Note that the quantification is important here. We often need to look back to see how often the undesirable departure (event) has happened in the past under the potential conditions (leaving the child alone). Then we compare this to the occurrence of the same departure under all possible conditions. Note also that we may be uncertain about what might happen, its probability of occurrence, and the subsequent consequences.

2. More generally, "engaging in risky behavior" means that the behavior is associated with an increase in the likelihood (probability) that a departure from a stated objective might occur. If the stated objective is "accident avoidance" when driving in a snowstorm, then the risky behavior might mean not slowing down enough in a line of traffic or following too closely, or engaging in excessive speed. An event might be the occurrence of an accident, which can have quite variable consequences. Thus, we see that the event and its consequences are uncertain. The probability of the event may be more certain in this case because there may be a good deal of past intelligence (data) concerning this type of accident.

3. In matters of quality, risk generally means the production of or the escaping of a nonconforming product or service to a downstream operation or a field application. Quality is often measured using quality indices such as Cpk, Ppk, or other similar metrics. A Cpk of 1.5 or higher might be a management objective. Such indices have an implied probability built into them, so that if Cpk = 1.5, for example, the implied probability is between 3.4 and 6.8 nonconforming units in one million units produced, at least in theory. We can consider this as the baseline acceptable risk; however, notice that there may be uncertainty concerning (a) whether the normal distribution applies to the data; (b) whether the data came from a process in statistical control; (c) the fact that the index was calculated using point estimates of the mean and standard deviation, not the true values of the parameters; and (d) the fact that special causes might occur at any time giving rise to additional nonconforming (and possibly escaping) units. Each of these as well as other considerations makes up the risk in quality matters. More generally, the discipline of quality engineering may be considered as a risk-mitigating discipline.
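The figures in item 3 follow from the normal-distribution assumption that the item itself lists as a source of uncertainty. The following is an added worked example, not code from the review or from the Z690 standards. It assumes a normally distributed process whose nearest specification limit sits 3 × Cpk standard deviations from the mean, computes the implied nonconforming rate for one and for two specification limits (which reproduces the 3.4 to 6.8 per million quoted for Cpk = 1.5), and then simulates how widely a Cpk estimated from a 50-observation sample scatters around a true value of 1.5, which is the point-estimate uncertainty of item (c). All process parameters and samples in it are constructed.

```python
"""Implied nonconformance probability behind a Cpk objective.

Added worked example, not from the Luko review or the Z690 standards.
Assumes a normally distributed process; the review's point (a) notes that
this assumption is itself a source of risk.
"""
import math
import random
import statistics


def normal_upper_tail(z):
    """P(Z > z) for a standard normal variable, via the complementary error function."""
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def implied_ppm(cpk, two_sided):
    """Nonconforming parts per million implied by a Cpk value (normal process assumed).

    Cpk = (distance from the mean to the nearest specification limit) / (3 sigma),
    so that limit sits 3 * Cpk standard deviations away. With a single limit the
    tail beyond it is the whole escape probability; with the process centred
    between two limits both tails escape, which gives the upper figure in the review.
    """
    tail = normal_upper_tail(3.0 * cpk)
    return 1e6 * tail * (2 if two_sided else 1)


def cpk_from_data(sample, lsl, usl):
    """Point-estimate Cpk from a sample, using the sample mean and standard deviation
    rather than the true process parameters (the review's uncertainty (c))."""
    mean = statistics.mean(sample)
    sd = statistics.stdev(sample)
    return min(usl - mean, mean - lsl) / (3.0 * sd)


def cpk_sampling_spread(true_cpk, n, trials, seed=1):
    """Simulate how much an estimated Cpk scatters when only n observations are available.

    The process is a centred standard normal with specification limits at
    +/- 3 * true_cpk (constructed parameters). Returns the lowest and highest
    estimate seen across the trials."""
    rng = random.Random(seed)
    limit = 3.0 * true_cpk
    estimates = []
    for _ in range(trials):
        sample = [rng.gauss(0.0, 1.0) for _ in range(n)]
        estimates.append(cpk_from_data(sample, -limit, limit))
    return min(estimates), max(estimates)


if __name__ == "__main__":
    for cpk in (1.0, 1.33, 1.5, 2.0):
        print(f"Cpk {cpk:4.2f}: {implied_ppm(cpk, False):10.4f} ppm (one limit)  "
              f"{implied_ppm(cpk, True):10.4f} ppm (two limits)")
    lo, hi = cpk_sampling_spread(1.5, n=50, trials=2000)
    print(f"Cpk estimated from 50-point samples of a true-1.5 process ranged {lo:.2f} to {hi:.2f}")
```

The spread reported by the last line is the practical content of item (c): a single sample can report a Cpk well above or below the objective while the process itself is exactly at 1.5, so an acceptance decision taken on one point estimate carries risk that the headline ppm figure does not show.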

All of the above is very general and designed for use by managers desiring to incorporate knowledge of risk and/or some type of risk program, at some level, into their organizations. It may be useful to finish this section by contrasting the ISO concept of risk with a more specific industry application. The Federal Aviation Administration (FAA 2003) defines the notion of "risk factor" in its "Advisory Circular 39-8" on "Continued Airworthiness Assessment Methodology (CAAM)" (6). This standard applies to risk assessment and associated activity in the U.S. aerospace transportation industry, including suppliers to aerospace manufacturers. The FAA (2003) defines a risk factor as follows:

"'Risk Factor': A quantitative assessment output equal to the average number of" future events expected to occur within a given time. Risk factors can be differentiated by three types and typically cover the time period required for problem resolution. However, in the case of uncorrected risk factor and control program risk factors for control programs that do not incorporate final corrective action (e.g., recurring inspections), risk factors usually cover a 20-year (60,000-hour) period or shorter interval corresponding to the expected life of the fleet.

1. Uncorrected Risk Factor: The forecasted number of future events expected to occur in the entire worldwide fleet (or, if applicable, the relevant affected subfleet) if no corrective actions are incorporated.
2. Control Program Risk Factor: The forecasted number of future events expected to occur in the entire worldwide fleet (or, if applicable, the relevant affected subfleet) during the control program.
3. Corrected Risk Factor: The forecasted number of future events expected to occur after the entire worldwide fleet (or, if applicable, the relevant affected subfleet) incorporates the final corrective actions" (6).

The FAA (2003) risk factor is an expected or forecasted number of future events as applied to a specific fleet of aircraft, within a defined time period, whereas risk in Z690.1 (2011) is a departure from an objective in the sense of any departure being a result of uncertainty. The latter is seen to be more general than how the FAA is applying the term. This is an important point. Managers looking to incorporate risk ideas into their business plans could look at how others have done this, but standards such as Z690.1 give a much broader base of understanding on how these concepts are intended to be applied. Not all quarters will apply these concepts in quite the same way. It is always context dependent.
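The FAA risk factor is a frequency (events per flight hour) multiplied out over fleet exposure to give an expected count, which is exactly the sense in which the Z690.1 definition of frequency, quoted earlier, allows a frequency to serve as a measure of likelihood or probability. The following is an added example, not code from the review, from Advisory Circular 39-8 or from Z690.1, written to make that relationship concrete. It assumes a constant event rate per aircraft flight hour and Poisson-distributed events, and the fleet size, rates and hour figures in it are constructed rather than real data. The split into uncorrected, control program and corrected factors is this example's own reading of the three definitions: the full remaining life at the current rate; only the hours flown until the fix is incorporated; the reduced rate for the hours flown after the fix.

```python
"""Frequency, expected events and probability: the FAA 'risk factor' types as a small model.

Added example, not taken from the review, from Advisory Circular 39-8 or from
Z690.1. Assumes a constant event rate per flight hour and a Poisson count of
events; fleet size, rates and hours are constructed, not real data.
"""
import math
from dataclasses import dataclass


@dataclass
class FleetExposure:
    aircraft: int                 # aircraft in the affected (sub)fleet (constructed)
    remaining_life_hours: float   # flight hours each aircraft accumulates over the period
    control_program_hours: float  # hours each aircraft flies before the final fix is incorporated


def expected_events(rate_per_hour, fleet_hours):
    """Frequency (events per flight hour) times exposure (fleet flight hours) gives an
    expected event count: the 'average number of future events expected' of the FAA definition."""
    return rate_per_hour * fleet_hours


def probability_of_at_least_one(expected):
    """Turn an expected count into a probability on [0, 1], assuming Poisson-distributed events.
    This is frequency read as a 'measure of likelihood/probability', as the Z690.1 NOTE allows."""
    return 1.0 - math.exp(-expected)


def risk_factors(exposure, rate_before_fix, rate_after_fix):
    """The three AC 39-8 risk factor types as this example models them (an assumption):
      uncorrected      - no fix: the full remaining life flown at the current rate
      control_program  - the current rate, but only for the hours flown until the fix is in
      corrected        - the reduced rate for the hours flown after the fix
    """
    n = exposure.aircraft
    after_fix_hours = exposure.remaining_life_hours - exposure.control_program_hours
    return {
        "uncorrected": expected_events(rate_before_fix, n * exposure.remaining_life_hours),
        "control_program": expected_events(rate_before_fix, n * exposure.control_program_hours),
        "corrected": expected_events(rate_after_fix, n * after_fix_hours),
    }


if __name__ == "__main__":
    # Constructed fleet: 300 aircraft, the review's 60,000-hour life, fix incorporated after 5,000 hours.
    fleet = FleetExposure(aircraft=300, remaining_life_hours=60_000, control_program_hours=5_000)
    factors = risk_factors(fleet, rate_before_fix=2e-7, rate_after_fix=2e-9)
    for name, value in factors.items():
        print(f"{name:16s} expected events = {value:7.3f}   "
              f"P(at least one) = {probability_of_at_least_one(value):.3f}")
```

The two columns printed side by side are the point of the example: the risk factor itself is a count and can exceed 1, while the probability of at least one event saturates toward 1, so the two quantities answer different questions even though they come from the same frequency.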

Another, more recent, vintage of risk documents, from which we may contrast the basic interpretation of the concept of risk, is the U.S. Department of Homeland Security's (DHS 2010) Risk Lexicon. The document is essentially a glossary of terms related to all aspects of risk. Most of the definitions found in this document have an associated example and possible extended definitions and/or annotations. The basic definition of risk found in this document is as follows:

Risk:
Definition: The potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.
Example: The team calculated the risk of a terrorist attack after analyzing intelligence reports, vulnerability assessments and consequence models.
Extended Definition: potential for an adverse outcome assessed as a function of threats, vulnerabilities and consequences associated with an incident, event or occurrence.
Annotation: 1) Risk is defined as the potential for an unwanted outcome. This potential is often measured and used to compare different future situations; 2) Risk may manifest at the strategic, operational and tactical levels (27).

The above may be considered as a baseline definition in the DHS Lexicon. Many other terms in this document contain the term risk. Notice, though, that this does harmonize with the ISO version of risk. In fact, the DHS (2010) document states that one source of validation for their Lexicon is "International Standards Organization (ISO) Risk Management Vocabulary ISO/IEC Guide 73" (27).

Risk Management Vocabulary

In section 2, Terms Relating to Risk Management, we find the very general definition: "2.1 'Risk Management': Coordinated activities to direct and control an organization with regard to risk" (ANSI/ASSE Z690.1 2011, 8). This is further developed using terms such as risk management framework, policy, and plan. This terminology speaks to general management of organizations where risk may play a key role. There needs to be a general policy, an understanding of the framework in how the policy is applied, and a plan to manage the risk. The concepts are general enough so that they may be used by a wide variety of organizations and situations where risk is important in managing the organization.

Section 3 concerns the broad topic of the risk management process and makes up the bulk of the remaining terms in this standard. There are subsections on communication and consultation, context, assessment, identification, analysis, evaluation, monitoring and measuring. In fact, the terminology in this section reads like a short course in the treatment of risk in organizations. The very first term, risk management process, states that "...the treatment of risk in organizations involves systematic application of management policy, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analyzing, evaluating, treating, monitoring and reviewing risk" (ANSI/ASSE Z690.1 2011, 9). With this description, companies and organizations seeking to create a risk management process can easily make a ready checklist summarizing the major components of such a process. A simple example is shown in Table 3.

CONCLUSION

The concept of risk and its management has been increasingly important to organizations in recent years. That quality, quality engineering, and quality management are related to risk is without question. The overall process of creating formal risk management tools in organizations starts by just thinking about and discussing what is "risky" in an organization. This is, of course, quite variable and context dependent. At some point, practitioners need good standard terminology to describe their intentions and begin the process of creating the risk management process. The ISO documents as well as many other resources are invaluable in describing this.

It is good that people who need to use risk concepts do not have to be mathematicians or statisticians to use these concepts. This greatly reduces intimidation by users who otherwise would never bother to consider risk topics as part of their organizations. However, there is some danger in using these concepts in general qualitative ways, and users are cautioned that risk generally means what can happen, how often and with what consequences, and these are far more meaningful and helpful to organizations when quantified.

ABOUT THE AUTHOR

Stephen N. Luko is an industrial statistician with United Technologies Aerospace Systems. He is a senior member of ASQ and the editor of this column.

REFERENCES

ANSI/ASSE Z690.1-2011. (2011). Vocabulary for Risk Management. Washington, D.C.: American National Standards Institute.
ANSI/ASSE Z690.2-2011. (2011). Risk Management Principles and Guidelines. Washington, D.C.: American National Standards Institute.
ANSI/ASSE Z690.3-2011. (2011). Risk Assessment Techniques. Washington, D.C.: American National Standards Institute.
Federal Aviation Administration. (2003). Advisory Circular 39-8. Washington, D.C.: Federal Aviation Administration.
ISO Guide 73. (2009). Risk Management Terminology. Geneva, Switzerland: International Organization for Standardization (ISO).
U.S. Department of Homeland Security. (2010). DHS Risk Lexicon. Washington, D.C.: U.S. Department of Homeland Security.

TABLE 3 Simple Checklist for a Basic Risk Management Process

  • General policy: Statements to include intentions and basic organizational directives involving the treatment of risk.
  • Metrics: How is risk to be defined and measured in the organization? Consider objectives, expectations, how events are defined, the consequences of any events, and the measures of associated likelihoods (how).
  • Requirements for the process: Consider (a) human resource requirements; (b) professional requirements such as risk analysts, statisticians, engineering or technical experts, and managers; (c) technical components such as computer programs, reporting templates, data management software; (d) training and communications requirements; standard work or general written/documented procedures and methodology.
  • Communication plan: Includes training at various levels of an organization and reporting templates.
  • Risk assessment, analysis methodology, and mitigating corrective action planning and development
  • Monitoring and improvement of the process

In addition to these basic components, section 3 of Z690.1 defines numerous other important terms and concepts that managers may want to consider when trying to introduce/implement a risk management process in their organizations (see Table 1). Not all of these will apply in all organizations. What is important and utilitarian is the generality of application of the Z690.1 catalog.


... Then, according to the ISO 31000 standard (www.iso.org/iso-31000-risk-management.html, accessed on 5 August 2021) for risk management [37], the values of UF are discretized in scales: low ∈ [0, 0.33), medium ∈ [0.33, 0.66) and high ∈ [0.66, 1]. These thresholds indicate the level of performance (_lvl) of each resource r_i, as Equation (14) indicates. ...

  • Ivan Lopez-Arevalo
  • José Luis González
  • Mariana Hinojosa-Tijerina
  • Jose L. Martinez-Rodriguez

The data produced by sensors of IoT devices are becoming keystones for organizations to conduct critical decision-making processes. However, delivering information to these processes in real-time represents two challenges for the organizations: the first one is achieving a constant dataflow from IoT to the cloud and the second one is enabling decision-making processes to retrieve data from dataflows in real-time. This paper presents a cloud-based Web of Things method for creating digital twins of IoT devices (named sentinels). The novelty of the proposed approach is that sentinels create an abstract window for decision-making processes to: (a) find data (e.g., properties, events, and data from sensors of IoT devices) or (b) invoke functions (e.g., actions and tasks) from physical devices (PD), as well as from virtual devices (VD). In this approach, the applications and services of decision-making processes deal with sentinels instead of managing complex details associated with the PDs, VDs, and cloud computing infrastructures. A prototype based on the proposed method was implemented to conduct a case study based on a blockchain system for verifying contract violation in sensors used in product transportation logistics. The evaluation showed the effectiveness of sentinels enabling organizations to attain data from IoT sensors and the dataflows used by decision-making processes to convert these data into useful information.

... RBT is included in the entire organisational environment by its process approach, in order to encourage organisations to be more cautious and acquire long-term thinking. Thus, prevention becomes a habit and RBT, a part of their culture (Chiarini, 2017; Fonseca, 2015b; ISO, 2017; ISO/TC 176/SC2/N1284, 2019; Luko, 2013). Incorporating a process approach requires the involvement of the entire organisation (e.g. ...

With the update of ISO 9001 in 2015, one of the established requirements was risk-based thinking (RBT), a significant subject discussed by many authors. This paper aims at finding relevant contributions to the literature on ISO 9001:2015 and risks approach, critically analysing the existing studies and providing new perspectives for researchers and organisations. To achieve it, the authors conducted a Systematic Literature Review (SLR), by establishing the main subject matter of the research (a), locating studies using defined criteria (b), running the analysis and performing a synthesis (c) and reporting the results (d). From the SLR papers, five clusters were structured, leading to the identification of the most frequent approaches and their constraints. Most papers present a fragmented view of RBT and the majority of authors opt for FMEA, but RBT goes beyond simply 'doing risk management'. The best option for organisations departs from usual practices and approaches the issue in an integrated manner, with a systemic combination of widespread methods with daily practices, embedded in organisational culture. The results of this study enhance the existing knowledge on RBT by confronting the actual practices with the requirements of ISO 9001:2015, providing useful insights, from different perspectives on RBT implementation.

... • Five-step risk management process (AS/NZS ISO 31000:2009), for review: (Purdy 2010; Luko 2013), for critical discussion mainly regarding the coverage of uncertainty (Aven 2011; Häring et al. 2016a). ...

  • Ivo Häring

Resilience of technical and socio-technical systems can be defined as their capability to behave in an acceptable way along the timeline pre-, during, and post-potentially dangerous or disruptive events, i.e., in each phase of the resilience cycle and overall. Hence, technical safety and reliability methods and processes for technical safety and reliability are strong candidate approaches to achieve the objective of engineering resilience for such systems. Also, when restricting the set of methods to classical safety and reliability assessment methods, e.g., classical hazard analysis (HA) methods, inductive failure mode and effects analysis (FMEA), deductive fault tree analysis (FTA), reliability block diagrams (RBDs), event tree analysis (ETA), and reliability prediction. Such methods have the advantage that they are already used in industrial practice. However, improving the resilience of systems is not their explicit aim. The present chapter covers how to allocate such methods to different resilience assessment, response, development and resilience management work phases, and tasks or conceptual entities when engineering resilience from a technical perspective. To this end, several assessment and analysis schemes, and risk control and resilience enhancement process schemes are employed, as well as the resilience or disruption response cycle. Each concept and the related process can be considered as a dimension to be considered in the generation of risk control and resilience. In particular, the resilience dimensions of risk management, resilience objectives, resilience cycle time phases, technical resilience capabilities, and system layers are used explicitly to explore their range of applicability. Also, typical system graphical modeling, hardware, and software development methods are assessed to document the usability of technical reliability and safety methods for resilience analytics and technically engineering resilience.

... The risk management process is a systematic approach which involves three main processes, i.e., establishment of context, assessment of risk and treatment of risk [10]. Risk assessment is applied to understand uncertainty and the associated risk from a wide-ranging perspective for better decisions and actions [11], [12]. The objective of this research is to identify the common hazards and the associated risk which are the root causes of accidents in surface mines through a risk assessment technique. ...

Purpose. Technology has advanced significantly, but the mining industry still faces a high number of accidents. The purpose of the research is to identify the common hazards and associated risk which are the root causes of accidents in surface mines of Pakistan and to suggest preventive measures to enhance safety at the workplace. Methods. The integrated approach used in this research work involves: collection of mine accident data from related Government departments; occupational safety data collection from mine sites with a questionnaire; the fault tree analysis method applied based on three groups of factors/causes obtained from the 3E's Model, i.e., Engineering, Education and Enforcement, that cause accidents in mines; risk assessment and suggestion of preventive measures. Findings. In this study, forty-three root causes of accidents in surface mines are identified and presented as basic events and undeveloped events in the Fault Trees. A compressed picture of the root causes leading to accidents in mines is revealed. The main causes identified are human errors, unsafe operating procedures, lack of machinery, lack of personal protective equipment, environmental and haulage related hazards and violation of law. Originality. The root causes of accidents in surface mines have been identified. For the first time, the visual paths to accident causation in surface mines of Pakistan are outlined through the fault tree analysis technique. Practical implications. The identified causes of accidents, along with the suggested preventive measures, can be used to avoid/curtail the number and severity of accidents in surface mines and can save the lives of workers and the economy. Keywords: hazards identification, surface mine, accidents, fault tree analysis, risk assessment, preventive measures

... By combining the knowledge of multiple departments, such as the emergency response department, decision-makers can efficiently and dynamically allocate resources according to the relationship between nodes, which is also reflected in our case study. Risk assessment is the overall process of risk identification, risk analysis and risk evaluation [53]. Our proposed "B-R model" is a risk assessment model for the whole process. ...

  • Rongchen Zhu
  • Xiaofeng Hu
  • Xin Li
  • Han Ye

The chemical terrorist attack is a type of unconventional terrorism that threatens the safety of cities. This kind of terrorist attack is highly concealed and difficult to detect. Once the attack is successful, the consequences will be severe and the scope of impact will be enormous. Therefore, public security and emergency departments need to perform risk analysis and dynamic knowledge updates to reduce risk or mitigate the effects of accidents. In order to quickly and effectively analyze the risk of chemical terrorist attacks, this article proposes a hybrid approach (B-R model) to analyze the risk of chemical terrorist attacks. First, a modular and customizable Bayesian network (BN) model library was built, which allows users to select multi-dimensional risk factors. Based on the personalized BN, a risk knowledge graph (RKG) is constructed with multi-source data to realize the combination of risk analysis and knowledge acquisition. Then the threat degree of terrorist organizations, the strength of defensive forces, and the risk value of targets are calculated and displayed. The BN-RKG method provides data and theoretical support for defenders' resource allocation and emergency decision-making. Finally, a case study was conducted for a hypothetical scenario analysis. The result shows that the hybrid method can help with risk control and has the potential to support practical policymaking.

Risk is encountered in every activity, operation, process, system or decision-making project. Given the importance of this concept at the individual and organizational level, this approach emphasizes the characteristics of the concept. This chapter aims to make an inventory of the concept of risk and its importance for organizations. This chapter emphasizes the importance of risk assessment in the risk management process. Risk management is an important step in the risk management process. Based on this argument, a series of qualitative and quantitative methods are presented. At the end of the chapter, organizational methods and models are presented. The last part presents a selection of indicators that are used in the automotive industry.

  • Ivo Häring

This chapter gives an overview of classical system analysis methods. A representative example is given for each of the methods. It is not intended to be sufficient to actually use the method. However, it supports the selection of the correct type of method by listing the main analysis objectives of the methods. The categorization of methods in terms of graphical versus tabular, inductive versus deductive, and qualitative versus quantitative is refined by considering implementation examples, phases of development, and life cycles where the methods are used. Methods covered are fault hazard analysis (FHA) and the failure modes and effects analysis method.

  • Liping Li
  • Qisheng Chen
  • Xiaofeng Li
  • Xunjie Gou

Risk evaluation is a primary but important task for technological innovation projects, and this task is a multiple criteria group decision-making (MCGDM) process with probabilistic uncertainty and fuzzy uncertainty. Compromise programming decision-making methods with probabilistic linguistic term sets (PLTSs) are more appropriate for risk evaluation of technological innovation projects. This paper proposes a new approach named the improved probabilistic linguistic-vise kriterijumska optimizacija kompromisno resenje (PL-VIKOR) method with probabilistic linguistic term sets for risk evaluation of technological innovation projects. Firstly, by fully considering both the relationship between each alternative and the positive ideal solution and the relationship between each alternative and the negative ideal solution, the improved PL-VIKOR method for dealing with MCGDM problems is developed to make up for the deficiency of the traditional PL-VIKOR method. Then, the improved PL-VIKOR method is applied to solve a practical MCGDM problem with probabilistic linguistic term sets involving the risk evaluation of technologically innovative projects for venture capital. Finally, we make some comparative analyses between the improved PL-VIKOR method and some existing methods to analyze the advantages and disadvantages of the proposed method. The results reflect that the improved PL-VIKOR method is more reasonable when calculating the distance measure between two PLTSs, and it can make the risk evaluation of technological innovation project MCGDM with PLTSs more objective.

Ecosystem monitoring often fails to provide the right information to evaluate and guide environmental stewardship due to a lack of diagnostic capacity, long-term operational resources, explicit monitoring objectives and rigorous sampling designs. Our objective is to describe a monitoring framework that addresses these failures by including causative conceptual models and the concepts of adaptive monitoring and management. Resources are rarely available to monitor all ecosystem components, so identifying priorities is vital for the success of a monitoring program. An ecological risk assessment combining available information and expert opinion on threats and their consequences to the ecosystem can be used to prioritise monitoring and identify explicit objectives. A Pressure-Stressor-Response conceptual model forms the causative understanding of the ecosystem and the model components underpin the factors in the risk assessment. In this way, field sampling can validate the priority of ecosystem threats; provide information for refinement of conceptual understandings and guide efficient management activity. Repeated risk assessments using updated data and information can identify successful management and the increase and establishment of threats. Updated risk assessments can change threat priorities and therefore monitoring and assessment hypotheses and objectives can change. This ability to change underlies the concepts of adaptive monitoring and management.

  • Stephen N. Luko

Three new standards related to the risk concept appeared in January 2011. These standards are an adoption by the American National Standards Institute (ANSI) of an ISO suite of documents developed in conjunction with the American Society of Safety Engineers (ASSE) concerning risk vocabulary, risk management, and risk assessment techniques. This article describes International Organization for Standardization (ISO) Guide 73 (2009), Risk Management Terminology, and its American National Standards Institute (ANSI) equivalent ANSI/ASSE Z690.1-2011, Vocabulary for Risk Management. A future article will review the Principles and Guidelines ANSI/ASSE Z690.2 (2011) and Assessment Techniques ANSI/ASSE Z690.3 (2011) documents.

Federal Aviation Administration. (2003). Advisory Circular 39-8. Washington, D.C.: Federal Aviation Administration.