See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/262692105

Risk Assessment Techniques

Article  in  Quality Engineering · May 2014

DOI: 10.1080/08982112.2014.875769

CITATIONS READS
13 11,985

1 author:

Stephen N. Luko
Retired
30 PUBLICATIONS   238 CITATIONS   

SEE PROFILE

All content following this page was uploaded by Stephen N. Luko on 04 June 2015.

The user has requested enhancement of the downloaded file.

This article was downloaded by: [Stephen N. Luko]
On: 27 May 2014, At: 08:21
Publisher: Taylor & Francis
Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House,
37-41 Mortimer Street, London W1T 3JH, UK

Quality Engineering
Publication details, including instructions for authors and subscription information:
http://www.tandfonline.com/loi/lqen20

Risk Assessment Techniques

a
Stephen N. Luko
a
United Technologies Aerospace Systems (UTAS) , Windsor Locks , Connecticut
Published online: 27 May 2014.

To cite this article: Stephen N. Luko (2014) Risk Assessment Techniques, Quality Engineering, 26:3, 379-382, DOI:
10.1080/08982112.2014.875769

To link to this article: http://dx.doi.org/10.1080/08982112.2014.875769

PLEASE SCROLL DOWN FOR ARTICLE

Taylor & Francis makes every effort to ensure the accuracy of all the information (the “Content”) contained
in the publications on our platform. However, Taylor & Francis, our agents, and our licensors make no
representations or warranties whatsoever as to the accuracy, completeness, or suitability for any purpose of the
Content. Any opinions and views expressed in this publication are the opinions and views of the authors, and
are not the views of or endorsed by Taylor & Francis. The accuracy of the Content should not be relied upon and
should be independently verified with primary sources of information. Taylor and Francis shall not be liable for
any losses, actions, claims, proceedings, demands, costs, expenses, damages, and other liabilities whatsoever
or howsoever caused arising directly or indirectly in connection with, in relation to or arising out of the use of
the Content.

This article may be used for research, teaching, and private study purposes. Any substantial or systematic
reproduction, redistribution, reselling, loan, sub-licensing, systematic supply, or distribution in any
form to anyone is expressly forbidden. Terms & Conditions of access and use can be found at http://
www.tandfonline.com/page/terms-and-conditions
 Quality Engineering, 26:379–382, 2014
Copyright # Taylor & Francis Group, LLC
ISSN: 0898-2112 print=1532-4222 online
DOI: 10.1080/08982112.2014.875769
Reviews of Standards and Related Material
Stephen N. Luko
United Technologies
Aerospace Systems (UTAS),
Windsor Locks, Connecticut
Downloaded by [Stephen N. Luko] at 08:21 27 May 2014
Address correspondence to
Stephen N. Luko, United
Technologies Aerospace Systems,
38 Fountainhead Road, Windsor
Locks, CT 06786. E-mail:
stephen.luko@hs.utc.com
Risk Assessment Techniques
ABSTRACT This article is the third and final in a series of three related
articles dealing with the concept of risk. In the previous two articles, ISO
31000-2009 (ANSI Z690.2-2011) on Risk Management Principles and
Guidelines and ISO Guide 73 (ANSI X690.1-2011) on Risk Management
Terminology were reviewed. This third article examines ISO 31010-2009
or the ANSI equivalent version, ANSI Z690.3-2011. These standards deal
with risk assessment techniques and attempt to catalog a set of general
techniques and methods useful in the assessment and analysis of risk.
KEYWORDS risk, risk assesment, risk management, risk management
terminology
INTRODUCTION
The third of the trio of documents concerned with the concept of risk is
designated as follows.
I. ISO 31010-2009, Risk Assessment Techniques
II. ANSI=ASSE Z690.3-2011, Risk Assessment Techniques
Note: the designation ‘‘ASSE’’ stands for The American Society of Safety
Engineers.’’
These documents are identical in their entire substance. The Contents sec-
tion of Z690.3 lists the following major sections: (1) Scope, (2) Normative
References, (3) Terms and Definitions, (4) Risk Assessment Concepts, (5) Risk
Assessment Process, and (6) Selection of Risk Assessment Techniques. These
six sections consume the first 25 pages of this standard. The remaining 85
pages contain two annexes and a bibliography. The annexes contain catalogs
of the various methods and techniques useful in risk analysis. Specifically,
Annex A gives a short account (five pages) of comparative information and
Annex B catalogs actual techniques, briefly describing each topic.
The Scope section is a short summary outlining what is intended and
addressed in the standard. Several important items stand out. The first is:
‘‘The standard is not intended for certification, regulatory or contractual
use’’ (Z690.3-2011, 2011, p. 11); the second appears as a note: ‘‘This
standard does not deal specifically with safety. It is a generic risk
management standard and any references to safety are purely of an informa-
tive nature’’ (Z690.3-2011, 2011, p. 11). The third point is: ‘‘This standard
379
 does not refer to all techniques, and omission of a
technique from this standard does not mean it is not
valid. The fact that a method is applicable to a parti-
cular circumstance does not mean that the method
should necessarily be applied’’ (Z690.3-2011, 2011,
p. 11); finally, we read ‘‘This standard does not pro-
vide specific criteria for identifying the need for risk
analysis, nor does it specify the type of risk analysis
method that is required for a particular application’’
(Z690.3-2011, 2011, p. 11). Every risk scenario is
industry and context dependent and analysis meth-
odology and interpretation can vary greatly from
one context to another. All of the scope statements
essentially mean, as has been previously pointed
out, that these standards are generic in substance,
apply to a wide variety of application areas, and pro-
vide general guidance on concept interpretation and
on how to proceed. At best, this standard contains a
Downloaded by [Stephen N. Luko] at 08:21 27 May 2014
sampling of tools and techniques that might be
applied in a wide variety of specific cases.
In section 2 there are four normative references
listed and these include the ISO and ANSI versions
of the first two standards on terminology and risk
management, principles, and guidelines. The Terms
and Definitions section (3) simply refers you to ANSI
Z690.1 (2011) or ISO Guide 73 (2009) on vocabulary
for risk management. Section 4 is titled ‘‘Risk
Assessment Concepts’’ and includes the important
section 4.1 concerning Purpose: ‘‘The purpose of risk
assessment is to provide evidence based information
and analysis to make informed decisions on how to
treat particular risks and how to select between
options’’ (ANSI Z690.1-2011, 2011, p. 11).
To be sure, the term ‘‘risk assessment’’ is a broad
concept. From ANSI Z690.1 on risk terminology,
‘‘assessment’’ is defined as the ‘‘Overall process of
risk identification, risk analysis and risk evaluation’’
(ANSI Z690.1-2011, p. 10, 3.4.1) Thus, ‘‘analysis’’ is
a subset of ‘‘assessment.’’ In essence, a risk assess-
ment includes everything from identifying risks to
treatment plans and all aspects of informing manage-
ment on possible ways to proceed. The analysis part
provides the appropriate quantitative=qualitative
information and summarizes results in a way that
management can use for decision making and future
planning. All of the material in ANSI Z690.3 (2011) is
concerned with analysis how-to methodology.
Section 4 essentially summarizes a conceptual
framework for risk including short paragraphs on
380
overall assessment, risk management, communi-
cation and consultation, context, treatment of risk,
and monitoring and review. These are very similar
to that outlined in Z690.2-2011 (2011) on risk man-
agement principles and guidelines. Section 5 con-
tinues with material on the risk assessment process
and some of this is similar to material found in the
risk management document (ANSI=ASSE Z690.2-
2011, 2011). What is new here is an extended
discussion of consequence analysis (section 5.3.3)
and of the concept of likelihood. The latter would
be most important to statisticians and reliability ana-
lysts. Section 5.3.4 on likelihood analysis and prob-
ability assessment discusses three general approaches
to estimating probability: Theses are as follows:
1. The use of relevant empirical data or actual obser-
vations on the phenomena in question. A
reminder on rare events and the concept of ‘‘zero
events’’ is briefly discussed. Statisticians may easily
deal with cases of x ¼ 0 events observed in a sam-
ple scenario (for example, in a binomial or a Pois-
son sense); however, there may be other forces at
play such as varying parameters. In a National
Institute of Standards and Technology sense these
estimates would fall under type A uncertainty.
2. Probability forecasts using predictive techniques
such as fault and event trees or systems analysis.
In such an analysis, probability is assigned to
the component parts of a system and standard
techniques are used to ‘‘roll up’’ the assessment
to a systems-level probability. Individual data for
components come from various sources and
may include empirical observations. Simulation
techniques are often required.
3. Expert opinion can be used to estimate probability
but must draw upon all relevant sources of infor-
mation. Often this is a combination of empirical
data, technical=engineering knowledge of the sys-
tem, comparison with similar phenomena, and
other expert sources. Redundancy may also be
important, as might be common failure modes that
can affect several parts of a system at once.
The remainder of section 5 continues to treat basic
principles of risk analysis such as preliminary analy-
sis, uncertainty in risk, sensitivity of risk to changes
in the input parameters, risk evaluation, documenta-
tion, and monitoring and review.
S. N. Luko
 TABLE 1 Excerpted from ANSI Z690.3-2011, Annex A, Table A2,
Section on Statistical Methods (2011)
Methods Description
Markov analysis Markov analysis, sometimes called
‘‘state space analysis,’’ is commonly
used in the analysis of repairable
complex systems that can exist in
multiple states, including various
degraded states.
Monte Carlo analysis Monte Carlo simulation is used to
establish the aggregate variation in
a system resulting from variations
in the system, for a number of
inputs, where each input has a
defined distribution and the inputs
are related to the outputs via
defined relationships. The analysis
can be used for a specific model
where the interactions of the
various inputs can be
Downloaded by [Stephen N. Luko] at 08:21 27 May 2014
in Annex B that describes the technique in more
detail. The types of risk techniques listed in annex
1 include subsections on lookup methods, support-
ing methods, scenario analysis, function analysis,
controls assessment and statistical methods. The
statistical methods subsection includes Markov
analysis, Monte Carlo analysis, and Bayesian analy-
sis. Short descriptions of these last three are pro-
vided in Table 1. These descriptions seem very
brief but may be adequate for quick identification
and method synopsis. There is some loss due to
several technical terms that users may not be fam-
iliar with (e.g., ‘‘prior distribution’’).
For Annex A, Comparison of Risk Assessment
Techniques, there are two tables that try to rate the
applicability of specific tools used for risk
assessment.

mathematically defined. The inputs

can be based on a variety of
distribution types according to the TABLE 2 List of Risk Assessment Techniques: from Annex B,
nature of the uncertainty they are ANSI Z690.3-2011 (2011)
intended to represent. For risk
B1 Brainstorming
assessment, triangular distributions
B2 Structured or semi Structured interviews
or beta distributions are commonly
B3 Delphi Analysis
used.
B4 Checklists
Bayesian analysis A statistical procedure that utilizes
B5 Preliminary hazard analysis (PHA)
prior distribution data to assess the
B6 Hazard and operability study (HAZOP)
probability of the result. Bayesian
B7 Hazard analysis and critical control points (HACCP)
analysis depends on the accuracy of
B8 Toxicity assessment
the prior distribution to deduce an
B9 Structured ‘‘what-if’’ technique (SWIFT)
accurate result. Bayesian belief
B10 Scenario analysis
networks model cause and effect in
B11 Business impact analysis (BIA)
a variety of domains by capturing
B12 Root cause analysis (RCA)
probabilistic relationships of
B13 Failure modes and effects analysis (FMEA)
variable inputs to derive a result.
B14 Fault tree analysis (FTA)
B15 Event tree analysis (ETA)
B16 Cause-consequence analysis
Section 6 begins the review of risk assessment
B17 Cause-and-effect analysis
techniques. The section contains seven short sub- B18 Layers of protection analysis (LOPA)
sections that discuss various considerations of B19 Decision tree analysis
assessment technique selection, including the nat- B20 Human reliability assesment (HRA)
ure of the uncertainty, complexity, life cycle phase, B21 Bow tie analysis
and use of the technique. This is followed by two B22 Reliability-centered maintenance
B23 Sneak analysis (SA)
lengthy annexes—essentially a catalog of risk
B24 Markov Analysis
assessment techniques. Annex A, the shorter sec- B25 Monte Carlo simulation
tion, contains two tables that compare techniques B26 Bayesian statistics and Bayes nets
by applicability and methodology. Table A.1 classi- B27 FN curves
fies the technique by applicability to risk identifi- B28 Risk indices
cation, consequence analysis, probability, level of B29 Consequence=probability matrix
B30 Cost-benefit analysis (CBA)
risk, and risk evaluation. For each tool or technique
B31 Multicriteria decision analysis (MCDA)
in the table there is link to the appropriate section

Reviews of Standards 381

 ANNEX B, THE RISK ASSESSMENT
TECHNIQUES
The second annex is lengthy at 80 pages. The
organization is numbered from B.1, Brainstorming,
to B.31, Multi-Criteria Decision Analysis. For each
of the 31 techniques there are sections concerning
overview, use, inputs, process, outputs, and
strengths and limitations. Many of the tools listed
are probably not part of the popular tools set but
may nonetheless have value in some circumstances.
There are, of course, many standard techniques; for
example, brainstorming, checklists, Failure Mode
and Effects Analysis (FMEA), fault trees and Monte
Carlo simulation. Others are not as familiar, such as
sneak analysis, layers of protection, and FN (Event
Frequency [F] vs. Probability [N] of event) curves.
We have to remember that this suite of documents
Downloaded by [Stephen N. Luko] at 08:21 27 May 2014
is general and can apply to any situation involving
risk. The entire list of 31 techniques is shown in
Table 2. The descriptions for the various techniques
are clearly high-level summaries for many of the
techniques listed. Although probably not detailed
enough for a specialist, the summaries can serve to
provide basic information for the nonspecialist or
for managerial people tasked with implementing risk
management systems in their organizations.
CONCLUSION
The methodology of risk assessment is enormous
and draws from many subdisciplines, including prob-
ability and statistics, quality and reliability theory,
operations research, discrete mathematics, simulation
modeling, and psychology, among others. The
perspectives that one can adopt on risk also vary
greatly in organizations, depending on the position
one has within an organization. There is thus a lot of
variation about the concept and use of risk manage-
ment principles. This third standard, ANSI Z690.3-
2011, tries to outline a sample of widely used assess-
ment techniques. In this it does achieve a degree of
success insofar as there are 31 techniques cataloged;
382
View publication stats
these vary greatly in complexity; and there are short
summaries of key information concerning each tech-
nique. This standard would be most useful to
mid-management level people, including quality engi-
neers, who are tasked with either developing a risk
management program or have to work within an
already existing program. For technical specialists,
the document does not contain enough substance
but may provide ideas and an introduction for those
new to risk.
As far as quality engineering is concerned, the
topic of risk management and its associated activities
should be a key strategy in overall quality planning.
Quality engineering is a discipline concerned with
control of existing quality levels as well as
quality-enhancing strategies. Risk by its very nature
is anti-quality so that quality engineering activity is
risk-mitigating by nature. In modern industrial enter-
prises, because the broader concept of risk is very
much currently in center stage, it is recommended
that quality improvement experts, quality and
reliability engineers, and quality managers add
knowledge and skills from the increasingly more
important risk management arena to their skill set.
Toward that end, these standards provide an
excellent introduction.
ABOUT THE AUTHOR
Stephen N. Luko is an industrial statistician with
United Technologies Aerospace Systems. He is a
senior number of ASQ and the editor of this
column.
REFERENCES
ANSI=ASSE, Z690.1–2011. (2011). Vocabulary for Risk Management.
Washington, DC: American National Standards Institute.
ANSI=ASSE Z690.2–2011. (2011). Risk Management Principles and
Guidelines. Washington, DC: American National Standards Institute.
ANSI=ASSE Z690.3–2011. (2011). Risk Assessment Techniques. Washing-
ton, DC: American National StandardsInstitute.
ISO Guide 73. (2009). Risk Management Terminology. Geneva, Switzer-
land: International Organization for Standardization (ISO).
S. N. Luko