


Quality Engineering
Publication details, including instructions for authors and subscription information:
http://www.tandfonline.com/loi/lqen20

Risk Management Terminology
Stephen N. Luko
United Technologies Aerospace Systems (UTAS), Windsor Locks, Connecticut

To cite this article: Stephen N. Luko (2013): Risk Management Terminology, Quality Engineering, 25:3, 292-297

To link to this article: http://dx.doi.org/10.1080/08982112.2013.786336

Quality Engineering, 25:292–297, 2013
Copyright © Taylor & Francis Group, LLC
ISSN: 0898-2112 print/1532-4222 online
DOI: 10.1080/08982112.2013.786336

Reviews of Standards and Related Material

Risk Management Terminology
Stephen N. Luko
United Technologies Aerospace Systems (UTAS), Windsor Locks, Connecticut

ABSTRACT Three new standards related to the risk concept appeared in January 2011. These standards are an adoption by the American National Standards Institute (ANSI) of an ISO suite of documents developed in conjunction with the American Society of Safety Engineers (ASSE) concerning risk vocabulary, risk management, and risk assessment techniques. This article describes International Organization for Standardization (ISO) Guide 73 (2009), Risk Management Terminology, and its American National Standards Institute (ANSI) equivalent Z690.1 (2011). A future article will review the Principles and Guidelines ANSI/ASSE Z690.2 (2011) and Assessment Techniques ANSI/ASSE Z690.3 (2011) documents.

KEYWORDS risk, risk management, risk management terminology

INTRODUCTION

Throughout this review, reference to either International Organization for Standardization (ISO) Guide 73 (2009) or American National Standards Institute (ANSI) Z690.1 (2011) should be considered as meaning the same document. In fact, the documents are identical. As stated in their Introduction (2009, vii), "This Guide provides basic vocabulary to develop common understanding on risk management concepts and terms among organizations and functions and across different applications and types." They further state that ". . . the guide is generic and is compiled to encompass the general field of risk management." As general as this is, it is precisely what is needed with the ever increasing awareness of risk on various levels and the application of risk principles to business quarters.

The ISO suite of risk related standards and their ANSI equivalents are shown in Table 1.

Z690.1 is the ANSI version of the vocabulary (2011). Z690.2 (2011) focuses on management of risk (31 pages) and Z690.3 (2011) focuses on risk analysis techniques (110 pages). The risk techniques document contains many statistical elements including Bayesian methods. This review focuses on the vocabulary standard, which comprises 15 pages in either version. Two future articles will focus on the management and techniques documents.

All information appearing in quotes is quoted directly from Z690.1 or ISO Guide 73.

Address correspondence to Stephen N. Luko, United Technologies Aerospace Systems, 1 Hamilton Road, Windsor Locks, CT 06096. E-mail: stephen.luko@utas.utc.com
TABLE 1 ISO and ANSI Equivalent Risk Management Standards

ISO                   | ISO Title                                   | ANSI        | ANSI Title
Guide 73 (2009)       | Risk management, Vocabulary                 | Z690.1-2011 | Vocabulary for Risk Management
Standard 31000 (2009) | Risk Management: Principles and Guidelines  | Z690.2-2011 | Risk Management Principles
Standard 31010 (2009) | Risk Management: Risk Assessment Techniques | Z690.3-2011 | Risk Assessment Techniques

Z690.1-2011, Risk Management Vocabulary, Overview

The vocabulary document contains 11 subsections, each focusing on a specific aspect of risk. Sections and associated terms are provided in Table 2. Just before the first section on definitions, there is a small section entitled "Scope" where the purpose and intent of the document is reiterated.

TABLE 2 Z690.1-2011, ISO Guide 73; Risk Management, Terms by Subsections

1. Terms Related to Risk: Risk
2. Terms Related to Risk Management: Risk Management; Risk Management Framework; Risk Management Policy; Risk Management Plan
3. Terms Related to the Risk Management Process: Risk Management Process; Stakeholder; Risk Perception
3.2 Terms Relating to Communication and Consultation: Communication and Consultation
3.3 Terms Related to Context: Establishing the Context; External Context; Internal Context; Risk Criteria
3.4 Terms Related to Risk Assessment: Risk Assessment
3.5 Terms Related to Identification: Risk Identification; Risk Description; Risk Source; Event; Hazard; Risk Owner
3.6 Terms Related to Risk Analysis: Risk Analysis; Likelihood; Exposure; Consequence; Probability; Frequency; Vulnerability; Risk Matrix; Level of Risk
3.7 Terms Related to Risk Evaluation: Risk Evaluation; Risk Attitude; Risk Appetite; Risk Tolerance; Risk Aversion; Risk Aggregation; Risk Acceptance
3.8 Terms Related to Risk Treatment: Risk Treatment; Control; Risk Avoidance; Risk Sharing; Risk Financing; Risk Retention; Residual Risk; Resilience
3.8.2 Terms Relating to Monitoring and Measuring: Monitoring; Review; Risk Reporting; Risk Register; Risk Profile; Risk Management Audit

This Guide provides the definitions of generic terms related to risk management. It aims to encourage a mutual and consistent understanding of, and a coherent approach to, the description of activities relating to the management of risk, and the use of uniform risk management terminology in processes and frameworks dealing with the management of risk. This Guide is intended to be used by: a) those engaged in managing risks, b) those who are involved in activities of ISO and IEC, and c) developers of national or sector-specific standards, guides, procedures and codes of practice (ANSI/ASSE Z690.1 2011, 8).

Thus, these guides serve a broad audience, from general industry- and sector-specific managers, to developers of other standards, specifications, and policy documents involving risk.

The Concept of "RISK" and Associated Terms

Section 1 contains a single term, risk. We consider its definition, associated NOTES, and some discussion below.

1.1 risk
Effect of uncertainty on objectives.
NOTE 1: An effect is a deviation from the expected—positive and/or negative.
NOTE 2: Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3: Risk is often characterized by reference to potential events (3.5.1.3) and consequences (3.6.1.3), or a combination of these.
NOTE 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (3.6.1.1) of occurrence.
NOTE 5: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood (ANSI/ASSE Z690.1 2011, 8).

Observe that risk is very broadly defined in terms of uncertainty and its effect, and effect is further defined in terms of a "deviation from that expected." Also, objective can be assumed to mean desired or expected result. Therefore, if objectives are planned desirable future states, conditions, or final outcomes in an organization or process, and if the achievement of these future desirable states using various mechanisms is uncertain, at least to a degree, then the final outcome(s) or future states may very well be a departure or deviation from the objective. The extent of the departure from the expected and how uncertainty can play into this is called risk.

In addition to uncertainty and objective, three other important concepts contribute to the overall understanding of risk in this paragraph. These are event, consequences, and likelihood. An event is defined in 3.5.1.3 as "The occurrence or change of a particular set of circumstances" (ANSI/ASSE Z690.1 2011, 10). Here again this is completely general and would cover any kind of deleterious single events, such as an accident, multiple types of events, and adverse conditions or sets of conditions. The event, condition, or circumstance may be taken to be a significant departure from an objective. The term consequence is defined in 3.6.1.3, "Consequence—the outcome of an event" (ANSI/ASSE Z690.1 2011, 11). This term might seem at first somewhat ambiguous or similar to the event itself but, upon reflection, the meaning is that we have some event that occurs, then there is a resulting outcome from this. The outcome can be considered the consequence. So an event is really a description of what happens (the circumstances) and the consequence is what the cost hit is (the outcome).

The concept of likelihood is referred to in Notes 4 and 5 of the definition of risk. This term is taken as a synonym for probability or relative frequency of occurrence of something happening. The basic definition (3.6.1.1) is simply: "Likelihood—Chance of something happening" (ANSI/ASSE Z690.1 2011, 11). The associated NOTES further clarify this as:

NOTE 1: In risk management terminology, the word "likelihood" is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically [such as a probability or a frequency over a given time period].
NOTE 2: The English term "likelihood" does not have a direct equivalent in some languages; instead, the equivalent of the term "probability" is often used. However, in English, "probability" is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, "likelihood" is used with the intent that it should have the same broad interpretation as the term "probability" has in many languages other than English.

Two important points stand out: (1) Likelihood and probability have similar meanings and (2) the assignment of likelihood is quite general, from the mathematical to the subjective. This leaves the practitioner unintimidated and much room to apply these concepts to real-world situations.

The definitions of probability and frequency in this standard read:

Probability: measure of the chance of occurrence expressed as a number between 0 and 1 where 0 is impossibility and 1 is absolute certainty.
Frequency: Number of events or outcomes per defined unit of time. NOTE: Frequency can be applied to past events or to potential future events, where it can be used as a measure of likelihood/probability (ANSI/ASSE Z690.1 2011, 11).
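The Probability and Frequency definitions just quoted say that a frequency (events per defined unit of time) can serve as a measure of likelihood/probability. The Python example below is added here and is not part of the article or of the standard. It shows how a frequency estimated from past events is turned into an expected event count for a future period and then into a probability, and why the bare product of rate and time is not itself a probability (for a frequent event it exceeds 1, violating the 0 to 1 range in the Probability definition). The event counts and time windows are constructed sample values, and the Poisson model (events occurring independently at a constant average rate) is this example's own assumption, not anything Z690.1 prescribes.

```python
import math

# Constructed history for the example (invented numbers): how many times an
# undesired event was observed, and the length of the observation window.
PAST_EVENTS = 3
OBSERVED_MONTHS = 24


def frequency_from_history(event_count, window_length):
    """Frequency in the Guide 73 sense, events per defined unit of time,
    estimated from past events: event_count / window_length."""
    if window_length <= 0:
        raise ValueError("observation window must be positive")
    return event_count / window_length


def expected_events(rate, duration):
    """Expected number of events in a future period of length `duration`
    when events arrive at `rate` per unit time (same time unit as `rate`).
    This is a count, not a probability: it can be any non-negative number."""
    return rate * duration


def prob_at_least_one(rate, duration):
    """Probability that at least one event occurs in the period under a
    Poisson model (assumption of this example): 1 - exp(-rate * duration).
    The result always lies between 0 and 1, as the Probability definition
    requires, even when the expected count is far above 1."""
    return 1.0 - math.exp(-expected_events(rate, duration))


def is_valid_probability(x):
    """The Guide 73 definition: a number between 0 and 1 inclusive."""
    return 0.0 <= x <= 1.0


def frequency_to_probability(event_count, window_length, future_duration):
    """Estimate the rate from history, then report the expected count and the
    Poisson probability for the future period in one record."""
    rate = frequency_from_history(event_count, window_length)
    return {
        "rate": rate,
        "expected_events": expected_events(rate, future_duration),
        "prob_at_least_one": prob_at_least_one(rate, future_duration),
    }


if __name__ == "__main__":
    # Frequent event: 3 per 24 months, projected over the next 12 months.
    # The expected count (1.5) is not a probability; the Poisson figure is.
    r = frequency_to_probability(PAST_EVENTS, OBSERVED_MONTHS, 12)
    print(f"rate={r['rate']:.4f}/month  expected={r['expected_events']:.2f} "
          f"(valid probability: {is_valid_probability(r['expected_events'])})  "
          f"P(>=1)={r['prob_at_least_one']:.3f}")
    # Rare event: 1 per 1000 hours, projected over a 10-hour window, where
    # rate * time and the Poisson probability nearly coincide.
    r = frequency_to_probability(1, 1000, 10)
    print(f"rate={r['rate']:.4f}/hour  expected={r['expected_events']:.4f}  "
          f"P(>=1)={r['prob_at_least_one']:.5f}")
```

The two cases in the usage block make the practical point: for rare events the frequency times the exposure time is an adequate stand-in for probability, while for frequent events the two diverge and only the Poisson conversion stays within the 0 to 1 range.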
Thus, probability is mathematical, whereas likelihood is more general and may even be qualitative and assigned subjectively.

The term uncertainty is generally used in its non-technical sense as a state of mind where we are not sure about what will happen. This term is not specifically defined in this standard other than NOTE 5 under risk, but as other terms are quite general, we can take it that uncertainty as used here is equally broad. NOTE 5 states that it applies to the future event outcome, the consequence of an event, and its likelihood (probability). Thus, when working a risk scenario we often find that a final event, the consequences of the event, and/or the probability of the event have some degree of uncertainty, and these have to be considered in any final risk assessment. In using the risk concept, then, there is an objective or expected desirable outcome, but this may be compromised to some degree by virtue of our uncertainty about how all of the variables affecting the outcome would eventually play out to give us the final outcome. Some simple examples of how this is used in ordinary usage may prove instructive here.

1. When we say "Risk of injury to a minor" we generally mean that the situation or behavior engaged in with respect to the minor can lead to a departure from an objective (in the ISO language). The objective might be, for example, the safe keeping of a child overnight at a neighbor's house. Leaving the child alone for a time is the "risky" behavior. We would say that leaving the child alone for a time increases the likelihood (probability) that the objective would be compromised. Various types of events might happen. For example, the child could eat something it shouldn't and the consequence might be a serious illness or even death. In everyday life this might also happen, but under the watchful eyes of adults, the event is considered very unlikely. The risk of injury comes about because the probability of something happening (some departure from objectives) is many times higher than what has been observed in the past for similar events happening in a properly supervised setting. Note that the quantification is important here. We often need to look back to see how often the undesirable departure (event) has happened in the past under the potential conditions (leaving the child alone). Then we compare this to the occurrence of the same departure under all possible conditions. Note also that we may be uncertain about what might happen, its probability of occurrence, and the subsequent consequences.

2. More generally, "engaging in risky behavior" means that the behavior is associated with an increase in the likelihood (probability) that a departure from a stated objective might occur. If the stated objective is "accident avoidance" when driving in a snowstorm, then the risky behavior might mean not slowing down enough in a line of traffic or following too closely, or engaging in excessive speed. An event might be the occurrence of an accident, which can have quite variable consequences. Thus, we see that the event and its consequences are uncertain. The probability of the event may be more certain in this case because there may be a good deal of past intelligence (data) concerning this type of accident.

3. In matters of quality, risk generally means the production of or the escaping of a nonconforming product or service to a downstream operation or a field application. Quality is often measured using quality indices such as Cpk, Ppk, or other similar metrics. A Cpk of 1.5 or higher might be a management objective. Such indices have an implied probability built into them, so that if Cpk = 1.5, for example, the implied probability is between 3.4 and 6.8 nonconforming units in one million units produced—at least in theory. We can consider this as the baseline acceptable risk; however, notice that there may be uncertainty concerning (a) whether the normal distribution applies to the data; (b) whether the data came from a process in statistical control; (c) the fact that the index was calculated using point estimates of the mean and standard deviation—not the true values of the parameters; and (d) the fact that special causes might occur at any time giving rise to additional nonconforming (and possibly escaping) units. Each of these as well as other considerations makes up the risk in quality matters. More generally, the discipline of quality engineering may be considered as a risk-mitigating discipline.

All of the above is very general and designed for use by managers desiring to incorporate knowledge of risk and/or some type of risk program, at some level, into their organizations. It may be useful to finish this section with contrasting the ISO concept of risk with a more specific industry application. The Federal Aviation Administration (FAA 2003) defines the notion of "risk factor" in its "Advisory Circular 39-8" on "Continued Airworthiness Assessment Methodology (CAAM)" (6). This standard applies to risk assessment and associated activity in the U.S. aerospace transportation industry, including suppliers to aerospace manufacturers. The FAA (2003) defines a risk factor as follows:

"'Risk Factor'—A quantitative assessment output equal to the average number of future events expected to occur within a given time. Risk factors can be differentiated by three types and typically cover the time period required for problem resolution. However, in the case of uncorrected risk factor and control program risk factors for control programs that do not incorporate final corrective action (e.g., recurring inspections), risk factors usually cover a 20-year (60,000-hour) period or shorter interval corresponding to the expected life of the fleet.

1. Uncorrected Risk Factor—The forecasted number of future events expected to occur in the entire worldwide fleet (or, if applicable, the relevant affected subfleet) if no corrective actions are incorporated.
2. Control Program Risk Factor—The forecasted number of future events expected to occur in the entire worldwide fleet (or, if applicable, the relevant affected subfleet) during the control program.
3. Corrected Risk Factor—The forecasted number of future events expected to occur after the entire worldwide fleet (or, if applicable, the relevant affected subfleet) incorporates the final corrective actions" (6).

The FAA (2003) risk factor is an expected or forecasted number of future events as applied to a specific fleet of aircraft, within a defined time period, whereas risk in Z690.1 (2011) is a departure from an objective in the sense of any departure being a result of uncertainty. The latter is seen to be more general than how the FAA is applying the term. This is an important point. Managers looking to incorporate risk ideas into their business plans could look at how others have done this, but standards such as Z690.1 give a much broader base of understanding on how these concepts are intended to be applied. Not all quarters will apply these concepts in quite the same way. It is always context dependent.

Another, more recent, vintage of risk documents, from which we may contrast the basic interpretation of the concept of risk, is the U.S. Department of Homeland Security's (DHS 2010) Risk Lexicon. The document is essentially a glossary of terms related to all aspects of risk. Most of the definitions found in this document have an associated example and possible extended definitions and/or annotations. The basic definition of risk found in this document is as follows:

Risk:
Definition: The potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.
Example: The team calculated the risk of a terrorist attack after analyzing intelligence reports, vulnerability assessments and consequence models.
Extended Definition: potential for an adverse outcome assessed as a function of threats, vulnerabilities and consequences associated with an incident, event or occurrence.
Annotation: 1) Risk is defined as the potential for an unwanted outcome. This potential is often measured and used to compare different future situations; 2) Risk may manifest at the strategic, operational and tactical levels (27).

The above may be considered as a baseline definition in the DHS Lexicon. Many other terms in this document contain the term risk. Notice, though, that this does harmonize with the ISO version of risk. In fact, the DHS (2010) document states that one source of validation for their Lexicon is "International Standards Organization (ISO) Risk Management Vocabulary ISO/ICE Guide 73" (27).

Risk Management Vocabulary

In section 2, Terms Relating to Risk Management, we find the very general definition: "2.1 'Risk Management'—Coordinated activities to direct and control an organization with regard to risk" (ANSI/ASSE Z690.1 2011, 8). This is further developed using terms such as risk management framework, policy, and plan. This terminology speaks to general management of organizations where risk may play a key role. There needs to be a general policy, an understanding of the framework in how the policy is applied, and a plan to manage the risk. The concepts are general enough so that they may be used by a wide variety of organizations and situations where risk is important in managing the organization.

Section 3 concerns the broad topic of the risk management process and makes up the bulk of the remaining terms in this standard. There are subsections on communication and consultation, context, assessment, identification, analysis, evaluation, monitoring and measuring. In fact, the terminology in this section reads like a short course in the treatment of risk in organizations. The very first term, risk management process, states that ". . . the treatment of risk in organizations involves, systematic application of management policy, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analyzing, evaluating, treating, monitoring and reviewing risk" (ANSI/ASSE Z690.1 2011, 9). With this description, companies and organizations seeking to create a risk management process can easily make a ready checklist summarizing the major components of such a process. A simple example is shown in Table 3.

TABLE 3 Simple Checklist for a Basic Risk Management Process

General policy—Statements to include intentions and basic organizational directives involving the treatment of risk.
Metrics—How is risk to be defined and measured in the organization? Consider objectives, expectations, how events are defined, the consequences of any events, and the measures of associated likelihoods (how).
Requirements for the process—Consider (a) human resource requirements; (b) professional requirements such as risk analysts, statisticians, engineering or technical experts, and managers; (c) technical components such as computer programs, reporting templates, data management software; (d) training and communications requirements; standard work or general written/documented procedures and methodology.
Communication plan—Includes training at various levels of an organization and reporting templates.
Risk assessment, analysis methodology, and mitigating corrective action planning and development.
Monitoring and improvement of the process.
In addition to these basic components, section 3 of Z690.1 defines numerous other important terms and concepts that managers may want to consider when trying to introduce/implement a risk management process in their organizations (see Table 1). Not all of these will apply in all organizations. What is important and utilitarian is the generality of application of the Z690.1 catalog.

CONCLUSION

The concept of risk and its management has been increasingly important to organizations in recent years. That quality, quality engineering, and quality management are related to risk is without question. The overall process of creating formal risk management tools in organizations starts by just thinking about and discussing what is "risky" in an organization. This is, of course, quite variable and context dependent. At some point, practitioners need good standard terminology to describe their intentions and begin the process of creating the risk management process. The ISO documents as well as many other resources are invaluable in describing this.

It is good that people who need to use risk concepts do not have to be mathematicians or statisticians to use these concepts. This greatly reduces intimidation by users who otherwise would never bother to consider risk topics as part of their organizations. However, there is some danger in using these concepts in general qualitative ways, and users are cautioned that risk generally means what can happen, how often and with what consequences, and these are far more meaningful and helpful to organizations when quantified.

ABOUT THE AUTHOR

Stephen N. Luko is an industrial statistician with United Technologies Aerospace Systems. He is a senior member of ASQ and the editor of this column.

REFERENCES

ANSI/ASSE Z690.1-2011. (2011). Vocabulary for Risk Management. Washington, D.C.: American National Standards Institute.
ANSI/ASSE Z690.2-2011. (2011). Risk Management Principles and Guidelines. Washington, D.C.: American National Standards Institute.
ANSI/ASSE Z690.3-2011. (2011). Risk Assessment Techniques. Washington, D.C.: American National Standards Institute.
Federal Aviation Administration. (2003). Advisory Circular 39-8. Washington, D.C.: Federal Aviation Administration.
ISO Guide 73. (2009). Risk Management Terminology. Geneva, Switzerland: International Organization for Standardization (ISO).
U.S. Department of Homeland Security. (2010). DHS Risk Lexicon. Washington, D.C.: U.S. Department of Homeland Security.
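The quality example (item 3 above) states that a Cpk of 1.5 implies 3.4 to 6.8 nonconforming units per million under the normal model, and lists the use of point estimates (item c) as one source of uncertainty in that figure. The Python example below is added here and is not from the article or from Z690.1. It reproduces the 3.4 and 6.8 ppm figures from the definition Cpk = min(USL − mean, mean − LSL) / (3 sigma), computes a Cpk from a sample, and then shows how far the implied risk moves once sampling error in the estimate is allowed for. The ten readings and the specification limits are constructed values; the lower confidence bound uses the usual normal-theory approximation to the variance of an estimated Cpk, which is this example's own choice.

```python
import math
import statistics

# Constructed sample (invented numbers): ten readings of one dimension, with
# specification limits chosen for the illustration. Not real process data.
SAMPLE = [10.0, 10.1, 9.9, 10.2, 9.8, 10.0, 10.1, 9.9, 10.0, 10.0]
LSL, USL = 9.5, 10.5


def normal_upper_tail(z):
    """P(Z > z) for a standard normal variable, via the complementary error function."""
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def implied_nonconforming_ppm(cpk, two_sided=False):
    """Nonconforming parts per million implied by a Cpk value under normality.
    Cpk measures the distance from the mean to the nearest spec limit in units
    of 3 sigma, so that limit lies 3 * cpk sigma away. One-sided counts only the
    nearest limit (3.4 ppm at Cpk 1.5); two_sided assumes a centred process with
    both limits at 3 * cpk sigma, the upper end of the range (6.8 ppm)."""
    tail = normal_upper_tail(3.0 * cpk)
    return 1e6 * (2.0 * tail if two_sided else tail)


def cpk_from_sample(data, lsl, usl):
    """Point estimate of Cpk from the sample mean and sample standard deviation.
    This is exactly the item (c) situation: estimates, not true parameters."""
    mean = statistics.mean(data)
    s = statistics.stdev(data)
    return min(usl - mean, mean - lsl) / (3.0 * s)


def cpk_lower_bound(cpk_hat, n, z=1.645):
    """Approximate one-sided lower confidence bound for the true Cpk given an
    estimate cpk_hat from n observations (z = 1.645 for roughly 95 percent).
    Var(cpk_hat) ~ 1/(9n) + cpk_hat^2 / (2(n - 1)) is the standard normal-theory
    approximation; its use here is an assumption of this example."""
    if n < 2:
        raise ValueError("need at least two observations")
    var = 1.0 / (9.0 * n) + cpk_hat ** 2 / (2.0 * (n - 1))
    return cpk_hat - z * math.sqrt(var)


def risk_summary(data, lsl, usl):
    """Implied ppm at the point estimate and at its lower bound, so the effect
    of estimation uncertainty on the stated risk is visible side by side."""
    cpk_hat = cpk_from_sample(data, lsl, usl)
    lb = cpk_lower_bound(cpk_hat, len(data))
    return {
        "cpk_hat": cpk_hat,
        "cpk_lower_bound": lb,
        "ppm_at_estimate": implied_nonconforming_ppm(cpk_hat, two_sided=True),
        "ppm_at_lower_bound": implied_nonconforming_ppm(lb, two_sided=True),
    }


if __name__ == "__main__":
    print(f"Cpk 1.5, one-sided: {implied_nonconforming_ppm(1.5):.2f} ppm")
    print(f"Cpk 1.5, two-sided: {implied_nonconforming_ppm(1.5, two_sided=True):.2f} ppm")
    for key, value in risk_summary(SAMPLE, LSL, USL).items():
        print(f"{key}: {value:.4g}")
```

With only ten readings the lower bound on Cpk falls well below the point estimate, and the implied nonconforming rate at that bound is orders of magnitude above the rate at the estimate. That gap is the quantitative form of the article's caution that a capability figure carries its own uncertainty, before the questions of normality and statistical control (items a, b and d) are even raised.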
