Risk Management Terminology (ASQ/Luko, Risk Management Part 1)
Author: Stephen N. Luko
Uploaded by Stephen N. Luko on 05 June 2015.
Quality Engineering, 25:292–297, 2013
Copyright Taylor & Francis Group, LLC
ISSN: 0898-2112 print / 1532-4222 online
DOI: 10.1080/08982112.2013.786336
Publication details: http://www.tandfonline.com/loi/lqen20
To cite this article: Stephen N. Luko (2013): Risk Management Terminology, Quality Engineering, 25:3, 292–297.
INTRODUCTION
Throughout this review, a reference to either International Organization for Standardization (ISO) Guide 73 (2009) or American National Standards Institute (ANSI) Z690.1 (2011) should be read as meaning the same document; in fact, the two documents are identical. As stated in their Introduction (2009, vii), "This Guide provides basic vocabulary to develop common understanding on risk management concepts and terms among organizations and functions and across different applications and types." They further state that "... the guide is generic and is compiled to encompass the general field of risk management." As general as this is, it is precisely what is needed given the ever-increasing awareness of risk at various levels and the application of risk principles in business.
The ISO suite of risk-related standards and their ANSI equivalents are shown in Table 1.
Z690.1 is the ANSI version of the vocabulary (2011). Z690.2 (2011) covers the management of risk (31 pages) and Z690.3 (2011) covers risk analysis techniques (110 pages). The risk techniques document contains many statistical elements, including Bayesian methods. This review focuses on the vocabulary standard, which comprises 15 pages in either version. Two future articles will cover the management and techniques documents.
All information appearing in quotes is quoted directly from Z690.1 or ISO Guide 73.
Address correspondence to Stephen N. Luko, United Technologies Aerospace Systems, 1 Hamilton Road, Windsor Locks, CT 06096. E-mail: stephen.luko@utas.utc.com
TABLE 1 ISO and ANSI Equivalent Risk Management Standards
ISO: Guide 73 (2009), Risk Management, Vocabulary. ANSI: Z690.1-2011, Vocabulary for Risk Management.
ISO: Standard 31000 (2009), Risk Management: Principles and Guidelines. ANSI: Z690.2-2011, Risk Management Principles.
ISO: Standard 31010 (2009), Risk Management: Risk Assessment Techniques. ANSI: Z690.3-2011, Risk Assessment Techniques.
TABLE 2 Z690.1-2011, ISO Guide 73; Risk Management, Terms by Subsections
1. Terms Related to Risk: Risk
2. Terms Related to Risk Management: Risk Management; Risk Management Framework; Risk Management Policy; Risk Management Plan
3. Terms Related to the Risk Management Process: Risk Management Process; Stakeholder; Risk Perception
3.2 Terms Relating to Communication and Consultation: Communication and Consultation
3.3 Terms Related to Context: Establishing the Context; External Context; Internal Context; Risk Criteria
3.4 Terms Related to Risk Assessment: Risk Assessment
3.5 Terms Related to Identification: Risk Identification; Risk Description; Risk Source; Event; Hazard; Risk Owner
3.6 Terms Related to Risk Analysis: Risk Analysis; Likelihood (Continued; the remainder of this subsection is on a page not included in this extract)
(Continued, subsection heading not captured): Risk Appetite; Risk Tolerance; Risk Aversion; Risk Aggregation; Risk Acceptance
3.8 Terms Related to Risk Treatment: Risk Treatment; Control; Risk Avoidance; Risk Sharing; Risk Financing; Risk Retention; Residual Risk; Resilience
3.8.2 Terms Relating to Monitoring and Measuring: Monitoring; Review; Risk Reporting; Risk Register; Risk Profile; Risk Management Audit

"This Guide provides the definitions of generic terms related to risk management. It aims to encourage a mutual and consistent understanding of, and a coherent approach to, the description of activities relating to the management of risk, and the use of uniform risk management terminology in processes and frameworks dealing with the management of risk. This Guide is intended to be used by: a) those engaged in managing risks, b) those who are involved in activities of ISO and IEC, and c) developers of national or sector-specific standards, guides, procedures and codes of practice" (ANSI/ASSE Z690.1 2011, 8).
Thus, these guides serve a broad audience, from general industry- and sector-specific managers, to
[Page 293 of the article is not included in this extract; the text resumes on page 294.]
Thus, probability is mathematical, whereas likelihood is more general and may even be qualitative and assigned subjectively.
The term uncertainty is generally used in its nontechnical sense as a state of mind where we are not sure about what will happen. This term is not specifically defined in this standard other than NOTE 5 under risk, but as other terms are quite general, we can take it that uncertainty as used here is equally broad. NOTE 5 states that it applies to the future event outcome, the consequence of an event, and its likelihood (probability). Thus, when working a risk scenario we often find that a final event, the consequences of the event, and/or the probability of the event have some degree of uncertainty, and these have to be considered in any final risk assessment. In using the risk concept, then, there is an objective or expected desirable outcome, but this may be compromised to some degree by virtue of our uncertainty about how all of the variables affecting the outcome would eventually play out to give us the final outcome. Some simple examples of how this is used in ordinary usage may prove instructive here.
1. When we say "Risk of injury to a minor" we generally mean that the situation or behavior engaged in with respect to the minor can lead to a departure from an objective (in the ISO language). The objective might be, for example, the safe keeping of a child overnight at a neighbor's house. Leaving the child alone for a time is the "risky" behavior. We would say that leaving the child alone for a time increases the likelihood (probability) that the objective would be compromised. Various types of events might happen. For example, the child could eat something it shouldn't and the consequence might be a serious illness or even death. In everyday life this might also happen, but under the watchful eyes of adults, the event is considered very unlikely. The risk of injury comes about because the probability of something happening (some departure from objectives) is many times higher than what has been observed in the past for similar events happening in a properly supervised setting. Note that the quantification is important here. We often need to look back to see how often the undesirable departure (event) has happened in the past under the potential conditions (leaving the child alone). Then we compare this to the occurrence of the same departure under all possible conditions. Note also that we may be uncertain about what might happen, its probability of occurrence, and the subsequent consequences.
2. More generally, "engaging in risky behavior" means that the behavior is associated with an increase in the likelihood (probability) that a departure from a stated objective might occur. If the stated objective is "accident avoidance" when driving in a snowstorm, then the risky behavior might mean not slowing down enough in a line of traffic or following too closely, or engaging in excessive speed. An event might be the occurrence of an accident, which can have quite variable consequences. Thus, we see that the event and its consequences are uncertain. The probability of the event may be more certain in this case because there may be a good deal of past intelligence (data) concerning this type of accident.
3. In matters of quality, risk generally means the production of or the escaping of a nonconforming product or service to a downstream operation or a field application. Quality is often measured using quality indices such as Cpk, Ppk, or other similar metrics. A Cpk of 1.5 or higher might be a management objective. Such indices have an implied probability built into them, so that if Cpk = 1.5, for example, the implied probability is between 3.4 and 6.8 nonconforming units in one million units produced, at least in theory. We can consider this as the baseline acceptable risk; however, notice that there may be uncertainty concerning (a) whether the normal distribution applies to the data; (b) whether the data came from a process in statistical control; (c) the fact that the index was calculated using point estimates of the mean and standard deviation, not the true values of the parameters; and (d) the fact that special causes might occur at any time giving rise to additional nonconforming (and possibly escaping) units. Each of these as well as other considerations makes up the risk in quality matters. More generally, the discipline of quality engineering may be considered as a risk-mitigating discipline.
All of the above is very general and designed for use by managers desiring to incorporate knowledge of
[The text at the top of this page, including the opening of the quotation from the FAA Advisory Circular, is not included in this extract.]
"... and control program risk factors for control programs that do not incorporate final corrective action (e.g., recurring inspections), risk factors usually cover a 20-year (60,000-hour) period or shorter interval corresponding to the expected life of the fleet.
1. Uncorrected Risk Factor—The forecasted number of future events expected to occur in the entire worldwide fleet (or, if applicable, the relevant affected subfleet) if no corrective actions are incorporated.
2. Control Program Risk Factor—The forecasted number of future events expected to occur in the entire worldwide fleet (or, if applicable, the relevant affected subfleet) during the control program.
3. Corrected Risk Factor—The forecasted number of future events expected to occur after the entire worldwide fleet (or, if applicable, the relevant affected subfleet) incorporates the final corrective actions" (6).
The FAA (2003) risk factor is an expected or forecasted number of future events as applied to a specific fleet of aircraft, within a defined time period, whereas risk in Z690.1 (2011) is a departure from an objective in the sense of any departure being a result of uncertainty. The latter is seen to be more general than how the FAA is applying the term. This is an important point. Managers looking to incorporate risk ideas into their business plans could look at how others have done this, but standards such as
[The continuation of this sentence, and the DHS Risk Lexicon definition to which the following Example, Extended Definition, and Annotation belong, are not captured in this extract.]
Example: The team calculated the risk of a terrorist attack after analyzing intelligence reports, vulnerability assessments and consequence models.
Extended Definition: potential for an adverse outcome assessed as a function of threats, vulnerabilities and consequences associated with an incident, event or occurrence.
Annotation: 1) Risk is defined as the potential for an unwanted outcome. This potential is often measured and used to compare different future situations; 2) Risk may manifest at the strategic, operational and tactical levels (27).
The above may be considered as a baseline definition in the DHS Lexicon. Many other terms in this document contain the term risk. Notice, though, that this does harmonize with the ISO version of risk. In fact, the DHS (2010) document states that one source of validation for their Lexicon is "International Standards Organization (ISO) Risk Management Vocabulary ISO/IEC Guide 73" (27).
Risk Management Vocabulary
In section 2, Terms Relating to Risk Management, we find the very general definition: "2.1 'Risk Management'—Coordinated activities to direct and control an organization with regard to risk" (ANSI/ASSE Z690.1 2011, 8). This is further developed using terms such as risk management framework, policy, and plan. This terminology speaks to general management of organizations where risk may play a key role. There needs to be a general policy, an understanding of the framework in how the policy is applied, and a plan to manage the risk. The concepts
TABLE 3 Simple Checklist for a Basic Risk Management Process
General policy—Statements to include intentions and basic organizational directives involving the treatment of risk.
Metrics—How is risk to be defined and measured in the organization? Consider objectives, expectations, how events are defined, the consequences of any events, and the measures of associated likelihoods (how).
Requirements for the process—Consider (a) human resource requirements; (b) professional requirements such as risk analysts, statisticians, engineering or technical experts, and managers; (c) technical components such as computer programs, reporting templates, data management software; (d) training and communications requirements; standard work or general written/documented procedures and methodology.
Communication plan—Includes training at various levels of an organization and reporting templates.
Risk assessment, analysis methodology, and mitigating corrective action planning and development.
Monitoring and improvement of the process.
In addition to these basic components, section 3 of Z690.1 defines numerous other important terms and concepts that managers may want to consider when trying to introduce/implement a risk management process in their organizations (see Table 2). Not all of these will apply in all organizations. What is important and utilitarian is the generality of application of the Z690.1 catalog.
are general enough so that they may be used by a wide variety of organizations and situations where risk is important in managing the organization.
Section 3 concerns the broad topic of the risk management process and makes up the bulk of the remaining terms in this standard. There are subsections on communication and consultation, context, assessment, identification, analysis, evaluation, monitoring and measuring. In fact, the terminology in this section reads like a short course in the treatment of risk in organizations. The very first term, risk management process, states that "... the treatment of risk in organizations involves, systematic application of management policy, procedures and practices to the activities of communicating, consulting, establishing the context and identifying, analyzing, evaluating, treating, monitoring and reviewing risk" (ANSI/ASSE Z690.1 2011, 9). With this description, companies and organizations seeking to create a risk management process can easily make a ready checklist summarizing the major components of such a process. A simple example is shown in Table 3.
CONCLUSION
The concept of risk and its management has been increasingly important to organizations in recent years. That quality, quality engineering, and quality management are related to risk is without question. The overall process of creating formal risk management tools in organizations starts by just thinking about and discussing what is "risky" in an organization. This is, of course, quite variable and context dependent. At some point, practitioners need good standard terminology to describe their intentions and begin the process of creating the risk management process. The ISO documents as well as many other resources are invaluable in describing this.
It is good that people who need to use risk concepts do not have to be mathematicians or statisticians to use these concepts. This greatly reduces intimidation of users who otherwise would never bother to consider risk topics as part of their organizations. However, there is some danger in using these concepts in general qualitative ways, and users are cautioned that risk generally means what can happen, how often, and with what consequences, and these are far more meaningful and helpful to organizations when quantified.
ABOUT THE AUTHOR
Stephen N. Luko is an industrial statistician with United Technologies Aerospace Systems. He is a senior member of ASQ and the editor of this column.
REFERENCES
ANSI/ASSE Z690.1-2011. (2011). Vocabulary for Risk Management. Washington, D.C.: American National Standards Institute.
ANSI/ASSE Z690.2-2011. (2011). Risk Management Principles and Guidelines. Washington, D.C.: American National Standards Institute.
ANSI/ASSE Z690.3-2011. (2011). Risk Assessment Techniques. Washington, D.C.: American National Standards Institute.
Federal Aviation Administration. (2003). Advisory Circular 39-8. Washington, D.C.: Federal Aviation Administration.
ISO Guide 73. (2009). Risk Management Terminology. Geneva, Switzerland: International Organization for Standardization (ISO).
U.S. Department of Homeland Security. (2010). DHS Risk Lexicon. Washington, D.C.: U.S. Department of Homeland Security.