This article was downloaded by: [University of Otago]

On: 24 December 2014, At: 02:11

Publisher: Taylor & Francis
Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House,
37-41 Mortimer Street, London W1T 3JH, UK

Quality Engineering
Publication details, including instructions for authors and subscription information:
http://www.tandfonline.com/loi/lqen20

Risk Management Principles and Guidelines

a
Stephen N. Luko
a
United Technologies Aerospace Systems (UTAS) , Windsor Locks , Connecticut
Published online: 02 Sep 2013.

To cite this article: Stephen N. Luko (2013) Risk Management Principles and Guidelines, Quality Engineering, 25:4, 451-454,
DOI: 10.1080/08982112.2013.814508

To link to this article: http://dx.doi.org/10.1080/08982112.2013.814508

PLEASE SCROLL DOWN FOR ARTICLE

Taylor & Francis makes every effort to ensure the accuracy of all the information (the “Content”) contained
in the publications on our platform. However, Taylor & Francis, our agents, and our licensors make no
representations or warranties whatsoever as to the accuracy, completeness, or suitability for any purpose of the
Content. Any opinions and views expressed in this publication are the opinions and views of the authors, and
are not the views of or endorsed by Taylor & Francis. The accuracy of the Content should not be relied upon and
should be independently verified with primary sources of information. Taylor and Francis shall not be liable for
any losses, actions, claims, proceedings, demands, costs, expenses, damages, and other liabilities whatsoever
or howsoever caused arising directly or indirectly in connection with, in relation to or arising out of the use of
the Content.

This article may be used for research, teaching, and private study purposes. Any substantial or systematic
reproduction, redistribution, reselling, loan, sub-licensing, systematic supply, or distribution in any
form to anyone is expressly forbidden. Terms & Conditions of access and use can be found at http://
www.tandfonline.com/page/terms-and-conditions
 Quality Engineering, 25:451–454, 2013
Copyright # Taylor & Francis Group, LLC
ISSN: 0898-2112 print=1532-4222 online
DOI: 10.1080/08982112.2013.814508
Reviews of Standards and Related Material
Risk Management Principles and
Stephen N. Luko
United Technologies Aerospace
Systems (UTAS), Windsor Locks,
Connecticut
Downloaded by [University of Otago] at 02:11 24 December 2014
Address correspondence to Stephen
N. Luko, United Technologies
Aerospace Systems (UTAS), 38
Fountainhead Road, Windsor Locks,
CT 06786. E-mail: stephen.luko@utas.
utc.com
Guidelines
ABSTRACT This article examines ISO 31000-2009, also referred to as
ANSI=ASSE Z690.2, the second of a trio of standards dealing with the concept
of Risk. In our first review (Luko 2013) risk management terminology
was reviewed. The terminology documents, ISO Guide 73 and ANSI=ASSE
Z690.1-2011, were found to be identical and contained all of the risk vocabu-
lary used in the subsequent two standards. In the present review, the second
of the trio of standards concerning risk is treated. The general topic of this
standard is risk management principles and guidelines.
KEYWORDS risk, risk management, risk terminology
INTRODUCTION
The second of the trio of documents concerned with the concept of risk
are designated as follows.
1. ISO 31000-2009, Risk Management—Principles and Guidelines
2. ANSI=ASSE Z690.2-2011, Risk Management—Principles and Guidelines
Note: ISO stands for International Organization for Standardization; ANSI
standard for American National Standard Institute; and ASSE stands for the
American Society of Safety Engineers.
These documents are identical in their entire substance and have a very minor
difference in their organization of terminology given in section 2 of each docu-
ment. To be sure, exactly 29 terms are listed in both the ISO and the ANSI versions
of this document, and these terms and their definitions are identical. The defini-
tions are just selections from ISO Guide 73 or ANSI=Z690.1. The order of appear-
ance of terms in their sections on terminology is slightly different. The ANSI
document is a national adoption of the ISO version. We will consider further
comments of this review to apply equally to each of the ANSI or ISO versions
and refer to one document using the abbreviation RM for risk management.
In the introduction to the RM document we find, again, the definition of
risk from the vocabulary document. To review, the vocabulary document,
ISO Guide 73, definition states: ‘‘Risk—The effect of uncertainty on objec-
tives’’ (2009, p. 1). The opening sentence in the Introduction section of the
RM document states: ‘‘The effect this uncertainty has on an organization’s
451
 objectives is ‘risk.’’’ A further discussion of the terms RISK MANAGEMENT
uncertainty, objectives, and risk was explored in
Throughout this standard there are three fundamen-
depth in the first review of the vocabulary docu-
tal concepts that the documents are structured around:
ments. For the present purpose, it is sufficient to point
principles, framework, and process. Principles are very
out the great generality of these terms. An organiza-
broad statements that tell why such activity is important
tion’s objective can be anything that is desirable to
and=or the salient features of RM. For example, we find
the organization or planned as a desirable future
‘‘Creates and protects value’’ and ‘‘Integral part of
state. Uncertainty is a set of factors that would thwart
organizational processes’’ as examples of principles;
the achievement of an objective resulting in an unde-
and ‘‘Communication and consultation with stake-
sirable state of affairs, circumstances, or events. Such
holders’’ and ‘‘Establishing the context’’ as examples
events constitute risk and carry a descriptive compo-
of the process (ISO 31000-2009, p. 9, 12, 13). Frame-
nent (precisely what can happen), a probability or
work includes broad overall activities that one would
likelihood component (how often might the event
employ in developing an RM process in any organiza-
happen), and a consequence component (at what
tion. The items ‘‘Mandate and Commitment,’’
cost). All of this can be quite variable and complex
‘‘Implementation of Risk Management,’’ and ‘‘Monito-
in practice; however, the importance in application
ring and Review’’ are such broad activities. The third
is the generality of real-word phenomena that fit
Downloaded by [University of Otago] at 02:11 24 December 2014

leg, the actual RM process, includes all of the actual

within the boundary of this model.
ISO 31000-2009 focuses on management activity
and should be of interest to a broad range of managers
and technical professionals. The key information
about how this RM standard is to be understood and
applied is contained in a short introduction section
excerpted below.
Organizations manage risk by identifying it, analyzing
it, and then evaluating whether the risk should be modi-
fied by risk treatment in order to satisfy their risk criteria.
Throughout this process they communicate and consult
with stakeholders and monitor and review the risk and
the controls that are modifying the risk in order to insure
that no further risk treatment is required. This standard
describes this systematic and logical process in detail.
. . . This standard establishes a number of principles that
need to be satisfied to make risk management effective.
This standard recommends that organizations develop,
implement and continuously improve a framework whose
purpose is to integrate the process for managing risk
into the organization’s overall governance, strategy and
planning, management, reporting processes, policies,
values and culture.
. . . The generic approach described in this standard
provides the principles and guidelines for managing any
form of risk in a systematic, transparent and credible
manner and within any scope and context.
Each specific sector or application of risk management
brings with it individual needs, audiences, perceptions
and criteria. Therefore a key feature of this standard is
the inclusion of ‘‘establishing the context’’ as an activity
at the start of this general risk management process.
Establishing the context will capture the objectives of
the organization, the environment in which it pursues
those objectives, its stakeholders and the diversity of risk
criteria—all of which will help reveal and assess the nature
and complexity of its risks. (ISO 31000-2009, p. v, ANSI=
ASSE Z690.2-2011, p. 7)
activities one might be engaged in somewhere in the
RM process. Establishing context, risk identification,
risk analysis, risk evaluation, and risk treatment make
up the items in this portion of the standard.
Thus, the purpose of the introduction is to give an
overall preview as to how the standard is applied.
It is completely generic and without context, but its
ultimate application may be in any kind of enterprise
or organization, however large or small. Most
important in this is that the context is absent, but
the standard is detailed enough that it is useful once
a context is established.
Following a short section on general scope
(section 1) the section on terminology (section 2)
essentially repeats all of the appropriate applied terms
from the vocabulary document. This is followed by a
short section 3 on principles; a section on framework
(section 4); and a longer section (section 5), concern-
ing process. There is also an Annex A titled ‘‘Attributes
of Enhanced Risk Management.’’ These are bench-
marks for some aspects of a high-performing RM
process, the aim of which is to assist organizations
in measuring their performance regarding RM.
SECTION 3—PRINCIPLES
The section on principles, although short and con-
fined to 11 basic principles, nevertheless is founda-
tional for RM. Consider for example the first, principle.
a) Risk management creates and protects value. Risk
management contributes to the demonstrable achievement

S. N. Luko 452
 of objectives and improvement of performance in, for
example, human health and safety, security, legal and
regulatory compliance, public acceptance, environmental
protection, product quality, project management,
efficiency in operations, governance and reputation. (ISO
31000-2009, p.7; ANSI=ASSE Z690.2-2011, p.14)
It is easy to see how broad this application is and that
it also contains ethical dimensions. The additional 10
core principles addressed in this short section really
speak to the highest levels of management and lead-
ership in an organization: These concepts include
value, management responsibility, decision analysis,
addressing uncertainty; RM is systematic, timely, and
structured; best information; RM is tailored to context,
human, and cultural factors; RM is transparent and
inclusive; RM is iterative and responsive to change;
and RM facilitates continual improvement. Each of
the 11 principles occupies no more than three of four
Downloaded by [University of Otago] at 02:11 24 December 2014
lines of the standard but could conceivably occupy
senior managers for many days in their ramifications
for the organization.
SECTION 4—FRAMEWORK
Framework comprises core supporting organiza-
tional structure, mandates, and overall management
philosophy that are required for successful RM
implementation. Here we find such things as mandate
and commitment, legal and regulatory compliance,
accountability and responsibility, internal and exter-
nal communication, reporting, resources, implemen-
tation and integration into the organization, and
continual review. Each of these is given the space of
a few sentences to elaborate. The space is short but
it is outlined in brief and to the point. For example,
under Resources we find:
. People, skills, experience, and competence
. Resources needed for each step of the RM process
. Processes, methods, and tools to be used for
managing risk
. Documented processes and procedures
. Information and knowledge management systems
. Training programs
It is important to note that the standard tells us
that ‘‘This framework is not intended to prescribe
amanagement system, but rather to assist the organi-
zation to integrate risk management into its overall
management system’’ (ISO 31000-2009, p. 11,
ANSI=ASSE Z690.2-2011, p. 18).
453
SECTION 5—PROCESS
This section is the longest section containing
seven subsections as follows:
5.1 General
5.2 Communication and consultation
5.3 Establishing the context
5.4 Risk assessment
5.5 Risk treatment
5.6 Monitoring and review
5.7 Recording the risk management process
Process may be understood as an outline of how RM
should work in practice. The ‘‘General’’ section is short
and describes risk management as related to general
management as well as the interrelations of the next
six subsections. Section 5.2 to 5.7 shows how a
high-quality system=process would work. In outline,
one needs (a) the highest level of management support;
(b) a communication plan that includes who does the
communicating, to whom; in what frequency; in what
detail (what’s included); (c) a context; (d) an assessment
and analysis methodology; a methodology for treating
risk; and a review and documentation process.
The section on ‘‘Establishing the Context’’ speaks
to how organizations identify and articulate their
objectives. In what context are we applying risk
management? There is both an internal and external
context. Internal context includes internal variables
that may affect the realization of an organization’s
objectives. Foremost of these is the internal stake-
holder. These are people. The organization’s culture
is also considered, as is the organization’s technical
capability and models=standards that are in use.
External context includes external variables that may
affect the realization of the organization’s objectives.
Some of this may include parameters related to social,
legal, political, regulatory financial, economic, natural,
and competitive environments. Again, all of this is related
to the key drivers of an organization’s objectives.
Sections 5.4 through 5.6 have to do with the prac-
tical art of risk assessment, risk analysis, and treatment
and monitoring of risk and review. ‘‘Assessing risk’’ is
to identify potential risks, analyze the degree to which
there is a risk, and evaluate such risks. ‘‘Risk analysis’’
is to quantify the likelihood of associated events and
their consequences, and this may be quite variable in
practice. We are told that risk analysis may be carried
Risk Management Principles and Guidelines
 out with varying degrees of detail depending on
context. Analysis can be quantitative, qualitative, or
contain some degree of both. Consequences and like-
lihoods are often expressed using a mathematical
model but may also include prior experience or cur-
rently available data. ‘‘Evaluation’’ is used to assist in
making decisions based on the results of risk analysis.
It is about which risks need attention and what the
priority of treating several risks is. The ‘‘treatment’’
of risk is the determination of action(s) that are neces-
sary to reduce risk to tolerable levels. This includes
the effective application of a plan of treatment over
time and the periodic assessment of the effectivity
of the treatment and possible modification of such
treatments. The treatment process itself is periodic.
The description of ‘‘ongoing monitoring and
review’’ is found is section 5.6. First, both activities
Downloaded by [University of Otago] at 02:11 24 December 2014
should be planned and appropriate responsible per-
sonnel identified. Both activities can apply to any
aspect of the RM process. Review also entails review-
ing progress in implementing risk treatment plans.
This may also provide a performance measure.
Review activity should be captured in some kind of
report and distributed as appropriate both within the
organization and to external stakeholders.
The final section, 5.7, concerns good record-
keeping practices. We are told that RM activities
should be traceable. ‘‘Records provide the foundation
for improvement in methods and tools as well as in
the overall process.’’ Record-keeping should also
consider reusing information or data, cost of main-
taining records, legal and regulatory requirements,
method of access, retention period, and sensitivity.
CONCLUSION
Assuming that all objectives are important and that
these objectives are subject to uncertainty, there is
risk in all organizations. A first step that an organiza-
tion can take with RM is the recognition of risk.
Further understanding of risk means understanding
what degree of departure an outcome may take from
the objective. This requires knowledge of what can
S. N. Luko
happen, how often, and with what consequence.
The process whereby an organization takes control
of risk is broadly called risk management and con-
cerns the specification and quantification of risk such
as described above. The purpose of such activity is to
clarify what the risks are, communicate this infor-
mation, and remove risk or mitigate risk to manage-
able tolerable levels. In working with RM, there
needs to be a context that applies to the specifics of
the organization, a means of assessing and analyzing
risk, and a process for treating risk. Communication,
monitoring, and review are also key. In addition,
standards, training=education, and documenting are
important to a degree depending of the organization.
The concept of risk is fast becoming part of the
general lexicon of quality. However we define
quality and its sister disciplines, there is no question
that risks are counter productive to quality and that
RM can be considered as a quality-preserving
activity. Quality professionals and practitioners alike
are therefore advised to better understand the new
risk paradigm in the context of their organizations.
Toward that end, these standards do provide a good
framework from which application can take root.
ABOUT THE AUTHOR
Stephen N. Luko is an industrial statistician with
United Technologies Aerospace Systems in Windsor
Locks, CT. He is a senior member of ASQ and the
editor of this column.
REFERENCES
ANSI=ASSE Z690.1-2011. (2011). Vocabulary for Risk Management.
Washington, DC: American National Standards Institute.
ANSI=ASSE Z690.2-2011. (2011). Risk Management Principles and
Guidelines. Washington, DC: American National Standards Institute.
ANSI=ASSE Z690.3–2011. (2011). Risk Assessment Techniques. Washington,
DC: American National Standards Institute.
ISO 31000-2009. (2009). Risk Management – Principles and Guide-
lines. Geneva, Switzerland: International Organization for
Standardization.
ISO Guide 73. (2009). Risk Management Terminology. Geneva,
Switzerland: International Organization for Standardization (ISO).
Luko, S. N. (2013). Risk management terminology. Quality Engineering,
25(3): 292–297.
454