Chapter 7 Risk Management

7.1 Introduction

The topic of this book is risk assessment, but identifying and describing risk cannot by itself reduce risk. We need to make decisions based on the results and make sure that these decisions are implemented and followed up before we can expect to see any effect. The systematic performance of these and other activities aimed at controlling risk is what we may call risk management. This chapter provides a brief introduction to the topic, to give a better understanding of how and where risk assessment fits into the bigger picture of risk management.

The international standard ISO 31000, “Risk management guidelines,” was published in 2009 and later updated in 2018 (ISO 31000 2018). This standard is widely recognized, but a vast body of other standards and guidelines also provide advice on what risk management is and how it should be implemented. Examples include the following:

  • ISO 45001. “Occupational health and safety management systems – Requirements with guidance for use”
  • CCPS (2016). “Guidelines for implementing process safety management”
  • ICAO (2018). “Safety Management Manual”
  • U.S. Homeland Security (2011). “Risk management fundamentals”
  • UK HSE (2013). “Managing for health and safety”
  • ISO/IEC 27001. “Information technology – Security techniques – Information security management systems”

Most of these documents are either specific to certain types of risk (e.g. ISO 45001, which focuses on occupational risk) or to specific industries ...