ISO 31000 is the meat of the first section of the book (chapters 1-8). The second then delves into "strategies for selecting, modifying and combining risk management methods", and the third offers case studies that show the techniques applied in practice. The book concludes with a directory of acronyms, an excellent glossary (everything from "acceptable risk" to "worst credible consequence") and an index.
The authors take a systematic approach and the step-by-step structure, supported by clear tables, diagrams and occasional photos, makes it easy to follow. But what lifts it to another level is that they overlay this information with details of 27 specific risk management techniques.
Some of those mentioned (hazard and operability studies, plan-do-check-act, risk matrices) are familiar while others, such as the Delphi technique, striped bowtie risk assessment, layers of protection analysis, were new to me. The structure works well: from the assessor's point of view, it gives the reader practical pointers on the tools most likely to help with each stage in the risk management process. It also makes it easier to understand how the tools work because they are applied to the problem they are best suited to solving.
The authors never fall into the trap of promoting one technique over others; rather, they argue that the ultimate test is whether the tool works in the setting in which it is applied. The authors note that assessors will often need to use more than one tool.
It would be easy to dismiss this book as relevant only to those who manage US operations, or work in organisations that apply US standards, but, as a directory of risk management techniques, it deserves a far wider readership.
I liked the broad approach to risk -- it extends to the risk assessment for process safety and environmental protection -- as well as detail on how to make financial and non-financial cases for risk improvement. If the book has a weak spot, it is health; the authors' overwhelming emphasis is on accident prevention.