Georgi Popov - Risk Assessment

Through the use of risk assessment, an organization is able to make better decisions regarding risk and achieve its business objectives. Removing uncertainly by assessing risk allows an organization to manage with a certain degree of confidence.

The fundamental process of identifying, analyzing, and evaluating risk is necessary in providing those responsible for making business decision an understanding of the risk. This understanding allows decisions to be made regarding whether the identified risk is tolerable, and what control measures are most appropriate. Ultimately, the “output” of risk assessment is an “input” to the decision‐making processes.

The following sections describe the sequence of components that take place within a risk assessment process. This is illustrated in Figure 3.3.

Figure 3.3 Simplified steps of a risk assessment.

In the ANSI/ASSP Z590.3‐2011(R2016), Prevention through Design: Guidelines for Addressing Occupational Hazards and Risks in Design and Redesign Process es standard, the initial steps outlined in (Section 7) “The Hazard Analysis and Risk Assessment Process” are (7.1) “Communication and Direction” followed by (7.2) “Establish Risk Criteria.” In the ANSI/ASSP/ISO 31000 risk management standard, the process begins with establishing context and ANSI/ASSP/ISO 31010 outlines this in Section 6.1 “Plan the assessment.” This includes “define the purpose and scope of the assessment,” “understand the context,” “engage with stakeholders,” “define objectives,” “consider human, organizational and social factors,” and “review criteria for decisions.” As part of establishing risk criteria, the selection of a risk assessment matrix is significant, and should be included at the beginning of the process.

An organization should select or develop a risk assessment matrix that the stakeholders broadly agree upon to be used in the risk assessment process. This key component is used to define and determine risk levels within an organization. An example of a risk assessment matrix adapted is provided in Table 3.1.

Table 3.1 Example of a risk assessment matrix.

The purpose of the risk assessment matrix is to provide “a method to categorize combinations of likelihood of occurrence and severity of harm, thus establishing risk levels” (ANSI/ASSP Z590.3, 2016). In essence, it is a risk “measuring stick” and communication tool used to help categorize and prioritize risks within the organization so that decision makers can take the most appropriate action in regard to risks and their treatment. There are a number of sources from which to select a risk assessment matrix. Notable examples are provided in the ANSI Z590.3 Prevention through Design standard, the US Military standard MIL‐STD‐882E, and the ANSI B11.TR3‐2000 technical report, among others.

It is important that the risk rating criteria and matrix used by an organization are consistent. When developing or selecting a risk assessment matrix which expresses numerical values, rating criteria should be standardized so that a lower risk score or risk priority number (RPN) value indicates a lower risk level. Thus, on a 10‐point risk scale, a risk score of 1 is considered the lowest level, while a 10 is considered the highest risk. For example, Table 3.2provides an example of risk criteria reprinted with permission from ANSI/ASSP Z590.3. The example uses severity of consequence and occurrence probability factors which are multiplied to determine the risk level. Risk levels are defined as: Very High (15 or greater); High (10–14); Moderate (6–9); and Low (1–5). The corresponding Risk Scoring Levels and Actions Required shown in Table 3.3are reprinted with permission from ANSI/ASSP Z590.3. The standard states that these numbers are judgmentally determined, are qualitative, and only have value in relation to each other.

Table 3.2 Example 5‐point risk assessment matrix.

Source : Adapted from ANSI/ASSP Z590.3‐2011(R2016)

Table 3.3 Risk scoring levels and action required.

Source : Adapted from ANSI/ASSP Z590.3‐2011(R2016).

Notice that both matrix examples are in the upper right‐hand quadrant known as Quadrant I of the Cartesian coordinate system. It is the authors’ opinion that a risk assessment matrix should be positioned in the first quadrant (Quadrant I). This allows the user to read the matrix from left to right/bottom to top, with risk levels progressing from low to high accordingly, as indicated in Figure 3.4.

Figure 3.4 The four quadrants of a Cartesian coordinate system.

At this stage, an organization should consider their acceptance risk level in terms of the planned risk assessment exercise. Management and other involved stakeholders should agree on the levels that require “stop work,” “immediate action required,” “remedial action,” on down to “acceptable level – no further action.” As stated in ANSI/ASSP Z590.3, “Personnel who craft risk assessment matrices may have differing ideas about acceptable risk levels and the management actions that should be taken in a given risk situation, and those differences must be resolved so that all personnel understand the process.”

The purpose and scope known as the context of the risk assessment must be established. This step is considered critical since it sets the direction, tone, and expectations for the project. Within the organization’s risk management process, the context should define the purpose and scope of the assessment; the stakeholders/team members responsibilities and accountabilities; the degree, extent, or rigor of the assessment; the risk assessment methodologies; the risk criteria; and resources available. Ultimately, the context defines the parameters for managing the risk throughout the process as stated in ANSI/ASSP/ISO 31010.