ISO 31010 – Risk assessment techniques
The international standard, ISO IEC 31010 Risk management — Risk assessment techniques, a supporting standard for the international risk standard ISO 31000, provides guidance on the selection and application of techniques for assessing risk in a wide range of situations. Various techniques can be used to assist in making decisions where there is uncertainty, to provide information about particular risks and as part of a process for managing uncertainties, risks and opportunities.
ISO 31010 introduces the reader to the application of a range of risk assessment techniques. There are specific references to other international standards where the concept and application of techniques are described in greater detail.
The purpose of risk assessment is to provide evidence-based information and analysis to make informed decisions on how to treat particular risks and how to select between options.
The choice of technique and the way it is applied should be tailored to the context and use. The technique used should provide the relevant information in the type and form needed by internal and external stakeholders for decision making.
Principal benefits of a performing risk assessment include:
- Providing objective information for decision makers.
- An understanding of uncertainties, risks and opportunities, and their potential impact upon objectives and success.
- Identifying, analysing and evaluating risks and determining the need for their treatment.
- The quantification or ranking of risks.
- Contributing to the understanding of risks in order to assist in the selection of treatment and cost-effective options.
- Identification of the important contributors to risks and weak links in systems and organisations.
- Comparison of risks in alternative systems, technologies or approaches.
- Identification and communication of uncertainties, risks and opportunities.
- Assisting with establishing priorities for wellbeing, health and safety.
- Rationalising a basis for preventive maintenance and inspection.
- Post-incident investigation and prevention.
- Selecting different forms of risk treatment and mitigations.
- Meeting regulatory and compliance requirements.
- Providing information that will help evaluate the tolerability of the risk when compared with pre-defined criteria.
In general terms, the number and type of technique selected should be scaled to the significance of the decision and consider constraints on time and other resources, and opportunity costs. In deciding whether a qualitative or quantitative technique is more appropriate, the main criteria to consider are the form of output of most value and use to stakeholders and the availability and reliability of best available data.
Quantitative techniques generally require high quality data if they are to provide meaningful results. However, in some cases where data is not sufficient, the rigour needed to apply a quantitative technique can provide an improved understanding of the risk, even though the result of the calculation might be uncertain.
There is often a choice of techniques relevant for a given circumstance. Several techniques might need to be considered and applying more than one technique can sometimes provide useful and better understanding. Different techniques can also be appropriate as more information becomes available.
In selecting a technique or techniques the following should therefore be considered:
- the purpose of the assessment;
- the needs of internal and external stakeholders;
- any legal, regulatory, compliance and contractual requirements;
- the operating environment and scenario;
- the importance of the decision (e.g., the consequences if a wrong decision is made);
- any defined decision criteria and their form;
- the time available before a decision must be made;
- information that is available or can be obtained;
- the complexity of the situation; and
- the expertise available or that can be obtained.
Some of the techniques described in the standard can be applied during activities of the ISO risk management process in addition to their usage in risk assessment. Application of the techniques to the risk management process is illustrated in the figure below.