BY: Indra Mendoza, Global Standard Auditor.
Every organization, regardless of whether it is small or large, faces external and internal factors that take away certainty from the possibility of achieving its objectives. This effect of lack of certainty is a risk, and it is inherent to all activities (Kevin W. Knight, 2009).
That is why it has become a constant need to establish strategies to protect themselves, manage risks, and make decisions. These factors can be of any type and represent risks of processes, internal and/or external fraud, financial and/or economic, technological and/or computer, human, commercial practices, natural disasters, raw materials, product and/or service quality, labor or work, environmental, social, logistical, documentary, physical and psychological, food, insecurity, and sabotage, among many others.
A reference framework for managing these risks is ISO 31000:2018. Risk management – Guidelines, as well as ISO/IEC 31010:2019 Risk management – Risk assessment techniques. These standards recommend that organizations develop, implement, and continuously improve a framework or support structure, that aims to integrate the risk management process into the organization, planning and strategy, processes, policies, values, and culture.
The risk management process consists of:
Identification: Is the process by which risks are discovered, recognized, and recorded. Risks must be identified, whether or not their sources are under control.
Analysis: This is to understand the nature of the risk and its characteristics, this involves a detailed consideration of uncertainties, risk sources, consequences, probabilities, events, scenarios, controls, and effectiveness. It consists of determining the consequences and their probabilities, these are then combined to determine a level of risk. The methods used in risk analysis can be qualitative, semi-quantitative, or quantitative.
Evaluation: The purpose of risk assessment is to support decision-making.
Risk treatment: The purpose of risk treatment is to select and implement options to address the risk.
Select risk treatment options a process aimed at modifying the risk, which may involve avoiding the risk by deciding whether or not to initiate or continue with the activity that motivates the risk, accepting or increasing the risk to seek an opportunity, eliminating the source of risk, changing the probability or frequency of occurrence (decreasing), sharing the risk with others or other interested parties (including contracts or risk financing), and maintaining the risk based on an informed decision.
Preparation and implementation of plans. The information provided in the treatment plan should include the treatment of the risk, including expected benefits, persons responsible, proposed actions, resources needed, contingencies, performance measures, constraints, required reporting and monitoring, expected timelines for completion, and completion of actions.
Monitoring and review. Factors should be identified for monitoring and review so that the risk assessment can be updated as necessary.
Risk analysis can be carried out in varying degrees of depth and detail and using one or more methods ranging from simple to complex. This will depend on the objectives of the study, the type and range of risks being analyzed, the potential magnitude of the consequences, the degree of expertise, human and other resources required, the availability of information and data, the need for modification/updating of the risk assessment, any contractual and regulatory requirements, and whether the method can provide a quantitative result.
Risk analysis techniques are listed below:
A: applicable, SA: strongly applicable, NA: not applicable. |
|||||
Tools and tchniques |
Risk assessment process |
||||
Risk identification |
Risk analysis |
Risk evaluation |
|||
Consequence |
Likelihood |
Level of risk |
|||
ALARP, ALARA and SFAIRP |
NA |
NA |
NA |
SA |
SA |
Bayesian analysis |
NA |
NA |
SA |
NA |
NA |
Bayesian networks |
A |
NA |
SA |
SA |
SA |
Bow tie analysis |
SA |
SA |
A |
A |
A |
Brainstorming |
A |
A |
NA |
NA |
NA |
Business impact analysis |
A |
SA |
NA |
NA |
NA |
Casual mapping |
A |
A |
NA |
NA |
NA |
Cause-consequence analysis |
SA |
SA |
SA |
A |
A |
Checklists, classifications and taxonomies |
SA |
NA |
NA |
NA |
NA |
Cindynic approach |
NA |
NA |
NA |
NA |
NA |
Consequence/likelihood matrix |
NA |
A |
A |
SA |
A |
Cost/benefit analysis |
NA |
SA |
NA |
NA |
SA |
Cross impact analysis |
NA |
NA |
SA |
NA |
NA |
Decision tree analysis |
NA |
SA |
SA |
A |
A |
Delphi technique |
SA |
NA |
NA |
NA |
NA |
Event tree analysis |
NA |
A |
A |
A |
A |
Failure modes and effects analysis |
SA |
NA |
NA |
NA |
NA |
Failure modes and effects and criticality analysis |
SA |
SA |
SA |
SA |
SA |
Fault tree analysis |
A |
NA |
SA |
A |
A |
F-N diagrams |
A |
SA |
SA |
A |
SA |
Game theory |
A |
SA |
NA |
NA |
SA |
Hazard and operability studies (HAZOP) |
SA |
A |
NA |
NA |
NA |
Hazard analysis and critical control points (HACCP) |
SA |
SA |
NA |
NA |
SA |
Human reliability analysis |
SA |
SA |
SA |
SA |
A |
Ishikawa (fishbone) |
SA |
A |
NA |
NA |
NA |
Layer protection analysis (LOPA) |
A |
SA |
A |
A |
NA |
Markov analysis |
A |
A |
SA |
NA |
NA |
Monte Carlo simulation |
NA |
A |
A |
A |
SA |
Multi-criteria analysis (MCA) |
A |
NA |
NA |
NA |
SA |
Nominal group technique |
SA |
A |
A |
NA |
NA |
Pareto charts |
NA |
A |
A |
A |
SA |
Privacy impact analysis/ data privacy impact assessment (PIA/DPIA) |
A |
SA |
A |
A |
SA |
Reliability centred maintenance |
A |
A |
A |
A |
SA |
Risk indicices |
NA |
SA |
SA |
A |
SA |
S-curves |
NA |
A |
A |
SA |
SA |
Scenario analysis |
SA |
SA |
A |
A |
A |
Structured or semi-structured interviews |
SA |
NA |
NA |
NA |
NA |
Structured “What if?” (SWIFT) |
SA |
SA |
A |
A |
A |
Surveys |
SA |
NA |
NA |
NA |
NA |
Toxicological risk assessment |
SA |
SA |
SA |
SA |
SA |
Value at risk (Var) |
NA |
A |
A |
SA |
SA |
Source: ISO/ IEC 31010:2019 Risk management – Risk assessment techniques.
The most commonly used are described:
Brainstorming can be used in conjunction with other risk analysis methods or as a stand-alone technique to stimulate imaginative thinking at any stage of the risk management process and any stage of a system’s life cycle and can be formal or informal. In formal brainstorming, participants must be prepared in advance, and the session has a defined purpose and outcomes with a way to evaluate advanced ideas. Informal brainstorming is less structured and is often more case-specific.
Structured and semi-structured interviews are useful when it is difficult to bring people together for a brainstorming session or when a free-flowing group discussion is not appropriate for the situation, or the people involved.
These interviews are often used to identify risks or to note the effectiveness of existing controls as part of the risk analysis. They can be conducted at any stage of a project or process and are a means of providing input for risk assessment to stakeholders.
The Delphi technique is a procedure for obtaining a reliable consensus from a group of experts. Although the term is widely used to refer to some form of brainstorming, an essential feature of the Delphi technique is that experts express their opinions individually and anonymously, while access to the opinions of other experts is provided as the process progresses.
It can be applied at any stage of the risk management process, at any stage of the life cycle of a system, or anywhere where the consensus of expert opinions is needed, and questions are asked through a semi-structured questionnaire. It is important to mention that experts are not brought together to have their opinions be independent.
Checklists can be used to identify hazards and risks or to assess the effectiveness of controls. They can also be used as part of other risk assessment techniques but are most useful when applied to check that the entire system has been covered after a more imaginative technique has been applied to identify new problems.
It is the most commonly used analysis at the beginning of project development when there is little information. It can also be useful for analyzing existing systems to prioritize hazards and risks for further analysis or when circumstances prevent the application of a more extensive technique than the one being used.
A list of hazards and generic hazardous situations and risks is formulated, considering characteristics such as the materials used or produced and their reactivity, the equipment used, the operating environment, the overall layout, the interfaces between system components, etc. To identify risks for later assessment, a qualitative analysis of the consequences of an undesirable event and its probability of occurrence can be performed.
The PHA should be updated to detect any new hazards. The results obtained can be presented in different forms, such as tables and tree diagrams.
HAZOP is the acronym for hazard analysis (HAZard) and operability (OPerability), which is a structured and systematic examination of an existing or planned product, process, procedure, or system to identify risks to people, equipment, environment, and/or organizational objectives. Usually done by a multidisciplinary team during a series of meetings. HAZOP is similar to FMEA (failure mode and effect analysis) in that it identifies failure modes. It differs in that the working group considers undesirable results and deviations from expected results, and conditions and work are repeated to locate possible causes and failure modes, whereas FMEA begins by identifying failure modes.
***Standards for reference: IEC 61882, Hazard and Operability Studies (HAZOP studies). Application guide.
HACCP provides a framework for identifying hazards and establishing controls at all important parts of a process to protect against hazards and to maintain the reliability and safety of a product’s quality.
It is intended to ensure that risks are minimized by controls throughout the process, rather than by an inspection of the final product. It starts with a process diagram and information on hazards that could affect the quality, safety, or reliability of the product or process results.
HACCP analysis consists of seven principles: identifying hazards and preventive measures, determining the points in the process where hazards can be controlled or eliminated, determining critical control points (CCP), establishing a critical limit(s), CCP control monitoring system, corrective actions to be taken when monitoring indicates that a particular CCP is not controlled, testing procedures to confirm that the system is working effectively, and the documentation system.
***Standards of reference: ISO 22000, Food Safety Management Systems. Requirements for any organization in the food chain/ NOM-251-SSA1-2009, Hygiene Practices for the processing of food, beverages, or food supplements.
This process is used to assess risks to plants, animals, and humans as a result of exposure to hazards from chemicals, microorganisms, or other species. This method requires reliable data on the nature and characteristics of the hazards, the susceptibility of the population model (or populations), and how the two react to each other. These data are usually based on laboratory research or obtained from epidemiological statistics.
The procedure is as follows: problem formulation, hazard identification, and hazard analysis, this involves understanding the nature of the hazard and how it reacts with the population model, exposure analysis, determining how and the quantity of hazardous substance or its residues could reach a sensitive population model, risk characterization, the information obtained from the hazard analysis and exposure analysis being grouped to estimate the probabilities of particular consequences occurring.
The SWIFT technique was initially developed as a simpler alternative to the risk and operability study (HAZOP). This technique consists of a systematic workgroup-based study using a set of “immediate effect” words or phrases used by the coordinator within a workgroup meeting to stimulate participants to identify risks.
The coordinator and working group use standardized “what if….?” phrases combined with the prompts to investigate how a system, plant item, organization, or procedure will be affected by deviations from normal operation and behavior.
The SWIFT technique is normally applied to more than one level of systems at a lower level of detail than in the HAZOP study and is used to examine the consequences of changes and altered or created risks.
Scenario analysis is the name given to the development of descriptive models of what might happen in the future. The structure of the scenario analysis can be informal or formal, and once the working group and the corresponding communication channels have been established, and the context of the problem and the issues to be considered have been defined, the next step is to identify the nature of the changes that might occur: external changes; decisions that will need to be made soon, but which may have a variety of outcomes; stakeholder needs and how these needs might change; macro-environmental changes (regulations, demographics, etc.). Some will be inevitable, and some will be uncertain.
Local and macro factors or trends can be listed and ranked by importance (1) and uncertainty (2), with special attention given to the factors that are most important and uncertain. The key factors or trends are delineated from each other on a map to show the areas where scenarios can develop. A series of scenarios are proposed, each focused on a plausible change in parameters.
The analysis of a major loss to prevent recurrence is referred to as Root Cause Analysis (RCA), Root Cause Failure Analysis (RCFA), or loss analysis. This analysis attempts to identify the root or original causes rather than addressing only the immediately obvious symptoms. It is recognized that corrective action may not always be effective, and that continuous improvement may be necessary.
RCA analysis is applied in various contexts with the following areas of use: safety-based RCA is used in accident investigations and the areas of occupational health and safety. Failure analysis is used in reliability and maintenance-related technology systems, production-based RCA is applied in the field of quality control within industrial manufacturing, process-based RCA is focused on business processes, system-based RCA has been developed with a combination of the above areas to deal with complex systems with application in change management, risk management, and systems analysis.
There are several applications of FMEA analysis: design (or product) analysis used for components and products, system analysis used for systems, process analysis used for manufacturing and assembly, service analysis, and software analysis. However, to improve reliability, changes are usually easier to implement at the design stage.
FMEA and FMECA analysis can be used to assist in the selection of design alternatives with high reliability, ensure that all system and process failure modes and their effects on operational success have been considered, identify human error modes and their effects, provide a basis for planning the testing and maintenance of physical systems, improve the design of procedures and processes, provide qualitative or quantitative input to analysis techniques such as fault tree analysis. They can provide inputs for other analysis techniques such as fault tree analysis at a qualitative or quantitative level.
**Standards for reference: IEC 60812, System reliability analysis techniques. Failure mode and effects analysis procedure (FMEA).
A fault tree can be used qualitatively to identify the potential causes and paths by which a failure occurs (the top event), or quantitatively to calculate the probability of the top event, providing knowledge of the probabilities of the causal events. It can be used in the design stage of a system to identify potential causes of failure and thus to select between different design options. It can be used in the operation phase to identify how major failures may occur, and the relative importance of the different paths leading to the top event.
A fault tree can also be used to analyze a fault that has occurred, to represent in a diagram how different events came together to cause the fault.
**Standards for reference: IEC 61025, Fault Tree Analysis (FTA).
The LOPA is a semi-quantitative method for estimating the risks associated with an undesired event or scenario. It is used to analyze whether there are sufficient measures to control or mitigate the risk. LOPA is performed by a group of experts where the initiating causes of an unintended consequence are identified, data on their frequencies and consequences are sought, a cause-consequence pair is selected, the layers of protection that prevent the cause leading to the unintended consequence are identified and analyzed for their effectiveness, the independent layers of protection that prevent the cause leading to the unintended consequence are identified, independent protection layers (IPLs) are identified (not all protection layers are IPLs), the probability of failure of each IPL is estimated; the frequency of the initiating cause is combined with the probabilities of failure of each IPL, and the probabilities of all conditional modifiers to determine the frequency of occurrence of the unintended consequence. Orders of magnitude are used for the frequencies and probabilities; the calculated risk level is compared to the risk tolerance levels to determine if additional protection is required.
**Standards for reference: IEC 61508 (all parts), Functional Safety of Safety-Related Electrical/Electronic/Programmable Electronic/Electronic Systems/ IEC 61511, Functional Safety. Safety instrumented systems for the process industry sector.
A decision tree is used to manage project risks and in other circumstances to help select the best course of action when uncertainty exists. The graphical presentation can also help communicate reasons for decisions. A decision tree starts with an initial decision, for example, to proceed with project A rather than Project B, as the two projects above are hypothetical, different events will occur and different foreseeable decisions will need to be made. These are presented in a tree format, similar to the event tree.
The bowtie analysis is used to present a risk by showing a range of possible causes and consequences. Used when the situation does not warrant the complexity of a full fault tree analysis or when trying to ensure that there is a barrier or control for each failure path, this analysis is useful when there are clear independent paths that address the failure.
Indexes can be used to rank different risks associated with an activity when the system is well understood. Risk indexes allow the integration of a range of factors that have an impact on the level of risk into a single numerical risk level score. They are used for many different types of risk, usually as a means of defining the scope of the risk rating according to the level of risk. This can be used to determine risks that need additional in-depth and possibly quantitative risk assessment.
The consequence/probability matrix is used to rank risks, risk sources, and risk treatments based on the level of risk. It is normally used as a filtering tool when many risks have been identified, for example, to define which risks need further or more detailed analysis. A form of the consequence/probability matrix is used in FMEA or to adjust priorities after HAZOP (hazard and operability studies). It can also be used in situations where the data are insufficient for a detailed analysis, or the situation does not warrant the time and effort for more quantitative analysis.
BIBLIOGRAPHY: