Risk Assessment is a process to identify potential hazards and analyze what could happen if a hazard occurs. A business impact analysis (BIA) is the process for determining the potential impacts resulting from the interruption of time sensitive or critical business processes.
Broadly speaking, a risk assessment is the combined effort of:
- identifying and analyzing potential (future) events that may negatively impact individuals, assets, and/or the environment (i.e. risk analysis); and
- making judgments "on the tolerability of the risk on the basis of a risk analysis" while considering influencing factors (i.e. risk evaluation).
Put in simpler terms, a risk assessment determines possible mishaps, their likelihood and consequences, and the tolerances for such events. The results of this process may be expressed in a quantitative or qualitative fashion. Risk assessment is an inherent part of a broader risk management strategy to "introduce control measures to eliminate or reduce" any potential risk-related consequences.
The Importance of Risk Assessment
Risk assessments are very important as they form an integral part of an occupational health and safety management plan. They help to:
- Create awareness of hazards and risk.
- Identify who may be at risk (e.g., employees, cleaners, visitors, contractors, the public, etc.).
- Determine whether a control program is required for a particular hazard.
- Determine if existing control measures are adequate or if more should be done.
- Prevent injuries or illnesses, especially when done at the design or planning stage.
- Prioritize hazards and control measures.
- Meet legal requirements where applicable.
Advantages and Disadvantages of Risk Assessment Methods
The Advantages and disadvantages of typical risk assessment methods are illustrated in the table below.
Performing an Effective Risk Assessment
Once you have gathered the data and set the scope for a risk assessment project, the process moves on to conducting the risk assessment itself. Risk assessment serves many purposes for an organization, including reducing operational risks, improving safety performance and achieving objectives. While many individuals are involved in the process and many factors come into play, performing an effective risk assessment comes down to three core elements: risk identification, risk analysis and risk evaluation.
- Risk Identification: To effectively address the hazards and risks within a workplace, you must first properly identify them. When conducting risk identification, the ISO 31000-2018 standard recommends that safety professionals and stakeholders examine a wide variety of factors, including:
- Tangible and intangible sources of risk
- Threats and opportunities
- Causes and events
- Consequences and their impact on objectives
- Limitations of knowledge and reliability of information
- Vulnerabilities and capabilities
- Changes in external and internal context
- Indicators of emerging risks
- Time-related factors
- Biases, assumptions and beliefs of those involved
The risk assessment team can use tools such as risk assessment matrices and heat maps to compare and, therefore, prioritize hazards. These tools allow safety professionals to place risks into the matrix or map based on the likelihood and severity of a potential incident. From there, decision-makers can analyze each risk to determine the highest-level risks to address.
- Risk Analysis: Working from the information gathered during risk identification, stakeholders can then begin to analyze the risk levels of certain hazards and prioritize actions based on existing controls, among other criteria. Risk analysis involves a detailed consideration of uncertainties, hazards, consequences, likelihood, events, scenarios, controls and their effectiveness. An event can have multiple causes and consequences and can affect multiple objectives. Earlier identified hazards can be included in preliminary hazard analysis. In such an analysis, an assessor analyzes current conditions with existing controls and a potential future state with proposed additional controls. Tools such as risk assessment matrices and heat maps can be used to compare, and therefore, prioritize hazards. These tools allow safety professionals to place risks into the matrix or map based on the likelihood and severity of a potential incident. From there, decision makers can then analyze each risk to determine the highest-level risks to address. The results from a preliminary hazard analysis can then be transferred to a more detailed approach such as a bow-tie risk assessment diagram for further evaluation to provide more in-depth information to decision makers. In terms of finding acceptable solutions for a particular hazard, a layer of protection analysis (LOPA), studies whether existing or proposed barriers are able to achieve acceptable risk levels. When conducting a LOPA, safety professionals select hazards and consequences, and independent protection layers (IPLs) are identified for each hazard/consequence pair. IPLs are physical barriers such as engineering controls, design changes or warning devices designed to prevent the initiating cause proceeding to the unwanted consequence.
Taking this type of approach to risk analysis allows safety professionals to consider what additional IPLs could be installed to prevent a particular risk and calculate the impact that those controls would have on the severity and likelihood of an incident.
- Risk Evaluation: As the final step of risk assessment, risk evaluation calls on safety professionals to examine the results of the risk analysis and compare them to established risk criteria in order to determine where additional controls may be required and what those controls might be. As noted, bow-tie risk analysis is a technique for risk evaluation that has gained traction in the safety profession because it provides a more holistic view of risk and paints a picture of a specific hazardous event. The bow-tie analysis is centered around a potential incident, examining its causes, the preventive controls in place, the mitigative controls if it were to occur and the consequences of the incident.
The benefit of a bow-tie analysis is the ability to better visualize a specific hazardous event, how it could occur, the consequences and how those consequences could be prevented or mitigated. Such an analysis does not, however, usually include a risk scoring mechanism, nor does it reflect the effectiveness of controls. Regardless of the method, keep in mind that risk-based decision-making should take into account the wider context as well as the actual and perceived consequences to internal and external stakeholders.
- Risk Communication: Threaded throughout all steps of the risk assessment process is a fourth element, equally crucial to effective risk management – risk communication. Safety professionals must keep in mind that they must communicate the risks identified, analyzed and evaluated during the assessment to all involved so that everyone has a comprehensive understanding of the existing risks and how they can best be prevented or mitigated to achieve organizational objectives. Taking these steps enables all involved to have a comprehensive understanding of the hazards and risks that exist within facilities and processes, the consequences of the hazards present, and how those can be prevented or mitigated to protect workers’ health and safety.
Implementing Control Measures
After identifying and assigning a risk rating to a hazard, effective controls should be implemented to protect workers. Working through a hierarchy of controls can be an effective method of choosing the right control measure to reduce the risk.
- Eliminate or control all serious hazards immediately.
- Use interim controls while you develop and implement longer-term solutions.
- Select controls according to a hierarchy that emphasizes engineering solutions (including elimination or substitution) first, followed by safe work practices, administrative controls, and finally personal protective equipment.
- Avoid selecting controls that may directly or indirectly introduce new hazards.
- Review and discuss control options with workers to ensure that controls are feasible and effective.
- Use a combination of control options when no single method fully protects workers.
Risk Assessment Vs Business Impact Analysis
Risk assessments recognize all of the risks that have the potential to impact the organization’s operations. It calculates both the impact and the forward likelihood of potential events. A risk assessment is therefore greatly concerned with the possible causes of disruption, from which likelihood is then derived. It’s a valuable tool for recognizing threats and taking action to minimize risks to an acceptable level.
Business Impact Analysis (BIA) assesses the amount your organisation stands to lose (or perhaps even gain) under defined circumstances. The analysis assumes worst-case scenarios and involves understanding the type and rate of expected loss under fixed conditions. BIA is used to recognise the magnitude of financial and operational impacts that derive from disruptions. It enables you to understand how your business would cope during downtime and calculate Recovery Time Objectives (RTOs) for your services.
The core difference between the two business continuity tools is that Business Impact Analysis (BIA) does not directly focus on the likelihood of events, rather, it assumes worst-case scenarios. The differences that stem from this are summarised in the table below.
Whereas Business Impact Analysis can be conducted unescorted by risk assessment, risk assessment can’t reasonably occur without some form of BIA: risk assessment should use BIA to quantify and prioritise the risks it finds. The ‘siloing effect’ of ISO and other standards that are being adopted by organisations worldwide can result in confusion. Business continuity managers are faced with the artificial exclusivity demanded by compliance on the one hand and the overlapping integrated reality that is business. ISO 22317 provides best practises for the BIA process, without reiterating any of the points in ISO 22301. However, as it provides information from a generalist perspective, practitioners may find that they need to create a workable roadmap or use business continuity software that is more appropriate to the size and scale of their organization.
Risk Assessment Framework (RAF)
Risk Management Framework (RMF)
Information Technology Risk (IT Risk)
Enterprise Risk Management (ERM)
Risk IT Framework
Risk Based Testing
Risk-Adjusted Return on Capital (RAROC)
Risk Maturity Model (RMM)
Operational Risk Management (ORM)
- Defining Risk Assessment Ready.Gov
- A broad definition of Risk Assessment Wikipedia
- Why is Risk Assessment Important? CCOHS
- Advantages and Disadvantages of Risk Assessment Methods Hui Li et al.
- Conducting a Risk Assessment assp.org
- How to Implement Control Measures? iAuditor
- Difference between Risk Assessment and Business Impact Analysis IP specialist