Risks definition, types, evaluation and risk management

By Guillaume Promé
Feb. 16, 2022 Risk management

Guide to Risks:

  1. Risk Definition and useful concepts
  2. Principles of risk management, including risk assessment and evaluation
  3. The different types of risks

Risks

Risk definition

By definition, a risk is a harm that “could” occur.

A risk is characterized according to two parameters:

    1. Its severity: the extent of potential harm
    2. Its probability of occurrence: “how likely it is that the harm will occur”

This pair of values is used to estimate a level of risk.

Note that a risk is not a physical reality; it is an indicator defined entirely by your way of seeing things.

There is no such thing as zero risk!

This is a consequence of the definition of risk: zero risk does not exist. Whether it applies to probability or to severity, a zero cancels out the risk, which becomes either an impossible harm or a possibility without harm…

Risks estimated and then observed

The notion of risk has two distinct phases:

  1. A first phase, during estimates made before the possible occurrence of the risk (e.g. in pre-project): estimates are made according to the state of the art; the probabilities of occurrence and the estimated severities are hypotheses.
  2. A second phase, when the risk may occur or does occur (e.g. after a product has been marketed, after the start of an epidemic…): the data are factual, derived from surveillance activities. The probabilities are real statistics, the harms real observations.

Other definitions

  • Hazard: potential source of harm
  • Dangerous situation: the situation that exposes people/environment/society/… to a hazard
  • Major risk: a risk whose level is above a threshold that you (or the context) have defined
  • Disaster: a risk that is uncontrollable
  • Risk management: all the stages from identification to follow-up and control of risks
  • Risk identification: imagining the risks that may arise; this identification is constantly updated
  • Risk assessment: assigning a level to each risk, based on its probability and severity
  • Risk evaluation: assessing the “acceptability” of risks, based on previously defined estimates and acceptability criteria
  • Risk control: all actions implemented to reduce the identified risks. Ideally, the risks are totally prevented (they are eliminated), otherwise they are reduced in frequency and/or severity.
  • Residual risk: the level of a risk after all control measures have been implemented
  • Communication: between the different parties involved in the risk management
  • Follow-up: monitoring activities, which continuously feed into risk management

“Favourable” risks?

One final subtlety: since ISO 9001 has been aligned with the High Level Structure, a new concept is being used in the quality world: that of Opportunity, a “favourable” risk.

This allows for strengths and weaknesses / risks and opportunities analyses (the SWOT method), but it mostly adds blur and confusion.

Remember that a favourable risk is a benefit. It may be characterised as a risk, with a probability of occurrence and a positive impact.

Risk management

Risk management process

Planning risk management

Initially, it is necessary to clearly define the tasks to be carried out and establish the responsibilities:

  • regarding the risk acceptance policy (criteria), which should be defined by the top management of the company, and
  • regarding all the other tasks related to risk management, described below

Identify the risks

The quality of your analysis will depend directly on your knowledge of the context; it is advisable to describe it by specifying:

  • The people/environment/equipment… involved
  • The different hazards
  • The scenarios leading to the hazardous situations
  • The potential harms

This necessarily involves a review of the state of the art:

  • the risks already known,
  • the controls already implemented,
  • good practices (guides, standards, specifications, regulations …)
  • the technical possibilities and limitations that are associated.

Estimate the risks

This is where things get complicated: you have to estimate – at least qualitatively if not quantitatively – probabilities and severities, yet:

  • These estimates span a huge range (e.g. probabilities that vary from 1/1’000’000 to 50%; money loss from €1 to €1M; harm to health ranging from mere discomfort to death…), which is difficult to grasp
  • You have no idea of the estimates.

At first, the estimates are clearly a “range”; they are refined afterwards with data:

  • From the state of the art
  • From experimentation
  • From modelling
  • From the field

Risk level estimation using a probability/severity matrix

Most analyses are performed with matrices, usually a 3×3 matrix (or even 5×5), which gives a risk level based on the severity/probability pair. Example:

| SEVERITY \ PROBABILITY | LOW | MEDIUM | HIGH |
|---|---|---|---|
| SIGNIFICANT | Medium risk | High risk | High risk |
| MODERATED | Acceptable risk | Medium risk | High risk |
| NEGLIGIBLE | Acceptable risk | Acceptable risk | Acceptable risk |

Quantitative risk estimates

  • Probabilities are expressed in %
  • Harms are quantified when possible (example: financial analysis) or estimated according to a scale, e.g. 5: max, 4: critical, 3: very high, 2: high, 1: medium, 0: low, -1: very low …

See annex for examples of probability, severity and risk level scales in various contexts.

Controlling risks

Principles

The idea is to define measures to reduce risks. There are many approaches available, but they need to be applied in order of effectiveness:

  1. Total removal of the risk
  2. Use of means of protection
  3. Implementation of prevention, through stakeholder information
  4. Compensation (offset) for the risk if it is not reduced

When to stop controlling risks

This is one of the most delicate points in risk management: knowing when to stop controlling risks. Risks are considered sufficiently controlled when… your criteria say so!

There are two approaches:

  1. One theoretical: control is stopped when the residual risk is smaller than a predefined threshold
  2. One practical: control is stopped when control is no longer possible

The theoretical approach is dictated by standards and regulations, which vacillate between two concepts:

  • reduction AFAP: “As Far As Possible”: as much as possible, which makes no sense (we can always do more) and is a source of countless headaches with the authorities.
  • reduction ALARP: “As Low As Reasonably Practicable”: as much as reasonably possible. As you will understand, the notion of “reasonable” is not objective; this philosophy is impractical.

In practice the reduction is AFACP: “As Far As Contextually Possible”. Control stops when you conform to the state of the art. Note that this means updating controls as soon as the context changes.

Evaluate the acceptability of residual risks

Your risks have been identified, a level of initial risk has been estimated (for fun), you have reduced the risks AFACP, and a level of residual risk has been estimated.

You still need to review:

    • The control activities,
    • The residual risk levels,
    • The planned actions for follow-up and updating of risk management

And then conclude on the acceptability of the risks.

Acceptability must be maintained over time; monitoring activities will ensure this.
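
An added example (not code from the original article) of the estimate, control and evaluate sequence described above, using this page's 3×3 matrix. The register entries, the controls, the number of steps each control is assumed to lower severity or probability, and all class and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Ordinal scales, lowest to highest, using the labels of the page's 3x3 matrix.
SEVERITY = ["NEGLIGIBLE", "MODERATED", "SIGNIFICANT"]
PROBABILITY = ["LOW", "MEDIUM", "HIGH"]
LEVELS = ["Acceptable", "Medium", "High"]

# MATRIX[severity][probability], transcribed from the page's example matrix.
MATRIX = {
    "SIGNIFICANT": {"LOW": "Medium", "MEDIUM": "High", "HIGH": "High"},
    "MODERATED": {"LOW": "Acceptable", "MEDIUM": "Medium", "HIGH": "High"},
    "NEGLIGIBLE": {"LOW": "Acceptable", "MEDIUM": "Acceptable", "HIGH": "Acceptable"},
}

@dataclass(frozen=True)
class Control:
    name: str
    severity_steps: int = 0     # steps by which the control lowers severity
    probability_steps: int = 0  # steps by which it lowers probability

@dataclass(frozen=True)
class Risk:
    harm: str
    severity: str
    probability: str
    controls: tuple = ()

def lower(scale, value, steps):
    """Move down an ordinal scale, stopping at its lowest label."""
    return scale[max(0, scale.index(value) - steps)]

def evaluate(risk, max_acceptable="Acceptable"):
    """Return initial level, residual level and acceptability for one risk."""
    sev, prob = risk.severity, risk.probability
    for control in risk.controls:
        sev = lower(SEVERITY, sev, control.severity_steps)
        prob = lower(PROBABILITY, prob, control.probability_steps)
    residual = MATRIX[sev][prob]
    return {
        "harm": risk.harm,
        "initial": MATRIX[risk.severity][risk.probability],
        "residual": residual,
        "acceptable": LEVELS.index(residual) <= LEVELS.index(max_acceptable),
    }

# Constructed register: harms come from the page's cybersecurity list; the
# estimates, controls and their assumed effects are illustrative only.
REGISTER = [
    Risk("Confidentiality breach", "SIGNIFICANT", "MEDIUM",
         (Control("encrypt stored data", severity_steps=1),
          Control("multi-factor authentication", probability_steps=1))),
    Risk("Availability breach", "SIGNIFICANT", "HIGH",
         (Control("rate limiting", probability_steps=1),)),
    Risk("Integrity breach", "MODERATED", "MEDIUM"),
]

def review(register, max_acceptable="Acceptable"):
    """Harms whose residual level still exceeds the acceptance criterion."""
    return [r.harm for r in register if not evaluate(r, max_acceptable)["acceptable"]]
```

With the default criterion, `review(REGISTER)` returns the availability and integrity entries. The availability risk stays at “High” after its control because a one-step drop in probability does not change the cell's level at SIGNIFICANT severity, which shows how coarse a 3×3 matrix is.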

Inform / Communicate / Sensitize (make aware of)

Communication will be needed to:

  • Raise awareness of residual risk levels.
  • Create understanding of control measures for risks that rest with the user.
  • Build awareness of the need to report information (and especially problems).

Monitoring the risks

It is crucial to choose the right indicators for monitoring known risks and detecting emerging risks. The definition of indicators is never fixed; it evolves with your understanding of the risks. The risk observed will reflect the indicators chosen, with all the problems of imprecision, bias and possible misinterpretation.

To choose follow-up indicators, consider:

  • The needs to improve the estimation of known risks,
  • The means to detect emerging risks,
  • The availability of indicators on comparable or correlated risks,
  • The ease of interpretation of indicators,
  • Their form, the means of data collection, the modalities of analysis, the means of data presentation …

The major types of risks

Major types of risks

Natural risks

Risks caused by natural phenomena, which may create harm to the population, equipment or structures.
They are managed by authorities and may involve private actors.

Examples of natural risks:

  • Hot weather
  • Great cold, snow, hail
  • Flooding
  • Drought
  • Forest fires
  • Storm
  • Tsunami
  • Avalanches
  • Land movement
  • Clay shrinkage/swelling
  • Cyclones
  • Volcanic eruption
  • Earthquake

Health risks

Health risks can affect the population (and/or animals).
These risks are controlled by the authorities and if necessary by private actors.

Health risks historically concern problems of contamination, but they are also extended to technologies, natural risks …

A health risk becomes a health disaster when it is no longer under control.

Examples of hazards (contamination risks):

  • Biological (viruses, parasites, bacteria…)
  • Chemical (hydrocarbons, heavy metals…)
  • Physical (radiation, temperature, hazardous materials…)

Examples of hazardous situations (contamination risks):

  • Exposure via digestive tract
  • Exposure via the respiratory route
  • Exposure via mucous membranes

Categories of animal health risks in France:

  1. 1st category: may affect public health
  2. 2nd category: may harm the economy
  3. 3rd category: control involves private actors

Medical risks

These risks mainly concern patients and even their relatives and healthcare professionals. They may occur in the context of medical care.

These risks are to be controlled by professionals in the sector (industrialists and health professionals) under the supervision of competent authorities.

Ruling on the acceptability of medical risks requires involving the patient.

Examples of harm:

  • Death
  • Permanent disability
  • Temporary disability
  • Significant pain
  • Grief

Examples of hazards:

  • Bad technical move
  • Bad organization
  • Nosocomial infection
  • Bad prescription
  • Material problem

Examples of control measures:

  • Training of healthcare professionals
  • Implementation of a quality system
  • Risk elimination through the design of devices, products, protocols
  • Adding means of protection
  • Information, awareness, prevention

Occupational risks / in enterprises / in a working context

Occupational risks can impact employees; they are controlled by the employer.

This is a legal obligation in France (see the labour code) and is the subject of International Standards on Occupational Safety and Health from the ILO.

Examples of hazards:

  • Asbestos
  • Work at height
  • Psychosocial risks (see below)
  • Musculoskeletal disorders
  • Penetrability
  • Heat / Cold
  • Road work
  • Noise
  • Confined spaces
  • Exposure to hazardous substances (asbestos, paint, lead, welding…)

The risks are to be evaluated and documented in a specific document.

Psychosocial risks

Psychosocial risks are part of the family of “occupational health risks”.

They refer to risks of physical or psychological harm; they are essentially caused by Man, on Man.

Examples of harm:

  • Stress (possible causes: management, schedules, interruptions…)
  • Violence/physical or sexual mobbing (caused by employees and/or external persons or users…)
  • Burnout (possible causes: overwork, poor planning, poor management…)

Technological risks

Technological risks accompany innovation and can impact the population, its infrastructure, its environment.

Examples of technological risks:

  • Transport and storage of hazardous materials
  • Industrial accident (ex: AZF)
  • Nuclear accident
  • Dam failure
  • Mining risks
  • Soil pollution
  • Pollutant and GHG emissions to the atmosphere
  • Pollution from networks and pipelines
  • Hydrocarbon industry
  • Hazardous waste
  • Silos

In France, technological risks are controlled within the framework of PPRTs: “Plans de Prévention des Risques Technologiques”, notably for flood risks and drought risks.

Digital risks / Cybersecurity risks

Digital risks can impact products and/or their users; they are to be controlled by the designers of digital solutions.

Nowadays, the focus is on the cybersecurity risks of all sensitive areas.

Examples of harm:

  • Confidentiality breach
  • Integrity breach
  • Availability breach
  • Propagation of false news
  • Incitement to hatred
  • Bullying the masses

Examples of hazards (attackers/hackers):

  • State organization
  • Terrorist organization
  • Person internal to the targeted organization
  • Lone attacker
  • Hobbyist/enthusiast
  • Robot

In France, the ANSSI carries out risk analysis according to the EBIOS method.

Social risks

Social risks are extremely broad; they can impact the population and their causes are very diverse.

Examples of social risks:

  • Health risks:
    • Risks of disease (ex: AIDS)
    • Risks of accident (ex: accidents at work)
    • Risk of disability (ex: road accidents)
    • Risk of death (ex: severe pollution)
    • Risks for motherhood (e.g. lower fertility, infant mortality, mortality in childbirth …)
    • Risks for old age (many risks are correlated with age)
  • Economic / Financial / employment risks (poverty, insecure employment, unemployment, retirement…)
  • Risks for inequality / exclusion (social, professional… according to gender, age, origin, religion …)
  • Risks to the family
  • Risks associated with housing (price, density, facilities…)
  • Risks associated with demography, immigration, emigration
  • Risks associated with skills (insufficiency, obsolescence…)

Financial risks

Financial risks result in a financial loss, for an individual or organization, in financial transactions.

There are many causes; control is exercised by individuals and, where appropriate, by the authorities.

Examples of hazards:

  • Market fluctuation
  • Rate fluctuation
  • Mismanagement
  • Non-repayable credit
  • Weather (yes, really)

Geographic risks

The risk is expressed in terms of a hazard and a vulnerability factor (vulnerability to harm).

Hazards may be natural, man-made, or caused by human technologies…

Examples of vulnerabilities:

  • Inappropriate equipment
  • Overcrowding
  • Technological dependency
  • Under skilling
  • Underestimation/miscalculation of risk
  • Unplanned controls

Geopolitical risks

These risks affect the relationships between states; they are most often caused by the states, which will have to control them. This is the last level of risk, before climate risks.

Examples of hazards:

  • Armed conflicts
  • Trade wars
  • Independence, Nationalism (ex: Brexit)
  • Specific ideology (ex: terrorism)
  • Access to natural resources (ex: water, oil)
  • Inequality (ex: wealth inequality, health inequality)
  • Exportation of disorder (ex: death of George Floyd)
  • Health disaster (ex: covid-19)

Climatic risks

Mainly caused by human activities, they impact people, wildlife, flora and all ecosystems.

Examples of hazards:

  • GHG emissions
  • Deforestation
  • Soil pollution
  • Sea pollution

Examples of harm:

  • Rising water levels
  • Rising temperatures
  • Extinction of some wildlife
  • Extinction of part of the flora
  • Technological risks
  • Social risks
  • Health risks
  • Economic risks
  • Geopolitical risks

Annexes

Examples of probability, severity and risk levels

These examples are for information only; each context will use its own scale.

Probability scale

| Level | Description | Value |
|---|---|---|
| 5 | Systematic | 100% |
| 4 | Very common | 10% |
| 3 | Frequent | 1% |
| 2 | Uncommon | 1/1’000 |
| 1 | Rare | 0.1/1’000 |
| 0 | Very rare | 0.01/1’000 |
| -1 | Improbable | 1/1’000’000 |
| -2 | Threshold | 1/10’000’000 |
| < Threshold | | |

Harm severity scales

Severity

| Level | Description | Natural harm: cyclone (Saffir-Simpson scale) | Medical harm, according to AIS score (Abbreviated Injury Scale) | Occupational harm | Psychosocial harm (stress) | Digital harm (ANSSI grid) | Financial harm (volatility over 5 years) |
|---|---|---|---|---|---|---|---|
| 5 | Catastrophic | High floods, extensive damage to homes and urban buildings | Death | Death | Death of spouse | Heavy impacts on 10,000,000 people. Permanent loss of critical infrastructure. | >25% |
| 4 | Critical | Irreparable damage can be caused to small homes. | Cerebral contusion | Permanent sequelae | Death of a close relative | Heavy impacts on 1,000,000 people. Disruption to the national economy. Temporary loss of critical infrastructure. Permanent loss of major infrastructure. | 15-25% |
| 3 | Severe | Severe to irreparable damage to precarious housing. Flooding near the coast. | Fractured femur | Temporary sequelae | Changes in the financial situation | Heavy impacts on 100,000 people. Disruption to regional economy. Temporary loss of major infrastructure. | 10-15% |
| 2 | Serious | Structural damage to houses. Severe harm to vegetation. | Costal (rib) fractures | Temporary work disability | Changes in the frequency of quarrels with spouse | Heavy impacts on 10,000 people. Disruption to local economy. | 5-10% |
| 1 | Moderate | Limited harm to mobile homes, vegetation and signs | Ear injury | Small accident without time off work | Change in responsibilities at work | Heavy impacts on 1,000 people. | 2-5% |
| 0 | Low | Lots of rain, negligible damage | Low pain | Tiredness | Change in leisure activities | Heavy impacts on less than 1,000 people. | 0.5-2% |
| -1 | Minimal | Lots of rain, no property damage | Simple annoyance | Annoyance | | Low impacts | <0.5% |
| -2 | Threshold | Imperceptible | Imperceptible | Imperceptible | Imperceptible | Imperceptible | Imperceptible |
| < Threshold | | | | | | | |

Risk level scales

Risk level

| Level | Description | Natural risk (“Meteo France” level) | Health risk (biological risk) | Technological risk (nuclear incident) |
|---|---|---|---|---|
| 5 | Catastrophic | | | Extensive health and environmental effects |
| 4 | Critical | Red level: dangerous phenomena of exceptional intensity | Level 4: hazardous or exotic agents with a high risk of death and airborne transmission, or similar agents with unknown risk of transmission | Significant release likely to require full implementation of planned countermeasures |
| 3 | Severe | | | Limited release likely to require partial application of planned countermeasures |
| 2 | Serious | Orange level: hazardous events | Level 3: indigenous or exotic agents that may be contagious through the air and may have serious or even fatal consequences | Minor release: public exposure in the range of prescribed limits |
| 1 | Moderate | | | Public exposure representing a fraction of the prescribed limits |
| 0 | Low | Yellow level: punctual hazardous events | Level 2: agents associated with human disease with transmission through percutaneous injury, ingestion, or exposure to a mucous membrane | Significant contamination or overexposure of a worker |
| -1 | Very low | | | Anomaly out of the allowed operating regime |
| -2 | Threshold | Green level: clear | Level 1: agents not generally causing disease in healthy adults | Anomaly not significant from a safety perspective |
