Risk definition, types, evaluation and risk management
Guide to Risks:
- Risk Definition and useful concepts
- Principles of risk management, including risk assessment and evaluation
- The different types of risks
By definition, a risk is a harm that “could” occur. It is characterised by two values:
- Its severity: the extent of the potential harm
- Its probability of occurrence: “how likely it is that the harm will occur”
This pair of values is used to estimate a level of risk.
Note that a risk is not a physical reality; it is an indicator, entirely defined by your way of looking at things.
There is no such thing as zero risk!
This is a consequence of the definition of risk: zero risk does not exist. Whether it concerns probability or severity, a zero cancels out the risk, which becomes an impossible harm or a possibility without harm…
Risks estimated and then observed
The notion of risk has two distinct phases:
- A first phase, during estimation before the possible occurrence of the risk (e.g. in pre-project): estimates are made according to the state of the art, and the probabilities of occurrence and the estimated severities are hypotheses.
- A second phase, when the risk may occur or does occur (e.g. after a product has been marketed, after the start of an epidemic…): the data are factual, derived from surveillance activities. The probabilities are real statistics, the harms real observations.
- Hazard: a potential source of harm.
- Dangerous situation: a situation that exposes people/environment/society/… to a hazard.
- Major risk: a risk whose level is above a threshold that you (or the context) have defined.
- Disaster: a risk that is uncontrollable.
- Risk management: all the stages from identification to follow-up and control of risks.
- Risk identification: imagining the risks that may arise; this identification is constantly updated.
- Risk assessment: assigning a level to each risk, based on its probability and severity.
- Risk evaluation: assessing the “acceptability” of risks, based on the previously defined estimates and acceptability criteria.
- Risk control: all actions implemented to reduce the identified risks. Ideally the risks are totally prevented (eliminated); otherwise they are reduced in frequency and/or severity.
- Residual risk: the level of a risk after all control measures have been implemented.
- Communication: between the different parties involved in risk management.
- Follow-up: monitoring activities, which continuously feed into risk management.
One final subtlety: since ISO 9001 was aligned with the High Level Structure, a new concept is used in the quality world: that of Opportunity, a “favourable” risk.
This allows strengths and weaknesses / risks and opportunities analyses (the SWOT method), but it mostly adds blur and confusion.
Remember that a favourable risk is a benefit. It may be characterised as a risk, with a probability of occurrence and a positive impact.
Planning risk management
Initially, it is necessary to clearly define the tasks to be carried out and establish the responsibilities:
- for the risk acceptance policy (criteria), which should be defined by the top management of the company, and
- for all the other tasks related to risk management, described below.
Identify the risks
The quality of your analysis will depend directly on your knowledge of the context; it is advisable to describe it by specifying:
- The people/environment/equipment… involved
- The different hazards
- The scenarios leading to the hazardous situations
- The potential harms
This necessarily involves a review of the state of the art:
- the risks already known,
- the controls already implemented,
- good practices (guides, standards, specifications, regulations…),
- the associated technical possibilities and limitations.
Estimate the risks
This is where things get complicated: you have to estimate probabilities and severities, at least qualitatively if not quantitatively, yet:
- These estimates span a huge range (e.g. probabilities from 1/1’000’000 to 50%; money loss from €1 to €1M; harm to health from mere discomfort to death…) that is difficult to grasp.
- At the outset, you have no idea of the estimates.
At first the estimates are clearly a “range”; they are refined afterwards with data:
- From the state of the art
- From experimentation
- From modelling
- From the field
Risk level estimation using a probability/severity matrix
Most analyses are performed with matrices, usually 3×3 (sometimes 5×5), giving a risk level for each severity/probability pair. Example (rows: severity; columns: probability, increasing from left to right):

| Severity \ Probability (increasing →) | | | |
|---|---|---|---|
| SIGNIFICANT | Medium risk | High risk | High risk |
| MODERATED | Acceptable risk | Medium risk | High risk |
| NEGLIGIBLE | Acceptable risk | Acceptable risk | Acceptable risk |
Quantitative risk estimates
- Probabilities are expressed in %
- Harms are quantified when possible (example: financial analysis) or estimated according to a scale, e.g. 5: max, 4: critical, 3: very high, 2: high, 1: medium, 0: low, -1: very low …
The idea is to define measures to reduce risks. Many approaches are available, but they must be applied in order of effectiveness:
- Total removal of the risk
- Use of means of protection
- Implementation of prevention, through stakeholder information
- Compensation (offset) for the risk if it is not reduced
When to stop controlling risks
This is one of the most delicate points in risk management: knowing when to stop controlling risks. Risks are considered sufficiently controlled when… your criteria say so!
There are two approaches:
- One theoretical: control is stopped when the residual risk is smaller than a predefined threshold
- One practical: control is stopped when control is no longer possible
The theoretical approach is dictated by standards and regulations, which vacillate between two concepts:
- reduction AFAP, “As Far As Possible”: as much as possible, which makes no sense (we can always do more) and is a source of countless headaches with the authorities.
- reduction ALARP, “As Low As Reasonably Practicable”: as much as reasonably possible; the notion of “reasonable” is not objective, which makes this philosophy impractical.
In practice the reduction is AFACP, “As Far As Contextually Possible”: control stops when you conform to the state of the art. Note that this means updating the controls as soon as the context changes.
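The matrix lookup from the estimation section and the theoretical stopping rule (residual risk below a predefined threshold) in working form, as an added example that is not part of the original article. The probability column names and cut-offs, the ordering of the three levels, and the scenario values are assumptions.

```python
"""Added example, not from the original article: risk level lookup in the page's
3x3 severity/probability matrix, acceptance threshold check, effect of a control."""
from dataclasses import dataclass, replace

# Rows: severity labels from the page; columns: probability, increasing left to
# right. Column names, cut-offs and the RANK order are assumptions.
PROBABILITY = ("LOW", "MEDIUM", "HIGH")
MATRIX = {
    "SIGNIFICANT": ("Medium risk", "High risk", "High risk"),
    "MODERATED": ("Acceptable risk", "Medium risk", "High risk"),
    "NEGLIGIBLE": ("Acceptable risk", "Acceptable risk", "Acceptable risk"),
}
RANK = {"Acceptable risk": 0, "Medium risk": 1, "High risk": 2}

def probability_class(p: float) -> str:
    """Map an estimated probability of occurrence (0..1) onto a matrix column."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    return "LOW" if p < 0.01 else "MEDIUM" if p < 0.10 else "HIGH"

def risk_level(severity: str, probability: float) -> str:
    """Qualitative level for one severity/probability pair (matrix lookup)."""
    return MATRIX[severity][PROBABILITY.index(probability_class(probability))]

@dataclass(frozen=True)
class Risk:
    name: str
    severity: str       # one of the MATRIX keys
    probability: float  # estimated probability of occurrence, 0..1

    def level(self) -> str:
        return risk_level(self.severity, self.probability)

def is_acceptable(risk: Risk, threshold: str = "Medium risk") -> bool:
    """Theoretical stopping rule: the residual level must be below the threshold."""
    return RANK[risk.level()] < RANK[threshold]

def apply_control(risk: Risk, *, probability_factor: float = 1.0,
                  severity: str = "") -> Risk:
    """Residual risk after a control that reduces frequency and/or severity."""
    return replace(risk, probability=risk.probability * probability_factor,
                   severity=severity or risk.severity)

def scenario() -> list:
    """Constructed scenario: a confidentiality breach, then two successive controls."""
    initial = Risk("confidentiality breach", "SIGNIFICANT", 0.20)
    fewer = apply_control(initial, probability_factor=0.1)  # access control
    milder = apply_control(fewer, severity="MODERATED")     # encryption at rest
    return [(r.level(), is_acceptable(r)) for r in (initial, fewer, milder)]
```

`scenario()` returns the (level, acceptable) pair for each of the three estimates; with the default threshold the residual "Medium risk" is still a major risk, whereas a threshold of "High risk" would accept it, which is the point that the threshold is a choice of the context.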
Evaluate the acceptability of residual risks
Your risks have been identified, a level of initial risk has been estimated for fun, you have reduced the risks AFACP, a level of residual risk has been estimated.
A review is still needed:
- of the control activities,
- of the residual risk levels,
- of the planned actions for follow-up and updating of risk management,
and then a conclusion on the acceptability of the risks.
Acceptability must be maintained over time; monitoring activities ensure this.
Inform / Communicate / Sensitize (make aware of)
Communication will be needed to:
- raise awareness of residual risk levels,
- create understanding of the control measures for risks resting with the user,
- raise awareness of the need to report information (and especially problems).
Monitoring the risks
It is crucial to correctly choose the indicators that will enable monitoring known risks and detecting emerging risks. The definition of indicators is never fixed, it evolves with your understanding of the risks. The risk observed will reflect the indicators chosen, with all the problems of imprecision, bias and possible misinterpretation.
To choose follow-up indicators, consider:
- The needs to improve the estimation of known risks,
- The means to detect emerging risks,
- The availability of indicators on comparable or correlated risks,
- The ease of interpretation of indicators,
- Their form, the means of data collection, the modalities of analysis, the means of data presentation …
The major types of risks
Risks caused by natural phenomena, which may create harm to the population, equipment or structures.
They are managed by authorities and may involve private actors.
- Hot weather
- Great cold, snow, hail
- Forest fires
- Land movement
- Clay shrinkage/swelling
- Volcanic eruption
Health risks can affect the population (and/or animals).
These risks are controlled by the authorities and if necessary by private actors.
Health risks historically concern problems of contamination, but they also extend to technologies, natural risks…
A health risk becomes a health disaster when it is no longer under control.
- Biological (viruses, parasites, bacteria…)
- Chemical (hydrocarbons, heavy metals…)
- Physical (radiation, temperature, hazardous materials…)
Examples of hazardous situations (contamination risks):
- Exposure via digestive tract
- Exposure via the respiratory route
- Exposure via mucous membranes
Categories of animal health risks in France:
- 1st category: may affect public health
- 2nd category: may harm the economy
- 3rd category: control involves private actors
These risks mainly concern patients and even their relatives and healthcare professionals. They may occur in the context of medical care.
These risks are to be controlled by professionals in the sector (industrialists and health professionals) under the supervision of competent authorities.
Ruling on the acceptability of medical risks requires involving the patient.
- Permanent disability
- Temporary disability
- Significant pain
Examples of hazards:
- Bad technical move
- Bad organization
- Nosocomial infection
- Bad prescription
- Material problem
Examples of control measures:
- Training of healthcare professionals
- Implementation of a quality system
- Risk elimination by design of devices, products, protocols
- Adding means of protection
- Information, awareness, prevention
Occupational risks (in enterprises / in the working context)
Occupational risks can impact employees; they are controlled by the employer.
This is a legal obligation in France (see the Labour Code) and the subject of the ILO's International Labour Standards on occupational safety and health.
- Work at height
- Psychosocial risks (see below)
- Musculoskeletal disorders
- Heat / Cold
- Road work
- Confined spaces
- Exposure to hazardous substances (asbestos, lead paint, welding…)
The risks are to be evaluated and documented in a specific document.
Psychosocial risks are part of the family of “occupational health risks“.
They refer to risks of physical or psychological harm, essentially caused by humans, to humans.
- Stress (possible causes: management, schedules, interruptions…)
- Violence, physical or sexual harassment (mobbing), caused by employees and/or external persons or users…
- Burnout (possible causes: overwork, poor planning, poor management…)
Technological risks accompany innovation and can impact the population, its infrastructure, its environment.
- Transport and storage of hazardous materials
- Industrial accident (ex: AZF)
- Nuclear accident
- Dam failure
- Mining risks
- Soil pollution
- Pollutant and GHG emissions to the atmosphere
- Pollution from networks and pipelines
- Hydrocarbon industry
- Hazardous waste
In France, technological risks are controlled within the framework of PPRTs (“Plans de Prévention des Risques Technologiques”), notably for flood risks and drought risks.
Digital risks / Cybersecurity risks
Digital risks can impact products and/or their users; they are to be controlled by the designers of digital solutions.
Nowadays, the focus is on the cybersecurity risks of all sensitive areas.
- Confidentiality breach.
- Integrity breach
- Availability breach
- Propagation of false news
- Incitement to hatred
- Mass harassment
Examples of hazards (attackers/hackers):
- State organization
- Terrorist organization
- Person internal to the targeted organization
- Lone attacker
In France, the ANSSI carries out risk analysis according to the EBIOS method.
Social risks are extremely broad; they can impact the population and their causes are very diverse.
- Health risks:
  - Risk of disease (ex: AIDS)
  - Risk of accident (ex: accidents at work)
  - Risk of disability (ex: road accidents)
  - Risk of death (ex: severe pollution)
  - Risks for motherhood (e.g. lower fertility, infant mortality, mortality in childbirth…)
  - Risks for old age (many risks are correlated with age)
- Economic / financial / employment risks (poverty, insecure employment, unemployment, retirement…)
- Risks of inequality / exclusion (social, professional… according to gender, age, origin, religion…)
- Risks to the family
- Risks associated with housing (price, density, facilities…)
- Risks associated with demography, immigration, emigration
- Risks associated with skills (insufficiency, obsolescence…)
Financial risks result in a financial loss, for an individual or organization, in financial transactions.
There are many causes; control is individual and, where appropriate, by the authorities.
- Market fluctuation
- Rate fluctuation
- Credit that is not repaid
- Weather (and yes)
The risk is expressed in terms of a hazard and a vulnerability factor (vulnerability to harm).
Hazards may be natural, man-made, or caused by human technologies…
- Inappropriate equipment
- Technological dependency
- Under-skilling
- Underestimation/miscalculation of risk
- Unplanned controls
These risks affect relationships between states; they are most often caused by the states themselves, which then have to control them. This is the last level of risk before climate risks.
- Armed conflicts
- Trade wars
- Independence, Nationalism (ex: Brexit)
- Specific ideology (ex: terrorism)
- Access to natural resources (ex: water, oil)
- Inequality (ex: wealth inequality, health inequality)
- Exportation of disorder (ex: death of George Floyd)
- Health disaster (ex: covid-19)
Climate risks are mainly caused by human activities; they impact people, wildlife, flora and all ecosystems.
- GHG emissions
- Soil pollution
- Sea pollution
Examples of harm:
- Rising water levels
- Rising temperatures
- Extinction of some wildlife
- Extinction of part of the flora
- Technological risks
- Social risks
- Health risks
- Economic risks
- Geopolitical risks
Examples of probability, severity and risk levels
These examples are for information only, each context will use its own scale.
Harm severity scales
| Level | Severity | Cyclone (Saffir-Simpson scale) | Bodily harm (AIS score, Abbreviated Injury Scale) | Occupational harm | Psychosocial harm | Collective harm (people, economy, infrastructure) | Financial harm (volatility over 5 years) |
|---|---|---|---|---|---|---|---|
| 5 | Catastrophic | High floods, extensive damage to homes and urban buildings | Death | Death | Death of spouse | Heavy impacts on 10,000,000 people. Permanent loss of critical infrastructure. | >25% |
| 4 | Critical | Irreparable damage can be caused to small homes. | Cerebral contusion | Permanent sequelae | Death of a close relative | Heavy impacts on 1,000,000 people. Disruption to the national economy. Temporary loss of critical infrastructure. Permanent loss of major infrastructure. | 15-25% |
| 3 | Severe | Severe to irreparable damage to precarious housing. Flooding near the coast | Fractured femur | Temporary sequelae | Changes in the financial situation | Heavy impacts on 100,000 people. Disruption to regional economy. Temporary loss of major infrastructure. | 10-15% |
| 2 | Serious | Structural damage to houses. Severe harm to vegetation | Rib (costal) fractures | Temporary work disability | Changes in the frequency of quarrels with spouse | Heavy impacts on 10,000 people. Disruption to local economy | 5-10% |
| 1 | Moderate | Limited harm to mobile homes, vegetation and signs | Ear injury | Small accident without time off work | Change in responsibilities | Heavy impacts on 1,000 people. | 2-5% |
| 0 | Low | Lots of rain, negligible damage | Low pain | Tiredness | Change in leisure activities | Heavy impacts on less than 1,000 people. | 0.5-2% |
| -1 | Minimal | Lots of rain, no property damage | Simple annoyance | Annoyance | … | Low impacts | <0.5% |
Risk level scales
| Level | Risk level | Weather risk (“Meteo France” level) | Biological risk (agent level) | Technological risk (nuclear incident) |
|---|---|---|---|---|
| 5 | Catastrophic | … | … | Extensive health and environmental effects |
| 4 | Critical | Red level: dangerous phenomena of exceptional intensity | Level 4: hazardous or exotic agents with a high risk of death and airborne transmission, or similar agents with unknown risk of transmission | Significant release likely to require full implementation of planned countermeasures |
| 3 | Severe | … | … | Limited release likely to require partial application of planned countermeasures. |
| 2 | Serious | Orange level: hazardous events | Level 3: indigenous or exotic agents that may be contagious through the air and may have serious or even fatal consequences. | Minor release: public exposure in the range of prescribed limits. |
| 1 | Moderate | … | … | Public exposure representing a fraction of the prescribed limits. |
| 0 | Low | Yellow level: punctual hazardous events | Level 2: agents associated with human disease with transmission through percutaneous injury, ingestion, or exposure to a mucous membrane. | Significant contamination or overexposure of a worker. |
| -1 | Very low | … | … | Anomaly out of the allowed operating regime. |
| -2 | Threshold | Green level: clear | Level 1: agents not generally causing disease in healthy adults | Anomaly not significant from a safety perspective |