Risk assessment tools can be used for quick assessments, supporting risk management, scenario analysis, function analysis, controls assessment, and statistical analyses. Risk assessments can be qualitative and/or quantitative.
There are a number of techniques for conducting a risk assessment. We recommend that ISO 9001:2015 companies start their risk-based thinking (RBT) journey using qualitative heat maps or even a checklist. As the company matures its risk assessment and management system, or requires a higher level of risk assurance, we recommend selecting additional risk tools and techniques.
ISO 31010 offers the following list of risk assessment tools:
| Method | Description | Application |
| --- | --- | --- |
| Checklists | Simple and quick identification of possible risk uncertainties. | Used in varied ways. Checklist assessments. Low complexity. Tailored to application. |
| Preliminary hazard analysis | Objective is to identify hazardous situations. | Used for threat analysis and cyber security, etc. |
| Structured interview and brainstorming | Objective is to collect ideas, rank, and evaluate them. | Used for risk auditing. |
| Delphi method | System for combining expert opinions about probability and likelihood in the risk assessment. | Used for collaborative risk assessments. |
| Structured ‘what if’ | System by a team to identify and own risks. | Used in facilitated workshop. |
| Human reliability | Objective is to understand ergonomic and human system performance. | Used to understand human reliability and risks. |
| Root cause analysis | Objective is to understand root cause of a single loss. | Used in single loss analysis. Medium complexity. |
| Scenario analysis | Identifies future scenarios through extrapolation of the present. | Used to envision future risks. Qualitative. |
| Toxicological risk assessment | Hazards are identified and analyzed including pathways. | Used to comply with regulatory requirements. Specific application. |
| Business impact analysis | Analysis of key disruption risks that can impact business continuity. | Used in critical applications. |
| Fault tree analysis | High risk events are identified and lower level risks prioritized. Mitigations are assigned to risks. | Used in many risk applications. |
| Event tree analysis | Inductive reasoning to translate event likelihood into possible outcomes. | Used with previous tools in multiple applications. |
| Cause/consequence analysis | Combination of fault tree and event tree analysis. | Used in multiple applications from first/second/party assessments. |
| Cause/effect analysis | Effect can have number of causes that are analyzed. | Often used with other assessment techniques. |
| Failure Mode and Effects Analysis (FMEA) | Analysis of failure modes and effects, which are then mitigated/treated. | Used mainly at the product level to ID possible design failures. |
| Reliability centered maintenance | Method to analyze maintainability failures, safety, availability, and operational economy. | Used mainly for operational risk assessments. |
| Sneak analysis | Method to identify design problems. Sneak condition refers to a latent hardware or software unwanted event. | Used mainly in product design. |
| Hazard and operability studies (HAZOP) | Process of risk identification of possible deviation of intended operation. | Used in operational analysis. |
| Hazard analysis and critical control points (HACCP) | Process to assure product quality, reliability, and safety of processes. | Used in food safety and similar areas. |
| Layers of protection analysis (LOPA) | Process to analyze control effectiveness. | Used in operational control effectiveness analysis. |
| Bow tie analysis | Visual qualitative analysis of pathways and causes of risks. | Used in product and process levels. Multiple uses. |
| Markov analysis | Quantitative analysis of complex systems. | Used in repairable electronic and mechanical systems. |
| Monte Carlo analysis | Process to analyze variations in systems. | Used in complex systems. |
| Bayesian analysis | Quantitative statistical analysis of distribution of data. | Used where sufficient data is known. |
We have used all of the above risk assessment tools. They are all good, but each should be used in the right application by a trained risk professional. Otherwise, it can become a practice of ‘garbage in and garbage out.’
Bio:
Greg Hutchins PE and CERM (503.233.101 & GregH@QualityPlusEngineering.com) is the founder of:
CERMAcademy.com
800Compete.com
QualityPlusEngineering.com
WorkingIt.com
He is the evangelist behind Future of Quality: Risk®. He is currently working on the Future of Work and machine learning projects.
He is a frequent speaker and expert on Supply Chain Risk Management and cyber security.