Some of the techniques described in this document can be applied during steps of the ISO risk management process in addition to their usage in risk assessment. Application of the techniques to the risk management process is illustrated in Figure A. Annex B contains an overview of each technique, its use, its inputs and outputs, its strengths and limitations and, where applicable, a reference for where further detail can be found.
Within each grouping, techniques are arranged alphabetically and no order of importance is implied. The majority of techniques in Annex B assume that risks or sources of risk can be identified. There are also techniques which can be used to indirectly assess residual risk by considering controls and requirements that are in place see for example IEC [36].
While this document discusses and provides example techniques, the techniques described are non-exhaustive and no recommendation is made as to the efficacy of any given technique in any given circumstance. Care should be taken in selecting any technique to ensure that it is appropriate, reliable and effective in the given circumstance. The techniques described represent structured ways of looking at the problem in hand that have been found useful in particular contexts.
The list is not intended to be comprehensive but covers a range of commonly used techniques from a variety of sectors. For simplicity the techniques are listed in alphabetical order without any priority. Each technique is described in more detail in Annex B, as referenced in column 1 of Table A. A basic Bayesian network has estimate diagrams variables representing uncertainties.
An risk extended version, known as an influence decide diagram, includes variables representing between uncertainties, consequences and actions. Both causes and consequences of conseq. These form systemic sources and drivers of risk. Outcomes are usually expressed in monetary terms or in terms of utility. An alternative representation of a decision tree is an influence diagram see B. People participate individually but receive feedback on the responses of others after each set of questions.
Variations include a success tree analysis where the top event is desired and a cause analyse tree used to investigate past events. Risk is then considered for analysis each of these scenarios. Some of the techniques are also used in other steps of the process. This is illustrated in Figure A. Figure A. This provides for a breadth of expertise and allows stakeholder involvement.
Stakeholder and expert views can be obtained on an individual basis e. Views can include disclosure of information, expressions of opinion or creative ideas. Clause B. In some situations stakeholders have a specific expertise and role, and there is little divergence of opinion. However, sometimes significantly varying stakeholder views might be expected and there might be power structures and other factors operating that affect how people interact.
These factors will affect the choice of method used. The number of stakeholders to be consulted, time constraints and the practicalities of getting all necessary people together at the same time will also influence the choice of method. Where a group face-to-face method is used, an experienced and skilled facilitator is important to achieving good outputs. Checklists derived from classifications and taxonomies can be used as part of the process see B.
Any technique for obtaining information that relies on people's perceptions and opinions has the potential to be unreliable and suffers from a variety of biases such as availability bias a tendency to over-estimate the likelihood of something which has just happened , clustering illusion the tendency to overestimate the importance of small clusters in a large sample or bandwagon effect the tendency to do or believe things because others do or believe the same.
Guidance on function analysis which can be used to reduce bias and focus creative thinking on aspects which have the greatest impact is given in EN [4]. The information on which judgements were based and any assumptions made should be reported. Any analysis or critique of the ideas is carried out separately from the brainstorming.
This technique gives the best results when an expert facilitator is available who can provide necessary stimulation but does not limit thinking. The facilitator stimulates the group to cover all relevant areas and makes sure that ideas from the process are captured for subsequent analysis. Brainstorming can be structured or unstructured. For structured brainstorming the facilitator breaks down the issue to be discussed into sections and uses prepared prompts to generate ideas on a new topic when one is exhausted.
Unstructured brainstorming is often less formal. In both cases the facilitator starts off a train of thought and everyone is expected to generate ideas. The pace is kept up to allow ideas to trigger lateral thinking. The facilitator can suggest a new direction, or apply a different creative thinking tool when one direction of thought is exhausted or discussion deviates too far.
The goal is to collect as many diverse ideas as possible for later analysis. It has been demonstrated that, in practice, groups generate fewer ideas than the same people working individually. These encourage more individual participation and can be set up to be anonymous, thus also avoiding personal political and cultural issues. Quantitative use is possible but only in its structured form to ensure that biases are taken into account and addressed, especially when used to involve all stakeholders.
Brainstorming stimulates creativity and is therefore very useful when working on innovative designs, products and processes. Participants need to have between them the expertise, experience and range of viewpoints needed for the problem in hand.
A skilled facilitator is normally necessary for brainstorming to be productive. Limitations include the following. This can be overcome by effective facilitation. Quality, conformity, and conflict: Questioning the assumptions of Osborn's brainstorming technique B.
It is a method to collect and collate judgments on a particular topic through a set of sequential questionnaires. An essential feature of the Delphi technique is that experts express their opinions individually, independently and anonymously while having access to the other experts' views as the process progresses. The group of experts who form the panel are independently provided with the question or questions to be considered. The information from the first round of responses is analysed and combined and circulated to panellists who are then able to reconsider their original responses.
Panellists respond and the process is repeated until consensus or quasi consensus is reached. If one panellist or a minority of panellists consistently keep their response, it might indicate that they have important information or an important point of view.
It can be used in forecasting and policy making, and to obtain consensus or to reconcile differences between experts. It can be used to identify risks with positive and negative outcomes , threats and opportunities and to gain consensus on the likelihood and consequences of future events. It is usually applied at a strategic or tactical level. Its original application was for long-time-frame forecasting, but it can be applied to any time frame. The number of participants can range from a few to hundreds.
Written questionnaires can be in pencil-and-paper form or distributed and returned using electronic communication tools including email and the internet. The use of technology systems helps to ensure agility and precision in the compilation of information at each cycle.
The Delphi technique: Past, present, and future prospects. Technological forecasting and social change , 78, Special Delphi Issue B. Views are first sought individually with no interaction between group members, then are discussed by the group. The process is as follows. If group dynamics mean that some voices have more weight than others, ideas can be passed on to the facilitator anonymously. Participants can then seek further clarification. It is also useful for prioritizing ideas within a group.
A semi- structured interview is similar, but allows more freedom for a conversation to explore issues which arise. In a semi-structured interview opportunity is explicitly provided to explore areas which the interviewee might wish to cover. Questions should be open-ended where possible, should be simple, and in appropriate language for the interviewee, and each question should cover one issue only. Possible follow- up questions to seek clarification are also prepared.
The questions should be tested with people of similar background to those to be interviewed to check that the questions are not ambiguous, will be correctly understood and the answers will cover the issues intended. Care should be taken not to "lead" the interviewee.
Their answers can be confidential if necessary. They provide in-depth information where individuals are not biased by the views of other members of a group. They are useful if it is difficult to get people together in the same place at the same time or if free-flowing discussion in a group is not appropriate for the situation or people involved.
It is also possible to get more detailed information in an interview than is possible by survey or in a workshop situation. Interviews can be used at any level in an organization. It can be difficult to group this unambiguously into a form amenable to analysis. Typically, a survey will involve a computer- or paper-based questionnaire. This allows statistical analysis of the results, which is a feature of such methods. Some questions with free answers can be included, but their number should be limited because of analysis difficulties.
The number of responses needs to be sufficient to provide statistical validity. Return rates are often low, meaning many questionnaires need to be sent out. Some expertise is needed in developing a questionnaire that will achieve useful results and in the statistical analysis of results. The techniques described in Clause B. The use of multiple techniques including both top down and bottom up methods encourages comprehensive risk identification. Approaches which challenge outcomes of risk identification such as red teaming can also be used to help check no relevant risks have been overlooked.
NOTE Red teaming is the practice of viewing a problem from an adversary's or competitor's perspective [13]. The techniques described can involve multiple stakeholders and experts. Methods that can be used to elicit views, either individually or in a group, are described in Clause B. They are also used when managing risk, for example to classify controls and treatments, to define accountabilities and responsibilities, or to report and communicate risk.
A checklist can be based on experience of past failures and successes but more formally risk typologies and taxonomies can be developed to categorize or classify risks based on common attributes. In their pure forms, typologies are "top-down" conceptually derived classification schemes whereas taxonomies are "bottom-up" empirically or theoretically derived classification schemes.
Hybrid forms typically blend these two pure forms. Risk taxonomies are typically intended to be mutually exclusive and collectively exhaustive i.
Risk classifications can focus on isolating a particular category of risk for closer examination. Both typologies and taxonomies can be hierarchical with several levels of classification developed.
Any taxonomy should be hierarchical and be able to be subdivided to increasingly fine levels of resolution. This will help maintain a manageable number of categories while also achieving sufficient granularity. They can be applied using questionnaires, interviews, structured workshops, or combinations of all three, in face-to-face or computer-based methods.
Examples of commonly used checklists, classifications or taxonomies used at a strategic level include the following. Categories relevant to the particular situation can be selected and checklists developed for examples under each category. From this, risk treatments and early warning indicators for the risk drivers can be developed.
These are preliminary safety risk assessments usually carried out at the early design stage of a project. Pre—identified categories of risk can be useful in directing thinking about risk across a broad range of issues. However it is difficult to ensure such categories are comprehensive, and by subdividing risk in a predefined way, thinking is directed along particular lines and important aspects of risk might be overlooked. Checklists, typologies and taxonomies are used within other techniques described in this document; for example, the key words in HAZOP B.
A taxonomy that can be used to consider human factors when identifying risk is given in IEC [16]. In general, the more specific the checklist, the more restricted its use to the particular context in which it is developed.
Words that provide general prompts are usually more productive in encouraging a level of creativity when identifying risk. For each element the ways in which it might fail, and the failure causes and effects are considered.
For FMECA, the study team classifies each of the identified failure modes according to its criticality. Several different methods of criticality can be used. A quantitative measure of criticality can also be derived from actual failure rates and a quantitative measure of consequences where these are known.
A failure is given a higher priority if it is difficult to detect. It can also be applied to processes and procedures, such as in medical procedures and manufacturing processes. It can be performed at any level of breakdown of a system from block diagrams to detailed components of a system or steps of a process.
FMEA can be used to provide information for analysis techniques such as fault tree analysis. It can provide a starting point for a root cause analysis.
The information needed can include drawings and flow charts, details of the environment in which the system operates, and historical information on failures where available.
FMEA is normally carried out by a cross functional team with expert knowledge of the system being analysed, led by a trained facilitator. It is important for the team to cover all relevant areas of expertise. FMECA usually provides a qualitative ranking of the importance of failure modes, but can give a quantitative output if suitable failure rate data and quantitative consequences are used. Similar guidewords such as "too early", "too late", "too much", "too little", "too long", "too short", "wrong direction", "wrong object", "wrong action" can be used to identify human error modes.
Table B. The HAZOP process can deal with all forms of deviation from design intent due to deficiencies in the design, component s , planned procedures and human actions. It is most often used to improve a design or identify risks associated with a design change. It is usually undertaken at the detail design stage, when a full diagram of the intended process and supporting design information are available, but while design changes are still practicable. It can however, be carried out in a phased approach with different guidewords for each stage as a design develops in detail.
A HAZOP study can also be carried out during operation but required changes can be costly at that stage. For hardware this can include drawings, specification sheets, flow diagrams, process control and logic diagrams, and operating and maintenance procedures. For non-hardware related HAZOP, the inputs can be any document that describes functions and elements of the system or procedure under study, for example, organizational diagrams and role descriptions, or a draft contract or draft procedure.
A HAZOP study is usually undertaken by a multidisciplinary team that should include designers and operators of the system as well as persons not directly involved in the design or the system, process or procedure under review. Records should include the guideword used, and possible causes of deviations. They can also include actions to address the identified problems and the person responsible for the action.
In general terms, it consists of defining a plausible scenario and working through what might happen given various possible future developments. For relatively short time scales it can involve extrapolating from what has happened in the past. For longer time scales, scenario analysis can involve building an imaginary but credible scenario then exploring the nature of risks within this scenario.
It is most often applied by a group of stakeholders with different interests and expertise. Scenario analysis involves defining in some detail the scenario or scenarios to be considered and exploring the implications of the scenario and associated risk.
It can be used at both strategic and operational level, for the organization as a whole or part of it. Long-term scenario analysis attempts to aid planning for major shifts in the future such as those that have occurred over the past 50 years in technology, consumer preferences, social attitudes, etc.
Scenario analysis cannot predict the probabilities of such changes but can consider consequences and help organizations develop strengths and the resilience needed to adapt to foreseeable change. It can be used to anticipate how both threats and opportunities might develop and can be used for all types of risk.
Short-time-frame scenario analysis is used to explore the consequences of an initiating event. Likely scenarios can be extrapolated from what has happened in the past or from models. Examples of such applications include planning for emergency situations or business interruptions. If data are not available, experts' opinions are used, but in this case it is very important to give utmost attention to their explanations for their views.
For complex or very long-term scenarios, expertise in the technique is required. The effects considered can be both beneficial and detrimental. The stories may include plausible details that add value to the scenarios. Other outputs can include an understanding of possible effects of policy or plans for various plausible futures, a list of risks that might emerge if the futures were to develop and, in some applications, a list of leading indicators for those risks.
This can be preferable to the traditional approach of relying on forecasts that assume that future events will probably continue to follow past trends. This is important for situations where there is little current knowledge on which to base predictions or where risks are being considered in the longer term.
This could produce unrealistic results that might not be recognized as such. Before the study commences the facilitator prepares a prompt list to enable a comprehensive review of risks or sources of risk. At the start of the workshop the context, scope and purpose of the SWIFT is discussed and criteria for success articulated. Using the guidewords and "what if? The facilitator uses the prompt list to monitor the discussion and to suggest additional issues and scenarios for the team to discuss.
The team considers whether controls are adequate and if not considers potential treatments. During this discussion, further "what if? In some cases specific risks are identified and a description of the risk, its causes, consequences and controls can be recorded.
In addition, more general sources or drivers of risk, control problems or systemic issues may be identified. Where a list of risks is generated a qualitative or semi-quantitative risk assessment method is often used to rank the actions created in terms of level of risk.
This normally takes into account the existing controls and their effectiveness. In particular, it is used to examine the consequences of changes and the risk thereby altered or created. Both positive and negative outcomes can be considered. This is established through interviews, gathering a multifunctional team and through the study of documents, plans and drawings by the facilitator. Although the facilitator needs to be trained in the application of SWIFT, this can usually be quickly accomplished.
Often there is a hierarchy of causes with several layers before the root cause is reached. Generally causes are analysed until actions can be determined and justified. Causal analysis techniques can explore perceptions of cause under a set of predetermined headings such as in the Ishikawa method see B. Bow tie analysis see B. These techniques are not repeated here. The cindynic approach identifies intangible risk sources and drivers that might give rise to many different consequences.
The cindynic approach starts by collecting information on the system or organization which is the subject of the study and the cindynic situation defined by a geographical, temporal and chronological space and a set of stakeholder networks or groups.
It then uses semi-structured interviews see B. NOTE The elements characterizing internal and external contexts can be put together according to the five criteria of the cindynic approach.
The approach takes into account perceptions as well as facts. Once this information is obtained, the coherence between objectives to be reached and the five criteria of cindynics are analysed and tables are set up listing deficits and dissonances. The approach has since been extended to improve the economic efficiency of organizations. The technique seeks systemic sources and drivers of risk within an organization which can lead to wide ranging consequences.
It is applied at a strategic level and can be used to identify factors acting in a favourable or unfavourable way during the evolution of the system towards new objectives. It can also be used to validate the consistency of any project and is especially useful in the study of complex systems. The analysis usually involves a multidisciplinary team including those with real-life operational experience and those who will carry out treatment actions to address the sources of risk identified.
By comparing the information gathered as input between situations taken at times t 1 , t 2 , These tables enable a programme for reduction of deficits and dissonances to be established. It therefore does not benefit from the same maturity acquired through past developments as traditional approaches. Cindyniques — Concepts et mode d'emploi B. The possible contributory factors are organized into broad categories to cover human, technical and organizational causes.
The information is depicted in a fishbone also called Ishikawa diagram see Figure B. The main steps in performing the analysis are the following. Examples of commonly used categories include: — 6Ms, for example, methods, machinery, management, materials, manpower, money; — materials, methods and processes, environment, equipment, people, measurements.
NOTE Any set of agreed categories can be used that fit the circumstances being analysed. Figure B. The method can be used to examine situations at any level in an organization over any time scale. The diagrams are generally used qualitatively. It is possible to assign probabilities to generic causes, and subsequently to the sub-causes, on the basis of the degree of belief about their relevance. However, contributory factors often interact and contribute to the effect in complex ways and there can be unidentified causes, which make quantification invalid.
The fishbone diagram is structured by representing the main categories as major bones off the fish backbone with branches and sub-branches that describe more specific sub-causes in those categories. Bow tie analysis B. Event tree analysis B. Any causal analysis technique can be used as a basis for checking that each cause is controlled.
It shows the controls that modify the likelihood of the event and those that modify the consequences if the event occurs. It can be considered as a simplified representation of a fault tree or success tree analysing the cause of an event and an event tree analysing the consequences. Bow tie diagrams can be constructed starting from fault and event trees, but are more often drawn directly by a team in a workshop scenario.
Some level of quantification of a bow tie diagram can be possible where pathways are independent, the probability of a particular consequence or outcome is known and the probability that a control will fail can be estimated. However, in many situations, pathways and barriers are not independent, and controls may be procedural and their effectiveness uncertain.
Quantification is often more appropriately carried out using fault tree analysis B. It can be used to explore in detail the causes and consequences of events that are recorded in a simple form in a risk register B.
It is particularly used for analysing events with more serious consequences. A bow tie is used when assessing controls to check that each pathway from cause to event and event to consequence has effective controls, and that factors that could cause controls to fail including management systems failures are recognized. It can be used as the basis of a means to record information about a risk that does not fit the simple linear representation of a risk register. The bow tie is used when the situation does not warrant the complexity of a full fault tree analysis and event tree analysis but is more complex than can be represented by a single cause-event-consequence pathway.
For some situations cascading bow ties can be developed where the consequences of one event become the cause of the next. This information may be taken from the output of techniques to identify risks and controls or from the experience of individuals.
It also shows potential consequences and the measures that can be taken after the event has occurred to modify them. POST J. The technique provides a structure for identifying sources of risk hazards or threats and putting controls in place at all relevant parts of a process to protect against them. HACCP is used at operational levels although its results can support the overall strategy of an organization.
HACCP aims to ensure that risks are minimized by monitoring and by controls throughout a process rather than through inspection at the end of the process. It has been extended for use in manufacture of pharmaceuticals, medical devices and in other areas where the biological, chemical and physical risks are inherent to the organization. The principle of the technique is to identify sources of risk related to the quality of the output of a process, and to define points in that process where critical parameters can be monitored and sources of risk controlled.
This can be generalized to many other processes, including for example financial processes. The HACCP plan delineates the procedures to be followed to assure the control of a specific design, product, process or procedure. Appropriate controls also need to be defined. HACCP might need to be combined with other tools to provide these inputs. It can be considered as a particular case of an event tree B.
A cause-consequence pair is selected from a list of identified risks and the independent protection layers IPLs are identified. An IPL is a device, system or action that is capable of preventing a scenario from proceeding to its undesired consequence. Each IPL should be independent of the causal event or of any other layer of protection associated with the scenario and should be auditable.
The probability of failure of each IPL is estimated and an order of magnitude calculation is carried out to determine whether the overall protection is adequate to reduce risk to a tolerable level. The frequency of occurrence of the undesired consequence can be found by combining the frequency of the initiating cause with the probabilities of failure of each IPL, taking into account any conditional modifiers.
Orders of magnitude are used for frequencies and probabilities. It can also be used quantitatively to allocate resources to treatments by analysing the risk reduction produced by each layer of protection. It can be applied to systems with a long- or short-term time horizon and is usually used in dealing with operational risks. Level 4 has the highest level of safety integrity and level 1 has the lowest. Limitations of LOPA include the following. This can include mathematical or engineering models and logic methods such as event tree analysis B.
Experts can be asked to express their opinion on likelihoods and consequences, taking into account relevant information and historical data. There are a number of formal methods for eliciting expert judgement that make the use of judgment visible and explicit see Clause B.
Consequence and likelihood can be combined to give a level of risk. This can be used to evaluate the significance of a risk by comparing the level of risk with a criterion for acceptability, or to put risks in a rank order.
Techniques for combining qualitative values of consequence and likelihood include index methods B. A single measure of risk can also be produced from a probability distribution of consequences see for example VaR B.
Bayesian analysis enables both types of information to be used in making decisions. Bayesian analysis is based on a theorem attributed to Reverend Thomas Bayes At its simplest, Bayes' theorem provides a probabilistic basis for changing one's opinion in the light of new evidence. Bayes' theorem can be extended to encompass multiple events in a particular sample space.
For example, assume we have some data, D, that we wish to use to update our previous understanding or lack thereof of risk. This shows that once the new data is accounted for, the updated probability for hypothesis j [i. Pr H j D ] is obtained by multiplying its prior probability Pr H j by the bracketed fraction.
This fraction's numerator is the probability of getting these data if the jth hypothesis is true. The denominator comes from the "law of total probability" — the probability of getting these data if, one by one, each hypothesis were to be true. The denominator is the normalization factor. A Bayesian probability can be more easily understood if it is considered as a person's degree of belief in a certain event as opposed to the classical probability which is based upon physical evidence.
Bayesian methods can be developed to provide inference for parameters within a risk model developed for a particular context; for example, the probability of an event, the rate of an event, or the time to an event. Bayesian methods can be used to provide a prior estimate of a parameter of interest based upon subjective beliefs. A prior probability distribution is usually associated with subjective data since it represents uncertainties in the state of knowledge.
A prior can be constructed using subjective data only or using relevant data from similar situations. A prior estimate can provide a probabilistic prediction of the likelihood of an event and be useful for risk assessment for which there is no empirical data.
Observed event data can then be combined with the prior distribution through a Bayesian analysis to provide a posterior estimate of the risk parameter of interest.
Bayes' theorem is used to incorporate new evidence into prior beliefs to form an updated estimate. Bayesian analysis can provide both point and interval estimates for a parameter of interest. These estimates capture uncertainties associated with both variability and the state of knowledge. This is unlike classical frequentist inference which represents the statistical random variation in the variable of interest.
The probability model underpinning a Bayesian analysis depends on the application. Increasingly it is common to build a probability model to represent the causal relationships between variables in the form of a Bayesian network B.
Limitations are the following. Prior Distribution Elicitation B. The document provides summaries of a range of techniques, with references to other documents where the techniques are described in more detail. This second edition cancels and replaces the first edition published in This edition constitutes a technical revision.
Keywords: uncertainty, risk management. The International Organization for Standardization ISO is an international standard-setting body composed of representatives from various national standards organizations.
Founded on 23 February , the organization develops and publishes worldwide technical, industrial and commercial standards. It is headquartered in Geneva, Switzerland and works in countries.
Select a Collection. Save to Collection. Tip Designer. Share this thing. Send to Thingiverse user. Remixed from: Select a Collection. Apr 17, Print Settings. May 12, May 15, Jun 25, Mar 19,
0コメント