ISO/IEC 31010:2011 Risk Management
Organizations of all types and sizes face a range of risks that may affect the
achievement of their objectives. These objectives may relate to a range of the
organization's activities, from strategic initiatives to its operations,
processes and projects, and be reflected in terms of societal, environmental,
technological, safety and security outcomes, commercial, financial and economic
measures, as well as social, cultural, political and reputation impacts. Thus
all activities of an organization involve risks that should be managed, and the
risk management process aids decision making by taking account of uncertainty
and the possibility of future events or circumstances (intended or unintended)
and their effects on agreed objectives.
Risk management includes the application of logical and systematic methods for:
Communicating and consulting throughout this process;
Establishing the context for identifying, analyzing, evaluating and treating risk associated with any activity, process, function or product;
Monitoring and reviewing risks;
Reporting and recording the results appropriately.
Risk assessment provides a structured process that identifies how objectives
may be affected, and analyses the risk in terms of consequences and their
probabilities before deciding on whether further treatment is required.
Risk assessment attempts to answer the following fundamental questions:
What can happen and why (by risk identification)?
What are the consequences?
What is the probability of their future occurrence?
Are there any factors that mitigate the consequence of the risk or that reduce the probability of the risk?
Is the level of risk tolerable or acceptable and does it require further treatment?
The standard is intended to reflect current good practices in the selection and
utilization of risk assessment techniques, and does not refer to new or
evolving concepts that have not reached a satisfactory level of professional
consensus. The standard is generic in nature and applies to any organization,
big or small, across all industries and types of systems. There may be more
specific standards in existence within these industries that establish
preferred methodologies and levels of assessment for particular applications.
If these standards are in harmony with this standard, the specific standards
will generally be sufficient.
Go through the list below of the 31 tools given in ISO 31010:2011. Depending on
the industry you are working in, you will almost certainly recognize at least
some of them, even if you haven’t actually used any of the techniques to assess
risk.
Tools of Risk Assessment
01. Brainstorming
02. Structured or semi-structured interviews
03. Delphi
04. Check-lists
05. Primary hazard analysis
06. Hazard and operability studies (HAZOP)
07. Hazard Analysis and Critical Control Points (HACCP)
08. Environmental risk assessment
09. Structured « What if? » (SWIFT)
10. Scenario analysis
11. Business impact analysis
12. Root cause analysis
13. Failure mode effect analysis
14. Fault tree analysis
16. Cause and consequence analysis
17. Cause-and-effect analysis
18. Layer protection analysis (LOPA)
19. Decision tree
20. Human reliability analysis
21. Bow tie analysis
22. Reliability centered maintenance
23. Sneak circuit analysis
24. Markov analysis
25. Monte Carlo simulation
26. Bayesian statistics and Bayes Nets
27. FN curves
28. Risk indices
29. Consequence/probability matrix
30. Cost/benefit analysis
31. Multi-criteria decision analysis (MCDA)
Not everybody, of course, will have the resources and capabilities within the
organization to attempt techniques such as Fault tree analysis,
Cause/consequence analysis, Monte-Carlo analysis or Bayesian analysis. Quality
managers working for smaller enterprises (SMEs) may only dream of conducting
analysis at the level required by some techniques in the list. The sheer
complexity of some types of risk assessment will render the tool useless in
most organizations employing between 1 and 250 people. However, that doesn’t
mean to say that ISO 31010 isn’t a valuable reference should you ever be
required to think about risk in these terms.
1. Brainstorming
Brainstorming as a technique could be particularly useful when, for example,
identifying risks of new technology where there is no data or where novel
solutions to problems are needed. According to ISO 31010, “…it encourages
imagination which helps identify new risks and novel solutions”. However, it is
not applicable to the risk analysis tasks of estimating consequence,
probability or level of risk, which limits its use. Along with Check-lists,
Primary hazard analysis and most of the ‘Supporting Methods’ (Structured
interviews, Delphi technique and SWIFT (Structured “what if”)), it does not
provide any quantitative output.
Here are a few tips to help your next brainstorm become a resounding success:
Make the objectives crystal clear from the start.
What are you trying to find/solve?
What constraints are you operating under?
Just as with other collaborative meeting techniques, allow everyone to have a say.
Facilitate the session so that the people who are quiet have equal time in the spotlight as those who have the tendency to dominate discussions.
Take away the possibilities of anchoring by letting people generate ideas individually first, before coming together to discuss and elaborate.
Go for quantity over quality at the start.
There are various ways to conduct brainstorming; the following are some of the
methods used in industry today.
Brain Writing
The general principle of this technique is to separate idea generation from
discussion. The team leader shares the topic with the team, and the team
members individually write down their ideas. This helps eliminate anchoring and
encourages everyone on the team to share their own ideas. It also gives
everyone more time to think over their ideas, which is especially helpful for
your introverted participants. This brainstorming technique works best for
teams who seem to be greatly influenced by the first ideas presented during a
meeting.
Figure Storming
Ever considered how someone else might handle the situation? Or what they might
say about a particular topic? With figure storming, you aim to do just that.
Think about how someone such as your boss, a famous celebrity, or even your
janitor might handle the situation. Putting yourself in new shoes can give the
team a different perspective and presents the possibility of fresh ideas. This
technique works best for teams who find themselves coming across the same ideas
for repetitive projects.
Online Brainstorming (Brain-netting)
These days, virtual teams are becoming more and more common across all business
types, and the evolution of email and online collaboration tools has made
working remotely the norm in some environments. Having a central location
online where team members can collaborate is crucial for these virtual teams;
consider cloud-based document storage (e.g. Google Drive) or an online
collaboration tool. This way, all the ideas are archived in one central
location and can be referenced easily.
Rapid Ideation
Sometimes, time limitations can help generate ideas quickly, because you don’t have time
to filter or overthink each one. With this technique, the team leader provides
context beforehand with information or questions on the topic, budget,
deadline, etc. Then, a time limit is set for individuals to write down as many
thoughts or ideas around the topic as possible, using any mediums available.
People should not worry about filtering their ideas. The time limit for your
rapid ideation session can be anywhere from 5 to 45 minutes, depending on the
complexity of your topic. This technique is good for teams who tend to get
sidetracked, or for placing a time limit on brainstorming sessions that
frequently last longer than expected.
Round Robin Brainstorming
This method begins by having the team gather in a circle. Once the topic is shared,
go around the circle one-by-one and have each person offer an idea until
everyone has had their turn. Simultaneously, a facilitator records each idea so
they can be discussed once the sharing is over. It’s very important to not
evaluate any ideas until everyone has the opportunity to share. This technique
is good when some of your team members have a tendency to stay quiet throughout
meetings.
Star Bursting
This form of brainstorming focuses on forming questions rather than answers.
Star bursting challenges the team to come up with as many
questions as they can about your topic. An easy way to begin a session like
this would be to start listing questions that deal with who, what, where, when,
and why. This style assures that all aspects of the project are addressed
before any work goes into executing it. It’s a good technique for teams who
tend to overlook certain aspects of a project and end up rushing to get things
done last minute.
Stepladder Technique
Developed in 1992, this style of brainstorming encourages every member in the team to
contribute individually before being influenced by everyone else. The session
begins with the facilitator sharing the topic or question with the whole team.
Once the topic is shared, everyone leaves the room except two members of the
team. These two members will then discuss the topic and their ideas. Then, one
additional member is added to the group. This new member will contribute their
ideas BEFORE the other two discuss theirs. Repeat this cycle until everyone
from the original group is in the room. This technique is particularly useful
for teams who are easily influenced by only one or two members, leading
to groupthink. This also helps encourage the shy folks in the group to
share their ideas without feeling intimidated by a room full of people.
2. Structured or Semi-structured Interviews
Researchers use interviews for a variety of purposes, because interviews can be
used as a primary data gathering method to collect information from individuals
about their own practices, beliefs, or opinions. They can be used to gather
information on past or present behaviors or experiences. Interviews can further
be used to gather background information or to tap into the expert knowledge of
an individual; for example, interviewing a subject-matter expert on a new
policy will likely gather factual material and data, such as descriptions of
processes. Interviews will often include the collection of both types of
information. The difference between these types of interviews is readily
apparent to most. Interviews can be placed on a continuum of structure, from
“unstructured” to highly “structured.” Embedded in this continuum is the idea
of how much “control” the interviewer will have over the interaction.
The most controlled type of interview is the structured interview, in which the
questions are fixed and are asked in a specific order. Multiple respondents
will be asked identical
questions, in the same order. Structured interviews most closely approximate a
survey being read aloud, without deviation from the script. Structured
interviews have several advantages over surveys including lower levels of item
non-response and the ability for an interviewer to mitigate inappropriate
responses. However, in a structured interview, if a respondent indicates that
they do not understand a question or a term in the question, the interviewer is
generally limited to providing only a previously scripted explanation or
defining the term as “Whatever [the term] means to you.” Otherwise, the
interviewer is generally unable to provide any explanation beyond repeating the
question. These interviews are often used when one has very large samples and
is looking for data that can be generalized to a large population.
Semi-structured interviews are used often in policy research. Semi-structured
interviewing uses a guide note, with questions and topics that must be covered.
The interviewer has some discretion about the order in which questions are
asked, but the questions are standardized, and probes may be provided to ensure
that the researcher covers the correct material. This kind of interview
collects detailed information in a style that is somewhat conversational.
Semi-structured interviews are often used when the researcher wants to delve
deeply into a topic and to understand thoroughly the answers provided.
3. Delphi Technique
The Delphi technique is a structured collaborative communication technique,
originally developed as a systematic, interactive forecasting method, which
relies on a panel of experts. By combining
expert opinions, the aim is to support the source and influence identification,
probability and consequence estimation and risk evaluation. The experts answer
questionnaires in two or more rounds. After each round, a facilitator provides
an anonymous summary of the experts’ forecasts from the previous round as well
as the reasons they provided for their judgments. In this way, experts are
encouraged to revise their earlier answers in light of the replies of other
members of their panel.
Delphi can be used to estimate the probability of adverse and positive outcomes.
According to ISO 31010: “Expert
opinion can be used in a systematic and structured process to estimate
probability. However, expert judgments should draw upon all relevant available
information including historical, system-specific, organizational-specific,
experimental, design, etc. There are a number of formal methods for eliciting
expert judgment which provide an aid to the formulation of appropriate
questions. The methods available include the Delphi approach, paired
comparisons, category rating and absolute probability judgments. The Delphi
technique can be applied at any stage of the risk management process or at any
phase of a system life cycle, wherever a consensus of views of experts is
needed.” A true consensus approach that avoids the bias of dominant members of
the team can be the wake-up call that management needs to assess risk.
4. Check Lists
A checklist is a simple form of risk identification, which provides a listing
of typical uncertainties that need to be considered. In common practice users
refer to a previously developed list, codes or standards. Check-lists and
reviews of historical data are, naturally enough, a sensible step if you are
serious about identifying the risks and opportunities in accordance with the
requirements of ISO 9001:2015 Clause 6.1, and intend to plan and implement the
appropriate actions to address them. You could, however, enhance the quality of
the output by following a systematic process to identify risks by means of a
structured set of prompts or questions for the experts. As a useful practice,
you can start by making a check-list of the known issues in the environment
that can (a) affect conformity of products and services [risk] and (b) have the
ability to enhance customer satisfaction [opportunity].
No assessor is likely to fault you for making this much effort, whether or not
you have addressed these risks and opportunities in the design of your quality
management system and its associated processes. However, it is also worth
remembering that check-lists are most useful when applied to check that
everything has been covered after a more imaginative technique that identifies
new problems has been applied.
5. Primary Hazard Analysis
Preliminary hazard analysis can be defined as “a simple inductive method of
analysis whose objective is to identify the hazards and hazardous situations
and events that can cause harm for a given activity, facility or system”.
However, the term ‘hazard’ is always used in the context of physical harm. At
first sight this is not a very promising tool, but it does have advantages.
Namely, it can be used when there is limited information, and it also allows
risks to be considered very early in the system life cycle. In some
organizational contexts, such as food manufacturing organizations, preliminary
hazard analysis could be appropriate as a risk assessment tool for quality when
its use helps to prevent Critical Non-conformities which could, for example,
result in hazardous or unsafe conditions for individuals using, maintaining or
depending on the product.
The remaining 26 methods will be explained in the next 04 articles; if you need
to explore them, please read the 31010:2009 series of posts.