Definition

Email this page to a friend   

Email to a friend

Risk

(Alias: uncertainty)

No game was ever worth a rap for a rational man to play
Into which no accident, no mishap, could possibly find its way.
             - Adam Lindsay Gordon

Risk is the potential for realisation of a set of unwanted circumstances or events.

For example, in the context of the project management process this potential is considered a risk if:

  • The unwanted circumstances or events cause injury, property damage, loss of time, money, software product quality or product functionality
  • Uncertainty or chance is involved
  • Some choice is involved. That is, action can be taken now to avoid a risky event or reduce the magnitude of the associated loss.

In the context of Functional Safety Management; If a hazard exists there is always a finite risk that it will progress to a hazardous event.

Quantifing Risk

Risks are quantified in terms of:

  • The probability that the the unwanted circumstances or events will occur
    (eg. 1 per year)
  • The severity of the consequence
    (e.g. > 5 fatalities).

Risk probability units:

  • Per year
  • Per travelled kilometres
  • Per journey
  • Per head of population.
Risk Components

Sample Quantitative Risk Statements

  • The risk of a fatality on Australian roads is 9.5 in 100,000 head of population per annum (9.5*10-5/yr).
  • Fatal events in Airbus 300 aircraft: .65 events per million flights
  • Fatality from cancer averaged over the population of England and Wales: 1 in 387 per annum

Qualitative Risk Probability

In cases where risk probability cannot be quantified, qualitative measures may be used. The table provides examples.

Characterization

Frequency

Frequent

1/yr

Probable

1/yr to 1/10yr

Occasional

10/yr to 1/100yr

Remote

100/yr to 1/1,000yr

Improbable

1,000/yr to 1/10,000yr

Incredible

< 1/10,000 yr

Identifying Unwanted Outcomes

In identifying risk, risk-aware organisations must first determine the classes of unwanted outcomes that will be considered. For example, one organisation might view fatality and injury as areas of focus while another might add financial loss, property damage, environmental damage and psychological effects.

Classifying Levels of Severity

Determining severity levels is essential component of the risk management process. If a high severity level cannot be tolerated (eg. fatality), an organisation will take action (eg. spend money) to reduce the probability of occurrence. For example a road traffic authority might consider >5 fatalities as a disaster while a rail authority might class a disaster as > 50 fatalities.

Risk classification is a value judgment made by organizations based on community expectations and the practical realities of the environments in which they operate. For example, in the case of a railway network the passenger carrying capacity of trains means that it is possible to have a single incident such as a fire or a collision where greater than 50 fatalities occur. In contrast the road transportation environment does not experience incidents of this severity due to the limited passenger carrying capacity of motor vehicles. As a general rule the scope of risk should accurately reflect hazardous events that are possible in the environment in which the organization operates and the realistic probabilities of these events. Unfortunately there is a significant emotional dynamic in setting risk severity levels. Some organizations are reluctant to admit the possibility of high fatality rates fearing that the documentation of, say, a greater than 50 fatality severity band might imply the organization's acceptance of high casualty rates in the eyes of the general public.

To counter this tendency risk assessors must argue that de-rating realistic risk levels for political reasons is a hazard in itself as a risk assessment that does not recognize real world risks will produce ineffective risk mitigation measures and may result in the realization of the organization's worst nightmare.

The counter argument is that recognising high severity levels does not imply acceptance of these outcomes. Instead it is the first step in ensuring that risk mitigation actions will effectively reduce the probability of these outcomes being realized. The level to which this probability must be reduced is set by community risk tolerability.

The table below provides a sample severity classification for a highway authority.

 

Severity of Consequence

Consequence

Negligible

Marginal

Critical

Catastrophic

Fatalities

nil

nil

1 - 5

> 5

Major injury

nil

1-5

5-20

> 20

Minor injury

< 6

5-10

11 - 20

> 20

Property damage

< .5M

.5 - 2M

2 - 10M

> 10M

Risk Management

In managing risks value judgements must be made as to whether something must be done about a particular risky scenario. All risk assessments have one of the following outcomes:

  • Risk acceptance. The risk is tolerated and no action is taken
  • Risk rejection. The risky activity is discontinued
  • Risk control. An attempt is made to control the risk by taking some risk reduction action.
Collaboration

- Rate this definition.
- Did it help?
- Suggest improvements.
- Request more information.
- Exchange ideas with our member community.

Risk Management Planning Video
Email to a friend