Compliance, ESG | 19 August, 2021 | Updated February 22, 2022

Top 5 methods to “assess risks”

Wait… what?

Ha! We lured you in. And now you are stuck. You thought you were going to read something about risk assessment methods but are now realizing risk analysis and risk assessment are not the same. This might make you feel a bit embarrassed at first, disappointed maybe, or even angry? But why go down that road when you can be surprised and enlightened instead: indeed, risk assessment and risk analysis are not exactly the same thing. In this blog post, let us untangle the terms ‘assessment’ and ‘analysis’, which are often used interchangeably, and provide you with best practice options to start cooking.

Grocery shopping

Risk assessment is the overall process of risk identification, risk analysis and risk evaluation. In risk assessment there is basically only one method to use. What you will need for a decent risk assessment is to take the following steps:

  1. A way to identify your hazards, threats or perils that contribute to risk;
  2. Determine their significance by stating what the potential impact is, how frequent this is going to happen and who/what may be harmed in what way;
  3. Decide what options you have in taking precautions to deal with them;
  4. Communicate as well as keep a record of the points mentioned above;
  5. Evaluate risk according to risk acceptance criterion;
  6. Iterate the risk assessment for unaccepted risk after improvements are made.

That does sound a lot like a PDCA cycle. Perhaps you already have such a process in place. If so, do not be afraid to refurbish some of the steps with a fresh perspective on things from time to time. Once you have all these ingredients in place you are done. Right? Or is there still a bit more to it?

Start your cooking

You will not be able to serve this dish if it is not fully assembled yet. You will need an analysis method to buffer your assessment with quality insights. Therefore, risk analysis is inevitably a part of doing risk assessment. Doing a risk assessment without thorough risk analysis is like having a dusty vacuum cleaner; it surely happens a lot, but ironically defies the purpose. Without a proper risk analysis, your risk assessment will be too shallow to base management decisions on, and if that is the case, why bother at all?

The encore

Alright, alright, you probably did expect to see some sort of top-5 list in this blog to choose from, so here you have it. The most commonly used risk analysis methods are (ordered randomly):

1 – What-if Analysis

Meant to identify hazards, hazardous situations or event sequences that can result in unwanted outcomes. The method focuses on possible deviations from the entire process lifecycle, with special reference to the designed intent.

2 – Fault Tree Analysis

A top-down visual analysis that shows how technical (hardware) failures and human error interactions combine and accumulate into an unwanted (top) event. It shows the pathways, plus the AND/OR logic gates, through which events can contribute to the next event occurring.

Figure 1: Fault tree analysis concept

3 – Failure Mode Event Analysis (FMEA)

Used to identify and prioritize all actual or potential ways (or modes) to fail in a design, process, product, or service, that might negatively affect an end user. The purpose is of course to reduce or eliminate these failures.

Figure 2: Example of FMEA analysis

4 – Hazard Operability Analysis (HAZOP)

Structured and systematic bottom-up technique to identify and examine potential non-conformities, starting off with a possible deviation (or node), using guide words to determine its subsequent deep dive analysis.

Figure 3: Example of HAZOP Analysis

5 – Bowtie Analysis

A barrier-based visualization of risks, revealing how a scenario can cascade from a potential threat, to unwanted outcomes or consequences, through a top event in which the first moment of control over a hazard is lost.

Figure 4: Example of bowtie analysis

As you may notice, these are all valid risk analysis methods that vary in where they focus. Hopefully this short-list helps you make a better-considered choice of the method your organization will use to support its risk assessment through analysis.

Not perfect

Even at CGE Risk, we do confuse the terms assessment and analysis. We talk about engaging in ‘risk management’ by ‘analyzing your risks’ using bowties to ‘close the Deming cycle’. Isn’t it all part of assessing your risks? Perhaps this linguistic confusion is being caused by the extent to which bowtie covers almost every part of that earlier risk assessment recipe. But do try it out and see for yourself if the bowtie method covers all aspects of the risk assessment scope that you are opting for.

* In drafting this blog we typed the word ‘analysis’ instead of ‘assessment’ on two occasions by accident. Fortunately, no writers were harmed in the process.

© CGE Risk. 2021 – The copyright of the content of this blog belongs to CGE Risk Management Solutions B.V.