The risk assessment has to end up with the association of a qualitative or quantitative measure of any risk, in terms of technical, economic or financial intensity. The choice of the methodology is related to the level of details required by the comparison among risk profile and risk appetite and to the availability of data and information. The metrics can refer to:
- probability of occurrence and magnitude of the effects and impacts;
- value at risk or vulnerability, which is the possible value of benefits or threats in relation to the characteristics of the organization.
The estimation of risk can be performed using different qualitative, quantitative or mixed criteria each with a different level of detail and reliability of the results. While the first are characterized by a strong subjectivity that only a high level of experience can compensate, the second need harmonization and conversion of the scales and of the values found. The choice is also related to the desired output of the stage, typically a hierarchical ordering of the risks identified (e.g. some types of exposures and tolerability are defined by regulations, especially for safety and environment). Examples of simple evaluation criteria, according to the already mentioned reference model, are shown in Table 7.4, Table 7.5 and Table 7.6 .
|
Identification code |
ID to associate and create links among information |
|
Category |
According to the classification adopted |
|
Organizational level |
Corporate, business unit, site, process or activities involved |
|
Related target |
Relation to the strategic planning and decisional level |
|
Stakeholders |
Involvement of the different stakeholders |
|
Regulation |
Relation to compulsory (laws or directives) or voluntary (procedures) requirements |
|
Description |
Extended description of the event and its possible evolutions (hazard) |
|
Causes |
First, second and third level causes (direct or indirect) |
|
Consequences |
Description of impacts (direct or indirect) |
|
Emergency |
Potential emergency related to the risk and associate plans of recovery |
|
Inherent risk |
Combination of the probability (or frequency) of the event and the impact or relevance of the effects |
|
Risk appetite |
Threshold level of tolerance of the specific risk |
|
Treatment |
Extended description of the mitigations |
|
Residual risk |
Estimation of the risk after the of mitigation |
|
Control |
Extended description of the control |
|
Risk owner |
Responsibility of the risk and related activities |
|
Control owner |
Responsibility of the control and related activities |
|
High |
- financial impact on the organization probably higher than xxx € |
|
Medium |
- financial impact on the organization probably among yyy € and xxx € |
|
Low |
- financial impact on the organization probably lower than yyy € |
|
Value |
Indicator |
Description |
|
|
High (Probable) |
Probable every year or in more than 25% of cases |
- possible happening of the event in the period of analysis, with many repetitions |
|
|
Medium (Possible) |
Probable in 10 years or in less than 25% of cases |
- possible happening of the event in the period of analysis, with some repetitions |
|
|
Low (Remote) |
Improbable in 10 years or in less than 2% of cases |
- mostly likely it never happens |
|
|
Value |
Indicator |
Description |
|
High (Probable) |
Probable advantages in the year or in more than 75% of cases |
- clear opportunity with reasonable certainty |
|
Medium (Possible) |
Reasonable advantages in the year or between 75% and 25% of cases |
- achievable opportunity that requires an accurate management |
|
Low (Remote) |
Possible advantages in the midterm or in less than 25% of cases |
- possible opportunity that has to be deeply examined |
- 1120 reads
