…process to comprehend the nature of risk and to determine the level of risk
NOTE 1: Risk analysis provides the basis for risk evaluation and decisions about risk treatment.
NOTE 2: Risk analysis includes risk estimation.
Likelihood
When determining the likelihood of an unexpected event, the number of times it can potentially occur in a year is measured.
The likelihood of an unexpected event can be measured in terms of frequency of occurrences (that is, occurrence per year—No./Yr). The potential frequency of an event needs to be determined using a descriptive scale. Examples of descriptions that may be used for the likelihood of an unexpected event/loss are:
• almost certain
• likely
• possible
• unlikely
• rare
• very rare
• almost incredible.
Consequence
The effect that such an event can have on the organisation is also measured. This is the loss consequence and it is often measured in financial ($) terms. Where possible, the following factors are taken into account:
• injury to people
• financial implications, including financial/asset damage or loss
• adverse reputation and image effects
• environmental damage
• disruption of business operations (both short- and long-term).
When both measures of likelihood and consequence have been determined, a qualitative risk analysis matrix can be developed to prioritise exposures by assigning a risk rating to each particular risk. The qualitative and quantitative risk analysis data is used to set priorities for treatment based on the level of risk to which the organisation is exposed.
The following table is an example of a qualitative risk analysis matrix, the framework of which is based on the results of analysis that led to categories of likelihood and consequences.
While the example illustrates the relevant information and structures, it is important that each organisation develops its own matrix tailored to its specific needs.
Example—Risk analysis matrix
