 ComplianceESGMay 23, 2019

# ISO 31000 blog series – Risk evaluation

In the past blogs, we covered how to set the scope, identify major risks and analyze them using the bowtie methodology.

In this edition, our focus is on evaluating the risk which was analyzed previously.

It is possible to evaluate risks in different ways, divided into two categories, the qualitative and the quantitative way. Using the quantitative way, the focus is set on numbers and data-driven values which are for example based on manufacturer specifications, historical data or any other reliable source, while qualitative data is driven by expert judgments and historical (non-numerical) data.

## The quantitative approach

An example of a quantitative approach is LOPA (Layer Of Protection Analysis) or, in combination with bowtie, the bowtie-adapted LOPA. See figure 1 below. LOPA works with event frequencies and control failure probabilities (probability of failure on demand). Basically, LOPA takes the initial frequency of an event and multiplies this by the probability that the barriers in that specific scenario line would fail. This results in a current frequency of the unwanted outcome or consequence. If this value is lower, then the acceptable target frequency we have set before, then the risk is considered acceptable.

Heavy rain occurs every 2 times we drive a car. As we are not good at defensive driving we fail in doing so during heavy rain every second time (1/2=0.5). This would result in us losing control over the car every 0.5 x 0.5 times which equals 0.25, or every 4 times (the current top event frequency). However, we consider it acceptable only if we lose control every 5 times. Because we don’t meet this condition the criticality for the top event has not been met. If we calculate further and we know that we forget to wear the seatbelt once every 10 times, it would result in a probability of failure on demand of 0.1. If we now multiply the current frequency of the top event (0.25) with the PFD of this specific barrier (0.1) we would get a consequence frequency of 0.025. Or in other words, we would hit the internal of the car every 40 times we drive a car. However, we accept this consequence if it occurs every 0.05 times, in other words, every 20 times (1/0.05 = 20). Thus, because of the current frequency is lower than the acceptable frequency we have met the criticality and accept the risk.

Learn how to do this, while using our lOPA plugin? Hit the button below.

## The qualitative approach

Besides the quantitative ways, there are also qualitative ways of assessing the risks. Some of those are ALARP thinking (elaborated on in our guest blog by Risktec) or the use of risk matrices which is most common. Within the bowtie, a set of risk matrices (figure 2) can be assigned to both the hazard (entire bowtie) as well as every consequence (unwanted outcome of the individual scenarios). The risk matrix helps to categorize the outcomes without assigning very specific values. Usually, this is a 4×5, 5×5 or 6×5 matrix with a severity and a frequency axis. Assessing both individually for the entire hazard or individual scenario would result in a specific risk matrix value.