Did you leave any fish bones in the conference room? Did the boss like your bow tie? I’m not talking about personal habits or fashion statements. Fish bones and bow ties are part of modern risk assessment techniques.

Now is a good time to learn more about risk assessment techniques. The international standard on Risk Management - Risk Assessment Techniques (ISO/ IEC 31010:2009) was published last December along with companion documents ISO 31000:2009 Risk Management – Principles and Guidelines and ISO Guide 73:2009 Risk Management - Vocabulary. All three documents are available at www.iso.org.

Importance: risk assessment and management

Risk assessment is the “overall process of risk identification, risk analysis and risk evaluation” (ISO Guide 73:2009). Risk assessment is integral to modern risk management. Risk management is an integral part of all organizational processes. Risk management “helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.” (ISO 31000:2009).


While hundreds of risk assessment techniques are used throughout the world, you should particularly learn about the ones listed below. These are examples of risk assessment techniques found in ISO 31010. These techniques have been validated and are used globally for all types of risk. Their use and application is explained within ISO 31010.
  • Bayesian analysis
  • Bow tie analysis
  • Brainstorming (e.g. what-if)
  • Business impact analysis
  • Cause and consequence analysis
  • Cause and effect analysis
  • Checklists
  • Consequence/likelihood matrix
  • Decision tree
  • Delphi technique
  • Environmental risk assessment
  • Event tree analysis
  • Failure mode and effect analysis (FMEA)
  • Failure mode, effect and criticality analysis
  • Fault tree analysis
  • Hazard analysis and critical control points
  • Hazard and operability studies (HAZOP)
  • Human reliability analysis
  • Layers of protection analysis
  • Markov analysis
  • Monte Carlo
  • Preliminary hazard analysis (PHA)
  • Reliability centered maintenance
  • Root cause analysis
  • Scenario analysis
  • Sneak circuit analysis
  • Structured/semi-structured interviews
  • SWIFT (i.e. structured what-if)

Simple to complex

All risk assessment techniques had humble beginnings. The simplest formal technique is the checklist. Add an activity to a checklist and you may create a Job Safety Analysis (JSA) – a fundamental risk assessment technique for most workplaces. Add considerations of frequency and severity to a JSA and it may evolve into a Consequence/Likelihood Matrix. Tweak the matrix with additional considerations, include predictive values with calculations, oftentimes with software assistance, and eventually you reach high level risk assessment techniques such as FMEA. The higher the risk assessment technique(s) the better able users are to “make informed choices, prioritize actions and distinguish among alternative courses of action.”

Employer-required risk assessments

OSHA requires employers to apply risk assessment techniques. For example, OSHA’s process safety management standard at 29 CFR 1910.119 requires an employer to use risk assessment techniques that include checklists, what-if, HAZOP and/or FMEA. OSHA’s PPE standard at 29 CFR 1910.132 requires employers to conduct hazard assessments. Although OSHA does not specify the type of hazard assessment, techniques below such as Cause and Effect Analysis, Consequence/ Likelihood Matrix (often called frequency/severity matrix) and PHA will suffice. Compliance with an OSHA permissible exposure limit and substance specific standards (e.g. asbestos, benzene, cadmium) would employ the Environmental Risk Assessment technique.

Formal process and multiple techniques

Many risks require the application of a formal risk management process (e.g. ISO 31000) and multiple risk assessment techniques to effectively determine the best course of management actions. Emerging risks with high consequence especially call for these actions. For example, consider the following risk profile: Failure to adequately treat [developmental health hazards] may [damage an unborn child] and cause your organization to incur a [$100 million dollar liability]. Note: the first, second and third brackets, respectively, refer to “risk source,” “event” and “consequence.”

Risk assessment techniques such as Brainstorming, Business Impact Analysis, Delphi Technique, Environmental Risk Assessment, and probably other techniques, may be needed to effectively assess the above risk. The Delphi Technique (http://en.wikipedia.org/wiki/ Delphi_method), that considers judgment among a group of experts, would be especially beneficial.

Not perfect

No risk assessment technique is perfect. Each has its own strengths, weaknesses and limitations. Risk assessment techniques, however, are necessary to help decision makers make informed choices, prioritize actions and distinguish among alternative courses of action. If you are part of the decision making process within an organization, then risk assessment techniques are clearly a valuable tool.