Understanding Risk Assessment

When people dis­cuss ‘Risk’ there are a lot of dif­fer­ent assump­tions made about what that means. For me, the study of risk and risk assess­ment tech­niques star­ted in 1995. As a tech­no­lo­gist and con­trols design­er, I had to some­how wrap my head around the whole concept in ways I’d nev­er con­sidered. If you’re try­ing to fig­ure out risk and risk assess­ment this is a good place to get star­ted!

What is risk?

From a machinery per­spect­ive, ISO 12100:2010 defines risk as:

com­bin­a­tion of the prob­ab­il­ity of occur­rence of harm and the sever­ity of that harm”

Risk can have pos­it­ive or neg­at­ive out­comes, but when con­sid­er­ing safety, we only con­sider neg­at­ive risk, or events that res­ult in neg­at­ive health effects for the people exposed.

The risk rela­tion­ship is illus­trated in ISO 12100:2010 Figure 3:

ISO 12100-2010 Figure 3
ISO 12100 – 2010 Figure 3


R = Risk

S = Severity of Harm

P = Probability of Occurrence of Harm

The Probability of Occurrence of Harm factor is often fur­ther broken down into three sub-​factors:

  • Probability of Exposure to the haz­ard
  • Probability of Occurrence of the Hazardous Event
  • Probability of Limiting or Avoiding the Harm

How is risk measured?

In order to estim­ate risk a scor­ing tool is needed. There is no one ‘cor­rect’ scor­ing tool, and there are flaws in most scales that can res­ult in blind-​spots where risks may be over or under-​estimated.

At the simplest level are ‘screen­ing’ tools. These tools use very simple scales like ‘High, Medium, Low’, or ‘A, B, C’. These tools are often used when doing a shop-​floor inspec­tion and are inten­ded to provide a quick meth­od of cap­tur­ing obser­va­tions and giv­ing a gut-​feel assess­ment of the risk involved. These tools should be used as a way to identi­fy risks that need addi­tion­al, detailed assess­ment. To get an idea of what a good screen­ing tool can look like, have a look at the SOBANE Déparis sys­tem.

Every scor­ing tool requires a scale for each risk para­met­er included in the tool. For instance, con­sider the CSA tool described in CSA Z434:

CSA Z434-03 Table 1As you can see, each para­met­er (Severity, Exposure and Avoidance) has a scale, with two pos­sible selec­tions for each para­met­er.

When con­sid­er­ing selec­tion of a scor­ing tool, it’s import­ant to take some time to really exam­ine the scales for each factor. The scale shown above has a glar­ing hole in one scale. See if you can spot it and I’ll tell you what I think a bit later in this post.

There are more than 350 dif­fer­ent scales and meth­od­o­lo­gies avail­able for assess­ing risk. You can find a good review of some of them in Bruce Main’s text­book “Risk Assessment: Basics and Benchmarks” avail­able from DSE online.

A sim­il­ar, although dif­fer­ent, tool is found in Annex 1 of ISO 13849 – 1. Note that this tool is provided in an Informative Annex. This means that it is not part of the body of the stand­ard and is NOT man­dat­ory. In fact, this tool was provided as an example of how a user could link the out­put of a risk assess­ment tool to the Performance Levels described in the norm­at­ive text (the man­dat­ory part) of the stand­ard.

Consider cre­at­ing your own scales. There is noth­ing wrong with determ­in­ing what char­ac­ter­ist­ics (para­met­ers) you want to include in your risk assess­ment, and then assign­ing each para­met­er a numer­ic scale that you think is suit­able; 1 – 10, 0 – 5, etc. Some scales may be inver­ted to oth­ers, for example: If the Severity scale runs from 0 – 10, the Avoidability scale might run from 10 – 0 (Unavoidable to Entirely Avoidable).

Once the scales in your tool have been defined, doc­u­ment the defin­i­tions as part of your assess­ment.

Who should conduct risk assessments?

Lake YogaIn many organ­iz­a­tions, I find that risk assess­ment has been del­eg­ated to one per­son. This is a major mis­take for a num­ber of reas­ons. Risk assess­ment is not a solo activ­ity for a ‘guru’ in a lonely office some­where!

Risk assess­ment is not a lot of fun to do, and since risk assess­ments can get to be quite involved, it rep­res­ents a sig­ni­fic­ant amount of work to put on one per­son. Also, leav­ing it to one per­son means that the assess­ment will neces­sar­ily be biased to what that per­son knows, and may miss sig­ni­fic­ant haz­ards because the assessor doesn’t know enough about that haz­ard to spot it and assess it prop­erly.

Risk assess­ment requires mul­tiple view­points from par­ti­cipants with var­ied expert­ise. This includes users, design­ers, engin­eers, law­yers and those who may have spe­cial­ized know­ledge of a par­tic­u­lar haz­ard, like a Laser Safety Officer or a Radiation Safety Officer. The var­ied expert­ise of the people involved will allow the com­mit­tee to bal­ance the opin­ion of each haz­ard, and devel­op a more reasoned assess­ment of the risk.

I recom­mend that risk assess­ment com­mit­tees nev­er be less than three mem­bers. Five is fre­quently a good num­ber. Once you get bey­ond five, it becomes increas­ingly dif­fi­cult to obtain con­sensus on each haz­ard. Also, con­sider the cost. As each com­mit­tee mem­ber is added to the team, the cost of the assess­ment can escal­ate expo­nen­tially.

Training in risk assess­ment is cru­cial to suc­cess. Ensure that the indi­vidu­als involved are trained, and that at least one has some pre­vi­ous exper­i­ence in the prac­tice so that they may guide the com­mit­tee as needed.

When should a risk assessment be conducted?

Risk Assessment Lifetime Flow Chart
Risk Assessment in the Lifetime of a Product

Risk assess­ment should begin at the begin­ning of a pro­ject, wheth­er it’s the design of a product, the devel­op­ment of a pro­cess or ser­vice, or the design of a new build­ing. Understanding risk is crit­ic­al to the design pro­cess. Cost for changes made at the begin­ning of a pro­ject are min­im­al com­pared to those that will be incurred to cor­rect prob­lems that might have been fore­seen at the start. Risk assess­ment should start at the concept stage and be included at each sub­sequent stage in the devel­op­ment pro­cess. The accom­pa­ny­ing graph­ic illus­trates this idea.

Essentially, risk assess­ment is nev­er fin­ished until the product, pro­cess or ser­vice ceases to exist.

What tools are available?

As men­tioned earli­er in this post, the book ‘Risk Assessment: Basics and Benchmarks” provides an over­view of roughly 350 dif­fer­ent scor­ing tools. You can search the Internet and turn up quite a few as well. The key thing with all of these sys­tems is that you will need to devel­op any soft­ware based tools your­self. Depending on your com­fort with soft­ware, this might be a spread­sheet format, a word pro­cessing doc­u­ment a data­base, or some oth­er format that works for your applic­a­tion.

There are a num­ber of risk assess­ment soft­ware tools avail­able as well, includ­ing ISI’s CIRSMA and DSE’s DesignSafe. As with the scor­ing tools, you need to be care­ful when eval­u­at­ing tools. Some have sig­ni­fic­ant blind spots that may trip you up if you are not aware of their lim­it­a­tions.

Remember too that the out­put from the soft­ware can only be as good as the input data. The old saw “Garbage In, Garbage Out” holds true with risk assess­ment.

Where can you get training?

There are a few places to get train­ing. Compliance InSight Consulting provides train­ing to cor­por­ate cli­ents and will be launch­ing a series of web-​based train­ing ser­vices in 2011 that will allow indi­vidu­al learners to get train­ing too.

The IEEE PSES oper­ates a Risk Assessment Technical Committee that is open to the pub­lic as well. See the RATC web site.

The Answer to the Scale Question

The Exposure Scale in the CSA tool has a gap between E1 and E2. Looking at the defin­i­tions for each choice, notice that E1 is less than once per day or shift, while E2 is more than once per hour. Exposures that occur once per hour or less, but more than once per day can­not be scored effect­ively using this scale.

Also, notice the Severity scale: S1 encom­passes injur­ies requir­ing not more than basic first aid. One com­mon ques­tion I get is “Does that include CPR*?”. This ques­tion comes up because most basic first aid courses taught in Canada include CPR as part of the course. There is no clear answer for this in the stand­ard. The S2 factor extends from injur­ies requir­ing more than basic first aid, like a broken fin­ger for instance, all the way to a fatal­ity. Does it make sense to group this broad range of injur­ies togeth­er? This defin­i­tion doesn’t quite match with the Province of Ontario’s defin­i­tion of a Critical Injury found in Regulation 834 either.

All of this points to the need to care­fully assess the scales that you choose before you start the pro­cess. Choosing the wrong tool can skew your res­ults in ways that you may not be very happy about.

*Cardio-​Pulmonary Resuscitation

CSA Z1002 Risk Assessment Standard – 60 Day Public Review

Get more inform­a­tion on CSA Z1002. The draft of this doc­u­ment is now avail­able for pub­lic review through CSA.

60 Day Public Review Starts Today

CSA (the Canadian Standards Association) has been work­ing on a new risk assess­ment stand­ard called Z1002 – Occupational Health and Safety Hazard Identification and Elimination and Risk Assessment and Control, since the fall of 2007.

This risk assess­ment stand­ard is the first of its kind glob­ally and will place the CSA Z100x series of Occupational Health and Safety Management stand­ards at the fore­front glob­ally when it is pub­lished this year.

This stand­ard is destined to become a Canadian National Standard and will have influ­ence on all the stand­ards in the CSA Catalog that include risk assess­ment (CSA Z432, CSA Z434, CSA Z460, CSA Z462, etc.)

As of today, the stand­ard is avail­able for pub­lic review. This means that you can down­load a draft copy of the stand­ard for free and have a look at the con­tent of the doc­u­ment. It’s also hoped that you will provide com­ments on the doc­u­ment that will go back to the tech­nic­al com­mit­tee at the end of the Public Review phase on 17-​Apr-​11 17-​Mar-​11. Every com­ment will be reviewed by the Technical Committee. You have the chance to make change in the doc­u­ment before it is pub­lished later this year.

Public Review is only open for 60 days, so act quickly! On 17-​Apr-​11 17-​Mar-​11 review will close per­man­ently for this edi­tion of the doc­u­ment!

Get The Draft

If you are inter­ested in review­ing and com­ment­ing on the draft, please vis­it:


You can down­load the draft and you can link to the com­ments page for the doc­u­ment to provide your thoughts on it.

More Information

Need more inform­a­tion on this stand­ard? Please con­tact the CSA Project Manager: 
Elizabeth Rankin,
ph: (416) 747‑2011