
Understanding Risk Assessment

This entry is part 10 of 9 in the series Risk Assess­ment

When people dis­cuss ‘Risk’ there are a lot of dif­fer­ent assump­tions made about what that means. For me, the study of risk and risk assess­ment tech­niques star­ted in 1995. As a tech­no­lo­gist and con­trols design­er, I had to some­how wrap my head around the whole concept in ways I’d nev­er con­sidered.

If you’re try­ing to fig­ure out risk and risk assess­ment this is a good place to get star­ted!

What is risk?

From a machinery perspective, ISO 12100:2010 [1] defines risk as:

“combination of the probability of occurrence of harm and the severity of that harm”

Risk can have pos­it­ive or neg­at­ive out­comes, but when con­sid­er­ing safety, we only con­sider neg­at­ive risk or events that res­ult in neg­at­ive health effects for the people exposed.

The risk rela­tion­ship is illus­trated in [1, Fig. 3]:


Figure: ISO 12100:2010, Figure 3



R = Risk

S = Sever­ity of Harm

P = Prob­ab­il­ity of Occur­rence of Harm

The Prob­ab­il­ity of Occur­rence of Harm para­met­er is often fur­ther broken down into three sub-para­met­ers:

  • Prob­ab­il­ity of Expos­ure to the haz­ard
  • Prob­ab­il­ity of Occur­rence of the Haz­ard­ous Event
  • Prob­ab­il­ity of Lim­it­ing or Avoid­ing the Harm

How is risk measured?

In order to estim­ate risk, a scor­ing tool is needed. There is no one ‘cor­rect’ scor­ing tool, and there are flaws in most scales that can res­ult in blind-spots where risks may be over or under-estim­ated.

At the simplest level are ‘screen­ing’ tools. These tools use very simple scales like ‘High, Medi­um, Low’, or ‘A, B, C’. These tools are often used when doing a shop-floor inspec­tion and are inten­ded to provide a quick meth­od of cap­tur­ing obser­va­tions and giv­ing a gut-feel assess­ment of the risk involved. These tools should be used as a way to identi­fy risks that need addi­tion­al, detailed assess­ment. To get an idea of what a good screen­ing tool can look like, have a look at the SOBANE Dépar­is sys­tem [2].

Every scor­ing tool requires a scale for each risk para­met­er included in the tool. For instance, con­sider the CSA tool described in CSA Z434-04 [3]:

CSA Z434-03 Table 1

Table 1 – Guard­ing Selec­tion para­met­ers.

As you can see, each parameter (Severity, Exposure, and Avoidance) has a scale, with two possible selections for each parameter. Note that the CSA Z434 safeguarding selection tool (now obsolete) is NOT A RISK ASSESSMENT TOOL. It is a purpose-built tool intended to assist in the selection of safeguarding for a specific purpose. Its output is not in terms of risk but in terms of portions of the Hierarchy of Controls.

When con­sid­er­ing the selec­tion of a scor­ing tool, it’s import­ant to take some time to really exam­ine the scales for each factor. The scale shown above has a glar­ing hole in one scale. See if you can spot it and I’ll tell you what I think a bit later in this post.

There are more than 350 dif­fer­ent scales and meth­od­o­lo­gies avail­able for assess­ing risk. You can find a good review of some of them in Bruce Main’s text­book “Risk Assess­ment: Basics and Bench­marks” avail­able from DSE online [4].

A similar, although different, tool is found in Annex 1 of ISO 13849-1. Note that this tool is provided in an Informative Annex. This means that it is not part of the body of the standard and is NOT mandatory. In fact, this tool was provided as an example of how a user could link the output of a risk assessment tool to the Performance Levels described in the normative text (the mandatory part) of the standard.

Consider creating your own scales. There is nothing wrong with determining what characteristics (parameters) you want to include in your risk assessment, and then assigning each parameter a numeric scale that you think is suitable: 1 – 10, 0 – 5, etc. Some scales may be inverted relative to others. For example, if the Severity scale runs from 0 – 10, the Avoidability scale might run from 10 – 0 (Unavoidable to Entirely Avoidable).

Once the scales in your tool have been defined, doc­u­ment the defin­i­tions as part of your assess­ment.

Who should conduct risk assessments?

In many organizations, I find that risk assessment has been delegated to one person. This is a major mistake for a number of reasons. Risk assessment is not a solo activity for a ‘guru’ in a lonely office somewhere!

Risk assess­ment is not a lot of fun to do, and since risk assess­ments can get to be quite involved, it rep­res­ents a sig­ni­fic­ant amount of work to put on one per­son. Also, leav­ing it to one per­son means that the assess­ment will neces­sar­ily be biased to what that per­son knows, and may miss sig­ni­fic­ant haz­ards because the assessor doesn’t know enough about that haz­ard to spot it and assess it prop­erly.

Risk assess­ment requires mul­tiple view­points from par­ti­cipants with var­ied expert­ise. This includes users, design­ers, engin­eers, law­yers and those who may have spe­cial­ized know­ledge of a par­tic­u­lar haz­ard, like a Laser Safety Officer or a Radi­ation Safety Officer. The var­ied expert­ise of the people involved will allow the com­mit­tee to bal­ance the opin­ion of each haz­ard, and devel­op a more reasoned assess­ment of the risk.

I recommend that risk assessment committees never have fewer than three members. Five is frequently a good number. Once you get beyond five, it becomes increasingly difficult to obtain consensus on each hazard. Also, consider the cost. As each committee member is added to the team, the cost of the assessment can escalate exponentially.

Train­ing in risk assess­ment is cru­cial to suc­cess. Ensure that the indi­vidu­als involved are trained and that at least one has some pre­vi­ous exper­i­ence in the prac­tice so that they may guide the com­mit­tee as needed.

When should a risk assessment be conducted?


Risk Assessment Lifetime Flow Chart
Risk Assess­ment in the Life­time of a Product [5]

Risk assessment should begin at the beginning of a project, whether it’s the design of a product, the development of a process or service, or the design of a new building. Understanding risk is critical to the design process. The cost of changes made at the beginning of a project is minimal compared to the costs that will be incurred to correct problems that might have been foreseen at the start. Risk assessment should start at the concept stage and be included at each subsequent stage in the development process. The accompanying graphic illustrates this idea.

Essen­tially, risk assess­ment is nev­er fin­ished until the product, pro­cess or ser­vice ceases to exist.

What tools are available?

As mentioned earlier in this post, the book “Risk Assessment: Basics and Benchmarks” provides an overview of roughly 350 different scoring tools. You can search the Internet and turn up quite a few as well. The key thing with all of these systems is that you will need to develop any software-based tools yourself. Depending on your comfort with software, this might be a spreadsheet, a word processing document, a database, or some other format that works for your application.

There are a num­ber of risk assess­ment soft­ware tools avail­able as well, includ­ing DSE’s DesignSafe. As with the scor­ing tools, you need to be care­ful when eval­u­at­ing tools. Some have sig­ni­fic­ant blind spots that may trip you up if you are not aware of their lim­it­a­tions.

Remem­ber too that the out­put from the soft­ware can only be as good as the input data. The old saw “Garbage In, Garbage Out” holds true with risk assess­ment.

Where can you get training?

There are a few places to get training. Compliance inSight Consulting provides face-to-face training to corporate clients and offers a self-directed web-based course for individual learners. Compliance inSight also offers reduced rates on the online courses for groups of 15 or more learners. Contact CIC Sales for more information on group discounts.

The IEEE Product Safety Engin­eer­ing Soci­ety (PSES) oper­ates a Risk Assess­ment Tech­nic­al Com­mit­tee that is open to the pub­lic as well. See the RATC web site.

The Answer to the Scale Question

The Expos­ure Scale in the CSA tool has a gap between E1 and E2. Look­ing at the defin­i­tions for each choice, notice that E1 is less than once per day or shift, while E2 is more than once per hour. Expos­ures that occur once per hour or less, but more than once per day can­not be scored effect­ively using this scale.

Also, notice the Sever­ity scale: S1 encom­passes injur­ies requir­ing not more than basic first aid. One com­mon ques­tion I get is “Does that include CPR*?”. This ques­tion comes up because most basic first aid courses taught in Canada include CPR as part of the course. There is no clear answer for this in the stand­ard. The S2 factor extends from injur­ies requir­ing more than basic first aid, like a broken fin­ger, for instance, all the way to a fatal­ity. Does it make sense to group this broad range of injur­ies togeth­er? This defin­i­tion doesn’t quite match with the Province of Ontario’s defin­i­tion of a Crit­ic­al Injury found in Reg­u­la­tion 834 [6] either.

All of this points to the need to care­fully assess the scales that you choose before you start the pro­cess. Choos­ing the wrong tool can skew your res­ults in ways that you may not be very happy about.
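The gap check described above can be automated before a scale is adopted. The following is an added example, not part of the original post or of any standard: it encodes the exposure scale as paraphrased here, finds the uncovered range, and compares it with a hypothetical repaired scale. The band encoding, the 24-hour day and all names are assumptions of this example.

```python
import math
from fractions import Fraction

# Rates are exposures per hour. "Once per day" is taken as 1/24 per hour,
# an assumption of this example; use 1/8 for an 8-hour shift.
PER_DAY = Fraction(1, 24)

# Band = (label, low, high, low_inclusive, high_inclusive).
# Constructed from the definitions as paraphrased in this post.
EXPOSURE_SCALE = [
    ("E1", Fraction(0), PER_DAY, True, False),   # less than once per day
    ("E2", Fraction(1), math.inf, False, True),  # more than once per hour
]

# Hypothetical repair (not from any standard): E2 starts where E1 ends.
REPAIRED_SCALE = [
    ("E1", Fraction(0), PER_DAY, True, False),
    ("E2", PER_DAY, math.inf, True, True),
]


def score(scale, rate):
    """Return the label of the band containing rate, or None if unscorable."""
    for label, low, high, low_inc, high_inc in scale:
        above = rate > low or (low_inc and rate == low)
        below = rate < high or (high_inc and rate == high)
        if above and below:
            return label
    return None


def find_gaps(scale, lo=0, hi=math.inf):
    """Return uncovered intervals as (low, high, low_inclusive, high_inclusive)."""
    gaps = []
    cursor, covered = lo, False  # covered: is the point `cursor` itself in a band?
    for _, low, high, low_inc, high_inc in sorted(scale, key=lambda b: (b[1], not b[3])):
        if low > cursor or (low == cursor and not low_inc and not covered):
            gaps.append((cursor, low, not covered, not low_inc))
        if high > cursor or (high == cursor and high_inc):
            cursor, covered = high, high_inc
    if cursor < hi:
        gaps.append((cursor, hi, not covered, False))
    return gaps


if __name__ == "__main__":
    print(find_gaps(EXPOSURE_SCALE))              # the hole between E1 and E2
    print(score(EXPOSURE_SCALE, Fraction(1, 4)))  # once every four hours
    print(find_gaps(REPAIRED_SCALE))
```

Running the same check on every parameter scale in a tool, and recording the result with the scale definitions, makes blind spots visible before any hazard is scored.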

*Car­dio-Pul­mon­ary Resus­cit­a­tion


[1]     Inter­na­tion­al Organ­iz­a­tion for Stand­ard­iz­a­tion (ISO). “Safety of machinery — Gen­er­al prin­ciples for design — Risk assess­ment and risk reduc­tion,” ISO 12100, 2010.

[2]     J. Malchaire, “Deparis English”, 2018. [Online]. Available: [Accessed: 09-Oct-2018].

[3]     Cana­dian Stand­ards Asso­ci­ation. “Indus­tri­al Robots and Robot Sys­tems – Gen­er­al Safety Require­ments,” CSA Z434, 2004.

[4]     B. Main, Risk assess­ment: Basics and Bench­marks, 2nd ed. Ann Arbor, MI: Design Safety Engin­eer­ing, 2012.

[5]     Image: Com­pli­ance inSight Con­sult­ing Inc. 2011.

[6]     CRITICAL INJURY — DEFINED. Toronto: Queen’s Print­er for Ontario, 1991.
