Introduction

In the last session you looked at how to identify a risk and considered the importance of understanding all of its root causes and consequences. Thorough risk identification is a fundamental precursor to what will be covered in Session 4 – assessing a risk. Assessing the risk is the next step in the ISO 31000 standard, where it is referred to as risk analysis and risk evaluation. In particular you will cover:

  • the different points at which risk can be assessed
  • the importance of time when making an assessment
  • how to assess risks in a quantitative and qualitative way
  • why using consistent units of measurement is important in assessing risk
  • why it is important to understand the impact and probability of each consequence
  • the iterative nature of risk assessment and risk treatment
  • the complexity and connectivity of risks, including how to deal with risks that have more than one consequence and with several risks that share the same consequence (aggregation).

Figure 1 ISO 31000 diagram – risk analysis and risk evaluation

By the end of this session, you should be able to:

  • understand the process of arriving at an ‘assessment value’ for the risk – scores and Probability and Impact Diagrams (PIDs) (gross, current, residual)
  • understand how to assess risk events (basic probability and impact assessment)
  • understand ‘basis of estimate’ – including the Programme Evaluation and Review Technique (PERT)
  • have an awareness of risk modelling – including Monte Carlo analysis and Schedule Risk Analysis (SRA).

Now begin Session 4.