Read the book Risk Assessment - Georgi Popov - Page 61

3.10 Risk Analysis


Upon identifying risk sources, the team will analyze the potential risk. As stated by ANSI/ASSP/ISO 31010, risk analysis involves developing an “understanding” of the risk. This analysis of each hazard/risk includes:

- determining the severity of consequences
- estimating the likelihood of occurrence
- assessing the effectiveness of existing controls
- estimating the risk level

The level of risk takes into consideration a combination of the possible consequences and likelihood. A single event or task can have many possible consequences and impact multiple assets.

Risk analysis can be qualitative, semiquantitative, or quantitative in nature, depending upon the context of the assessment and the available data. Qualitative analyses are the most common and use descriptors such as “high,” “serious,” “medium,” and “low” for degrees of severity of consequence, likelihood of occurrence, and risk level. Semiquantitative methods use numerical ratings for consequence and likelihood to produce a level of risk; these ratings are based on qualitative descriptive criteria rather than quantitative data. Quantitative analyses, which are not as common, use estimated values for consequences and their likelihood, producing numerical values of risk in specific units defined in the context. As stated by ANSI/ASSP/ISO 31010, full quantitative analysis may not always be possible or desirable due to insufficient information or the needs of the assessment. In many cases, a comparative semiquantitative or qualitative ranking of risks by qualified assessors is desired for the assessment.
