Safety and Security Risk
Management
SEMESTER 1 – MID-TERMS
LECTURE 1 – 9 September 2024
A simple risk assessment approach:
- Risk = Likelihood × Consequence.
Complexity requires risk management.
Within an organization, there are processes and procedures, often run under
management system standards:
- Quality Management Systems: ISO 9001 and ISO 13485 (medical devices).
- Health & Safety Management System: ISO 45001.
- Risk management: ISO 31000 (guidelines, not a certifiable management
system standard).
Assessing risk is done through identifying, analyzing, and evaluating.
Safety versus Security
Safety and security needs and methods overlap constantly.
Safety Science
Lays down the context for all risk assessment and risk management.
Safety science studies events within organizations (often "occupational
accidents and diseases") from three angles:
- Causes, drawing on legal requirements, previous experience, engineering,
psychology, medicine, etc.
- Prevention.
- Investigation.
Risk is rarely isolated: it is connected to the environment, the
organization and the scope of the assessment.
ISO 31000 clauses
How to read standards
- Scope and references.
- Terms and definitions.
- Principles.
- Framework.
- Process.
The Eight Principles
The eight principles describe what makes risk management effective.
Their purpose is value creation and protection.
1. Integrated.
2. Structured & Comprehensive:
- Consistent and comparable.
3. Customized:
- Internal and external context.
4. Inclusive:
- All stakeholders that are involved.
5. Dynamic:
- Responds to changes.
6. Best available information:
- Historic, current, and future.
- Know reliability.
7. Human and Cultural Factors:
- Human behavior and culture influence everything.
8. Continual improvement:
- Learn from experience.
READING 1
ISO 31000 (2018): Clauses 6.1–6.4.2:
General
The risk management process involves the systematic application of
policies, procedures, and practices to the activities of communicating and
consulting, establishing the context, and assessing, treating, monitoring,
reviewing, recording, and reporting risk.
This process should be a key part of management and decision-making
and fit into the structure, operations, and processes of the organization.
- Human behavior should be considered throughout the risk
management process.
Communication and consultation
The purpose of communication and consultation is to assist relevant
stakeholders (internal and external) in understanding risk, the basis on
which decisions are made, and the reasons why particular actions are
required.
- Communication = promoting awareness and understanding of
risks.
- Consultation = obtaining feedback and information to support the
decision-making.
Scope, context, and criteria
The purpose of establishing the scope, context, and criteria is to
customize the risk management process, enabling effective risk
assessment and appropriate risk treatment. Scope, context, and criteria
involve defining the scope of the process and understanding the external
and internal context.
Risk assessment
Risk assessment is the overall process of risk identification, risk analysis,
and risk evaluation.
The purpose of risk identification is to find, recognize, and describe risks
that might help or prevent an organization from achieving its objectives.
IEC 31010 (2019): Clauses 6.1–6.3.2:
Implementing risk assessment
The purpose of the assessment should be established, including
identifying the decisions or actions to which it relates, the decision-
makers, stakeholders, and the timing and nature of the output required
(for example whether qualitative, semi-quantitative, or quantitative
information is required).
When undertaking a risk assessment those involved should be aware
of the broader circumstances in which decisions and actions based on their
assessment will be made. This includes understanding the internal and
external issues that contribute to the context of the organization as well as
wider societal and environmental aspects.
Stakeholders and those who are likely to be able to contribute useful
knowledge or relevant views should be identified, and their perspectives
considered whether or not they are included as participants in the
assessment.
The objectives of the specific system or process for which risk is to
be assessed should be defined and where practicable documented. This
will facilitate the identification of risk and understanding of its implications.
Human, organizational, and social factors should be considered
explicitly and addressed as appropriate.
Criteria, including risk criteria, which need to be considered when
making decisions, should be reviewed before undertaking the assessment.
Criteria can be qualitative, semi-quantitative, or quantitative.
Manage information and develop models
Before and during a risk assessment, relevant information should be
obtained. This information provides an input to statistical analysis, models,
or the techniques described in Annexes A and B.
Apply risk assessment techniques
The techniques are used to develop an understanding of risk as an input to
decisions where there is uncertainty, including decisions about whether
and how to treat risk.
Assessment techniques can be used for:
- Identifying risk.
- Determining causes, sources, and drivers of risk, and the level of
exposure to them.
- Investigating the overall effectiveness of controls and the modifying
effect of proposed risk treatments.
- Understanding consequences and likelihood.
- Analysing interactions and dependencies.
- Providing a measure of risk.
Popov (2022), Chapters 3–6:
Risk Criteria
An organization should select or develop a risk assessment matrix that the
stakeholders broadly agree upon to be used in the risk assessment
process. This key component is used to define and determine risk levels
within an organization.
The purpose of the risk assessment matrix is to provide "a method to
categorize combinations of likelihood of occurrence and severity of harm,
thus establishing risk levels".
In essence, it is a risk “measuring stick” and communication tool used to
help categorize and prioritize risks within the organization so that decision-
makers can take the most appropriate action regarding risks and their
treatment.
Establishing Context
The purpose and scope, together known as the context of the risk
assessment, must be established. Within the organization's risk management
process, the context should define the purpose and scope of the
assessment; the stakeholders'/team members' responsibilities and
accountabilities; the degree, extent, or rigor of the assessment; the risk
assessment methodologies; the risk criteria; and the resources available.
The context should set the boundaries for the assessment with internal
(resources, knowledge, culture, and values among others) and external
(legal, regulatory, economy, perceptions of external stakeholders, etc.)
parameters in mind.
Risk Identification
For operational risks, hazards are the source of risk. Thus, if risks are to be
assessed, hazards must first be identified and described. Risk
identification is defined as the process of finding, recognizing, and
recording risks. Its purpose is to identify what might happen and/or the
situations that could impact the system or organization. Risk identification
should include the identification and description of the source of the risk
(hazard in the context of physical harm) and its causes; events, situations,
or circumstances that could have a material impact upon objectives; the
nature of impact; and any existing controls for the identified risk.
Preliminary Hazard and Risk Analysis
Preliminary Hazard Analysis (PHA) is a “preliminary” or initial analysis of a
system design, facility, or process that is used in many industries and
applications. PHA is used by safety professionals to identify hazards and
necessary control measures and allow for risk levels to be prioritized for
further risk assessment and management.
Preliminary Hazard Analysis (PHA) is a systematic method to identify
hazards, assess the initial risks, and identify potential mitigation
measures early in the design stage. It is referred to as a "preliminary"
analysis since it is usually followed by more refined hazard analysis and
risk assessment studies in more complex systems.
Preliminary Hazard List
Before a PHA, a Preliminary Hazard List (PHL) is commonly used to identify
and compile a list of potential, significant hazards associated with a
system’s design. The purpose of a PHL is to initially identify the most
evident or worst‐credible hazards that could occur in the system being
designed. Such hazards may be inherent to the design or created by
potential energy release in the system. A PHL is only a list of the hazards;
however, it can be the basis for an analysis that becomes a PHA or other
risk assessment.
Conducting a Preliminary Hazard and Risk Analysis (PHRA)
A preliminary hazard and risk analysis or PHRA is essential to the
preventive and proactive aspect of a safety management system. The
primary purpose of preliminary analyses is to identify, describe, and
assess significant hazards that might arise from defects and unsafe
conditions in the design and operation of a system or subsystem. The
process steps for conducting a PHRA are similar to other hazard
identification methods and risk assessments.
1. Establish Risk Criteria: An organization shall create and obtain broad
agreement on risk criteria that are suitable to the hazards and risks with
which it deals.
2. Establish the Context: The purpose of establishing the context is to
customize the risk management process, enabling effective risk assessment
and appropriate risk treatment. The PHRA's purpose and scope are defined
with its objectives and limitations. The scope should include a clear
definition of the system to be assessed, including physical boundaries,
operating phases, etc.
3. Establish PHRA Team: A team is recommended over a single individual when
performing a PHRA. The team should consist of an experienced facilitator to
lead the team, a scribe to document the analysis, and several team members
with the necessary knowledge and experience in the system and associated
hazards.
4. Identify Hazards/Risks: Identify the system's potential hazards and their
targets, including hazardous events or activities. A team approach using
brainstorming to identify hazards is recommended. Resources that assist in
identifying hazards may include checklists, PHL, similar designs/studies,
codes
5. Consider Causes and Failure Modes: The possible failure modes
that could result in hazardous situations shall be considered,
including the reasonably foreseeable uses and misuse of facilities,
materials, and equipment.
6. Analyze Severity of Consequences: For each identified hazard,
the worst‐credible case severity resulting from the hazard is
analyzed and scored according to the severity risk ratings.
7. Analyze Likelihood: For each identified hazard, the likelihood of
the hazard occurring is determined and scored according to the
likelihood risk ratings.
8. Estimate Risk: Each identified risk is estimated using the
established risk criteria to determine the likelihood of occurrence,
severity of consequence, and level of risk.
9. Evaluate Risk: The estimated levels of risk are compared with the
established risk criteria to determine the significance of the level
and type of risk, and where the risk is acceptable to the
organization. For risks that are categorized as unacceptable, further
action is required to reduce risk.
10. Select and Implement Risk Reduction Methods: When the
initial risk assessment so indicates, risk avoidance, elimination,
reduction, or control methods shall be selected and implemented to
achieve an acceptable risk level for each identified hazard.
11. Re‐evaluate Risk: For risks that have been treated with
selected risk reduction measures, a re‐evaluation of the resulting risk
level is performed. If the treated risk level is still considered
unacceptable, actions are taken to further reduce the risk before
proceeding with the operation.
12. Monitor, Record, and Report: The PHRA process, risk
reduction actions taken, and resulting residual risk levels are
recorded, and reported to management and key stakeholders. The
risk reduction measures, and risk levels are continually monitored for
any changes.
LECTURE 2 – 16 September 2024
Definitions of risk, likelihood and hazards.
ISO: Risk = effect of uncertainty on objectives.
IEC: Risk (source, event) = Consequence × Likelihood.
Safety: Risk (hazard, exposure) = Severity of loss × Probability.
Security: Risk (threat) = Impact × (Threat × Vulnerability).
Combined: Risk = Exposure × Likelihood × Consequence, modified by the
effect of controls.
Risk Management Process
Often referred to as HIRAC (Hazard Identification, Risk Assessment and
Control):
- Hazard Identification (risk source).
- Risk (likelihood & consequence).
- Assessment.
- Control.
Implementing Risk Assessments
The assessment is a project within a continuous process.
1. Plan.
2. Develop & info input.
3. Apply techniques.
4. Review the results.
5. Apply to decisions.
Plan
Planning the assessment itself.
- Purpose: goal of project.
- Project Scope: constraints, references.
- Context: alternatives.
- Stakeholders: all involved.
- Criteria: How do we make decisions? What risks can be accepted?
Manage info & Develop models
Simplify reality in a model.
- Involve stakeholders: (Objective & Consequences).
- Collect data: measurements, data sheets, literature/scientific papers,
observations, expert opinion.
- Analyze data: How reliable, useful, etc.
- Develop model: Simplify, (simulate?).
B.1.2 Brainstorm
Technique for eliciting views from stakeholders and experts.
Summary:
Generate a wide range of ideas about risks without criticism or judgement.
Tips:
- Encourage equal participation from all.
- Focus on quantity over quality.
- Use a skilled facilitator.
- Follow up with structured analysis to assess and prioritize risks.
Pros and Cons:
+ Easy to organize.
+ Stimulates creativity.
+ Useful for initial risk identification.
- Can be dominated by louder voices.
- Can go wild and become unproductive.
Apply Techniques
The risk assessment Sub-process.
Select Techniques, Identify, Analyze and Evaluate:
- Determine sources.
- Existing controls.
- Consequence and likelihood.
- Interaction of risks.
- Measures of risk.
B.2.5 Scenario Analysis
Technique for identifying risks.
Summary:
Developing and analyzing a range of possible future events or conditions
to understand how they might impact risks.
Tips
- Define clear, plausible and relevant scenarios.
- Cover extreme and moderate scenarios:
  - in likelihood;
  - in consequence/impact.
Pros and Cons:
+ Prepares for the unexpected.
+ Promotes long-term thinking.
+ Visualizes multiple outcomes.
- Can be speculative; needs experts.
- Time consuming in complex situations.
B.2.6 SWIFT – Structured “What if”
Technique for identifying risks.
Summary:
Structured brainstorming techniques used to identify potential risks by
posing “What if” questions about a process, system or project.
Tips:
- Start with a clear understanding.
- Document all “What if” scenarios and associated risks for follow-up
analysis.
Pros and Cons:
+ Flexible.
+ Minimal preparation.
+ More time-efficient than scenario analysis.
- Can be speculative; needs experts.
- Might miss certain risks.
B.4.2 Bowtie – causes, consequences and controls
Technique for analyzing controls.
Summary:
Link potential causes of an event to its consequences and identify
preventive and mitigation controls in a bowtie-shaped diagram.
Tips:
- Define the knot: the central "EVENT" and its scope.
- Regularly update.
- Well suited to accident scenarios.
Pros and Cons:
+ Easy to understand and communicate.
+ Shows gaps in the barriers.
+ Applicable across the whole risk assessment.
- Oversimplifies complex systems.
- Time consuming for complex risks.
B.10.3 Risk Matrix, heat map
Technique for recording and reporting.
Summary:
A graphical tool that helps assess and prioritize risks by evaluating their
likelihood and potential impact.
Tips:
- Define criteria: how do we "score"?
  - Severity.
  - Likelihood.
- Explain the matrix to all stakeholders.
- Regularly update the matrix as new risks emerge or existing risks
evolve.
Pros and Cons:
+ Simple, easy to use, and widely understood across industries.
+ Provides a quick overview for decision-makers.
+ Useful for comparing multiple risks side by side.
- Time consuming for complex risks.
B.10.2 Risk registers
Technique for recording and reporting
Summary:
Documentation tool providing a structured approach to managing,
communicating and tracking risks and mitigations throughout a project or
organization.
Tips:
- List all identified risks, and rate and prioritize them.
- Assign risk owners responsible for monitoring and addressing each
risk.
- Regularly update the register to reflect changes in risk status or new
risks.
Pros and Cons:
+ Centralized document for managing and tracking risks.
+ Facilitates proactive risk management by assigning ownership and
monitoring.
+ Promotes accountability and communication across teams.
- Can become cumbersome if overloaded with too many details.
- May not capture interdependencies between risks.
- Requires ongoing maintenance.
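The following is an added example, not code from the lecture notes, Popov or the ISO/IEC standards. It implements a 5×5 risk matrix (B.10.3) and a risk register (B.10.2) and takes constructed hazards through the PHRA loop from the Lecture 1 reading: agree criteria, score worst-credible severity and likelihood, estimate and evaluate against the criteria, treat, re-evaluate, record residual risk with an owner. The scales, the level thresholds, the "only a control can lower a score" rule and the server-room hazards are all assumptions made for the illustration; an organization has to agree its own criteria before anything is scored.

```python
"""
Added example, not from the lecture notes, Popov or ISO/IEC: a risk matrix
(B.10.3) and risk register (B.10.2) that take hazards through the PHRA loop
of Lecture 1. The 5x5 scales, level thresholds and hazards are constructed
for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Risk criteria (assumed): ordinal 1..5 scales agreed once and used for every score.
SEVERITY = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "catastrophic"}
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}


def risk_level(severity: int, likelihood: int) -> str:
    """One cell of the matrix. Thresholds are part of the agreed criteria
    (assumed here): score <= 4 low (acceptable), 5..9 medium (tolerable,
    keep monitoring), >= 10 high (unacceptable, treat before operation)."""
    if severity not in SEVERITY or likelihood not in LIKELIHOOD:
        raise ValueError("scores must be on the agreed 1..5 scales")
    score = severity * likelihood
    return "low" if score <= 4 else "medium" if score <= 9 else "high"


@dataclass
class Hazard:
    """One register row: hazard, current scores, owner, controls, history."""
    id: str
    description: str
    severity: int      # worst-credible consequence (PHRA step 6)
    likelihood: int    # likelihood of the hazardous event (step 7)
    owner: str         # accountable person: the register tip "assign owners"
    controls: List[str] = field(default_factory=list)
    history: List[Tuple[int, int, str]] = field(default_factory=list)

    def evaluate(self) -> str:
        """Steps 8-9: estimate the level and record it (step 12)."""
        level = risk_level(self.severity, self.likelihood)
        self.history.append((self.severity, self.likelihood, level))
        return level

    def treat(self, control: str, severity_after: Optional[int] = None,
              likelihood_after: Optional[int] = None) -> str:
        """Steps 10-11: add a control, lower the score(s) it affects, re-evaluate.
        Preventive controls lower likelihood; only a safer design lowers
        severity. A control that raises a score is a modelling error."""
        if severity_after is not None:
            if severity_after > self.severity:
                raise ValueError("a control cannot increase severity")
            self.severity = severity_after
        if likelihood_after is not None:
            if likelihood_after > self.likelihood:
                raise ValueError("a control cannot increase likelihood")
            self.likelihood = likelihood_after
        self.controls.append(control)
        return self.evaluate()


def prioritize(register: List[Hazard]) -> List[str]:
    """Hazard ids by score, highest first; ties go to the higher severity."""
    ranked = sorted(register, key=lambda h: (h.severity * h.likelihood, h.severity), reverse=True)
    return [h.id for h in ranked]


def needs_treatment(register: List[Hazard]) -> List[str]:
    """Ids whose current level is unacceptable under the criteria."""
    return [h.id for h in register if risk_level(h.severity, h.likelihood) == "high"]


def render(register: List[Hazard]) -> List[str]:
    """Register rows as text for reporting (step 12)."""
    return [f"{h.id} | S{h.severity} L{h.likelihood} | {risk_level(h.severity, h.likelihood):6} | "
            f"{h.owner} | {'; '.join(h.controls) or 'no controls'}" for h in register]


def run_phra() -> List[Hazard]:
    """Constructed register for a small server room with a diesel generator."""
    reg = [
        Hazard("H1", "Diesel fuel leak next to switchgear (fire)", 5, 2, "facilities"),
        Hazard("H2", "Technician contact with live busbar", 5, 3, "facilities"),
        Hazard("H3", "Unescorted contractor reaches the server racks", 4, 3, "security"),
        Hazard("H4", "Trip hazard from cable trays on the floor", 2, 4, "facilities"),
    ]
    for h in reg:
        h.evaluate()                       # initial estimate: H1-H3 high, H4 medium
    reg[0].treat("bunded tank with leak-detection shutdown", likelihood_after=1)
    reg[1].treat("lock-out/tag-out and insulated covers", likelihood_after=1)
    reg[2].treat("badged rack cage, escort rule, access-log review", likelihood_after=2)
    reg[3].treat("overhead cable management", likelihood_after=1)
    return reg


if __name__ == "__main__":
    for line in render(run_phra()):
        print(line)
```

Running it shows H1 and H2 dropping from high to medium, never to low: with a catastrophic severity the matrix cannot reach "low" through likelihood alone, which is the matrix reminding the team that preventive controls change how often the event happens, not what happens when they fail. Each `treat` call appends to `history`, so the register keeps the audit trail that step 12 asks for.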
B.1.3 Delphi
Technique for eliciting views from stakeholders and experts.
Summary:
Iterative, structured approach with a panel of (anonymous) experts
providing answers and insights in multiple rounds.
Tips:
- Select a diverse panel.
- Run more rounds for complex questions and cases (until consensus is
reached).
- Facilitate sharing of summaries and feedback between rounds.
- Use when there is no scientific consensus.
Pros and Cons:
+ Less groupthink and bias.
+ Consensus among experts for complex issues.
+ Can be done remotely and globally.
- Time consuming.
- Needs effort to reach real consensus.
B.1.4 Nominal Group (NGT)
Technique for eliciting views from stakeholders and experts.
Summary:
Structured method for generating and prioritizing risks by having
participants individually suggest risks and then rank them.
B.1.5 (Semi) Structured Interviews
Technique for eliciting views from stakeholders and experts.
Summary:
1-on-1 questions and answers used to gather in-depth insights from
individuals.
B.1.6 Surveys
Technique for eliciting views from stakeholders and experts.
Summary:
Collect information from a large group of stakeholders or participants
through structured questionnaires.
Identifying Risks; A deep dive
B.2.2 Checklists, classifications and taxonomies
Technique for identifying risks.
Summary:
Systematically reviewing a predefined list of potential risks or factors.
Tips:
- Use existing, predefined lists, e.g.:
  - PESTLE (political, economic, social, technological, legal,
    environmental; extended variants add ethical, demographic, etc.).
  - Hazard overview (mechanical, biological, chemical, pressure, fire,
    electrical, etc.).
- Customize & update lists for your assessment.
- Use as a starting point, not as a standalone tool.
Pros and Cons:
+ Simple and easy to use, even for non-experts.
+ Ensures common risks are not overlooked.
- May miss unique emerging risks (new tech).
- Can encourage a checkbox mentality, where deeper analysis is bypassed.
B.2.3 Failure Modes and Effects Analysis (FMEA)
Technique for identifying risks.
Summary:
Identify and evaluate failure modes (what could go wrong at each step or
component?) in a system, product, or process and assess impact.
Tips:
- Begin by identifying all key components.
- Criticality (FMECA): assign a Risk Priority Number (RPN) based on
severity, occurrence, and detection of each failure mode.
- Update when new failure modes are discovered.
Pros and Cons:
+ Detailed and structured analysis of potential failures.
+ Prioritizes risks using an explicit criterion (RPN).
+ Widely applicable in design, manufacturing, and process improvement.
- Requires detailed system knowledge.
- Subjective risk scoring can lead to inconsistencies.
- May overlook complex interactions (only single failure modes).
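An added example of the FMECA scoring described above; it is not code from the lecture notes or IEC 31010. It builds a small worksheet, computes RPN = S × O × D on 1..10 scales and ranks the failure modes. It also makes the "subjective scoring" con concrete: RPN multiplies three ordinal scales, so unrelated (S, O, D) triples collide on one value and the highest-severity mode can land at the bottom of the ranking. The chlorine dosing skid, its failure modes and scores, the RPN threshold of 100 and the "severity floor" rule that flags a mode on severity alone are all assumptions for the illustration, not part of classic RPN.

```python
"""
Added example, not from the lecture notes or IEC 31010: an FMEA worksheet
extended to FMECA by the Risk Priority Number RPN = S x O x D, ranked by
it, with a check for the ranking's known blind spots. Scores and the
severity-floor rule are constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class FailureMode(NamedTuple):
    component: str
    mode: str
    severity: int    # S: effect of the failure, 1 (none) .. 10 (hazardous)
    occurrence: int  # O: how often the cause arises, 1 (remote) .. 10 (frequent)
    detection: int   # D: chance current controls miss it, 1 (certain) .. 10 (none)


def rpn(fm: FailureMode) -> int:
    """Risk Priority Number; every factor must be on the 1..10 scale."""
    for score in (fm.severity, fm.occurrence, fm.detection):
        if not 1 <= score <= 10:
            raise ValueError(f"score {score} outside the 1..10 scale")
    return fm.severity * fm.occurrence * fm.detection


def rank(worksheet: List[FailureMode]) -> List[FailureMode]:
    """Highest RPN first; equal RPNs are broken by severity, then occurrence."""
    return sorted(worksheet, key=lambda fm: (rpn(fm), fm.severity, fm.occurrence), reverse=True)


def rpn_collisions(worksheet: List[FailureMode]) -> Dict[int, List[FailureMode]]:
    """RPN values shared by modes with different (S, O, D) triples."""
    by_rpn = defaultdict(list)
    for fm in worksheet:
        by_rpn[rpn(fm)].append(fm)
    return {value: fms for value, fms in by_rpn.items()
            if len({(f.severity, f.occurrence, f.detection) for f in fms}) > 1}


def needs_action(fm: FailureMode, rpn_threshold: int = 100, severity_floor: int = 8) -> bool:
    """Action if RPN is over the threshold OR severity alone is at/above the floor.
    The floor (assumed) stops a catastrophic-but-rare mode hiding behind a low RPN."""
    return rpn(fm) >= rpn_threshold or fm.severity >= severity_floor


# Constructed worksheet: chlorine dosing skid at a small water plant, where
# safety (overdose) and security (remote setpoint change) failure modes sit
# in one table.
WORKSHEET = [
    FailureMode("dosing pump", "runs at full speed (relay contacts welded)", 9, 2, 3),
    FailureMode("flow sensor", "reports zero flow while flow continues", 6, 3, 4),
    FailureMode("HMI", "setpoint changed by an unauthorised remote user", 9, 3, 6),
    FailureMode("alarm forwarder", "log/alarm forwarding stops silently", 3, 6, 8),
    FailureMode("reagent tank", "level indicator sticks at full", 8, 2, 6),
    FailureMode("panel", "indicator lamp burns out", 2, 8, 6),
]


def action_list(worksheet: List[FailureMode] = WORKSHEET) -> List[str]:
    """Modes that need action, in RPN order, each tagged with the rule that fired."""
    out = []
    for fm in rank(worksheet):
        if needs_action(fm):
            reason = "rpn" if rpn(fm) >= 100 else "severity floor"
            out.append(f"{fm.component}: {fm.mode} (RPN {rpn(fm)}, {reason})")
    return out


if __name__ == "__main__":
    for line in action_list():
        print(line)
    print("RPN collisions:", {k: [f.component for f in v] for k, v in rpn_collisions(WORKSHEET).items()})
```

In this worksheet the welded pump relay (severity 9) has the lowest RPN of all because it is rare and easy to detect, and the reagent level indicator (severity 8) ties at 96 with a burnt-out lamp (severity 2). Ranking by RPN alone would put both safety-relevant modes behind the silent log forwarder; the severity floor is what brings them back onto the action list.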
“Failure” in technical terms; When systems break down…
- Engineering concept, e.g. failure of a system, component, pump,
engine, door, wall, etc.
- Can be cause, event or consequence.
- Understanding different types of failure is highly relevant for your
ability to correctly assess and manage risks in both safety and
security.
- Special importance for mission-critical systems, redundant
systems, backup systems, etc.
Independent and dependent failures
Independent failures:
- A failure of one or more components that happens independently of
failures of other components.
Dependent failures:
- A failure of one or more components that happens due to some
relationship between the components or their cause of failure.
Cascading failures:
Dependent failure that occurs because of the failure of another
component.
Common Cause (CCFs) & Common Mode (CMFs)
Common Cause Failure (CCF):
- An event where multiple failures occur due to a shared cause.
Common Mode Failure (CMF):
- An event where multiple failures occur due to a shared failure mode.
Systematic Failures:
- Failures tied deterministically to a cause such as a design,
specification or software error; they recur whenever the same conditions
recur and are removed only by changing the design or process, not by
redundancy (identical redundant copies share the same defect, which is
why an exploitable software flaw hits every replica). Not to be confused
with failure of the whole system, e.g. due to lack of redundancy.
Single Point Failures (SPF):
- Component failure that will lead to the failure of a whole system.
B.2.4 HAZOP – Hazard and Operability Analysis
Technique for identifying risks:
Summary:
Analyzing deviations from the design or operational intent of a system or
process.
Tips:
- Break the system or process into “nodes”.
- Use guide words to identify deviations.
- Use a multidisciplinary team.
- Record findings systematically, including causes, consequences, and
potential safeguards.
Pros and Cons:
+ Detailed and thorough.
+ Good for accounting for human error.
+ Generates suggestions for solutions.
+ Multidisciplinary, multistage.
- Needs lots of information and extensive knowledge.
- Can produce so much data that the fundamentals get lost.
Lecture 3 – 23 September 2024
Causes and Root Cause Analysis
B.3.3 Ishikawa (fishbone) method
Technique for determining sources, causes and drivers.
Summary:
Identify potential (root) causes of a defined problem by grouping candidate
causes into major categories (e.g. people, methods, machines, materials,
measurement, environment) on a fishbone-shaped diagram.
Tips:
- Head: define a clear problem.
- Bones: define major categories.
- Brainstorm potential causes per category.
- Analyze each, review, and identify priorities.
Pros and Cons:
+ Intuitive visual tool for root cause analysis.
+ Encourages team collaboration.
+ Helps identify multiple causes, not just the obvious ones.
- Cannot prioritize causes on its own, making it hard to focus on key issues.
- Requires experienced facilitation to ensure thoroughness.
Fault Tree Analysis; Find root causes
B.5.7 Fault tree Analysis (FTA)
Technique for understanding consequences and likelihood.
Summary:
A top-down, deductive method used to analyze the potential causes of a
system failure by identifying and linking contributing events.
Tips:
- Start with a defined top-level failure (undesired event).
- Break down the system into lower-level events using logic gates (AND/OR).
- Focus on key contributors to the failure and their interconnections.
- Quantify probabilities of failure for better risk evaluation.
Pros and Cons:
+ Provides a clear, structured way to identify failure causes.
+ Helps pinpoint critical system vulnerabilities.
+ Supports quantitative risk assessment with probability data.
- Requires detailed system knowledge and data.
- Can become difficult to manage for large systems.
- Focuses only on failures, not on successful outcomes or mitigations.
Consequences and Impact
Consequences – impact scope.
Area         Example
People       (Mental) injury, loss.
Assets       Damage, loss.
Reputation   (Political) trust, brand.
Operations   Downtime, service disruption, mission lost.
Compliance   Fines, lawsuits.
Consequence – assessment.
Event Tree Analysis; Find consequences
B.5.6 Event Tree Analysis
Technique for understanding consequences and likelihood.
Summary:
A forward-looking, graphical method used to model the potential outcomes
of an initiating event and the effectiveness of various controls.
Tips:
- Start with a clear initiating event and explore possible outcomes.
- Identify key barriers or controls that affect the event’s progression.
- Use branching paths to represent different outcomes based on
control success or failure.
- Quantify probabilities to assess the likelihood of each scenario.
Pros and Cons:
+ Visualizes the progression of events from a single initiating incident.
+ Helps assess the effectiveness of barriers.
+ Easy to understand and communicate.
- Limited to predefined events and controls.
- Can become complex with many branching paths.
- Requires accurate data to quantify probabilities effectively.
Lecture 4 –
Cause consequence analysis
B.5.5 Cause-consequence analysis (CCA)
Technique for understanding consequence and likelihood.
Summary:
Combines fault tree and event tree analysis to explore the potential
causes of an event and the consequences that follow.
Tips:
- Focus on key events to avoid overly complex diagrams.
- Use fault trees to identify causes and event trees to explore
consequences.
- Ensure diagrams show all paths from cause to consequence.
Pros and Cons:
+ Combines both cause and consequence analysis in one model.
+ Visual approach aids understanding of risk pathways.
+ Effective for analyzing complex systems with many variables.
- Can become complex and difficult to manage.
- Requires detailed data for both causes and consequences.
- Time-consuming to construct for large systems.
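An added example covering the fault tree (B.5.7), the event tree (B.5.6) and their combination as cause-consequence analysis (B.5.5), together with the common cause failure model from the failure-types section in Lecture 2; it is not code from the lecture notes or IEC 31010. The fault tree computes the top-event probability through AND/OR gates and extracts the minimal cut sets; a redundant pump pair is modelled with a beta-factor CCF, which shows how a shared cause defeats redundancy; the top event then feeds an event tree whose barriers are tried in order. The tree, the basic-event probabilities, the beta factor of 0.1, the barriers and their success probabilities are constructed for illustration, and treating the top-event probability as an annual frequency is an approximation that only holds for rare events.

```python
"""
Added example, not from the lecture notes or IEC 31010: a fault tree with
AND/OR gates, minimal cut sets and a beta-factor common-cause failure model,
feeding an event tree (cause-consequence analysis). All numbers are
constructed for illustration.
"""
from itertools import product
from typing import Dict, FrozenSet, List, Set, Tuple, Union

Node = Union[str, Tuple[str, list]]   # basic event name, or (gate, [children])


def event_probability(node: Node, p: Dict[str, float]) -> float:
    """Probability of the event at `node`, assuming independent basic events."""
    if isinstance(node, str):
        return p[node]
    gate, children = node
    probs = [event_probability(c, p) for c in children]
    if gate == "AND":                      # all children must fail
        result = 1.0
        for x in probs:
            result *= x
        return result
    if gate == "OR":                       # any child failing is enough
        none_fail = 1.0
        for x in probs:
            none_fail *= 1.0 - x
        return 1.0 - none_fail
    raise ValueError(f"unknown gate {gate}")


def minimal_cut_sets(node: Node) -> Set[FrozenSet[str]]:
    """Smallest sets of basic events that together cause the top event."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        combined = set().union(*child_sets)
    else:  # AND: one cut set from every child, merged
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    return {s for s in combined if not any(other < s for other in combined)}


def redundant_pair(a: str, b: str, p_each: float, beta: float):
    """Beta-factor CCF model: a share `beta` of each unit's failure probability
    is one shared cause (same design flaw, same maintenance error, same
    exploit) that takes both units out at once, bypassing the redundancy."""
    ccf = f"CCF({a},{b})"
    tree = ("OR", [("AND", [a, b]), ccf])
    probs = {a: (1 - beta) * p_each, b: (1 - beta) * p_each, ccf: beta * p_each}
    return tree, probs


def event_tree(initiating_frequency: float, barriers: List[Tuple[str, float]]) -> Dict[str, float]:
    """Barriers are tried in order; the first that works ends the sequence.
    Returns the frequency of every outcome, including 'all barriers failed'."""
    outcomes = {}
    remaining = initiating_frequency
    for name, p_success in barriers:
        outcomes[f"contained by {name}"] = remaining * p_success
        remaining *= 1 - p_success
    outcomes["all barriers failed"] = remaining
    return outcomes


# Constructed fault tree: "cooling lost" in a server room.
PAIR_TREE, PAIR_P = redundant_pair("pump1", "pump2", p_each=0.01, beta=0.1)
TOP = ("OR", [PAIR_TREE, "power_loss", ("AND", ["sensor_fail", "operator_miss"])])
P = dict(PAIR_P, power_loss=0.002, sensor_fail=0.05, operator_miss=0.2)

# Constructed barriers for the event tree, with probability of working on demand.
BARRIERS = [("automatic trip", 0.9), ("operator intervention", 0.7), ("thermal shutdown", 0.95)]


def cause_consequence() -> Dict[str, float]:
    """CCA: the fault tree's top event is the event tree's initiating event."""
    return event_tree(event_probability(TOP, P), BARRIERS)


if __name__ == "__main__":
    print("pair, no CCF :", event_probability(*redundant_pair("pump1", "pump2", 0.01, 0.0)))
    print("pair, beta=.1:", event_probability(PAIR_TREE, PAIR_P))
    print("top event    :", event_probability(TOP, P))
    print("cut sets     :", sorted(sorted(s) for s in minimal_cut_sets(TOP)))
    for outcome, freq in cause_consequence().items():
        print(f"{outcome:34} {freq:.2e} /yr")
```

Two things to read off the output: with independent pumps the pair fails with probability 1e-4, but a beta factor of 0.1 makes the common cause the dominant cut set and the pair is roughly ten times worse; and the event tree's outcome frequencies always sum to the initiating frequency, which is a cheap sanity check on any hand-drawn tree.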
Lecture 5
B.1 Techniques for eliciting views from stakeholders and experts
B.2 Techniques for identifying risks
B.3 Techniques for determining sources, causes and drivers.
B.3.2 Cindynic approach “science of danger”
Technique for determining sources, causes and drivers.
Summary:
Interdisciplinary approach that focuses on identifying, analyzing, and
managing dangers through a combination of sociology, psychology and
engineering perspectives.
B.4 Techniques for analyzing controls
B.4.3 HACCP – Hazard Analysis and Critical Control Points
Technique for analyzing controls.
Summary:
Systematic preventive approach to (food) safety that identifies potential
hazards (HA) and implements “Critical Control Points” (CCP).
Tips:
- Identify Critical Control Points (CCPs): Recognize the steps where
control is essential.
- Establish Monitoring Procedures: Set clear methods for checking the
CCPs to ensure they are functioning.
- Define Corrective Actions: Prepare actions to take when monitoring
indicates that a CCP is not under control.
Pros and Cons:
Proactive, preventive approach.
Internationally Recognized (food).
Provides clear steps to manage safety risks.
- Requires significant time, training and documentation.
- Can be challenging to apply outside food industry.
B.4.4 LOPA – Layers of Protection Analysis
Technique for analyzing controls.
Summary:
Semi-quantitative risk assessment of the adequacy of existing safeguards in
preventing or mitigating hazardous events by analyzing independent
layers of protection.
Tips:
- Clearly specify the initiating event and the potential consequences.
- List all independent LOPs that reduce the likelihood or severity of
the event.
- Use predefined failure probabilities for each LOP to estimate overall
risk reduction (values).
- Compare the calculated risk with acceptable risk criteria to decide
whether additional safeguards are needed.
Pros and Cons:
Balances qualitative and detailed quantitative methods.
Ensures each layer of protection is independent and reliable.
Helps prioritize.
- Requires reliable failure data.
- Limited to scenarios, less useful for innovations.
- May overlook human factors.
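Worked LOPA calculation as an added example (not from the lecture notes or IEC 31010): the mitigated event frequency is the initiating event frequency multiplied by the PFD of every independent layer, then compared with a tolerable frequency. The scenario, rates and PFD values are constructed, not data from any standard.

```python
# Added example (not from the lecture notes or IEC 31010): a Layers of
# Protection Analysis for one constructed scenario. Initiating event
# frequency, PFDs and the tolerable criterion are illustrative numbers.
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Layer:
    name: str
    pfd: float          # probability of failure on demand, in (0, 1]
    independent: bool   # only independent layers may be credited in LOPA


def mitigated_frequency(initiating_freq: float, layers: Iterable[Layer]) -> float:
    """Frequency of the consequence after crediting independent layers only.
    Each credited layer multiplies the frequency by its PFD; a layer that
    shares a failure mode with another one is listed but gets no credit."""
    freq = initiating_freq
    for layer in layers:
        if not layer.independent:
            continue
        if not 0.0 < layer.pfd <= 1.0:
            raise ValueError(f"{layer.name}: PFD must be in (0, 1]")
        freq *= layer.pfd
    return freq


def lopa(initiating_freq: float, layers: Iterable[Layer], tolerable_freq: float) -> dict:
    """Compare the mitigated frequency with the tolerable risk criterion;
    gap > 1 means additional safeguards are needed."""
    mitigated = mitigated_frequency(initiating_freq, layers)
    gap = mitigated / tolerable_freq
    return {"mitigated": mitigated, "gap": gap, "adequate": gap <= 1.0}


# Constructed scenario: credential phishing leading to unauthorised access
# to a customer database (consequence: reportable data breach).
INITIATING_FREQ = 2.0    # successful phishing attempts per year (assumed)
TOLERABLE_FREQ = 1e-3    # tolerated breaches per year (assumed criterion)
LAYERS = [
    Layer("Phishing-resistant MFA", pfd=0.05, independent=True),
    Layer("Network segmentation to DB", pfd=0.1, independent=True),
    Layer("Alerting on anomalous DB access", pfd=0.2, independent=True),
    # Same identity provider as the first layer: not independent, no credit.
    Layer("Second MFA prompt on same IdP", pfd=0.5, independent=False),
]

if __name__ == "__main__":
    print(lopa(INITIATING_FREQ, LAYERS, TOLERABLE_FREQ))  # gap 2.0, not adequate
```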
B.5 Techniques for understanding consequence and likelihood
B.5.2 & B.5.3 Bayesian / belief networks.
Technique for understanding consequence and likelihood.
Summary:
Probabilistic techniques used to model uncertainty, update beliefs with
new evidence, and quantify the likelihood of different outcomes.
Tips:
- Start with well-established cause-and-effect model and probabilities.
- Use the visual representation to discuss with experts and update.
Pros and Cons:
Powerful tools for complex, uncertain environments.
Useful for innovations.
- May overlook human factors.
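Belief update in a small network, as an added example (not from the lecture notes or IEC 31010): two root causes feed one observable alert, and the posterior of each cause is computed by enumerating the joint distribution. The network structure and all probabilities are constructed.

```python
# Added example (not from the lecture notes or IEC 31010): exact inference
# in a three-node Bayesian network by enumerating the joint distribution.
# Every probability below is a constructed, illustrative value.
from itertools import product

# Constructed network: Intrusion (I) and Misconfiguration (M) are parents
# of Alert (A). Prior probabilities of the two root causes:
P_INTRUSION = 0.01
P_MISCONFIG = 0.05
# Conditional probability table P(Alert = True | I, M):
P_ALERT = {
    (True, True): 0.98,
    (True, False): 0.90,
    (False, True): 0.30,
    (False, False): 0.01,   # false-positive rate with neither cause present
}


def joint(i: bool, m: bool, a: bool) -> float:
    """P(I=i, M=m, A=a) via the chain rule along the network edges."""
    p_i = P_INTRUSION if i else 1 - P_INTRUSION
    p_m = P_MISCONFIG if m else 1 - P_MISCONFIG
    p_a = P_ALERT[(i, m)] if a else 1 - P_ALERT[(i, m)]
    return p_i * p_m * p_a


def posterior(query: str, evidence: dict) -> float:
    """P(query=True | evidence): sum the joint over all worlds consistent
    with the evidence, then normalise (inference by enumeration)."""
    names = ("I", "M", "A")
    num = den = 0.0
    for values in product((True, False), repeat=3):
        world = dict(zip(names, values))
        if any(world[k] != v for k, v in evidence.items()):
            continue
        p = joint(world["I"], world["M"], world["A"])
        den += p
        if world[query]:
            num += p
    return num / den


if __name__ == "__main__":
    print("P(I)         =", P_INTRUSION)
    print("P(I | A)     =", round(posterior("I", {"A": True}), 4))   # ~0.2715
    # Observing a misconfiguration "explains away" the alert, so P(I) drops.
    print("P(I | A, M)  =", round(posterior("I", {"A": True, "M": True}), 4))
```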
B.5.4 Business impact analysis (BIA)
Technique for understanding consequence and likelihood.
Summary:
Systematic process used to assess the potential consequence of
disruptions to business operations and determine the critical functions and
resources required to maintain continuity.
Tips:
- Focus on the processes, systems, and resources that are critical for
the operation and survival of the organization.
- Evaluate the financial operation, legal, and reputational impacts of
disruptions.
- Establish Recovery Priorities and timeframes.
- Collaborate with key business units and stakeholders to ensure a
comprehensive view.
Pros and Cons:
Focuses on Business Continuity.
Holistic: Considers financial, reputational, and operational risks.
Supports effective disasters recovery and continuity plans.
- Requires significant time and effort from various departments.
- Can be difficult to gather accurate data.
- Incorrect assumptions about the severity of impacts may lead to
inadequate or excessive mitigation strategies.
B.5.5 Cause-consequence analysis (CCA)
Technique for understanding consequence and likelihood.
Summary:
Combines fault tree and event tree analysis to explore the potential cause
of an event and the consequences that follow.
Tips:
- Focus on key events to avoid overly complex diagrams.
- Use fault trees to identify causes and event trees to explore
consequences.
- Ensure diagrams show all paths from cause to consequence.
Pros and Cons:
Combines both cause and consequence analysis in one model.
Visual approach aids understanding of risk pathways.
Effective for analyzing complex systems with many variables.
- Can become complex and difficult to manage.
- Requires detailed data for both causes and consequences.
- Time-consuming to construct for large systems.
B.5.6 Event tree analysis
Technique for understanding consequence and likelihood.
Summary:
A forward-looking, graphical method used to model the potential outcomes
of an initiating event and the effectiveness of various controls.
Tips:
- Start with a clear initiating event and explore possible outcomes.
- Identify key barriers or controls that affect the event’s progression.
- Use branching paths to represent different outcomes based on
control success or failure.
- Quantify probabilities to assess the likelihood of each scenario.
Pros and Cons:
Visualizes the progression of events from a single initiating incident.
Helps assess the effectiveness of safety barriers.
Easy to understand and communicate.
- Limited to predefined events and controls.
- Can become complex with many branching paths.
- Requires accurate data to quantify probabilities effectively.
B.5.7 Fault tree analysis (FTA)
Technique for understanding consequence and likelihood.
Summary:
A top-down, deductive method used to analyze the potential causes of
system failures by identifying and linking contributing events.
Tips:
- Start with a defined top-level failure (undesired event).
- Break down the system into lower-level events using logical gates
(AND/OR).
- Focus on key contributors to the failure and their interconnections.
- Quantify probabilities of failure for better risk evaluation.
Pros and Cons:
Provides a clear, structured way to identify failure causes.
Helps pinpoint critical system vulnerabilities.
Supports quantitative risk assessments with probability data.
- Requires detailed system knowledge and data.
- Can become difficult to manage for large systems.
- Focuses only on failures, not successful outcomes or mitigations.
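Fault tree, event tree and their combination (B.5.5 to B.5.7) in one added example (not from the lecture notes or IEC 31010): AND/OR gates are evaluated bottom-up to a top-event probability, which then becomes the initiating probability of an event tree whose barriers branch on success or failure. The tree, barriers and probabilities are constructed.

```python
# Added example (not from the lecture notes or IEC 31010): a fault tree
# evaluated with AND/OR gates, feeding an event tree with two barriers.
# Basic-event probabilities and barrier success rates are constructed.
from typing import Tuple, Union

# A basic event is a probability; a gate is ("AND" | "OR", [children]).
Node = Union[float, Tuple[str, list]]


def fault_tree_prob(node: Node) -> float:
    """Top-event probability, assuming independent basic events.
    AND gate: product of child probabilities.
    OR gate: 1 - product of (1 - child probability)."""
    if isinstance(node, (int, float)):
        return float(node)
    gate, children = node
    probs = [fault_tree_prob(c) for c in children]
    result = 1.0
    if gate == "AND":
        for p in probs:
            result *= p
        return result
    if gate == "OR":
        for p in probs:
            result *= 1.0 - p
        return 1.0 - result
    raise ValueError(f"unknown gate {gate!r}")


def event_tree(initiating_prob: float, barriers: list) -> dict:
    """Outcome probabilities: each barrier (name, p_success) splits the
    path; the first barrier that fails determines the outcome leaf."""
    outcomes, remaining = {}, initiating_prob
    for name, p_success in barriers:
        outcomes[f"{name} fails"] = remaining * (1.0 - p_success)
        remaining *= p_success
    outcomes["all barriers hold"] = remaining
    return outcomes


# Constructed fault tree for the top event "web server compromised":
# (unpatched vuln AND exploit attempted) OR (leaked admin credential AND no MFA)
TOP = ("OR", [
    ("AND", [0.2, 0.5]),     # unpatched vulnerability, exploit attempted
    ("AND", [0.1, 0.3]),     # credential leaked, MFA absent
])
# Constructed event tree barriers after the compromise.
BARRIERS = [("network segmentation", 0.9), ("detection within 24h", 0.7)]

if __name__ == "__main__":
    p_top = fault_tree_prob(TOP)          # 0.127
    for leaf, p in event_tree(p_top, BARRIERS).items():
        print(f"{leaf}: {p:.4f}")
```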
B.5.8 Human reliability analysis
Technique for understanding consequence and likelihood.
Summary:
Evaluates the likelihood of human errors and their impact on system
performance to assess and mitigate risk associated with human factors.
Tips:
- Identify critical tasks where human error could lead to failure.
- Analyze potential errors (e.g. omission, commission, timing) and
their causes.
- Consider environmental and operational conditions affecting
performance.
- Use HRA techniques like THERP or HEART for quantifying human
error probabilities.
Pros and Cons:
Focuses on the human role.
Helps improve training, procedures, and interfaces.
Useful for industries where human error is a significant risk factor
(e.g. aviation, nuclear).
- Requires detailed understanding of human behavior and task
analysis.
- Data on human error probabilities can be difficult to obtain.
- Subjective judgement may influence results.
B.5.9 Markov analysis
Technique for understanding consequence and likelihood.
Summary:
A probabilistic technique used to model the transitions between different
system states over time, allowing for the assessment of system reliability
and availability.
Tips:
- Define all possible system states (e.g., operational, failure,
degraded).
- Identify the transitions (failure or repair rates). Use state diagrams to
visualize.
- Apply Markov chains to calculate long-term reliability and availability
probabilities.
Pros and Cons:
Models both failure and repair processes over time.
For complex systems with multiple states and transitions.
Can handle systems with non-constant failure rates.
- Requires detailed data on failure and repair.
- Can become mathematically complex.
- Assumes constant transition probabilities, which may not always be
realistic.
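Long-run availability from a state-transition model, as an added example (not from the lecture notes or IEC 31010): three states with constant failure and repair rates form a generator matrix Q, and the steady-state distribution solving pi*Q = 0 is found by iterating the discretised chain. The states and rates are constructed.

```python
# Added example (not from the lecture notes or IEC 31010): steady-state
# availability of a repairable system with three states (operational,
# degraded, failed) and constant transition rates. Rates are constructed.

STATES = ["operational", "degraded", "failed"]
# Constructed transition rates per hour (continuous-time Markov chain).
RATES = {
    ("operational", "degraded"): 1 / 500,   # partial failure
    ("operational", "failed"): 1 / 5000,    # direct outage
    ("degraded", "failed"): 1 / 100,        # degraded system fails faster
    ("degraded", "operational"): 1 / 24,    # repair while degraded
    ("failed", "operational"): 1 / 8,       # full restoration
}


def generator_matrix(states, rates):
    """Q matrix: off-diagonal entries are rates, each diagonal is -(row sum)."""
    n, idx = len(states), {s: i for i, s in enumerate(states)}
    q = [[0.0] * n for _ in range(n)]
    for (src, dst), rate in rates.items():
        q[idx[src]][idx[dst]] = rate
    for i in range(n):
        q[i][i] = -sum(q[i][j] for j in range(n) if j != i)
    return q


def steady_state(states, rates, dt=0.1, tol=1e-12, max_iter=2_000_000):
    """Solve pi*Q = 0 by iterating the discretised chain P = I + dt*Q
    from 'operational' until the distribution stops changing.
    dt must be below 1 / (largest exit rate) for P to be a valid chain."""
    q, n = generator_matrix(states, rates), len(states)
    pi = [1.0] + [0.0] * (n - 1)
    for _ in range(max_iter):
        nxt = [0.0] * n
        for j in range(n):
            for i in range(n):
                p_ij = (1.0 if i == j else 0.0) + dt * q[i][j]
                nxt[j] += pi[i] * p_ij
        converged = max(abs(a - b) for a, b in zip(nxt, pi)) < tol
        pi = nxt
        if converged:
            break
    return dict(zip(states, pi))


def availability(dist):
    """Long-run fraction of time the service is usable (not failed)."""
    return 1.0 - dist["failed"]


if __name__ == "__main__":
    dist = steady_state(STATES, RATES)
    print({k: round(v, 5) for k, v in dist.items()})
    print("availability =", round(availability(dist), 5))   # ~0.9955
```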
B.5.10 Monte Carlo simulation
Technique for understanding consequence and likelihood.
Summary:
A quantitative risk analysis technique that uses random sampling and
statistical modeling to estimate the probability of different outcomes.
Tips:
- Define the variables and their probability distributions.
- Run numerous simulations (iterations) to generate a range of
possible outcomes.
- Analyze output data to identify patterns, risk levels, or extreme
cases.
Pros and Cons:
Can handle complex, nonlinear systems with multiple uncertainties.
Provides a range of possible outcomes, not just a single estimate.
Effective for modelling risk in situations with incomplete or variable
data.
- Requires knowledge of statistics and computational power.
- Results depend heavily on the quality of input data and assumptions.
- Interpretation of results can be challenging.
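Random-sampling estimate of annual loss, as an added example (not from the lecture notes or IEC 31010): incident count per year is drawn from a Poisson distribution and each incident's loss from a lognormal, and the simulated years give a mean, a 95th percentile and an exceedance probability instead of a single point estimate. The model and parameters are constructed.

```python
# Added example (not from the lecture notes or IEC 31010): Monte Carlo
# estimate of annual loss from a constructed incident model. Incidents
# per year ~ Poisson(lam); loss per incident ~ lognormal(mu, sigma).
import math
import random


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Knuth's multiplication method; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(iterations, lam, mu, sigma, seed=42):
    """Return a sorted list of simulated annual losses (one per iteration)."""
    rng = random.Random(seed)          # fixed seed keeps runs reproducible
    losses = []
    for _ in range(iterations):
        n = sample_poisson(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    losses.sort()
    return losses


def summarize(losses, threshold):
    """Mean, 95th percentile and probability of exceeding a loss threshold."""
    n = len(losses)
    return {
        "mean": sum(losses) / n,
        "p95": losses[int(0.95 * (n - 1))],
        "p_exceed": sum(1 for x in losses if x > threshold) / n,
    }


# Constructed parameters: 0.8 incidents per year; per-incident loss with
# median exp(11) (about 60k) and sigma 1.0, giving a heavy right tail.
LAM, MU, SIGMA = 0.8, 11.0, 1.0

if __name__ == "__main__":
    years = simulate_annual_loss(20_000, LAM, MU, SIGMA)
    # Analytic check on the mean: lam * exp(mu + sigma^2 / 2), about 79k.
    print(summarize(years, threshold=250_000))
```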
B.5.11 (Data) Privacy impact analysis
Technique for understanding consequence and likelihood.
Summary:
A structured process to assess the risk to individuals’ privacy when
handling personal data, identifying impacts and controls.
Tips:
- Identify and map the personal data being collected, processed, or
stored.
- Assess the privacy risk associated with each step of data handling.
- Ensure compliance with regulations.
- Implement controls such as data minimization and anonymization.
Pros and Cons:
Helps ensure compliance with data protection laws (e.g. GDPR).
Can be used early in the project lifecycle.
Improves trust with stakeholders.
- Requires expertise in data protection regulations and privacy best
practices.
- May lead to overestimating or underestimating certain privacy risks.
LECTURE 6
Risk Evaluation
Simple risk assessment for personal life
The 4-box best/worst analysis – Ben Carson.
As a society we do the same…
Analyze:
Risk perception.
Knowing the likelihood * consequence.
Evaluate:
How much risk do we like > risk appetite.
How much risk can we handle > risk tolerance.
How much risk is too much > risk capacity.