Risk Assessment.

Information | Understanding | Best Practice.

The ability to accurately and consistently assess risk is critical in the implementation of an effective risk management program. In assessing risk and determining levels of risk there is a need to consider:

– Severity

– Probability

– Detectability


“Severity” is the impact or damage which would arise if the risk were to be realized.

“Probability” is the likelihood that the risk could arise.

“Detectability” is the time it will take to realize that the risk has actually been realized.


The severity, probability and detectability measures will provide information on the level of risks inherent within a process, an organization, etc.. Those tasked with managing the risk processes, need to define:

What level of risk is considered acceptable?

How to determine what are acceptable risk levels?


Severity is a measure of the impact of a risk or the possible consequences of a hazard.

Severity associated with a risk is normally assigned a Score, Level or Rating.

In measuring the severity associated with a risk (or hazard), categories and descriptions may be based on:

– Types of systems or processes being assessed for risk.

– Potential Harms associated with the systems or processes.

– The selected levels of severity.


When determining severity ratings, consideration needs to be given to all relevant factors.



Probability relates to how often the harm associated with a risk may occur. Probability is also known as the “Likelihood”, “Rate of Occurrence” or “Frequency” of a risk arising.

A probability estimate can be:

Quantitative – based on data and statistics

Qualitative – based on experience and judgement


The probability of a risk arising is associated with each potential cause of a risk (or hazard) arising.



Detectability is the ability of system or process controls to detect a hazardous event (a realized risk). Detectability is important, as the longer a hazardous event exists the greater the potential impact associated with the hazard.

For example consider a pharmaceutical drug, which may be contaminated during manufacture. If the contamination can be detected early within the manufacturing process then the risk will be substantially less than if the contamination were only detectable via patient reaction to product use.

Risk controls should either:

– Detect and prevent the occurrence of a hazardous event OR

– Detect and report the occurrence of a hazardous event.


Risk Assessment. The overall measured Risk Level.

There are various methods for determining the overall risk levels, common to all approaches will be the use of both the Severity and Probability measures. Some risk management processes will apply the Detectability measure, e.g. Severity + Probability (S+P) OR Severity + Probability + Detectability (S+P+D)


The Risk Matrix. Risk Prioritization Number.

The RPN – Risk Prioritization Numbers for all risks can then be charted. The chart will show unacceptable risks, plus the higher and lower level risks. The result will be a list of risks, identified in order of criticality.
Risk Management Full Details

Risk Management.