
-
Assessing acceptable risks
Following the risk analysis process, one can evaluate whether the risk values are acceptable or not, whether risk control options would need to be implemented, and which ones. To do so, ‘acceptable’ or ‘routine’ levels of risk can be determined as part of the establishment of the context in Stage 1.
-
Testing efficiency in barriers
One simple but often applied criterion for implementing risk control accounts for the number of exposures of the hazardous event. If, for instance, a certain barrier is tested daily and seems to be working, it should be ensured that this will also be the case in the future. For barriers that are tested on an infrequent or ad hoc basis and fail the test, corrective actions should be implemented.
-
Applying the ALARP principle
Another method to support risk evaluation and decision making is the use of risk metrics, which can be used to determine whether the risk falls within these acceptable levels or not [7]. One example where (especially quantitative) risk metrics are important is the application of the ALARP principle, which denotes that the system risks should be made “as low as reasonably practicable”. Thus, in cases where the risks are not acceptably low, new risk control options should be implemented, unless it can be demonstrated that the costs involved are disproportionately high compared to the risk-reduction effects. In practice, this principle is often applied in such a way that risk control measures are implemented even if risks are low, provided the risk control option can be easily implemented at low cost.
-
Cost-benefit analysis in risk reducing measures
Another criterion-based method, used especially in risk management decision making where major investments are considered, is Cost-Benefit Analysis (CBA). In this method, the relative risk reducing effects and the associated costs are determined for each risk control option, which allows decision makers to select the most feasible option. An approach strongly supported by the ISO 31000:2018 standard, useful especially for processes and tools which allow risk estimation over several relatively short time periods, is to focus less on the absolute values of the risk estimates, and give more weight to the changes of the risk levels. When sudden significant changes are found, or sustained incremental changes over an extended period, this may be taken as a sign that additional risk treatment is warranted.
-
Contemporary risk management approaches and the managerial review
In contemporary risk management approaches, it is recommended to evaluate the risks and determine the appropriate further actions in a managerial review process [6], or in an analytic-deliberative process [8]. The managerial review means that the results of the risk analysis are presented to a (group of) decision maker(s) and considered alongside other decision-relevant information. This can include the costs of the risk treatment options, social factors such as creation or loss of employment, or other legal, political, or cultural factors. The decisions are made on a risk-informed basis, following a discussion.
-
Considerations towards risk control options
There may be justified reasons to consider issues other than costs when selecting which risk control options to implement. Previous experience with similar systems, maintainability of the new system elements, and preferences of decision makers and stakeholders are all qualities one should consider.
It is also essential to carefully consider any legal constraints to implementing risk control options, as often the locus of control in making certain modifications to system designs or operational procedures is under the authority of another actor or stakeholder in the system. This applies to the analytic-deliberative process as well, but here additional stakeholders can voice their concerns in the decision-making process, and they are typically also involved in the risk identification and analysis stages.
