SA/SNZ HB 89:2013. Australian/New Zealand Handbook. Risk management Guidelines on risk assessment techniques. Superseding HB SA/SNZ HB 89:2013



This Handbook was prepared by a working group under the direction of Joint Standards Australia/Standards New Zealand Committee QR-005, Dependability, with representatives from Joint Standards Australia/Standards New Zealand Committee OB-007, Risk Management. It was approved on behalf of the Council of Standards Australia on 5 December 2013 and on behalf of the Council of Standards New Zealand on 5 December This Handbook was published on 18 December

The following are represented on Committee QR-005:

Asset Management Council
Australian Industry Group
Australian Organisation for Quality
Department of Defence (Australia)
Engineers Australia
Independent Transport Safety & Reliability Regulator
Institution of Professional Engineers New Zealand
New Zealand Institute of Safety Management
New Zealand Society for Risk Management
Risk Management Institution of Australasia
University of New South Wales
University of Wollongong

The following are represented on Committee OB-007:

Attorney General's Department
Australian Chamber of Commerce and Industry
Australian Computer Society
Australian Logistics Council
Dairy Companies Association of New Zealand
Department of Finance
Financial Services Institute of Australasia
Governance Institute of Australia
Minerals Council of Australia
Ministry of Business, Innovation and Employment, New Zealand
New Zealand Institute of Safety Management
New Zealand Society of Risk Management
Risk Management Institution of Australasia
Royal Australian Chemical Institute
Society for Risk Analysis, Australia and New Zealand Regional
The Institute of Internal Auditors, Australia
United Independent Pools

Standards Australia and Standards New Zealand wish to acknowledge the participation of the expert individuals that contributed to the development of this Handbook through their representation on the Committee.

Keeping standards up to date

Standards are living documents which reflect progress in science, technology, and systems. To maintain their currency, all standards are periodically reviewed, and new editions are published. Between editions, amendments may be issued. Standards may also be withdrawn. It is important that readers assure themselves they are using a current standard, which should include any amendments which may have been published since the standard was purchased.

Detailed information about joint Australian/New Zealand standards can be found by visiting the standards webshop at or Standards New Zealand's website at Alternatively, Standards Australia publishes an annual printed catalogue with full details of all current standards. For more frequent listings or notification of revisions, amendments and withdrawals, Standards Australia and Standards New Zealand offer a number of update options. For information about these services, users should contact their respective national standards organisation.

We also welcome suggestions for improvement in our standards, and especially encourage readers to notify us immediately of any apparent inaccuracies or ambiguities. Please address your comments to the Chief Executive of either Standards Australia or Standards New Zealand at the address shown on the title page.

Originated as HB Jointly revised and designated as SA/SNZ HB 89:2013.

COPYRIGHT

Standards Australia Limited/Standards New Zealand

All rights are reserved. No part of this work may be reproduced or copied in any form or by any means, electronic or mechanical, including photocopying, without the written permission of the publisher, unless otherwise permitted under the Copyright Act 1968 (Australia) or the Copyright Act 1994 (New Zealand).

Jointly published by SAI Global Limited under licence from Standards Australia Limited, GPO Box 476, Sydney, NSW 2001 and by Standards New Zealand, Private Bag 2439, Wellington

ISBN (Print) ISBN (PDF)

PREFACE

This Handbook was prepared by a working group under the direction of the Joint Standards Australia/Standards New Zealand Committee QR-005, Dependability, with representatives from the Joint Standards Australia/Standards New Zealand Committee OB-007, Risk Management. It supersedes HB

The purpose of this revision is to correct the referenced documents and introduce minor text changes to facilitate use of the Handbook. The Handbook is now a Joint Standards Australia/Standards New Zealand publication.

This Handbook is based on International Standard ISO/IEC 31010:2009, Risk management - Risk assessment techniques, and incorporates material from AS/NZS 3931:1998, Risk analysis of technological systems - Application guide [which is an identical adoption of IEC :1995 (withdrawn)].

The objective of the Handbook is to provide guidance on good practice for assessing risk, as part of a risk management process in accordance with AS/NZS ISO 31000:2009, Risk management - Principles and guidelines, and to assist in making decisions under conditions of uncertainty. It provides an overview of a range of risk assessment techniques, and guidance on their selection and implementation.

AS/NZS ISO describes the fundamental principles of risk management, provides a framework for integrating risk management into an organization and describes a process for managing risk effectively. The Standard post-dates the development of many of the techniques described in this Handbook, so there may be some discrepancy between terminology traditionally used and that of AS/NZS ISO and ISO Guide 73, Risk management - Vocabulary. However, the techniques remain valid and, over time, it is expected that terminology will become fully compatible with the new standards.

Many of the techniques described in this Handbook were originally developed to consider risk in technological applications but increasingly they are being applied much more widely. However, techniques specifically developed for and used in the assessment of financial risks are not included here.

This Handbook strives to aid the process of ongoing development in the use of the techniques and a consistent terminology, aligned with the definitions in ISO Guide 73:2009 and AS/NZS ISO 31000:2009.

Many of the techniques described have not traditionally included a requirement to explicitly link risk to an organization's objectives or to consider the organizational context. However, that is not to suggest that such a link was not assumed or inferred, or is not valuable; a clearly stated link is essential to ensure the effective use of these techniques.

CONTENTS

FOREWORD

SECTION 1 SCOPE AND GENERAL
1.1 SCOPE REFERENCED DOCUMENTS TERMS AND DEFINITIONS

SECTION 2 RISK ASSESSMENT CONCEPTS
2.1 PURPOSE RISK ASSESSMENT AND RISK MANAGEMENT

SECTION 3 RISK ASSESSMENT PROCESS
3.1 OVERVIEW PREPARATION FOR RISK ASSESSMENT RISK IDENTIFICATION RISK ANALYSIS QUALITATIVE AND QUANTITATIVE TECHNIQUES RISK EVALUATION RECORDING AND REPORTING MONITORING AND REVIEWING RISK ASSESSMENT APPLICATION OF RISK ASSESSMENT DURING LIFE CYCLE PHASES

SECTION 4 SELECTION OF RISK ASSESSMENT TECHNIQUES
4.1 GENERAL SELECTION OF TECHNIQUES

APPENDICES
A COMPARISON OF RISK ASSESSMENT TECHNIQUES
B RISK ASSESSMENT TECHNIQUES

FOREWORD

Organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when they will achieve their objectives. The effect this uncertainty has on objectives is risk. Objectives may relate to any of an organization's activities from strategic initiatives to its operations, processes and projects. Effects may be positive or negative and can include societal, environmental, technological, safety, financial and economic outcomes, as well as social, cultural, political and reputational impacts.

The risk management process aids decision-making by taking account of uncertainty. It involves the application of logical and systematic methods for communicating and consulting throughout the process; establishing the context; identifying, analysing, evaluating risk; treating risk; monitoring and reviewing risk throughout the process; and recording the results appropriately.

Risk assessment is that part of the overall risk management process that incorporates the identification, analysis and evaluation of risk to answer the following fundamental questions:

What can happen, how and why (by risk identification)?
What are the possible consequences (in terms of the impact on objectives) and the factors that may influence them?
How likely are the consequences to occur, and what might influence their likelihood?
What is the effect of any controls in modifying the consequences or their likelihood?
Is the level of risk tolerable or acceptable and does it require further treatment?

This Handbook is intended to reflect established good practices in the selection and utilization of risk assessment techniques, and does not refer to new or evolving concepts that have not reached a satisfactory level of professional consensus. It is generic in nature, and is intended to give guidance on the use of techniques across all organizations and situations. There may be more specific standards that establish preferred methodologies and levels of assessment for particular applications.

SECTION 1 SCOPE AND GENERAL

1.1 SCOPE

This Handbook provides general guidance to assist in the selection and application of techniques that can be applied to various risk assessment activities. It provides an overview of the purpose, general nature and limitations of 30 techniques which can be used when assessing risk. Depending on the purpose and circumstances of the study, these techniques can be applied to the following:

Identifying risks.
Analysing risks.
Evaluating the significance of risks.

Risk assessment carried out in accordance with this Handbook forms a part of, and contributes to, an organization's risk management activities as described in AS/NZS ISO 31000:2009.

In this Handbook
(a) Section 2 shows where risk assessment lies within the AS/NZS ISO risk management process;
(b) Section 3 provides guidance on the three steps of the risk assessment process and parts of the wider risk management process that feed into them;
(c) Section 4 outlines considerations in the selection of appropriate risk assessment techniques; and
(d) Appendices A and B list and provide guidance on 30 risk assessment techniques.

The intended audience includes those who need to identify, analyse or evaluate risks and those who specify requirements for risk assessment.

The Handbook is not a detailed guide or tutorial on how each technique should be carried out. For example, some techniques require mathematical skills, and others, such as the design of questionnaires, require considerable skill and experience for the outputs to be valid. For this reason, some advice is provided as to where further information can be obtained.

The Handbook does not include references to all available techniques, and omission of a technique from this Handbook does not mean the technique is not valid. The fact that a technique is applicable to a particular circumstance does not mean that it should necessarily be applied.

This Handbook is not intended for certification, regulatory or contractual use.
