Chapter 4

RISK ASSESSMENT
Modified from Endut, 2016
 LESSON OUTCOME
At the end of this lesson, students will be able to:
Apply the process of risk analysis through the use
of several tools and techniques, as part of the risk
management process.
RISK MANAGEMENT
 RISK ASSESSMENT?
• The term Risk Assessment could have a different meaning for
different people, even country.

AS/NZS 4360:1999 MS IEC/ISO 31010:2011

RISK ASSESSMENT
Risk assessment is the combined effort of:
•Risk analysis - identifying and analyzing potential (future)
events that may negatively impact individuals, assets,
and/or the environment

•Risk evaluation - making judgments "on the tolerability of

the risk on the basis of a risk analysis" while considering
influencing factors
Risk Assessment (Malaysian Standard)
For every industry, there are health, safety and
environmental risks that must be identified and addressed
with sound risk management procedures.

ISO 31000 - RISK MANAGEMENT

Risk assessment attempts to answer the following
fundamental questions:
what can happen and why (by risk identification)?
what are the consequences?
what is the probability of their future occurrence?
are there any factors that mitigate the consequence
of the risk or that reduce the probability of the risk?
 Risk Analysis
• After risk have been identified, their characteristics need to be
assessed so that it is determined whether the risk event is worth
further analysis.

• Once it is decided that a risk event needs analysis then it needs to be

determined whether the risk event information can be acquired
through quantitative or qualitative means.

• Measurement metrics for risk also need to be determined so that these

metrics can be used for computation of risk magnitude and risk
analysis leading to risk mitigation plans.
Risk Analysis
• Risk is measured using two parameters –
 risk probability
 risk consequence (impact)

• Risk probability or likelihood indicates a chance of a risk event

occurring (eg: 50% chances or 1/3 probability)

• Risk consequence, severity or impact represents an outcome generated

from the risk event (eg: minor, major, low, high)

• Risk magnitude is the product of risk probability and risk consequence.

To measure risk magnitude, probability and consequence of a risk event
needs to be determined, which constitute the risk assessment function.
Risk Analysis
 Analysis can be
 qualitative
 semi-quantitative
 quantitative
Qualitative analysis
 Uses words to describe the magnitude of potential consequences and the
likelihood that those consequence will occur
 Defines consequence, probability and level of risk by significance level
such as high, medium and low.
 May combine consequence and probability and evaluate the resultant level
of risk against qualitative criteria.
 May be used
 As an initial screening activity to identify risks which require
more detailed analysis
 Where this kind of analysis is appropriate for decisions
 Where the numerical data or resources are inadequate for a
quantitative analysis
Qualitative
These are some of the qualitative risk analysis outputs:
•Risk categorization and ranking for each risk.
•Prioritized list of risks.
•Further understanding of the risk in the organization.
•A decision about go / no go actions and measures for risk
treatments.
Qualitative analysis
Qualitative analysis
Inherent risk Control risk
Low Medium High

Low Very low Low Medium

Medium Low Medium High
High Medium High Very high

Source: (Cosserat, 2005, 138)

Let’s take one example:
Risk in construction duration
IMPACT OF PROJECT DURATION
Probability of Risk
Probability and Impact Matrix
 Semi-quantitative analysis
• Semi-quantitative approaches are currently widely used to
overcome some of the shortcomings associated with qualitative
approaches.
• Qualitative scales are given values.
• The objective is to produce a more expanded ranking scale than
the ones achieved in qualitative analysis.
• The values allocated may have inaccurate relationship to the
actual magnitude of consequences and likelihood.
• The values taken may not properly reflect relatives and this can
lead to inconsistent or inappropriate outcomes.
• Semi-quantitative methods use numerical rating scales for
consequence and probability and combine them to produce a
level of risk using a formula.
 Semi-quantitative analysis
Threat Impact
Likelihood Low (10) Medium (50) High (100)

High (1.0) Low Medium High

(1.0 x 10 =10) (1.0 x 50 = 50) (1.0 x 100 =100)
Medium (0.5) Low Medium Medium
(0.5 x 10 =5) (0.5 x 50 = 25) (0.5 x 50 = 50)
Low (0.1) Low Low Low
(0.1 x 10 =1) (0.1 x 50 =5) (0.1 x 100 = 10)

High risk (between 50 to 100) – require corrective action as soon as possible

Medium risk ( between 10 to 50) - are necessary corrective action and requires a plan
for incorporating them into current business

Low risk ( less than 10) – decision maker must consider corrective measures are still
necessary to adopt or accept the risk
Semi-Quantitative Analysis
Semi-Quantitative Analysis
Semi- Quantitative Analysis
(Example of risk categorization)
 High negative impact to project / Highly likely to occur — high risk
 High negative impact to project / Medium likely to occur — high risk
 High negative impact to project / Not likely to occur — medium/low risk
 Medium negative impact to project / Highly likely to occur — medium risk
 Medium negative impact to project / Medium likely to occur — medium/low
risk
 Medium negative impact to project / Not likely to occur — low risk
 Low negative impact to project / Highly likely to occur — low risk
 Low negative impact to project / Medium likely to occur — low risk
 Low negative impact to project / Not likely to occur - low risk
Quantitative analysis
 Uses numerical values (not descriptive scale)
 Estimates practical values for consequence and probabilities and produces
values of the level of risk using specific units.
 Both consequences and likelihood using data from a variety of sources
 The quality of the analysis depends on the accuracy and completeness of the
numerical values and the validity of the models used
 Consequences may be determined
 modeling the outcomes of an event or set of events
 Extrapolation from experimental studies or past data

 A quantitative analysis will determine the probability of each risk event

occurring. For example, Risk #1 has an 80% chance of occurring, Risk #2
has a 27% chance of occurring
Quantitative analysis
• For example : Bayesian method

• P(Ei / Aj) = P (Aj/Ei) P (Ei) / P(Aj)

• Where:
• P(Ei) – unconditional or prior probability of errors
• P(Ei/ Aj) – posterior probability (conditional) probability that
the event’s status if related to the experiment result
• P(Aj) – marginal probability of total or simultaneous trial
involving acceptance
 Risk allocation
-the process of identifying risk and determining how and to what extent they should
be shared

-Most owners understand that risk is an inherent part of the construction process
and cannot be eliminated

- Check the contract- allocate risk to another party through contract agreement

- Contract agreement- allocated the risk on a shared basis and allocate to the party
best able to control it

-Example: construction Hospital Universiti Teknologi MARA, Puncak Alam

-PFI project between client – UiTM, concessionaire – Triplx
-If there is risk of delay in delivery project – to whom the risk should be allocate?
 RISK ASSESSMENT MATRIX
• A Risk Assessment Matrix (RAM) is a tool to help you determine
which risks you need to develop a risk response for.
• The first step in developing a RAM is to define the rating scales for
likelihood and impact.
• In a qualitative analysis, likelihood or probability is measured using a
relative scale.
Likelihood Scale
Assessing the likelihood
• Risk analysis – making an estimate of variables that may lie far ahead in the
future
• Qualitative assessment- subjective because it relies largely on human judgment
– Experience
– Personal biases
• Errors arising from biases such as:
– Anchoring (wrongly sticking with a first estimate even though it is inappropriate)
– Selective recall (remembering only certain facts or incidents)
– Over-confidence
– Inappropriate search for patterns in data
– Inappropriate framing of the situation
Cont…
• Advantage of subjective assessment is that it is generally quick to
apply and simple to understand
• Disadvantage – errors in judgment are often difficult to detect and
eradicate
• Type of assessing risk components
– Probability
– Expected frequency
– Chance
– likelihood
Assessing the consequences
Interval descriptor Amplification
1. Insignificant No injuries, low financial loss
2. Minor Minor injuries, rapid containment on-site, medium
financial loss
• The
3. Moderateimpact on the project
Medical alert and light injuries, on-site containment
requires outside assistance, high financial loss
• Impact of the stakeholder
4. Major Extensive injuries, loss of production capability, off-
• The interval site
of the impact
release with no detrimental effect, major
financial loss
5. Catastrophic Deaths occur, toxic off-site release with detrimental
effect, huge financial loss
Assessing the duration of the risk
(exposure time)

Interval Possible indicator

1. Short term Less than the time required for procurement phase
2. Medium short Procurement phase plus one third of operational phase
term where appropriate
3. Medium term Procurement phase plus half of operational phase where
appropriate
4. Medium long term Procurement phase plus two thirds of operational phase
where appropriate
5. Long term Into disposal phase and beyond
Assessing the duration of the risk
(exposure time)
Interval Possible indicator

1. Short term Less than the time required for

procurement phase
2. Medium Procurement phase plus one third of
short term operational phase where appropriate
3. Medium Procurement phase plus half of
term operational phase where appropriate
4. Medium Procurement phase plus two thirds of
long term operational phase where appropriate
5. Long term Into disposal phase and beyond
RISK ASSESSMENT MATRIX
Interval Amplification
descript
or
Impact Scale definition...
Insignific No injuries, low financial loss
ant
Minor Minor injuries, rapid containment
on-site, medium financial loss
Moderate Medical alert and light injuries, on-
site containment requires outside
assistance, high financial loss
Major Extensive injuries, loss of
production capability, off-site
release with no detrimental effect,
major financial loss
Catastrop Deaths occur, toxic off-site release
hic with detrimental effect, huge
financial loss
RISK ASSESSMENT MATRIX
• With your rating scales prepared, you can create a Risk
Assessment Matrix to help you categorize the Risk Level
for each risk event.
RISK ASSESSMENT MATRIX
RISK ASSESSMENT MATRIX
A subjective three-dimensional
risk severity model
Catastrophic

Impact Major

Moderate
Long
Minor Medium-long

n
tio
Medium
Insignificant Medium-short

ra
Du
Short
Unlikely

Possible

Certain
Almost
Rare

Likely

Probability of occurrence
Techniques for risk analysis
• Several techniques in the literature that are currently applied
for project analysis can also be applied for risk analysis.
Assessment tools
 Type of assessment
 Look up methods – checklists, preliminary hazard analysis
 Supporting methods – Delphi technique, SWIFT structured
 Scenario analysis –Root cause, fault tree analysis, business
impact analysis, event tree analysis
 Function analysis –HAZOP, HACCP, reliability centered
maintenance
 Control assessment – Bow tie analysis, layers of protection
analysis
 Statistical methods – Markov, Monte Carlo, Bayesian
Probability and impact grids
• Risk events represented on a grid consisting of probability
on one axis and impacts on another are often used to define
threshold regions on the grid, which represent high risk
events based on past experience or organizational
procedures.
• Probability and impact grids provide a simple format for
showing relative importance of risk events.
Fault tree analysis
• Fault tree analysis determines the chance or a failure event
occurring in the project structure represented in a fault tree.
• Further, the top-level chance or a failure is determined from
events in lower levels passing through logical gates.
• This analysis provides an overview of risk in the overall project
through top-level analysis or specific components of the project
through analysis at lower levels.
Event tree analysis
• Event tree analysis determines how likely a particular event
represented on an event tree is likely to happen from an
initial event.
• The probability of occurrence of a particular outcome is
determined as a product of all probabilities of occurrence in
the associated branch.
• Owing to this examination of all failures that are possible
for an outcome, event tree analysis leads to a comprehensive
mitigation plan.
Discussion
Based on the risks that have been identified in previous
lecture, develop a Risk Assessment Matrix (RAM) for the
aforementioned project.
•The RAM should represent both the qualitative and semi-
quantitative form of risk analysis.
The end for today