Risk Evaluation

Except where determined by safety, legislative or financial insurance requirements, there is typically no right answer as to what constitutes an acceptable risk. Evaluation of risks and the decision as to what constitutes an acceptable response plan ultimately depends on an organization’s “appetite” or “tolerance” for risk, the nature of the risk, and the organisation’s ability to influence factors contributing to or stemming from the risk. Also relevant is the risk management context of the project (how important the project is to the organisation and the resources available to manage the risk).

In the specialised field of technical and safety critical risk management, there are criteria for deciding acceptable levels of risk and by implication, treatments, expressed in the terms “As Low As Reasonably Practicable” (ALARP) and “So Far As Is Reasonably Practicable” (SFAIRP). These terms define the limits to which organisations with a Duty of Care (eg, Transport Authorities) are required to go to protect human life etc. The terms are used to distinguish the required efforts from whatever is possible, which may be grossly disproportionate to the increased level of protection resulting. This kind of Risk Management is outside the scope of this Knowledge Base. Further information on these areas may be obtained by inputting ALARP or SFAIRP into a search engine.

In many organizations, a decision authority matrix may be in place to formalise the sign-off procedures for the evaluation and subsequent management of risks. A decision authority matrix itemises the thresholds of risk consequence (probability * impact) at which risks must be reported and / or their treatment strategy approved.