According to ISO 31000, the process of risk evaluation involves assessing each risk against the objectives of the project and against external criteria to see whether the risk and/or its magnitude (exposure) are acceptable or tolerable to the project. As stated earlier, a risk is only a risk insofar as it directly affects objectives. External criteria usually refer to compliance with safety, environmental or other statutory requirements or legislation. Risk evaluation assists in determining whether risk treatments are required in addition to existing controls, to bring the risk within an acceptable exposure for the project organisation.
Except where determined by safety, legislative or financial insurance requirements, there is typically no right answer as to what constitutes an acceptable risk. Evaluation of risks, and the decision as to what constitutes an acceptable response plan, ultimately depends on an organisation’s “appetite” or “tolerance” for risk, the nature of the risk, and the organisation’s ability to influence the factors contributing to or stemming from the risk. Also relevant is the risk management context of the project (how important the project is to the organisation and the resources available to manage the risk).
In the specialised field of technical and safety-critical risk management, there are criteria for deciding acceptable levels of risk and, by implication, treatments, expressed in the terms “As Low As Reasonably Practicable” (ALARP) and “So Far As Is Reasonably Practicable” (SFAIRP). These terms define the limits to which organisations with a Duty of Care (e.g., Transport Authorities) are required to go to protect human life etc. The terms are used to distinguish the required efforts from whatever is possible, the cost of which may be grossly disproportionate to the resulting increase in protection. This kind of Risk Management is outside the scope of this Knowledge Base. Further information on these areas may be obtained by entering ALARP or SFAIRP into a search engine.
The Decision Authority Matrix
In many organisations, a decision authority matrix may be in place to formalise the sign-off procedures for the evaluation and subsequent management of risks. A decision authority matrix itemises the thresholds of risk consequence (probability * impact) at which risks must be reported and/or their treatment strategy approved.