The Risk Assessment Process
A number of steps are basic to a quantitative risk assessment, and they are independent of the system or issue being considered. As applied in the engineering, insurance, pharmaceutical, and many other industries for many decades, the basic definition of risk has been standardized by international agreement.1 The process is shown in figure A.1 and can be summarized as:
1. Define context. A risk assessment should take place within a well-defined context. This means that the system being examined and the internal and external influences must be known and defined.
2. Analyze hazard scenarios. Identification of what might go wrong, and when and where, is crucial to the analysis. Once the potential threats and scenarios have been identified, it is necessary to identify how and why these threats or scenarios can be realized. This requires the threat scenarios to be examined (and understood) in considerable detail. Information from databases and other past experience will play an important part in hazard scenario analysis.
3. Analyze risk.
Risk = (probability of threat) × (consequences)
This step is concerned with determining the threat probabilities and the consequences (fatalities, damages) that would occur if the threat were realized. Typically, the probabilities are estimated from a combination of relevant data and subjective judgments.
4. Evaluate risks. Analyzed risk must be compared with criteria of risk acceptability, usually applying past experience as a guide. If the risk of