A risk analysis assesses the hazards that may affect an ITS deployment. Those hazards with the most severe risks should be provided with a mitigation strategy, and each strategy should be assigned to an Owner who is responsible for its implementation.
Risk Analysis is divided into five steps:
- Identify the hazard (what might go wrong), be it a financial, technical, organisational, institutional or a requirement hazard;
- Identify the consequence(s) of each hazard, there may be more than one, and assign a probability that they will occur, e.g. Low, Medium, High ;
- Assign an impact to each consequence, e.g. Low, Medium, High ;
- Categorise the risk (probability vs. impact) of each consequence, e.g. using a risk graph (see below)
- Decide which categories of risk need a mitigation strategy, e.g. all red and orange, and identify the actions that need to be taken to reduce the risk to an acceptable level .
The result should be a list of Hazards, with their Mitigation Strategies and Owners
 The examples given above are only examples. The number of possible Probabilities and Impacts, as well as the content of the Risk Graph must be approved by a suitable authority. In the case of Safety and Security hazards they may have legal consequences.
See The RAID Study