A risk analysis assesses the hazards that may affect an ITS deployment. Those hazards with the most severe risks should be provided with a mitigation strategy, and each strategy should be assigned to an Owner who is responsible for its implementation.
Risk Analysis is divided into five steps:
- Identify the hazard (what might go wrong), be it a financial, technical, organisational, institutional or a requirement hazard;
- Identify the consequence(s) of each hazard (there may be more than one) and assign a probability that they will occur, e.g. Low, Medium, High [1];
- Assign an impact to each consequence, e.g. Low, Medium, High [1];
- Categorise the risk (probability vs. impact) of each consequence, e.g. using a risk graph (see below);
- Decide which categories of risk need a mitigation strategy, e.g. all red and orange, and identify the actions that need to be taken to reduce the risk to an acceptable level [1].
The result should be a list of Hazards, with their Mitigation Strategies and Owners.
[1] The values given above are only examples. The number of possible Probabilities and Impacts, as well as the content of the Risk Graph, must be approved by a suitable authority. In the case of Safety and Security hazards, they may have legal consequences.
Further Reading
See The RAID Study