Dissecting methods of risk analysis and their efficacy

6/14/17 6:00 PM / by Jiaqi Sun



Today we drill even further down into the different types of risk analysis and their efficacy, taking a look at:

  • The top 10 business risks ranked by interviewees
  • Risk summary by year
  • Bowtie analysis
  • Business impact analysis
  • NIST SP 800-30 (a qualitative matrix approach)
  • CRAMM (Qualitative)


Top 10 business risks ranked by interviewees


[Image: chart of the top 10 business risks ranked by interviewees]


The chart below is an example of a summary report. Because not all risks are equal, the company prioritises them by assigning points to each respondent's risk ranking:

  • 5 points for the top risk
  • 3 for the second, and
  • 2 for the third.


Risk summary by year

[Image: chart of the risk summary by year]


Source: Amato, 2017


The goal is to obtain from these experts an evaluation of the probability and cost of incidents in a set of scenarios. This approach is an alternative for cases where historical data are insufficient for a purely statistical method. According to Fimarkets, it is especially useful for assessing the impact of severe risk events, or the impact of simultaneous events.




  • Bowtie analysis

Bowtie combines fault-tree analysis (the causal factors that lead to an undesired event) with event-tree analysis (the systems that mitigate its consequences) in a single simplified diagram, which makes it possible to identify multiple root causes together with prevention and mitigation strategies. While fault trees are based on mathematical modelling, event trees have no inherent mathematical value. The combined tools help to identify the most critical controls (Australian Government, 2016).


The bowtie analysis method for identifying critical risk control measures


[Image: bowtie diagram showing preventive and mitigating controls around the top event]


Source: Joy, 2015


Assurance of controls can be a part of the bowtie analysis, as illustrated in the chart below. Although it is not exactly a risk evaluation, control assurance can affect the evaluation process by highlighting those opportunities that are most likely to be successful.


Advanced bowtie with control erosion factors and assurance


[Image: advanced bowtie diagram with control erosion factors and assurance]


Source: Australian Government, 2016


  • FMEA or FMECA (Rot, 2008)

FMEA (Failure Mode and Effects Analysis) and FMECA (Failure Mode and Effects Criticality Analysis) were developed in the 1950s for analysing the reliability of weaponry, and are still used in the aircraft, space and electronics industries today. The essence of FMEA/FMECA is the analysis of the impact of every potential defect on the functionality of the whole system, and the ranking of potential defects according to their severity. FMECA additionally analyses the degree of defect severity and examines whether the defect is critical for the functionality of the whole evaluated system (Rot, 2008). These methods are quite laborious and require knowledge and experience on the part of the people who apply them; they are supported by specialist tools that use elements of knowledge engineering and fuzzy logic.


As part of FMEA, a risk score and risk prioritisation number (RPN) are assigned to the deviation or to the stage of the process that is affected, which helps categorise the deviation.


RPN = Probability x Severity x Detection

Typically, if the RPN falls within a pre-determined range, corrective action may be recommended or required to reduce the risk (i.e. to reduce the probability of occurrence, increase the probability of prior detection or, if possible, reduce the severity of the failure effect). The RPN also indicates the effectiveness of corrective actions, and can be used to evaluate their value to the organisation through the % reduction in RPN:


% reduction in RPN = (RPN_initial − RPN_revised) / RPN_initial

Item RPN might be useful as a way to compare components and determine priority for corrective action or to determine which component will be selected for inclusion in the design.


RPN_item = RPN_cause1 + … + RPN_causen

(Bhattacharya, 2015)
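A worked FMEA calculation that carries the three formulas above (cause RPN, item RPN, and the % reduction after a corrective action) through a small worksheet. This is an added example, not code from the original post or from any cited source; the failure modes, the 1–10 scales, the action threshold of 100 and the hypothetical login service are all constructed assumptions.

```python
"""FMEA / RPN worksheet calculator. Added example: the failure modes, the 1-10 scales and the action threshold are constructed."""
from dataclasses import dataclass

RPN_ACTION_THRESHOLD = 100  # assumed "pre-determined range": act on any cause with RPN >= 100

@dataclass(frozen=True)
class Cause:
    item: str          # component or process stage the failure affects
    failure_mode: str
    probability: int   # 1 = rare .. 10 = almost certain to occur
    severity: int      # 1 = negligible effect .. 10 = catastrophic
    detection: int     # 1 = certain to be caught beforehand .. 10 = undetectable

    def rpn(self) -> int:
        """RPN = Probability x Severity x Detection (rejects scores off the 1..10 scale)."""
        for name in ("probability", "severity", "detection"):
            if not 1 <= getattr(self, name) <= 10:
                raise ValueError(f"{name} must be on the 1..10 scale")
        return self.probability * self.severity * self.detection

def item_rpn(causes) -> dict:
    """RPN_item = RPN_cause1 + ... + RPN_causen, summed over the causes affecting each item."""
    totals = {}
    for c in causes:
        totals[c.item] = totals.get(c.item, 0) + c.rpn()
    return totals

def prioritise(causes) -> list:
    """Causes whose RPN falls in the action range, highest RPN first."""
    hot = [c for c in causes if c.rpn() >= RPN_ACTION_THRESHOLD]
    return sorted(hot, key=lambda c: c.rpn(), reverse=True)

def rpn_reduction(initial: int, revised: int) -> float:
    """(RPN_initial - RPN_revised) / RPN_initial as a fraction; multiply by 100 for a percentage."""
    if initial <= 0:
        raise ValueError("initial RPN must be positive")
    return (initial - revised) / initial

# Constructed worksheet for a hypothetical customer-login service and its backup job.
WORKSHEET = [
    Cause("login service", "credential stuffing succeeds", 7, 8, 6),     # RPN 336
    Cause("login service", "session token written to logs", 3, 9, 8),   # RPN 216
    Cause("backup job", "nightly backup silently fails", 4, 7, 7),       # RPN 196
    Cause("backup job", "backup restored to wrong host", 2, 5, 3),       # RPN 30
]
# Corrective action on the top cause (MFA plus login rate limiting): probability 7 -> 2 and
# detection 6 -> 3, so the RPN drops from 336 to 48 and the reduction is (336 - 48) / 336 ~= 0.857.
REVISED_TOP_CAUSE = Cause("login service", "credential stuffing succeeds", 2, 8, 3)
```

With the constructed scores, item_rpn() ranks the login service (552) above the backup job (226), and prioritise() lists the three causes at or above the threshold in the order 336, 216, 196.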


  • Business impact analysis

Evaluate the threats facing the organisation and their consequences


Such analysis may start with a worst-case scenario, focusing on the business process that is most critical to recover and how it might be recovered remotely. The business-impact analysis should identify critical business functions and assign a level of importance to each function based on the potential operational or financial consequences. It should also set recovery-time objectives and the resources required if an incident occurs (SCRLC, 2011).


  • NIST SP 800-30 (a qualitative matrix approach) (Rot, 2008)

Example of matrix according to the NIST methodology


[Image: example risk matrix according to the NIST SP 800-30 methodology]


  • CRAMM (Qualitative) (Rot, 2008)

CCTA's Risk Analysis and Management Methodology (CRAMM), developed by the UK Government's Central Computer and Telecommunications Agency (CCTA), is the governmental standard for risk analysis and management. The risk management process under this methodology consists of three successive stages:

  1. Identification and evaluation of resources
  2. Evaluation of threats and susceptibility
  3. The selection and recommendation of protection mechanisms


The main aim of IT risk analysis is to:

  • determine the probability of occurrence of incidents interfering with the correct functionality of resources
  • generate lists of main threats that could concern a given asset group
  • determine the risk level for each group on a five-degree scale.



Topics: Risk methodologies, risk assessment techniques, risk evaluation, risk analysis

Jiaqi Sun

Jiaqi is the R&D and Innovation, Market Research Lead at NOSA. He focuses on market research and consulting in the occupational health, safety, environment and quality (OHSEQ) risk management space for the South African, Chinese and other advanced markets such as the USA, UK, Australia and Canada. He has so far engaged in the following projects:

  • Digital open innovation platform
  • Predictive analytics
  • Occupational psycho-social wellness
  • Business sustainability/Corporate social responsibility gap analysis
  • Fatigue management
  • Chinese occupational health and safety industry
  • Globally harmonized system (GHS) for classification and labelling of chemicals
  • Mining industry operational improvement in South Africa and Africa
  • South African market overview and trends of mine mechanisation and automation
  • South African and African markets feasibility for environment, social and governance (ESG) market research
  • South African medical waste segregation and management training services market
  • South African training services market for equipment operation and maintenance in water dams
  • A conceptual framework linking OHSMS, productivity and sustainable enterprise value: a strategic analysis of the dynamic transmission mechanism
  • South African training market for electrical safety in hazardous locations (flammable gases and vapour)
  • Disability equality market overview
  • The OHSE incident management software market overview and strategic recommendations
  • The design of a welding machine inspection register
  • South African lone working OHS training market
  • Adult Basic Education and Training market expansion strategies in South Africa
  • OHSE growth in the school sector of South Africa
