An Introduction to IEC 31010 and Risk Assessment Techniques
If you are not a professional risk manager or you haven’t ever had to study risk in a formal, technical capacity you probably won’t have heard of IEC 31010:2019.
In fact, even if you do have some professional risk management responsibilities, you still might not have heard of it, perhaps depending on how deeply your organization or customers require you to follow the ISO 31000 group of standards, a family of quality standards that cover different aspects of risk management. (1)
We think this is a shame because we think 31010 is a source of some really great technical and practical concepts with a lot of cross-disciplinary relevance.
We should also be upfront and say that like other formal standard documents, it’s not cheap, and as of January 2020 acquiring the new-ish 31010:2019 standard direct from the International Organization for Standardization (ISO) website would cost in the region of USD 200. (2)
You might be able to get a second-hand copy of the older 31010:2009 standard for a bit less than this, which would be good for general background knowledge for most purposes, but even so this might still be the most expensive book you bought this year by far.
What’s in IEC 31010?
After the preamble and introductions it starts off like most standard documents do with a list of definitions, technical terms and concepts, and 31010:2019 is actually quite light on these compared to some other standards, which is to its credit. These include a definition of risk and a summary of the formal ISO risk assessment process, which is covered in more detail in ISO 31000.
About 20 pages in (of about 250, if you get the version that has both English and French translations) the standard starts to discuss risk assessment techniques: different styles of techniques, how they could be used, and some advantages and limitations of the different styles, as well as some thoughts about selection of different techniques.
Annex B, from page 40 onwards, is the main body of the document. It contains descriptions of 42 different risk assessment techniques that professionals and non-professionals alike can use to help them with their risk assessment processes.
Some, like Bayesian statistics, are highly quantitative and require a level of skill and facility with numbers to apply properly, although many others, such as Brainstorming and Bow-Tie Analysis, are far more intuitive and accessible to anyone.
With IEC 31010 there is no sense that you have to use any particular technique or that one has any more importance than another. Rather, it's about picking the ones that suit the style of risk assessment process you are carrying out, using the assets (human and technical) you have available to assist you, and that best suit the timeline you need to complete your analysis and your decision-making processes, and the budget you have available.
If you don’t know which techniques to use for which purposes, there is a helpful tabulated summary of when it is recommended to use the different techniques in Annex A.
In the spirit of this blog, and its foundational concept that risk management is really about getting more of the things you want to happen and less of the things you don't, many of these techniques can be applied to other areas of our business operations or our lives. For those of us who are not required to use standards like 31010 or ISO 31000 on a professional basis, this is going to be the real value that most of us can get from knowing a bit more about ISO / IEC 31010 and its contents.
We understand that this is quite a technical post but please stick with us, because across a series of forthcoming posts we are going to pick out some of these techniques ourselves and talk about them in more depth, and in particular look at practical ways they can be used beyond their relevance to formal risk management.
Many of them involve concepts or ideas that, with a little bit of adaptation, can be applied to helping you reach your personal or business goals, and they are as valid and as good as almost anything we've seen from the books we've read on personal self-improvement.
We hope you will find this interesting, and if you aren't reading this website regularly and would like to search for this series you can use the ISO and Frameworks theme to find our posts in this category.
(1) Formally the standard is called IEC 31010:2019. ISO and IEC stand for The International Organization for Standardization and The International Electrotechnical Commission (IEC) respectively, and these are the two organisations which are responsible for codifying the standard.
(2) IEC 31010:2019 Risk Management, Risk Assessment Techniques https://www.iso.org/standard/72140.html [Accessed 04 Jan 2020]