The landscape of organizational risk management requires more than just a high-level policy. The international standard IEC/ISO 31010:2019, Risk management – Risk assessment techniques, serves as the definitive compendium of methods for conducting robust risk assessments within the framework of ISO 31000. This standard guides managers, engineers, analysts, and auditors in selecting and applying appropriate techniques to identify, analyze, and evaluate risks with a high degree of technical rigor.
Foundational Note: IEC/ISO 31010:2019 is a supporting standard for ISO 31000:2018. It does not prescribe a single method but rather provides a toolbox of over 40 techniques mapped to the stages of the risk assessment process. It replaces the 2009 edition and introduces significant updates in human factors and dynamic risk assessment.
1. Scope and Purpose of IEC/ISO 31010
The primary scope of IEC/ISO 31010 is to provide guidance on the selection and application of systematic techniques for risk assessment. The standard is intended to cover the entire risk assessment sub-process of the ISO 31000 framework:
- Risk Identification: Techniques for finding, recognizing, and describing risks that might help or hinder an organization in achieving its objectives (e.g., brainstorming, structured interviews, checklists, SWIFT).
- Risk Analysis: The process of comprehending the nature of risk and determining the level of risk. This includes qualitative, semi-quantitative, or quantitative approaches (e.g., consequence/probability matrices, FMEA, LOPA, FTA).
- Risk Evaluation: The process of comparing the results of risk analysis against risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable.
Critical Distinction: While ISO 31000 provides the framework and principles, IEC/ISO 31010 fills the technical how-to gap by detailing the specific algorithms, workflows, and mathematical foundations for risk estimation and assessment.
2. Technical Requirements and Technique Taxonomy
The core technical value of ISO 31010 is its classification of risk assessment techniques. The standard does not enforce mandatory techniques but establishes criteria for selection based on the decision context, data availability, complexity, and organizational culture.
2.1 Technique Categories
The standard broadly categorizes techniques into functional groups:
- Look-up methods: Checklists, Preliminary Hazard Analysis (PHA).
- Supporting methods: Structured interviews, Delphi technique, SWIFT (Structured What-If Technique).
- Scenario analysis: Root cause analysis, FMECA, HAZOP, HACCP.
- Functional analysis: Reliability Block Diagrams (RBD), Fault Tree Analysis (FTA), Event Tree Analysis (ETA).
- Statistical methods: Monte Carlo Simulation, Bayesian Analysis, Markov Analysis.
- Economic methods: Cost-Benefit Analysis (CBA), Value at Risk (VaR).
2.2 Selection Criteria
A key requirement of the standard is the justification of the technique chosen. Factors influencing selection include:
- The objectives of the assessment (e.g., safety, financial, operational).
- The nature and degree of uncertainty.
- The complexity of the system or problem.
- The resources, time, and expertise available.
- The ability to quantify outcomes.
Table 1: Common Techniques and Their Application Stages
| Technique | Primary Stage | Quantification Type | Data Requirement |
|---|---|---|---|
| HAZOP (Hazard & Operability Study) | Identification / Analysis | Qualitative | High (Detailed P&IDs, design docs) |
| FMEA / FMECA (Failure Mode Effects Analysis) | Analysis / Evaluation | Semi-Quantitative (RPN) | Moderate (Component functions) |
| Fault Tree Analysis (FTA) | Analysis | Quantitative (Probability) | High (Reliability data) |
| Bow Tie Analysis | Evaluation / Communication | Qualitative | Moderate (Barrier data) |
| LOPA (Layer of Protection Analysis) | Evaluation | Quantitative (PFH, RRF) | High (SIF / SIL data) |
| Monte Carlo Simulation | Analysis | Quantitative (Distribution) | High (Statistical data) |
Reference: Adapted from IEC/ISO 31010:2019, Table A.1 (Technique Selection Matrix).
3. Implementation Highlights and Workflow
Implementing the standard requires a structured, defensible workflow.
- Context Definition: Before selecting a technique, the organization must define the external and internal context (ISO 31000, Clause 5.3). The technique must fit the scope of the risk assessment.
- Technique Selection: Use the selection matrix in Annex A. For example, if the goal is to identify major process safety incidents, HAZOP is preferred over a generic checklist. For financial portfolio risk, VaR may be chosen.
- Rigorous Application: The team must apply the chosen method correctly. For FTA, this means proper logic gate symbol usage (AND/OR gates) and cut set analysis. For FMEA, it means defining unambiguous ranking criteria for Severity, Occurrence, and Detection (S-O-D).
- Documentation: The standard stresses that assumptions, limitations, uncertainties, and data sources used in the analysis must be fully documented to ensure traceability and repeatability.
- Verification and Validation: Results should be checked for consistency. Different teams analyzing the same scenario using different techniques (e.g., FTA and Event Tree) should arrive at logically consistent conclusions.
Best Practice: Avoid relying on a single technique. ISO 31010 encourages a suite approach. Use a broad qualitative technique (e.g., SWIFT) for initial identification, then a structured, more detailed technique (e.g., FMEA or HAZOP) for analysis of critical items.
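As an added worked example (not code from the standard or from this page), the two rigour steps named above, FTA cut set analysis and FMEA S-O-D ranking, carried through on a constructed AND/OR fault tree, constructed basic-event probabilities and constructed RPN-to-level thresholds, so that a register entry such as "High" is traceable to a computed RPN or top-event probability:

```python
# Added example (not from IEC/ISO 31010): minimal cut sets of an AND/OR
# fault tree, rare-event top-event probability, and FMEA RPN -> risk level.
# Tree, probabilities and thresholds are constructed for illustration.
from itertools import product
from math import prod

# Constructed fault tree: TOP = AND(OR(A, B), OR(C, AND(A, D))).
# Gates are (type, children); a name absent from the dict is a basic event.
TREE = {
    "TOP": ("AND", ["G1", "G2"]),
    "G1": ("OR", ["A", "B"]),
    "G2": ("OR", ["C", "G3"]),
    "G3": ("AND", ["A", "D"]),
}
# Constructed basic-event probabilities, assumed independent.
P_BASIC = {"A": 1e-3, "B": 2e-3, "C": 5e-3, "D": 1e-2}
# Constructed RPN thresholds; the standard leaves ranking criteria to the user.
RPN_LEVELS = [(200, "Critical"), (100, "High"), (50, "Medium"), (0, "Low")]

def cut_sets(node, tree=TREE):
    """All cut sets (frozensets of basic events) that cause `node`."""
    if node not in tree:
        return {frozenset([node])}
    gate, children = tree[node]
    child_sets = [cut_sets(c, tree) for c in children]
    if gate == "OR":  # any one child failing suffices
        return set().union(*child_sets)
    # AND: take one cut set from every child and merge them (Boolean product)
    return {frozenset().union(*combo) for combo in product(*child_sets)}

def minimal_cut_sets(node="TOP", tree=TREE):
    """Absorption: drop any cut set that strictly contains another."""
    sets = cut_sets(node, tree)
    return {s for s in sets if not any(o < s for o in sets)}

def top_event_probability(p=P_BASIC, node="TOP", tree=TREE):
    """Rare-event approximation: sum over minimal cut sets of the product
    of their basic-event probabilities."""
    return sum(prod(p[e] for e in mcs) for mcs in minimal_cut_sets(node, tree))

def fmea_rpn(severity, occurrence, detection):
    """RPN = S x O x D, each ranked on a 1..10 ordinal scale."""
    if not all(1 <= v <= 10 for v in (severity, occurrence, detection)):
        raise ValueError("S, O and D must be ranked 1..10")
    return severity * occurrence * detection

def risk_level(rpn, levels=RPN_LEVELS):
    """Map an RPN to the register level it justifies (traceable to the FMEA)."""
    return next(label for floor, label in levels if rpn >= floor)
```

For the constructed tree the minimal cut sets are {A,C}, {A,D} and {B,C}; the superset {A,B,D} is absorbed, which is exactly the step a hand-drawn tree tends to get wrong.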
4. Compliance Notes and Audit Readiness
While ISO 31010 is a guidance standard (not a requirements specification), its proper use demonstrates technical due diligence in risk management. Auditors assessing compliance with ISO 31000 or management system standards (e.g., ISO 9001:2015, Clause 6.1) will look for evidence of the following:
- Justification of Methodology: The organization must prove that its chosen technique is fit for purpose. Relying solely on unstructured expert judgment without a recognized structured method may be considered a gap in rigor.
- Competency: Personnel applying advanced statistical or simulation techniques (e.g., Monte Carlo, Bayesian networks, Markov chains) must have the requisite training, experience, and documented competence.
- Traceability: The risk register must clearly link the risk level (e.g., “High,” “Critical”) back to the results of a specific analysis technique (e.g., an FMEA RPN of 180 or an FTA probability of 1E-6).
- Limitations: Acknowledging the limitations of the model and the data. For instance, stating that a deterministic approach was used instead of a probabilistic one, along with the rationale behind the decision.
Compliance Risk: Using a purely qualitative, subjective matrix for a complex, safety-critical system without supporting quantitative analysis (e.g., FTA, LOPA) can lead to underestimation of residual risk, resulting in non-compliance with duty of care and statutory safety regulations.
As organizations increasingly adopt digital risk management (RiskTech) and integrate AI into decision-making, the techniques within IEC/ISO 31010 are evolving. The standard remains the bedrock for traditional risk assessment while facilitating the move towards dynamic, real-time risk assessment models. For practitioners, mastering the taxonomy of this standard is essential for moving beyond generic compliance toward engineering resilience.
Q: Can I use IEC/ISO 31010 effectively without implementing ISO 31000?
A: Technically, yes, the techniques are universal and can be used in isolation for specific projects (e.g., a HAZOP for a chemical plant). However, IEC/ISO 31010 explicitly references ISO 31000 for the overarching risk management framework. Without the strategic context provided by ISO 31000 (risk criteria, scope definition, external context), the risk assessment may lack alignment with organizational objectives, potentially diminishing its strategic decision-making value.
Q: What is the main difference between IEC/ISO 31010:2009 and the 2019 edition?
A: The 2019 edition significantly expands the number of techniques from 31 in 2009 to over 40. It places much greater emphasis on human and organizational factors, cognitive biases in risk perception, and cybersecurity risk assessment techniques. The linkage to the ISO 31000:2018 lifecycle model was also substantially strengthened.
Q: Does the standard require specific commercial software tools for application?
A: No. IEC/ISO 31010 is entirely methodology-agnostic regarding software. It provides the mathematical and logical principles for techniques (e.g., probability theory for Monte Carlo, Boolean logic for FTA, matrix algebra for Bayesian networks). The choice of execution (manual paper-based analysis, spreadsheets, or dedicated specialized software) is left entirely to the user, based on complexity and the need for auditing.
Q: Is ISO 31010 mandatory for achieving ISO 31000 certification?
A: ISO 31000 itself is not a certification standard (it is a guideline standard). However, many organizations use IEC/ISO 31010 as auditable evidence to demonstrate their capability in conducting rigorous, systematic risk assessments. This evidence is critical when meeting the risk-based thinking requirements found in other certifiable management system standards, such as ISO 9001:2015, ISO 14001:2015, or ISO 45001:2018.