Answer:
In order to evaluate risks, you need to define criteria. Criteria can be based on one or several features. Usually the criterion for evaluating a risk is the severity or consequence of the risk: if the risk has a big severity or consequence, it is ranked higher on the list of risks, or it can be labeled as a significant risk, as opposed to insignificant risks with a small severity or consequence.
Another feature that can be taken as a criterion for risk evaluation is frequency of occurrence, or probability. Some risks can have a big consequence but rarely happen, so such risks can be considered insignificant or low on the list of priorities. A risk with high probability and a big consequence should be considered significant, or unacceptable, and such a risk should be addressed.
There are additional criteria for evaluating risk, such as detection, that can be used, but the number and type of criteria to use will depend on the needs of the company. Smaller companies will use simpler criteria that can be qualitative or quantitative, and bigger and more complex companies will use more criteria and a qualitative methodology.
For more information, see: Methodology for ISO 9001 Risk Analysis https://advisera.com/9001academy/blog/2015/09/01/methodology-for-iso-9001-risk-analysis/
Oct 08, 2016