IEC 31010:2019  IEC 2019 – 31 –

Annex A
(informative)

Categorization of techniques

A.1 Introduction to categorization of techniques

Table A.1 explains the characteristics of techniques that can be used for selecting which
technique or techniques to use.

Table A.1 – Characteristics of techniques

Characteristic Description Details (e.g. features indicators)

Application How the technique is used in risk
assessment (see titles of Clauses B.1 to
B.10)
Scope Applies to risk at organizational level,
departmental or project level or individual
processes or equipment level
Time horizon Looks at short-, medium- or long-term
risk or is applicable to any time horizon
Decision level Applies to risk at a strategic, tactical or
operational level
Starting info/data needs The level of starting information or data
needed
Specialist expertise Level of expertise required for correct
use
Qualitative – quantitative Whether the method is qualitative, semi-
quantitative or quantitative
Effort to apply Time and cost required to apply
technique
Elicit views, identify, analyse cause,
analyse controls, etc.
organization (org)
project/department (dep)
equipment/process (equip/proc)
Short, medium, long, any
Strategic (1), tactical (2), operational (3)
High, medium, low
low: intuitive or one to two days' training
moderate: training course of more than
two days
high: requires significant training or
specialist expertise
quantitative (quant)
qualitative (qual)
semi-quantitative (semi-quant)
can be used qualitatively or quantitatively
(either)
high, medium, low

A.2 Application of categorization of techniques

Table A.2 lists a range of techniques classified according to these characteristics. The
techniques described represent structured ways of looking at the problem in hand that have
been found useful in particular contexts. The list is not intended to be comprehensive but covers
a range of commonly used techniques from a variety of sectors. For simplicity the techniques
are listed in alphabetical order without any priority.

Each technique is described in more detail in Annex B, as referenced in column 1 of Table A.2.
 Table A.2 – Techniques and indicative characteristics

Sub- Technique Description Application Scope Time Decision Starting Specialist Qual/quant/ Effort to
clause horizon level info/data expertise semi-quant apply
needs
B.8.2 ALARP/SFAIRP Criteria for deciding significance of risk and evaluate. 1 any 1/2 high high qual/quant high
means of evaluating tolerability of risk. risk
B.5.2 Bayesian analysis A means of making inference about model analyse any any any medium high quant medium
parameters using Bayes' theorem which likelihood
has the capability of incorporating
empirical data into prior judgements about
probabilities.
B.5.3 Bayesian A graphical model of variables and their identify risk any any any medium high quant medium/
networks/ cause-effect relationships expressed using high
Influence probabilities. A basic Bayesian network has estimate
diagrams variables representing uncertainties. An risk
extended version, known as an influence decide
diagram, includes variables representing between
uncertainties, consequences and actions. options

– 32 –
B.4.2 Bow tie analysis A diagrammatic way of describing the Analyse risk 2/3 short/ any low low/ qual/semi- low
pathways from sources of risk to outcomes, medium moderate quant
and of reviewing controls. analyse
controls
describe
risk
B.1.2 Brainstorming Technique used in workshops to encourage elicit views any any any none low/ qual low
imaginative thinking. moderate
B.5.4 Business impact The BIA process analyses the analyse 1 short/ 2 medium low quant/qual medium

IEC 31010:2019  IEC 2019

analysis consequences of a disruptive incident on conseq. medium
the organization which determines the
recovery priorities of an organization's analyse
products and services and, thereby, the controls
priorities of the activities and resources
which deliver them.
B.6.1 Causal mapping A network diagram representing events, analyse 2/3 any 2/3 medium moderate qual medium
causes and effects and their relationships. causes
B.5.5 Cause- A combination of fault and event tree analyse 2/3 any 2/3 medium/ moderate/ quant medium/
consequence analysis that allows inclusion of time causes and high high high
analysis delays. Both causes and consequences of conseq.
an initiating event are considered.
 IEC 31010:2019  IEC 2019
Sub- Technique Description Application Scope Time Decision Starting Specialist Qual/quant/ Effort to
clause horizon level info/data expertise semi-quant apply
needs
B.2.2 Checklists Lists based on experience or on concepts identify risk 2/3 any any high to low/ qual low/medium
classifications, and models that can be used to help or controls develop, moderate
taxonomies identify risks or controls. low to use
B.3.2 Cindynic approach Considers goals, values, rules, data and identify risk 1/2 short or 1 low moderate qual high
models of stakeholders and identifies drivers medium
inconsistencies, ambiguities, omissions
and ignorance. These form systemic
sources and drivers of risk.
B.7.3 Conditional value Also called expected shortfall (ES), is a measure of any short/ 3 high high quant medium
at risk CVaR measure of the expected loss from a risk medium
financial portfolio in the worst a % of
cases.
B.10.3 Consequence/ Compares individual risks by selecting a report risks any any any medium low to use, qual/ low
likelihood matrix consequence/likelihood pair and displaying moderate to semi-quant/
them on a matrix with consequence on one evaluate develop quant
axis and likelihood on the other.

– 33 –
B.9.2 Cost/benefit Uses money as a scale for estimating compare any short/ any medium moderate/ quant medium/
analysis positive and negative, tangible and options medium /high high high
intangible, consequences of different
options.
B.6.2 Cross impact Evaluates changes in the probability of the analyse any short/ any low to high moderate/ quant medium/
analysis occurrence of a given set of events likelihood medium high high
consequent on the actual occurrence of and cause
one of them.
B.9.3 Decision tree Uses a tree-like representation or model of compare any any 2 low/ medium moderate quant medium
analysis decisions and their possible options
consequences. Outcomes are usually
expressed in monetary terms or in terms of
utility.
An alternative representation of a decision
tree is an influence diagram (see B.5.3).
B.1.3 Delphi technique Collects judgements through a set of elicit views any any any none moderate qual medium
sequential questionnaires. People
participate individually but receive
feedback on the responses of others after
each set of questions.
 Sub- Technique Description Application Scope Time Decision Starting Specialist Qual/quant/ Effort to
clause horizon level info/data expertise semi-quant apply
needs
B.5.6 Event tree Models the possible outcomes from a given analyse 2/3 any any low/medium moderate qual/quant medium
analysis (ETA) initiating event and the status of controls conseq. and
thus analysing the frequency or probability controls
of the various possible outcomes.
B.5.7 Fault tree analysis Analyses causes of a focus event using analyse 2/3 medium 2/3 high for depends on qual/quant medium/
(FTA) Boolean logic to describe combinations of likelihood quant complexity high
faults. Variations include a success tree analysis
where the top event is desired and a cause analyse
tree used to investigate past events. causes

B.2.3 Failure modes and Considers the ways in which each identify risks 2/3 any 2/3 depends on moderate qual/semi- low /high
effects (and component of a system might fail and the application quant/quant
criticality) analysis failure causes and effects. FMEA can be
followed by a criticality analysis which
FME(C)A defines the significance of each failure
mode (FMECA).
B.8.3 Frequency / Special case of quantitative evaluate 1 any any high high quant high
number (F/N) consequence/likelihood graph applied to risk

– 34 –
diagrams consideration of tolerability of risk to
human life.
B.9.4 Game theory The study of strategic decision making to decide 1 medium 1/2 high high quant medium/
model the impact of the decisions of between high
different players involved in the game. options
Example application area can be risk
based pricing.
B.4.3 Hazard analysis Analyses the risk reduction that can be analyse 2/3 short/ 2/3 medium moderate qual medium
and critical control achieved by various layers of protection. controls medium
points (HACCP) monitor

IEC 31010:2019  IEC 2019

B.2.4 Hazard and A structured and systematic examination of identify and 3 medium/ 2/3 medium facilitator: qual medium/
operability studies a planned or existing process or operation analyse long high, high
(HAZOP) in order to identify and evaluate problems risks participants:
that might represent risk to personnel or moderate
equipment, or prevent efficient operation.
B.5.8 Human reliability A set of techniques for identifying the analyse risk 2/3 any 2/3 medium high qual/quant medium to
analysis (HRA) potential for human error and estimating and sources high
the likelihood of failure. of risk
B.1.5 Interviews Structured or semi- structured one-to-one elicit views any any any none moderate qual high
conversations to elicit views.
 IEC 31010:2019  IEC 2019
Sub- Technique Description Application Scope Time Decision Starting Specialist Qual/quant/ Effort to
clause horizon level info/data expertise semi-quant apply
needs
B.3.3 Ishikawa analysis Identifies contributory factors to a defined analyse any any any low low/ qual low
(fishbone diagram) outcome (wanted or unwanted). sources of moderate
Contributory factors are usually divided risk
into predefined categories and displayed in
a tree structure or a fishbone diagram.
B.4.4 Layers of Analyses the risk reduction that can be analyse 3 any 2/3 medium moderate/ qual/quant medium/
protection analysis achieved by various layers of protection. controls high high
(LOPA)
B.5.9 Markov analysis Calculates the probability that a system analyse 3 any 2/3 medium/ high quant medium
that has the capacity to be in one of a likelihood high
number of states will be in a particular
state at a time t in the future.
B.5.10 Monte Carlo Calculates the probability of outcomes by analyse any any any medium high quant medium/
analysis running multiple simulations using random likelihood high
variables.
B.9.5 Multi-criteria Compares options in a way that makes decide any any any low moderate qual low/medium

– 35 –
analysis (MCA) trade-offs explicit. Provides an alternative between
to cost/benefit analysis that does not need options
a monetary value to be allocated to all
inputs.
B.1.4 Nominal group Technique for eliciting views from a group elicit views any any any none low qual medium
technique of people where initial participation is as
individuals with no interaction, then group
discussion of ideas follows.
B.8.4 Pareto charts The Pareto principle (the 80–20 rule) set priorities any any any medium moderate semi- low
states that, for many events, roughly 80 % quant/quant
of the effects come from 20 % of the
causes.
B.5.11 (PIA/DPIA) privacy Analyses how incidents and events could analyse any any 1/2 medium moderate/ qual medium
impact analysis / affect a person's privacy (PI) and identifies sources of high
data protection and quantifies the capabilities that would risk
impact analysis be needed to manage it.
conseq
analysis
B.8.5 Reliability centred A risk based assessment used to identify evaluate 2/3 medium 2/3 medium high for qual/semi- medium/
maintenance the appropriate maintenance tasks for a risk facilitator, quant/quant high
(RCM) system and its components. moderate to
decide use
controls
 Sub- Technique Description Application Scope Time Decision Starting Specialist Qual/quant/ Effort to
clause horizon level info/data expertise semi-quant apply
needs
B.8.6 Risk indices Rates the significance of risks based on compare any any any medium low to use, semi-quant low
ratings applied to factors which are risks moderate to
believed to influence the magnitude of the develop
risk.
B.10.2 Risk registers A means of recording information about recording any any any low/medium low/ qual medium
risks and tracking actions. and moderate
reporting
risks
monitor and
review
B.10.4 S-curves A means of displaying the relationship display risk any any 2/3 medium/ moderate/ quant/semi- medium
between consequences and their likelihood high high quant
plotted as a cumulative distribution function evaluate
(S-curve). risk

B.2.5 Scenario analysis Identifies possible future scenarios through identify risk, any medium or any low/medium moderate qual low/medium
imagination, extrapolation from the present conseq. long

– 36 –
or modelling. Risk is then considered for analysis
each of these scenarios.
B.1.6 Surveys Paper- or computer-based questionnaires elicit views any medium/ 2/3 low moderate qual high
to elicit views. long
B.2.6 Structured what if A simpler form of HAZOP with prompts of identify risk 1/2 medium/ 1/2 medium low/ qual low/medium
technique (SWIFT) "what if" to identify deviations from the long moderate
expected.
B.7.1 Toxicological risk A series of steps taken to obtain a measure measure of 3 medium/ 2/3 high high quant high
assessment for the risk to humans or ecological risk long

IEC 31010:2019  IEC 2019

systems due to exposure to chemicals.
B.7.2 Value at risk Financial measure of risk that uses an measure of any short/ 3 high high quant medium
(VaR) assumed probability distribution of losses risk medium
in a stable market condition to calculate
the value of a loss that might occur with a
specified probability within a defined time
span.
IEC 31010:2019  IEC 2019 – 37 –

A.3 Use of techniques during the ISO 31000 process

Table A.3 lists the extent to which each technique is applicable to the different stages of risk
assessment; namely risk identification, risk analysis, and risk evaluation. Some of the
techniques are also used in other steps of the process. This is illustrated in Figure A.1.

Figure A.1 – Application of techniques in the ISO 31000 risk management process [3]

NOTE Figure A.1 is intended to provide an overview and is not an exhaustive list of all techniques that can be used
at each step.
 – 38 – IEC 31010:2019  IEC 2019

Table A.3 – Applicability of techniques to the ISO 31000 process

Risk assessment process

Sub-
Tools and techniques Risk analysis
Risk Risk clause
identification Consequence Likelihood Level of risk evaluation

ALARP, ALARA and SFAIRP NA NA NA NA SA B.8.2

Bayesian analysis NA NA SA NA NA B.5.2
Bayesian networks NA NA SA NA SA B.5.3
Bow tie analysis A SA A A A B.4.2
Brainstorming SA A NA NA NA B.1.2
Business impact analysis A SA NA NA NA B.5.4
Causal mapping A A NA NA NA B.6.1
Cause-consequence analysis A SA SA A A B.5.5
Checklists, classifications and
SA NA NA NA NA B.2.2
taxonomies
Cindynic approach SA NA NA NA NA B.3.2
Consequence/likelihood matrix NA A A SA A B.10.3
Cost/benefit analysis NA SA NA NA SA B.9.2
Cross impact analysis NA NA SA NA NA B.6.2
Decision tree analysis NA SA SA A A B.9.3
Delphi technique SA NA NA NA NA B.1.3
Event tree analysis NA SA A A A B.5.6
Failure modes and effects
SA SA NA NA NA B.2.3
analysis
Failure modes and effects and
SA SA SA SA SA B.2.3
criticality analysis
Fault tree analysis A NA SA A A B.5.7
F-N diagrams A SA SA A SA B.8.3
Game theory A SA NA NA SA B.9.4
Hazard and operability studies
SA A NA NA NA B.2.4
(HAZOP)
Hazard analysis and critical
SA SA NA NA SA B.4.3
control points (HACCP)
Human reliability analysis SA SA SA SA A B.5.8
Ishikawa (fishbone) SA A NA NA NA B.3.3
Layer protection analysis (LOPA) A SA A A NA B.4.4
Markov analysis A A SA NA NA B.5.9
Monte Carlo simulation NA A A A SA B.5.10
Multi-criteria analysis (MCA) A NA NA NA SA B.9.5
Nominal group technique SA A A NA NA B.1.4
Pareto charts NA A A A SA B.8.4
Privacy impact analysis/ data
privacy impact assessment A SA A A SA B.5.11
(PIA/DPIA)
Reliability centred maintenance A A A A SA B.8.5
Risk indices NA SA SA A SA B.8.6
S-curves NA A A SA SA B.10.4
Scenario analysis SA SA A A A B.2.5
 IEC 31010:2019  IEC 2019 – 39 –

Risk assessment process

Sub-
Tools and techniques Risk analysis
Risk Risk clause
identification Consequence Likelihood Level of risk evaluation

Structured or semi-structured
SA NA NA NA NA B.1.5
interviews
Structured "What if?" (SWIFT) SA SA A A A B.2.6
Surveys SA NA NA NA NA B.1.6
Toxicological risk assessment SA SA SA SA SA B.7.1
Value at risk (VaR) NA A A SA SA B.7.2

A: applicable; SA: strongly applicable; NA: not applicable.