ISO 31010 Risk Assessment Techniques and Open Systems: Jean Cross


Sixth Workshop on Open Systems Dependability Tokyo, 2017-10-21

ISO 31010 Risk assessment techniques and open systems

Jean Cross
Emeritus Professor, UNSW
Australia

I. INTRODUCTION

This paper considers the application of the draft of IEC/ISO 31010 Risk management – Risk assessment techniques to open systems. This standard is expected to be published in the second half of 2018. The paper starts by discussing risk assessment as envisaged in ISO 31000, then explains how IEC/ISO 31010 has extended these concepts.

ISO 31010 has two sections. The first covers what is meant by risk and uncertainty, the benefits of using formal techniques, and how an understanding of risk is applied when making decisions. The second section describes the techniques. Annex A lists about 40 techniques and some of their characteristics (such as whether they are qualitative or quantitative and the expertise and effort needed to use them). In Annex B, each technique is summarised in one page, with references given for further information. In this paper a few techniques are selected to give a picture of how 31010 might apply to open systems.

II. RISK AND UNCERTAINTY

Risk is defined in ISO 31000 Risk management as the effect of uncertainty on objectives; so in a dependability context managing risk concerns the way in which uncertainty affects the dependability of systems and services. Risk can have positive consequences (effects of uncertainty may be positive as well as negative). Sources of potential benefit (opportunities) need to be managed as well as sources of potential loss (threats).

Uncertainty can involve lack of knowledge, inherent variability, ambiguity in language and understanding, indeterminacy, unpredictability, as well as the uncertainty inherent in complexity. Any of these forms of uncertainty is a source of risk. One important form of risk is where potential events can be identified and outcomes predicted. The uncertainty lies in whether and when an event will occur and in the magnitude of the outcome. It is possible to make a list of such risks and to prioritise them for action, for monitoring or for allocating accountabilities. This is the process described in ISO 31000. However, there are other ways of considering risk that are particularly relevant to open systems. For example, there are situations where sources of risk can be envisaged but particular events and outcomes cannot be defined. Such sources of risk could be shortages of staff, poor morale or poor communications between different parts of a system. Often a combination of systemic problems interacts to cause failure. Although these are probably more accurately described as issues rather than risks, the result is still that there are uncertain consequences to objectives, and dealing with such issues is part of assessing and managing risk.

III. ASSESSING RISK

A. ISO 31000 view

In ISO 31000 risk assessment involves identifying risks, understanding them and deciding whether further control is required (risk treatment). Risk assessment and risk treatment are iterative.

The process for managing risks described in ISO 31000 assumes that risks can be individually identified and that an assessment allows each risk to be compared with pre-defined criteria. It is generally assumed that the criterion for whether a risk needs action should be a level of risk, measured by combining the consequences to objectives with the likelihood that these consequences might occur. For open systems, consequences are less predictable and likelihoods extremely difficult to estimate with any validity, so the process is most useful in an open system for short time scales and relatively closed sub-systems. However, ISO 31000 does not require the criterion for whether to treat or not to be a level of risk. It uses the word criteria (plural) not criterion (singular) and also mentions the need to set criteria taking account of ethical, legal and other considerations.

B. ISO 31010 Risk Assessment Techniques

IEC/ISO 31010 is broader than ISO 31000. Uncertainty is defined more broadly and risk assessment is considered to apply to any type of decision, not just whether to treat a risk or not. The techniques described are used in 4 different circumstances:

1. To identify and analyse particular risks and decide whether and how to treat them – this is the process envisaged by 31000.

2. Because someone wants to understand a risk with no particular decision in mind. This might be the regulator or the community or any of a system's stakeholders.

3. To make a choice between options where each option is associated with uncertainties and where outcomes may be positive or negative or both. A decision here means weighing the potential positives and the potential negatives, taking into account all forms of uncertainty.


4. To understand risk more broadly as a background to planning. This will result in actions to reduce risk even though particular risks may not be identified.

Different measures of risk are discussed that allow for events to be unpredictable and consequences to be represented by a distribution. It is also recognised that understanding risk involves data analysis and modelling as well as applying other specific techniques. The techniques described in the annex are categorized in the following way.

• Eliciting views from stakeholders;
• Identifying risk;
• Determining sources and drivers of risk;
• Investigating the effectiveness of controls;
• Understanding consequences, likelihood and risk;
• Analysing interactions and dependencies;
• Selecting between options;
• Evaluating the significance and tolerability of risks;
• Recording and reporting.

The techniques included are those used by members of the committee, who are experts nominated from different countries. Some of the techniques were used in dependability applications as long ago as the middle of the last century. Techniques were developed to fulfil the need at the time. Although there are few techniques explicitly intended for open systems, techniques have evolved over time and continue to evolve, and many can be used in a broad range of situations outside their original application. Techniques can be adapted, combined and applied in new ways or extended to satisfy current and future needs.

IV. OPEN SYSTEMS

A. Conventional life cycle stages

In open systems boundaries and responsibilities are unclear, and no one has a complete understanding of the system, which is complex and changing. An open system includes hardware, but people and software have an important role, and people are involved in more complex ways as decision makers, rather than only as operators as considered in the past. Dependability management for open systems is often described through the DEOS life cycle model illustrated in Figure 1.

Figure 1 The DEOS life cycle model

Every manager, whether in an open or closed system, has objectives and defined authorities and responsibilities. Every manager needs to think about what might happen to affect those objectives and what they are able to do so that their objectives are achieved in the best way. That is, the 31000 process is still applicable. Figure 2 shows where the various techniques listed in 31010 can be used in this process. Conventional techniques such as failure modes and effects analysis, fault tree analysis and Hazop are still useful as part of achieving the required availability and reliability of sub-systems. In an open system, risks at the interfaces between sub-systems and with enabling systems are critical, and as the system becomes more complex these risks become more difficult to identify. Consensus techniques such as the Ishikawa method can be useful here.

31010 extends the concept of risk assessment to include the assessment of risk in decisions when there is a need to select between options, i.e. where options may have both


positive and negative consequences and trade-offs between objectives may be required. This may involve cost benefit analysis in which, as well as expected costs and benefits, uncertain costs and benefits and potential events are taken into account. Multi-criteria analysis can be used here.

The DEOS life cycle model introduces two additional cycles, change accommodation and failure response.

Figure 2 IEC/ISO 31010 Techniques in the risk management process from ISO 31000 FDIS

B. Change accommodation

When there is change in the environment or in the purpose of a system, risks are inevitably introduced. The initial risk assessment will have made various assumptions which may become invalid as time goes on. This means that during any risk assessment, parameters which are critical to the assessment need to be identified so they can be monitored. This is important for any system but becomes even more critical for open systems, and may need some effort so that the right flags are identified for the changes that matter. A technique relevant to change detection is HACCP (Hazard analysis and critical control point). HACCP is a method developed for food safety that involves identifying the points in a procedure (or a system) where it is possible to check that things are working as they


should and intervene if they are not. HACCP provides a formal method to do this.

In an open system, changes made in one part of the system can affect another part of the system. In pursuing their own objectives and managing their risks, a manager may make decisions which are very sensible from their viewpoint but that cause problems because of things they don't know and cannot be expected to know about other parts of the system. The Cindynic approach is a technique where interviews are carried out to find out the goals, values, rules, data and models of the different stakeholders. It then identifies dissonances and deficits. In this way the inconsistencies, ambiguities, omissions and ignorance that form systemic sources and drivers of risk can be identified.

Communication and feedback on outcomes of decisions that cross sub-system boundaries are essential so that interactions are better considered in the future. Influence diagrams can help identify where feedback should be sought.

A characteristic of open systems is that they may continue to operate far into the future, adapting to change as it occurs. One way of looking at the long term future and trying to imagine future scenarios is scenario analysis. This technique identifies possible futures through imagination, extrapolation from the present or modelling. What might happen is then considered for each of these scenarios. Scenario analysis has been used for long term planning in the social and political arena with fairly limited success. What people imagine for the long term future is often not what happens. When many operating industrial process plants were built, no one could have predicted what modern control systems would look like or the extent to which they would depend on external systems. However, the drive to higher production, which means that plants operate outside their design requirements, could perhaps be predicted and planned for. The value of scenario analysis is that it encourages one to identify those changes that can be predicted from current trends and also to build in systems to detect change.

C. Failure response

Since the system is complex, risks will remain unidentified and failures will occur. The critical needs here are to identify early warning signs of failure before they escalate, and to undertake a root cause analysis (RCA) of failure in order to learn from it. IEC 31010 covers basic RCA techniques, but these are discussed in much more detail in IEC 62740 Root cause analysis.

D. The dependability case

The dependability of an open system is assured through a dependability case. In a dependability case a reasoned argument is made to support the contention that the system is dependable. One approach is to show through analysis, measurement and prediction that the required levels of the dependability attributes are achieved. The other approach is to identify risks to dependability and to demonstrate that those risks have been addressed. In order to make this argument the risks need to be analysed to show that the sources and drivers of these risks have been addressed. The use of some of the formal techniques in IEC/ISO 31010 can help provide justification for these arguments.

ANNEX: TECHNIQUES REFERRED TO IN TEXT

FMEA (Failure Modes And Effects Analysis): Considers the ways in which each component of a system might fail and the failure causes and effects.

FTA (Fault Tree Analysis): Analyses causes of a focus event using Boolean logic to describe combinations of failures.

Hazop: Examination of a planned or existing process or operation in order to identify and evaluate problems that might represent risk to personnel or equipment, or prevent efficient operation.

Ishikawa analysis: A team identifies contributory factors to a defined outcome (wanted or unwanted). These are usually divided into predefined categories and displayed in a tree or a fishbone diagram.

Multi criteria analysis: Compares options in a way that makes trade-offs explicit. Provides an alternative to cost benefit analysis that does not need a monetary value to be allocated to all inputs.

Bayes networks / Influence diagrams: A graphical model of variables and their cause-effect relationships expressed using probabilities. An influence diagram includes variables representing uncertainties, consequences and actions.

Scenario analysis: Identifies possible future scenarios through imagination, extrapolation from the present or modelling. Risk is then considered for each of these scenarios.
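Fault tree analysis, as summarised in the annex, describes combinations of basic failures with Boolean AND/OR gates. The script below is an added example written for this page; it is not code from the paper, from IEC/ISO 31010 or from the DEOS project. It builds a small constructed fault tree for a hypothetical on-line service (the event names and probabilities are invented for illustration), then computes the top-event probability under an independence assumption, the minimal cut sets that the Boolean structure implies, the rare-event upper bound, and the single points of failure. Those last two outputs are the kind of evidence a dependability case (section D) would cite to show that sources of risk have been addressed.

```python
from dataclasses import dataclass
from itertools import product
from math import prod


@dataclass
class Event:
    """Basic event (a leaf of the tree) with its assumed probability of
    occurring in the analysis period. Values here are constructed."""
    name: str
    p: float


@dataclass
class Gate:
    """Logic gate. 'AND': the output occurs only if every input occurs;
    'OR': the output occurs if any input occurs."""
    name: str
    kind: str   # "AND" or "OR"
    inputs: list


def probability(node):
    """Probability of the event at `node`, assuming independent basic events.
    AND multiplies input probabilities; OR takes 1 - P(no input occurs)."""
    if isinstance(node, Event):
        return node.p
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":
        return 1.0 - prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def cut_sets(node):
    """Minimal cut sets: the smallest combinations of basic events sufficient
    to cause the event at `node`. OR gates collect the cut sets of each input;
    AND gates combine one cut set from every input; any candidate that is a
    superset of another candidate is dropped (Boolean absorption)."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    per_input = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":
        candidates = {s for sets in per_input for s in sets}
    else:
        candidates = {frozenset().union(*combo) for combo in product(*per_input)}
    minimal = [s for s in candidates if not any(other < s for other in candidates)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def basic_events(node):
    """Map each basic event name to its probability."""
    if isinstance(node, Event):
        return {node.name: node.p}
    found = {}
    for child in node.inputs:
        found.update(basic_events(child))
    return found


def rare_event_bound(node):
    """Rare-event approximation: the sum of the minimal cut set probabilities.
    It is an upper bound on the exact value (overlaps are double counted) and
    is close to it when every basic-event probability is small."""
    probs = basic_events(node)
    return sum(prod(probs[name] for name in cs) for cs in cut_sets(node))


def single_points_of_failure(node):
    """Basic events that alone cause the top event (cut sets of size one)."""
    return sorted(next(iter(cs)) for cs in cut_sets(node) if len(cs) == 1)


def build_example_tree():
    """Constructed fault tree for a hypothetical service (not from the paper).
    Top event: the service is unavailable."""
    return Gate("Service unavailable", "OR", [
        Gate("Total power loss", "AND", [
            Event("Grid supply lost", 0.05),
            Event("Generator fails to start", 0.10),
        ]),
        Gate("Both application servers down", "AND", [
            Event("App server 1 fails", 0.02),
            Event("App server 2 fails", 0.02),
        ]),
        Event("Shared database fails", 0.01),
    ])


if __name__ == "__main__":
    tree = build_example_tree()
    print(f"P(top event)     = {probability(tree):.6f}")
    print(f"rare-event bound = {rare_event_bound(tree):.6f}")
    for cs in cut_sets(tree):
        print("minimal cut set:", sorted(cs))
    print("single points of failure:", single_points_of_failure(tree))
```

The cut-set view is usually more useful to a reviewer than the single probability: it shows that the shared database is a single point of failure regardless of how unlikely its failure is judged to be, which is exactly the kind of interface risk the paper says becomes harder to see as an open system grows. The independence assumption is the main caveat; a common cause such as a shared power feed or a shared change window would make the AND gates far more likely than the product of their inputs suggests.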
