Risk number - same (calculated) number for acceptable & not acceptable risk, how to handle?

[Vetty007]

Hi everyone,

I have a question about how you assess a risk as acceptable or unacceptable and whether you do this by comparing it individually with your risk matrix or by using a calculated risk number (=severity x probability) as a limit. So far I have actually used an Excel list (formerly a software) in which I entered my values for severity and probability and by a formula (based on the given limit value or by the defined matrix in the software) the next cell automatically shows whether the risk is acceptable or not. To be honest, I unfortunately didn't question it any further and now it occurred to me, that one can have the same risk number, but according to the matrix (and the classification criteria behind it) the risk can sometimes be acceptable and sometimes unacceptable in a few cases. In this respect, I can't simply say that all risks above a value of e.g. 8 are no longer acceptable - also when giving acceptable/not acceptable in the riskanalysis manually, its easy to use and remember such number. Thus I think, there coulde be a misinterpretation for acceptable/not acceptable as well.

I have now considered using a factor for the values that do not allow a clear assignment, so that the calculation then produces a clear result. However, I am not an Excel expert and would have to see how I can selectively take these factors into account in the formula.

I would therefore be very interested, how you proceed in specifying acceptable and unacceptable in your risk analysis. Also are there already calculation factors available, that take this situation into account or, even better, is there an Excel template available, that already includes such formular? Before trying to create such formulas, I would prefer to buy something tried and tested.

I'm really looking forward to your experiences and thoughts and thank you very much in advance for sharing them

 

[Hi_Its_Matt]

It is definitely better to compare Severity and Probability combinations to the risk table directly, as opposed to using a numerical calculation and threshold. Comparing to the risk table directly, every unique combination of Severity and Probability is assigned it own Acceptable/Unacceptable classification, instead of that classification being based on a numerical value.

Let’s assume you have a simple 1-3 scale for both severity and probability (1 = low, 2 = medium, and 3 = high). If you were determining the risk level by multiplying the individual Severity and Probability ratings, then, as you note, you would end up with duplicate values. Severity of 1 x Probability of 3 = Risk of 3. Similarly, Severity of 3 x Probability of 1 also = Risk of 3. But these are completely different scenarios, and their acceptability may be different.

By using a lookup table, it’s easy to say S1 with P3 is acceptable, and S3 with P1 is unacceptable (or vice-versa).

You can implement this easily in excel with the index() and match() functions.

 

[Hi_Its_Matt]

I can't find a way to edit my previous response, but here is an excellent overview of how to use index() and match() together to create a lookup table.

How to use INDEX and MATCH

INDEX and MATCH is the most popular tool in Excel for performing more advanced lookups. This is because INDEX and MATCH are incredibly flexible – you can do horizontal and vertical lookups, 2-way lookups, left lookups, case-sensitive lookups, and even lookups based on multiple criteria. If you...

exceljet.net

 

[d_addams]

Matt's answer is the way to go. The issue with Vetty's original issue is the false assumption that risk classification is a quantitative process rather than a qualitative process. It feels like it is supposed to be quantitative because we often use numbers, but using say colors to differentiate various 'zones' of the risk matrix is a better way to stratify risk classes.

 

[Vetty007]

very much for your comments and suggestions , which are also going in a way, that I already use, but not for individual risks and rather for summarizing (count) all risks (or rather number combinations) before and after risk mitigation measures in the matrix. But until now I failed to define such a formular (taking into account these different conditions in one formular) after a single risk and showing acceptable/not acceptable with green/red color. But I will look, if chat GPT can help me with finding such a formular. I was just curious, how others handle this situation as I expect that not all use an IT-solution, that automatically rates the results after one had set the criteria

 

[DanMann]

If it helps, before I learnt about index and match, I set up a table with two columns - the first showed the combination of severity and probability (e.g. for a 3x3 table: 11, 12, 13, 21, 22, 23, 31, 32, 33) and the second column showed Acceptable or Unacceptable based on the risk matrix I had, then the formula was =VLOOKUP(X1&Y1,

,2,FALSE) where X1 = Severity and Y1 = Probability.

 

[Bev D]

As @d_addams said you are asking the wrong question.
The use of RPN or SXO 'numbers' has been debunked many times. It is fake math. Or as Dr. Wheeler called it "mathematical Jabberwocky".
The simple reason is that you cannot multiply ordinal numbers - it is a violation of mathematical rules. Your search for a formula will lead you down the wrong path. Stop looking for a mathematical answer to a logic problem requiring human thought. The classification matrix is a reasonable alternative as long as you are assigning the occurrence based on actual testing and not guessing.

You can read my take on this in "Statistical Alchemy" in the resources section here. OR you can - and should - read the following free articles:

Wheeler, Donald, “Problem with Risk Priority Numbers, More Mathematical Jabberwocky”, Quality Digest, June 2011. Problems With Risk Priority Numbers

Youssef, Nataly F. and Hyman, William A., “Analysis of Risk: Are Current Methods Theoretically Sound?
Applying risk assessment may not give manufacturers the answers they think they are getting”, Medical Device & Diagnostic Industry, October 2009
Analysis of Risk: Are Current Methods Theoretically Sound?

Flaig, John, “Rethinking Failure Mode and Effects Analysis”, Quality Digest, June 2015
Rethinking Failure Mode and Effects Analysis

Imran, Muhammad, “The Failure of Risk Management and How to Fix It”, Book Review, Journal of Strategy & Performance Management, 2(4), 2014 pp. 162-165
https://jspm.firstpromethean.com/documents/162-165.pdf

Crosby, David, “Words that Kill Quality and Spill Oil”, Quality Digest, July, 2010
Words That Kill Quality and Spill Oil

The following books are also great resources:

Hubbard, Douglas W., The Failure of Risk Management; Why It’s Broken and How to Fix It, John Wiley and Sons, 2009

Taleb, Nassim Nicholas, The Black Swan: The Impact of the Highly Improbable, Random House Trade Paperbacks, May 2010

 

[Tidge]

I want to add some tangential comments relating to the practice of risk assessment and acceptability for Medical Devices, but I want to quote the most important IMO part of @Bev D post above for positive reinforcement:

As The simple reason is that you cannot multiply to ordinal numbers - it is a violation of mathematical rules. Your search for a formula will lead you down the wrong path. Stop looking for a mathematical answer to a logic problem requiring human thought. The classification matrix is a reasonable alternative as long as you are assigning the occurrence based on actual testing and not guessing.

At best, an "RPN rating", whether flat one-dimensional rating (as in the case of a 'classic' FMEA) or multi-dimensional representation (like a matrix, as suggested, which is a more modern approach), should only be used to motivate risk controls in areas that are in greatest need for risk controls. In practice, for Medical Devices the current 'state-of-the-art' is two-fold:

• identify and reduce all risks, even those that (in a more classical approach) may have been determined to have been 'acceptable' (this preliminary assessment can occur before design inputs are created!)
• perform a benefit/risk analysis for all risks (*1)

It is unstated, but assumed, that in the case of the second bullet point this is the point at which a team is to revisit the lines of risk analysis that they otherwise would not have revisited if a preliminary risk analysis determined that the risks were acceptable because of some formulaic assessment done on day 1 of the project. Bluntly: This is where the critical thinking about how the medical device as designed really has risks under control.

(*1) There are different ways to do this, depending on the structure of the risk management file. Some groups restrict the use of the specific term 'benefit/risk analysis' for the highest level of the file (e.g. "Overall BRA", my intent is not to confuse this terminology with the necessary practice of being able to defend the analysis of individual risks and their implemented controls. Some folks do this at the FMEA level, which can be better than nothing, but FMEA are not an analysis of risks but failure modes.

 

[Ed Panek]

Some devices are more challenging than others. An X-ray machine detects cancer but also can cause cancer. The analysis must have determined the deaths or injuries prevented by the use of the X-ray device are substantially higher than the deaths and injuries caused. Id love to see how they determined the actual values for those numbers. How was that done practically?

 

[Bev D]

Some devices are more challenging than others. An X-ray machine detects cancer but also can cause cancer. The analysis must have determined the deaths or injuries prevented by the use of the X-ray device are substantially higher than the deaths and injuries caused. Id love to see how they determined the actual values for those numbers. How was that done practically?

It wasn’t done with RPN or SO or a SO matrix. It was done with real math. And logic, reason and science.