TW-REDI Reliability Forum (睿地可靠度論壇)

Title: Contents of Risk Analysis (ISO 31000:2009 + ISO 31010:2009)

Author: hlperng    Time: 2017-12-4 10:19:40

Last edited by hlperng on 2018-8-3 11:23

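The work of risk management comprises establishing the context, risk identification, risk analysis, risk evaluation, and risk treatment. Of these, risk identification, risk analysis and risk evaluation are together called the risk assessment process.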
Risk assessment is the overall process of risk identification, risk analysis and risk evaluation.  
[attach]1929[/attach]

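According to ISO 31000:2009, risk analysis is one of the tasks of risk assessment within the risk management process. The flow of the risk management process is shown in the figure below: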
[attach]1939[/attach]

ISO 31000:2009 (CNS 31000:2012)

5.4.3 Risk analysis

ISO 31000:2009

CNS 31000:2012

Risk analysis involves developing an understanding of the risk. Risk analysis provides an input to risk evaluation and to decisions on whether risks need to be treated, and on the most appropriate risk treatment strategies and methods. Risk analysis can also provide an input into making decisions where choices must be made and the options involve different types and levels of risk.
Risk analysis involves consideration of the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur. Factors that affect consequences and likelihood should be identified. Risk is analyzed by determining consequences and their likelihood, and other attributes of the risk. An event can have multiple consequences and can affect multiple objectives. Existing controls and their effectiveness and efficiency should also be taken into account.
The way in which consequences and likelihood are expressed and the way in which they are combined to determine a level of risk should reflect the type of risk, the information available and the purpose for which the risk assessment output is to be used. These should all be consistent with the risk criteria. It is also important to consider the interdependence of different risks and their sources.
The confidence in determination of the level of risk and its sensitivity to preconditions and assumptions should be considered in the analysis, and communicated effectively to decision makers and, as appropriate, other stakeholders. Factors such as divergence of opinion among experts, uncertainty, availability, quality, quantity and ongoing relevance of information, or limitations on modelling should be stated and can be highlighted.
Risk analysis can be undertaken with varying degrees of detail, depending on the risk, the purpose of the analysis, and the information, data and resources available. Analysis can be qualitative, semi-quantitative or quantitative, or a combination of these, depending on the circumstances.
Consequences and their likelihood can be determined by modelling the outcomes of an event or set of events, or by extrapolation from experimental studies or from available data. Consequences can be expressed in terms of tangible and intangible impacts. In some cases, more than one numerical value or descriptor is required to specify consequences and their likelihood for different times, places, groups or situations.



ISO 31010:2009, Risk management - Risk assessment techniques
5 Risk assessment process
5.1 General
5.2 Risk identification
5.3 Risk analysis
5.3.1 General

ISO 31000:2009

CNS 31000:2012

Risk analysis is about developing an understanding of the risk. It provides an input to risk assessment and to decisions about whether risks need to be treated and about the most appropriate treatment strategies and methods.
Risk analysis consists of determining the consequences and their probabilities for identified risk events, taking into account the presence (or not) and the effectiveness of any existing controls. The consequences and their probabilities are then combined to determine a level of risk.
Risk analysis involves consideration of the causes and sources of risk, their consequences and the probability that those consequences can occur. Factors that affect consequences and probability should be identified. An event can have multiple consequences and can affect multiple objectives. Existing risk controls and their effectiveness should be taken into account. Various methods for these analyses are described in Annex B. More than one technique may be required for complex applications.
Risk analysis normally includes an estimation of the range of potential consequences that might arise from an event, situation or circumstance, and their associated probabilities, in order to measure the level of risk. However, in some instances, such as where the consequences are likely to be insignificant, or the probability is expected to be extremely low, a single parameter estimate may be sufficient for a decision to be made.
In some circumstances, a consequence can occur as a result of a range of different events or conditions, or where the specific event is not identified. In this case, the focus of risk assessment is on analysing the importance and vulnerability of components of the system with a view to defining treatments which relate to levels of protection or recovery strategies.
Methods used in analysing risks can be qualitative, semi-quantitative or quantitative. The degree of detail required will depend upon the particular application, the availability of reliable data and the decision-making needs of the organization. Some methods and the degree of detail of the analysis may be prescribed by legislation.
Qualitative assessment defines consequence, probability and level of risk by significance levels such as "high", "medium" and "low", may combine consequence and probability, and evaluates the resultant level of risk against qualitative criteria.
Semi-quantitative methods use numerical rating scales for consequence and probability and combine them to produce a level of risk using a formula. Scales may be linear or logarithmic, or have some other relationship; formulae used can also vary.
Quantitative analysis estimates practical values for consequences and their probabilities, and produces values of the level of risk in specific units defined when developing the context. Full quantitative analysis may not always be possible or desirable due to insufficient information about the system or activity being analysed, lack of data, influence of human factors, etc. or because the effort of quantitative analysis is not warranted or required. In such circumstances, a comparative semi-quantitative or qualitative ranking of risks by specialists, knowledgeable in their respective field, may still be effective.
In cases where the analysis is qualitative, there should be a clear explanation of all the terms employed and the basis for all criteria should be recorded.
Even where full quantification has been carried out, it needs to be recognized that the levels of risk calculated are estimates. Care should be taken to ensure that they are not attributed a level of accuracy and precision inconsistent with the accuracy of the data and methods employed.
Levels of risk should be expressed in the most suitable terms for that type of risk and in a form that aids risk evaluation. In some instances, the magnitude of a risk can be expressed as a probability distribution over a range of consequences.


5.3.2 Control assessment
5.3.3 Consequence analysis
5.3.4 Likelihood analysis and probability estimation
5.3.5 Preliminary analysis
5.3.6 Uncertainties and sensitivities
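
Added example (not part of the original post or of the ISO text): the semi-quantitative passage in 5.3.1 says rating scales may be linear or logarithmic and that formulae vary; this sketch shows the same 1-5 ratings ranking differently under each reading. The register entries, the scale anchors and the treatment of control effectiveness as a multiplier are all assumptions made for illustration.

```python
# Added illustration; rating anchors, formulas and register entries are
# assumptions, not values taken from ISO 31000 or ISO 31010.

# Constructed register: name, likelihood rating (1-5), consequence rating (1-5),
# effectiveness of existing controls (0.0 = none, 1.0 = fully effective).
REGISTER = [
    ("frequent minor outage",      5, 1, 0.5),
    ("occasional moderate breach", 2, 3, 0.0),
    ("rare catastrophic loss",     1, 5, 0.0),
]


def linear_level(likelihood, consequence, control_eff):
    """Ratings read as linear quantities: level = L x C, reduced by controls."""
    return likelihood * consequence * (1.0 - control_eff)


def log_level(likelihood, consequence, control_eff):
    """Ratings read as orders of magnitude (assumed anchors):
    likelihood r  -> 10**(r-5) events per year (5 = yearly)
    consequence r -> 10**(r+2) currency units  (1 = 1,000)
    level = expected annual loss = 10**(L + C - 3), reduced by controls."""
    return 10.0 ** (likelihood + consequence - 3) * (1.0 - control_eff)


def rank(register, level_fn):
    """Return risk names ordered from highest to lowest level."""
    scored = [(level_fn(l, c, eff), name) for name, l, c, eff in register]
    return [name for _, name in sorted(scored, reverse=True)]


if __name__ == "__main__":
    for label, fn in (("linear", linear_level), ("logarithmic", log_level)):
        print(label)
        for name, l, c, eff in REGISTER:
            print(f"  {name:28s} level = {fn(l, c, eff):g}")
        print("  ranking:", " > ".join(rank(REGISTER, fn)))
```

The breach is the top risk when ratings are multiplied as linear values and the lowest when the same ratings are read as orders of magnitude, which is why the scale convention and formula should be recorded with the risk criteria.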