Risk communication

What is risk communication

Risk communication is a specialised branch within the communication framework. It stems from the conflict between experts and lay people. Opposite of crisis communication, risk communication has a long-term preventive perspective and aims to make organisations more resilient to future risks/crisis. This could involve some form communication of unwanted events or loss in the future internally, as well as externally in the organisation. 

Internal/external communication


A) Can be communicated vertically and horizontally.
B) Can be communicated from employees and up from the management and down.
B) Effects the culture in the organisation in relation with the impact on existing culture consider the following: Suitable for the message “top-down” Communication. Few and simple messages. Examine the effect of the message. Consider involving employees before the campaign runs. Clarify employee’s perception of the case before   


1 – Reassure or warn.
2 – Dialogue is important – A risk should never stand alone.
3 – It’s not always enough to comply with the requirements of the law, especially not with the influence of the media including social media 

Pros and cons of involving stakeholders:  


  1. Larger and more nuanced basis for risk assessment.
  2. Increased confidence.
  3. Greater acceptance of the final result.


  1. Time consuming.
  2. Can be cumbersome  

Different types of risk communication

Care communication

Care Communication is about how your organisation should handle risks which are backed by scientific research and generally accepted by the public. This type of communication should be performed before an event occurs. 

Consensus communication

This is type of risk communication where you inform and encourage groups to work together to reach a decision on how risk should be managed (usually whether to prevent or mitigate). 

Here is an example of when internal communication should occur between departments in an organisation. 

  1. A crane accident at a construction site leads to management writing a recommendation to 3 different departments: Health and safety, HR and Operations.
  2. Management writes as follows: These crane accidents WILL have to be avoided in the future! Please find or make an action plan as to how we can eliminate these problems and have it ready by the end of the month!
  3. And it continues from here…  

Crisis communication

This is a communication method related to extern suddenly occurred events. The typically events would be earthquakes, outbreaks/pandemics or otherwise severe influences from nature.  

Why we are not very good at risk assessment


People, or at least most people, are not objective in their decision making. We rely on our intuition to make decisions easier for us. Emotion, is one bias we rely on to make decisions easier. Past experience, is another. Intuition is not a bad thing, it has enabled us to survive on this world for a long time, arguably. But then it comes to making decisions regarding safety of others or assessing risk situations, using our intuition and the biases that follow, is not always a good thing. Let me explain…

But first a shoutout to the inspiration, and source, for this post; Marie Helweg-Larsen, a professor of psychology at Dickinson College. I saw Marie’s talk and presentation at the annual risk management conference held by IDA, the Danish Society for Engineers. That talk inspired me to make this post, where I give my perspective on the subjects Marie presented.

How do we assess risk?

… And why is it important to understand?

I assess risk in order to help people do their job as safe as possible. But thats just one way I assess risk. In my personal life I also make risk assessments, rather frequent actually. But it is not exactly to help myself do my job as safe as possible, I have a desk job, so there is not much risk, at least not physical risk. No… I assess my risk according to health, my distant future, my not so distant future, etc… because risk assessments matter in terms of changing my mind, at least to some degree.

It is important to understand how people assess their risk if you want to change their mind about something. Thinking you are not at risk, based on your own assessment, makes you behave as if you are not at risk. If then, I want to change your mind regarding your safety, I have to understand why you feel safe (not at risk) and make my own risk assessment, present the results to you, and hopefully change your mind, at least to some degree.

This is difficult. Just look at Anti-Vaccination and Anti-Mask movements in current times. Historically it has difficult too… just look at seatbelts and when they were first introduced. Smoking is another great example, and one Marie uses in her arguments as well. It is hard to persuade people to change their ways and change the way they assess their risks. But why?

Why are we not good at assessing risk?

Marie argues that this comes down to, at least, five biases.

  1. Optimistic bias
  2. Confirmation bias
  3. Affect bias
  4. Base rate fallacy
  5. Overconfidence bias

Allow me to explain…

1. Optimistic bias – the rose coloured glasses

People, or individuals, have a tendency to believe they are less at risk than other people doing the same thing or during the same scenario for example. If we use smokers as an example… All smokers, that smoke 15-20 cigarets a day, are more or less equally at risk to various diseases in their later life. But when asked to rate their own risk, they rate themselves as lower than others. This is because we tend to focus more in the optimistic results or data, when making decisions for ourselves, then we do the “negative” results. Now, why this is the case is beyond my understanding of the psychological science field, therefore I suggest reading some Marie’s research (linked in the Sources).

2. Confirmation bias

We tend to search for information that support our own view or opinion. This is perhaps the most well known bias, not only when dealing with risk, but in general. A lot of research has been done on this tendency. Researchers make a great deal of not doing this when writing papers, but they are not always equally successful.
Now, biased information leads to biased interpretation. This means we can interpret some risk as more substantial than others, when we have found more information on one than another.

An example Marie gave in her speech was that: women are worse drivers than men. But, men choose to only acknowledge when women drive bad, and overlook when other men drive bad. This is the essence of confirmation bias. We overlook certain data or information in order to support our own opinion. Whether or not women are worse drivers than men, I will not discuss…

Marie argued that: Social media is a recent amplifier of this bias. Due to “the algorithm”, people see more of the same stuff online in their social media group. They are not exposed to the other side as much. Another amplifier to this is individuals tendency to be very persuaded by groups. I won’t go deeper into this right now, as I am not familiar with the specifics.

3. Affect heuristic

A mental shortcut thet rely on emotions.

Sometimes we rely on our emotions to make certain decisions easier. When facing a hard decision I can be easier to rely on emotions than data. If we don’t have the mental energy or mental surplus to look at all the data and analyse it, then make a decision based on facts and reliable information, it is much easier to rely on one emotions to make a decision. This works decently well in private and in ones personal life. But in a professional setting where other peoples health, and in worst case life, may depend on your decision, you should not rely on your emotion. Instead you should probably rely on data and information gathered by experts or others in a similar situation.

Worries and fears increase perceived risk and vice-versa.

4. Base rate fallacy

We rely, a lot, on our previous experiences when assessing risk. Therefore a risk we have encountered more is perceived as greater. Relying on previous experience is not a bad thing to do. It is arguably the reason humans still exist on this planet. Because we learn from bad decisions, or most of us do anyway… It is what makes us able to adapt and survive.

We kind of covered this in our Subjective risk perception post and why it is bad when assessing risk.

But when dealing with risk previous experience are both good and bad. You have experienced risky scenarios for a reason, what that reason is, is the important question. If you have experience with software update failures and resulting data corruption, you are probably cautions when updating now. But the question of why you experienced failure is an important one. Maybe you didn’t do your preparations well enough (i.e., you slacked off when assessing the risks) or maybe you didn’t do a back-up and now the consequence is perceived as A LOT greater then if you had a back-up?

We should learn from our mistakes, to prevent us from risk scenarios on the future. But we should not make risk assessment based on mistakes that can be avoided and which we should have learned from.

5. Overconfidence bias

We tend to ignore experts and act as experts. The essence of this bias is the Dunning-Krueger Effect which many probably know. The tendency of people with low ability at a task to overestimate their own ability at that task. Whether or nor many people do this in terms of risk assessment I don’t know. Marie argued that it is a problem, and I tend to believe her research. But I have no experience with this bias myself, yet.

I suggest reading about the Dunning-Krueger Effect to learn more.

There is more…

Another reason people are not very good at risk assessments is because of mathematics and numbers. Most people understand math at a basic level, plus, minus, addition, and division. But not many people understand the math behind probability and statistics. This is another reason for relying on the above mentioned biases. We simply cannot always grasp the mathematics of risk assessments and probability of risk scenarios. Of course this is not true of everyone… But it is true for most people who are not studying, or have not studied, math to some degree. I myself, had to take a statistical mathematics course during my education to become a risk manager, and to be perfectly honest… I don’t fully understand probability math either…


What can we do then?

Can we do anything to combat these tendencies? Or are we S**t out of luck?… Of course we can do something!

We can start with accepting that we are biased by nature. When we know our own bias we are much more capable of dealing with it and not be affected as much by it. This, naturally, starts with a lot of self-awareness and getting to know one self. But when that is done or in process, you should start seeing results.

Another thing we can do is trust data and experts. If risk assessments are important to us, we should seek out valid information on the subject. Combine your experiences with data and statistics instead of just using one variable to make decisions.

Then we should Dial down risk estimations. As mentioned numbers are not very effective to most people. Therefore we should use more gist-based estimations or figure out what works in our specific organisations or situations.

Last but not least we should just do the right thing.

In conclusion

Bias has a tendency do make people do dumb things. We tend to focus too much on the optimistic data or results when making decisions for our self. We tend to search for informations that supports our opinion. We tend to be ruled by our emotions. We don’t believe experts and act as experts our selves. And we overestimate our own abilities when doing task where we have almost no abilities. To overcome these biases we have to gain self-awareness and acknowledge our biased views. We should believe experts and statistical data. We should dial down number based risk estimations and use gist-based estimations to change peoples mind. And we should always do the right thing.

That is all from me at this time. Feel free to comment on this post if you have questions or just want to express your opinion.


Marie’s research: https://helweglarsen.socialpsychology.org/publications.

Dunning-Krueger Effect: https://en.wikipedia.org/wiki/Dunning–Kruger_effect.

Seatbelts: https://www.wpr.org/surprisingly-controversial-history-seat-belts.

Risk governance

What is risk governance

Risk governance is not so much a tool as it is a way of handling risk in general. It is a systematic process to identify, rate, control and economically assess risk in an organisation. By making a risk profile for the organisation it is possible to achieve effective risk governance. Risk profiling is the act of establishing what acceptable risk is to the organisation, whether risk is evaluated in terms of money, reputation or damage. A risk profiling should be made in advance of risk governance. It, as all other risk tools, serve as a cost saving mechanism if done correctly, as well as a time saving mechanism.  

It involves five phases/elements: Risk identification, risk description, risk evaluation/assessment, risk strategy & risk reporting.

Risk identification

– What we know from previous encounters. This is where the organisation will look at what has happened to them before or try to identify risks that they have not encountered yet. It is usually performed either by being proactive or reactive. 

  1. The proactive method is where you try to imagine risk you are vulnerable to. By analysing risk factors and performing a likelihood evaluation.
  2. The reactive method is where you analyse previously encountered risk scenarios and register them according to organisations specific variables. By looking at previous events and evaluating them, you in time learn how to manage these risks so they are not as likely. 

Using both these methods will probably yield the best result. But it can be hard to successfully imagine risk, so we recommend at least being reactive, and then when there are enough registered events (hopefully not) then try to imagine what else can happen. It is also a good idea to perform brainstorm sessions at regular intervals with engineers, risk managers and financial managers to at least try and see if there are any future risk scenarios you should be aware of. This process can be done with the previously described risk tools: Brainstorming and Scenario risk analysis 

Risk description

– This is the phase where you establish a common view of risks. 

  1. Here you should establish what you, as an organisation, see as risks. To create common ground for how a risk is perceived and experienced.
  2. This is important to do, because if the organisation doesn’t have a common risk perception then it’s hard to learn from a previous event. There will always be someone who see a risk that someone else doesn’t see. 

Risk evaluation/assessment

– This is the phase where the risk is evaluated/assessed.

  1. Risk is evaluated and rated according to the organisations risk profile to determine which risk are acceptable and which are not.
  2. This is also the phase where the organisation would re-evaluate their risk profile if necessary. In the risk evaluation/assessment phase you evaluate risk according to: Likelihood & Consequence.
  3. This should result in a vulnerability analysis which is a ranking of one’s vulnerabilities.

Risk strategy

– How should the organisation handle risks? 

  1. In this phase a strategy for risk management is chosen based on the previous evaluation of the organisation’s vulnerabilities. This can be done with a Risk Matrix where you place risk in their respective “fields” in the matrix (green, yellow, red) according to their likelihood and consequence. Then you make a plan for handling those risk starting with the red ones or the ones that are most likely and has the highest consequence. 
  2. This is where some risks are either accepted or deemed unacceptable. Is deemed unacceptable, then a plan should be implemented to remove that risk or at least lower its likelihood and/or consequence. 
  3. Ideally every risk is removed, but that is not realistic. The goal here should be to lower every risk as much as possible while still being able to run your company. That is why evaluation is important. In some areas of operation some risks are acceptable even though they are rated as catastrophic e.g. In nuclear energy power plants. The risk of a meltdown is accepted but the risk is managed by safety procedures, and other mitigative barriers. 

Risk reporting

– documentation/evaluation. 

  1. The last phase in this risk governance “tool”. This is where you report your findings to the corporation, and an evaluation is made on the whole thing. 

Why is it a good idea to do risk governance? 

First of all, it is nice to know how likely your organisation is of being “hit” by a specific risk. Because then you can manage it! Secondly it saves the organisation a lot of money both in terms of equipment but also in terms of reputation. You gain branding opportunities by being able to say what a safe company you are. You lessen the fear of accident among workers and therefore maintain a human gain, instead of having workers who are scared of coming to work.


  1. IRGC is a good place to start. Their explanation can be found here.
  2. Another IRGC article about the framework for risk governance can be found here.
  3. CIO Wiki, is also a good place to get an overview. See it here.
  4. ScienceDirect is another great place to look. This is aimed at the IT sector. https://www.sciencedirect.com/topics/computer-science/risk-governance.

Subjective risk perception

Back in week 46 we briefly went over how subjective risk perception could affect collaboration between organisations. As promised we will delve further into why that is in this blogpost. Let us give you a short recap…

The Theory

Subjective risk perception (Paul Slovic, Baruch Fischhoff & Sarah Lichtenstein) can be defined as; an individuals method of understanding or making sense of risks.

But, individuals don’t necessarily always have access to statistical data regarding risks. Therefore they base their conclusion, regarding a risk, on other factores, such as:

  • Availability – we rate a risk according to the information we have about it.
  • Overconfidence – we see our self as “better” than others in various situations where risk is present (driving a car).
  • “It won’t happen to me” – we have a tendency to think things don’t happen to us.

This heuristic way of dealing with risk has its advantages and disadvantages. Heuristic thinking in regard to risk, often lead to bias. Bias can lead to inaccurate risk assessments. Therefore you should always be aware of risk bias and perception when working with risk management!

To gain a better understanding of this theory I suggest reading the material linked in the end of this blog.

1 Effects on cooperation

When two or more organisations are working together on a project they have work with a set of rules, call it common ground. When you have gained common ground everyone on the project knows what to do and what not to do (at least in theory). The issue arises when one organisation either has their own agenda or in some other way seek to gain control of the common ground. By doing this (consciously or unconsciously) the cooperation is skewed towards their interests. This also happens when dealing with risk.

This is why risk bias is especially important to understand!

1.1 Risk bias

Risk bias is essentially risk management decisions made from a personal set of empirical data, instead of a common or well known set. For example: If the owner of an IT project previously experienced a certain event that caused his servers to shut down due to some error while updating a large system of PC’s–effectively erasing a lot of data. This project owner is probably biased towards this specific risk whenever another update comes along. This is a rather harmless bias of course, but this example can be translated to every other project whether its in the construction sector, Off-Shore sector, etc.

For the project manager, and all other decision maker on the project, this means that they have to be very careful when communication risk and when managing risk. Otherwise a lot of resources will be used to mitigate (lower) the wrong risk and a risk that has very harmful potential might get overlooked!

1.2 How to handle risk bias

Quick disclaimer… We do not have the explicit answers to every risk bias scenario. But in our experience and from what we have gathered from interviews one of the best methods is as follows.

1.1.1 Communication

Frequent, respective and precise communications between the consulting organisation and the project organisation is key to healthy cooperation. This is especially true when talking about risk and subjective risk perception. If both organisations are on the same page regarding risk analysis and risk management, the chance of failure to recognise each others problems and therefore overlooking a potentially harmful risk, is lowered a significant amount. Thats is at least what we have found when interviewing project managers.

To put this into practice… Communicate with your stakeholders and other cooperative partners. Try to understand why you think they are biased towards risk (if that is the case), or why they have a specific perception on risk. This of course works both ways.

Communication creates understanding and understanding means better cooperation.

2 Technical risk assessment

A well known factor when working in risk management is the reliance on technical data and expert engineers or the like, when making risk assessments. This could be called an industry bias, but thats not important.

Relying on technical data and experts is not a problem if the project is purely technical. Unfortunately project seldom are and this is where some issues arise.
One issue with relying on experts and technical data is the ability to think outside the box. Again… we are bias to view risk based on our knowledge and expertise. The human error part of the risk evaluation is therefore not part of the equation. You can have all the data in the world and make the most detail risk description of a system or a specific task, but if you forget to calculate the human factor into this risk description, you are prone to failure.

You need to have some people on the risk assessment team who are not experts, who work in “the field” or at least knows what it is like to work there. These people usually bring some creative thinking to the risk assessments and thereby you gain a whole other understanding of risk scenarios where the human factors are present in the equation. Just like an unmanned aircraft can’t, yet, be relied upon to transfer cargo or passengers. The technology is here and has been for some time, but human intuition (pilot intuition) is just so crucial if a problem arises, that we do not yet trust these systems.

2.1 Diverse group of people

One possible solutions to the technical risk assessment problem is the use of a diverse group of people when doing risk identification. A diverse group of people allow for, 1) creativity from the creatives, the non experts and 2) a highly accurate assessment on whether or not they are too creative or if their risk scenarios are even possible from a technical standpoint, the experts. By doing this you gain common ground throughout the whole project, from project owners, project managers and engineers to the people in the field. Nobody feels left out.

2.1.1 In practice

In practice one way this could work is with a statistical theory called the Law of Large Numbers. The more numbers you have as datapoints the more accurate an average you will get.

This works with risk management as follows:

  1. You have a team of diverse people (as many as possible).
  2. They are presented with risk (you could also have them brainstorm risk scenarios themselves in the beginning).
  3. They are then asked to rate these risks in both likelihood and consequence, with a minimum and a maximum value (from 1-10 or 1-5, just be realistic).
  4. When all values are gathered you can then make an average for every risk.

This is called the successiv principle and this method works according to one project manager that we interviewed (we suggest further reading of this principle) as we do not have experience with this.

This methode in some way eliminates both risk bias and the negative effects of subjective risk perception. Of course more work should be done to completely eliminate these factors, but you have to start somewhere.


We talked about subjective risk perception theory, and risk bias. How to handle the possible problems it causes, with communication and understanding and with the successive principle. We discussed technical risk assessments and their downsides, as wells a a methode to avoid the downsides of this, again using the successive principle or just by gathering a diverse group of people when doing risk identification and risk management.

We hope you found this rather long read useful. If you have any questions, feel free to comment on this post down below and we will answer as soon as possible.


1 – Risk Perception theory, can be found here.
2 – Further reading on the successive principle, can be found here.

SWOT analysis

What is a SWOT analysis

Most, if not all, project managers know what a SWOT Analysis is. If not, they are probably not doing their best job of being a PM. A SWOT analysis is an acronym for analysis of Strengths, Weaknesses, Opportunities and Threats. With a SWOT analysis you analyse your organisation both Internally and Externally. We usually set this up in a handy two by two table, each axis will have a one label for one column or row, and another label for the other column or row. One axis will have the labels “Helpful” and “Harmful” while the other has the labels “External Origin” and “Internal Origin”

Example of a SWOT table

How to Conduct a SWOT Analysis

First, assemble your dream team. Then, take a look at the internal factors that affect your business or project. Do you have an exceptionally dedicated team? Do you lack the finances to achieve the success you’re looking for? These internal factors, positive and negative, will become your business’s strengths and weaknesses.

Next, examine the external factors that affect your business. Is there a need for your product in the market? Are there competing businesses that offer a better product? These positive factors are your opportunities while the negative ones are your threats. 

Examine every possible factor and don’t be afraid to poll your employees. They may see factors you don’t. 

As a risk tool

In order to determine risk factors with a SWOT analysis you kind of use it the same way. First figure out the internals: What strengths do you have? Is it a great safety policy or a great risk manager? What are your weaknesses? Does the company policy disappoint in the safety department? Are some employees not following SOP’s or other safety regulations? What is helpful and what is harmful to your project and the workers?

The external factors are then not directly related to opportunities or threats. But you can still analyse external factors based on whether they are helpful or harmful.

As with the above examples; use your employees! They are the ones doing the bulk of the work so listen to their expertise. They may surprise you with their knowledge. 


  1. Wikipedia is a great place to start: https://en.wikipedia.org/wiki/SWOT_analysis. 
  2. This page is also a great source: https://www.wordstream.com/blog/ws/2017/12/20/swot-analysis

Bow-Tie Diagram

What is a bow-tie analysis? 

Bow-tie diagram is a qualitative visual risk analysis tool, that can be used to communicate and analyse risk scenarios. To use the bow-tie, you first start with visually analysing plausible incident scenarios that could exist around a certain hazard. Second the bow-tie represent what an organisation does to control those scenarios by identifying safety barriers. Barriers are then divided into 2 groups; Prevention and Mitigation. Preventive barriers are placed on the left of the top event and Mitigation barriers on the right.  

How do we use a Bow-Tie Diagram? 

In the bow-tie diagram you have a hazard, which creates the top event. On the left side of the diagram, the threats are placed. Threats are those events that ‘’can’’ happen. How do we prevent them? The answer is barriers. Barriers has the function to prevent, control and mitigate treats or consequences. Now we talked about what could happen, and how to prevent it. But what if it happens, and the barriers does not prevent the threat. If you look at the diagram, you will see consequences on the right side of the diagram. Consequences is those events that happen, if the selected barriers are not durable.  

All the different bow-tie specific elements are described in detail below, followed by a diagram as an example: 

Hazard – The ‘hazard’ is an operation, activity or material with the potential to cause harm. Hazards are part of normal business and are often unavoidable. Some may even be necessary to run an operation (e.g., flammable gas). Some examples of hazards are toxic materials (e.g. paints and solvents) high pressure gases (e.g. oxygen, propane, acetylene) radioactive materials (e.g. NORM)  

The “top event” – The top event is the moment when control over the hazard or its containment is lost, releasing its harmful potential. It represents the turning point in the risk analysis, separating prevention from mitigation. This is visually represented in the bow tie diagram by the central ‘knot’ — hence the bow tie analogy. Even though it is undesirable for the top event to occur, there may still be time for barriers to act to stop or limit the consequences. The term top event derives from another type of risk analysis called fault tree analysis, which has similarities with the left side of the bow tie model.

Consequences (bow-tie) – Consequences are unwanted outcomes that could result from the top event and lead to damage or harm. Consequences can be described in terms of safety, environment, asset / property damage, and reputational losses, although the scope of the analysis will determine this. A single top event usually has multiple consequences although typically only the most significant consequences (in terms of quantifiable loss) are included in the analysis.

Threats – Threats are potential reasons for loss of control of the hazard leading to the top event. For each top event there are normally multiple threats placed on the left side of the diagram. Threats have some of the same characteristics as both hazards and barrier failures (fx. having the potential to cause harm) but they are defined separately in the context of bow tie analysis.

Barriers – Barriers are physical or non-physical measures to prevent or mitigate unwanted events. They are the ‘meat on the bones’ of the Bow Tie diagram. Barriers are so-called because each has the capability on its own to interrupt a sequence of events. 
A barrier is placed on the bow tie diagram where it delivers its function or effect; either prevention (threat side) or mitigation (consequence side). Prevention barriers prevent the top event from occurring. Mitigation barriers are employed after the top event has occurred to help prevent or reduce losses and to regain control once it has been lost. 

Degradation factors – The degradation factor is a condition that can reduce the effectiveness of the barrier to which it is attached. A degradation factor does not directly cause a top event or consequence, but since it degrades a barrier on a main pathway, the likelihood of reaching undesired consequences will be higher. A degradation factor can apply to barriers on either side of the bow tie diagram. Degradation factors are sometimes referred to as escalation factors, i.e., Lack of/poor training which makes people unable to activate barriers correctly. 

Degradation controls – Degradation controls do not directly prevent or mitigate the sequence of events, as that is the role of the main pathway barriers. Degradation controls provide greater confidence that the barrier will do its job effectively. Degradation controls are frequently human and organisational factors concerned with the management of risk and barrier assurance (fx. competence, scheduled maintenance). 

Below is an example of a simple bow-tie diagram. In the sources there is a link to the specific software used to make this bow-tie.

An example of a very simple bow-tie diagram.


  1. CGE Risk, the wikipedia for risk management, has a great article explaining, in great detail, the bow-tie method. Check it out here.
  2. The software can be found here.

Capacity assessment

What is a capacity assessment

A capacity analysis is, as the name implies, an analysis of one’s capacities. Specifically, one’s capacity to handle risk and “disasters”. A capacity analysis Is usually made of 2 elements: Before an accident and after an accident, or preventive and reactive. It is a holistic view of your company’s risk prevention and disaster reaction plans/policies. 

Preventive: is what measures one has to possibly prevent a disaster, it could be; Company policies, safety regulations, PPE for workers, etc. 

Reactive: is what measure one has to react to an accident, it could be; Fire extinguishers, contingency plans, local deals with other companies (example will be given later), etc. 

A capacity analysis should be based on the previously made Scenario risk analysis and Risk Matrices your company have made. That makes it possible to more precisely decide where capacity is lacking and where theres need for be better risk managing.

How to use it

There is no “right” way to make a capacity analysis. It is something you have to figure out in your organisation. Do you have the capacity to handle the risks you face during everyday operation? How do you get that? Sometimes just asking the right questions can have a huge impact! 

Some of those questions might be: 

What does the law say? – Are you required by law to specific risk managing procedures?

What does the company policy say? – Does the company have any policies on the area of risk management? If not, go back and look at the law where the company is placed. Now, should they have policies on risk management?

Does your company offer education to workers on how to handle an accident? – First aid, fire training, SOP’s etc.

Do you perform drills with your employees?

Are you equipped with tools to help you react faster to an accident? – Fire alarms, smoke alarms, sprinklers etc.

Tips and tricks: 

  1. If possible, make a deal with other companies to help out in case you face disaster/catastrophe. 
    • Say you’re your crane falls over, then a predetermined deal might save you valuable time and a lot of money. An example of this( almost): The Danish highway Police, have a deal with different companies who does vehicle removal. So, in very little time they can have an accident on the road cleaned up. Where it used to sometime take hours, now they can be on their way in 20-30 minutes (depending on the accident of course).  
  2. Put everything in a chart/diagram and write down details.  
  3. Debrief your employees after an accident and make sure your employees have access to psychological help. 


  1. The Danish Emergency Management Agency (DEMA) has a rather long and detailed document describing capacity assessment. It is unfortunately only in danish… See it here
  2. Working on international source… 

The wonderful risk matrix

What is a Risk Matrix, and how do we use it?

A Risk Matrix is a tool used to rate a risk according to likelihood and consequence/impact. Your organisation have to identify what the specific impact means to them and when a risk is likely to happen. This tool is used in association with a Scenario Analysis and usually you make to different Risk Matrices; one before mitigative measures and one after mitigative measures.

A likelihood scale will most times look like this: 1) highly unlikely, 2) Unlikely, 3) Possible, 4) Likely and 5) Very likely. With this likelihood scale your organisation must define, according to your operational standards, what each step means. It is often measured and defined by frequency in which an accident or emergency is present but, it can also be defined by chance or quantitatively by percentages e.g., probability.

A Consequence/Impact scale is very similar to the likelihood scale, except it is measured in impact. Impact in this case, once again, have to be defined by the individual organisation. Some of the impact or consequence descriptors could be: People, Information, Reputation, Economic etc. Each descriptor then has 5 different levels of severity as given in the example below. But you can, and should, of course define you own according to the specific risk scenario.

An example will be given: 

An example of a risk matrix created for travel safety – before ane mitigative measures.

The risk matrix is divided into colours REDYELLOW and GREEN which depicts the level of seriousness the threat poses. A red risk is clearly bad and should never be allowed to remain. A yellow risk is a bit more nuanced; this can be divided into top yellow, middle yellow and bottom yellow.

— The top part of the yellow area (consequence 4) needs a more detailed assessment of other factors such as; people and their skills. Have they worked on this type of project before, are there any new guys? Then conditions such as weather. Are there optimal conditions to perform these tasks if not, then maybe you should wait. Try doing a more detailed Scenario Analysis at this point, maybe do multiple, whit different factors turned up or down.

— The middle part of the yellow (consequence 3) is not as serious but still needs assessments. These are still serious threats to whatever descriptor you decide to put there, and therefore still needs significant work in order to reduce.

— The bottom part of the yellow (consequence 1 & 2) is somewhat safe to have further along in the project but beware of the high likelihood! The consequence of these risks is rated as fairly low and therefore don’t necessarily need significant work.

All of this is to say that: RED boxes is very bad and should be handled immediately! But YELLOW boxes are also bad and should in most cases be where the bulk of the mitigative measures are placed. But it can, with the right assessments, be acceptable. GREEN should be the main goal for every risk scenario, but that is often not a realistic accomplishment. And again, beware of top green.


  1. Risk manager Julian Talbot has a great article about using a risk matrix.
  2. He also has an article stating what is right with Risk Matrices.
  3. The Danish Emergency Management Agency also did some great work on risk matrices in their Handbook for Risk Based Dimensioning in Danish municipalities (Danish only!).
  4. Furthermore CGE Risk has a great Wiki-like page on Risk Matrices.

Where is my Bulldozer?!

From PMI.org: Have you seen my bulldozer? – Why integrating the execution of risk and quality processes are critical for a project! 


This case study – which is said to be true – is about a project manager, hired by a mining company to build a 3-mile road to the mining site. Upon completing the first 1.3 miles, stage 1, the company wants to celebrate and “officially” open the road but not with a scissors and ribbon, but with bulldozer and ribbon.  

The Bulldozer drives through the ribbon breaking grounds for stage 2, but to the project managers surprise, she hears her colleagues yell “The dozer is sinking?!, The dozer is sinking!” within six minutes of the dozer driving through the ribbon on to new ground, it has sunk out of sight… 

Now some questions have to be answered: 

  1. What happened to the bulldozer, and how do we retrieve it? 
  2. How did this happen?
  3. How could this have been avoided? 
  4. How can we mitigate the impact on the project? 

Now according to the case study, these questions were answered by the project manager, but a valuable exercise in risk management is reflection and creativity when it comes to both discussing previous scenarios and possible risk scenarios. Therefore, the first exercise in this case study is to discuss these 4 questions. Take note of the answers generated as they might be useful later (and might be just the same as the real case answers). 

Now for the answers to question 1 and 2. 

1) What happened to the bulldozer, and how do we retrieve it? 

It drove onto an unidentified/unmarked muskeg pocket (bog/quicksand). The crust covering the pocket cracked under the weight of the dozer, and it sank into the pocket, completely out of sight. A few different methods were attempted to retrieve the dozer, which was 50% self-insured by the company:  

  1. Sonar was attempted, but could not pinpoint the location of the dozer given all the other solid objects in the muskeg pocket. 
  2. Drag lines using a concrete pylon were attempted, but they did not locate the dozer. 
  3. The company sought permission to drain the pocket, but the environmental agency denied permission. 

2) How did this happen? The project manager knew that this was addressed in the risk management plan and that the quality plan addressed the possibility as well. After questioning the lead geological engineer, the project manager learned that soil samples had in fact been taken every 10th of a mile per the project plan, but that the lead geological engineer had not actually performed the core test on the samples, as he had completed a flyover of the landscape at the initiation of the project in the company helicopter and believed the terrain to be stable. 

Now for question 3 and 4 

3) How could this have been avoided? 4) How can we mitigate the impact on the project? 

There are no definitive answers to these questions, as they differ from company to company, and should be discussed internally before a project. Our recommendations is to have 1 person from each individual team (the teams that are vital to the project) answer/react to this case study in association with a risk manager or a facilitator who understands the risk management perspective of this case study. 

By planning correctly and doing drills (preferably RoC Drills) this scenario could have been avoided. Furthermore, mitigation i.e., planning and exercises, are much less expensive than responding to accidents and a lot of stress can be avoided. 

Rehearse before! 

Scenario risk analysis

What is a Scenario Analysis? 

A Scenario Analysis is a tool used to identify possible risks. Usually, this tool is used in succession of a brainstorm where all possible risks are identified. After the most relevant or most commonly known risks are identified a Scenario Analysis will be performed. A Scenario Analysis is then followed by or used in combination with a risk matrix so that the identified and analysed risk can be “rated” according to whatever the organization defines as their impact and likelihood descriptors. 

How to use it 

There is no definitive way to use this tool. You can think of your own way to use it or you can follow some general practices which are as follows: 
— Define the Threat. 
— When does the treat occur? 
— What are the meteorological conditions when the threat occurs? 
— What is the object of the threat (worker(s), tool(s), heavy equipment, etc…). 
— Describe the situation in as much detail as possible.
— Then make an educated guess as to what the likelihood and consequence/impact of this scenario is.

An example of a Scenario Analysis is given here: 
In this scenario an ammonia container is leaking due to poor maintenance and the immediate threat is to employees in the facility and people in homes around the facility.  

Scenario: Ammonia container leaks ammonia. 
Time of day: Time: 09.47, Thursday October 10. 
Meteorological conditions: Wind blowing 3m/sec from SSW 
Object of threat: People/workers in nearby facilities or homes 
Situation: Due to poor maintenance the ammonia container has a broken or bad valve and is therefore leaking. Liquified Ammonia exits the container at 60 litres every minute or 1 litre a second (Imperial Units: 16 gallons a minute).  Employees are instructed to leave the area or use PPE such as masks and chemical suits. The emergency services are to be contacted so they can come in and close the leak and clean up. 
Scenario analysis: 
Likelihood and Consequence Likelihood: Given the nature of the company, rules from the government and safe workplace instalments, this scenario is rated as unlikely.   

Consequence: Is high given the chemical properties of ammonia, which is very dangerous to breath. Ammonia evaporates at –33 degrees Celsius and is deadly at concentration of 5000ppm in air. 
ATT: This scenario is based on Danish geography, rules and regulations, and may therefore differ from other countries in terms of safety measures and rules regarding storage and handling of dangerous chemicals. 

All these factors are, of course, dependent on your organizations main area of operations. The level of detail in these Scenarios are essential to a great threat/risk mitigation. The more you know about the operation procedures the greater detail you can describe the scenario in, and then it is easier to define the risk and threats and therefore to mitigate them in some way. 
With the example as it is right now, there are no definitions or descriptions of what unlikely is or what high consequence is. This is usually where risk matrix would be implemented, at the end of the first scenario analysis, where no mitigation measures have been implemented yet.  


  1. The Danish Emergency Management Agency has a great explanation of this method in their publication (Danish only): Håndbogen for risikobaseret dimensionering.
  2. We are working on an international source…