Defining Risk Criteria
JAA undertook the following six-step process to establish risk criteria at the company.
First, it selected each of the five strategic objectives and articulated its position on expected outcomes and how it would measure such outcomes.
The five objectives were:
1. Maintaining market leadership
2. Sustaining technology leadership
3. Strengthening global presence
4. Delivering quality service
5. Being seen as a leader in compliance with all laws and regulations
For example, the expected outcomes for "being seen as a leader in compliance with all laws and regulations" are minimal injury to employees, zero fatalities, not facing prosecutions and enforcement actions, and minimizing the cost of any cleanup. It decided to measure such outcomes by people impact, legal actions, and duration and cost of any cleanup.
Second, it developed scales for each consequence type using ordinal measurement with the low end representing tolerable or insignificant deviations from the expected values and the high end representing very high consequences that maybe retained only by board approval. Such consequences are demonstrated in Exhibit 22.3 for quantitative consequences and in Exhibit 22.4 for qualitative consequences.
Third, it decided how likelihood would be expressed, and chose ranges from rare to very often with their associated probabilities, as can be seen in Exhibit 22.5a.
Fourth, it developed a table to derive the level of risk, and this can be seen in Exhibit 22.5b. The company opted to express the level of risk as a distribution instead of a point level so that different levels of impact could be expressed with the corresponding likelihood.
Fifth, it decided how the level of risk would be expressed by using a scale consisting of four levels from high to low, based on the combination of impact and likelihood mentioned before. With this table, for each risk, a treatment method is determined by multiplying the likelihood (probability) with impact level. Bow tie analysis is being used to map objectives and the events or consequences.
Finally, it decided on the rules for evaluating a risk, and such rules are listed in the upcoming "Risk Attitude" exhibit, and in Appendix B, "Risk Management Policy."
-  The use of bow tie analysis is described in ISO 31010 "Risk Management – Risk Assessment Techniques."