We recently came across the proposal to include something called "Risk Priority Numbers" in our eQMS software Formwork, and let me tell you, this is a terrible idea, it makes zero sense, and it actively endangers your compliance if you come close to anything like it. Here's why.
The one-sentence summary is this: Don't ever multiply probability numbers which are not between 0 and 1. It doesn't make any sense.
So.. some people in the regulatory community believe that a risk analysis can be done with whole numbers (integers). As an example, you could say that your "risk priority number" (whatever that is) for "occurrence" (= something happens) is 1, and your "risk priority number" (??) for "detection" is 2 (???), and then you go ahead and multiply 1*2, which results in 2.
This by itself is already terrible and completely nonsensical from a maths point of view - but, anyway, here's how it looks in an article on the internet:
Needless to say, this is completely incorrect.
Let me repeat this again: Probabilities are numbers between 0 and 1. Every number in your risk analysis must be a number between 0 and 1, otherwise you're doing it wrong (tm). You cannot, I repeat, you cannot do any sort of useful risk analysis with arbitrary integer numbers. It will not work.
But you could try. Here's the risk matrix of the article cited above:
As you can see, this is becoming increasingly absurd. Like.. how does the spacing between those integers even work? For normal probabilities between 0 and 1, you can correctly state that, say, a probability of 0.4 is twice as likely as a probability of 0.2.
But what about the integer numbers above? Is a probability of 24 double as likely as a probability of 12? How did those numbers end up in the table in the first place?
So, here's the summary:
- Your risk analysis must be based on numbers between 0 and 1. Only those are actual probabilities. If your auditor is competent in statistics (unfortunately not all are), they will only accept this sort of approach.
- Only numbers between 0 and 1 can be multiplied in a logically useful way - e.g. you can chain two probabilities of 0.4 and 0.4, resulting in a total probability of 0.4*0.4 = 0.16. This is not possible with the integer approach above.
- Especially if you want to take things into account like the probability of detection (another probability!) and the probability reduction through a risk control measure (also a probability!), you must use numbers between 0 and 1 as otherwise there's no mathematically reasonable way to arrive at the total risk probability.
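Here's what the chaining from the summary looks like when written down in code. This is an added example, not part of Formwork or the article above; it assumes the three events are independent, that "detection" is the probability of catching the problem before harm, and that a control measure's "reduction" is the probability that it stops the harm when the problem slips through.

```python
def is_probability(p) -> bool:
    """True only for real numbers in the closed interval [0, 1]."""
    if isinstance(p, bool) or not isinstance(p, (int, float)):
        return False
    return 0.0 <= p <= 1.0


def check_probability(p, name: str) -> float:
    """Reject anything that is not a probability. An integer RPN such as 24
    fails here, which is the whole point: it cannot be multiplied meaningfully."""
    if not is_probability(p):
        raise ValueError(f"{name}={p!r} is not a probability (must be between 0 and 1)")
    return float(p)


def chain(*probabilities) -> float:
    """Probability that every event in an independent chain occurs: the product.
    chain(0.4, 0.4) gives 0.16, matching the summary above."""
    total = 1.0
    for i, p in enumerate(probabilities):
        total *= check_probability(p, f"p[{i}]")
    return total


def residual_risk(p_occurrence, p_detection=0.0, p_reduction=0.0) -> float:
    """Probability of harm after detection and a risk control are accounted for.
    Assumed model: harm needs the cause to occur AND to go undetected AND the
    control measure to fail, so each step multiplies in as a probability."""
    p_occ = check_probability(p_occurrence, "p_occurrence")
    p_det = check_probability(p_detection, "p_detection")
    p_red = check_probability(p_reduction, "p_reduction")
    return chain(p_occ, 1.0 - p_det, 1.0 - p_red)


if __name__ == "__main__":
    # Constructed sample values: cause occurs 10% of the time, 90% of those
    # are caught by detection, and the control stops half of the remainder.
    print(f"residual risk: {residual_risk(0.1, 0.9, 0.5):.4f}")  # 0.0050
    try:
        residual_risk(24, 12)  # the integer "RPN" style from the article
    except ValueError as err:
        print(f"rejected: {err}")
```

Running it prints the residual probability of harm and shows that the integer-style inputs are refused rather than silently multiplied.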