Other factors would also be the probability of the occurrence; degree of harm caused by the failure; number of individuals affected and how exactly the failure affects them. Also, I wanted to add that it really all comes down to objective judgement. Often, you can tell how severe a failure is just by looking at the nature of the harm it brings and how likely it is to occur without a deep analysis. From there, index numbers can be assigned or evaluated.

I do agree with the comment above, how severe a failure is by looking at the nature of the harm is a very important aspect. In addition, other factors that may potentially determine risk would be:
1) Vulnerability- which relates to the impact and likely hood of failure to occur, the more vulnerable the entity is to risk, the higher the impact it would have if the event occurs
2) Speed of onset – refers to the time it takes for a risk event to manifest itself or in other words the number of occurrences between each case. This aspect is important in order to develop risk response plans.
3) Scenario analysis – useful in assessing risks and tying them to strategic objectives. Essentially this refers to how the effects of technology, natural gas, oil, currency changes, competitive pressure, and supply chain disruption would impact risk.
I attached a link to a document that refers to these risk assessment factors

http://www.coso.org/documents/COSOAnncsOnlineSurvy2GainInpt4Updt2IntrnlCntrlIntgratdFrmwrk%20-%20for%20merge_files/COSO-ERM%20Risk%20Assessment%20inPractice%20Thought%20Paper%20OCtober%202012.pdf

Hi,

I do agree with the above discussion, Risk severity is categorized into three levels and includes a duration component. The three levels are medical device-related deaths or serious injuries, medical device-related non-serious adverse events, and medical device-related events without reported harm.
Likelihood of risk considers three risk factors related to the potential number of patients at risk of experiencing harm: the likelihood that a medical device will have problems, the likelihood of a patient experiencing harm, and the total number of patients exposed.

It is important to distinguish the types of risks you are analyzing. For example, there are risks that impact business, those that impact manufacturing, and the obvious risks with the device itself. A risk may be considered "high" level because it has a great impact on the business, but not necessarily manufacturing. The factors that determine these levels were mentioned in the above thread, which include likelihood to occur and severity of risk.

That is a good point. Different risks affect different areas and/or different people. A certain risk may delay a project by a few weeks, while another type of risk may potentially cause serious harm to a customer. Both must be handled seriously. In either case, money is lost. If deadlines are missed, it could delay the entire product from being launched. However, if a customer is injured, it could cause a product to be recalled. Both of these cause financial burdens on the company.

-Murad Elias

Risk index number = impact of risk event x probability of occurrence

The impact of the risk event is commonly assessed on a scale of 1 to 5, where 1 and 5 represent the minimum and maximum possible impact of an occurrence of a risk (usually in terms of financial losses).
The probability of occurrence is assessed on a scale from 1 to 5, where 1 represents a very low probability of the risk event actually occurring while 5 represents a very high probability of occurrence. This axis may be expressed in either mathematical terms (event occurs once a year, once in ten years, once in 100 years etc.) or may be expressed in "plain English" (event has occurred here very often; event has been known to occur here; event has been known to occur in the industry etc.)

Risk factors can change in magnitude depending on the adequacy of risk avoidance and prevention measures taken and due to changes in the external business environment. Hence it is absolutely necessary to periodically re-assess risks and intensify/relax mitigation measures, or as necessary.

Factor analysis of information risk (FAIR) is a taxonomy of the factors that contribute to risk and how they affect each other. FAIR underlines that risk is an uncertain event and one should not focus on what is possible, but on how probable is a given event. This probabilistic approach is applied to every factor that is analysed. The risk is the probability of a loss tied to an asset.
FAIR defines six kind of loss:

Productivity – a reduction of the organization to effectively produce goods or services in order to generate value
Response – the resources spent while acting following an adverse event
Replacement – the expense to substitute/repair an affected asset
Fines and judgements (F/J) – the cost of the overall legal procedure deriving from the adverse event
Competitive advantage (CA)- missed opportunities due to the security incident
Reputation – missed opportunities or sales due to the diminishing corporate image following the event

According to an article, Summing the factors of all individual hazards to determine their cumulative effect is reasonably valid assuming all hazards occur simultaneously or within a short enough period that their negative effects (i.e., injuries) would, in fact, be cumulative. Based on the critical factors associated with summing the severity of individual hazards as well as summing the individual probabilities of their occurrence, it becomes clear that to achieve an accurate result, the level of interdependence of the hazards in terms of severity and likelihood is crucial.

Other factors should also contribute to the risk value. The EDP audit staffs usually look for both threat and vulnerability in the corporate information systems. Usually, this can take some time to evaluate. Other factors to consider would be the environment that the risk analysis is being conducted. As mentioned above by others, it is quite important to note the degree of harm that can be cause by the failure and if it is high, the risk value would also be deemed high. I know that many companies use the risk value matrix, which provides a method of organizing opportunities based on the end value of each and the risk involved. Then, by carefully determining which risks are wroth taking and which are not, a low of money, time, and effort can be saved. It can also contribute to creating risk values.

As a co-op at Getinge I was able to work on a project associated with updating the PFMEA (process failure mode effects analysis). This one document lays out each process for creating the final medical device for each product line at Getinge. It defines the risk of each process, the probability of the risk occurring and the severity of the risk. ISO 14971 defines risk as “probability of harm occurring and severity of the harm once it occurs.” A two-dimensional risk chart is a great way to analyze the risk. The chart is divided into generally acceptable (GA), generally unacceptable (GU) and as low as reasonably practical (ALARP). GA represents the region where the probability and severity are pretty low. GU represents the region where probability and severity are high. ALARP is the region in-between GA and GU. This illustrates the risk indexes which are included in defining a risk.

Factors contributing the risk index numbers can be divided into three different group:
A. Overall context such as scientific unknowns, varying susceptibility to risk, positive feedback, and loss of safety margins.
B. Human factors such as social dynamics, conflicts of interest and values.
C. Decision maker: Amount of communication, and malicious attacks.

Risk factors depend on variables such as the severity of the risk, likelihood a particular risk occurs and the types of risks that they are willing to take. The severity of a risk can be severe, critical, significant, or minor and the frequency can be frequent, infrequent, or occasional. The combination of these two variables can show the level of impact. particular risk could potentially have. Companies also have to decide what, if any risks they are willing to take are, how each risk will be addressed, and the comparison of the risk to any possible reward.

I shall assume that by value you are referring to the impact you assign a risk. If using a matrix to measure the value of a risk is not sufficient I shall wonder what value you are concerned about.

Imagine your being in school is funded from a family resource - from your parents' savings. You have, may be, two siblings who could be using the same resource, but your parents feel your younger siblings will be better off holding back until you graduate. How long it takes to graduate measures how much pressure your schooling bears down on your little siblings. If this resource from where your schooling is being funded is limited, then your siblings are being deprived a supply of funds from this family resource.

However, it is hoped that when you graduate, you will become a valuable financial resource for your siblings.

You graduate and your parents' dream of you becoming the resource of your sibling's is realized. You take this responsibility seriously. And your siblings begin to enjoy a similar privilege as you enjoyed when your schooling was funded from your parents' savings.

In this case won't you think it was a valuable risk to take? Of-course, yes.

Some projects may actually be quite risky to undertake; but the benefits will outweigh the risk in the end, you may see this as a risk to attempt to mitigate. This is why RISK ANLYSIS is worth the undertaking.

All of the factors above contributed to the risk value.

Failure Modes and Effects Analysis identifies the opportunities for failure in each step of the process. Each failure mode gets a numeric score that quantifies (a) likelihood that the failure will occur, (b) likelihood that the failure will not be detected, and (c) the amount of harm or damage the failure mode may cause to a person or to equipment. As an organization works to improve a process, it can anticipate and compare the effects of proposed changes by calculating hypothetical Risk Priority Numbers of different scenarios.