Risk assessment techniques explained: 4 families that fit IEC 31010
IEC 31010 helps teams choose the right risk method, and this guide breaks the choice into four families so leaders match technique to the decision.

Key takeaways
1. Separate ISO 31000 from IEC 31010 before the workshop so governance and method do not get mixed up.
2. Choose the lightest technique that still answers the real decision, because extra detail only helps when the question needs it.
3. Escalate from screening to scenario review when the work has moving parts, change, or a higher consequence.
4. Use failure logic for barrier and equipment questions, then check whether the control still exists in the field.
5. Keep Andreza Araújo's Make The Difference: Be a Leader in Health & Safety close when the team needs action, not just analysis.
Risk assessment techniques are the methods teams use to study hazards before they become losses. IEC 31010 is useful when an organization needs a method, not a philosophy, because it helps leaders choose how to examine uncertainty with enough rigor for the decision they actually need to make.
Across 25+ years leading EHS at multinationals, Andreza Araújo has seen the same pattern repeat. The company says it wants better risk decisions, then picks a method for ceremony instead of the decision in front of it.
As Andreza Araújo argues in Make The Difference: Be a Leader in Health & Safety, a risk method only matters when the supervisor or manager can turn the output into a clear action on the floor.
Definition
ISO 31000 is the standard for managing risk. IEC 31010 is the companion standard that helps teams select and apply techniques for assessing risk. They are related, but they do not do the same job, which is why leaders confuse governance with method.
In more than 250 cultural-transformation projects supported by Andreza Araújo's team, the fastest improvements came when the tool matched the decision. A board review, a shift-start discussion, and a process-hazard study need different levels of detail: the decision with the highest consequence deserves the clearest picture, and the way the answer is framed should match the people who will act on it.
Why do teams confuse ISO 31000 and IEC 31010?
They confuse them because both live in the same risk-management conversation and both sound abstract in isolation. ISO 31000 tells the organization how to think about risk at a governance level, whereas IEC 31010 helps the organization choose a method that can reveal what matters in the field.
The article on What-If Analysis shows what happens when teams use a method to surface options, while HAZOP vs Bow-Tie vs FMEA shows how method choice changes the decision. That distinction matters because a clean label on the study means nothing if the room never reaches the control that would prevent the event.
The 4 families that matter
In practice, teams usually need one of four families: screening, structured scenario review, failure logic, or quantitative comparison. These are not the only techniques in IEC 31010, but they are the fastest way to choose the right level of effort without turning the review into bureaucracy.
- Screening: Use this when the team needs to spot obvious hazards quickly, usually in routine work or early scoping. A simple JSA or checklist belongs here.
- Structured scenario review: Use this when the team needs to ask what could go wrong across a process or task, especially when the field condition is changing. What-If analysis and HAZOP fit this family.
- Failure logic: Use this when the team needs to follow how a control, barrier, or component can fail. FMEA and Bow-Tie analysis are useful here, particularly when one weak point can change the outcome.
- Quantitative comparison: Use this when the decision depends on probability or consequence and the organization has enough data to justify the extra effort.
How do you differentiate the families in practice?
Choose the lightest method that can still answer the real question. If the supervisor only needs to brief a crew before routine work, a JSA may be enough. If the team is redesigning a process, the structured method should become richer, because a decision with a higher consequence deserves a clearer picture.
The article on Barrier Analysis is useful when the question is whether a control still exists in the field, while FMEA Risk Assessment helps when the team must reason through failure modes before the workshop starts. Both articles sit closer to execution, while IEC 31010 helps the team choose the level of analysis first.
| Family | Best use | Common mistake |
|---|---|---|
| Screening | Routine work and early scoping | Using it for a high-consequence process change |
| Structured scenario review | Tasks with many moving parts | Turning it into an endless brainstorming session |
| Failure logic | Barrier and equipment weakness | Confusing failure paths with the final consequence |
| Quantitative comparison | Decisions that need a stronger numerical base | Forcing numbers where the evidence is too thin |
When should you use IEC 31010 instead of ISO 31000?
Use IEC 31010 when the team already knows it has a risk question and now needs a method to answer it. Use ISO 31000 when the organization is still deciding how risk management fits governance, planning, and accountability. The two are complementary, and the comparison only makes sense when the leader is clear about the decision level.
The clean test is simple. If the question is "how should we manage risk as an organization?" start with ISO 31000. If the question is "which technique should we use to study this hazard or scenario?" start with IEC 31010. That is the difference between a system and a method.
If you want a practical lens for turning analysis into action, Andreza Araújo's Make The Difference: Be a Leader in Health & Safety is the book to keep beside the workshop notes.
Frequently asked questions
What is IEC 31010?
Is IEC 31010 the same as ISO 31000?
When is a JSA enough?
Should every risk review use HAZOP or FMEA?
Where should a team start if the method is unclear?
About the author
Andreza Araújo
Safety Culture Expert | Senior EHS Executive
Andreza Araújo is a safety culture expert and senior EHS executive with more than 25 years of experience in environment, health and safety. She is a Civil Engineer and Occupational Safety Engineer from Unicamp, holds a Master's degree in Environmental Diplomacy from the University of Geneva, and completed sustainability studies at IMD Switzerland. Andreza has served in Global Head of EHS roles in Fortune 500 environments, leading cultural transformation programs across multinational operations. She has represented Brazil as a speaker at the United Nations in Paris and has spoken at the International Labour Organization in Turin. She is the author of more than 16 books on safety culture in Portuguese, Spanish, English and German. Her work has earned more than 10 EHS awards, including two recognitions from Indra Nooyi, former PepsiCo CEO.
- Civil & Safety Engineer (Unicamp)
- M.A. Environmental Diplomacy (University of Geneva)
- Sustainability Cert (IMD Switzerland)
- People Management & Coaching (Ohio University)
- UN Paris speaker representative for Brazil
- ILO Turin speaker
- LinkedIn Top Voice
- Indra Nooyi PepsiCo CEO recognition (2x)