Consequence: | |
---|---|
Small | For the hospital or the service: No violation of law; offence that does not lead to reaction; or negligible financial loss which can be recovered; or small reduction of reputation in the short run. For the patient: No impact on health; or negligible financial loss which can be recovered; or small reduction of reputation in the short run. |
Moderate | For the hospital or the service: Offence, less serious violation of law which results in a warning or a reprimand; or financial loss which can be recovered; or reduction of reputation that may influence trust and respect. For the patient: No direct impact on health or a minor temporary impact; or financial loss which can be recovered; or some loss of reputation caused by revelation of less sensitive or offensive health information. |
Severe | For the hospital or the service: Violation of law which results in a minor penalty or fine; or a large financial loss which cannot be recovered; or serious loss of reputation that will affect trust and respect for a long time. For the patient: Reduced health; or some financial loss which cannot be recovered; or serious loss of reputation caused by revelation of sensitive and offensive information. |
Catastrophic | For the hospital or the service: Serious violation of law which results in a penalty or fine; or considerable financial loss which cannot be recovered; or serious loss of reputation which is devastating for trust and respect. For the patient: Death or permanent damage of health; or considerable financial loss which cannot be recovered; or serious loss of reputation which permanently affects life, health, and finances. |
Likelihood: | |
Low | Rare, occurs less frequently than every 10th year, or less than 10 % of the times the system/service is used. Detailed knowledge about the system is needed; or special equipment is needed; or it can only be performed deliberately and with the help of internal personnel. |
Medium | May happen, occurs not more than once a year, or between 10 % and 30 % of the times the system/service is used. Normal knowledge about the system is sufficient; or normally available equipment can be used; or it can be performed deliberately. |
High | Fairly often, occurs several times a year, or between 30 % and 50 % of the times the system/service is used. Can be done with minor knowledge about the system; or without any additional equipment being used; or it can occur because of wrong or careless usage. |
Very high | Very often, occurs several times a month or more frequently than 50 % of the times the system/service is used. Can be done without any knowledge about the system; or without any additional equipment being used; or it can occur because of wrong or careless usage. |
Risk level: | |
Low | Acceptable risk. The service can be used with the identified threats, but the threats must be observed to detect changes that could increase the risk level. |
Medium | Possibly an acceptable risk for this particular service, but each threat must be considered separately and the development of the risk must be monitored on a regular basis, with an assessment of whether remedial measures should be implemented. |
High | Unacceptable risk. Use of the service cannot start before risk-reducing measures have been implemented. |