**6. How to determine risk?**

Risk is determined by the combination of the two already mentioned factors, probability and severity, to which a third one, detection, can be added when a system of detection is in place. This gives us the classical formula:

Risk = Probability of occurrence of the harm × Severity of the harm × Detection of the harm

The term frequency is often used instead of probability, reflecting that most of the time what we really know is how often the harm has happened in a well-established process. Evidently, even if we do not know how to estimate probability, if we do know that the harm has never happened in our process, we can affirm that the probability is very low.

Severity is easier to understand because we are only asked to assess the importance of harm.

The capacity to detect harm is linked to the existence of a system for its detection. Thus, its assessment tends to be more objective, as it is related to the equipment. This factor, however, has a marked particularity: risk increases when the capacity of detection decreases, so it is an inverse factor. This is not a problem if we bear it in mind, but it can easily be overcome by changing the way we express it. For instance, instead of talking about "detection of the harm" we could say "difficulty of detection of the harm", thus turning it into a direct factor like the other two.
