### 2.3.1. Risk Categorisations

The most high-level and generally applicable categorisation of risks in any type of project, business and industry is based on the risk breakdown structure, a risk management tool, which has been broadly applied [40–42]. Hall and Hullet [40] proposed three 'universal risk areas', namely management risk, external risk, and technological risk, which differ from the four risk types proposed by Tanim et al. [43] comprising strategic, financial, operational, and compliance risks. These may be suitable for threats and particularly for consequences, but not so much for barriers.

The project management perspective of Lester [44] provides four main risk categories, namely organisational, environmental, technical, and financial, with further sub-categories of technical, economic, environmental, operational, legal political, cultural, financial, commercial, resource, and security risks. It is one of the more detailed frameworks available.

The risk categorisation scheme of Chung and Zhu [45] includes operational, economic and environmental, strategic, technological and legal risks. This scheme was used to categorise company risks from news articles using a machine-learning algorithm. However, the categorisation emphasises management risks, less so the human involvement.

Industry-specific approaches exist, such as a categorisation of airport construction risks into technical, logistical, economical, financial, legal, construction, commercial, social, natural, and legal [46]. In the pharmaceutical and health care industry, risks have been divided into facility, personnel, process, system, and product risks [47]. While these categories may well fit within the relevant industry, they may be less suitable for categorising risks in other areas—similar to the categorisation used in health care (see Section 2.2).

The PEST, also called the STEP framework, is a tool used in market research [48]. The acronym stands for Sociological, Technological, Economic and Political. This categorisation was later enhanced to PESTLE by adding a legal and environmental component. This framework is more common in strategic management or marketing rather than for risk assessment (for an exception, see [49]). This is because the PEST(LE) analysis helps to identify factors in the market that affect the development and viability of an organisation. However, these factors do not necessarily have to be risks or threats, but can also be opportunities. It is evident that many of the above categorisations have strong similarities with the PESTLE framework.

### 2.3.2. Threat and Root Cause Categorisations

In computer systems, threats can be classified into physical damage, technical failure, natural event, compromise of information, compromise of functions, and loss of essential service [50]. Jouini et al. [51] introduced another classification for threats in information systems. The two main categories are external and internal threats, with both having sub-categories of human, environmental and technological threats.

In Bowtie, the term threat is used to describe root causes. Taproot is a root cause tree dictionary that classifies causes into eight categories, namely equipment difficulty, management system, quality control, procedures, human engineering, communications, training, and work direction [52]. The International Air Transport Association (IATA) uses five categories for the accident root cause classification system including human, organisational, environmental, technical, and insufficient data [53]. This approach covers human factors only in the form of human engineering. Furthermore, equipment difficulty and insufficient data work well for categorising threats or accidents, for which the categorisation from Taproot and IATA was developed. However, it may not work for barriers, since they should prevent or mitigate any negative outcome.

The most common categorisation for root causes originates from the cause and effect diagram, also referred to as 'Ishikawa' or fishbone diagram [23,47]. To help identify the root causes in a manufacturing environment and to break them down, Ishikawa identified six categories starting with the letter M, hence the 6M method. The Ms stand for man (or mind power), machinery, materials, methods, and Mother Nature (or milieu) [47]. Variations exist on the basic idea, using different terminologies [54]. For instance, some used the term 'environment' instead of 'Mother Nature' or 'equipment' instead of 'machinery', hence leading to the 5M and 1E categorisation [55,56], while others replaced the term 'manpower' with 'people' resulting in the 5M and 1P approach [57]. Some extended the categorisation to eight Ms by adding 'management', 'money', and 'maintenance' [58]. This categorisation originates from manufacturing and is therefore somewhat limited to its industry. However, the categories can be adjusted as needed.

Different categorisations have been developed to make the cause and effect diagram applicable to other industries. The 8P method (procedures, product, price, people, place, processes, policies, and promotion), for instance, is a common cause categorisation used in the marketing sector, while the 4S (surroundings, suppliers, systems, and skills) is well established in the service sector [55,56,59]. Both imply that a contextualisation may be required to apply a categorisation broadly.
