In This Guide
- Asset criticality assessment is foundational to ISO 55001 — it determines how resources, maintenance strategies, and investment are allocated across the asset portfolio
- Criticality is measured as Consequence of Failure × Likelihood of Failure, evaluated across safety, environmental, operational, financial, and reputational dimensions
- A risk register for assets must be a living document — regularly updated with condition data, incident records, and changing risk profiles
- Condition monitoring provides the objective data needed to move from time-based to risk-based maintenance strategies
- Auditors expect to see evidence that criticality and risk information directly influences investment decisions, maintenance priorities, and resource allocation
Risk in ISO 55001 Context
Risk-based thinking is a fundamental principle of ISO 55001. Clause 6.1 requires organisations to determine the risks and opportunities that need to be addressed to give assurance that the asset management system can achieve its intended outcomes, prevent or reduce undesired effects, and achieve continual improvement. Unlike some management system standards where risk management is one element among many, in ISO 55001 risk permeates every aspect of the asset management system.
In the context of asset management, risk has a specific and practical meaning. It is the effect of uncertainty on the achievement of asset management objectives. This encompasses not only the risk of asset failure (the most obvious concern) but also the risk of over-investing in assets that do not need it, the risk of under-investing in critical assets, the risk of regulatory non-compliance, and the risk of not achieving sustainability objectives.
Why Risk-Based Asset Management Matters
Every organisation has finite resources — budget, people, equipment, time. Risk-based asset management ensures these resources are directed where they create the most value and mitigate the most significant threats. Without a systematic approach to risk:
- Resources are misallocated: Money is spent maintaining low-criticality assets at the same intensity as high-criticality ones
- Failures are reactive: Without risk assessment, organisations respond to failures rather than preventing them
- Investment is uninformed: Capital investment decisions lack the risk evidence needed to prioritise effectively
- Compliance gaps emerge: Without risk-based prioritisation, regulatory requirements for critical assets may not receive adequate attention
- Stakeholder confidence erodes: Regulators, investors, and customers expect organisations to demonstrate that they understand and manage asset-related risks
ISO 55001 Risk Requirements
ISO 55001 addresses risk in several clauses:
- Clause 4.1: Understanding internal and external issues that create risk
- Clause 4.2: Understanding stakeholder needs and expectations that create risk requirements
- Clause 6.1: Actions to address risks and opportunities
- Clause 6.2: Asset management objectives must be consistent with the organisation's approach to managing risk
- Clause 8.1: Operational planning and control must manage operational risks
- Clause 9.1: Monitoring, measurement, analysis, and evaluation must cover risk performance
- Clause 9.3: Management review must consider risk-related information
Asset Criticality Framework
An asset criticality framework provides a structured, repeatable method for evaluating the importance of each asset or asset group to the organisation. Criticality determines the level of management attention, resources, and rigour applied to each asset.
The Criticality Matrix
The most widely used approach is a criticality matrix that combines two dimensions:
- Consequence of failure: What happens when the asset fails? Evaluated across multiple dimensions.
- Likelihood of failure: How probable is the failure? Based on age, condition, operating environment, and maintenance history.
Criticality = Consequence × Likelihood
Consequence Dimensions
An effective criticality framework evaluates consequence across multiple dimensions. Each dimension should have defined severity levels:
| Dimension | Low (1) | Medium (2) | High (3) | Critical (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Safety | No injury risk | Minor first aid | Medical treatment | Serious injury / hospitalisation | Fatality or permanent disability |
| Environment | No environmental impact | Minor contained release | Reportable release, limited impact | Significant environmental damage | Major pollution, long-term damage |
| Operations | No service impact | Minor service degradation (<4 hrs) | Moderate disruption (4–24 hrs) | Major disruption (1–7 days) | Extended outage (>7 days) |
| Financial | <$10K | $10K–$100K | $100K–$1M | $1M–$10M | >$10M |
| Reputation | No external awareness | Local media / complaints | Regional media attention | National media / regulatory scrutiny | International coverage, licence at risk |
The highest consequence score across all dimensions determines the overall consequence rating for the asset. This ensures that a safety-critical asset is treated as critical even if its financial consequence is low.
Likelihood Assessment
Likelihood of failure is assessed using available data and engineering judgement:
| Rating | Description | Indicative Probability | Supporting Evidence |
|---|---|---|---|
| 1 — Rare | Unlikely to occur during asset life | <1% per year | New asset, good condition, robust design |
| 2 — Unlikely | Could occur but not expected | 1–5% per year | Moderate age, adequate maintenance, minor degradation |
| 3 — Possible | Might occur during normal operations | 5–20% per year | Aging asset, moderate degradation, some failure history |
| 4 — Likely | Will probably occur within planning period | 20–50% per year | Significant degradation, approaching end of life, recurring issues |
| 5 — Almost Certain | Expected to occur, possibly multiple times | >50% per year | Beyond useful life, known defects, imminent failure indicators |
Criticality Levels and Management Actions
The criticality score (Consequence × Likelihood) maps to criticality levels that determine the management approach:
| Criticality Level | Score Range | Management Approach | Typical Actions |
|---|---|---|---|
| Critical | 16–25 | Intensive management, immediate attention | Continuous condition monitoring, predictive maintenance, redundancy planning, detailed risk treatment plan, frequent inspection, capital renewal priority |
| High | 10–15 | Active management, prioritised resources | Regular condition monitoring, preventive maintenance, risk treatment actions, periodic inspection, capital planning |
| Medium | 5–9 | Planned management, standard procedures | Scheduled preventive maintenance, periodic inspection, standard operating procedures, routine monitoring |
| Low | 1–4 | Minimal management, basic oversight | Run-to-failure acceptable, reactive maintenance, basic inspection, minimal monitoring |
In a mature asset management system, criticality assessment is the foundation for maintenance strategy selection, capital investment prioritisation, inspection frequency, spare parts stockholding, training priorities, and performance monitoring intensity. If you get criticality right, many other decisions follow naturally.
Criticality Assessment Methodology
A robust criticality assessment methodology must be documented, repeatable, and auditable. Here is a practical step-by-step approach:
Step 1: Define the Assessment Scope
Determine which assets will be assessed. For large portfolios, you may assess at the asset system or asset class level rather than individual components. Define clear boundaries — what constitutes a single "asset" for assessment purposes. For example, is a pumping station one asset or is each pump, motor, valve, and control system assessed separately? The level of granularity should be driven by the criticality of the system and the value of additional detail.
Step 2: Establish Consequence and Likelihood Scales
Define the consequence dimensions, severity levels, and likelihood scales appropriate to your organisation. The scales provided above are illustrative — they must be calibrated to your organisational context. Financial thresholds, for example, should reflect your organisation's size and risk appetite. Involve senior management in validating the scales to ensure they reflect organisational values and priorities.
Step 3: Gather Data
Effective criticality assessment requires data. Collect:
- Asset register data: Type, age, location, replacement value, remaining useful life
- Condition data: Inspection results, monitoring data, defect records
- Performance data: Failure history, downtime records, reliability data
- Consequence data: Impact assessments, incident records, safety reports
- Design data: Design specifications, redundancy, safety margins
- Environmental data: Operating environment, exposure to corrosion, weather, temperature
Step 4: Conduct Assessments
Assessments should be conducted by cross-functional teams including operations, maintenance, engineering, safety, and environmental personnel. Use structured workshops with the following process:
- Identify the asset or asset group being assessed
- Identify credible failure modes (how could the asset fail?)
- For each failure mode, assess consequence across all dimensions
- Assess likelihood based on current condition, age, and operating environment
- Calculate criticality score
- Determine criticality level
- Document rationale and evidence supporting the assessment
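The scoring part of this workshop process, together with the highest-consequence rule and the score bands from the tables above, can be written down as follows. This is an added example, not part of the original guide: the asset, failure modes and ratings are constructed, and rating an asset by its highest-scoring failure mode is an assumption. The `averaged_score` function is included only to show what the highest-consequence rule protects against.

```python
from dataclasses import dataclass

DIMENSIONS = ("safety", "environment", "operations", "financial", "reputation")
# (lower bound, level) from the criticality level table: 16-25, 10-15, 5-9, 1-4.
LEVEL_BANDS = ((16, "Critical"), (10, "High"), (5, "Medium"), (1, "Low"))


@dataclass(frozen=True)
class FailureMode:
    name: str
    consequence: dict    # dimension name -> severity 1..5
    likelihood: int      # 1..5
    rationale: str = ""  # evidence recorded with the assessment


def check_rating(label, value):
    """Reject anything that is not an integer rating on the 1-5 scales."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{label} must be an integer from 1 to 5, got {value!r}")


def overall_consequence(consequence):
    """Highest score across all dimensions, plus the dimension(s) that set it."""
    if set(consequence) != set(DIMENSIONS):
        raise ValueError(f"expected exactly these dimensions: {DIMENSIONS}")
    for dim in DIMENSIONS:
        check_rating(dim, consequence[dim])
    rating = max(consequence.values())
    return rating, [d for d in DIMENSIONS if consequence[d] == rating]


def criticality_level(score):
    """Map a Consequence x Likelihood score (1-25) to its criticality level."""
    if not 1 <= score <= 25:
        raise ValueError(f"score out of range: {score!r}")
    return next(level for lower, level in LEVEL_BANDS if score >= lower)


def assess_failure_mode(fm):
    """Score one failure mode and keep the rationale with the result."""
    check_rating("likelihood", fm.likelihood)
    rating, drivers = overall_consequence(fm.consequence)
    score = rating * fm.likelihood
    return {"failure_mode": fm.name, "consequence": rating, "drivers": drivers,
            "likelihood": fm.likelihood, "score": score,
            "level": criticality_level(score), "rationale": fm.rationale}


def assess_asset(asset_id, failure_modes):
    """Assumption: the asset is rated by its highest-scoring failure mode."""
    if not failure_modes:
        raise ValueError("at least one credible failure mode is required")
    results = [assess_failure_mode(fm) for fm in failure_modes]
    worst = max(results, key=lambda r: r["score"])
    return {"asset": asset_id, "score": worst["score"], "level": worst["level"],
            "driven_by": worst["failure_mode"], "failure_modes": results}


def averaged_score(fm):
    """Counter-example only: averaging dimensions dilutes a severe safety score."""
    mean = sum(fm.consequence[d] for d in DIMENSIONS) / len(DIMENSIONS)
    return mean * fm.likelihood


# Constructed sample data for a hypothetical chemical dosing pump.
SEAL_LEAK = FailureMode(
    "seal leak",
    {"safety": 5, "environment": 4, "operations": 2, "financial": 1, "reputation": 3},
    likelihood=4, rationale="recurring seal defects in inspection records")
MOTOR_BURNOUT = FailureMode(
    "motor burnout",
    {"safety": 1, "environment": 1, "operations": 3, "financial": 2, "reputation": 1},
    likelihood=3, rationale="ageing motor, standby unit available")

if __name__ == "__main__":
    result = assess_asset("PUMP-EXAMPLE-01", [SEAL_LEAK, MOTOR_BURNOUT])
    print(result["asset"], result["score"], result["level"], result["driven_by"])
    print("averaged instead of max:", averaged_score(SEAL_LEAK))
```

With the highest-consequence rule the seal leak scores 20 (Critical); averaging the same ratings would give 12 (High), which understates a failure mode whose safety consequence is catastrophic.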
Step 5: Validate and Review
Validate assessment results with asset owners and senior management. Check for consistency across asset groups and locations. Ensure that critical and high-criticality assets are flagged for enhanced management. Document the assessment results and the review/approval process.
Step 6: Maintain and Update
Criticality assessments must be updated when conditions change: after significant maintenance or renewal, after failure events, when condition monitoring reveals degradation, when operating conditions change, when regulatory requirements change, and as part of the regular review cycle (at least annually for critical assets).
Risk Registers for Assets
An asset risk register is the central record of identified risks to the asset portfolio, their assessment, and the actions being taken to manage them. It is a mandatory component of a compliant ISO 55001 system and one of the first documents auditors will request.
What to Include in the Risk Register
An effective asset risk register includes:
- Risk ID: Unique identifier for tracking and cross-referencing
- Risk description: Clear statement of what could go wrong, including the cause, event, and consequence
- Asset(s) affected: Which asset(s) or asset group(s) are at risk
- Risk category: Safety, environmental, operational, financial, regulatory, reputational
- Inherent risk score: Consequence × Likelihood before any controls or mitigations
- Existing controls: What measures are currently in place to manage the risk
- Residual risk score: Consequence × Likelihood after existing controls
- Risk treatment plan: What additional actions are planned to reduce the risk
- Risk owner: The person accountable for managing the risk
- Action due dates: When treatment actions will be completed
- Status: Current status of risk treatment actions
- Review date: When the risk will next be reviewed
Risk Register Best Practices
- Keep it alive: A risk register created for certification and never updated is worse than no register at all. Establish regular review cycles — monthly for critical risks, quarterly for others.
- Link to condition data: Risk assessments should be informed by condition monitoring data. As asset condition changes, risk scores should be updated.
- Aggregate and escalate: Individual asset risks should be aggregated to portfolio-level views for senior management. Risks exceeding tolerance thresholds must be escalated.
- Connect to decisions: The risk register should directly inform investment prioritisation, maintenance planning, and resource allocation. If the register exists independently of decision-making, it adds no value.
- Include opportunities: ISO 55001 requires organisations to address opportunities as well as risks. Include positive risks (opportunities) in the register — for example, opportunities to extend asset life through technology upgrades or to reduce costs through optimised maintenance strategies.
Condition Monitoring & Data
Condition monitoring is the process of measuring, recording, and analysing parameters that indicate asset health. It provides the objective data needed to assess likelihood of failure, validate criticality assessments, and optimise maintenance strategies.
Types of Condition Monitoring
Different asset types require different monitoring approaches:
- Vibration analysis: For rotating equipment (motors, pumps, compressors, fans). Detects bearing wear, imbalance, misalignment, and structural defects.
- Thermography: Infrared imaging for electrical equipment, mechanical systems, and building envelopes. Detects hot spots indicating impending failure, energy loss, or insulation degradation.
- Oil analysis: For lubricated equipment (gearboxes, hydraulic systems, engines). Detects wear metals, contamination, and lubricant degradation.
- Ultrasonic testing: For pressure vessels, pipelines, and structural components. Measures wall thickness and detects corrosion, cracking, and lamination.
- Electrical testing: For transformers, cables, switchgear, and motors. Includes insulation resistance, partial discharge, and power quality monitoring.
- Visual inspection: Structured visual assessment using defined condition grading scales. The most basic but often most overlooked form of monitoring.
- IoT sensors: Continuous, automated monitoring using connected sensors for temperature, humidity, pressure, flow, vibration, and other parameters. Enables real-time alerting and trend analysis.
Condition Grading
A standardised condition grading system ensures consistency in condition assessment across the asset portfolio. A typical five-grade system:
| Grade | Condition | Description | Indicative Action |
|---|---|---|---|
| 1 | Very Good | As new, no visible defects, full performance capability | Continue routine maintenance |
| 2 | Good | Minor deterioration, cosmetic defects only, no performance impact | Continue planned maintenance, monitor degradation |
| 3 | Fair | Moderate deterioration, some performance impact, intervention needed within planning period | Plan intervention (refurbishment, component replacement) |
| 4 | Poor | Significant deterioration, performance impaired, intervention needed soon | Prioritise intervention, increase monitoring frequency |
| 5 | Very Poor | Severe deterioration, at or beyond end of life, failure imminent or occurring | Immediate intervention, consider emergency replacement, implement risk mitigation |
Using Condition Data in Risk Assessment
Condition monitoring data feeds directly into the risk assessment process. As condition deteriorates, the likelihood of failure increases, raising the risk score. This dynamic relationship between condition and risk is central to risk-based asset management. Organisations should define trigger points — condition thresholds that automatically trigger risk review, increased monitoring, or maintenance intervention.
Failure Mode Analysis
Failure Mode and Effects Analysis (FMEA) and similar techniques help organisations understand how assets can fail, the consequences of each failure mode, and the most effective strategies for prevention or mitigation. This analysis is essential for developing risk-based maintenance strategies.
FMEA Process for Asset Management
- Identify functions: What does the asset do? What is its required performance level?
- Identify functional failures: How can the asset fail to perform its function?
- Identify failure modes: What specific mechanisms cause the functional failure? (e.g., bearing seizure, corrosion, electrical short circuit, structural fatigue)
- Assess failure effects: What happens when each failure mode occurs? Consider safety, environmental, operational, and financial effects.
- Determine failure causes: Why does each failure mode occur? Consider wear, environmental exposure, operating conditions, design limitations.
- Assess current controls: What maintenance, monitoring, or operational controls currently prevent or detect the failure mode?
- Calculate Risk Priority Number (RPN): Severity × Occurrence × Detection = RPN. Higher RPNs indicate failure modes requiring priority attention.
- Develop improvement actions: For high-RPN failure modes, define actions to reduce severity or occurrence, or to improve detection.
When to Use FMEA
FMEA is particularly valuable for:
- Critical and high-criticality assets where failure consequences are severe
- New asset types being introduced to the portfolio
- Assets with unexplained or recurring failures
- Developing or optimising maintenance strategies
- Supporting capital investment business cases
For large asset populations, FMEA can be conducted at the asset type level rather than for every individual asset. The results inform the maintenance strategy for the entire asset class.
Risk Appetite & Tolerance
ISO 55001 requires organisations to define and apply their approach to managing risk. This involves two related but distinct concepts: risk appetite and risk tolerance.
Risk Appetite
Risk appetite is the broad level of risk that an organisation is willing to accept in pursuit of its objectives. It is a strategic statement, typically approved by the board or senior management, that guides decision-making across the organisation. Risk appetite statements for asset management might include:
- "We have zero appetite for risks that could result in a fatality or serious injury"
- "We accept moderate operational risk where the cost of mitigation significantly exceeds the expected impact"
- "We have low appetite for environmental risk and will invest in controls to prevent environmental harm"
- "We accept short-term financial risk where it supports long-term asset sustainability"
Risk Tolerance
Risk tolerance is the specific, measurable threshold for acceptable risk on individual assets or asset groups. It translates the strategic risk appetite into operational criteria. Examples of risk tolerance thresholds:
- "No individual asset shall have a residual risk score exceeding 15 (on a 1–25 scale) without an approved risk treatment plan and executive sign-off"
- "Critical asset availability must remain above 99.5% — any asset risk that threatens this threshold requires immediate treatment"
- "No asset in Condition Grade 5 shall continue operating without a documented risk acceptance or emergency replacement plan"
Applying Risk Appetite to Decisions
Risk appetite and tolerance should be embedded in decision-making frameworks. When a proposed action (or inaction) would result in risk exceeding the defined tolerance, escalation and formal risk acceptance processes should be triggered. This creates a governance framework that ensures risk-informed decisions at all levels of the organisation.
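The tolerance thresholds above and the review cycles from the risk register best practices can be checked mechanically against the register. The following is an added example, not part of the original guide: the register entries and field names are constructed, the day counts for "monthly" and "quarterly" are assumptions, and a "critical" risk is assumed to be one whose residual score falls in the 16-25 band.

```python
from datetime import date, timedelta

TOLERANCE = 15                   # residual score above this needs a plan and sign-off
CRITICAL_MIN = 16                # lower bound of the Critical band (16-25)
MONTHLY = timedelta(days=31)     # assumed length of the monthly review cycle
QUARTERLY = timedelta(days=92)   # assumed length of the quarterly review cycle
ESCALATION_CODES = {"OVER_TOLERANCE_NO_PLAN", "OVER_TOLERANCE_NO_SIGNOFF",
                    "GRADE5_NO_ACCEPTANCE"}


def audit_entry(entry, today):
    """Return the finding codes for one register entry (empty list = clean)."""
    findings = []
    residual = entry["residual_score"]
    actions = entry.get("treatment_actions", [])

    if not entry.get("owner"):
        findings.append("NO_RISK_OWNER")
    if residual > TOLERANCE:
        if not actions:
            findings.append("OVER_TOLERANCE_NO_PLAN")
        if not entry.get("executive_signoff"):
            findings.append("OVER_TOLERANCE_NO_SIGNOFF")
    # Condition Grade 5 assets need a documented acceptance or replacement plan.
    if entry.get("condition_grade") == 5 and not (
            entry.get("risk_acceptance") or entry.get("emergency_replacement_plan")):
        findings.append("GRADE5_NO_ACCEPTANCE")
    for action in actions:
        if not action.get("owner") or not action.get("due"):
            findings.append("ACTION_INCOMPLETE")
        elif action.get("status") != "complete" and action["due"] < today:
            findings.append("ACTION_OVERDUE")
    # Review cadence: monthly for critical risks, quarterly for the rest.
    cycle = MONTHLY if residual >= CRITICAL_MIN else QUARTERLY
    if entry["next_review"] < today:
        findings.append("REVIEW_OVERDUE")
    elif entry["next_review"] - today > cycle:
        findings.append("REVIEW_TOO_FAR_OUT")
    return findings


def audit_register(entries, today):
    """Findings per risk, risks to escalate, and the within-tolerance KPI."""
    report = {e["risk_id"]: audit_entry(e, today) for e in entries}
    within = sum(1 for e in entries if e["residual_score"] <= TOLERANCE)
    return {
        "findings": {rid: f for rid, f in report.items() if f},
        "escalate": sorted(rid for rid, f in report.items()
                           if ESCALATION_CODES.intersection(f)),
        "pct_within_tolerance": 100.0 * within / len(entries) if entries else 100.0,
    }


# Constructed register extract; all identifiers and dates are illustrative.
TODAY = date(2024, 6, 1)
REGISTER = [
    {"risk_id": "R-001", "owner": "Operations Manager", "inherent_score": 25,
     "residual_score": 20, "condition_grade": 5, "treatment_actions": [],
     "next_review": date(2024, 6, 10)},
    {"risk_id": "R-002", "owner": "Maintenance Lead", "inherent_score": 12,
     "residual_score": 9, "next_review": date(2024, 12, 18),
     "treatment_actions": [{"owner": "Maintenance Lead", "status": "open",
                            "due": date(2024, 4, 30)}]},
    {"risk_id": "R-003", "owner": "Asset Engineer", "inherent_score": 20,
     "residual_score": 16, "executive_signoff": True,
     "next_review": date(2024, 5, 15),
     "treatment_actions": [{"owner": "Asset Engineer", "status": "open",
                            "due": date(2024, 9, 30)}]},
    {"risk_id": "R-004", "owner": "Facilities Lead", "inherent_score": 6,
     "residual_score": 4, "treatment_actions": [],
     "next_review": date(2024, 8, 1)},
]

if __name__ == "__main__":
    result = audit_register(REGISTER, TODAY)
    for risk_id, codes in result["findings"].items():
        print(risk_id, codes)
    print("escalate:", result["escalate"])
    print("within tolerance: %.0f%%" % result["pct_within_tolerance"])
```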
Linking Risk to Investment
One of the most powerful applications of asset criticality and risk management is informing investment decisions. Organisations must demonstrate to auditors — and more importantly, to themselves — that their capital and maintenance investment is directed by risk.
Risk-Based Prioritisation
When investment demands exceed available budget (as they always do), risk-based prioritisation ensures that the most critical investments are funded first:
- Categorise investment proposals by criticality level and risk reduction potential
- Quantify risk reduction — how much does the residual risk score decrease if the investment is made?
- Calculate risk-cost ratio — the risk reduction achieved per dollar invested
- Prioritise by risk-cost ratio — investments that deliver the most risk reduction per dollar are funded first
- Apply constraints — mandatory regulatory investments may override risk-cost ranking
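The prioritisation steps above, applied to a fixed budget, look like this in code. This is an added example, not part of the original guide: the proposals, costs and budget are constructed, and two behaviours are assumptions: mandatory items are funded before the ranked list, and a proposal that does not fit the remaining budget is deferred while cheaper ones further down the ranking are still considered. Deferred proposals whose current risk score exceeds the tolerance of 15 are listed for escalation.

```python
from dataclasses import dataclass

TOLERANCE = 15  # residual risk score ceiling used in the tolerance examples


@dataclass(frozen=True)
class Proposal:
    pid: str
    cost: float            # dollars
    risk_before: int       # residual risk score (1-25) if nothing is done
    risk_after: int        # residual risk score (1-25) if the investment is made
    mandatory: bool = False  # e.g. a regulatory requirement

    @property
    def risk_reduction(self):
        return self.risk_before - self.risk_after

    @property
    def ratio(self):
        """Risk reduction achieved per dollar invested."""
        return self.risk_reduction / self.cost


def validate(p):
    if p.cost <= 0:
        raise ValueError(f"{p.pid}: cost must be positive")
    if not (1 <= p.risk_after <= p.risk_before <= 25):
        raise ValueError(f"{p.pid}: expected 1 <= risk_after <= risk_before <= 25")


def prioritise(proposals, budget):
    """Fund mandatory items first, then the rest by risk-cost ratio."""
    for p in proposals:
        validate(p)
    mandatory = [p for p in proposals if p.mandatory]
    ranked = sorted((p for p in proposals if not p.mandatory),
                    key=lambda p: (-p.ratio, p.pid))
    remaining = budget
    funded, deferred = [], []
    for p in mandatory + ranked:
        if p.cost <= remaining:
            funded.append(p)
            remaining -= p.cost
        else:
            deferred.append(p)
    return {
        "funded": [p.pid for p in funded],
        "deferred": [p.pid for p in deferred],
        "unfunded_mandatory": [p.pid for p in deferred if p.mandatory],
        # Inaction leaves these above tolerance, so they need formal acceptance.
        "escalate": [p.pid for p in deferred if p.risk_before > TOLERANCE],
        "risk_reduction": sum(p.risk_reduction for p in funded),
        "remaining": remaining,
    }


# Constructed investment proposals; identifiers and figures are illustrative.
SAMPLE_PROPOSALS = [
    Proposal("P1-switchgear-replacement", 400_000, 20, 8),
    Proposal("P2-pump-seal-upgrade", 50_000, 15, 9),
    Proposal("P3-regulatory-backflow", 120_000, 6, 4, mandatory=True),
    Proposal("P4-roof-refurbishment", 300_000, 9, 6),
    Proposal("P5-vibration-sensors", 80_000, 12, 8),
]

if __name__ == "__main__":
    plan = prioritise(SAMPLE_PROPOSALS, budget=600_000)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

In this sample the switchgear replacement delivers the largest absolute risk reduction but is deferred because it no longer fits the budget once higher-ratio items are funded; its current score of 20 puts it on the escalation list.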
Total Cost of Ownership
Risk-based investment also considers total cost of ownership (TCO) across the asset lifecycle. A low-cost asset with high failure risk may have a higher TCO than a more expensive but reliable alternative. Investment decisions should consider:
- Acquisition cost
- Installation and commissioning cost
- Operating cost over the expected life
- Maintenance cost (preventive and corrective)
- Expected failure costs (consequence × likelihood × frequency)
- Disposal and decommissioning cost
- Environmental cost (carbon, energy, waste)
Documenting Investment Rationale
For ISO 55001 compliance, investment decisions must be traceable to risk and criticality assessments. Auditors will look for business cases that reference risk data, capital plans that align with criticality priorities, and management review records that show investment decisions informed by risk information.
Evidence for Auditors
Understanding what auditors look for helps organisations prepare for certification and surveillance audits. Here is a comprehensive list of evidence that demonstrates effective criticality and risk management:
Documentation Evidence
- Documented criticality assessment methodology with defined consequence and likelihood scales
- Completed criticality assessments for the asset portfolio with evidence of cross-functional input
- Risk register(s) with identified risks, assessments, treatment plans, and owners
- Risk appetite and tolerance statements approved by senior management
- Condition monitoring procedures and schedules
- FMEA or equivalent analysis for critical assets
- Investment prioritisation methodology referencing risk
Implementation Evidence
- Evidence that criticality drives maintenance strategy (different strategies for different criticality levels)
- Condition monitoring records and trend analysis
- Risk treatment action completion records
- Capital investment business cases referencing risk data
- Escalation records for risks exceeding tolerance thresholds
- Training records for personnel conducting criticality and risk assessments
Performance Evidence
- KPIs related to risk management (e.g., percentage of risks within tolerance, treatment plan completion rates)
- Management review records covering risk performance
- Internal audit findings related to risk management and their closure
- Trend analysis showing risk profile changes over time
- Evidence that risk information influences decisions (meeting minutes, approval records)
Auditors will often use sampling to verify that your criticality and risk framework is consistently applied. They may select a critical asset and trace through the evidence: criticality assessment → risk register entry → maintenance strategy → condition monitoring records → investment decisions. Ensure this trail is complete and consistent for your highest-criticality assets.
Common Pitfalls
Based on our extensive audit experience, here are the most common pitfalls organisations encounter with asset criticality and risk management:
1. Inconsistent Application
The problem: Different teams or locations apply the criticality framework differently. One site rates an asset as "critical" while another rates the same asset type as "medium." Without calibration, the framework loses credibility and cannot support consistent decision-making.
The fix: Conduct calibration workshops with representatives from all sites/teams. Use worked examples to establish consistent interpretation. Include calibration checks in the internal audit programme.
2. Static Risk Registers
The problem: The risk register is created during implementation and never updated. Risks change — new risks emerge, existing risks may reduce or increase, treatment actions are completed but the register is not updated.
The fix: Establish formal review cycles (monthly for critical risks, quarterly for others). Assign risk owners who are accountable for keeping their risks current. Include risk register review in management meetings.
3. Risk Assessment Without Action
The problem: Risks are identified and assessed but no treatment actions are taken. The register becomes a list of problems rather than a management tool. High-risk assets receive the same maintenance as low-risk assets.
The fix: Every risk above the tolerance threshold must have a treatment plan with specific actions, owners, and due dates. Track treatment plan completion as a KPI. Escalate overdue actions.
4. Over-Reliance on Subjective Assessment
The problem: Criticality assessments are based entirely on opinion without supporting data. This makes assessments difficult to defend and inconsistent across assessors.
The fix: Use available data to support assessments — condition monitoring results, failure history, maintenance records, incident data. Where data is limited, document assumptions and plan data collection to improve future assessments.
5. Failure to Connect Risk to Investment
The problem: Capital investment and maintenance budgets are allocated based on historical spending, political influence, or urgency rather than risk. The risk register and criticality assessments exist but do not influence resource allocation.
The fix: Embed risk-based prioritisation in the investment planning process. Require all capital requests to reference the risk register and criticality assessment. Report investment alignment with risk priorities to senior management.
6. Ignoring Low-Probability, High-Consequence Risks
The problem: Organisations focus on high-frequency, low-consequence failures (because they are visible and annoying) while ignoring rare but catastrophic risks. A $500 pump failure that happens monthly gets more attention than a $5M failure that has never happened.
The fix: Ensure the criticality framework gives appropriate weight to consequence severity, not just likelihood. Use scenario planning and "what if" analysis for high-consequence risks. Consider Black Swan events in your risk assessment.
Frequently Asked Questions
What is asset criticality in the context of ISO 55001?
Asset criticality is a measure of how important an asset is to the organisation based on the consequence of its failure. It combines the likelihood of failure with the severity of consequences across multiple dimensions — safety, environmental, operational, financial, and reputational. Criticality determines the level of attention, resources, and management rigour applied to each asset.
How do you determine asset criticality?
Asset criticality is determined using a structured framework that evaluates consequence of failure across multiple dimensions (safety, environment, operations, cost, reputation) and likelihood of failure based on age, condition, operating environment, and maintenance history. The criticality score is Consequence × Likelihood, resulting in a rating (Critical, High, Medium, Low) that drives management strategies.
What is the difference between risk appetite and risk tolerance?
Risk appetite is the broad level of risk an organisation is willing to accept in pursuit of its objectives — it is a strategic statement. Risk tolerance is the specific, measurable threshold for acceptable risk on individual assets or asset groups. For example, an organisation's risk appetite might be "low tolerance for safety risk" while its risk tolerance might be "no single asset with a residual risk score exceeding 15 without executive sign-off."
What evidence do auditors look for regarding risk management?
Auditors look for a documented criticality assessment methodology, completed assessments for the asset portfolio, risk registers with treatment actions, evidence that criticality drives management strategies (e.g., different maintenance approaches for different criticality levels), condition monitoring data, management review records covering risk, and evidence that risk information influences investment and maintenance decisions.
Do I need to assess every single asset for criticality?
Not necessarily every individual asset, but every asset class or group must be assessed. For large asset populations of identical components, you can assess at the asset type or system level. For unique or high-value assets, individual assessment is appropriate. The key is that your approach is systematic, documented, and covers the entire asset portfolio without gaps.