Having identified our risks we then proceed to characterise the source, the causal mechanisms, the consequences, identify controls and finally apply some sort of ranking to the risk. Sounds fairly straightforward and objective doesn’t it…
and
Although dangers are real, there is no such thing as objective risk or real risk. Even the simplest, most straightforward risk assessments are based on theoretical models, whose structure is subjective and assumption laden and whose inputs are dependent on judgement
From Matthew Squair’s excellent “System Safety” lecture slides.