Risk analysis

NASA's illustration showing high impact risk areas for the International Space Station

Risk analysis can be defined in many different ways, and much of the definition depends on how risk analysis relates to other concepts. Risk analysis can be "broadly defined to include risk assessment, risk characterization, risk communication, risk management, and policy relating to risk, in the context of risks of concern to individuals, to public- and private-sector organizations, and to society at a local, regional, national, or global level."[1] A useful construct is to divide risk analysis into two components: (1) risk assessment (identifying, evaluating, and measuring the probability and severity of risks) and (2) risk management (deciding what to do about risks).[2] Some books[3] take a slightly different approach and define risk management as the overarching concept, where risk analysis is the component that seeks to identify and measure the risks and risk mitigation is determining what to do about the risks.

Risk analysis can be qualitative or quantitative.[4] Qualitative risk analysis uses words or colors to identify and evaluate risks or presents a written description of the risk, and quantitative risk analysis (QRA) calculates numerical probabilities over the possible consequences.

Quantitative risk analysis

QRA seeks to numerically assess probabilities for the potential consequences of risk, and is often called probabilistic risk analysis or probabilistic risk assessment (PRA). The analysis often seeks to describe the consequences in numerical units such as dollars, time, or lives lost. PRA often seeks to answer three questions:[5]

1. What can happen? (i.e., what can go wrong?)
2. How likely is it that it will happen?
3. If it does happen, what are the consequences?

Thus, risk $R$ can be described as a set of triplets, $R = \{\langle s_i, p_i, c_i \rangle\},\ i = 1, 2, \ldots, N$, where $s_i$ is scenario $i$, $p_i$ is the probability of scenario $i$, $c_i$ is the consequence if scenario $i$ occurs, and $N$ is the total number of scenarios. This type of analysis typically results in a probability distribution over the consequences.

Although actuarial science has used probabilities to measure risk for more than a hundred years,[6] PRA as a specific mode of inquiry was initially developed to analyze engineering risks such as nuclear power plants and the space shuttle.[7] More recently, it has also been applied to other areas, such as business, climate change, health risks, food safety and security. Especially with the increasing importance of terrorism, game theory has become a quantitative tool to analyze the risks of intelligent adversaries who seek to do harm against a system or people. These game-theoretic techniques may be probabilistic or deterministic.

Pseudo-quantitative risk assessment

Pseudo-quantitative risk assessments generally assign numbers to the likelihood and consequences for a risk but do not build a mathematical model of the risk as suggested by PRA. The most popular pseudo-quantitative method is probably the risk matrix, which classifies the likelihood of a risk in one category and the consequences in another category. The combination of the likelihood and consequence categories corresponds to a risk level, usually a color such as red, orange, yellow, and green. A risk matrix is sometimes called a pseudo-quantitative method because the categories may be determined from numbers.[8] For example, the likelihood category Unlikely may correspond to a probability of occurrence between 0.1 and 0.3.

These pseudo-quantitative or scoring methods have been heavily criticized because they do not obey mathematical rules and may not correctly rank risks.[9] They have the appearance of being rigorous but provide a false sense of security to those organizations that rely on them to manage risks.[10] Undertaking a full QRA provides a more rigorous analysis and a better foundation for making good risk management decisions than relying on pseudo-quantitative methods.
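The triplet definition from the QRA section and the matrix critique above, as an added Python example that is not part of the article or its cited sources: each scenario is one $\langle s_i, p_i, c_i \rangle$ triplet, a constructed risk matrix (with hypothetical category boundaries, using the text's "Unlikely = 0.1 to 0.3") is scored beside the expected loss $p_i c_i$, and a check lists pairs of risks that the matrix orders the opposite way from the quantitative score. The scenario names and values are constructed for illustration, not measurements.

```python
from dataclasses import dataclass
from bisect import bisect_right

@dataclass(frozen=True)
class Scenario:
    """One Kaplan-Garrick triplet <s_i, p_i, c_i>: scenario, probability, loss in dollars."""
    name: str
    probability: float
    consequence: float

# Hypothetical category boundaries for the matrix (constructed, not from any standard).
LIKELIHOOD_EDGES = [0.1, 0.3, 0.6]     # Rare <0.1, Unlikely 0.1-0.3, Possible 0.3-0.6, Likely >=0.6
CONSEQUENCE_EDGES = [10_000, 100_000]  # Minor <10k, Moderate 10k-100k, Major >=100k
MATRIX = [                             # rows: likelihood band; columns: consequence band
    ["green",  "green",  "yellow"],
    ["green",  "yellow", "orange"],
    ["yellow", "orange", "red"],
    ["yellow", "red",    "red"],
]
LEVEL_ORDER = {"green": 0, "yellow": 1, "orange": 2, "red": 3}

def matrix_level(s: Scenario) -> str:
    """Pseudo-quantitative score: bucket p_i and c_i, then look up the colour cell."""
    return MATRIX[bisect_right(LIKELIHOOD_EDGES, s.probability)][bisect_right(CONSEQUENCE_EDGES, s.consequence)]

def expected_loss(s: Scenario) -> float:
    """Quantitative score taken from the triplet itself: p_i * c_i."""
    return s.probability * s.consequence

def loss_distribution(scenarios):
    """PRA output: probability mass over consequence values. Assumes the scenarios are
    mutually exclusive; the remaining mass is the zero-loss 'nothing happens' outcome."""
    dist = {0.0: 1.0 - sum(s.probability for s in scenarios)}
    for s in scenarios:
        dist[s.consequence] = dist.get(s.consequence, 0.0) + s.probability
    return dist

def matrix_misrankings(scenarios):
    """Pairs (a, b) where the matrix rates a strictly above b but expected loss rates b above a."""
    return [(a.name, b.name) for a in scenarios for b in scenarios
            if LEVEL_ORDER[matrix_level(a)] > LEVEL_ORDER[matrix_level(b)]
            and expected_loss(b) > expected_loss(a)]

# Constructed sample scenarios (illustrative values only).
SCENARIOS = [
    Scenario("credential phishing leads to mailbox compromise", 0.29, 99_000),
    Scenario("encrypted laptop lost in transit", 0.31, 11_000),
    Scenario("ransomware on file server", 0.05, 800_000),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name}: matrix={matrix_level(s)}, expected loss=${expected_loss(s):,.0f}")
    print("matrix mis-ranks:", matrix_misrankings(SCENARIOS))
```

The laptop scenario lands one likelihood band above the phishing scenario and is rated orange versus yellow, yet its expected loss is roughly an eighth of the phishing scenario's; this is the ranking reversal the criticism refers to.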

References

1. Y. Y. Haimes, Risk Modeling, Assessment, and Management (2004).
2. D. W. Hubbard, The Failure of Risk Management: Why It's Broken and How to Fix It (2009).
3. M. Rausand, Risk Assessment: Theory, Methods, and Applications (2011).
4. S. Kaplan and B. J. Garrick, 'On the quantitative definition of risk,' Risk Analysis, Vol. 1, No. 1, 1981, doi:10.1111/j.1539-6924.1981.tb01350.x.
5. P. L. Bernstein, Against the Gods: The Remarkable Story of Risk (1998).
6. T. Bedford and R. Cooke, Probabilistic Risk Analysis: Foundations and Methods (2001).
7. 'System and method for risk assessment and management,' U.S. Patents.
8. L. A. Cox Jr., 'What's Wrong with Risk Matrices?,' Risk Analysis, Vol. 28, No. 2, 2008, doi:10.1111/j.1539-6924.2008.01030.x.
9. D. W. Hubbard, The Failure of Risk Management: Why It's Broken and How to Fix It (2009).