Japan
Risk and Risk Management
Risk pervades nearly everything that engineers do, and appears continually in the engineering literature and conversations. However, most engineers do not understand it. Safety legislation now exists with a risk framework. Engineers practise risk management as a way of reducing their legal liabilities, amongst other reasons.
Risk
Risk only exists in the presence of uncertainty.
Definition of risk: An exposure, expressed in terms of both likelihood (frequency or probability - as a result of uncertainty) and magnitude of an output (consequence), and resulting from inputs (risk source(s)) (some with uncertainty, some without).
Risk is a function of output likelihood and output magnitude.
E.g. safety – injury probability and severity.
E.g. projects – cost or time overrun probability and magnitude.
Dictionary definitions of risk (possibility, chance, probability, hazard, uncertainty) are not helpful in an engineering context. The term is frequently used when there are more appropriate terms available, to impress, or to disguise a speaker's or writer's lack of understanding of a situation. This has the potential to cause much confusion.
Cliched expressions involving risk are many, and usually wrongly used. For example: no risk; to take or run a risk; a calculated risk; at risk; risky; riskiness; risk versus reward; risk:reward ratio; and to take unnecessary risks.
Adages similarly use the term risk wrongly. For example: 'Only those who will risk going too far can possibly find out how far it is possible to go.'
Advertisements similarly. For example, a recent advertisement on how alcohol affects driving skills gives: for a human body containing 0.05 grams of alcohol per 100 ml of blood, there is double the risk of having an accident [over having no alcohol in the blood]; for 0.10 grams, there is 7 times the risk of having an accident; for 0.15 grams, there is 26 times the risk of having an accident.
International Standards Office (ISO) also gets it wrong.
ISO (2009), ISO Guide 73 Risk Management – Vocabulary, International Standards Office, Geneva.
ISO (2009), ISO 31000 Risk Management – Principles and Guidelines, International Standards Office, Geneva.
ISO (2009), ISO 31010 Risk Management – Risk Assessment Techniques, International Standards Office, Geneva.
ISO (2009), Risk Management – Guidance for the Implementation of ISO 31000, International Standards Office, Geneva.
In project management: PMBOK (Project Management Body of Knowledge, PMI 2013) gets it wrong. PRINCE2 gets it wrong. The usage of the term risk in the finance literature takes on multiple meanings, and can be incompatible with usages in other disciplines.
Risk Management
The popular approach to risk management is to go through a number of steps:
- Definition/Context
- Identification
- Analysis/Evaluation
- Response/Treatment
These are approached iteratively, with feedback between steps.
Mistakes in implementing risk management are common, primarily because people don't fully appreciate the underlying structure. Most people who use risk management in the workplace just go through the motions, cookbook style, according to the earlier steps listed. People get numbers and take actions and make decisions, but don't understand the underlying problem-solving nuances of what they are doing.
Definition/context step
(i) the measurement scale – related to {output likelihood, output magnitude} pairs – for risk, for example, {low, medium, high}, or numbers
(ii) the objective function(s) by which the feedback adjustments are selected in the response step – for example, lowest risk, minimum cost
(iii) the constraints restricting possible adjustments – for example, some outputs may be totally unacceptable.
Different attitudes to risk (including what are popularly called 'aversion', 'neutral' and 'seeking' or similar terms) will lead to different measurement scales for risk.
The identification step
Identifying inputs (risk sources) requires the same type of thinking as generating ideas/alternatives in problem solving. Some creative thinking is required in this step for all but the most straightforward situations; idea-generating techniques common to problem solving can be used here. Many people use checklists, which is dangerous.
This step is wrongly called 'risk identification' by most people. The step actually establishes 'risk sources' (inputs), not 'risks' (outputs).
For example, in health and safety, risk relates to injury, illness or death, while risk source relates to whatever initiates this. Risk is not the initiator (even though loose lay usage may have people think it is).
Magnitudes of inputs might be established through judgement, experience, expertise, education, interviews, idea generation techniques, and/or historical or collected data. Likelihoods or frequencies of occurrence of inputs may come from observed frequencies, deductions from mathematical models, and/or measures of a person's subjective degree of belief or relative likelihoods upon which the engineer is prepared to base a decision. If a qualitative approach is adopted, words and descriptive explanations are used along with a likelihood measurement scale such as {improbable, remote, occasional, possible, frequent}, and a magnitude scale such as {insignificant, minor, moderate, major, catastrophic}. If a quantitative approach is adopted, numbers are used along with a likelihood measurement scale of probabilities, while magnitudes might be, for example, in dollars or durations.
If an input is not identified, then risk management related to that input cannot proceed. This is the Achilles heel of risk management. The one input which has failed to be identified may bring about downfall. Some well-documented historical failures exemplify this.
The analysis/evaluation step
Analysis takes the inputs (likelihood and magnitude) and converts these into outputs (likelihood and magnitude). The analysis may be carried out qualitatively or quantitatively. If a qualitative analysis, a likelihood measurement scale such as {rare, unlikely, moderate, likely, almost certain} and a magnitude scale such as {disruption, damage, loss of property, injury, death} or {negligible, minor, serious, severe, catastrophic} might be used, along with descriptive explanations. If a quantitative analysis, a likelihood measurement scale of probabilities is used, while magnitudes might be, for example, in dollars or durations.
The {likelihood, magnitude} pairs are located on the measurement scale for risk appropriate to the stakeholder(s) for whom the risk study is being done. Each pair could be anticipated to be located or mapped differently for different people/organisations because of their different value systems and situations. Tables, matrices or plots with axes of consequence likelihood and consequence magnitude, and entries of risk levels, might be used to simplify this.
The response/treatment step
The response/treatment step deals with influencing the inputs (magnitude and likelihood), or transformations from input to output (and hence the magnitude and likelihood of outputs), through actions/decisions, by feedback, in order to address the risks detected. Adjustments are examined in terms of the earlier stated objective function(s) and constraints. (Common practice does not understand this.)
Adjustments may occur at different points in time. Two timings of the adjustments may be recognised:
- Immediate responding. Adjustments are introduced in order to address the risk now.
- Contingency responding. Adjustments are developed to deal with any possible adverse risks, but are only implemented should a prescribed input occur.
Trade-offs may be considered in terms of making adjustments at different points in time and the different outputs associated with making adjustments at different times.
Adjustment choices might be categorized according to whether they involve (related choices apply for upsides):
- Elimination (including: removal, avoidance, transference*); the value of a (minimum) risk objective function goes to zero.
- Reduction (including: mitigation, part-transference*, sharing*); this leads to a lower value for a (minimum) risk objective function.
- Leaving unchanged (including: acceptance, retention, assuming); the value of a (minimum) risk objective function remains the same.
Iterations of the risk management steps may follow until you are happy.
Example – safety
Risk source – workplace hazards (falls, trips, electrocution, …). Identify these. Estimate likelihood of occurrence.
Analysis – usually done qualitatively → leads to injury (various) / death likelihood and severity.
Response – (usually for safety) take measures to remove the risk source (hazard), safety induction of workers, workplace regulations, workplace redesign. That is, the risk associated with accidents is eliminated.
Note: Risk is {magnitude; likelihood} of injuries/death. Hazards are not the risks.

Example – extreme weather (e.g. cyclone)
Risk source – extreme winds from a cyclone. Estimate likelihood of occurrence and magnitude.
Analysis – structural analysis for wind loading → building damage likelihood and severity.
Response – redesign structure. That is, the risk associated with high wind damage is reduced to an acceptable level.
Note: Risk is {magnitude; likelihood} of building damage. The cyclone is not the risk.

Example – project cost and duration
Risk source – late deliveries, design changes, bad weather, ... Estimate likelihood of occurrence and magnitude of each of these.
Analysis – network (CPM) analysis → cost and time overruns likelihoods and magnitudes.
Response – redesign work, change resourcing. That is, the risks associated with cost and time overruns are reduced to acceptable levels.
Note: Risk is {magnitude; likelihood} of cost and time overruns. The late delivery, design change etc. are not the risks.
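
The project cost example, carried through the analysis and response steps with an objective function and a constraint from the definition step. This is an added example, not part of the original notes. All likelihoods, dollar figures, adjustment names and the constraint are constructed, and independent, additive overruns are assumed as a stand-in for the CPM analysis.

```python
from itertools import product

# Constructed inputs (risk sources): name -> (likelihood, cost overrun in $k if it occurs).
SOURCES = {"late delivery": (0.30, 40), "design change": (0.20, 100), "bad weather": (0.50, 20)}

# Constructed adjustments: name -> (cost of the adjustment in $k, inputs it changes).
ADJUSTMENTS = {
    "leave unchanged": (0, {}),
    "reduce: second supplier": (10, {"late delivery": (0.10, 40)}),
    "eliminate: freeze design": (25, {"design change": (0.0, 100)}),
}

# Constraint (constructed): an overrun above $120k may have likelihood at most 0.05.
UNACCEPTABLE_OVERRUN, MAX_LIKELIHOOD = 120, 0.05


def analyse(sources):
    """Convert inputs to outputs: (likelihood, magnitude) pairs for total cost overrun.
    Assumes independent sources with additive overruns (a stand-in for CPM analysis)."""
    outputs = {}
    names = list(sources)
    for occurs in product([False, True], repeat=len(names)):
        likelihood, overrun = 1.0, 0
        for name, hit in zip(names, occurs):
            p, magnitude = sources[name]
            likelihood *= p if hit else 1 - p
            overrun += magnitude if hit else 0
        outputs[overrun] = outputs.get(overrun, 0.0) + likelihood
    return [(p, m) for m, p in sorted(outputs.items()) if p > 0]


def expected_overrun(pairs):
    return sum(p * m for p, m in pairs)


def likelihood_above(pairs, limit):
    return sum(p for p, m in pairs if m > limit)


def respond(sources, adjustments):
    """Pick the adjustment minimising (adjustment cost + expected overrun) within the constraint."""
    feasible = {}
    for name, (cost, changes) in adjustments.items():
        pairs = analyse({**sources, **changes})
        if likelihood_above(pairs, UNACCEPTABLE_OVERRUN) <= MAX_LIKELIHOOD:
            feasible[name] = cost + expected_overrun(pairs)
    return min(feasible.items(), key=lambda kv: kv[1]) if feasible else None


if __name__ == "__main__":
    print(respond(SOURCES, ADJUSTMENTS))
```

Leaving the inputs unchanged has the lowest value of the objective function, but it breaches the constraint, so the selection falls to a reduction adjustment. The risk sources never appear in the result, only the {likelihood, magnitude} of the overrun does.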