Risk assessment Tor Stålhane NTNU / IDI
Date posted: 22-Dec-2015

Risk assessment

Tor Stålhane

NTNU / IDI


What is risk - 1

Risks are characterized by three factors:

• They are concerned with events that may – or may not – happen in the future.

• The events are identifiable but their effect and probability are uncertain.

• The outcome of the events can be influenced by our actions


What is risk - 2

A risk is something that can be a problem in the future. It is defined by two parameters:

• The probability - p. What is the probability that the risk will become a problem?

• The consequences - C. What will happen if the risk becomes a problem?

The risk – R – is defined as R = C*p


How large is the risk - 1

In order to find the size of a risk, we need values for p and C.

In some cases we can estimate these values from historical data but in most cases we will have to use expert opinions or other subjective data sources.

It is not always possible – or meaningful – to assign a numerical value to a consequence, e.g. loss of lives.


How large is the risk - 2

Even though assessment is a subjective activity it is not about throwing out any number that you like.

To be useful, an assessment must be

• Based on relevant experience.

• Anchored in real world data, e.g. “How bad can it get?”

• The result of a documented and agreed-upon process. Having a process makes it possible to later improve the process based on experiences.


Assessing risk

The quality of an assessment increases when the background info gets more specific.

Don’t ask: “What is the consequence of X?” or “What is the probability of Y?”

It is better to ask: “What is the consequence of X in scenario S?” or “What is the probability of Y in scenario S?”


Assessment and scenarios - 1

If the probability of scenario $S_i$ is $p(S_i)$, and $p_i$ and $C_i$ are the probability and consequence of an accident in scenario $S_i$, we have that:

$$R = \sum_i p(S_i)\, p_i\, C_i$$

The method is critically dependent on the

• Quality of the scenario descriptions

• Independence of the scenarios


Assessment and scenarios - 2

We can improve our assessments even more if we do not ask for consequences in general but for consequences for one particular asset. Thus, in scenario $i$ we have consequence $C_{j,i}$ for asset $j$.

$$R_j = \sum_i p(S_i)\, p_i\, C_{j,i}$$


Assessing C and p

We can assess consequences and probabilities in several ways:

• Textual categories – e.g. High, Medium, Low.

• Numerical categories – e.g. values from 1 to 10.

• Value intervals.

• Statistical distributions.


Textual categories – 1

When using categories, it is important to give a short description as to what each category implies. E.g. it is not enough to say “High consequences”. We must relate it to something already known, e.g.

• Project size

• Company turn-over

• Company profit


Textual categories – 2

Two simple examples:

• Consequences: we will use the category “High” if the consequence will gravely endanger the profitability of the project.

• Probability: we will use the category “Low” if the event can occur but only in extreme cases.


The CORAS consequence table

Consequence values

| Category | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Measured related to income | 0.0 – 0.1% | 0.1 – 1.0% | 1 – 5% | 5 – 10% | 10 – 100% |
| Measured loss due to impact on business | No impact on business. Minor delays | Lost profits | Reduce the resources of one or more departments. Loss of a couple of customers | Close down departments or business sectors | Out of business |


The CORAS frequency table

Frequency values

| Category | Rare | Unlikely | Possible | Likely | Almost certain |
|---|---|---|---|---|---|
| Number of unwanted incidents per year | 1/100 | 1/100 – 1/50 | 1/50 - 1 | 1 - 12 | > 12 |
| Number of unwanted incidents per demand | 1/1000 | (1/500) | 1/50 | (1/25) | 1/1 |
| Interpretation of number of demands | Unwanted incident never occurs | Each thousand time the system is used | Each five times the system is used | Each tenth time the system is used | Every second time the system is used |


Consequence and probability - 1

| Probability \ Consequence | H | M | L |
|---|---|---|---|
| H | H | H | M |
| M | H | M | L |
| L | M | L | L |


Consequence and probability - 2

The multiplication table is used to rank risks. It cannot tell us how large they are.

We should only use resources on risks that are above a certain, predefined level.


Numerical categories -1

We can use numbers instead of names. This does not make the assessment more precise but will free us from the need to define a multiplication table in order to identify risks.

In principle we can use any numbers. The best solution is, however, to just assign numbers to the three aforementioned categories.


Numerical categories – 2

The following values are often used in practice, both for consequences, benefits and probabilities:

• 10 – high

• 4 – medium

• 1 – low

Thus, a medium consequence and a low probability will give a risk of 4*1 = 4.


Numerical categories – 3

| Probability \ Consequence | H / 10 | M / 3 | L / 1 |
|---|---|---|---|
| H / 10 | H / 100 | H / 30 | M / 10 |
| M / 3 | H / 30 | M / 9 | L / 3 |
| L / 1 | M / 10 | L / 3 | L / 1 |


Value intervals

If we have more info available we can give better estimates. Even though we cannot give exact values, we can give our assessments as intervals.

An interval has a start and an end value – denoted a and b. We denote the interval I as I = [a, b]

In our case, the width of the interval is a measure of our uncertainty.


Simple interval arithmetic

As long as all interval limits are positive, we can write:

• I = I1 * I2, I = [a1*a2, b1*b2]

• I = I1 + I2, I = [a1 + a2, b1 + b2]

• I = I1 - I2, I = [a1 - a2, b1 - b2]

• I = I1 / I2, I = [a1/b2, b1/a2]

If we use intervals for consequence (C) and probability (p) we get

R = [C1*p1,C2*p2]


Statistical distributions - 1

We can use statistical distributions for C and p. In this case, the distributions are used to show our uncertainty.

Practical solutions could be:

• Beta distribution for p

• Gamma distribution for C


Statistical distributions - 2

Based on the distributions of p and C, we can compute the distribution of the risk in three ways:

• Mellin transforms

• Monte Carlo simulation

• Approximation methods

We will only look at the third alternative.


Statistical distributions - 3

The following approximation holds:

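$$Y = f(x_1, x_2, \ldots, x_n), \quad x_i \text{ ind. } x_j$$

$$E(Y) \approx f(E(x_1), E(x_2), \ldots, E(x_n))$$

$$Var(Y) \approx \sum_{i=1}^{n} \left(\frac{\partial f}{\partial x_i}\right)^2 Var(x_i)$$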


Risk approximation

Using the expressions from the previous slide we get the following approximations:

$$E(R) \approx E(p)\,E(C)$$

$$Var(R) \approx E(C)^2\,Var(p) + E(p)^2\,Var(C)$$

It is now straightforward to find the expected value and variance for R.
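The approximation for R = C*p can be checked against Monte Carlo simulation, the second alternative listed earlier. The following is an added example, not part of the original slides; the Beta and Gamma parameters are constructed sample values. It also shows what the first-order approximation leaves out: for independent p and C the exact variance contains the extra term Var(p)*Var(C).

```python
"""Added example: E(R) and Var(R) for R = C*p, approximation vs. Monte Carlo."""
import random

# Constructed sample parameters (assumptions, not from the slides):
P_PARAMS = (2, 8)    # p ~ Beta(a=2, b=8): "around 0.2, but uncertain"
C_PARAMS = (4, 25)   # C ~ Gamma(shape=4, scale=25): "around 100, long tail"


def beta_moments(a, b):
    """Mean and variance of Beta(a, b), used here for the probability p."""
    mean = a / (a + b)
    var = a * b / ((a + b) ** 2 * (a + b + 1))
    return mean, var


def gamma_moments(shape, scale):
    """Mean and variance of Gamma(shape, scale), used here for the consequence C."""
    return shape * scale, shape * scale ** 2


def risk_approx(p_mom, c_mom):
    """First-order approximation: E(R) = E(p)E(C),
    Var(R) = E(C)^2 Var(p) + E(p)^2 Var(C)."""
    (ep, vp), (ec, vc) = p_mom, c_mom
    return ep * ec, ec ** 2 * vp + ep ** 2 * vc


def risk_exact_var(p_mom, c_mom):
    """Exact variance of a product of independent variables.
    It adds Var(p)*Var(C), which the first-order approximation drops."""
    (ep, vp), (ec, vc) = p_mom, c_mom
    return ec ** 2 * vp + ep ** 2 * vc + vp * vc


def risk_monte_carlo(a, b, shape, scale, n=100_000, seed=1):
    """Sample R = p*C directly and return the sample mean and variance."""
    rng = random.Random(seed)
    samples = [rng.betavariate(a, b) * rng.gammavariate(shape, scale)
               for _ in range(n)]
    mean = sum(samples) / n
    var = sum((x - mean) ** 2 for x in samples) / (n - 1)
    return mean, var


if __name__ == "__main__":
    p_mom = beta_moments(*P_PARAMS)
    c_mom = gamma_moments(*C_PARAMS)
    e_r, var_r = risk_approx(p_mom, c_mom)
    mc_mean, mc_var = risk_monte_carlo(*P_PARAMS, *C_PARAMS)
    print(f"approximation: E(R) = {e_r:.2f}, Var(R) = {var_r:.2f}")
    print(f"exact:         Var(R) = {risk_exact_var(p_mom, c_mom):.2f}")
    print(f"Monte Carlo:   E(R) = {mc_mean:.2f}, Var(R) = {mc_var:.2f}")
```

The wider the distributions of p and C, the larger the dropped term becomes, so the approximation understates the spread of R most when the assessors are least certain.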


Simple risk assessment

In order to do a simple risk assessment we need to identify:

• Dangerous events

• Each event’s

  – consequence – C

  – probability – p

• Possible barriers – changes or controls

• Person responsible for each risk - Resp.


Simple risk table

| Event | C | p | R | Barriers | Resp |
|---|---|---|---|---|---|


Events

We start by identifying dangerous events. The simple way to do this is to use brainstorming – just sit down and envisage your worst nightmares related to the activities under consideration.

Be realistic – only consider things that you believe can happen.


Barriers

Barriers can be realized through:

• Prevention – we change the system so that the event cannot occur.

• Mitigation – we can

  – change the system in order to reduce the event’s probability or consequences.

  – define activities that will reduce the problems if the event occurs.


[Figure: Barrier 1 to Barrier 6 placed along the chain Risk, Prob., Event.]

• Prevention barriers – prevent risk from becoming a problem

• Handling barriers – prevent event from having bad consequences

• Reduction barriers – reduce effect of event


Benefits

It is important to bear in mind that:

• We usually expect to gain something through change – new products, new ways to work etc.

• Risks stem from changes.

• Reducing risk is a cost factor

We need to look at the total picture.


The total picture - 1

The total picture of the situation shows the risks and the benefits that stem from a planned change.

This is not a mechanism that can be used to identify the best solution.

It is, however, an important input when we want to make a decision.


The total picture - 2

The total picture shows risks and benefits. Risk can be shown in two ways:

1. Unmitigated risks

2. Mitigated risks – include the effect of risk reduction activities, e.g. barriers. This can be done by

  – Modifying the risk assessment

  – Indicating how the risk will move in the diagram


Consequences and benefits

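[Figure: benefit (B) and consequence (C), each on the scale L, M, H, plotted against probability p (L, M, H). Benefit shown: “Reduced number of MMI-related defects”. Consequence shown: “Extra work needed for MMI-specification”.]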


Unmitigated risks

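[Figure: benefit (B) and consequence (C), each on the scale L, M, H, plotted against probability p (L, M, H). Benefit shown: “Reduced number of MMI-related defects”. Consequences shown: “Extra work needed for MMI-specification”, “Large disagreements between designers and MMI experts”, “Partnership does not work”.]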


The mitigation effect

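[Figure: benefit (B) and consequence (C), each on the scale L, M, H, plotted against probability p (L, M, H), with markers 1 and 2 on the diagram. Benefit shown: “Reduced number of MMI-related defects”. Consequences shown: “Extra work needed for MMI-specification”, “Large disagreements between designers and MMI experts”, “Partnership does not work”.]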


Including benefits

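[Figure: benefit (B) and consequence (C), each on the scale L, M, H, plotted against probability p (L, M, H), with markers 1 and 2 on the diagram. Benefits shown: “Reduced number of MMI-related defects”, “Better MMI for existing products”, “Better MMI requirements will reduce imp. costs”. Consequences shown: “Extra work needed for MMI-specification”, “Large disagreements between designers and MMI experts”, “Partnership does not work”.]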


C and p as intervals - 1

[Figure: benefit and consequence plotted against p.]


C and p as intervals - 2

[Figure: benefit and consequence plotted against p. Labels in the diagram: “Mitigation effect”, “Cost of mitigation and benefits’ value and probability”, “Increased value or probability”.]


The tyranny of “either – or”

All too often we are confronted by the statement that we can only get X if we are willing to suffer Y.

This is the wrong attitude. The right attitude is that we will

1. Do what is needed to get X

2. Perform activities that will remove or reduce the bad effects of Y.


Leverage

Leverage is a prioritizing mechanism:

Leverage = (Benefit – Cost) / Cost

Leverage will prioritize activities with

• Large net benefits

• Small costs


Extended risk table -1

We can use cause – consequence chains or event trees for a risk to identify the best place to insert a barrier.

For each barrier, we need to assess:

• Cost - the cost of implementing it. We will use the scale H = 10, M = 3 and L = 1.

• E – how effective is the barrier? We will use the scale h = 1.0, m = 0.5 and l = 0.2


Extended risk table - 2

| Event | C | p | R | Barrier | Cost | E | L | Resp. |
|---|---|---|---|---|---|---|---|---|


Barrier leverage

Leverage = (C*p*E – Cost) / Cost

The leverage will prioritize barriers which:

• Have low costs – Cost is small

• Have high efficiency – E is large

• Attack important risks – C*p is high


Barrier – example

| Event | Cons. | p | R | Mitigation | E | Cost | L | Resp |
|---|---|---|---|---|---|---|---|---|
| Partnership does not work – business conflicts | 10 | 3 | 30 | Do a thorough research on selected partner’s business goals | 0.5 | 10 | 0.5 | John |
| Customers do not prioritize project participation | 10 | 3 | 30 | State the conditions and consequences of customer participation in the contract | 1.0 | 3 | 9.0 | Pete |


Some comments on barriers

It is important to remember that:

• Each risk will usually need a different barrier – a barrier that works against one risk can be valueless against another risk.

• It is important to consider the three main barrier strategies:

  – Prevent the risk from becoming a problem

  – Control the problem to avoid the consequences

  – Reduce the consequences


ALARP and GALE

There are two competing principles in the assessment of risk:

• ALARP – As Low As Reasonably Possible. We have done all that is reasonable to prevent problems and dangers.

• GALE – Globally At Least Equivalent. E.g. introducing a new process will not increase the risks compared to what it is today.


ALARP

ALARP requires that we analyze each risk separately and then implement mitigation activities.

A reasonable goal is to reduce each risk until the extra mitigation costs exceed the value of the risk reduction achieved.

All that we have seen up till now fits into an ALARP policy.


GALE

GALE requires us to look at the total risk of a change. In this way we can start by attacking the cheapest risk or the risk with the largest leverage.

The problem with the GALE principle is that we need to perform arithmetic on risks. E.g. we need to decide how many medium risks we need before we have a large risk.


ALARP vs. GALE

The one important thing with using the GALE principle is that it forces us to ask “What is the current risk level?”

All too often we act as if the current way of doing things is risk free and all risk stems from changes.

This stance is reinforced by the human tendency to underestimate the risk of status quo.


Using GALE

Important points

• GALE is a method for risk analysis. Benefits must be included elsewhere

• We need to look at both our current risk and the risk resulting from the proposed changes.

• Always perform a sensitivity analysis.


Risk – status quo vs. change

In many cases, maybe even in most of them, we do risk assessment because we want to compare two or more alternatives, e.g.:

• Status quo – no changes

• One or more changes - improvements


Event identification

• All significant dangerous events must have been identified.

• There must be a minimal overlap between the dangerous events.

• There must be a maximum of commonality between the dangerous events considered for the status quo and for the system after the proposed changes


The three event sets

The previous rules split the dangerous events into three sets – dangerous events that:

• Apply both to the status quo and to the new system.

• Are unique to the status quo

• Are unique to the new system


GALE and risk assessment - 1

GALE uses the following parameters for risk assessment:

• FE – the event frequency

• PE – the probability that the event will lead to an accident

• S – the severity score of an event


GALE and risk assessment - 2

We can compute individual and accumulated risk indices:

$$I_E = F_E + P_E + S$$

$$I_{GR} = \log \sum_i 10^{I_{E,i}}$$

$I_E$ is the risk index for a hazardous event ($I_{E,i}$ for event $i$)

$I_{GR}$ is the global risk index


The GALE scoring scheme

The scoring scheme of GALE

• Focuses on deviations from current average. This is reasonable, given that it is mainly concerned with comparing status quo to a new situation.

• Must be tailored to each situation. The next slide shows an example from road safety. We need a scheme adapted to SPI.


Road safety - frequency score for event

| Frequency classification | Occurrences / year on M42 ATM section | | FE |
|---|---|---|---|
| Very frequent | 10000 | Hourly | 6 |
| Frequent | 1000 | A few times a day | 5 |
| Probable | 100 | Every few days | 4 |
| Occasional | 10 | Monthly | 3 |
| Remote | 1 | Annually | 2 |
| Improbable | 0.1 | Every 10 years | 1 |
| Incredible | 0.01 | Every 100 years | 0 |


Frequency score for event

| Frequency classification | Occurrences per project | | FE |
|---|---|---|---|
| Very frequent | 200 | Every project | 6 |
| Frequent | 100 | Every few projects | 5 |
| Probable | 40 | Every 10th project | 4 |
| Occasional | 10 | Every 100th project | 3 |
| Remote | 1 | A few times in the company’s lifetime | 2 |
| Improbable | 0.2 | One or two times during the company’s lifetime | 1 |
| Incredible | 0.01 | Once in the company’s lifetime | 0 |


Probability score for event

| Classification | Interpretation | PE |
|---|---|---|
| Probable | It is probable that this event, if it occurs, will cause a problem | 3 |
| Occasional | The event, if it occurs, will occasionally cause a problem | 2 |
| Remote | There is a remote chance that this event, if it occurs, will cause a problem | 1 |
| Improbable | It is improbable that this event, if it occurs, will cause a problem | 0 |


Severity score for event

| Severity classification | Interpretation | S |
|---|---|---|
| Severe | The portion of occurring problems that have serious consequences is much larger than average | 2 |
| Average | The portion of occurring problems that have serious consequences is similar to our average | 1 |
| Minor | The portion of occurring problems that have serious consequences is much lower than average | 0 |


Sensitivity analysis

The global risk index is made of many indices. Each index will have a certain degree of uncertainty connected to it.

Usually, a few indices will have a large influence on the result while the rest will have but little influence.

Pareto’s rule applies - we need to identify the few important indices.
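The GALE indices and a one-at-a-time sensitivity analysis can be computed as below. This is an added example, not part of the original slides: the event names and their (FE, PE, S) scores are constructed sample values, the logarithm is assumed to be base 10, and the helper names are hypothetical.

```python
"""Added example: GALE risk indices and a one-at-a-time sensitivity analysis."""
import math

# Constructed sample scores (FE, PE, S), using the scales from the score tables.
STATUS_QUO = {
    "Late requirement changes": (5, 2, 1),        # applies to both systems
    "Key developer leaves": (2, 3, 2),            # applies to both systems
    "Defects found only by customer": (4, 2, 1),  # unique to the status quo
}
NEW_SYSTEM = {
    "Late requirement changes": (4, 2, 1),        # applies to both systems
    "Key developer leaves": (2, 3, 2),            # applies to both systems
    "New review step is skipped": (2, 2, 1),      # unique to the new system
}


def event_indices(events):
    """IE = FE + PE + S for every event."""
    return {name: fe + pe + s for name, (fe, pe, s) in events.items()}


def global_index(indices):
    """IGR = log10 of the sum over events of 10^IE (base 10 is an assumption)."""
    return math.log10(sum(10 ** i for i in indices.values()))


def sensitivity(indices, delta=1):
    """Change in IGR when a single event index is off by +delta, largest first."""
    base = global_index(indices)
    shifts = {}
    for name in indices:
        bumped = dict(indices)
        bumped[name] += delta
        shifts[name] = global_index(bumped) - base
    return sorted(shifts.items(), key=lambda kv: kv[1], reverse=True)


def gale_holds(status_quo, new_system):
    """GALE: the change must not raise the global risk index."""
    return (global_index(event_indices(new_system))
            <= global_index(event_indices(status_quo)))


def verdict_flippers(status_quo, new_system, delta=1):
    """New-system events whose index, if under-scored by delta, would break GALE."""
    limit = global_index(event_indices(status_quo))
    new_idx = event_indices(new_system)
    flips = []
    for name in new_idx:
        bumped = dict(new_idx)
        bumped[name] += delta
        if global_index(bumped) > limit:
            flips.append(name)
    return flips


if __name__ == "__main__":
    sq = event_indices(STATUS_QUO)
    new = event_indices(NEW_SYSTEM)
    print(f"IGR status quo = {global_index(sq):.3f}, new = {global_index(new):.3f}")
    print("GALE satisfied:", gale_holds(STATUS_QUO, NEW_SYSTEM))
    for name, shift in sensitivity(sq):
        print(f"  +1 on '{name}' moves IGR by {shift:+.3f}")
    for d in (1, 2):
        print(f"verdict flips if under-scored by {d}:",
              verdict_flippers(STATUS_QUO, NEW_SYSTEM, d))
```

Because the indices are summed as powers of ten, the event with the highest index dominates the global index, which is the Pareto effect described above.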


Important things to remember - 1

The most important things to remember:

• Risk assessment is by its nature subjective.

• Use group techniques and include all stakeholders

• Use simple techniques so that you do not exclude one or more stakeholders

• Anchoring it in experience and available data will, however, improve the quality

• Subjective values like “High” must be anchored in each company’s reality. One company’s “High” may be another company’s “Low”.


Important things to remember - 2

• Include the effect of choosing status quo in all risk analyses.

• Always include opportunities

• Consider the three barrier categories – prevention, handling and reduction

• Rank risks and opportunities according to their leverage

• The results from a risk assessment are just one of several inputs to a decision