Risk-Based Decision Making

 By Ed Perkins

Recent events have highlighted the importance of risk-based decision making. Modern systems are becoming more complex, and the economic, safety and other consequences of a system failure more serious. Ignoring risks because they are improbable and not worth analysis has proven to be highly risky in itself. Managing the risks of disruptive events is becoming a critical focus for business and society. Risk is coupled with reliability.

Why are disruptive events a concern? For example, the probability of a 100-year event occurring in any one year is 1 percent, but the probability that a 100-year event will occur twice in 100 years is 18.5 percent[1]. And the probability of the 100-year event occurring during any 100 years is 63 percent[2]. Thus, to say that the likelihood of a 100-year event can be ignored since it won't occur for 100 years is false.
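The binomial arithmetic behind footnotes [1] and [2], written out as an added example (not part of the original article) so the horizon and the per-year probability can be varied; the function names are my own, and the 100-year-event figures (p = 0.01, n = 100) are the ones the text uses.

```python
# Added example (not from the article): the binomial calculations of
# footnotes [1] and [2], generalized to any per-period probability p and
# horizon n. Function names are my own.
from math import comb


def prob_exactly(p: float, n: int, k: int) -> float:
    """Footnote [1]: probability that an event with per-period probability p
    occurs exactly k times in n independent periods, C(n,k) p^k (1-p)^(n-k)."""
    if not 0.0 <= p <= 1.0 or not 0 <= k <= n:
        raise ValueError("need 0 <= p <= 1 and 0 <= k <= n")
    return comb(n, k) * p**k * (1.0 - p) ** (n - k)


def prob_at_least_one(p: float, n: int) -> float:
    """Footnote [2]: probability the event occurs at least once in n periods."""
    return 1.0 - (1.0 - p) ** n


def prob_at_least(p: float, n: int, k: int) -> float:
    """Probability of k or more occurrences in n periods, as the complement of
    the outcomes with fewer than k occurrences; generalizes footnote [2]."""
    return 1.0 - sum(prob_exactly(p, n, i) for i in range(k))


def max_tolerable_annual_probability(n: int, target: float) -> float:
    """Invert footnote [2]: the largest per-period probability for which the
    chance of at least one occurrence over n periods stays at or below target.
    This is the decision-making use: how rare must an event be made (by
    mitigation) for a given planning horizon and tolerated cumulative risk."""
    if not 0.0 <= target < 1.0 or n < 1:
        raise ValueError("need 0 <= target < 1 and n >= 1")
    return 1.0 - (1.0 - target) ** (1.0 / n)


if __name__ == "__main__":
    p, n = 0.01, 100  # the "100-year event" used in the text
    print(f"P(exactly 2 in {n} years)  = {prob_exactly(p, n, 2):.3f}")     # 0.185
    print(f"P(at least 1 in {n} years) = {prob_at_least_one(p, n):.3f}")   # 0.634
    print(f"P(2 or more in {n} years)  = {prob_at_least(p, n, 2):.3f}")
    print(f"annual p for <= 50% chance over {n} years: "
          f"{max_tolerable_annual_probability(n, 0.5):.4f}")
```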

Why is risk a concern? When systems were simpler, there was less that could go wrong, and when something did, it was usually easy to determine the cause and take action. Consider the automobile. Cars used to have simple ignition systems, with a distributor driven from the engine; the accelerator was a mechanical linkage from the pedal to the carburetor, and the mixture was set by adjustment screws. If the car was not running right, or there was another problem, it was simple to assess and repair. To meet emissions and mileage requirements, today's ignition systems are computer controlled, with many sensors and actuators; the linkage from the gas pedal has been replaced with a computer, and the carburetor has been replaced by a fuel injection module. If something goes wrong, you read out a diagnostic code and try to determine which of the many components and interconnections is the cause.

The automotive example illustrates the need for a more formal approach to risk-based decision making and risk management. Recent events, such as the Gulf of Mexico oil spill, Toyota’s hybrid vehicle acceleration issue, and the Japanese earthquake and nuclear plant disaster, have highlighted the necessity of understanding the inherent risks in actions undertaken to achieve desired objectives and rewards. Said IEEE Spectrum's Bill Sweet in a recent energywise blog post on the Fukushima disaster: "Worst-case scenario builders consistently underestimate the statistical probability of separate bad things happening simultaneously, as the result of the same underlying causes." [3]

What do we mean by risk management? Risk management has several characteristics: it is preemptive, proactive, not reactive. In other words, risks are identified and assessed up front, and mitigation strategies developed, so that the likelihood of the risk is reduced and its consequence(s) minimized.

What do we mean by risk? There are a number of definitions[4], but the common theme is something — an event or condition — which, if it occurs, will have an effect (usually negative) on achieving desired objective(s). Risk is measured in terms of likelihood and consequence, and hence is related to probability.

What are the types of risk?

The three major risk types are:

  • Enterprise risk – Risk related to the operation of a business, execution strategy, systemic issues, material issues, etc.

  • Project risk – Risk related to the planning and delivery of a product or service and not being able to meet project ‘triple constraints’ — scope/quality, schedule, cost (including technology)

  • Process risk – Risk relating directly to the planning and delivery of a product or service and not being able to meet (1) stability, (2) capability and (3) improvement criteria, including the inability to achieve consistent outcomes.

What are Risk Standards?

To formalize the process of risk management, and to make it more objective and data-driven, risk standards have been developed and more are planned. These standards apply to specific sectors or domains (e.g., supply chain, information security, food safety). They have been developed by teams of subject matter experts, and they enumerate requirements and best practices for mitigating risk. The standards commonly cover: risk source identification, risk analysis (likelihood and consequence), risk evaluation and ranking, and risk control and mitigation. By identifying and analyzing risks, informed risk-based decisions can be made. Examples of risk standards include Risk Analysis and Management for Critical Asset Protection (RAMCAP), developed by the American Society of Mechanical Engineers Innovative Technologies Institute LLC (ASME ITI) for the U.S. Department of Homeland Security; this is a guidance document for risk analysis and risk management for critical infrastructure assets. Other standards that have been developed include NIST 800-39, “Managing Information Security Risk”; ISO 28000, “Specification for security management systems for the supply chain”; ISO/IEC 27001, “Information technology—Security techniques—Information security management systems—Requirements”; and ISO 31000, “Risk management—Principles and guidelines.” For the electrical power industry, risk management requirements are set forth in the NERC CIP Standards (North American Electric Reliability Corp. Critical Infrastructure Protection).

How are risk standards applied?

A simple example of the effective application of risk standards is electrical wiring [5]. At one point, parallel wires were run mounted on insulators (knob and tube). There was a risk of electrocution or fire, so the wires were coated with rubber and put into a cable. The rubber would become brittle, so eventually plastic (PVC) insulation for the wires and the outer cover was employed (e.g., Romex™). The risk of shock led to the inclusion of a ground wire. To promote public safety and reduce electrocution and fire risks, electrical codes were developed. A code specifies wire sizes, installation practices and circuit protection. The U.S. National Electrical Code (NEC), first published in 1897 by the National Fire Protection Association, is required by state and city building codes. Electrical wiring must be inspected for compliance with the code before a building can be occupied. The practices called out in the NEC, as developed by engineers, electricians, manufacturers, fire fighters and other interested parties, are designed to reduce risks.

How does risk factor into decision making?

There are two aspects of risk that must be considered when making a decision[6] — those that can be controlled, and those that cannot be controlled but which can materially affect the outcome of the decision or choice. The uncontrolled aspects are usually related to the decision environment. Added to this are the constraints that exist on both aspects. The uncontrolled aspects represent risks, and the constraints can include consequences. A further complication is the unexpected aspects (those that are unknown or are “ignored as not a factor” — hidden risks, such as concurrently occurring aspects). If the uncontrolled-aspect risks are not assessed, the quality of the resulting decision is inadequate (high risk). By performing a risk assessment, the resulting decision will be of much higher quality (low or acceptable risk). By adding the unexpected aspects (such as by brainstorming a “what is the worst that could happen” analysis), the risk can be reduced even further.

What are the benefits of risk management and risk-based decision making? Today’s business environment can be described as “VUCA” — volatility, uncertainty, complexity and ambiguity. Risk management permits organizations to manage under VUCA, enjoying a reduction in unpleasant product “surprises,” more satisfied customers, improved compliance with regulations, assurance (“sleep at night”) and enhanced decisions.

The 21 September IEEE-USA webinar, “Risk Management Standards and Decision-making,” will explore this subject in more detail.


[1] Probability of an event occurring Y times in n periods:

$$\Pr_{Y:n} = \frac{n!}{Y!\,(n-Y)!}\; P^{Y}\,(1-P)^{n-Y}$$

$$\Pr_{2:100} = \frac{100!}{2!\,98!}\,(0.01)^{2}(0.99)^{98} = \frac{99 \cdot 100}{2}\,(0.01)^{2}(0.99)^{98} = 0.185 = 18.5\%$$

[2] Probability of an event occurring during n periods:

$$P = 1-(1-\Pr)^{n}$$

$$P = 1-(0.99)^{100} = 1-0.366 = 0.634 = 63.4\%$$

[3] “Japan Nuclear Accident: Worse than Worst, Again”; http://spectrum.ieee.org/energywise/energy/nuclear/

[4] Risk definitions

[5] Electrical Wiring, see Wikipedia: http://en.wikipedia.org/wiki/Electrical_wiring.

[6] Russell Ackoff, “Ackoff’s Best: His Classic Writings on Management,” Wiley, NYC, 1999

IEEE-USA's six-part webinar series on risk management continues on 21 September with a presentation by Ed Perkins on "Risk Management Standards and Decision Making."

Speaker: Ed Perkins
When: 21 September 2011, 2:00-3:00 PM ET

About: This webinar will discuss risk management, provide an overview of some of the risk domains and the risk standards that have been or are being developed, and present options for attendees on how they can apply risk management and risk-based decision-making in their careers.

IEEE Members $19 for individual webinar; $89 for series
Non-Members $38 for individual webinar; $189 for series




Ed Perkins is IEEE's Region 6 director.

Comments may be submitted to todaysengineer@ieee.org.

Copyright © 2011 IEEE
