Assessment and Management of Risks
Assessment and Management of Risks
Risk is a situation involving exposure to danger. It implies that there is the possibility that something unpleasant is going to happen. The idea of risk embodies uncertainty about how the future is going to unfold in an increasingly complex, dynamic, and fast-changing environment. All technological developments have hazards associated with them. A hazard is an implied threat or danger of possible harm. It is a potential condition to become a loss.
Modern technological developments not only promise great hope for progress, but also bring to mind great fears of unknown threats. It is exactly this twofold nature of risks namely the potential threat and the opportunity linked to it which makes the technological innovations so challenging to manage. In fact, all the technological developments in the history of mankind had risks associated with them. Hence, it is necessary to look into the benefits accruing from these developments and the risks that go with the use of such technological advancements.
Risk is a measure of the probability and consequence of uncertain future events. It is the probability multiplied by the consequence. In industrial environment risk is the likelihood of an undesirable event happening multiplied by the severity of the event. The important aspect of an undesirable event is its exposure (frequency, duration, magnitude, pathway / route) and its adverse effects on people, environment, or other endpoints.
Eliminating risks completely is neither feasible nor desirable for at least three reasons namely (i) there is no absolute control as such for people in dealing with the future, (ii) the resources (mainly financial) available for prevention and precaution are always limited, and (iii) taking risks is at the heart of the innovation process and a necessary condition for the progress and the growth. The challenge of carefully and successfully steering the course of risks between opportunity and threat has brought risk assessment and management as ‘the single most important analytical tool’ for the organizational management in determining the core of the organizational policy for the organizational management in the present day environment.
Industrial plants such as iron and steel plants deal with the processes or materials, which are normally hazardous in nature by virtue of their operating temperatures or pressures or their intrinsic properties or a combination of these. Fire, explosion, toxic release or combinations of these are the hazards associated with the industrial plants using hazardous processes. Hence, management of these plants need comprehensive, systematic, and sophisticated methods of risk assessment and management. Successful management of industrial plants need development of procedures for hazard analysis and quantitative risk assessment for improving upon the integrity, and reliability of the industrial plants.
The primary objective of the risk assessment and management is always to reduce risk to human life, property, and environment. The quantitative risk analysis provides a relative measure of the likelihood and severity of various possible hazardous events by critically examining the plant processes including their design.
The necessary capacities for risk and crisis management are needed to be in place well before an acute incident occurs. Precautions against risks which affect the preparations for crisis management are normally frequently opposed by some people as a waste of valuable resources which are needed elsewhere in the organization. Commitment of the organizational management is needed for ensuring that such measures are given priority among many competing claims for time and other scarce resources.
The timely management of risk and crisis is determined by the organizational management. Wise management, who eventually deals successfully with a major crisis, makes early investments in risk assessment capacity and in tools to help minimize the consequences of the risks. Such a management deals with unavoidable crises with cost effective measures. The management makes investments in training of the employees in dealing with the risks when they materialize. It trains the employees not only in adequate prevention and preparedness measures but also in dealing with the acute phases of response and recovery. Although there is no guarantee that such capacities are sufficient against all contingencies, their absence surely reduces the capability of the organization to deal with the risks. Fig 1 shows fundamental steps of risk management.
Fig 1 Fundamental steps of risk management
Risks are indirect, unintended, uncertain, and are by definition located in the future, since they only materialise when they are manifested as real events. In other words, the essence of risk is not that it is happening, but that it can happen. Likewise, security under the condition of uncertainty does not ‘occur’. Rather it becomes ‘produceable’ through risk management. Risk management decisions in the security-policy field can respond to some uncertainties by applying appropriate safety margins which take variation into account. Uncertainties can also be addressed by including resilience to potential crises through contingency planning. However, the implementation of effective risk management needs a thorough understanding of the character and dynamics of the new risks and vulnerabilities. Effective counter-measures can be undertaken only if potentially hazardous developments are identified at an early stage. Confronted with such challenges, analysts and decision makers look for reliable conceptual and methodological approaches to risk assessment and management
Risk is an almost ever-present term. It has many terminological and conceptual implications, and it is used in very diverse organizational, disciplinary, or methodological settings. While normally no accepted approach exists, there are a few characteristics which are shared by all risk concepts. The first is uncertainty about how the future is going to develop. The historic turn from a circular to a linear perception of time has led to the insight that the future is not simply the repetition of the past and that the present reality is not the only reality. In fact, there is a difference between what is, what can be, and what is going to be. This insight gives rise to thinking in terms of probabilities, which is typical for risk issues. Hence, not coincidentally, the most common definition of the risk identifies risk as the product of the damage potential and the probability that an uncertain future event is going to occur.
An undetermined and non-linear development over time further implies that the future is subject to human agency and hence can be shaped by people. People are able (i) to actively steer the course for the organizational future, (ii) to make decisions, (iii) to shape the conditions of the environment in which they live, and (iv) to create the future they desire. Uncertainty about the future is thus strongly linked to the capacity for self-determined action, and people are able to establish causal links between actions and their possible outcomes. These outcomes are not fatalistically perceived as predetermined, but they can be influenced by either changing the initiating events or by reducing the resulting negative effects.
As a result, the present which is being experienced at any given point in time is only one of many possible futures people might have imagined in the past, and it is impossible to state with certainty what the situation is going to be in the coming period. Hence the risk is only a meaningful concept for those organizational managements who are future oriented and who actively wants to break away from the past. It necessitates a ‘goal-oriented system’ in which decisions are associated with certain goals, interests, and values, so that it is possible to establish criteria against which degrees of risk can be ‘measured’.
Risk assessment can be defined as a body of knowledge (methodology) which evaluates and derives a probability of an adverse effect of an agent (chemical, physical, or other), industrial process, technology, or natural process. Definition of an ‘adverse effect’ is a value judgement. It can be defined as danger to the people’s health, or it can be a failure of a plant process or equipment, or a severe plant accident, or a loss of invested money etc. Various terms associated with ‘risk’ are defined in ISO 31010. Some of the terms relating to the risk are described below.
Risk – It is a combination of the consequences of an event (hazard) and the associated likelihood / probability of its occurrence. It is the possibility of a hazardous event occurring which is going to have an impact on the achievement of the objectives. Risk is measured in terms of outcome (or impact) and likelihood of the event. Qualitatively, risk is considered proportional to the expected losses which can be caused by an event and to the probability of this event. Quantatively, it is the product of probability of hazardous event and the outcomes.
Hazard identification – It is the identification of the hazard (something potentially harmful) in the given context. It can be directly included in the risk assessment.
Risk assessment – It is the process of evaluating the risk resulting from a hazard. It is the overall process of risk identification, risk analysis, and risk evaluation.
Risk identification – It is the process of finding, recognizing, and describing risks.
Risk analysis – It is the process to comprehend the nature of risk and to determine the level of risk. It is a framework for decision making under uncertainty. Risk analysis methods and tools are important resources for articulating scientific knowledge to those who make decisions.
Risk evaluation – It is the process of comparing the results of risk analysis with risk criteria to determine whether the risk and / or its magnitude are acceptable or tolerable. Risk evaluation is used to make decisions about the significance of risks whether each specific risk is to be accepted or treated.
Risk criteria – These are the terms of reference against which the significance of a risk is evaluated. The risk criteria can include associated costs and benefits, statutory requirements, economic and environmental factors, and concerns of stakeholders etc.
Risk map – It is a map which portrays levels of risk across a geographical area. Such maps can focus on one risk only or include different types of risks. Risk maps generate a level of transparency which can help engage all interested stakeholders of the organization.
Risk pathway – A risk pathway is the framework on which to base the risk assessment. Risk pathways describe all stages in the process which lead to the outcome of interest.
Risk scenario – It is a representation of one single-risk or multi-risk situation leading to significant impacts. Selected for the purpose of assessing in more detail is normally a particular type of risk which it is representative, or constitutes an informative example or illustration.
Risk management – It is based on the results of the risk assessment and the preferences and the judgement of the management. It consists of taking decisions and formulating of the policies. It is the process of weighing policy alternatives in consultation with all the stakeholders considering risk assessment and other factors.
Risk communication – It is the information exchange between risk assessors, risk managers, and those affected by both the risk and the decisions taken before the final policy decisions are taken.
Risk assessment process is analytically based and constitutes (i) estimation of the overall likelihood of occurrence of an adverse event, and (ii) identification of the steps of the pathways having high risk of occurrence or high impact on overall risk estimate. It is worth doing monitoring, and if so, it is necessary to find where (on what steps / processes) to focus the efforts.
Risk assessment (i) provides the organizational management with a risk management instrument for disaster management and for the management and reduction of disaster risks, (ii) contributes to the development of knowledge-based disaster prevention policies at different levels of organization, (iii) helps in taking informed decisions on how to prioritise and allocate resources in prevention, preparedness, and reconstruction measures, and (iv) contributes to the increasing of employees’ awareness on disaster prevention measures. Fig 2 shows phases of risk assessment process.
Fig 2 Phases of risk assessment process
Risk assessment is the critical foundation for risk management and for building resilience. It is the important first step towards obtaining a shared vision of the wider risk landscape and to help determine which risks are to be accepted, mitigated and / or transferred. It is the reference guide for prioritizing where the resilience of the employees and the organization need to be reinforced.
Risk assessment is the process of assessing the probabilities and consequences of risk events if they are realized. The results of this assessment are then used to prioritize risks to establish a most-to-least-critical importance ranking. Ranking risks in terms of their criticality or importance provides insights to the organizational management on where resources are needed to manage or mitigate the realization of high probability / high outcome risk events.
In some recent cases of risk assessment, even vaguely defined terms such as ‘quality of life’ or ‘sense of community’ have been evaluated using risk analysis. Traditionally, most risk assessments (risk analysis applied in a particular situation) deal with health effects or, with the environmental health, or economic well-being (in case of business risk analysis). Although there are many types of risk assessment, some common elements are essential to qualify the process as risk assessment. These elements are (i) hazard (agent) identification, (ii) amount-response relationship (how is quantity, intensity, or concentration of a hazard is related to the adverse effect), (iii) exposure analysis (who is exposed, to what and how much, how long, and other exposures), and (iv) risk characterization (reviews all of the previous items and makes calculations based on data, with all the assumptions clearly stated. However frequent conclusions are that more data and / or improvement in methodology are needed, and that no numerical risk number can be derived to express accurately the magnitude of risk.
Deciding ‘what’ is an adverse effect (and to some extent hazard identification) is a value judgment which can be made by well-informed employees. The consideration of other components of risk assessment is a complex process, which in order to be properly conducted needs extensive training.
Risk assessment can help manage technology in a more rational way and promote sustainability of desirable conditions for the organization and eliminate conditions which are detrimental to the well-being of people and environment. However, in each particular case of risk assessment, the assumptions and uncertainties have to be clearly spelled out. All the models used in performing risk assessment have to indicate assumptions and uncertainties in conclusions.
Risk assessment can be a risky if done by untrained people. Because of its interdisciplinary nature and complexity, risk assessment needs an appropriate amount of time to evaluate all pertinent data, even when one deals with problems of lesser complexity. People are constantly performing risk assessment and risk management in everyday situations, such as observing traffic when planning to cross the street or when driving. However, in more complex situations where people can be exposed to serious hazards, or the possibility of a plant disaster, formal risk assessment is necessary in order to derive reasonable (and sometimes optimal) recommendations for the most appropriate risk management.
Risk assessment needs to be comprehensive, and needs a robust governance framework with agreed definitions and rules, to ensure consistent and reliable outcomes. It also needs to be simple and appropriate especially in those areas of the organization, where complete information and credible data sources are more difficult to get. Effective risk assessment is required to provide the incentive for development partners to align their efforts towards addressing high priority risks (those which have high probability and high likely impact on the things that employees and the organization value) whether they are caused by one off big events, or smaller, more regular occurrences. To do this, risk assessment outcomes need to be effectively communicated to key policy and programming decision makers, and to the employees who are at risk.
Low-frequency events with catastrophic outcomes are particularly challenging for the methodology and organization of risk management. Both the management and the employees are to be able to keep both eyes and minds open without falling into the mental trap of scanning the horizon for endless negative possibilities. Lack of good management, failure of imagination, and inadequate investment in training contribute to the occurrence of avoidable catastrophic events. An event which gets publicity as a sudden flash of lightning from the clear blue sky is frequently the result of a longer, but undetected process of transformation. A creeping crisis develops over time. A chain of small, but detectable anomalies or changes leads up to a fatal collapse or catastrophic event. An example is metal fatigue, which has caused numerous catastrophes in several industries.
Risks which arise on a macro-level in the sense are those which potentially affect entire organization, department, operational results, or people at large. These risks are particularly relevant in security policy, as they normally constitute major events with heavy consequences and transnational impacts. These risks can also be characterized as systemic risks since their potential impact challenges the integrity of entire systems such as economical, organizational, technological, or environmental. Such systemic risks are defined by ‘extreme uncertainty and a potential for extensive and perhaps irreversible harm’. They can arise from changes in the socio-economic or socio-political environments of the organization, and the systems can be damaged by single catastrophic events or the cascading effect of a complex chain of events.
The use of risk analysis methodology facilitates consistent and orderly decision making. Risk analysis has been defined as ‘a process consisting of three components namely (i) risk assessment, (ii) risk management, and (ii) risk communication. Risk assessment is a scientifically based process consisting of the steps namely (i) hazard identification, (ii) hazard characterization, (iii) exposure assessment, and, (iv) risk characterization. Risk management is the process (distinct from risk assessment) of weighing policy alternatives, in consultation with all interested parties, considering risk assessment and other factors relevant for the organization, and, if needed, selecting appropriate prevention and control options. Risk communication is the interactive exchange of information and opinions throughout the risk analysis process concerning risk, risk-related factors and risk perceptions, among risk assessors, risk managers, and other interested parties. Risk communication includes the explanation of risk assessment findings and the basis of risk management decisions.
The risk analysis paradigm is a formal representation of the risk analysis process in which it is made clear that there is both functional separation of the three components and at the same time a requirement for communication and interaction between those with responsibility for each of the three components. Within risk analysis, a functional separation between risk assessors and risk managers is necessary to ensure scientific objectivity of the risk assessment process. Fig 3 shows components of risk analysis.
Fig 3 Components of risk analysis
There are two approaches to risk assessment. These are (i) qualitative approach, and (ii) quantitative approach. In the qualitative approach, the evaluated risk is described in words. The estimate of risk is ranked or separated into descriptive categories. In the quantitative approach, the evaluated risk is estimated numerically and the numerical expressions of risk are provided. Qualitative approach is used (i) when numerical data is not available, and (ii) when risks perceived do not justify time and effort needed with the quantitative approach.
Qualitative risk assessment identifies all hazards. It is carried out selecting a large set of scenarios. During the assessment the expected frequency (likelihood) of all the scenarios and the consequences of all these scenarios are determined. All these results are combined to calculate the risk around the plant. This risk is put on the map and is compared with the acceptance criteria. The advantages of the qualitative risk assessment are (i) assessment is (relatively) easy and fast, (ii) decision process is simple, and (iii) results are easy to communicate. The disadvantages of the qualitative risk assessment are (i) selection of scenarios and assessment of ‘improbable risks’ is frequently tacit or implicit, (ii) can give a wrong impression of precision and safety, (iii) use of ‘worst case’ scenarios leads to conservative results, and (iv) tendency to ‘forget’ less severe scenarios in risk control and risk management.
Quantitative risk assessment is a probability based assessment and it also identifies all the hazards. It selects a small set of scenarios with the largest consequences. It obtains some ‘feel’ for the likelihood of these scenarios. During the assessment, the consequences of these scenarios are determined and drawn on a map. Quantitative risk assessment is a probability assessment of the scenarios. The loss of containment events (each of them happening with certain likelihood) are developed into event trees (scenarios). Event trees identify the conditional probability of important conditions. For each scenario, consequences are quantified (e.g. fatality rate foot print of a toxic cloud, i.e. probability of fatality at a position (x, y) for that scenario) and for every point on the map (x, y), sum of the contribution of all the scenarios indicates the risk at that point.
The advantages of the quantitative risk assessment are (i) complete analysis, opportunity for setting priorities, and focus on most ‘risky’ items, (ii) transparent, both the probabilities and consequences are included explicitly, (iii) results can be compared with criteria for risk acceptance, (iv) results for different types of facilities can easily be compared, and (v) not dominated by a single risk scenario and not sensitive for selection of scenarios. The disadvantages of the quantitative risk assessment are (i) the ‘probabilistic’ element in the result is hard to communicate, (ii) result suggests large accuracy, but it includes large uncertainty, (iii) the presence of acceptance criteria (hard decision) is necessary before hand, and (iv) expensive and cumbersome analysis which needs expert knowledge .
Process of risk assessment
The two requirements for risk assessment are (i) clear definition of terms, and (ii) transparency. The clear definition of terms includes (i) risk question, (ii) hazard identification, and (iii) qualitative risk assessment consisting of risk categories and combination matrix. Transparency means that the risk assessment is to be clearly set out, transparent and fully referenced in the resulting report.
The main steps of a risk assessment are (i) framing the risk question, (ii) identification of the hazard(s), (iii) outlining of the risk pathways, (iv) identification of the data needs, (v) collection of the data, and (v) assessment of the risk.
If the risk question is not specific enough, it can be interpreted in different ways. Hence, during the framing of the risk question, it is necessary that the risk to be assessed is clearly defined. The points to consider during the framing of the risk question include (i) the specific hazard of concern, (ii) the vector / vehicle of the hazard of concern, (iii) the specific risk which is required to be assessed, and (iv) the particular time frame in which the risk is to be assessed.
During the step of the Identification of the hazard(s), it can be possible that the hazard is explicit in risk question. Otherwise full hazard identification is needed to be undertaken.
During the outlining the risk pathways, all the steps needed for the risk to occur are listed and the release, exposure and consequence are differentiated. Estimation of the overall likelihood of occurrence of the adverse event is to be considered. Identification of the steps of the pathways having high risk of occurrence or high impact on overall risk estimate is to be carried out. It is worth doing surveillance, and if so, where (on what steps / processes) to focus efforts. It is important to report the underlying assumptions.
During the identification of data needs, it is necessary that the data needed to assess the likelihood of occurrence of each step of the pathway is identified.
The data collection is to be carried out through a number of sources such as literature, experimentation, records, and expert opinion etc. The data is to be valid and most up-to-date. Estimates of prevalence from surveillance systems and expert opinion are to be considered. Best available data is to be used. The data is to be fully referenced for the transparency. For qualitative approach, no new data is normally collected except gaps in knowledge / data are identified and made up.
Once the relevant information for the different steps is collected, the overall risk is assessed in terms of the probability of occurrence of the unwanted outcome. In case of qualitative risk assessments, a logical overall conclusion is reached based on the probability of occurrence of each of the individual steps. The final risk estimate is expressed in words. In case of quantitative risk assessments, an overall probability of the unwanted outcome is given in mathematical terms.
In the case of the qualitative risk assessment, the available information is reviewed and the risk is estimated for risk for each step. After this, the risk estimates are combined using pre-defined combination matrix and the overall probability of occurrence of the risk of interest and of unwanted consequences are deducted. The plus /minus decides whether this risk is acceptable or not. Low or negligible risk does not imply acceptable risk (e.g. when severe consequences for people).