Jostein Lillestøl, NHH: 2012/2016

RISK MANAGEMENT AND SAFETY - An introduction

“Risk”

To laugh, is to risk playing the fool
To weep, is to risk appearing sentimental
To reach out for another, is to risk involvement
To expose feelings, is to risk exposing our true selves
To put your ideas, your dreams, before the crowd is to risk loss
To love, is to risk not being loved in return
To live, is to risk dying
To hope, is to risk despair
To try at all, is to risk failure
But risk must be taken
Because the greatest hazard in life is to risk nothing
The person who risks nothing, does nothing, has nothing, is nothing
They may avoid suffering and sorrow, but they simply cannot learn, change, feel, grow, love, live.
Chained by their attitudes they are slaves
Only the person who risks is free!

(Hugh Prather)
Contents

1 Concepts, framework and overview
  What is risk management?
  Some risk terminology
  Uncertainty and probability: Choice of paradigm
  Human hazards: Some principles
  Ethics and risk assessment
  Health, Environment and Safety (HES) at the workplace
  Some risk statistics
  Accident investigations
  Risk control in municipalities
  Societal security
  Risk and the public – perception and communication

2 Approaches and tools for risk management
  The risk management process
  Risk assessment: Methods and tools
  Risk description and modelling
  Risk treatment
  Strategies for risk management
  Non-monetary risks and economics
  Expert group assessment
  Environmental risk strategies
  Probability and risk literacy

3 Special analytic topics
  Classes of useful distributions
  Sampling inspection
  Statistical process control
  Active monitoring of accident data
  Explaining adverse events: Categorical regression
  Extreme value analysis
  Survival models and processes
  Risk simulation
  Statistics and the scientific process
  Causality and risk
  Bayesian belief methods

4 Cases

Literature
1 Concepts, framework and overview

This chapter tries to explain what risk management is all about, providing framework and concepts.

1.1 What is risk management?

Risk management in some sense is part of most human activities, often more or less unconscious and without giving it a name. For those who say they are doing risk management in their job, there may be huge differences between them, both conceptually and in the task they face and the methods they use. This depends largely on the actual type of business and the context within the business. There may also be differences as to what degree risk management is vital, encompassing and systematic, and whether the activity is there to fulfil some regulatory requirement.

Risk and opportunity go hand in hand, and most often an individual, an enterprise or a nation cannot achieve anything without taking some risks: "Risk in itself is not bad; risk is essential to progress, and failure is sometimes a key part of learning. But we must learn to balance the possible negative consequences of risk against the potential benefits of its associated opportunity" (Van Scoy, 1992).

Two historically important contexts for risk management are:

- Project/industrial risk management.
- Business/finance risk management.

Risk management requires risk analysis. Within each context there are theories and methods for risk analysis, with different origins and developed largely separately by engineers and economists. Concepts, ideas and methods from probability and statistics have to some extent contributed to both areas. There is a lot of common ground in the developments, and in later years we see more tendencies to learn from each other. While earlier theories and methods focused mainly on the negative side of risk, the emphasis is now more on the balance between risk and opportunity.

We may also find risk analysis in other specific contexts, for instance in insurance when judging and pricing different types of contracts, and in medicine when choosing between treatment methods (survival, side effects etc.). These are fields requiring good analytical expertise, offered by actuaries and biostatisticians respectively. They also share some ground with common risk management theories. Again probability calculus and (mathematical) statistics may be put to use. Other fields of potential application are on the national level in services like transport, utilities and public services. On the international level, we have the handling of emissions and other environmental risks. Typical questions asked, in general, are:

– What are the risks (and opportunities)?
– Is it possible to manage the uncovered risks?
– How to describe and communicate these risks?
– How to describe the uncertainties?
– How to weigh the uncertainties?
– How to determine acceptable risk?
A good balanced introduction to risk management in the industrial context, with some side views to business and finance, is given by Aven (2002) and Aven & Vinnem (2007).¹

The risks facing a business enterprise may be of many kinds, among them:

- Strategic risk, financial risk, market risk, operational risk, business continuity and recovery risk, product risk, technical risk, marketing risk, project risk, human safety risk, legal and contract risk, loss of reputation risk, fraud risk, IT risk, counter-spy risk, terrorism risk.

Of course, most risks studied from the operational viewpoint, as is done in an industrial/project setting, may affect the bottom line. Some have traditionally been handled by others than business managers, even if they are key issues in business decisions. They may range from the risk of projects not being finished in time to pollution risks. Until recently, business managers may have thought of risk management as merely a monetary matter. However, management has to weigh non-monetary issues against economics, and it also has the responsibility to create an environment where this is likely to happen. For people trained in economics, facing other risks than the ones they have learned to state in monetary terms, the questions to be asked may be:

– Do our models take non-monetary risks into account?
– Is it possible to bring such risks into focus, and deal with them rationally?
– How should we balance these risks and economy?
– Can tools like cost-benefit analysis, utility theory and multi-criteria decision theory help?

To be successful, risk management needs to be handled like any other management process and be given its place in the strategy of the company, with the full attention of top management. Key operational indicators (metrics) should be used to track and improve performance by managing the aspects of risk that affect employees, associates, customers and shareholders. In recent years the term enterprise risk management (ERM) has emerged, and many organizations have incorporated ERM into a new governance paradigm, in which risk exposure is better understood and managed. They may even have a chief risk officer (CRO) responsible for the whole ERM process of the company, having separate processes for each risk category. Broad categories common to many are: Market risk, operational risk and financial risk.

Risk management has also come to the forefront in the public sector, e.g. in health care and in transportation. Municipalities, counties and national authorities make regulations involving risk, approve and control risk activities and act when serious adverse events to individuals or the public occur. Some of the risk types listed above for private enterprises are also relevant in the public sector, but here more emphasis is on health, environment and safety, and societal risks.

We cannot deal with all of this in these lectures, but will limit ourselves to

- Risk management and safety in general: Concepts, framework and overview (Part 1)
- Approaches and tools for risk management (Part 2)
- Special topics and cases from specific areas (Part 3 and 4)

¹ Aven: Foundations of Risk Analysis, Wiley 2002.
Aven & Vinnem: Risk management with Applications from the Offshore Petroleum Industry, Springer 2007.
1.2 Some risk terminology

Risk

Different fields may have adopted different definitions. This one captures fairly well what we have in mind in general:

Definition: The risk of an activity is the combination of possible consequences and associated uncertainties, i.e.

Risk = (C, U)

where C = Consequences of the activity, U = Uncertainties about C.

This definition is not limited to negative consequences, but encompasses potential creation of value by risk taking. Risk management is then to balance between creating value and preventing setbacks.

Remarks. Be aware that there may be differences in the choice of words. Some use Outcome instead of Consequences. However, this may give the impression of just the final result, while all that happens in the chain leading to this is left out. Some use Exposure instead, since you may be exposed to a risk without knowing it, and maybe never get to know that you have been.

A possible definition that widens the scope further is:

Risk = (B, U) + (C|B, U)

where B = Possible incidence or initiating events, U = Uncertainty and C|B = Possible consequences, given initiating events. Here we may name the second sum-term Vulnerability, in particular when we have mostly negative consequences in mind.

There is a difference between how engineers and economists have used the notion risk in the past. Engineers have typically imagined risk as consequence multiplied by probability, i.e. related to expected value, while economists typically imagine risk as the departure from expected value. Note also that economists, in some contexts, have used the notion risk in situations where probabilities are known (or estimated) and uncertainty when probabilities (“state of the world”) are unknown, in order to distinguish the two situations. These notions of risk are too limited to provide a common useful framework for enterprise risk management. How to quantify and interpret risk and uncertainty is a question of choice of a useful paradigm, and we will return to that in the next section.

Risk management

A possible definition of risk management is:

- The systematic application of managerial policies, procedures and practices to the task of analysing, evaluating, controlling and communicating about risk issues.
Here is a formulation of a nationally preferred strategy and approach to risk issues, the Smart regulation - A regulatory strategy for Canada (2004):

“Risk management is a systematic approach to set the best course of action under uncertainty by identifying, understanding, assessing, prioritizing, acting on and communication about potential threats, whether they affect the public’s social, financial or economic well-being, health and safety or the environment”.

Risk management is, like most management processes, characterized by steps like:

1. Describe the situation (formulate the problem)
2. Determine goals
3. Seek (alternative) solutions
4. Analysis and judgement of consequences
5. Choice of solution
6. Realization
7. Evaluation

ISO terminology

The terminology used in risk contexts has differed considerably among fields and professions, and has often led to misunderstanding (and added risk). In order to avoid this, the International Standards Organization (ISO) has provided a guide on terminology: ISO Guide 73: 2009 Risk management – Vocabulary (an update of the 2002 version). Here about 40 terms related to risk are defined. This is helpful to prevent confusion among the many stakeholders affected by risk. The terms are the basis for the development of a general risk management standard, as well as being input to standards for specific areas, under way or under revision.

The general ISO risk management standard named “ISO 31000: 2009 Risk management – Principles and guidelines” existed as first draft in 2005 and was planned to be voted on and finalized by 2009. The three main sections of the standard are: