Risk assessment

Risk assessment is a common first step in a risk management process. Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat. "Quantitative risk assessment" requires calculations of two components of

Explanation

weaselDefined as a formalized basis for the objective evaluation of risk in a manner in which assumptions and uncertainties are clearly considered and presented.Risk assessment is an important, yet difficult, step in the risk management process. Once risks have been identified and assessed, the steps to properly deal with these risks are more formulaic.Part of the difficulty of risk management is that measurement of both of the quantities in which risk assessment is concerned- potential loss and probability of occurrence- can be very difficult to measure. The chance of error in the measurement of these two concepts is large. A risk with a large potential loss and a low probability of occurring is often treated differently from one with a low potential loss and a high likelihood of occurring. In theory, both are of nearly equal priority in dealing with first, but in practice it can be very difficult to manage when faced with the scarcity of resources, especially time, in which to conduct the risk management process. Expressed mathematically,
$R\_i=L\_i\; p(L\_i),!$$R\_\{total\}=sum\_i\; L\_i\; p(L\_i),!$
Financial decisions, such as insurance, express loss in terms of dollar amounts. When risk assessment is used for public health or environmental decisions, loss can be quantified in a common metric,such as a country's currency, or some numerical measure of a location's quality of life. For public health and environmental decisions, loss is simply a verbal description of the outcome, such as increased cancer incidence or incidence of birth defects. In that case, the "risk" is expressed as:
$R\_i=\; p(L\_i),!$
If the risk estimate takes into account information on the number of individuals exposed, it is termed a "population risk" and is in units of expected increased cases per a time period. If the risk estimate does not take into account the number of individuals exposed, it is termed an "individual risk" and is in units of incidence rate per a time period. Population risks are of more use for cost/benefit analysis; individual risks are of more use for evaluating whether risks to individuals are "acceptable".

Risk assessment in public health

In the context of public health, risk assessment is the process of quantifying the probability of a harmful effect to individuals or populations from certain human activities. In most countries, the use of specific chemicals, or the operations of specific facilities (e.g. power plants, manufacturing plants) is not allowed unless it can be shown that they do not increase the risk of death or illness above a specific threshold. For example, the American Food and Drug Administration (FDA) regulates food safety through risk assessment. [Merrill, Richard A. "Food Safety Regulation: Reforming the Delaney Clause" in "Annual Review of Public Health", 1997, 18:313-40. This source includes a useful historical survey of prior food safety regulation.] The FDA required in 1973 that cancer-causing compounds must not be present in meat at concentrations that would cause a cancer risk greater than 1 in a million lifetimes.

How the risk is determined

In the estimation of the risks, three or more steps are involved, requiring the inputs of different disciplines. The first step, "Hazard Identification", aims to determine the qualitative nature of the potential adverse consequences of the contaminant (chemical, radiation, noise, etc.) and the strength of the evidence it can have that effect. This is done, for chemical hazards, by drawing from the results of the sciences of toxicology and epidemiology. For other kinds of hazard, engineering or other disciplines are involved. The second step for chemical risk assessment, "Dose-Response Analysis", is determining the relationship between dose and the probability or the incidence of effect (dose-response assessment). The complexity of this step in many contexts derives mainly from the need to extrapolate results from experimental animals (e.g. mouse, rat) to humans, and/or from high to lower doses. In addition, the differences between individuals due to genetics or other factors mean that the hazard may be higher for particular groups, called susceptible populations. An alternative to dose-response estimation is to determine an effect unlikely to yield observable effects. In developing such a dose, to account for the largely unknown effects of animal to human extrapolations, increased variability in humans, or missing data, a prudent approach is often adopted by including safety factors in the estimate of the "safe" dose, typically a factor of 10 for each unknown step.The third step, "Exposure Quantification", aims to determine the amount of a contaminant (dose) that individuals and populations will receive. This is done by examining the results of the discipline of exposure assessment. As different location, lifestyles and other factors likely influence the amount of contaminant that is received, a range or distribution of possible values is generated in this step. Particular care is taken to determine the exposure of the susceptible population(s).Finally, the results of the three steps above are then combined to produce an estimate of risk. Because of the different susceptibilities and exposures, this risk will vary within a population. The decisions based on the application of risk assessment are sometimes based on a standard of protecting those most at risk. This problem raises the question of how small a segment of a population must be protected. What if a risk is very low for everyone but 0.1% of the population? A difference exists whether this 0.1% is represented by *all infants younger than "X" days or *recreational users of a particular product. If the risk is higher for a particular sub-population because of abnormal exposure rather than susceptibility, there is a potential to consider strategies to further reduce the exposure of that subgroup. If an identifiable sub-population is more susceptible due to inherent genetic or other factors, there is a policy choice whether to set policies for protecting the general population that are protective of such groups (as is currently done for children when data exists, or is done under the Clean Air Act for populations such as asthmatics) or whether if the group is too small, or the costs to high. Sometimes, a suitable position is to at least limit the risk of the more susceptible to some risk level above which it seems too inequitable to leave them out of the risk

Acceptable risk increase

The idea of not increasing lifetime risk by more than one in a million has become common place in public health discourse and policy. How consensus settled on this particular figure is unclear. In some respects, this figure has the characteristics of a mythical number. In another sense, the figure provides a numerical basis for what to consider a negligible increase in risk. In part, the one in a million benchmark arose early in public health risk assessment history when risk assessment was a tempering analysis to existing statutory language such as the Delaney Clause prohibition on any use of introduced carcinogens or where environmental statutes were using a "best technology" decision rule. Some current environmental decision making allows some discretion to deem individual risks potentially "acceptable" if below one in ten thousand increased lifetime risk. Low risk criteria such as these do provide some protection for the case that individuals may be exposed to multiple chemicals (whether pollutants or food additives, or other chemicals). But both of these benchmarks are clearly small relative to the typical one in four lifetime risk of death by cancer (due to all causes combined) in developed countries. Individuals may be tempted to advocate the adoption of a zero-risk policy. After all the 1 in a million policy would still cause the death of hundreds or thousands, of people in a large enough population. In practice however, a true zero-risk is possible only with the suppression of the risk-causing activity. More stringent requirements, or even the 1 in a million one, may not be technologically feasible at a given time, or so expensive as to render the risk-causing activity unsustainable. In the interest of public health, the risks vs. benefits of the possible alternatives must be carefully considered. For example, it might well be that the emissions from hospital incinerators result in a certain number of deaths per year. However, this risk must be balanced against the available alternatives. In some unusual cases, there are significant public health risks, as well as economic costs, associated with all options. For example, there are risks associated with no incineration (with the potential risk for spread of infectious diseases) or even no hospitals. But, often further investigation identifies further options, such as separating noninfectious from infectious wastes, or air pollution controls on a medical incinerator, that provide a broad range of options of acceptable risk - though with varying practical implications and varying economic costs. Intelligent thought about a reasonably full set of options is essential. Thus, it is not unusual for there to be an iterative process between analysis, consideration of options, and then further analysis.

Risk assessment in auditing

In auditing, risk assessment is a very crucial stage before accepting an audit engagement. According to ISA315 "Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement", "the auditor should perform risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control." [AICPA Statement on Auditing Standards No. 109 [http://www.aicpa.org/download/members/div/auditstd/SAS109.PDF] ] The main purpose of risk assessment procedures is to help the auditor understand the audit client. Aspects like client's business nature, management structure and internal control system are good examples. The procedures will provide audit evidence relating to the auditor’s risk assessment of a material misstatement in the client’s financial statements. Then, auditor obtains initial evidence regarding the classes of transactions at the client and the operating effectiveness of the client’s internal controls.In auditing, audit risk includes inherent risk, control risk and detection risk.

Risk assessment in information security

There are two methods of risk assessment in information security field, qualitative and quantitative.cite book | title=Official (ISC)2 Guide to CISSP CBK | publisher=Auerbach Publications | year=2007 | pages=1065 | location=Risk Management] Purely quantitative risk assessment is a mathematical calculation based on security metrics on the asset (system or application). Qualitative risk assessment is performed when the organization requires a risk assessment be performed in a relatively short time or to meet a small budget, a significant quantity of relevant data is not available, or the persons performing the assessment don't have the sophisticated mathematical, financial, and risk assessment expertise required. Quantitative risk assessment can be performed in a shorter period of time and with less data. Quantitative risk assessments are typically performed through interviews of a sample of personnel from all relevant groups within an organization charged with the security of the asset being assessed. Quantitative risk assessments are descriptive versus measurable.

Quantitative risk assessment

Quantitative risk assessments include a calculation of the single loss expectancy (SLE) of an asset. The single loss expectancy can be defined as the loss of value to asset based on a single security incident. The team then calculates the annualized rate of occurrence (ARO) of the threat to the asset. The ARO is an estimate based on the data of how often a threat would be successful in exploiting a vulnerability. From this information, the annualized loss expectancy (ALE) can be calculated. The annualized loss expectancy is a calculation of the single loss expectancy multiplied the annual rate of occurrence, or how much an organization could estimate to lose from an asset based on the risks, threats, and vulnerabilities. It then becomes possible from a financial perspective to justify expenditures to implement countermeasures to protect the asset.

Criticisms of quantitative risk assessment

Barry Commoner and other critics have expressed concerns that risk assessment tends to be overly quantitative and reductive. For example, they argue that risk assessments ignore qualitative differences among risks. Some charge that assessments may drop out important non-quantifiable or inaccessible information, such as variations among the classes of people exposed to hazards. O'Brien further claims that quantitative approaches divert attention from precautionary or preventative measures. [Commoner, Barry. O'Brien, Mary. Shrader-Frechette and Westra 1997.] Others, like Nassim Nicholas Taleb consider risk managers little more than "blind users" of statistical tools and methods. [THE FOURTH QUADRANT: A MAP OF THE LIMITS OF STATISTICS [9.15.08] Nassim Nicholas Taleb An Edge Original Essay]

ee also

* Benefit risk
* Cost risk
* Flood risk assessment
* Health Impact Assessment
* Information assurance
* List of auditing topics
* Megaprojects and risk
* Optimism bias
* Reference class forecasting
* Risk management
* Strategic misrepresentation

External links

* [http://www.epa.gov/risk/ EPA's Risk Assessment Portal] - with links to guidance documents, applicable laws, and US EPA Risk Assessments* [http://www.vega.org.uk/video/programme/5 'Realities of Risk'] Freeview video by the Vega Science Trust and the BBC/OU
* [http://www.riskanalytica.com/Solutions/LifeAtRisk.aspx 'Population-based Management of Disease'] Example of risk management in health care
* [http://hwi.osha.europa.eu/ra_tools_generic/ 'HWI RAT'] Risk Assessment Tools for different sectors. European Agency for Safety and Health at Work (OSHA).
* [http://gunston.gmu.edu/healthscience/730/default.asp Decision Analysis in Health Care] Online course from George Mason University providing lectures and tools for risk assessment in health care scenarios.
* Graham, John. "Improving chemical risk assessment" in Regulation: The Cato Review of Business & Government [http://www.cato.org/pubs/regulation/reg14n4-graham.html]
* [http://www.sei.cmu.edu/publications/documents/08.reports/08tr005.html Mission Diagnostic Protocol, Version 1.0: A Risk-Based Approach for Assessing the Potential for Success] is a technical report that defines a new management approach for assessing risk in complex settings. Published March 2008, Software Engineering Institute.

References

Footnotes

General references

* Anderson, K. " [http://www.aracnet.com/~kea/Papers/threat_white_paper.pdf Intelligence-Based Threat Assessments for Information Networks and Infrastructures: A White Paper] ", 2005.
* Barry Commoner. “Comparing apples to oranges: Risk of cost/benefit analysis” from "Contemporary moral controversies in technology", A. P. Iannone, ed., pp. 64-65.
* [http://flyvbjerg.plan.aau.dk/Publications2006/Nobel-PMJ2006.pdf Flyvbjerg, Bent, "From Nobel Prize to Project Management: Getting Risks Right." "Project Management Journal", vol. 37, no. 3, August 2006, pp. 5-15.]
* Harremoës, Poul, ed. "Late lessons from early warnings: the precautionary principle 1896–2000".
* Mary O’Brien. "Making better environmental decisions: an alternative to risk assessment".
* Deborah G. Mayo. “Sociological versus metascientific views of technological risk assessment” in Shrader-Frechette and Westra.
* Shrader-Frechette, Kristin and Laura Westra. "Technology and values".
* Hallenbeck, William H. "Quantitative risk assessment for environmental and occupational health." Chelsea, Mich.: Lewis Publishers, 1986
* Lerche, I. (Ian) Environmental risk assessment : quantitative measures, anthropogenic influences, human impact. Berlin: Springer, 2006.
* "A Review of risk assessment methodologies" by the Congressional Research Service, Library of Congress for the Subcommittee on Science, Research, and Technology. Washington: U.S. GPO, 1983.
* John M. Lachin. "Biostatistical methods: the assessment of relative risks".
* "Science and judgment in risk assessment." Committee on Risk Assessment of Hazardous Air Pollutants, Board on Environmental Studies and Toxicology, Commission on Life Sciences, National Research Council. Washington, D.C.: National Academy Press, 1994.