Risk Defined
What is Risk Assessment and Management?
Risk and uncertainty are fundamental elements of human life,
affecting every aspect of society and world events. They must be managed
effectively to protect people from injury and to allow society to
develop and progress. Today, risk and uncertainty are frequently
magnified in large-scale technological systems. Nations that
successfully address such problems in future product designs, resource
availability, natural forces, market changes, and in
man/machine/software systems will dominate the technological world.
Risk is often defined as a measure of the probability and
severity of adverse effects [Lowrance 1976]. An ever-increasing number
of professionals and managers in industry, government, and academia are
devoting a larger portion of their time and resources to the task of
improving their understanding of risk-based decisionmaking and their
approach to decisionmaking under uncertainty.
Risk management is commonly distinguished from risk assessment, even
though some may use the term risk management to connote the entire
process of risk assessment and management. In risk assessment,
the analyst often attempts to answer the following triplet of
questions [Kaplan and Garrick 1981]:
What can go wrong? What is the likelihood that it would go wrong? And,
what are the consequences? Answers to these questions help risk analysts
identify, measure, quantify, and evaluate risks and their consequences
and impacts.
Risk management builds on the risk assessment process by
seeking answers to a second set of three questions
[Haimes 1991]:
What can be done and what options are available? What are the associated
tradeoffs in terms of all costs, benefits, and risks? And what are the
impacts of current management decisions on future options? To be
effective and meaningful, risk management must be an integral part of
the overall management of a system. This is particularly important in
the management of technological systems, where the failure of the system
can be caused by the failure of the hardware, the software, the
organization, or the human element.
Vulnerability, Threat, and Risk
Definitions of risk are often misleading, particularly when risk is
defined as the "multiplication" of threat and vulnerability. The
following definitions [Haimes 2004, 2006] offer a better
representation of vulnerability, threat, and risk, one that makes
use of the building blocks of mathematical models: state variables.
- Vulnerability is the manifestation of the inherent states
of the system (e.g., physical, technical, organizational, cultural)
that can be exploited to adversely affect (cause harm or damage to)
that system.
- Intent is the desire or motivation to attack a target and
cause adverse effects.
- Capability is the ability and capacity to attack a target
and cause adverse effects.
- Threat is the intent and capability to
adversely affect (cause harm or damage to) the system by adversely
changing its states.
- Risk is the result of a threat with adverse effects
to a vulnerable system.
Thus, it is clear that modeling risk as the probability and severity
of adverse effects requires knowledge of the vulnerabilities of the
infrastructure system and of the threats (intents and capabilities) to it.
Vulnerability is multifaceted and can be represented only through
multiple metrics.
If we accept the premise that a system’s vulnerability is a
manifestation of the inherent states of that system, and that each state
is dynamic and changes in response to the inputs and other building
blocks, then two conclusions must ensue [Haimes 2006]:
- The vulnerability of a system is multidimensional, a vector of
state variables describing many facets of the system.
Furthermore, each one of these state variables is not static in its
operations and functionality—its levels of functionality change and
evolve continuously.
- There are two major considerations for the efficacy of risk
management. One is the ability to control the states of the system.
The second is to reduce the effectiveness of the threat by other
actions that may or may not necessarily change the vulnerability of
the system (i.e., do not necessarily change its state variables).