If you know for sure that things will go wrong, there really is no risk. If you don’t know for sure that things will go wrong, then there is a risk. That’s the basic assumption in a paper I just read, titled Identification of safety and security critical systems and activities and written by Terje Aven in 2009. It may sound like a bold statement, but technically speaking, it is a true statement. It is only when the consequences of actions and events are uncertain that these actions and events are truly risky. Agree?
Terje Aven
I have said it time and again, and followers of this blog will know that I am a qualitative, not a quantitative researcher, and I have always looked at risk and vulnerability from a qualitative perspective, which is why I like Kaplan’s definition of risk better than any other. That is why I have never paid much attention to Terje Aven, a professor from the University of Stavanger, Norway, who I first met some 15 years ago and who I have always regarded as a quantitative researcher. He is a frequent author and co-author of articles in the Reliability Engineering and System Safety, a journal I only look into now and then, and there’s hardly an issue without Aven in it. His most recent contribution, Identification of safety and security critical systems and activities, has made me question my discarding of the quantitative risk and vulnerability perspective.
Risk – traditionally defined
Traditonally, risk is defined as a function of probability and consequences, where the the probability of and event occurring is linked to the expected consequences if the event occurs (as predicted). This way of thinking only considers a certain set of events; it does not consider the full spectre of possible outcomes. This means that the actual consequences may be very different from the calculated expected consequences.
Hence by focusing on the expected consequences given a failure mode, a strong element of arbitrariness in the classification scheme is introduced. This arbitrariness is due to the variation in possible outcomes integrated into the expected value, as well as the difficulty of assigning probabilities producing accurate predictions.
Another approach might be to replace expected consequence with expected loss:
Expected loss = E[C], given by p E [C|A], where C are the consequences of an event A with a probability of p.
This makes comparing different events easier, since one only needs to compare one number. The lesser the expected loss, the better? Not necessarily, since the preferences of the decision-maker are not accounted for. That is why a expected disutility approach should be used:
Expected disutility = Eu(C), where u is a utility function reflecting the preferences of the decision maker.
This too is troublesome, since there still is some arbitrariness as to defining the disutility function, which will have to be the same for all events/consequences, something that may not hold true for the decision-maker. Thus, in order to find which systems that are critical, neither expected loss nor expected disutility may be good approaches.
Risk – alternatively defined
Aven sees risk as composed of:
- Initiating events or triggers (A)
- Consequences of these events (C)
- The values (attributes) at stake
- Uncertainties and likelihoods about occurence of the events and the consequences
Conversely, he sees vulnerability as composed of:
- Consequences of the initiating events
- The values (attributes) at stake
- Uncertainties and likelihoods about occurence of the consequences, given the initiating events
See the differences? Risk looks primarily at the triggering event, vulnerability looks primarily at the resulting consequences.
High uncertainty = high risk
In order to account for uncertainties, Aven suggests the following method
Identify a list of systems for evaluation.
Identify possible initiating events A.
Define categories of consequences C (severity classification).
Rank thesystems according to vulnerability using E[C|A], i.e. the expected consequences given the occurrence of A.
Assign probabilities for the events A, calculate the unconditional expected consequences, EC,
by EC = P(A) x E[C|A], and rank the systems according to EC.Assess uncertainties in underlying phenomena and processes that could result in surprises relative to EC, and adjust the ranking based on this assessment.
Steps 4 and 5 are based on a traditional risk description. It is only when the uncertainties are added that “true” risk is revealed, e.g. an event with a presumed low risk based on EC, may be reclassified as high risk if the uncertainties regarding the underlying assumptions are high. Uncertainties may be related to e.g. new technology, future events, customer demand or political stability.
Conclusion
I think Aven is on the right track here. As he puts it himself,
…the idea that safety and security critical systems can be identified by considering […] the expected consequences given given system failures and malfunctions […] cannot be justified…
It is necessary to use a risk-informed approach, he claims, where calculated probabilities and expected values are enriched with the uncertainties of the underlying phenomena and processes.
Surprises may occur and by just addressing probabilities and and expected values, such surprises may be overlooked.
Surprises will of course occur, as Nassim Taleb notes in his book on Black Swan Events, and also described by Bazerman and Watkins in their book on Predictable Surprises: The Disasters You Should Have Seen Coming
Reference
AVEN, T. (2009). Identification of safety and security critical systems and activities Reliability Engineering & System Safety, 94 (2), 404-411 DOI: 10.1016/j.ress.2008.04.001
Author link
- linkedin.com: Terje Aven
Related
- husdal.com: Vulnerability and Criticality Assessment
- husdal.com: Black Swan Events
