# Risk assessment

(Redirected from Risk assessments)

Risk assessment is the determination of quantitative or qualitative estimate of risk related to a well-defined situation and a recognized threat (also called hazard). Quantitative risk assessment requires calculations of two components of risk (R): the magnitude of the potential loss (L), and the probability (p) that the loss will occur. An acceptable risk is a risk that is understood and tolerated usually because the cost or difficulty of implementing an effective countermeasure for the associated vulnerability exceeds the expectation of loss.[1] "Health risk assessment" includes variations, such as the type and severity of response, with or without a probabilistic context.

In the engineering of complex systems, sophisticated risk assessments are often made within safety engineering and reliability engineering when it concerns threats to life, environment or machine functioning. The agriculture, nuclear, aerospace, oil, rail and military industries have a long history of dealing with risk assessment. Also, medical, hospital, social service[2] and food industries control risks and perform risk assessments on a continual basis. Methods for assessment of risk may differ between industries and whether it pertains to general financial decisions or environmental, ecological, or public health risk assessment.

## Concept

Risk assessment from a financial point of view.

Risk assessment consists of an objective evaluation of risk in which assumptions and uncertainties are clearly considered and presented. Part of the difficulty in risk management is that both the quantities by which risk assessment is concerned – potential loss and probability of occurrence – can be very difficult to measure. The chance of error in measuring these two concepts is high. Risk with a large potential loss and a low probability of occurrence is often treated differently from one with a low potential loss and a high likelihood of occurrence. In theory, both are of near equal priority, but in practice it can be very difficult to manage when faced with the scarcity of resources, especially time, in which to conduct the risk management process. To see this expressed mathematically, one can define total risk as the sum over individual risks, ${\displaystyle R_{i}}$, which can be computed as the product of potential losses, ${\displaystyle L_{i}}$, and their probabilities, ${\displaystyle p(L_{i})}$:

${\displaystyle R_{i}=L_{i}p(L_{i})\,\!}$
${\displaystyle R_{total}=\sum _{i}L_{i}p(L_{i})\,\!}$

Even though for some risks ${\displaystyle R_{i},R_{j}}$, we might have ${\displaystyle R_{i}=R_{j}}$, if the probability ${\displaystyle p(L_{j})}$ is small compared to ${\displaystyle p(L_{i})}$, its estimation might be based only on a smaller number of prior events, and hence, more uncertain. On the other hand, since ${\displaystyle R_{i}=R_{j}}$, ${\displaystyle L_{j}}$ must be larger than ${\displaystyle L_{i}}$, so decisions based on this uncertainty would be more consequential, and hence, warrant a different approach.

Financial decisions, such as insurance, express loss in terms of dollar amounts. When risk assessment is used for public health or environmental decisions, loss can be quantified in a common metric such as a country's currency or some numerical measure of a location's quality of life. For public health and environmental decisions, loss is simply a verbal description of the outcome, such as increased cancer incidence or incidence of birth defects. In that case, the "risk" is expressed as

${\displaystyle R_{i}=p(L_{i})\,\!}$

If the risk estimate takes into account information on the number of individuals exposed, it is termed a "population risk" and is in units of expected increased cases per a time period. If the risk estimate does not take into account the number of individuals exposed, it is termed an "individual risk" and is in units of incidence rate per a time period. Population risks are of more use for cost/benefit analysis; individual risks are of more use for evaluating whether risks to individuals are "acceptable".

## Dose dependent and single exposure risk

The consequences of exposure may depend on how much exposure occurs (dose dependent), such as noise or vibration exposure, where both the strength and duration of the exposure affect the severity of the consequence, or may be statistically independent of the amount of exposure, such as falling from a height, which either happens or does not. For the general case, the hazards may include both types of exposure, and the procedures for assessment of the associated risk differ in detail. Dose dependent risk tends to be classified as health risk and dose independent risk as safety risk.

## Assessment of risk

At the strategic level policies are made specifying acceptable levels of risk, procedures to be followed within the organisation, priorities and allocation of resources.[3]:10 At the systematic level, management involved with the project produce project level risk assessments with the assistance of the available expertise as part of the planning process, and set up systems to ensure that required actions to manage the assessed risk are in place. At the dynamic level, the personnel directly involved may be required to deal with unforeseen problems in real time. The tactical decisions made at this level should be reviewed after the operation to provide feedback on the effectiveness of both the planned procedures and decisions made in response to the contingency.

The first step in risk assessment is to establish the context This restricts the range of hazards to be considered.

This is followed by identification of visible and implied hazards that may threaten the project, and determining the qualitative nature of the potential adverse consequences of each hazard. Without a potential adverse consequence, there is no hazard.

It is also necessary to identify the potential parties or assets which may be affected by the threat, and the potential consequences to them if the hazard is activated.

If the consequences are dependent on dose, ie. the amount of exposure, the relationship between dose and severity of consequence must be established, and the risk depends on the probable dose, which may depend on concentration or amplitude and duration or frequency of exposure. This is the general case for many health hazards where the mechanism of injury is toxicity or repetitive injury, particularly where the effect is cumulative.

For other hazards, the consequences may either occur or not, and the severity may be extremely variable even when the triggering conditions are the same. This is typical of many biological hazards as well as a large range of safety hazards. Exposure to a pathogen may or may not result in actual infection, and the consequences of infection may also be variable. Similarly a fall from the same place may result in minor injury or death, depending on unpredictable details. In these cases estimates must be made of reasonably likely consequences and associated probability of occurrence.

In cases where statistical records are available they may be used to evaluate risk, but in many cases there are no data or insufficient data available to be useful. Mathematical or experimental models may provide useful input.

### Dose dependent risk

Food risk assessment nomogram
1. Dose-Response Analysis, is determining the relationship between dose and the type of adverse response and/or probability or the incidence of effect (dose-response assessment). The complexity of this step in many contexts derives mainly from the need to extrapolate results from experimental animals (e.g. mouse, rat) to humans, and/or from high to lower doses, including from high acute occupational levels to low chronic environmental levels. In addition, the differences between individuals due to genetics or other factors mean that the hazard may be higher for particular groups, called susceptible populations. An alternative to dose-response estimation is to determine a concentration unlikely to yield observable effects, that is, a no effect concentration. In developing such a dose, to account for the largely unknown effects of animal to human extrapolations, increased variability in humans, or missing data, a prudent approach is often adopted by including safety or uncertainty factors in the estimate of the "safe" dose, typically a factor of 10 for each unknown step.
2. Exposure Quantification, aims to determine the amount of a contaminant (dose) that individuals and populations will receive, either as a contact level (e.g., concentration in ambient air) or as intake (e.g., daily dose ingested from drinking water). This is done by examining the results of the discipline of exposure assessment. As different location, lifestyles and other factors likely influence the amount of contaminant that is received, a range or distribution of possible values is generated in this step. Particular care is taken to determine the exposure of the susceptible population(s).

The results of these steps are combined to produce an estimate of risk. Because of the different susceptibilities and exposures, this risk will vary within a population. An uncertainty analysis is usually included in a health risk assessment.

## Quantitative risk assessment

In quantitative risk assessment an annualized loss expectancy (ALE) may be used to justify the cost of implementing countermeasures to protect an asset. This may be calculated by multiplying the single loss expectancy (SLE), which is the loss of value based on a single security incident, with the annualized rate of occurrence (ARO), which is an estimate of how often a threat would be successful in exploiting a vulnerability.

### Criticisms of quantitative risk assessment

Barry Commoner, Brian Wynne and other critics have expressed concerns that risk assessment tends to be overly quantitative and reductive. For example, they argue that risk assessments ignore qualitative differences among risks. Some charge that assessments may drop out important non-quantifiable or inaccessible information, such as variations among the classes of people exposed to hazards, or social amplification.[4] Furthermore, Commoner and O'Brien claim that quantitative approaches divert attention from precautionary or preventative measures.[5] Others, like Nassim Nicholas Taleb consider risk managers little more than "blind users" of statistical tools and methods.[6]

## Dynamic risk assessment

During emergency response the situation and hazards are often inherently less predictable than for planned activities. In general, if the situation and hazards are predictable, standard operating procedures should deal with them adequately, and in some emergencies this holds true and the prepared and trained responses are adequate to manage the situation. These situations are usually those that the operator can deal with without outside assistance, or with the assistance of a backup team who are prepared and available to step in at short notice. Other emergencies occur where there is no previously planned protocol, or when an outsider group is brought in to handle the situation, and they are not specifically prepared for the scenario that exists, but must deal with it without undue delay. Examples include police, fire department, disaster response and other public service rescue teams. In these cases ongoing risk assessment by the involved personnel can advise appropriate action to reduce risk.[7] HM Fire Services Inspectorate has defined dynamic risk assessment (DRA) as:

The continuous assessment of risk in the rapidly changing circumstances of an operational incident, in order to implement the control measures necessary to ensure an acceptable level of safety.[7]

Dynamic risk assessment is the final stage of an integrated safety management system which can provide appropriate response during changing circumstances. It relies on experience, training and continuing education, including effective debriefing to analyse not only what went wrong, but also what went right, and why, and to share this with other members of the team and the personnel responsible for the planning level risk assessment.[7]

## Fields of application

Application of risk assessment procedures is common in a wide range of fields, and these may have specific legal obligations, codes of practice and standardised procedures. Some of these are listed here.

### General health

There are many resources that provide health risk information.

The National Library of Medicine provides risk assessment and regulation information tools for a varied audience.[8] These include:

The United States Environmental Protection Agency provides basic information about environmental health risk assessments for the public for a wide variety of possible environmental exposures.[11]

The Environmental Protection Agency began actively using risk assessment methods to protect drinking water in the United States after passage of the Safe Drinking Water Act of 1974. The law required the National Academy of Sciences to conduct a study on drinking water issues, and in its report the NAS described some methodologies for doing risk assessments for chemicals that were suspected carcinogens, recommendations that top EPA officials have described as perhaps the study’s most important part.[12]

Considering the increase in junk food and its toxicity, FDA required in 1973 that cancer-causing compounds must not be present in meat at concentrations that would cause a cancer risk greater than 1 in a million over a lifetime. The US Environmental Protection Agency provides extensive information about ecological and environmental risk assessments for the public via its risk assessment portal.[13] The Stockholm Convention on persistent organic pollutants (POPs) supports a qualitative risk framework for public health protection from chemicals that display environmental and biological persistence, bioaccumulation, toxicity (PBT) and long range transport; most global chemicals that meet this criteria have been previously assessed quantitatively by national and international health agencies.[14]

#### Small sub-populations

When risks apply mainly to small sub-populations, there is uncertainty at which point intervention is necessary. For example, there may be a risk that is very low for everyone, other than 0.1% of the population. It is necessary to determine whether this 0.1% is represented by:

• all infants younger than X days or
• recreational users of a particular product.

If the risk is higher for a particular sub-population because of abnormal exposure rather than susceptibility, strategies to further reduce the exposure of that subgroup are considered. If an identifiable sub-population is more susceptible due to inherent genetic or other factors, public policy choices must be made. The choices are:

• to set policies for protecting the general population that are protective of such groups, e.g. for children when data exists, the Clean Air Act for populations such as asthmatics or
• not to set policies, because the group is too small, or the costs too high.

#### Acceptable risk criteria

The idea of not increasing lifetime risk by more than one in a million has become commonplace in public health discourse and policy. It is a heuristic measure. It provides a numerical basis for establishing a negligible increase in risk.

Environmental decision making allows some discretion for deeming individual risks potentially "acceptable" if less than one in ten thousand chance of increased lifetime risk. Low risk criteria such as these provide some protection for a case where individuals may be exposed to multiple chemicals e.g. pollutants, food additives or other chemicals.

In practice, a true zero-risk is possible only with the suppression of the risk-causing activity.

Stringent requirements of 1 in a million may not be technologically feasible or may be so prohibitively expensive as to render the risk-causing activity unsustainable, resulting in the optimal degree of intervention being a balance between risks vs. benefit. For example, emissions from hospital incinerators result in a certain number of deaths per year. However, this risk must be balanced against the alternatives. There are public health risks, as well as economic costs, associated with all options. The risk associated with no incineration is potential spread of infectious diseases, or even no hospitals. Further investigation identifies options such as separating noninfectious from infectious wastes, or air pollution controls on a medical incinerator.

Intelligent thought about a reasonably full set of options is essential. Thus, it is not unusual for there to be an iterative process between analysis, consideration of options, and follow up analysis.

### Auditing

For audits performed by an outside audit firm, risk assessment is a crucial stage before accepting an audit engagement. According to ISA315 Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement, "the auditor should perform risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control". Evidence relating to the auditor’s risk assessment of a material misstatement in the client’s financial statements. Then, the auditor obtains initial evidence regarding the classes of transactions at the client and the operating effectiveness of the client’s internal controls. Audit risk is defined as the risk that the auditor will issue a clean unmodified opinion regarding the financial statements, when in fact the financial statements are materially misstated, and therefore do not qualify for a clean unmodified opinion. As a formula, audit risk is the product of two other risks: Risk of Material Misstatement and Detection risk. This formula can be further broken down as follows: inherent risk × control risk × detection risk.

### Public health

In the context of public health, risk assessment is the process of characterizing the nature and likelihood of a harmful effect to individuals or populations from certain human activities. Health risk assessment can be mostly qualitative or can include statistical estimates of probabilities for specific populations. In most countries the use of specific chemicals or the operations of specific facilities (e.g. power plants, manufacturing plants) is not allowed unless it can be shown that they do not increase the risk of death or illness above a specific threshold. For example, the American Food and Drug Administration (FDA) regulates food safety through risk assessment.[15]

### Project management

In project management, risk assessment is an integral part of the risk management plan, studying the probability, the impact, and the effect of every known risk on the project, as well as the corrective action to take should an incident implied by a risk occur.[16] Of special consideration in this area are the relevant codes of practice that are enforced in the specific jurisdiction. Understanding the regime of regulations that risk management must abide by is integral to formulating safe and compliant risk assessment practices.

### Information security

Information technology risk assessment can be performed by a qualitative or quantitative approach, following different methodologies. One important difference[clarification needed] in risk assessments in information security is modifying the threat model to account for the fact that any adversarial system connected to the Internet has access to threaten any other connected system.[17] Risk assessments may therefore need to be modified to account for the threats from all adversaries, instead of just those with reasonable access as is done in other fields.

Another notable difference is the strategic nature of IT risk assessments. Unlike tactical vulnerability assessments and penetration testing which aim to identify and close specific gaps in security, IT risk assessments are functional at the executive level to examine the broader picture of IT risk management.[clarification needed][18]

### Megaprojects

Megaprojects (sometimes also called "major programs") are extremely large-scale investment projects, typically costing more than US\$1 billion per project. They include bridges, tunnels, highways, railways, airports, seaports, power plants, dams, wastewater projects, coastal flood protection, oil and natural gas extraction projects, public buildings, information technology systems, aerospace projects, and defence systems. Megaprojects have been shown to be particularly risky in terms of finance, safety, and social and environmental impacts.

### Software evolution

Studies have shown that early parts of the system development cycle such as requirements and design specifications are especially prone to error. This effect is particularly notorious in projects involving multiple stakeholders with different points of view. Evolutionary software processes offer an iterative approach to requirement engineering to alleviate the problems of uncertainty, ambiguity and inconsistency inherent in software developments.[clarification needed]

### Shipping industry

In July 2010, shipping companies agreed to use standardized procedures in order to assess risk in key shipboard operations. These procedures were implemented as part of the amended ISM Code.[19]

### Underwater diving

Formal risk assessment is a required component of most professional dive planning, but the format and methodology may vary. Consequences of an incident due to an identified hazard are generally chosen from a small number of standardised categories, and probability is estimated based on statistical data on the rare occasions when it is available, and on a best guess estimate based on personal experience and company policy in most cases. A simple matrix is often used to transform these inputs into a level of risk, generally expressed as unacceptable, marginal or acceptable. If unacceptable, measures must be taken to reduce the risk to an acceptable level, and the final outcome of the risk assessment must be accepted by the affected parties before a dive commences. Higher levels of risk may be acceptable in special circumstances, such as military or search and rescue operations when there is a chance of recovering a survivor. Diving supervisors are trained in the procedures of hazard identification and risk assessment, and it is part of their planning and operational responsibility. Both health and safety hazards must be considered. Several stages may be identified. There is risk assessment done as part of the diving project planning, on site risk assessment which takes into account the specific conditions of the day, and dynamic risk assessment which is ongoing during the operation by the members of the dive team, particularly the supervisor and the working diver.[20][21]

In recreational scuba diving, the extent of risk assessment expected of the diver is relatively basic, and is included in the pre-dive checks. Several mnemonics have been developed by diver certification agencies to remind the diver to pay some attention to risk, but the training is rudimentary. Diving service providers are expected to provide a higher level of care for their customers, and diving instructors and divemasters are expected to assess risk on behalf of their customers and warn them of site-specific hazards and the competence considered appropriate for the planned dive. Technical divers are expected to make a more thorough assessment of risk, but as they will be making an informed choice for a recreational activity, the level of acceptable risk may be considerably higher than that permitted for occupational divers under the direction of an employer.[22][23]

### Environment

Environmental Risk Assessment (ERA) aims at assessing the effects of stressors, often chemicals, on the local environment. A risk is an integrated assessment of likelihood and severity of an undesired event. In ERA, the undesired event often depends on the chemical of interest and on the risk assessment scenario.[24] This undesired event is usually a detrimental effect on organisms, populations or ecosystems. Current ERAs usually compare an exposure to a no-effect level, such as the Predicted Environmental Concentration/Predicted No-Effect Concentration (PEC/PNEC) ratio in Europe. Although this type of ratio is useful and often used in regulation purposes, it is only an indication of an exceeded apparent threshold.[25] New approaches start to be developed in ERA in order to quantifiy this risk and to communicate effectively on it with both the managers and the general public.[24]

## References

### Footnotes

1. ^ RFC 4949
2. ^ Lacey, Peter (2011). "An Application of Fault Tree Analysis to the Identification and Management of Risks in Government Funded Human Service Delivery". Proceedings of the 2nd International Conference on Public Policy and Social Sciences (pdf). SSRN .
3. ^ Cite error: The named reference Lock_2016 was invoked but never defined (see the help page).
4. ^ Kasperson, R.E., Renn, O., Slovic, P., Brown, H.S., Emel, J., Goble, R., Kasperson, J.X., Ratick, S. (1988). "The social amplification of risk: A conceptual framework". Risk Analysis. 8 (2): 177–187. doi:10.1111/j.1539-6924.1988.tb01168.x.
5. ^ Commoner, Barry. O'Brien, Mary. Shrader-Frechette and Westra 1997.
6. ^ The fourth quadrant: a map of the limits of statistics [9.15.08] Nassim Nicholas Taleb An Edge Original Essay
7. ^ a b c Lock, Gareth (June 2017). Phillips, Mark, ed. "Public Safety Diving-Dynamic Risk Assessment" (PDF). PS Diver Magazine. PSDiver.com (116): 9. Retrieved 20 June 2017.
8. ^ "Risk Assessment and Regulation Information from the NLM". NLM. Retrieved 9 June 2013.
9. ^ "Databases on toxicology, hazardous chemicals, environmental health, and toxic releases". TOXNET. NLM. May 2012. Retrieved 9 June 2013.
10. ^ "Household Products Database". U.S. Dept. of Health & Human Services. January 2013. Retrieved 9 June 2013.
11. ^ "Risk Assessment Portal". EPA. 13 May 2013. Retrieved 9 June 2013.
12. ^ EPA Alumni Association: Senior EPA officials discuss early implementation of the Safe Drinking Water Act of 1974, Video, Transcript (see pages 11,14).
13. ^ EPA,ORD,NCEA, US. "Risk Assessment". www.epa.gov. Retrieved 2016-04-07.
14. ^ Szabo DT, Loccisano AE (March 30, 2012). "POPs and Human Health Risk Assessment". Dioxins and Persistent Organic Pollutants. 3rd (Edition): John Wiley & Sons. doi:10.1002/9781118184141.ch19.
15. ^ Merrill, Richard A. "Food Safety Regulation: Reforming the Delaney Clause" in Annual Review of Public Health, 1997, 18:313-40. This source includes a useful historical survey of prior food safety regulation.
16. ^ Managing Project Risks - Retrieved May 20th, 2010
17. ^ Spring, J.; Kern, S.; Summers, A. (2015-05-01). "Global adversarial capability modeling". 2015 APWG Symposium on Electronic Crime Research (eCrime): 1–21. doi:10.1109/ECRIME.2015.7120797.
18. ^ Arnold, Rob. "3 Types of Security Assessments". Threat Sketch. Threat Sketch. Retrieved 17 November 2016.
19. ^
20. ^ "Diving Regulations 2009". Occupational Health and Safety Act 85 of 1993 – Regulations and Notices – Government Notice R41. Pretoria: Government Printer. Retrieved 3 November 2016 – via Southern African Legal Information Institute.
21. ^ Staff (August 2016). "15 - General safety requirements". Guidance for diving supervisors IMCA D 022 (Revision 1 ed.). London, UK: International Marine Contractors Association. pp. 15-5.
22. ^ Staff (1977). "The Diving at Work Regulations 1997". Statutory Instruments 1997 No. 2776 Health and Safety. Kew, Richmond, Surrey: Her Majesty's Stationery Office (HMSO). Retrieved 6 November 2016.
23. ^ Gurr, Kevin (August 2008). "13: Operational Safety". In Mount, Tom; Dituri, Joseph. Exploration and Mixed Gas Diving Encyclopedia (1st ed.). Miami Shores, Florida: International Association of Nitrox Divers. pp. 165–180. ISBN 978-0-915539-10-9.
24. ^ a b Goussen, Benoit; Price, Oliver R.; Rendal, Cecilie; Ashauer, Roman (2016-10-26). "Integrated presentation of ecological risk from multiple stressors". Scientific Reports. 6. ISSN 2045-2322. PMC . PMID 27782171. doi:10.1038/srep36004.
25. ^ Jager, Tjalling; Heugens, Evelyn H. W.; Kooijman, Sebastiaan A. L. M. (2006-04-20). "Making Sense of Ecotoxicological Test Results: Towards Application of Process-based Models". Ecotoxicology. 15 (3): 305–314. ISSN 0963-9292. doi:10.1007/s10646-006-0060-x.