Some Limitations of Qualitative Risk Rating Systems

Qualitative systems for rating animal antimicrobial risks using ordered categorical labels such as “high,”“medium,” and “low” can potentially simplify risk assessment input requirements used to inform risk management decisions. But do they improve decisions? This article compares the results of qualitative and quantitative risk assessment systems and establishes some theoretical limitations on the extent to which they are compatible. In general, qualitative risk rating systems satisfying conditions found in real‐world rating systems and guidance documents and proposed as reasonable make two types of errors: (1) Reversed rankings, i.e., assigning higher qualitative risk ratings to situations that have lower quantitative risks; and (2) Uninformative ratings, e.g., frequently assigning the most severe qualitative risk label (such as “high”) to situations with arbitrarily small quantitative risks and assigning the same ratings to risks that differ by many orders of magnitude. Therefore, despite their appealing consensus‐building properties, flexibility, and appearance of thoughtful process in input requirements, qualitative rating systems as currently proposed often do not provide sufficient information to discriminate accurately between quantitatively small and quantitatively large risks. The value of information (VOI) that they provide for improving risk management decisions can be zero if most risks are small but a few are large, since qualitative ratings may then be unable to confidently distinguish the large risks from the small. These limitations suggest that it is important to continue to develop and apply practical quantitative risk assessment methods, since qualitative ones are often unreliable.     

Public Values in Risk Debates

Both the issues inherent in regulation of specific risks and the contexts in which such regulatory processes occur are often characterized by confusion and controversy. Tools based on multiattribute utility measurement (MAUT) can help to clarify public values in risk debates and thus to facilitate option invention and decision making. Stakeholder group representatives, in interaction with an analyst, structure their values relevant to the problem into a value tree. The analyst prepares a common tree, iterating until all stakeholder representatives accept it. Stakeholders express their values as weights on the common tree. This provides a basis for option invention and negotiation. The paper presents three illustrative applications.     

Managing diverse risks: An integrative framework

Risk is a crucial part of any business and managing risk is an essential function for management. This paper reviews current managerial practice and academic research in managing diverse risks. There are numerous elements of risk, some exogenous to the firm and others that are endogenous. In recent years exogenous elements of risk have increased both in number and complexity, and distinctions have blurred between national and international elements of risks because of the integration across borders of markets, institutions, and political and operational risks. An explicit classification of risks as exogenous and endogenous will focus managerial attention to the changing exogenous elements, to the often ignored endogenous elements, and to the needed integration of managing exogenous and endogenous risks. While there is an increasing body of research examining risk, there is a need to examine exogenous risk elements as systems of risk rather than as independent elements and integrate endogenous elements including behavioral and incentive-related aspects with the systems of exogenous risks. Additionally, international case studies and surveys about risk perceptions and attitudes of managers across different organizations and within levels of organizations will improve our understanding of the diverse risks faced by multi-national corporations.     

Managing Disruption Risks in Supply Chains

There are two broad categories of risk affecting supply chain design and management: (1) risks arising from the problems of coordinating supply and demand, and (2) risks arising from disruptions to normal activities. This paper is concerned with the second category of risks, which may arise from natural disasters, from strikes and economic disruptions, and from acts of purposeful agents, including terrorists. The paper provides a conceptual framework that reflects the joint activities of risk assessment and risk mitigation that are fundamental to disruption risk management in supply chains. We then consider empirical results from a rich data set covering the period 1995–2000 on accidents in the U. S. Chemical Industry. Based on these results and other literature, we discuss the implications for the design of management systems intended to cope with supply chain disruption risks.     

Municipal Waste Management: Inequities and the Role of Deliberation

Like radioactive waste, municipal solid waste (MSW) requires consideration of a complex mix of intergenerational and intragenerational risks surrounded by uncertain science. Unlike radioactive waste, MSW is a common problem and hence one often perceived to be controllable, at least until a required facility is proposed in a particular community. The intragenerational risks focused on local communities rouse intense public pressures for management. Although some of the risks can be quantified, the risk assessment process cannot deal with all questions. This article examines the multiple dimensions of the decisions required to be made and the weaknesses of a number of decision tools traditionally used. A case is made for the need to integrate decision tools appropriate to the risks into reflexive and iterative decision processes open to public involvement. It is argued that this presents the best hope of both optimizing decisions about the intragenerational risks as well as raising public debate about the importance of sustainable waste management in transgenerational terms.     

Using the CAUSE Model to Understand Public Communication about Water Risks: Perspectives from Texas Groundwater District Officials on Drought and Availability

Public communication about drought and water availability risks poses challenges to a potentially disinterested public. Water management professionals, though, have a responsibility to work with the public to engage in communication about water and environmental risks. Because limited research in water management examines organizational communication practices and perceptions, insights into research and practice can be gained through investigation of current applications of these risk communication efforts. Guided by the CAUSE model, which explains common goals in communicating risk information to the public (e.g., creating Confidence, generating Awareness, enhancing Understanding, gaining Satisfaction, and motivating Enactment), semistructured interviews of professionals (N = 25) employed by Texas groundwater conservation districts were conducted. The interviews examined how CAUSE model considerations factor in to communication about drought and water availability risks. These data suggest that many work to build constituents’ confidence in their districts. Although audiences and constituents living in drought‐prone areas were reported as being engaged with water availability risks and solutions, many district officials noted constituents’ lack of perceived risk and engagement. Some managers also indicated that public understanding was a secondary concern of their primary responsibilities and that the public often seemed apathetic about technical details related to water conservation risks. Overall, results suggest complicated dynamics between officials and the public regarding information access and motivation. The article also outlines extensions of the CAUSE model and implications for improving public communication about drought and water availability risks.     

Risk Management for Development—Assessing Obstacles and Prioritizing Action

Throughout the process of economic and social development, decisionmakers from the household to the state level are confronted with a multitude of risks: from health and employment risks, to financial and political crises, as well as environmental damages and from the local to global level. The World Bank's 2014 World Development Report (WDR) provides an in‐depth analysis of how the management of such risks can be improved. In particular, it argues that a proactive and integrated approach to risk management can create opportunities for fighting poverty and achieving prosperity—but also acknowledges substantial obstacles to its implementation in practice. This article presents and discusses these obstacles with respect to their causes, consequences, interlinkages, and solutions. In particular, these include obstacles to individual risk management, the obstacles that are beyond the control of individuals and thus require collective action, and, finally, the obstacles that affect the ability of governments and public authorities to manage risks. From these obstacles, this article derives a policy roadmap for the development of risk management strategies that are designed not only around the risk they have to cope with, but also around the practical obstacles to policy implementation.     

What's Wrong with Risk Matrices?

Risk matrices—tables mapping "frequency" and "severity" ratings to corresponding risk priority levels—are popular in applications as diverse as terrorism risk analysis, highway construction project management, office building risk analysis, climate change risk management, and enterprise risk management (ERM). National and international standards (e.g., Military Standard 882C and AS/NZS 4360:1999) have stimulated adoption of risk matrices by many organizations and risk consultants. However, little research rigorously validates their performance in actually improving risk management decisions. This article examines some mathematical properties of risk matrices and shows that they have the following limitations. (a) Poor Resolution . Typical risk matrices can correctly and unambiguously compare only a small fraction (e.g., less than 10%) of randomly selected pairs of hazards. They can assign identical ratings to quantitatively very different risks ("range compression"). (b) Errors . Risk matrices can mistakenly assign higher qualitative ratings to quantitatively smaller risks. For risks with negatively correlated frequencies and severities, they can be "worse than useless," leading to worse-than-random decisions. (c) Suboptimal Resource Allocation . Effective allocation of resources to risk-reducing countermeasures cannot be based on the categories provided by risk matrices. (d) Ambiguous Inputs and Outputs . Categorizations of severity cannot be made objectively for uncertain consequences. Inputs to risk matrices (e.g., frequency and severity categorizations) and resulting outputs (i.e., risk ratings) require subjective interpretation, and different users may obtain opposite ratings of the same quantitative risks. These limitations suggest that risk matrices should be used with caution, and only with careful explanations of embedded judgments.     

Why aren't managers concerned about occupational stress?

Abstract

To explain the rarity of workplace stress management interventions, it is thought that managers are not concerned with the risks of occupational stress to health and job performance. Some writers consider either (1) deficiencies in theory, and/or (2) deficiencies in methodology to be the cause of this apparent lack of concern. The aim of this paper is to illustrate another perspective on this issue; that of risk perception. Two perspectives on risk perception are discussed; the psychometric view and the cultural view. The psychometric view suggests that senior managers may underestimate the risks associated with stress. The cultural view suggests that managers may consider stress management to be inappropriate, since individuals, not organizations, should be responsible for coping with stress. Both perspectives indicate that very few managers may consider stress to be a risk that should be actively managed by the organization. The associated disciplines of risk management and particularly risk communication are discussed to suggest ways to overcome lack of managerial interest in stress management.     

Why aren't managers concerned about occupational stress?

To explain the rarity of workplace stress management interventions, it is thought that managers are not concerned with the risks of occupational stress to health and job performance. Some writers consider either (1) deficiencies in theory, and/or (2) deficiencies in methodology to be the cause of this apparent lack of concern. The aim of this paper is to illustrate another perspective on this issue; that of risk perception. Two perspectives on risk perception are discussed; the psychometric view and the cultural view. The psychometric view suggests that senior managers may underestimate the risks associated with stress. The cultural view suggests that managers may consider stress management to be inappropriate, since individuals, not organizations, should be responsible for coping with stress. Both perspectives indicate that very few managers may consider stress to be a risk that should be actively managed by the organization. The associated disciplines of risk management and particularly risk communication are discussed to suggest ways to overcome lack of managerial interest in stress management.     

Embracing risk as a core competence: The case of CEMEX

In this paper we argue that risk management can be an important source of competitive advantage for firms. For this to happen, managers must overcome four deep-seated notions about the management of risk: the myopic conception that risk is a collection of unconnected threats to the survival of a firm, the belief that risk management is largely a financial activity, the idea that risk management is solely a top management team task, and a blind faith that CEOs can continuously anticipate the risks that firms must address on an ongoing basis. Challenging these four misconceptions reveals that risk management can be an activity that is value creating, not just value preserving. Indeed, rather than indiscriminately shedding all types of risks, companies can develop new sources of competitive advantage by embracing those risks that they are relatively better at managing than their rivals. We illustrate our arguments by analyzing the risk management practices at CEMEX, the Mexican cement manufacturer.     

Flood Risk Management: US Army Corps of Engineers and Layperson Perceptions

Recent severe storm experiences in the U.S. Gulf Coast illustrate the importance of an integrated approach to flood preparedness planning that harmonizes stakeholder and agency efforts. Risk management decisions that are informed by and address decision maker and stakeholder risk perceptions and behavior are essential for effective risk management policy. A literature review and two expert models/mental models studies were undertaken to identify areas of importance in the flood risk management process for layperson, non‐USACE‐expert, and two USACE‐expert groups. In characterizing and mapping stakeholder beliefs about risks in the literature onto current risk management practice, recommendations for accommodating and changing stakeholder perceptions of flood risks and their management are identified. Needs of the U.S. Army Corps of Engineers (USACE) flood preparedness and response program are discussed in the context of flood risk mental models.     

Use of Quality-Adjusted Life Year Weights with Dose-Response Models for Public Health Decisions: A Case Study of the Risks and Benefits of Fish Consumption

Risks associated with toxicants in food are often controlled by exposure reduction. When exposure recommendations are developed for foods with both harmful and beneficial qualities, however, they must balance the associated risks and benefits to maximize public health. Although quantitative methods are commonly used to evaluate health risks, such methods have not been generally applied to evaluating the health benefits associated with environmental exposures. A quantitative method for risk-benefit analysis is presented that allows for consideration of diverse health endpoints that differ in their impact (i.e., duration and severity) using dose-response modeling weighted by quality-adjusted life years saved. To demonstrate the usefulness of this method, the risks and benefits of fish consumption are evaluated using a single health risk and health benefit endpoint. Benefits are defined as the decrease in myocardial infarction mortality resulting from fish consumption, and risks are defined as the increase in neurodevelopmental delay (i.e., talking) resulting from prenatal methylmercury exposure. Fish consumption rates are based on information from Washington State. Using the proposed framework, the net health impact of eating fish is estimated in either a whole population or a population consisting of women of childbearing age and their children. It is demonstrated that across a range of fish methylmercury concentrations (0-1 ppm) and intake levels (0-25 g/day), individuals would have to weight the neurodevelopmental effects 6 times more (in the whole population) or 250 times less (among women of child-bearing age and their children) than the myocardial infarction benefits in order to be ambivalent about whether or not to consume fish. These methods can be generalized to evaluate the merits of other public health and risk management programs that involve trade-offs between risks and benefits.     

Human Health Risks Associated with Asbestos Abatement

Upperbound lifetime excess cancer risks were calculated for activities associated with asbestos abatement using a risk assessment framework developed for EPA's Superfund program. It was found that removals were associated with cancer risks to workers which were often greater than the commonly accepted cancer risk of 1 x 10(-6), although lower than occupational exposure limits associated with risks of 1 x 10(-3). Removals had little effect in reducing risk to school populations. Risks to teachers and students in school buildings containing asbestos were approximately the same as risks associated with exposure to ambient asbestos by the general public and were below the levels typically of concern to regulatory agencies. During abatement, however, there were increased risks to both workers and nearby individuals. Careless, everyday building maintenance generated the greatest risk to workers followed by removals and encapsulation. If asbestos abatement was judged by the risk criteria applied to EPA's Superfund program, the no-action alternative would likely be selected in preference to removal in a majority of cases. These conclusions should only be interpreted within the context of an overall asbestos risk management program, which includes consideration of specific fiber types and sizes, sampling and analytical limitations, physical condition of asbestos-containing material, episodic peak exposures, and the number of people potentially exposed.     

Game Theory and Risk Analysis

Risk analysts often analyze adversarial risks from terrorists or other intelligent attackers without mentioning game theory. Why? One reason is that many adversarial situations—those that can be represented as attacker‐defender games, in which the defender first chooses an allocation of defensive resources to protect potential targets, and the attacker, knowing what the defender has done, then decides which targets to attack—can be modeled and analyzed successfully without using most of the concepts and terminology of game theory. However, risk analysis and game theory are also deeply complementary. Game‐theoretic analyses of conflicts require modeling the probable consequences of each choice of strategies by the players and assessing the expected utilities of these probable consequences. Decision and risk analysis methods are well suited to accomplish these tasks. Conversely, game‐theoretic formulations of attack‐defense conflicts (and other adversarial risks) can greatly improve upon some current risk analyses that attempt to model attacker decisions as random variables or uncertain attributes of targets (“threats”) and that seek to elicit their values from the defender's own experts. Game theory models that clarify the nature of the interacting decisions made by attackers and defenders and that distinguish clearly between strategic choices (decision nodes in a game tree) and random variables (chance nodes, not controlled by either attacker or defender) can produce more sensible and effective risk management recommendations for allocating defensive resources than current risk scoring models. Thus, risk analysis and game theory are (or should be) mutually reinforcing.     

An Analysis of the de minimis Strategy for Risk Management

A de minimis risk management strategy sets a threshold so that risks below the specified level are defined as trivial and exempted from further consideration. The intended purpose is to help avoid inappropriate and wasteful concern with insignificant low-level risks. In most instances a de minimis strategy is likely to have beneficial or innocuous effects, but under certain circumstances large differences may develop between nominal and actual de minimis levels. The potential for such discrepancies illustrates why de minimis (and all other risk management) strategies should be evaluated on the basis of the portfolio of risks that would accumulate from applying such strategies over time, rather than on the apparent reasonableness of any single instance of application.     

Sourcing Information Security Operations: The Role of Risk Interdependency and Competitive Externality in Outsourcing Decisions

Firms are increasingly outsourcing information security operations to managed security service providers (MSSPs). Cost reduction and quality (security) improvement are often mentioned as motives for outsourcing information security, and these are also the frequently cited reasons for outsourcing traditional information technology (IT) functions, such as software development and maintenance. In this study, we present a different explanation—one based on interdependent risks and competitive externalities associated with IT security—for firms' decisions to outsource security. We show that in the absence of competitive externalities and interdependent risks, a firm will outsource security if and only if the MSSP offers a quality advantage over in‐house operations, which is consistent with the conventional explanation for security outsourcing. However, when security risks are interdependent and breaches impose competitive externalities, although firms still have stronger incentive to outsource security if the MSSP offers a higher quality in terms of preventing breaches than in‐house management, a quality advantage of MSSP over in‐house management is neither a prerequisite for a firm to outsource security nor a guarantee that a firm will. In addition to MSSP quality, the type of externality (positive or negative), the degree of externality, whether outsourcing increases or decreases risk interdependency, and the breach characteristics determine firms' sourcing decisions. When security breaches impose a positive externality, the incentive to outsource is enhanced if the MSSP decreases the risk interdependency and diminished if the MSSP increases this interdependency. A negative externality has the opposite effect on firms' incentives to outsource. A high demand spillover to a competitor, together with a high loss in industry demand because of a security breach, enhances these incentives to outsource security operations when the externality is negative. Finally, we extend our base model in several dimensions and show that our main results regarding the impact of interdependent risks and competitive externalities on sourcing decisions are robust and generalizable to different specifications.     

Managing “forced” technology transfer in emerging markets: The case of China

This paper explores how foreign multinational corporations (MNCs) manage risks associated with “forced” technology transfer (“FTT”) policies in emerging markets. Although MNCs are increasingly exposed to appropriability risks from these policies, how they respond is relatively understudied in international business (IB) research. We explore this topic based upon a survey and interviews with Western MNCs doing business in China, as well as a discussion about the recent US-China trade war. We find that, as traditional IB theory would predict, internally-oriented strategies (e.g., internalization, maintenance of informal intellectual property (IP), and control of technological centrality and sophistication) are often used to respond to FTT policies; however, the risks from such policies can sometimes be more efficiently managed by externally-oriented strategies (e.g., non-market activities and reliance on formal IP). We discuss how the co-evolution of MNCs' risk management strategies alongside changing value chains, IP institutions, and conditions determining the leverage of FTT policies appear to contribute to this phenomenon. We argue that IB research should more prominently recognize the role of externally-oriented strategies, not only internally-oriented ones, in managing the complex IP-related institutional challenges present in emerging markets today.     

A Risk Analysis Model in Concurrent Engineering Product Development

Concurrent engineering has been widely accepted as a viable strategy for companies to reduce time to market and achieve overall cost savings. This article analyzes various risks and challenges in product development under the concurrent engineering environment. A three‐dimensional early warning approach for product development risk management is proposed by integrating graphical evaluation and review technique (GERT) and failure modes and effects analysis (FMEA). Simulation models are created to solve our proposed concurrent engineering product development risk management model. Solutions lead to identification of key risk controlling points. This article demonstrates the value of our approach to risk analysis as a means to monitor various risks typical in the manufacturing sector. This article has three main contributions. First, we establish a conceptual framework to classify various risks in concurrent engineering (CE) product development (PD). Second, we propose use of existing quantitative approaches for PD risk analysis purposes: GERT, FMEA, and product database management (PDM). Based on quantitative tools, we create our approach for risk management of CE PD and discuss solutions of the models. Third, we demonstrate the value of applying our approach using data from a typical Chinese motor company.     

Cyber risk assessment in small and medium-sized enterprises: A multilevel decision-making approach for small e-tailors

The role played by information and communication technologies in today's businesses cannot be underestimated. While such technological advancements provide numerous advantages and opportunities, they are known to thread organizations with new challenges such as cyberattacks. This is particularly important for small and medium-sized enterprises (SMEs) that are deemed to be the least mature and highly vulnerable to cybersecurity risks. Thus, this research is set to assess the cyber risks in online retailing SMEs (e-tailing SMEs). Therefore, this article employs a sample of 124 small e-tailers in the United Kingdom and takes advantage of a multi-criteria decision analysis (MCDA) method. Indeed, we identified a total number of 28 identified cyber-oriented risks in five exhaustive themes of “security,” “dependency,” “employee,” “strategic,” and “legal” risks. Subsequently, an integrated approach using step-wise weight assessment ratio analysis (SWARA) and best–worst method (BWM) has been employed to develop a pathway of risk assessment. As such, the current study outlines a novel approach toward cybersecurity risk management for e-tailing SMEs and discusses its effectiveness and contributions to the cyber risk management literature.