Intelligent Adversary Risk Analysis: A Bioterrorism Risk Management Model

The tragic events of 9/11 and the concerns about the potential for a terrorist or hostile state attack with weapons of mass destruction have led to an increased emphasis on risk analysis for homeland security. Uncertain hazards (natural and engineering) have been successfully analyzed using probabilistic risk analysis (PRA). Unlike uncertain hazards, terrorists and hostile states are intelligent adversaries who can observe our vulnerabilities and dynamically adapt their plans and actions to achieve their objectives. This article compares uncertain hazard risk analysis with intelligent adversary risk analysis, describes the intelligent adversary risk analysis challenges, and presents a probabilistic defender–attacker–defender model to evaluate the baseline risk and the potential risk reduction provided by defender investments. The model includes defender decisions prior to an attack; attacker decisions during the attack; defender actions after an attack; and the uncertainties of attack implementation, detection, and consequences. The risk management model is demonstrated with an illustrative bioterrorism problem with notional data.     

How Probabilistic Risk Assessment Can Mislead Terrorism Risk Analysts

Traditional probabilistic risk assessment (PRA), of the type originally developed for engineered systems, is still proposed for terrorism risk analysis. We show that such PRA applications are unjustified in general. The capacity of terrorists to seek and use information and to actively research different attack options before deciding what to do raises unique features of terrorism risk assessment that are not adequately addressed by conventional PRA for natural and engineered systems—in part because decisions based on such PRA estimates do not adequately hedge against the different probabilities that attackers may eventually act upon. These probabilities may differ from the defender's (even if the defender's experts are thoroughly trained, well calibrated, unbiased probability assessors) because they may be conditioned on different information. We illustrate the fundamental differences between PRA and terrorism risk analysis, and suggest use of robust decision analysis for risk management when attackers may know more about some attack options than we do.     

Improving Risk Communication

This paper explores reasons for difficulties in communicating risks among analysts, the laypublic, media, and regulators. Formulating risk communication problems as decisions involving objectives and alternatives helps to identify strategies for overcoming these difficulties. Several strategies are suggested to achieve risk communication objectives like improving public knowledge about risks and risk management, encouraging risk reduction behavior, understanding public values and concerns, and increasing trust and credibility.     

Nano Risk Analysis: Advancing the Science for Nanomaterials Risk Management

Scientists, activists, industry, and governments have raised concerns about health and environmental risks of nanoscale materials. The Society for Risk Analysis convened experts in September 2008 in Washington, DC to deliberate on issues relating to the unique attributes of nanoscale materials that raise novel concerns about health risks. This article reports on the overall themes and findings of the workshop, uncovering the underlying issues for each of these topics that become recurring themes. The attributes of nanoscale particles and other nanomaterials that present novel issues for risk analysis are evaluated in a risk analysis framework, identifying challenges and opportunities for risk analysts and others seeking to assess and manage the risks from emerging nanoscale materials and nanotechnologies. Workshop deliberations and recommendations for advancing the risk analysis and management of nanotechnologies are presented.     

Major Hazard Information Policy in the European Community: Implications for Risk Analysis

The main impetus to the development of information about major industrial hazards in the European Community comes from the so-called Seveso Directive, which defines an information network and requires the generation and transmission of information as the basis for accident prevention and risk management. This important policy development, which calls for the formal identification and analysis of major hazards and the communication of risk information to members of the public, presents new opportunities and challenges to risk analysis and research in Europe. This paper briefly reviews the accidents that gave rise to the Directive and shaped its content, and then summarizes its requirements. The status of its implementation in the EC Member States is discussed, with special emphasis given to the comparison of safety analysis practices, the Major Accident Reporting System (MARS), and risk communication. Some new research directions stimulated by the Directive are identified.     

Enhancing the Characterization of Epistemic Uncertainties in PM2.5 Risk Analyses

The Environmental Benefits Mapping and Analysis Program (BenMAP) is a software tool developed by the U.S. Environmental Protection Agency (EPA) that is widely used inside and outside of EPA to produce quantitative estimates of public health risks from fine particulate matter (PM_2.5). This article discusses the purpose and appropriate role of a risk analysis tool to support risk management deliberations, and evaluates the functions of BenMAP in this context. It highlights the importance in quantitative risk analyses of characterization of epistemic uncertainty, or outright lack of knowledge, about the true risk relationships being quantified. This article describes and quantitatively illustrates sensitivities of PM_2.5 risk estimates to several key forms of epistemic uncertainty that pervade those calculations: the risk coefficient, shape of the risk function, and the relative toxicity of individual PM_2.5 constituents. It also summarizes findings from a review of U.S.‐based epidemiological evidence regarding the PM_2.5 risk coefficient for mortality from long‐term exposure. That review shows that the set of risk coefficients embedded in BenMAP substantially understates the range in the literature. We conclude that BenMAP would more usefully fulfill its role as a risk analysis support tool if its functions were extended to better enable and prompt its users to characterize the epistemic uncertainties in their risk calculations. This requires expanded automatic sensitivity analysis functions and more recognition of the full range of uncertainty in risk coefficients.     

Decision Analysis and Risk Management Decision Making: Issues and Methods

This paper provides an overview of decision analysis and its use in risk management decision making. The paper discusses the distinctive characteristics of decision analysis and compares these characteristics with those of its principal alternative—cost–benefit analysis. The paper also discusses each of the steps in a decision analysis and the strengths and limitations of the method.     

企业风险管理与经营效率:来自中国保险业的经验证据

本文从风险管理的视角对企业效率评估的数据包络分析技术进行了改进,探讨了风险管理与经营效率的内在关联,并以中国保险业为例,对1999年以来企业真实的经营效率水平进行了评估。结果表明:企业内部的风险管理能力对其经营效率水平的提升具有明显的影响,而且这种影响力正在逐渐加强。不考虑企业内部的风险管理水平将直接导致其经营效率的测算结果出现低估,2002年以后这种低估的程度越发明显,这可归因于同期保险企业开始逐渐重视提高自身的风险管理能力。以上结论也为企业如何在管控风险的同时提升经营效率水平提供了有价值的指导。     

Integrated Analysis: Combining Risk and Economic Assessments While Preserving the Separation of Powers

This article presents a process for an integrated policy analysis that combines risk assessment and benefit-cost analysis. This concept, which explicitly combines the two types of related analyses, seems to contradict the long-accepted risk analysis paradigm of separating risk assessment and risk management since benefit-cost analysis is generally considered to be a part of risk management. Yet that separation has become a problem because benefit-cost analysis uses risk assessment results as a starting point and considerable debate over the last several years focused on the incompatibility of the use of upper bounds or "safe" point estimates in many risk assessments with benefit-cost analysis. The problem with these risk assessments is that they ignore probabilistic information. As advanced probabilistic techniques for risk assessment emerge and economic analysts receive distributions of risks instead of point estimates, the artificial separation between risk analysts and the economic/decision analysts complicates the overall analysis. In addition, recent developments in countervailing risk theory suggest that combining the risk and benefit-cost analyses is required to fully understand the complexity of choices and tradeoffs faced by the decisionmaker. This article also argues that the separation of analysis and management is important, but that benefit-cost analysis has been wrongly classified into the risk management category and that the analytical effort associated with understanding the economic impacts of risk reduction actions need to be part of a broader risk assessment process.     

Perceived Risk, Trust, and Democracy

Risk management has become increasingly politicized and contentious. Polarized views, controversy, and overt conflict have become pervasive. Risk-perception research has recently begun to provide a new perspective on this problem. Distrust in risk analysis and risk management plays a central role in this perspective. According to this view, the conflicts and controversies surrounding risk management are not due to public ignorance or irrationality but, instead, are seen as a side effect of our remarkable form of participatory democracy, amplified by powerful technological and social changes that systematically destroy trust. Recognizing the importance of trust and understanding the "dynamics of the system" that destroys trust has vast implications for how we approach risk management in the future.     

Flood Risk Management: US Army Corps of Engineers and Layperson Perceptions

Recent severe storm experiences in the U.S. Gulf Coast illustrate the importance of an integrated approach to flood preparedness planning that harmonizes stakeholder and agency efforts. Risk management decisions that are informed by and address decision maker and stakeholder risk perceptions and behavior are essential for effective risk management policy. A literature review and two expert models/mental models studies were undertaken to identify areas of importance in the flood risk management process for layperson, non‐USACE‐expert, and two USACE‐expert groups. In characterizing and mapping stakeholder beliefs about risks in the literature onto current risk management practice, recommendations for accommodating and changing stakeholder perceptions of flood risks and their management are identified. Needs of the U.S. Army Corps of Engineers (USACE) flood preparedness and response program are discussed in the context of flood risk mental models.     

Improving Risk Management: From Lame Excuses to Principled Practice

The three classic pillars of risk analysis are risk assessment (how big is the risk and how sure can we be?), risk management (what shall we do about it?), and risk communication (what shall we say about it, to whom, when, and how?). We propose two complements as important parts of these three bases: risk attribution (who or what addressable conditions actually caused an accident or loss?) and learning from experience about risk reduction (what works, and how well?). Failures in complex systems usually evoke blame, often with insufficient attention to root causes of failure, including some aspects of the situation, design decisions, or social norms and culture. Focusing on blame, however, can inhibit effective learning, instead eliciting excuses to deflect attention and perceived culpability. Productive understanding of what went wrong, and how to do better, thus requires moving past recrimination and excuses. This article identifies common blame‐shifting “lame excuses” for poor risk management. These generally contribute little to effective improvements and may leave real risks and preventable causes unaddressed. We propose principles from risk and decision sciences and organizational design to improve results. These start with organizational leadership. More specifically, they include: deliberate testing and learning—especially from near‐misses and accident precursors; careful causal analysis of accidents; risk quantification; candid expression of uncertainties about costs and benefits of risk‐reduction options; optimization of tradeoffs between gathering additional information and immediate action; promotion of safety culture; and mindful allocation of people, responsibilities, and resources to reduce risks. We propose that these principles provide sound foundations for improving successful risk management.     

Game Theory and Risk Analysis

Risk analysts often analyze adversarial risks from terrorists or other intelligent attackers without mentioning game theory. Why? One reason is that many adversarial situations—those that can be represented as attacker‐defender games, in which the defender first chooses an allocation of defensive resources to protect potential targets, and the attacker, knowing what the defender has done, then decides which targets to attack—can be modeled and analyzed successfully without using most of the concepts and terminology of game theory. However, risk analysis and game theory are also deeply complementary. Game‐theoretic analyses of conflicts require modeling the probable consequences of each choice of strategies by the players and assessing the expected utilities of these probable consequences. Decision and risk analysis methods are well suited to accomplish these tasks. Conversely, game‐theoretic formulations of attack‐defense conflicts (and other adversarial risks) can greatly improve upon some current risk analyses that attempt to model attacker decisions as random variables or uncertain attributes of targets (“threats”) and that seek to elicit their values from the defender's own experts. Game theory models that clarify the nature of the interacting decisions made by attackers and defenders and that distinguish clearly between strategic choices (decision nodes in a game tree) and random variables (chance nodes, not controlled by either attacker or defender) can produce more sensible and effective risk management recommendations for allocating defensive resources than current risk scoring models. Thus, risk analysis and game theory are (or should be) mutually reinforcing.     

The [R]Evolving Relationship Between Risk Assessment and Risk Management

In Science and Decisions: Advancing Risk Assessment, the National Research Council recommends improvements in the U.S. Environmental Protection Agency's approach to risk assessment. The recommendations aim to increase the utility of these assessments, embedding them within a new risk‐based decision‐making framework. The framework involves first identifying the problem and possible options for addressing it, conducting related analyses, then reviewing the results and making the risk management decision. Experience with longstanding requirements for regulatory impact analysis provides insights into the implementation of this framework. First, neither the Science and Decisions framework nor the framework for regulatory impact analysis should be viewed as a static or linear process, where each step is completed before moving on to the next. Risk management options are best evaluated through an iterative and integrative procedure. The extent to which a hazard has been previously studied will strongly influence analysts’ ability to identify options prior to conducting formal analyses, and these options will be altered and refined as the analysis progresses. Second, experience with regulatory impact analysis suggests that legal and political constraints may limit the range of options assessed, contrary to both existing guidance for regulatory impact analysis and the Science and Decisions recommendations. Analysts will need to work creatively to broaden the range of options considered. Finally, the usefulness of regulatory impact analysis has been significantly hampered by the inability to quantify many health impacts of concern, suggesting that the scientific improvements offered within Science and Decisions will fill an crucial research gap.     

Risk management in plant investment decisions: risk typology,dimensions and process

Abstract

Managing risk associated with plant location decisions is a growing concern as companies seek to reassure investors about the robustness of their strategies. However, little attention has been paid to the systematic evaluation of risk associated with new plants. This paper investigates risk management practices in plant investment decisions through detailed case investigations in a cross section of industrial businesses at different levels of maturity in order to observe current practices, identify common principles and to synthesis systematic approaches to risk management. It identifies key risk categories and dimensions of risk management, building on three key bodies of literature – global manufacturing, investment and risk management     

One Agency's Use of Risk Assessment and Risk Communication1

Few organizations have the courage to evaluate their own use of risk assessment (identifying hazards and estimating their probability and magnitude) and risk communication (interacting with internal and external stakeholder groups about risks). The USDA Animal and Plant Health Inspection Service (APHIS) wants to enhance its overall risk analysis process for managing a wide range of risks to animals, plants, and human health. We gathered survey data for a baseline of APHIS professionals’ understanding and use of risk assessment and risk communication. APHIS professionals spend a surprisingly large share of their time communicating about risks. They perceive that risk estimates influence decisions, but that risk estimates should have more influence. Respondents reported little opposition to APHIS risk management decisions, and little use of channels such as USDA Extension Service for disseminating risk messages. Substantial variance across responses is explained mostly by differences in the roles of the 11 work units (now 10) within the agency. Location also contributes to the variance. Demographic variables seem less important.     

项目风险分析与管理

本文在分析比较传统风险分析方法的基础上,提出了一个更为有效的风险分析方法,即“交叉分析-蒙特卡罗模拟”综合模型。并利用此模型对H集团的某技改投资项目进行了案例分析。在此基础上,提出了建立项目风险防范预警系统的风险管理模式。     

Risk analysis under attack: How risk science can address the legal,social, and reputational liabilities faced by risk analysts

The role of the risk analyst is critical in understanding and managing uncertainty. However, there is another type of uncertainty that is rarely discussed: The legal, social, and reputational liabilities of the risk analyst. Recent events have shown that professionals participating in risk analysis can be held personally liable. It is timely and important to ask: How can risk science guide risk analysis with consideration of those liabilities, particularly in response to emerging and unprecedented risk. This paper studies this topic by: (1) Categorizing how professionals with risk analysis responsibilities have historically been held liable, and (2) developing a framework to address uncertainty related to those potential liabilities. The result of this framework will enable individual analysts and organizations to investigate and manage the expectations of risk analysts and others as they apply risk principles and methods. This paper will be of interest to risk researchers, risk professionals, and industry professionals who seek maturity within their risk programs.     

Incorporating Risk Assessment and Benefit-Cost Analysis in Environmental Management1

Using data from interviews with a key set of individuals at the U.S. Environmental Protection Agency, this study examines intraagency views about the incorporation of risk assessment and benefit-cost analysis in environment management.     

Efficacy Foundations for Risk Communication: How People Think About Reducing the Risks of Climate Change

Believing action to reduce the risks of climate change is both possible (self‐efficacy) and effective (response efficacy) is essential to motivate and sustain risk mitigation efforts, according to current risk communication theory. Although the public recognizes the dangers of climate change, and is deluged with lists of possible mitigative actions, little is known about public efficacy beliefs in the context of climate change. Prior efficacy studies rely on conflicting constructs and measures of efficacy, and links between efficacy and risk management actions are muddled. As a result, much remains to learn about how laypersons think about the ease and effectiveness of potential mitigative actions. To bring clarity and inform risk communication and management efforts, we investigate how people think about efficacy in the context of climate change risk management by analyzing unprompted and prompted beliefs from two national surveys (N = 405, N = 1,820). In general, respondents distinguish little between effective and ineffective climate strategies. While many respondents appreciate that reducing fossil fuel use is an effective risk mitigation strategy, overall assessments reflect persistent misconceptions about climate change causes, and uncertainties about the effectiveness of risk mitigation strategies. Our findings suggest targeting climate change risk communication and management strategies to (1) address gaps in people's existing mental models of climate action, (2) leverage existing public understanding of both potentially effective mitigation strategies and the collective action dilemma at the heart of climate change action, and (3) take into account ideologically driven reactions to behavior change and government action framed as climate action.