Foundational Issues in Risk Assessment and Risk Management

In spite of the maturity reached by many of the methods used in risk assessment and risk management, broad consensus has not been established on fundamental concepts and principles. The risk fields still suffer from a lack of clarity on many key scientific pillars. The purpose of this article is to point to this situation and through some illustrating examples discuss the challenges that the fields here face. Moreover, the purpose of the article is to reflect on how to improve the present situation and enhance the risk fields. We argue that the establishment of some common scientific pillars as well as a strong and continuous research focus on foundational issues are critical success factors. The article specifically addresses the role of the peer‐reviewed journals and the international standards in the fields. We hope that the article can contribute to a revitalization of the discussion of foundational issues in risk assessment and risk management.     

A Systems‐Based Risk Assessment Framework for Intentional Electromagnetic Interference (IEMI) on Critical Infrastructures

Modern infrastructures are becoming increasingly dependent on electronic systems, leaving them more vulnerable to electrical surges or electromagnetic interference. Electromagnetic disturbances appear in nature, e.g., lightning and solar wind; however, they may also be generated by man‐made technology to maliciously damage or disturb electronic equipment. This article presents a systematic risk assessment framework for identifying possible, consequential, and plausible intentional electromagnetic interference (IEMI) attacks on an arbitrary distribution network infrastructure. In the absence of available data on IEMI occurrences, we find that a systems‐based risk assessment is more useful than a probabilistic approach. We therefore modify the often applied definition of risk, i.e., a set of triplets containing scenario, probability, and consequence, to a set of quadruplets: scenario, resource requirements, plausibility, and consequence. Probability is “replaced” by resource requirements and plausibility, where the former is the minimum amount and type of equipment necessary to successfully carry out an attack scenario and the latter is a subjective assessment of the extent of the existence of attackers who possess the motivation, knowledge, and resources necessary to carry out the scenario. We apply the concept of intrusion areas and classify electromagnetic source technology according to key attributes. Worst‐case scenarios are identified for different quantities of attacker resources. The most plausible and consequential of these are deemed the most important scenarios and should provide useful decision support in a countermeasures effort. Finally, an example of the proposed risk assessment framework, based on notional data, is provided on a hypothetical water distribution network.     

GIS‐Based Integration of Social Vulnerability and Level 3 Probabilistic Risk Assessment to Advance Emergency Preparedness,Planning, and Response for Severe Nuclear Power Plant Accidents

In the nuclear power industry, Level 3 probabilistic risk assessment (PRA) is used to estimate damage to public health and the environment if a severe accident leads to large radiological release. Current Level 3 PRA does not have an explicit inclusion of social factors and, therefore, it is not possible to perform importance ranking of social factors for risk‐informing emergency preparedness, planning, and response (EPPR). This article offers a methodology for adapting the concept of social vulnerability, commonly used in natural hazard research, in the context of a severe nuclear power plant accident. The methodology has four steps: (1) calculating a hazard‐independent social vulnerability index for the local population; (2) developing a location‐specific representation of the maximum radiological hazard estimated from current Level 3 PRA, in a geographic information system (GIS) environment; (3) developing a GIS‐based socio‐technical risk map by combining the social vulnerability index and the location‐specific radiological hazard; and (4) conducting a risk importance measure analysis to rank the criticality of social factors based on their contribution to the socio‐technical risk. The methodology is applied using results from the 2012 Surry Power Station state‐of‐the‐art reactor consequence analysis. A radiological hazard model is generated from MELCOR accident consequence code system, translated into a GIS environment, and combined with the Center for Disease Control social vulnerability index (SVI). This research creates an opportunity to explicitly consider and rank the criticality of location‐specific SVI themes based on their influence on risk, providing input for EPPR.     

On the Complex Quantification of Risk: Systems‐Based Perspective on Terrorism

This article highlights the complexity of the quantification of the multidimensional risk function, develops five systems‐based premises on quantifying the risk of terrorism to a threatened system, and advocates the quantification of vulnerability and resilience through the states of the system. The five premises are: (i) There exists interdependence between a specific threat to a system by terrorist networks and the states of the targeted system, as represented through the system's vulnerability, resilience, and criticality‐impact. (ii) A specific threat, its probability, its timing, the states of the targeted system, and the probability of consequences can be interdependent. (iii) The two questions in the risk assessment process: “What is the likelihood?” and “What are the consequences?” can be interdependent. (iv) Risk management policy options can reduce both the likelihood of a threat to a targeted system and the associated likelihood of consequences by changing the states (including both vulnerability and resilience) of the system. (v) The quantification of risk to a vulnerable system from a specific threat must be built on a systemic and repeatable modeling process, by recognizing that the states of the system constitute an essential step to construct quantitative metrics of the consequences based on intelligence gathering, expert evidence, and other qualitative information. The fact that the states of all systems are functions of time (among other variables) makes the time frame pivotal in each component of the process of risk assessment, management, and communication. Thus, risk to a system, caused by an initiating event (e.g., a threat) is a multidimensional function of the specific threat, its probability and time frame, the states of the system (representing vulnerability and resilience), and the probabilistic multidimensional consequences.     

AbSRiM: An Agent‐Based Security Risk Management Approach for Airport Operations

Security risk management is essential for ensuring effective airport operations. This article introduces AbSRiM, a novel agent‐based modeling and simulation approach to perform security risk management for airport operations that uses formal sociotechnical models that include temporal and spatial aspects. The approach contains four main steps: scope selection, agent‐based model definition, risk assessment, and risk mitigation. The approach is based on traditional security risk management methodologies, but uses agent‐based modeling and Monte Carlo simulation at its core. Agent‐based modeling is used to model threat scenarios, and Monte Carlo simulations are then performed with this model to estimate security risks. The use of the AbSRiM approach is demonstrated with an illustrative case study. This case study includes a threat scenario in which an adversary attacks an airport terminal with an improvised explosive device. The approach provides a promising way to include important elements, such as human aspects and spatiotemporal aspects, in the assessment of risk. More research is still needed to better identify the strengths and weaknesses of the AbSRiM approach in different case studies, but results demonstrate the feasibility of the approach and its potential.     

Physiologically Based Liver Modeling and Risk Assessment

Because of the inherent complexity of biological systems, there is often a choice between a number of apparently equally applicable physiologically based models to describe uptake and metabolism processes in toxicology or risk assessment. These models may fit the particular data sets of interest equally well, but may give quite different parameter estimates or predictions under different (extrapolated) conditions. Such competing models can be discriminated by a number of methods, including potential refutation by means of strategic experiments, and their ability to suitably incorporate all relevant physiological processes. For illustration, three currently used models for steady-state hepatic elimination--the venous equilibration model, the parallel tube model, and the distributed sinusoidal perfusion model--are reviewed and compared with particular reference to their application in the area of risk assessment. The ability of each of the models to describe and incorporate such physiological processes as protein binding, precursor-metabolite relations and hepatic zones of elimination, capillary recruitment, capillary heterogeneity, and intrahepatic shunting is discussed. Differences between the models in hepatic parameter estimation, extrapolation to different conditions, and interspecies scaling are discussed, and criteria for choosing one model over the others are presented. In this case, the distributed model provides the most general framework for describing physiological processes taking place in the liver, and has so far not been experimentally refuted, as have the other two models. These simpler models may, however, provide useful bounds on parameter estimates and on extrapolations and risk assessments.     

Risk Modeling, Assessment, and Management of Lahar Flow Threat

The 1991 eruption of Mount Pinatubo in the Philippines is considered one of the most violent and destructive volcanic activities in the 20th century. Lahar is the Indonesian term for volcanic ash, and lahar flows resulting from the massive amount of volcanic materials deposited on the mountain's slope posed continued post-eruption threats to the surrounding areas, destroying lives, homes, agricultural products, and infrastructures. Risks of lahar flows were identified immediately after the eruption, with scientific data provided by the Philippine Institute of Volcanology, the U.S. Geological Survey, and other research institutions. However, competing political, economic, and social agendas subordinated the importance of scientific information to policy making. Using systemic risk analysis and management, this article addresses the issues of multiple objectives and the effective integration of scientific techniques into the decision-making process. It provides a modeling framework for identifying, prioritizing, and evaluating policies for managing risk. The major considerations are: (1) applying a holistic approach to risk analysis through hierarchical holographic modeling, (2) applying statistical methods to gain insight into the problem of uncertainty in risk assessment, (3) using multiobjective trade-off analysis to address the issue of multiple decisionmakers and stakeholders in the decision-making process, (4) using the conditional expected value of extreme events to complement and supplement the expected value in quantifying risk, and (5) assessing the impacts of multistage decisions. Numerical examples based on ex post data are formulated to illustrate applications to various problems. The resulting framework from this study can serve as a general baseline model for assessing and managing risks of natural disasters, which the Philippines' lead agency-the National Disaster Coordinating Council (NDCC)-and other related organizations can use for their decision-making processes.     

Development of a Public Participation and Communication Protocol for Establishing Fish Consumption Advisories

Enabling people to make an informed choice on whether to change consumption behavior is ultimately the objective of any fish consumption advisory. This will occur only if people are aware of the advisory, know and understand the advisory information, and believe the information to be true. Interactive, meaningful communication and the opportunity to participate in the process to develop and review advisories are key to achieving these attributes. A case study was undertaken in a community in Alberta, Canada (where an existing advisory was under consideration for review) to determine public awareness, knowledge, compliance, communication effectiveness, information needs, and desire for involvement related to the advisory. The information obtained from this case study was used to develop 14 guiding principles as a foundation for the incorporation of public participation and risk communication into the process of developing and reviewing fish consumption advisories.     

Modeling Receptor-Mediated Processes with Dioxin: Implications for Pharmacokinetics and Risk Assessment

Dioxin (2,3,7,8-tetrachlorodibenzo- p -dioxin; TCDD), a widespread polychlorinated aromatic hydrocarbon, caused tumors in the liver and other sites when administered chronically to rats at doses as low as 0.01 μg/kg/day. It functions in combination with a cellular protein, the Ah receptor, to alter gene regulation, and this resulting modulation of gene expression is believed to be obligatory for both dioxin toxicity and carcinogenicity. The U.S. EPA is reevaluating its dioxin risk assessment and, as part of this process, will be developing risk assessment approaches for chemicals, such as dioxin, whose toxicity is receptor-mediated. This paper describes a receptor-mediated physiologically based pharmacokinetic (PB-PK) model for the tissue distribution and enzyme-inducing properties of dioxin and discusses the potential role of these models in a biologically motivated risk assessment. In this model, ternary interactions among the Ah receptor, dioxin, and DNA binding sites lead to enhanced production of specific hepatic proteins. The model was used to examine the tissue disposition of dioxin and the induction of both a dioxin-binding protein (presumably, cytochrome P4501A2), and cytochrome P4501A1. Tumor promotion correlated more closely with predicted induction of P4501A1 than with induction of hepatic binding proteins. Although increased induction of these proteins is not expected to be causally related to tumor formation, these physiological dosimetry and gene-induction response models will be important for biologically motivated dioxin risk assessments in determining both target tissue dose of dioxin and gene products and in examining the relationship between these gene products and the cellular events more directly involved in tumor promotion.     

A Fuzzy‐Based Risk Assessment Framework for Autonomous Underwater Vehicle Under‐Ice Missions

The use of autonomous underwater vehicles (AUVs) for various scientific, commercial, and military applications has become more common with maturing technology and improved accessibility. One relatively new development lies in the use of AUVs for under‐ice marine science research in the Antarctic. The extreme environment, ice cover, and inaccessibility as compared to open‐water missions can result in a higher risk of loss. Therefore, having an effective assessment of risks before undertaking any Antarctic under‐ice missions is crucial to ensure an AUV's survival. Existing risk assessment approaches predominantly focused on the use of historical fault log data of an AUV and elicitation of experts’ opinions for probabilistic quantification. However, an AUV program in its early phases lacks historical data and any assessment of risk may be vague and ambiguous. In this article, a fuzzy‐based risk assessment framework is proposed for quantifying the risk of AUV loss under ice. The framework uses the knowledge, prior experience of available subject matter experts, and the widely used semiquantitative risk assessment matrix, albeit in a new form. A well‐developed example based on an upcoming mission by an ISE‐explorer class AUV is presented to demonstrate the application and effectiveness of the proposed framework. The example demonstrates that the proposed fuzzy‐based risk assessment framework is pragmatically useful for future under‐ice AUV deployments. Sensitivity analysis demonstrates the validity of the proposed method.     

Modeling Finite‐Time Failure Probabilities in Risk Analysis Applications

In this article, we introduce a framework for analyzing the risk of systems failure based on estimating the failure probability. The latter is defined as the probability that a certain risk process, characterizing the operations of a system, reaches a possibly time‐dependent critical risk level within a finite‐time interval. Under general assumptions, we define two dually connected models for the risk process and derive explicit expressions for the failure probability and also the joint probability of the time of the occurrence of failure and the excess of the risk process over the risk level. We illustrate how these probabilistic models and results can be successfully applied in several important areas of risk analysis, among which are systems reliability, inventory management, flood control via dam management, infectious disease spread, and financial insolvency. Numerical illustrations are also presented.     

Dynamic Supply Risk Management with Signal‐Based Forecast,Multi‐Sourcing,and Discretionary Selling

We examine the critical role of advance supply signals—such as suppliers’ financial health and production viability—in dynamic supply risk management. The firm operates an inventory system with multiple demand classes and multiple suppliers. The sales are discretionary and the suppliers are susceptible to both systematic and operational risks. We develop a hierarchical Markov model that captures the essential features of advance supply signals, and integrate it with procurement and selling decisions. We characterize the optimal procurement and selling policy, and the strategic relationship between signal‐based forecast, multi‐sourcing, and discretionary selling. We show that higher demand heterogeneity may reduce the value of discretionary selling, and that the mean value‐based forecast may outperform the stationary distribution‐based forecast. This work advances our understanding on when and how to use advance supply signals in dynamic risk management. Future supply risk erodes profitability but enhances the marginal value of current inventory. A signal of future supply shortage raises both base stock and demand rationing levels, thereby boosting the current production and tightening the current sales. Signal‐based dynamic forecast effectively guides the firm's procurement and selling decisions. Its value critically depends on supply volatility and scarcity. Ignoring advance supply signals can result in misleading recommendations and severe losses. Signal‐based dynamic supply forecast should be used when: (a) supply uncertainty is substantial, (b) supply‐demand ratio is moderate, (c) forecast precision is high, and (d) supplier heterogeneity is high.     

Tree‐Based Logistic Regression Approach for Work Zone Casualty Risk Assessment

This study presents a tree‐based logistic regression approach to assessing work zone casualty risk, which is defined as the probability of a vehicle occupant being killed or injured in a work zone crash. First, a decision tree approach is employed to determine the tree structure and interacting factors. Based on the Michigan M‐94I‐94I‐94BLI‐94BR highway work zone crash data, an optimal tree comprising four leaf nodes is first determined and the interacting factors are found to be airbag, occupant identity (i.e., driver, passenger), and gender. The data are then split into four groups according to the tree structure. Finally, the logistic regression analysis is separately conducted for each group. The results show that the proposed approach outperforms the pure decision tree model because the former has the capability of examining the marginal effects of risk factors. Compared with the pure logistic regression method, the proposed approach avoids the variable interaction effects so that it significantly improves the prediction accuracy.     

Multimedia Benchmarking Analysis for Three Risk Assessment Models: RESRAD, MMSOILS, and MEPAS

This paper is one in a series that describes results of a benchmarking analysis initiated by the Department of Energy (DOE) and the United States Environmental Protection Agency (EPA). An overview of the study is provided in a companion paper by Laniak et al. presented in this journal issue. The three models used in the study—RESRAD (DOE), MMSOILS (EPA), and MEPAS (DOE)—represent analytically-based tools that are used by the respective agencies for performing human exposure and health risk assessments. Both single media and multimedia benchmarking scenarios were developed and executed. In this paper, the multimedia scenario is examined. That scenario consists of a hypothetical landfill that initially contained uranium-238 and methylene chloride. The multimedia models predict the fate of these contaminants, plus the progeny of uranium-238, through the unsaturated zone, saturated zone, surface water, and atmosphere. Carcinogenic risks are calculated from exposure to the contaminants via multiple pathways. Results of the tests show that differences in model endpoint estimates arise from both differences in the models' mathematical formulations and assumptions related to the implementation of the scenarios.     

Trust in Risk Management: A Model‐Based Review of Empirical Research

This review of studies of trust in risk management was designed, in part, to examine the relations between the reviewed research and the consensus model of trust that has recently emerged in other fields of study. The review begins by briefly elaborating the consensus views on the dimensionality and function of trust. It then describes the various models of trust that have been developed in the field of risk management, comparing them with the consensus approach. The findings of previous reviews are outlined, followed by a delineation of the open questions addressed by the present review, the method used, and the results. Finally, the findings of the review are discussed in relation to the important issue of trust asymmetry, the role of trust in risk management, and directions for future research. The consensus model specifies two conceptualizations of trust, each linked to particular types of antecedents. Relational trust, which is called trust in this review, is based on the relations between the trusting person and the other. Calculative trust, which is called confidence, is based on past behavior of the other and/or on constraints on future behavior. Results of this review showed that most studies of trust in risk management, while exploring matters of particular concern to the risk management community, were at least in part consistent with the consensus model. The review concludes by urging greater integration between the concerns of the former and the insights of the latter.     

Context‐Specific,Scenario‐Based Risk Scales

Reacting to an emergency requires quick decisions under stressful and dynamic conditions. To react effectively, responders need to know the right actions to take given the risks posed by the emergency. While existing research on risk scales focuses primarily on decision making in static environments with known risks, these scales may be inappropriate for conditions where the decision maker's time and mental resources are limited and may be infeasible if the actual risk probabilities are unknown. In this article, we propose a method to develop context‐specific, scenario‐based risk scales designed for emergency response training. Emergency scenarios are used as scale points, reducing our dependence on known probabilities; these are drawn from the targeted emergency context, reducing the mental resources required to interpret the scale. The scale is developed by asking trainers/trainees to rank order a range of risk scenarios and then aggregating these orderings using a Kemeny ranking. We propose measures to assess this aggregated scale's internal consistency, reliability, and validity, and we discuss how to use the scale effectively. We demonstrate our process by developing a risk scale for subsurface coal mine emergencies and test the reliability of the scale by repeating the process, with some methodological variations, several months later.     

Risk Modeling of Interdependent Complex Systems of Systems: Theory and Practice

The emergence of the complexity characterizing our systems of systems (SoS) requires a reevaluation of the way we model, assess, manage, communicate, and analyze the risk thereto. Current models for risk analysis of emergent complex SoS are insufficient because too often they rely on the same risk functions and models used for single systems. These models commonly fail to incorporate the complexity derived from the networks of interdependencies and interconnectedness (I–I) characterizing SoS. There is a need to reevaluate currently practiced risk analysis to respond to this reality by examining, and thus comprehending, what makes emergent SoS complex. The key to evaluating the risk to SoS lies in understanding the genesis of characterizing I–I of systems manifested through shared states and other essential entities within and among the systems that constitute SoS. The term “essential entities” includes shared decisions, resources, functions, policies, decisionmakers, stakeholders, organizational setups, and others. This undertaking can be accomplished by building on state‐space theory, which is fundamental to systems engineering and process control. This article presents a theoretical and analytical framework for modeling the risk to SoS with two case studies performed with the MITRE Corporation and demonstrates the pivotal contributions made by shared states and other essential entities to modeling and analysis of the risk to complex SoS. A third case study highlights the multifarious representations of SoS, which require harmonizing the risk analysis process currently applied to single systems when applied to complex SoS.     

Culture, Cosmopolitanism, and Risk Management

Most cultural approaches to risk management deal with the connections between the forms of social relations within groups and the risk concerns of those groups. According to these theories, a certain limited set of different relational forms (usually three, four, or five) lead to specific, different and conflicting, risk concerns. In contrast to these theories, cosmopolitanism is an approach to culture that focuses, not on forms of sociality, but on changes among forms—expansions and contractions in the inclusivity of forms and movement by persons from one form of sociality to another. Relative to other cultural theories, cosmopolitanism thus is much more concerned with the solution of risk management problems than with their origins. Cosmopolitanism can be thought of as a cultural continuum, with cosmopolitanism at one end and pluralism at the other. Cosmopolitan persons are more open to cultural change—and thus the solution of risk management problems. In this article, we outline our new theory of cosmopolitanism, describe a method for measuring it and present an experimental study that tests some implications of the theory. Results from the study support the theory by showing that, compared to pluralistic respondents, cosmopolitan respondents are more inclusive in their risk management judgments—that is, they express equal concern for a local and a national issue, whereas the pluralistic respondents express greater concern in the local case. We discuss the risk management implications of a cosmopolitan approach to culture.     

Low‐Probability Flood Risk Modeling for New York City

The devastating impact by Hurricane Sandy (2012) again showed New York City (NYC) is one of the most vulnerable cities to coastal flooding around the globe. The low‐lying areas in NYC can be flooded by nor'easter storms and North Atlantic hurricanes. The few studies that have estimated potential flood damage for NYC base their damage estimates on only a single, or a few, possible flood events. The objective of this study is to assess the full distribution of hurricane flood risk in NYC. This is done by calculating potential flood damage with a flood damage model that uses many possible storms and surge heights as input. These storms are representative for the low‐probability/high‐impact flood hazard faced by the city. Exceedance probability‐loss curves are constructed under different assumptions about the severity of flood damage. The estimated flood damage to buildings for NYC is between US$59 and 129 millions/year. The damage caused by a 1/100‐year storm surge is within a range of US$2 bn–5 bn, while this is between US$5 bn and 11 bn for a 1/500‐year storm surge. An analysis of flood risk in each of the five boroughs of NYC finds that Brooklyn and Queens are the most vulnerable to flooding. This study examines several uncertainties in the various steps of the risk analysis, which resulted in variations in flood damage estimations. These uncertainties include: the interpolation of flood depths; the use of different flood damage curves; and the influence of the spectra of characteristics of the simulated hurricanes.     

Multicriteria Decision Framework for Cybersecurity Risk Assessment and Management

Risk assessors and managers face many difficult challenges related to novel cyber systems. Among these challenges are the constantly changing nature of cyber systems caused by technical advances, their distribution across the physical, information, and sociocognitive domains, and the complex network structures often including thousands of nodes. Here, we review probabilistic and risk-based decision-making techniques applied to cyber systems and conclude that existing approaches typically do not address all components of the risk assessment triplet (threat, vulnerability, consequence) and lack the ability to integrate across multiple domains of cyber systems to provide guidance for enhancing cybersecurity. We present a decision-analysis-based approach that quantifies threat, vulnerability, and consequences through a set of criteria designed to assess the overall utility of cybersecurity management alternatives. The proposed framework bridges the gap between risk assessment and risk management, allowing an analyst to ensure a structured and transparent process of selecting risk management alternatives. The use of this technique is illustrated for a hypothetical, but realistic, case study exemplifying the process of evaluating and ranking five cybersecurity enhancement strategies. The approach presented does not necessarily eliminate biases and subjectivity necessary for selecting countermeasures, but provides justifiable methods for selecting risk management actions consistent with stakeholder and decisionmaker values and technical data.