Posted inADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) Admission ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) Alumni ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) Campus life ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) Class study ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) Design ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) Design and Development ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) Education ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) Entrepreneur ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) Examination ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) In China ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) In India ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) In UK ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) In USA ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) Innovation ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) Latest ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) Placement ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) Research ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) Student corner ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) Technology ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) University ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM) White paper Vrindawan eUniversity

ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM)

ADVANCE DIPLOMA IN RISK AND SAFETY MANAGEMENT(ADRSM)

RSM provides practical education, training, advice, resources and networking to help people and organisations manage the challenges they face and appreciate the vital role risk management plays – from protecting profits and reputation, to more importantly lives.

RSM‘s global community of more than 8,000 work in a range of sectors and risk disciplines, such as business continuity and crisis management, compliance, emergency planning, environmental management, insurance, health and safety, project management, quality management, risk management, security and more.

Definitions of risk

Oxford English Dictionary

The Oxford English Dictionary (OED) cites the earliest use of the word in English (in the spelling of risque from its French original, ‘risque’) as of 1621, and the spelling as risk from 1655. While including several other definitions, the OED 3rd edition defines risk as

(Exposure to) the possibility of loss, injury, or other adverse or welcome circumstance; a chance or situation involving such a possibility.

The Cambridge Advanced Learner’s Dictionary gives a simple summary, defining risk as “the possibility of something bad happening”.

International Organization for Standardization

The International Organization for Standardization (ISO) Guide 73 provides basic vocabulary to develop common understanding on risk management concepts and terms across different applications. ISO Guide 73:2009 defines risk as:

effect of uncertainty on objectives

Note 1: An effect is a deviation from the expected – positive or negative.

Note 2: Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).

Note 3: Risk is often characterized by reference to potential events and consequences or a combination of these.

Note 4: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.

Note 5: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

This definition was developed by an international committee representing over 30 countries and is based on the input of several thousand subject matter experts. It was first adopted in 2002. Its complexity reflects the difficulty of satisfying fields that use the term risk in different ways. Some restrict the term to negative impacts (“downside risks”), while others include positive impacts (“upside risks”).

Other

Many other definitions of risk have been influential:“Source of harm”. The earliest use of the word “risk” was as a synonym for the much older word “hazard”, meaning a potential source of harm. This definition comes from Blount’s “Glossographia” (1661) and was the main definition in the OED 1st (1914) and 2nd (1989) editions. Modern equivalents refer to “unwanted events”  or “something bad that might happen”.“Chance of harm”. This definition comes from Johnson’s “Dictionary of the English Language” (1755), and has been widely paraphrased, including “possibility of loss”  or “probability of unwanted events”.“Uncertainty about loss”. This definition comes from Willett’s “Economic Theory of Risk and Insurance” (1901). This links “risk” to “uncertainty”, which is a broader term than chance or probability.“Measurable uncertainty”. This definition comes from Knight’s “Risk, Uncertainty and Profit” (1921). It allows “risk” to be used equally for positive and negative outcomes. In insurance, risk involves situations with unknown outcomes but known probability distributions.“Volatility of return”. Equivalence between risk and variance of return was first identified in Markovitz’s “Portfolio Selection” (1952). In finance, volatility of return is often equated to risk.“Statistically expected loss”. The expected value of loss was used to define risk by Wald (1939) in what is now known as decision theory. The probability of an event multiplied by its magnitude was proposed as a definition of risk for the planning of the Delta Works in 1953, a flood protection program in the Netherlands. It was adopted by the US Nuclear Regulatory Commission (1975), and remains widely used.“Likelihood and severity of events”. The “triplet” definition of risk as “scenarios, probabilities and consequences” was proposed by Kaplan & Garrick (1981). Many definitions refer to the likelihood/probability of events/effects/losses of different severity/consequence, e.g. ISO Guide 73 Note 4.“Consequences and associated uncertainty”. This was proposed by Kaplan & Garrick (1981). This definition is preferred in Bayesian analysis, which sees risk as the combination of events and uncertainties about them.“Uncertain events affecting objectives”. This definition was adopted by the Association for Project Management (1997). With slight rewording it became the definition in ISO Guide 73.“Uncertainty of outcome”. This definition was adopted by the UK Cabinet Office (2002) to encourage innovation to improve public services. It allowed “risk” to describe either “positive opportunity or negative threat of actions and events”.“Asset, threat and vulnerability”. This definition comes from the Threat Analysis Group (2010) in the context of computer security.“Human interaction with uncertainty”. This definition comes from Cline (2015) in the context of adventure education.

Some resolve these differences by arguing that the definition of risk is subjective. For example:

No definition is advanced as the correct one, because there is no one definition that is suitable for all problems. Rather, the choice of definition is a political one, expressing someone’s views regarding the importance of different adverse effects in a particular situation.

The Society for Risk Analysis concludes that “experience has shown that to agree on one unified set of definitions is not realistic”. The solution is “to allow for different perspectives on fundamental concepts and make a distinction between overall qualitative definitions and their associated measurements.”

Practice areas

The understanding of risk, the common methods of management, the measurements of risk and even the definition of risk differ in different practice areas. This section provides links to more detailed articles on these areas.

Business risk

Business risks arise from uncertainty about the profit of a commercial business due to unwanted events such as changes in tastes, changing preferences of consumers, strikes, increased competition, changes in government policy, obsolescence etc.

Business risks are controlled using techniques of risk management. In many cases they may be managed by intuitive steps to prevent or mitigate risks, by following regulations or standards of good practice, or by insurance. Enterprise risk management includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives; see also Financial risk management § Corporate finance.

Economic risk

Economics is concerned with the production, distribution and consumption of goods and services. Economic risk arises from uncertainty about economic outcomes. For example, economic risk may be the chance that macroeconomic conditions like exchange rates, government regulation, or political stability will affect an investment or a company’s prospects.

In economics, as in finance, risk is often defined as quantifiable uncertainty about gains and losses.

Environmental risk

Environmental risk arises from environmental hazards or environmental issues.

In the environmental context, risk is defined as “The chance of harmful effects to human health or to ecological systems”.

Environmental risk assessment aims to assess the effects of stressors, often chemicals, on the local environment.

Financial risk

Finance is concerned with money management and acquiring funds. Financial risk arises from uncertainty about financial returns. It includes market risk, credit risk, liquidity risk and operational risk.

In finance, risk is the possibility that the actual return on an investment will be different from its expected return. This includes not only “downside risk” (returns below expectations, including the possibility of losing some or all of the original investment) but also “upside risk” (returns that exceed expectations). In Knight’s definition, risk is often defined as quantifiable uncertainty about gains and losses. This contrasts with Knightian uncertainty, which cannot be quantified.

Financial risk modeling determines the aggregate risk in a financial portfolio. Modern portfolio theory measures risk using the variance (or standard deviation) of asset prices. More recent risk measures include value at risk.

Because investors are generally risk averse, investments with greater inherent risk must promise higher expected returns.

Financial risk management uses financial instruments to manage exposure to risk. It includes the use of a hedge to offset risks by adopting a position in an opposing market or investment.

In financial audit, audit risk refers to the potential that an audit report may fail to detect material misstatement either due to error or fraud.

Health risk

Epidemiology is the study and analysis of the distribution, patterns and determinants of health and disease. It is a cornerstone of public health, and shapes policy decisions by identifying risk factors for disease and targets for preventive healthcare.

In the context of public health, risk assessment is the process of characterizing the nature and likelihood of a harmful effect to individuals or populations from certain human activities. Health risk assessment can be mostly qualitative or can include statistical estimates of probabilities for specific populations.

A health risk assessment (also referred to as a health risk appraisal and health & well-being assessment) is a questionnaire screening tool, used to provide individuals with an evaluation of their health risks and quality of life

Health, safety, and environment risks

Health, safety, and environment (HSE) are separate practice areas; however, they are often linked. The reason is typically to do with organizational management structures; however, there are strong links among these disciplines. One of the strongest links is that a single risk event may have impacts in all three areas, albeit over differing timescales. For example, the uncontrolled release of radiation or a toxic chemical may have immediate short-term safety consequences, more protracted health impacts, and much longer-term environmental impacts. Events such as Chernobyl, for example, caused immediate deaths, and in the longer term, deaths from cancers, and left a lasting environmental impact leading to birth defects, impacts on wildlife, etc.

Information technology risk

Information technology (IT) is the use of computers to store, retrieve, transmit, and manipulate data. IT risk (or cyber risk) arises from the potential that a threat may exploit a vulnerability to breach security and cause harm. IT risk management applies risk management methods to IT to manage IT risks. Computer security is the protection of IT systems by managing IT risks.

Information security is the practice of protecting information by mitigating information risks. While IT risk is narrowly focused on computer security, information risks extend to other forms of information (paper, microfilm).

Insurance risk

Insurance is a risk treatment option which involves risk sharing. It can be considered as a form of contingent capital and is akin to purchasing an option in which the buyer pays a small premium to be protected from a potential large loss.

Insurance risk is often taken by insurance companies, who then bear a pool of risks including market risk, credit risk, operational risk, interest rate risk, mortality risk, longevity risks, etc.

The term “risk” has a long history in insurance and has acquired several specialised definitions, including “the subject-matter of an insurance contract”, “an insured peril” as well as the more common “possibility of an event occurring which causes injury or loss”.

Occupational risk

Occupational health and safety is concerned with occupational hazards experienced in the workplace.

The Occupational Health and Safety Assessment Series (OHSAS) standard OHSAS 18001 in 1999 defined risk as the “combination of the likelihood and consequence(s) of a specified hazardous event occurring”. In 2018 this was replaced by ISO 45001 “Occupational health and safety management systems”, which use the ISO Guide 73 definition.

Project risk

A project is an individual or collaborative undertaking planned to achieve a specific aim. Project risk is defined as, “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives”. Project risk management aims to increase the likelihood and impact of positive events and decrease the likelihood and impact of negative events in the project.

Safety risk

Safety is concerned with a variety of hazards that may result in accidents causing harm to people, property and the environment. In the safety field, risk is typically defined as the “likelihood and severity of hazardous events”. Safety risks are controlled using techniques of risk management.

A high reliability organisation (HRO) involves complex operations in environments where catastrophic accidents could occur. Examples include aircraft carriers, air traffic control, aerospace and nuclear power stations. Some HROs manage risk in a highly quantified way. The technique is usually referred to as Probabilistic Risk Assessment (PRA). See WASH-1400 for an example of this approach. The incidence rate can also be reduced due to the provision of better occupational health and safety programmes 

Security risk

A security risk is “any event that could result in the compromise of organizational assets i.e. the unauthorized use, loss, damage, disclosure or modification of organizational assets for the profit, personal interest or political interests of individuals, groups or other entities.”

Security risk management involves protection of assets from harm caused by deliberate acts.

Assessment and management of risk

Risk management

Risk is ubiquitous in all areas of life and we all manage these risks, consciously or intuitively, whether we are managing a large organization or simply crossing the road. Intuitive risk management is addressed under the psychology of risk below.

Risk management refers to a systematic approach to managing risks, and sometimes to the profession that does this. A general definition is that risk management consists of “coordinated activities to direct and control an organization with regard to risk”.

ISO 31000, the international standard for risk management, describes a risk management process that consists of the following elements:Communicating and consultingEstablishing the scope, context and criteriaRisk assessment – recognising and characterising risks, and evaluating their significance to support decision-making. This includes risk identification, risk analysis and risk evaluation.Risk treatment – selecting and implementing options for addressing risk.Monitoring and reviewingRecording and reporting

In general, the aim of risk management is to assist organizations in “setting strategy, achieving objectives and making informed decisions”. The outcomes should be “scientifically sound, cost-effective, integrated actions that [treat] risks while taking into account social, cultural, ethical, political, and legal considerations”.

In contexts where risks are always harmful, risk management aims to “reduce or prevent risks”. In the safety field it aims “to protect employees, the general public, the environment, and company assets, while avoiding business interruptions”.

For organizations whose definition of risk includes “upside” as well as “downside” risks, risk management is “as much about identifying opportunities as avoiding or mitigating losses”. It then involves “getting the right balance between innovation and change on the one hand, and avoidance of shocks and crises on the other”.

Risk assessment

Risk assessment is a systematic approach to recognising and characterising risks, and evaluating their significance, in order to support decisions about how to manage them. ISO 31000 defines it in terms of its components as “the overall process of risk identification, risk analysis and risk evaluation”.

Risk assessment can be qualitative, semi-quantitative or quantitative:Qualitative approaches are based on qualitative descriptions of risks and rely on judgement to evaluate their significance.Semi-quantitative approaches use numerical rating scales to group the consequences and probabilities of events into bands such as “high”, “medium” and “low”. They may use a risk matrix to evaluate the significance of particular combinations of probability and consequence.Quantitative approaches, including Quantitative risk assessment (QRA) and probabilistic risk assessment (PRA), estimate probabilities and consequences in appropriate units, combine them into risk metrics, and evaluate them using numerical risk criteria.

Risk identification

Risk identification is “the process of finding, recognizing and recording risks”. It “involves the identification of risk sources, events, their causes and their potential consequences.”

ISO 31000 describes it as the first step in a risk assessment process, preceding risk analysis and risk evaluation. In safety contexts, where risk sources are known as hazards, this step is known as “hazard identification”.

There are many different methods for identifying risks, including:Checklists or taxonomies based on past data or theoretical models.Evidence-based methods, such as literature reviews and analysis of historical data.Team-based methods that systematically consider possible deviations from normal operations, e.g. HAZOKKP, FMEA and SWIFT.Empirical methods, such as testing and modelling to identify what might happen under particular circumstances.Techniques encouraging imaginative thinking about possibilities of the future, such as scenario analysis.Expert-elicitation methods such as brainstorming, interviews and audits.

Sometimes, risk identification methods are limited to finding and documenting risks that are to be analysed and evaluated elsewhere. However, many risk identification methods also consider whether control measures are sufficient and recommend improvements. Hence they function as stand-alone qualitative risk assessment techniques.

Risk analysis

Risk analysis is about developing an understanding of the risk. ISO defines it as “the process to comprehend the nature of risk and to determine the level of risk”.[3] In the ISO 31000 risk assessment process, risk analysis follows risk identification and precedes risk evaluation. However, these distinctions are not always followed.

Risk analysis may include:Determining the sources, causes and drivers of riskInvestigating the effectiveness of existing controlsAnalysing possible consequences and their likelihoodUnderstanding interactions and dependencies between risksDetermining measures of riskVerifying and validating resultsUncertainty and sensitivity analysis

Risk analysis often uses data on the probabilities and consequences of previous events. Where there have been few such events, or in the context of systems that are not yet operational and therefore have no previous experience, various analytical methods may be used to estimate the probabilities and consequences:Proxy or analogue data from other contexts, presumed to be similar in some aspects of risk.Theoretical models, such as Monte Carlo simulation and Quantitative risk assessment software.Logical models, such as Bayesian networks, fault tree analysis and event tree analysisExpert judgement, such as absolute probability judgement or the Delphi method.

Risk evaluation and risk criteria

Risk evaluation involves comparing estimated levels of risk against risk criteria to determine the significance of the risk and make decisions about risk treatment actions.

In most activities, risks can be reduced by adding further controls or other treatment options, but typically this increases cost or inconvenience. It is rarely possible to eliminate risks altogether without discontinuing the activity. Sometimes it is desirable to increase risks to secure valued benefits. Risk criteria are intended to guide decisions on these issues.

Types of criteria include:Criteria that define the level of risk that can be accepted in pursuit of objectives, sometimes known as risk appetite, and evaluated by risk/reward analysis.Criteria that determine whether further controls are needed, such as benefit-cost ratio.Criteria that decide between different risk management options, such as multiple-criteria decision analysis.

The simplest framework for risk criteria is a single level which divides acceptable risks from those that need treatment. This gives attractively simple results but does not reflect the uncertainties involved both in estimating risks and in defining the criteria.

The tolerability of risk framework, developed by the UK Health and Safety Executive, divides risks into three bands:Unacceptable risks – only permitted in exceptional circumstances.Tolerable risks – to be kept as low as reasonably practicable (ALARP), taking into account the costs and benefits of further risk reduction.Broadly acceptable risks – not normally requiring further reduction.

Psychology of risk

Risk perception

Intuitive risk assessment

An understanding that future events are uncertain and a particular concern about harmful ones may arise in anyone living in a community, experiencing seasons, hunting animals or growing crops. Most adults therefore have an intuitive understanding of risk. This may not be exclusive to humans.

In ancient times, the dominant belief was in divinely determined fates, and attempts to influence the gods may be seen as early forms of risk management. Early uses of the word ‘risk’ coincided with an erosion of belief in divinely ordained fate.

Risk perception is the subjective judgement that people make about the characteristics and severity of a risk. At its most basic, the perception of risk is an intuitive form of risk analysis.

Heuristics and biases

Intuitive understanding of risk differs in systematic ways from accident statistics. When making judgements about uncertain events, people rely on a few heuristic principles, which convert the task of estimating probabilities to simpler judgements. These heuristics are useful but suffer from systematic biases.

The “availability heuristic” is the process of judging the probability of an event by the ease with which instances come to mind. In general, rare but dramatic causes of death are over-estimated while common unspectacular causes are under-estimated.

An “availability cascade” is a self-reinforcing cycle in which public concern about relatively minor events is amplified by media coverage until the issue becomes politically important.

Despite the difficulty of thinking statistically, people are typically over-confident in their judgements. They over-estimate their understanding of the world and under-estimate the role of chance. Even experts are over-confident in their judgements.

Psychometric paradigm

The “psychometric paradigm” assumes that risk is subjectively defined by individuals, influenced by factors that can be elicited by surveys. People’s perception of the risk from different hazards depends on three groups of factors:

  • Dread – the degree to which the hazard is feared or might be fatal, catastrophic, uncontrollable, inequitable, involuntary, increasing or difficult to reduce.
  • Unknown – the degree to which the hazard is unknown to those exposed, unobservable, delayed, novel or unknown to science.
  • Number of people exposed.

Hazards with high perceived risk are in general seen as less acceptable and more in need of reduction.

Cultural theory of risk

Cultural Theory views risk perception as a collective phenomenon by which different cultures select some risks for attention and ignore others, with the aim of maintaining their particular way of life.[57] Hence risk perception varies according to the preoccupations of the culture. The theory distinguishes variations known as “group” (the degree of binding to social groups) and “grid” (the degree of social regulation), leading to four world-views:

  • Hierarchists (high group /high grid), who tend to approve of technology providing its risks are evaluated as acceptable by experts.
  • Egalitarians (high group/low grid), who tend to object to technology because it perpetuates inequalities that harm society and the environment.
  • Individualists (low group/low grid), who tend to approve of technology and see risks as opportunities.
  • Fatalists (low group/high grid), who do not knowingly take risks but tend to accept risks that are imposed on them

Cultural Theory helps explain why it can be difficult for people with different world-views to agree about whether a hazard is acceptable, and why risk assessments may be more persuasive for some people (e.g. hierarchists) than others. However, there is little quantitative evidence that shows cultural biases are strongly predictive of risk perception.

Risk and emotion

The importance of emotion in risk

While risk assessment is often described as a logical, cognitive process, emotion also has a significant role in determining how people react to risks and make decisions about them. Some argue that intuitive emotional reactions are the predominant method by which humans evaluate risk. A purely statistical approach to disasters lacks emotion and thus fails to convey the true meaning of disasters and fails to motivate proper action to prevent them. This is consistent with psychometric research showing the importance of “dread” (an emotion) alongside more logical factors such as the number of people exposed.

The field of behavioural economics studies human risk-aversion, asymmetric regret, and other ways that human financial behaviour varies from what analysts call “rational”. Recognizing and respecting the irrational influences on human decision making may improve naive risk assessments that presume rationality but in fact merely fuse many shared biases.

The affect heuristic

The “affect heuristic” proposes that judgements and decision-making about risks are guided, either consciously or unconsciously, by the positive and negative feelings associated with them.  This can explain why judgements about risks are often inversely correlated with judgements about benefits. Logically, risk and benefit are distinct entities, but it seems that both are linked to an individual’s feeling about a hazard.

Fear, anxiety and risk

Worry or anxiety is an emotional state that is stimulated by anticipation of a future negative outcome, or by uncertainty about future outcomes. It is therefore an obvious accompaniment to risk, and is initiated by many hazards and linked to increases in perceived risk. It may be a natural incentive for risk reduction. However, worry sometimes triggers behaviour that is irrelevant or even increases objective measurements of risk.

Fear is a more intense emotional response to danger, which increases the perceived risk. Unlike anxiety, it appears to dampen efforts at risk minimisation, possibly because it provokes a feeling of helplessness.

Dread risk

It is common for people to dread some risks but not others: They tend to be very afraid of epidemic diseases, nuclear power plant failures, and plane accidents but are relatively unconcerned about some highly frequent and deadly events, such as traffic crashes, household accidents, and medical errors. One key distinction of dreadful risks seems to be their potential for catastrophic consequences, threatening to kill a large number of people within a short period of time. For example, immediately after the 11 September attacks, many Americans were afraid to fly and took their car instead, a decision that led to a significant increase in the number of fatal crashes in the time period following the 9/11 event compared with the same time period before the attacks.

Different hypotheses have been proposed to explain why people fear dread risks. First, the psychometric paradigm suggests that high lack of control, high catastrophic potential, and severe consequences account for the increased risk perception and anxiety associated with dread risks. Second, because people estimate the frequency of a risk by recalling instances of its occurrence from their social circle or the media, they may overvalue relatively rare but dramatic risks because of their overpresence and undervalue frequent, less dramatic risks. Third, according to the preparedness hypothesis, people are prone to fear events that have been particularly threatening to survival in human evolutionary history. Given that in most of human evolutionary history people lived in relatively small groups, rarely exceeding 100 people, a dread risk, which kills many people at once, could potentially wipe out one’s whole group. Indeed, research found that people’s fear peaks for risks killing around 100 people but does not increase if larger groups are killed. Fourth, fearing dread risks can be an ecologically rational strategy. Besides killing a large number of people at a single point in time, dread risks reduce the number of children and young adults who would have potentially produced offspring. Accordingly, people are more concerned about risks killing younger, and hence more fertile, groups.

Outrage

Outrage is a strong moral emotion, involving anger over an adverse event coupled with an attribution of blame towards someone perceived to have failed to do what they should have done to prevent it. Outrage is the consequence of an event, involving a strong belief that risk management has been inadequate. Looking forward, it may greatly increase the perceived risk from a hazard.

Human factors

One of the growing areas of focus in risk management is the field of human factors where behavioural and organizational psychology underpin our understanding of risk based decision making. This field considers questions such as “how do we make risk based decisions?”, “why are we irrationally more scared of sharks and terrorists than we are of motor vehicles and medications?”

In decision theory, regret (and anticipation of regret) can play a significant part in decision-making, distinct from risk aversion(preferring the status quo in case one becomes worse off).

Framing is a fundamental problem with all forms of risk assessment. In particular, because of bounded rationality (our brains get overloaded, so we take mental shortcuts), the risk of extreme events is discounted because the probability is too low to evaluate intuitively. As an example, one of the leading causes of death is road accidents caused by drunk driving – partly because any given driver frames the problem by largely or totally ignoring the risk of a serious or fatal accident.

For instance, an extremely disturbing event (an attack by hijacking, or moral hazards) may be ignored in analysis despite the fact it has occurred and has a nonzero probability. Or, an event that everyone agrees is inevitable may be ruled out of analysis due to greed or an unwillingness to admit that it is believed to be inevitable. These human tendencies for error and wishful thinking often affect even the most rigorous applications of the scientific method and are a major concern of the philosophy of science.

All decision-making under uncertainty must consider cognitive bias, cultural bias, and notational bias: No group of people assessing risk is immune to “groupthink”: acceptance of obviously wrong answers simply because it is socially painful to disagree, where there are conflicts of interest.

Framing involves other information that affects the outcome of a risky decision. The right prefrontal cortex has been shown to take a more global perspective while greater left prefrontal activity relates to local or focal processing.

From the Theory of Leaky Modules McElroy and Seta proposed that they could predictably alter the framing effect by the selective manipulation of regional prefrontal activity with finger tapping or monaural listening. The result was as expected. Rightward tapping or listening had the effect of narrowing attention such that the frame was ignored. This is a practical way of manipulating regional cortical activation to affect risky decisions, especially because directed tapping or listening is easily done.

Psychology of risk taking

A growing area of research has been to examine various psychological aspects of risk taking. Researchers typically run randomised experiments with a treatment and control group to ascertain the effect of different psychological factors that may be associated with risk taking. Thus, positive and negative feedback about past risk taking can affect future risk taking. In an experiment, people who were led to believe they are very competent at decision making saw more opportunities in a risky choice and took more risks, while those led to believe they were not very competent saw more threats and took fewer risks.

Other considerations

Risk and uncertainty

… Uncertainty must be taken in a sense radically distinct from the familiar notion of Risk, from which it has never been properly separated. The term “risk,” as loosely used in everyday speech and in economic discussion, really covers two things which, functionally at least, in their causal relations to the phenomena of economic organization, are categorically different. … The essential fact is that “risk” means in some cases a quantity susceptible of measurement, while at other times it is something distinctly not of this character; and there are far-reaching and crucial differences in the bearings of the phenomenon depending on which of the two is really present and operating. … It will appear that a measurable uncertainty, or “risk” proper, as we shall use the term, is so far different from an unmeasurable one that it is not in effect an uncertainty at all. We … accordingly restrict the term “uncertainty” to cases of the non-quantitive type.:

Thus, Knightian uncertainty is immeasurable, not possible to calculate, while in the Knightian sense risk is measurable.

Another distinction between risk and uncertainty is proposed by Douglas Hubbard:Uncertainty: The lack of complete certainty, that is, the existence of more than one possibility. The “true” outcome/state/result/value is not known.Measurement of uncertainty: A set of probabilities assigned to a set of possibilities. Example: “There is a 60% chance this market will double in five years”Risk: A state of uncertainty where some of the possibilities involve a loss, catastrophe, or other undesirable outcome.Measurement of risk: A set of possibilities each with quantified probabilities and quantified losses. Example: “There is a 40% chance the proposed oil well will be dry with a loss of $12 million in exploratory drilling costs”.

In this sense, one may have uncertainty without risk but not risk without uncertainty. We can be uncertain about the winner of a contest, but unless we have some personal stake in it, we have no risk. If we bet money on the outcome of the contest, then we have a risk. In both cases there are more than one outcome. The measure of uncertainty refers only to the probabilities assigned to outcomes, while the measure of risk requires both probabilities for outcomes and losses quantified for outcomes.

Mild Versus Wild Risk

Benoit Mandelbrot distinguished between “mild” and “wild” risk and argued that risk assessment and analysis must be fundamentally different for the two types of risk. Mild risk follows normal or near-normal probability distributions, is subject to regression to the mean and the law of large numbers, and is therefore relatively predictable. Wild risk follows fat-tailed distributions, e.g., Pareto or power-law distributions, is subject to regression to the tail (infinite mean or variance, rendering the law of large numbers invalid or ineffective), and is therefore difficult or impossible to predict. A common error in risk assessment and analysis is to underestimate the wildness of risk, assuming risk to be mild when in fact it is wild, which must be avoided if risk assessment and analysis are to be valid and reliable, according to Mandelbrot.

Risk attitude, appetite and tolerance

The terms risk attitudeappetite, and tolerance are often used similarly to describe an organisation’s or individual’s attitude towards risk-taking. One’s attitude may be described as risk-averserisk-neutral, or risk-seeking. Risk tolerance looks at acceptable/unacceptable deviations from what is expected. Risk appetite looks at how much risk one is willing to accept. There can still be deviations that are within a risk appetite. For example, recent research finds that insured individuals are significantly likely to divest from risky asset holdings in response to a decline in health, controlling for variables such as income, age, and out-of-pocket medical expenses.

Gambling is a risk-increasing investment, wherein money on hand is risked for a possible large return, but with the possibility of losing it all. Purchasing a lottery ticket is a very risky investment with a high chance of no return and a small chance of a very high return. In contrast, putting money in a bank at a defined rate of interest is a risk-averse action that gives a guaranteed return of a small gain and precludes other investments with possibly higher gain. The possibility of getting no return on an investment is also known as the rate of ruin.

Risk compensation is a theory which suggests that people typically adjust their behavior in response to the perceived level of risk, becoming more careful where they sense greater risk and less careful if they feel more protected. By way of example, it has been observed that motorists drove faster when wearing seatbelts and closer to the vehicle in front when the vehicles were fitted with anti-lock brakes.

Risk and autonomy

The experience of many people who rely on human services for support is that ‘risk’ is often used as a reason to prevent them from gaining further independence or fully accessing the community, and that these services are often unnecessarily risk averse. “People’s autonomy used to be compromised by institution walls, now it’s too often our risk management practices”, according to John O’Brien. Michael Fischer and Ewan Ferlie (2013) find that contradictions between formal risk controls and the role of subjective factors in human services (such as the role of emotions and ideology) can undermine service values, so producing tensions and even intractable and ‘heated’ conflict.

Risk society

Anthony Giddens and Ulrich Beck argued that whilst humans have always been subjected to a level of risk – such as natural disasters – these have usually been perceived as produced by non-human forces. Modern societies, however, are exposed to risks such as pollution, that are the result of the modernization process itself. Giddens defines these two types of risks as external risks and manufactured risks. The term Risk society was coined in the 1980s and its popularity during the 1990s was both as a consequence of its links to trends in thinking about wider modernity, and also to its links to popular discourse, in particular the growing environmental concerns during the period.

Safety

Safety is the state of being “safe”, the condition of being protected from harm or other danger. Safety can also refer to the control of recognized hazards in order to achieve an acceptable level of risk.

Meanings

There are two slightly different meanings of safety. For example, home safety may indicate a building’s ability to protect against external harm events (such as weather, home invasion, etc.), or may indicate that its internal installations (such as appliances, stairs, etc.) are safe (not dangerous or harmful) for its inhabitants.

Discussions of safety often include mention of related terms. Security is such a term. With time the definitions between these two have often become interchanged, equated, and frequently appear juxtaposed in the same sentence. Readers unfortunately are left to conclude whether they comprise a redundancy. This confuses the uniqueness that should be reserved for each by itself. When seen as unique, as we intend here, each term will assume its rightful place in influencing and being influenced by the other.

Safety is the condition of a “steady state” of an organization or place doing what it is supposed to do. “What it is supposed to do” is defined in terms of public codes and standards, associated architectural and engineering designs, corporate vision and mission statements, and operational plans and personnel policies. For any organization, place, or function, large or small, safety is a normative concept. It complies with situation-specific definitions of what is expected and acceptable.

Using this definition, protection from a home’s external threats and protection from its internal structural and equipment failures (see Meanings, above) are not two types of safety but rather two aspects of a home’s steady state.

In the world of everyday affairs, not all goes as planned. Some entity’s steady state is challenged. This is where security science, which is of more recent date, enters. Drawing from the definition of safety, then:

Security is the process or means, physical or human, of delaying, preventing, and otherwise protecting against external or internal, defects, dangers, loss, criminals, and other individuals or actions that threaten, hinder or destroy an organization’s “steady state,” and deprive it of its intended purpose for being.

Using this generic definition of safety it is possible to specify the elements of a security program.

Limitations

Safety can be limited in relation to some guarantee or a standard of insurance to the quality and unharmful function of an object or organization. It is used in order to ensure that the object or organization will do only what it is meant to do.

It is important to realize that safety is relative. Eliminating all risk, if even possible, would be extremely difficult and very expensive. A safe situation is one where risks of injury or property damage are low and manageable.

When something is called safe, this usually means that it is safe within certain reasonable limits and parameters. For example, a medication may be safe, for most people, under most circumstances, if taken in a certain amount.

A choice motivated by safety may have other, unsafe consequences. For example, frail elderly people are sometimes moved out of their homes and into hospitals or skilled nursing homes with the claim that this will improve the person’s safety. The safety provided is that daily medications will be supervised, the person will not need to engage in some potentially risky activities such as climbing stairs or cooking, and if the person falls down, someone there will be able to help the person get back up. However, the end result might be decidedly unsafe, including the dangers of transfer trauma, hospital delirium, elder abuse, hospital-acquired infections, depression, anxiety, and even a desire to die.

Types

There is a distinction between products that meet standards, that are safe, and that merely feel safe. The highway safety community uses these terms:

Normative

Normative safety is achieved when a product or design meets applicable standards and practices for design and construction or manufacture, regardless of the product’s actual safety history.

Substantive

Substantive or objective safety occurs when the real-world safety history is favorable, whether or not standards are met.

Perceived

Perceived or subjective safety refers to the users’ level of comfort and perception of risk, without consideration of standards or safety history. For example, traffic signals are perceived as safe, yet under some circumstances, they can increase traffic crashes at an intersection. Traffic roundabouts have a generally favorable safety record yet often make drivers nervous.

Low perceived safety can have costs. For example, after the 9/11 attacks in 2001, many people chose to drive rather than fly, despite the fact that, even counting terrorist attacks, flying is safer than driving. Perceived risk discourages people from walking and bicycling for transportation, enjoyment or exercise, even though the health benefits outweigh the risk of injury.

Security

Also called social safety or public safety, security addresses the risk of harm due to intentional criminal acts such as assault, burglary or vandalism.

Because of the moral issues involved, security is of higher importance to many people than substantive safety. For example, a death due to murder is considered worse than a death in a car crash, even though in many countries, traffic deaths are more common than homicides.

Risks and responses

Safety is generally interpreted as implying a real and significant impact on risk of death, injury or damage to property. In response to perceived risks many interventions may be proposed with engineering responses and regulation being two of the most common.

Probably the most common individual response to perceived safety issues is insurance, which compensates for or provides restitution in the case of damage or loss.

System safety and reliability engineering

System safety and reliability engineering is an engineering discipline. Continuous changes in technology, environmental regulation and public safety concerns make the analysis of complex safety-critical systems more and more demanding.

A common fallacy, for example among electrical engineers regarding structure power systems, is that safety issues can be readily deduced. In fact, safety issues have been discovered one by one, over more than a century in the case mentioned, in the work of many thousands of practitioners, and cannot be deduced by a single individual over a few decades. A knowledge of the literature, the standards and custom in a field is a critical part of safety engineering. A combination of theory and track record of practices is involved, and track record indicates some of the areas of theory that are relevant. (In the US, persons with a state license in Professional Engineering in Electrical Engineering are expected to be competent in this regard, the foregoing notwithstanding, but most electrical engineers have no need of the license for their work.)

Safety is often seen as one of a group of related disciplines: quality, reliability, availability, maintainability and safety. (Availability is sometimes not mentioned, on the principle that it is a simple function of reliability and maintainability.) These issues tend to determine the value of any work, and deficits in any of these areas are considered to result in a cost, beyond the cost of addressing the area in the first place; good management is then expected to minimize total cost.

Measures

Safety measures are activities and precautions taken to improve safety, i.e. reduce risk related to human health. Common safety measures include:

  • Chemical analysis
  • Destructive testing of samples
  • Drug testing of employees, etc.
  • Examination of activities by specialists to minimize physical stress or increase productivity
  • Geological surveys to determine whether land or water sources are polluted, how firm the ground is at a potential building site, etc.
  • Government regulation so suppliers know what standards their product is expected to meet.
  • Industry regulation so suppliers know what level of quality is expected. Industry regulation is often imposed to avoid potential government regulation.
  • Instruction manuals explaining how to use a product or perform an activity
  • Instructional videos demonstrating proper use of products
  • Root cause analysis to identify causes of a system failure and correct deficiencies.
  • Internet safety or Online Safety, is protection of the user‘s safety from cyber threats or computer crime in general.
  • Periodic evaluations of employees, departments, etc.
  • Physical examinations to determine whether a person has a physical condition that would create a problem.
  • Process safety management is an analytical tool focused on preventing releases of highly hazardous chemicals.
  • Safety margins/Safety factors. For instance, a product rated to never be required to handle more than 200 pounds might be designed to fail under at least 400 pounds, a safety factor of two. Higher numbers are used in more sensitive applications such as medical or transit safety.
  • Self-imposed regulation of various types.
  • Implementation of standard protocols and procedures so that activities are conducted in a known way.
  • Statements of ethics by industry organizations or an individual company so its employees know what is expected of them.
  • Stress testing subjects a person or product to stresses in excess of those the person or product is designed to handle, to determining the “breaking point”.
  • Training of employees, vendors, product users
  • Visual examination for dangerous situations such as emergency exits blocked because they are being used as storage areas.
  • Visual examination for flaws such as cracks, peeling, loose connections.
  • X-ray analysis to see inside a sealed object such as a weld, a cement wall or an airplane outer skin.

Standards organizations

A number of standards organizations exist that promulgate safety standards. These may be voluntary organizations or government agencies. These agencies first define the safety standards, which they publish in the form of codes. They are also Accreditation Bodies and entitle independent third parties such as testing and certification agencies to inspect and ensure compliance to the standards they defined. For instance, the American Society of Mechanical Engineers (ASME) formulated a certain number of safety standards in its Boiler and Pressure Vessel Code (BPVC) and accredited TÜV Rheinland to provide certification services to guarantee product compliance to the defined safety regulations.

United States

American National Standards Institute

A major American standards organization is the American National Standards Institute (ANSI). Usually, members of a particular industry will voluntarily form a committee to study safety issues and propose standards. Those standards are then recommended to ANSI, which reviews and adopts them. Many government regulations require that products sold or used must comply with a particular ANSI standard.

Government agencies

Many government agencies set safety standards for matters under their jurisdiction, such as:

  • the Food and Drug Administration
  • the Consumer Product Safety Commission
  • the United States Environmental Protection Agency

Testing laboratories

Product safety testing, for the United States, is largely controlled by the Consumer Product Safety Commission. In addition, workplace related products come under the jurisdiction of the Occupational Safety and Health Administration (OSHA), which certifies independent testing companies as Nationally Recognized Testing Laboratories (NRTL), see.

European Union

Institutions

  • the European Commission (EC)
  • the European Committee for Standardization (CEN)
  • the European Food Safety Authority (EFSA)
  • the European Safety Federation (ESF)

Testing laboratories

The European Commission provides the legal framework, but the different Member States may authorize test laboratories to carry out safety testing.

Other countries

Standards institutions

  • British Standards Institution
  • Canadian Standards Association
  • Deutsches Institut für Normung
  • International Organization for Standardization
  • Standards Australia

Testing laboratories

Many countries have national organizations that have accreditation to test and/or submit test reports for safety certification. These are typically referred to as a Notified or Competent Body.

Tags: