Chapter 7

Risk Analysis
We must be constantly aware of the
likelihood of malfunctions
and errors.
Peter L. Bernstein
7.1. The nature of risk
7.1.1. Certainty and uncertainty
Certainty and uncertainty are two complementary concepts. Certainty
means that we know precisely that a given event will take place or not. It is a result
of complete information and of a trusting experience about a given event. For
example, having a Train table we know the departure time for all the trains leaving
the station Bucharest North. We consider these events to be certain. In urope,
except !reat Britain, driving the car on public roads is done on the right side of the
road. In !reat Britain, it is on the left side of the road. "hese are certain facts
imposed by legislation.
Uncertainty means that we do not have enough information about a given
event, or we do not have it at all. "he forecast about the next day weather contains
some useful information but it is an incomplete one. "here is no guarantee that
next day will rain or not. "here are good chances to rain, but nobody can tell
exactly when and how much rain there will be. "he forecast for the next week is
even less precise and certain. "he forecast for the next month contains much less
information and so on. #ncertainty has many degree of expressing it as a function
of the information and knowledge we have at a given moment. "hus, the field of
knowing about a given event is limited by knowing nothing $%ero information& and
knowing all we need $'(( per cent information&. For the limiting situation of
knowing everything about a given event we use the concept of certainty. For all
other situations we use the concept of uncertainty. "hus, certainty is only a
singular case of uncertainty. #ncertainty is the principle that there is a limit to the
precision and to the extent of knowledge about a sub)ect or an event. #ncertainty
arises because we cannot know everything. *Everything about the future is
uncertain, as is most of the past; even the present contains a lot of uncertainty, due
to your ignorance, and uncertainty is everywhere about you. ften the uncertainty
does not matter and you will be able to proceed as if tomorrow will be !ust like
today, where the sun will rise, the car will start, the food will not be poisoned, the
boss will be her usual self. Without this certainty, without this assurance of
continuity, life as we know it would be impossible+ $,indley, -((., p./&.
0ince uncertainty may be perceive as a field where knowing and ignorance
mix in different proportions, some authors consider that there is a scale of
uncertainty ranging from predictable uncertainty at one end to uncertain
uncertainty at the other $,uhmann, '112&. 3n example of a relatively predictable
uncertainty would be world demographics. 3n uncertain uncertainty might be
trying to predict technologies which have not yet been invented or developed.
0tatistics show that the worldwide population is estimated to grow by -1 per cent
by -(-' $i.e. a rise of './1 billion people&. In the #4, estimates are for a 5 per cent
population increase in the same time period $-.6 million people&. "he number of
'.7257years7olds will decline by '6 per cent and the number of 667.57years7olds
will have increased 5( per cent in the same time period. "hese estimates decrease
the uncertainty but they do not eliminate it. 8owever, based on these estimates
decision makers can anticipate some effects on their business. For instance, some
typical effects of demographic changes on clothing retailers might be $9c!ee,
"homas : Wilson, -((6&;
,arger market for cloths makers in the late7middle7aged group of the
population. 9ore opportunities for design and style in this market.
3 declining number of high7spending fashion7conscious '67-57years7olds.
3 greater number of more affluent *grannies+, who may spend more
money on clothes for the fewer babies that will be around.
#ncertainty is generating fear of unknown and for many people this fear is <uite
uncomfortable. 3s a result, many people would prefer the suppression of
uncertainty. *Those who choose to deny uncertainty invent a stable world of their
own. "uch people#s natural desire to reduce uncertainty, which may be basic to the
whole cognitive enterprise of understanding the world, is taken to the e$treme
point where they believe uncertainty does not e$ists+ $8astie : =awes, -((',
p.2->&. 3ctually, most of our education in schools is based on certainty and on
deterministic thinking, which means that any event will have probability e<ual to
one $i.e. the event will happen&, or e<ual to %ero $i.e. the event will not happen&. In
deterministic thinking the uncertainty is denied to create a false confidence
$Bratianu, -((1c&. =eterministic thinking is used extensively in science and in
legislation. 0cientific facts are repeatable and thus they can be verified by anybody
interested in that specific field of science. ,egal facts are uni<ue, they don?t repeat
themselves in the same contexts. *The repeatability aspect of science, with its
conse%uent removal of almost all uncertainty, often leads people to think that all
science is ob!ective, as it virtually is after there has been a lot of confirmatory
repetition, but active science is full of uncertainty, as healthy disagreement
between scientist testifies+ $,indley, -((., p.1&.
If the operational management deals with everyday problems, strategic
management deals with future problems. 8owever, the future does not exist. "here
is a future time only in our heads and everything related to the future is full of
uncertainty. 9anagers try to reduce this uncertainty by developing strategies to
achieve company goals in the next 276 years. "he better they deal with uncertainty
the higher their chances to achieve the pro)ected goals. *There are winners
because there is uncertainty or, to put it in a more positive way, without
uncertainty there can be no winners. &nstead of seeing uncertainty as a problem,
therefore, we had better start learning to love it as the basic source of our future
success+ $@an der 8ei)den et all., -((1, p.'2&.
7.1.2. Probabilities and risks
"o understand better the concept of probability, we shall emphasi%e the
fact that in a deterministic world an event may happen or not. If that event does
happen it is like a true statement we made about that event. If the event does not
happen, then it is like a false statement we made about that event. 8owever, in the
real world we cannot know with certainty that an event will precisely happen or
not. We belief that the event might happen. "he word belief reflects a relationship
between the person and the event. It is not a property of one?s thinking and it is not
a characteristic of that event. *'ather, belief e$presses a relationship between you
and the world, in particular between you and an event in that world. The word that
will be used to measure the strength of your belief is probability, so that we talk
about your probability that an event is true, or more succinctly your probability
for that event+ $,indley, -((., p.'-&.
!enerally speaking, probability shows how likely something is to happen.
From mathematical point of view, probability is a ratio showing the chances that a
particular thing will happen. ,et us consider an urn containing '(( ballsA -6 balls
have a red colour and /6 have a white colour. "he belief that the random
withdrawal of a red ball from this urn is measured by the value of the fraction
-6B'((. "hus, the probability of extraction of a red ball from this urn is the ratio of
favourable outcomes $-6& to the total opportunity set $'((&. It can be expressed as
2(C, or (.2. "here are many debates related to sub)ective versus ob)ective
interpretations of probabilities. 3ccording to ob)ective interpretations, probabilities
are real, and they constitute a metric to measure uncertainty. "hey can be
discovered by logic or estimated through statistical analyses. 3ccording to
sub)ective interpretations, probabilities are human beliefs. Individuals use them to
characteri%e their own uncertainty. ven if the chosen metric has a certain degree
of ob)ectivity, uncertainty measurement through probabilities and its interpretation
are intrinsically sub)ective in their nature. ,et us consider a gamble with the
following two possibilities;
$a& Win D6( with the probability of (.-, otherwise nothing.
$b& Win D2( with the probability of (.-6, otherwise nothing.
"he expected value of the alternative $a& is; (.- x D6( E D'(. "he expected value of
alternative $b& is; (.-6 x D2( E D/.6(. It is obvious that ob)ectively the probable
outcome of the alternative $a& is higher then the probable outcome of the
alternative $b&; D'( F D/.6(. 8owever, many people interpret sub)ectively these
two possibilities and choose alternative $b& because the probability to win is higher.
,et us change the context and consider the following two possibilities;
$c& Win D-(( with the probability of (./6, otherwise nothing.
$d& Win D'(( for sure.
"he probable outcome of the alternative $c& is; (./6 x D-(( E D'6(. "he outcome
of the alternative $d& is D'(( with certainty. "he expected value of the alternative
$c& is higher than the expected value of alternative $d&; D'6( F D'((. 8owever, the
great ma)ority of people will prefer the alternative $d& because is winning is
certain. 3ctually, these above examples reflect two important facts;
$'& Geople have a sub)ective perception of uncertainty and risk.
$-& 9ost of the people have the tendency of avoiding risks, by choosing those
events and alternatives of actions for which the probabilities have a smaller
value, regarding the final expected value of the other alternatives.
"here is a challenging game played at one famous 3merican "@ show known as
the *9onty 8all problem+ which illustrates in a beautiful way the conflict between
ob)ective probability and the sub)ective perception of it, as explained by Blake
$-((>&. 9onty 8all was the host of the show. In the beginning, 9onty showed the
contestant three closed doors. "hen, 9onty explained that there is a car behind one
door, selected at random, and a goat behind each of the other two doors. 9onty
then asks the player to choose one of the doors, making the assumption that the
contestant would like to get the car and not a goat. When the player has chosen a
door, and the door remains shut for the moment, 9onty opens one of the remaining
doors and everybody see a goat. 8e then offers the contestant a simple choice;
$a& =o you want to change the doorH, or
$b& =o you want to stick with your first choiceH
"hink for yourself. If you consider that now there is one out of two chances to
guess the door with the car behind it, you would stick with the initial choice. "his
problem given many times to people in a laboratory context showed a preference
of .(C for sticking with the first choice, indicating a perception of (.6 probability
to guess the car in the new situation. Inly 5(C wanted to change the door. "he
interesting fact is that there is a clear conflict between the ob)ective probability and
the way people perceive it in this game. For a better understanding we shall
consider all possible combinations of the car and the goats behind the three doors
$fig. /.'& in the beginning of the game.
Figure 7.1. Illustration for the Monty Hall problem
,et us consider that the player has chosen the left7hand of the doors, which is
indicated in fig./.' with a bold outline. "he rectangles crossed by a diagonal line
represent the doors opened by 9onty, and the arrows show the option for changing
the door. 3s you can guess, 9onty knows behind which door is the car and he
always will open a door behind which there is a goat. If the player sticks with his
first choice, there is ' chance out of 2 possible events for him to guess the door
with the car. If the player would like to change the door, after the door with the
goat behind is opened, there are - chances out of 2 possible events for him to guess
the door with the car. "hus, the illustration shows very clearly that changing the
door increases the chances for guessing the car. 8owever, even after such a
CAR GOAT GOAT
GOAT CAR GOAT
GOAT GOAT CAR
detailed explanation some people still consider that actually there is a clear '
chance out of two possible events after one door is opened, for the very reason that
there are only - doors remained closed. "here is no need of complex probability
theory to demonstrate that our intuition is based on a sub)ective probability, which
sometimes might be in conflict with the ob)ective situation.
Jisk is a concept with many meanings and definitions, depending on the
specific application and situational contexts. In engineering and in business risk
denotes some potential negative conse<uences with respect to course of an action.
"hese conse<uences depend on the probability of occurrence of a certain
unfavourable event and on the magnitude of losses generated by that event. If we
consider the risk of an earth<uake for a given city, then we must compute
somehow the probability of producing an earth<uake in that city and what could be
the value of total damages produced by that event, of course as a function of its
intensity. In <uantitative terms, the value of risk is defined as following;
'isk ( )*robability of an accident+ $ )losses per accident+.
8owever, there are fields of activity where risk has also positive meanings.
For instance, in game theory or in finance, risk is only a measure of the variance of
possible outcomes. Financial risk is often defined as the unexpected variability or
volatility of returns, and thus includes both potential worse than expected as well
as better than expected returns. !ambling is a risky investment, wherein money on
hand is risked for a possible large return, but also the possibility of loosing it. In
the other hand, putting money in a bank at a defined rate of interest is a risk7averse
course of action, which means a guaranteed return of a small gain.
In *ro!ect ,anagement risk is defined as the *cumulative effect of the
probability of uncertain occurrences that may positively or negatively affect
pro!ect ob!ectives- $Gritchard, -((', p.1&. It is important for a pro)ect manager to
understand if a pro)ect event is risky or not, by considering its potential
occurrences. valuating risk in this manner re<uires using some )udgement. For
example, although a given event may have a very low probability of happening, its
negative conse<uences may be catastrophic. "hink, for example, at the nuclear
catastrophe produces at Khernobyl. 3t a different scale, a commercial airline flight
illustrates this type of situation; although the probability of a crash is low, the
conse<uences are generally grave. "he nature of any given risk is composed of
three fundamental elements; the event, the probability of event occurrence, and the
severity or impact of event occurrence. In order to perform a risk analysis it is
important to define accurately the event and to associate to it a good guess
probability. 3lso, describing the possible conse<uences and evaluating their impact
is extremely important. "hat means to have a good data basis and to use a creative
mind in developing different possible scenarios. In tab./.' there are presented
different categories of risks facing organi%ations $9c!ee, "homas : Wilson,
-((6, p.62-&.
Table 7.1 Categories of riss fa!ing organi"ations
Ris !ategory #$amples #n%ogenous&e$ogenous to
organi"ation
0"J3"!L Khanging patterns of demand
Kompetitor actions
Khanging markets
BusinessB!overnment
relationships
New disruptive technologies
introduced
9ostly exogenous
9ostly exogenous
9ostly exogenous
ndogenous and exogenous
xogenous
IGJ3"IIN0 9anufacturingBprocess systems
FinancialBaccounting controls
Jegulators
ndogenous
ndogenous
xogenous
KINI9IK Goor cash flow
Khanges in interest rates
Kurrency exchange
Goor credit
9ostly exogenous
xogenous
xogenous
xogenous and endogenous
83M3J=0 Natural disasters such as
earth<uake or volcano
"errorist attacks
Kriminal activity
I" failure
xogenous
xogenous
xogenous and endogenous
xogenous
"able /.' contains only some of the most common examples. In real life of any
organi%ation can be many more such examples. 8owever, this above classification
can help decision makers in breaking down the risks into smaller categories and to
deal easier with them following some similarities with the known risks. In that
way, decision makers can rate each risk for severity and potential loss. In total,
such a rating can produce an overall risk assessment score for an organi%ation.
0ome authors make a distinction between managerial risk and
organi%ational risk $9c!ee, "homas : Wilson, -((6&. ,anagerial risk taking is
where managers make choices associated with uncertain outcomes. For instance,
high levels of heterogeneity in the composition of top management are likely to
promote greater risk taking. 9anagers with different backgrounds will have
different views concerning risk interpretation and thus chances to make harder
decisions associated with higher risks are greater. In the other hand, experience
demonstrated that homogeneous top management teams have a greater tendency to
preserve the status <uo and only take action on less risky decisions. rgani.ational
risk is where organi%ations face volatile income streams which are associated with
turbulent and unpredictable environments. "he more complex the environment is,
the greater the degree of organi%ational risk is. 3lso, the higher level of dynamism,
the greater the organi%ational risk. 8ere, dynamism refers to the stochastic
characteristics of the internal and external business environment. "hese
characteristics include, for example, discontinuities caused by the introduction of
new technologies or novel products from competitors.
7.2. The subjective perception of risk
7.2.1. Loss and gain
Because of the sub)ective interpretations of uncertainty and probability,
there is a different perception of risk at the individual level of people, as well as at
the organi%ational level. "he same event might be considered risky by some
individuals and less risky by others. 3lso, two different events having the same
level of risk might be perceived as having different levels of risks. "he perception
of risk is a complex and sub)ective process. ,et us consider the situation 3 as
being the cumulative effect of '(( deaths produced in car accidents in a certain big
city during one year, and let consider the situation B as being '(( deaths as a result
of an airplane crash, during the same year. 3lthough the number of deaths is the
same, for the same time interval and the same city, the situation B is perceived of
being more dangerous than the situation 3. "hat is because the psychological
impact of learning of '(( people who died )ust in one event is much greater than
the psychological impact of only one person who died in one event. "his might be
the explanation why people consider flying an airplane being much more
dangerous than driving a car.
Jesearch shows that there are four important influences on risk perception;
how one understands risk, how one perceives loss and gain, cognitive biases, and
personality $Fenton7I?Kreevy : 0oane, -(('&. #nderstanding risk is marked by
two important factors; fear and control. Fear factor means how much we dread the
potential outcome, and the control factor means the extent to which we are in
control of events. When risks combine both dread and lack of control, for example
in a nuclear accident, they are perceived as very great. In financial markets, both
factors can be significant. Individuals make decisions more because of the fear of
losing than in the hope of winning. "hus, a ma)or component of risk perception is
how we perceive loss and gain. *When people are in a position of gain, they
become increasingly risk averse and unwilling to accept gambles because they
wish to hold on to their gains. When people are in a position of loss and as losses
increase, they become more risk seeking because they have nothing very much to
lose+ $Fenton7I?Kreevy : 0oane, -((', p.-.&. "his kind of asymmetry could be
found in perceiving financial losses and gains, but it could be applied also to some
intangible elements like reputation and brands. "he decision makers will tend to
prefer a sure gain over a probable gain of expected e<ual value. We emphasi%e the
fact that loss and gain are relative concepts, since we may have different answers
for the <uestions; 8ow much lossH 8ow much gainH Khanging the reference
system the meaning of loss and gain is also changed. For instance, a businessman
may consider a gain if the huge loss )ust evaluated can be reduced. "he effects of
loss, gain and the reference system presented above can operate also at the group
and organi%ation levels. 8owever, at the group level things are different since
decisions can be negotiated but risk perceptions not.
,iving with uncertainty and risks becomes a necessity. "he unexpected and
rapid changes in all components of our business life lead for new competences and
skills in decision making under uncertainty and risk management as an integrated
part of the operational and strategic management. 3fter all, *Without uncertainty,
there would be no hope, no ethics, and no freedom of choice. &t is only because we
do not know what the future holds for us )e.g. the e$act time and manner of our
death+ that we can have hope. &t is only because we do not know e$actly the results
of our choices that our choice can be free and can pose a true ethical dilemma+
$8astie : =awes, -((', p.2->&.
7.2.2. Cognitive biases
Kognitive biases exist due to our thinking models formed through
education and cultural embedding. For instance, individuals who have a well
developed deterministic thinking model will be afraid of uncertainty and will have
the tendency to avoid making decisions in situations characteri%ed by a high level
of uncertainty. "his bias will contribute to losing many opportunities due to their
associated uncertainties. "he risk of not taking into consideration some
opportunities might be higher than the risk of challenging them.
Kognitive biases may arise also from heuristics, that appear as intuitions,
insights or hunches that help us in working out a solution much faster than the
rational solutions. 8euristics are <uite useful in complex situations since they
allow us to simplify them and obtain solutions in a faster way. 3nother common
bias is the confirmation bias. In many situations people make assumptions or
predictions about possible events, and many of them have a tendency to pay more
attention to information that confirms the working hypothesis than to information
that contradicts it. In other words, many people see what they wanted to see and
thus the risks cannot be identified due to unseen information $Fenton7I?Kreevy :
0oane, -(('&. 3lso, we may include here the turkey metaphor. *Consider a turkey
that is fed every day. Every single feeding will firm up the bird#s belief that it is the
general rule of life to be fed every day by friendly members of the human race
/looking out for its best interests#, as a politician would say. n the afternoon of
the Wednesday before Thanksgiving, something une$pected will happen to the
turkey. &t will incur a revision of belief+ $"aleb, -((/, p.5(.
"his king of rare and unexpected events created the Black 0wan syndrome,
described in details by "aleb. "he impact of the highly improbable events is much
more than we are aware. Black 0wan logic makes what we don#t know to be much
more relevant than what we do know. 8owever, it is important to emphasi%e the
relativity of the reference system. In the turkey metaphor the unexpected event
happens to be for the turkey and not for the butcher. In the contrary, he knows
very well the tradition of having at the lunch turkey for "hanksgiving.
Gersonality plays a very important role in risk perception through some
innate dispositions $i.e. feelings, preferences, sensitivities, habits, reactions etc.&.
For instance, an individual who is sensation seeking will have the tendency to
perceive risks as small. 3ny risk tends to be discounted because of the possible
gains in excitement. 3lso, an optimistic person will consider a given event less
risky than a pessimistic one. Iptimistic leaders will si%e any opportunities, while
pessimistic leaders will consider same opportunities as threats.
Jesearch demonstrated that the illusion of control may lead to poor risk
management. 9anagers should be aware of the conditions that encourage this bias.
"he conclusion of this section concerning cognitive biases is that managers should
be aware of the clear difference between the ob)ective risk evaluated using
probabilities and the sub)ective perception of risk based on individual and
organi%ational experience; *0 management strategy that acknowledges the
individualistic and variable nature of risk perception and enables the open
discussion and reconciliation of such difference will increase the effectiveness of
decision making+ $Fenton7I?Kreevy : 0oane, -((', p.-1&.
7.3. Risk management
7.3.1. Risk identification and definition
Jisk management is a complex process which integrates the following
main activities; risk identification, risk definition, risk evaluation, risk mitigation,
risk monitoring and control $fig./.-&. "hese activities are presented in a simple
linear se<uence for simplicity. In reality they are complex and nonlinear activities,
with many feedbacks and iterations. 0ince many sources of the organi%ational risks
belong to the external business, political, technological and social environment, the
new approach is that of the integrated risk management.
In the last decades there was a change in the risk management role and
recognition in the company?s life. 8owever, *the drivers of risk management
institutionali.ation are not so much globali.ation, regulation, shareholder value,
new technologies, or even the pace of change )though these are undoubtedly
important+, but changing responsibilities, values, and e$pectations among
managers+ $8unt, -((', p.-12&.
Figure 7.' The pro!ess of ris management
Risks identification. Jisks are always associated with uncertainty and with
the human nature of generating errors. 3lso, technology used may causes some
failures. 8owever, risks are not self evident events. "hey must be searched for and
Jisk Identification
Jisk =efinition
Jisk valuation
Jisk 9itigation
Jisk 9onitoring
identified in any pro)ect design or decision making process. We may say that risks
must be discovered, )ust because they are probable events placed in a future
pro)ect. It is necessary to use the devil?s advocacy procedure and a very creative
mind. Nust think of the terrorists attacks at 0eptember '', -((' in New Lork. Inly
a diabolical mind could have ever imagined such a scenario. 3nd, it did happen. In
any pro)ect design things can go wrong from different known or unknown yet
reasons. It is the duty of the manager to search for any possible and probable event
that may harm the course of the action, or for those conse<uences which may
follow the implementation of a given decision. "hus, risk identification is almost
an art because there are no scientific procedures to identify the probable risks.
Jisk identification seeks to pin down all risks facing the business, from
stationary theft to fraud, liability, and fatality, without placing a value on these
risks. In a top7down risk mapping process, risks are identified by examining
publicly available information, conducting risk identification workshops with
senior managers, or applying risk identification techni<ues to financial data. In a
bottom7up process, workshops are held with middle and lower managers, with
results aggregated up to board level. "hus, risks are about events that, when
triggered, cause problems. 8ence, risk identification can start with the source of
problems, or with the problem itself. Jisk sources may be internal or external to
the system that is the target of risk management.
Jisks are related to identified threats. "hreats may exist with various
entities, most important with shareholders, customers and legislative bodies such
as the government, or with competitors from the business environment. 3lso,
threats can be identified from a 0WI" analysis of the company or of the strategic
business unit. "he chosen method of identifying risks may depend on culture,
industry practice and compliance. Kommon risk identification methods are;
b!ectives1based risk identification. "he company establishes strategic and
operational ob)ectives. 3ny event that may endanger achieving an
ob)ective partly or completely is identified as risk. 3lso, any existing
uncertainty may be associated with a possible risk.
"cenario1based risk identification. 0cenarios are conceived for dealing
with uncertainty of the future pro)ect development, or market analysis.
3ny event that triggers an undesired scenario alternative is identified as
risk. 0cenarios can help identifying possible risks since they generate a
whole spectrum of possible futures, which means a large analysis basis for
a large field of uncertainties.
Ta$onomy1based identification. Basically, this method re<uires a breaking
down of each risk general source into several elemental risk sources. "his
method should be complemented with documentation reviews and
information gathering techni<ue. "hat means to make use of expert
interviews, analogy comparisons, the =elphy techni<ue and 0WI"
analysis. Identification of opportunities and threats and guessing their
possible impact on business course is a very useful tool.
Common1risk checking. In several industries lists with known risks are
available. ach risk in the list can be checked for application to a particular
situation. For instance, in the software industry there is a list of common
vulnerabilities and exposures.
Norion $-(('& classifies the company7wide risks as follows;
Business risks; product risk, technological risk, and macroeconomic risk.
Business risks are considered those that the company willingly assumes in
order to create a competitive advantage. "hese risks are called symmetrical
because they can generate both losses and gains.
vent risks $non7business risks&; legal risk, reputational risk, disaster risk,
regulatory risk, and political risk. "hese risks are usually associated to
external causes and they are out of the company control. "hey are not
symmetrical risks since they may generate only losses.
Financial risks $non7business risks&; market risk, credit risk, li<uidity risk,
and operational risk. "hese risks are associated with the financial markets.
"hey are also symmetrical risks, since they may create both losses and
gains in time.
Risk definition. Ince identified as a probable event, the risk must be
defined. Jisk definition means the action of describing clearly the potential risky
event and the practical circumstances in which it might appear, as well as its
influence on the course of the future pro)ect development. If this step is done
properly, then the next steps will be done more accurately. =ealing with
uncertainties, the definition should not be interpreted in a deterministic way. It is
an action done to formulate as clearly as possible the nature of the risk, the factors
that could generates such a risk and its possible conse<uences on the decision
making process. Jisk definition is very close related to its evaluation or
measurement.
7.3.2. Risk evaluation
Ine of the most used formula for risk evaluation is that given in the first part of
this chapter, based on the probability of an event occurrence and the magnitude of
conse<uences of that event. For example, if statistics show that in a country there
are '6 million automobile accidents per year, and one accident in 2(( results in a
fatality, the societal risk of dying in a car accident during one year is;
Jisk E $'6x'(
.
accidentsByear& x $' deathB2(( accidents& E 6(,((( deathsByear.
It results that in risk evaluation it is extremely important to have a statistical data
basis which helps us in obtaining the probability values as significant fre<uencies
for different events.
Jisk measurement or risk evaluation means to obtain a <uantitative
estimate of the magnitude of the harmful event by using a certain method. "here
are different methods for different fields of activity, since each field has its own
specificity. In engineering, specialists use the event tree analysis and the fault tree
analysis. In the first case, the logic is to generate se<uences of events which are
interrelated from functional point of view, such that for any initial event we can
form a branch7like structure showing the propagation of failures. "he probability
of any particular outcome is obtained by multiplying together the succession of
probabilities along appropriate branch. 3 fault tree is essentially the reverse of an
event tree. For a particular failure, the fault tree is used to identify the
combinations and se<uences of others failures that lead to the given failure. In
business it is necessary to present the final conclusions in a financial metric.
7.3.3. Risk mitigation and control
Risk mitigation. Ince risks have been identified, defined and assessed, all
techni<ues to manage them fall into one or more of the following ma)or categories;
transfer, avoidance, mitigation, and acceptance. 'isk transfer means causing
another party to accept the risk, typically by contract. For example, insurance is
one type of risk transfer that uses contract. 'isk avoidance means simply to avoid
risky activities. For example, one person may avoid travelling by airplane in order
to avoid the risk of the airplane crash. 3voidance may seem the answer to any kind
of risk. 8owever, avoiding risks also means to loose the potential of some gains
which are actually associated to these risks. Not starting a business in order to
avoid the risk of loss also avoids the possibility of earning profits. It is important to
emphasis the fact that not all risks can be avoided or eliminated. 3lthough some
people belief that they can eliminate any risks, in their deterministic thinking, the
ignorance, ambiguity, and uncertainty will always create risks that )ust cannot be
eliminated or avoided. "his is a ma)or aspect of the difference between the
ob)ective and sub)ective risks.
'isk reduction means to think of different methods to reduce the severity
of possible negative conse<uences. For example, in office buildings there are
sprinklers designed to put out a fire to reduce the risk of loss by fire. In computer
science and software production modern methodologies reduce risks by developing
and delivering software incrementally. Grevious methods used to deliver software
only in their final stage of development, and any disfunction found imposed
reworking the whole program, which proved to be very costly. ,ooking at the
above formula for computing the risk value we see that reduction of risks can be
obtained also by reducing the probability of occurrence of the given event. If this
event is created by an outside source that is not under the management control,
reducing this probability will be almost impossible. 8owever, if the source of risk
is internal, then it is important to analy%e all the factors related to this risk and
working on them to reduce the probability of occurrence. "his is the classical
method used in <uality assurance. 'isk retention involves accepting the loss when
it occurs. "hat is a good strategy only when the magnitude of risk is rather small
and can be handled without a large cost.
Risk monitoring and control. "his is a very important part of risk
management, and it is done for accepted risks in order to keep the level of loss
under some expected values. 3lso, it is important to know that there is no further
generation of risky events which have not been taken into consideration in the risk
analysis procedure. 8owever, the efficiency of this stage of the risk management
depends on the efficiency of the previous stages. If there is no clear identification
and definition of each possible risk, or there is not an ade<uate measurement of the
risk, then it will be very difficult for managers to control the downside of the risk
evolution and for mitigation its conse<uences.
3s a conclusion of this chapter we shall refer again to one of 8unt?s
assertions; *Today, it is not an e$aggeration to say that risk assessment has
become central to all forms of management decision making. 'isk control is
viewed as essential to maintaining stability and continuity in the running of
corporations. 'egardless of specific risks, events, and industry sectors, risk
management is now seen as highly relevant to all corporate functions and
processes+ $8unt, -((', p.->1&.