Risk assessment
Risk assessment is a step in a risk management
Risk management
Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities...

 procedure. Risk assessment is the determination of quantitative
Quantitative property
A quantitative property is one that exists in a range of magnitudes, and can therefore be measured with a number. Measurements of any particular quantitative property are expressed as a specific quantity, referred to as a unit, multiplied by a number. Examples of physical quantities are distance,...

 or qualitative value of risk related to a concrete situation and a recognized threat
Threat of force in public international law is a situation between states described by British lawyer Ian Brownlie as:The 1969 Vienna convention on the Law of Treaties notes in its preamble that both the threat and the use of force are prohibited...

 (also called hazard). Quantitative risk assessment requires calculations of two components of risk
Risk is the potential that a chosen action or activity will lead to a loss . The notion implies that a choice having an influence on the outcome exists . Potential losses themselves may also be called "risks"...

: R, the magnitude of the potential loss L, and the probability p, that the loss will occur.
In all types of engineering of complex systems sophisticated risk assessments are often made within Safety engineering
Safety engineering
Safety engineering is an applied science strongly related to systems engineering / industrial engineering and the subset System Safety Engineering...

 and Reliability engineering
Reliability engineering
Reliability engineering is an engineering field, that deals with the study, evaluation, and life-cycle management of reliability: the ability of a system or component to perform its required functions under stated conditions for a specified period of time. It is often measured as a probability of...

 when it concerns threats to life, environment or machine functioning. The nuclear, aerospace, oil, rail and military industries have a long history of dealing with risk assessment. Also, medical, hospital, and food industries control risks and perform risk assessments on a continual basis. Methods for assessment of risk may differ between industries and whether it pertains to general financial decisions or environmental, ecological, or public health risk assessment.


Risk assessment consists of an objective evaluation of risk in which assumptions and uncertainties are clearly considered and presented. Part of the difficulty in risk management is that measurement of both of the quantities in which risk assessment is concerned - potential loss and probability of occurrence - can be very difficult to measure. The chance of error in measuring these two concepts is large. Risk with a large potential loss and a low probability of occurring is often treated differently from one with a low potential loss and a high likelihood of occurring. In theory, both are of nearly equal priority, but in practice it can be very difficult to manage when faced with the scarcity of resources, especially time, in which to conduct the risk management process. Expressed mathematically,
Financial decisions, such as insurance, express loss in terms of dollar amounts. When risk assessment is used for public health or environmental decisions, loss can be quantified in a common metric such as a country's currency or some numerical measure of a location's quality of life. For public health and environmental decisions, loss is simply a verbal description of the outcome, such as increased cancer incidence or incidence of birth defects. In that case, the "risk" is expressed as
If the risk estimate takes into account information on the number of individuals exposed, it is termed a "population risk" and is in units of expected increased cases per a time period. If the risk estimate does not take into account the number of individuals exposed, it is termed an "individual risk" and is in units of incidence rate per a time period. Population risks are of more use for cost/benefit analysis; individual risks are of more use for evaluating whether risks to individuals are "acceptable"....

Risk assessment in public health

In the context of public health
Public health
Public health is "the science and art of preventing disease, prolonging life and promoting health through the organized efforts and informed choices of society, organizations, public and private, communities and individuals" . It is concerned with threats to health based on population health...

, risk assessment is the process of quantifying the probability of a harmful effect to individuals or populations from certain human activities. In most countries the use of specific chemicals or the operations of specific facilities (e.g. power plants, manufacturing plants) is not allowed unless it can be shown that they do not increase the risk of death or illness above a specific threshold. For example, the American Food and Drug Administration
Food and Drug Administration
The Food and Drug Administration is an agency of the United States Department of Health and Human Services, one of the United States federal executive departments...

 (FDA) regulates food safety through risk assessment. The FDA required in 1973 that cancer-causing compounds must not be present in meat at concentrations that would cause a cancer risk greater than 1 in a million lifetimes. The US Environmental Protection Agency provides basic information about environmental risk assessments for the public via its risk assessment portal.

How the risk is determined

In the estimation of risks, three or more steps are involved that require the inputs of different disciplines:
  1. Hazard Identification, aims to determine the qualitative nature of the potential adverse consequences of the contaminant (chemical, radiation, noise, etc.) and the strength of the evidence it can have that effect. This is done, for chemical hazards, by drawing from the results of the sciences of toxicology
    Toxicology is a branch of biology, chemistry, and medicine concerned with the study of the adverse effects of chemicals on living organisms...

     and epidemiology
    Epidemiology is the study of health-event, health-characteristic, or health-determinant patterns in a population. It is the cornerstone method of public health research, and helps inform policy decisions and evidence-based medicine by identifying risk factors for disease and targets for preventive...

    . For other kinds of hazard, engineering or other disciplines are involved.
  2. Dose-Response Analysis, is determining the relationship between dose and the probability or the incidence of effect (dose-response assessment). The complexity of this step in many contexts derives mainly from the need to extrapolate results from experimental animals (e.g. mouse
    A mouse is a small mammal belonging to the order of rodents. The best known mouse species is the common house mouse . It is also a popular pet. In some places, certain kinds of field mice are also common. This rodent is eaten by large birds such as hawks and eagles...

    , rat
    Rats are various medium-sized, long-tailed rodents of the superfamily Muroidea. "True rats" are members of the genus Rattus, the most important of which to humans are the black rat, Rattus rattus, and the brown rat, Rattus norvegicus...

    ) to humans, and/or from high to lower doses. In addition, the differences between individuals due to genetics
    Genetics , a discipline of biology, is the science of genes, heredity, and variation in living organisms....

     or other factors mean that the hazard may be higher for particular groups, called susceptible populations. An alternative to dose-response estimation is to determine an effect unlikely to yield observable effects, that is, a no effect concentration
    No effect concentration
    Measures of pollutant concentration are used to determine risk assessment in public health.Industry is continually synthesizing new chemicals, the regulation of which requires evaluation of the potential danger for human health and the environment...

    . In developing such a dose, to account for the largely unknown effects of animal to human extrapolations, increased variability in humans, or missing data, a prudent approach is often adopted by including safety factors in the estimate of the "safe" dose, typically a factor of 10 for each unknown step.
  3. Exposure Quantification, aims to determine the amount of a contaminant (dose) that individuals and populations will receive. This is done by examining the results of the discipline of exposure assessment
    Exposure assessment
    Exposure assessment is a branch of environmental science that focuses on the processes that take place at the interface between the environment containing the contaminant of interest and the organism being considered. These are the final steps in the path to release an environmental contaminant,...

    . As different location, lifestyles and other factors likely influence the amount of contaminant that is received, a range or distribution of possible values is generated in this step. Particular care is taken to determine the exposure of the susceptible population(s).

Finally, the results of the three steps above are then combined to produce an estimate of risk. Because of the different susceptibilities and exposures, this risk will vary within a population.

Small subpopulations

When risks apply mainly to small subpopulations, there is uncertainty at which point intervention is necessary. What if a risk is very low for everyone but 0.1% of the population? A difference exists whether this 0.1% is represented by *all infants younger than X days or *recreational users of a particular product. If the risk is higher for a particular sub-population because of abnormal exposure rather than susceptibility, there is a potential to consider strategies to further reduce the exposure of that subgroup. If an identifiable sub-population is more susceptible due to inherent genetic or other factors, there is a policy choice whether to set policies for protecting the general population that are protective of such groups (as is currently done for children when data exists, or is done under the Clean Air Act for populations such as asthmatics) or whether if the group is too small, or the costs to high. Sometimes, a more specific calculation can be applied whether it is more important to analyze each method specifically the changes of the risk assessment method in containing all problems that each of us people could replace.

Acceptable risk increase

The idea of not increasing lifetime risk by more than one in a million has become common place in public health discourse and policy. How consensus settled on this particular figure is unclear. In some respects this figure has the characteristics of a mythical number
Mythical number
Not to be confused with an imaginary number.A mythical number is a number used and accepted as deriving from scientific investigation and/or careful selection, but whose origin is unknown and whose basis is unsubstantiated. An example is the number 48 billion, which has often been accepted as the...

. In another sense the figure provides a numerical basis for what to consider a negligible increase in risk. Some current environmental decision making allows some discretion to deem individual risks potentially "acceptable" if below one in ten thousand increased lifetime risk. Low risk criteria such as these provide some protection for a case where individuals may be exposed to multiple chemicals (whether pollutants or food additives, or other chemicals). However, both of these benchmarks are clearly small relative to the typical one in four lifetime risk of death by cancer (due to all causes combined) in developed countries. On the other hand, adoption of a zero-risk policy could be motivated by the fact that the 1 in a million policy still would cause the death of hundreds or thousands of people in a large enough population. In practice however, a true zero-risk is possible only with the suppression of the risk-causing activity.

More stringent requirements (even 1 in a million) may not be technologically feasible at a given time or may be prohibitively expensive as to render the risk-causing activity unsustainable, resulting in the optimal degree of intervention being a balance between risks vs. benefit. For example, it might well be that the emissions from hospital incinerators result in a certain number of deaths per year. However, this risk must be balanced against the available alternatives. In some unusual cases, there are significant public health risks, as well as economic costs, associated with all options. For example, there are risks associated with no incineration
Incineration is a waste treatment process that involves the combustion of organic substances contained in waste materials. Incineration and other high temperature waste treatment systems are described as "thermal treatment". Incineration of waste materials converts the waste into ash, flue gas, and...

 (with the potential risk for spread of infectious diseases) or even no hospitals. Further investigation often identifies more options such as separating noninfectious from infectious wastes, or air pollution controls on a medical incinerator that provide a broad range of options of acceptable risk - though with varying practical implications and varying economic costs. Intelligent thought about a reasonably full set of options is essential. Thus, it is not unusual for there to be an iterative process between analysis, consideration of options, and follow up analysis.

Risk assessment in auditing

For audits performed by an outside audit firm, risk assessment is a very crucial stage before accepting an audit engagement. According to ISA315 Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement, "the auditor should perform risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control."inherent risk
Inherent risk
Inherent risk, in the audit of financial statements, is the risk that the account, disclosure or financial statement note being attested to by an independent CPA firm is materially misstated without considering internal controls due to error or fraud...

, control risk and detection risk.

Risk assessments performed by internal auditors are entirely different. They are usually designed to facilitate the annual audit plan. Using various elements, such as changes in volume of business, management, technology, and the economy, coupled with the knowledge and experience of management regarding the particular area, plus the previous rating of the area and the time since the last audit, the audit department determines which areas have more risk and should be a priority within the audit plan. These risk assessment are different than those prepared by the department. Those should be evaluated as part of the internal audit risk assessment process, but should not be the sole basis. Only internal audit department generated risk assessments should used for audit planning purposes. Likewise, internal audit should not be preparing risk assessments for the various departments. They should prepare their own. They are responsible for establishing policies and procedures designed to mitigate the risks identified by the risk assessment. It is internal audit's responsibility to evaluate the effectiveness of the departmentally prepared risk assessments and make recommendations for improvement.

Risk assessment and human health

There are many resources that provide health risk information.
The National Library of Medicine provides risk assessment and regulation information tools for a varied audience. These include TOXNET (databases on hazardous chemicals, environmental health, and toxic releases), the Household Products Database (potential health effects of chemicals in over 10,000 common household products), and TOXMAP
TOXMAP is a geographic information system from the United States National Library of Medicine that uses maps of the United States to help users visually explore data from the United States Environmental Protection Agency's Toxics Release Inventory and Superfund programs...

 (maps of US Environmental Agency Superfund
Superfund is the common name for the Comprehensive Environmental Response, Compensation, and Liability Act of 1980 , a United States federal law designed to clean up sites contaminated with hazardous substances...

 and Toxics Release Inventory
Toxics Release Inventory
The Toxics Release Inventory is a publicly available database containing information on toxic chemical releases and other waste management activities in the United States.-Summary of requirements:...

 data). The United States Environmental Protection Agency
United States Environmental Protection Agency
The U.S. Environmental Protection Agency is an agency of the federal government of the United States charged with protecting human health and the environment, by writing and enforcing regulations based on laws passed by Congress...

  provides basic information about environmental risk assessments for the public.

Risk assessment in information security

IT risk
IT risk
Information technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it...

 assessment can be performed by a qualitative or quantitative approach, following different methodologies.

Risk assessment in project management

In project management
Project management
Project management is the discipline of planning, organizing, securing, and managing resources to achieve specific goals. A project is a temporary endeavor with a defined beginning and end , undertaken to meet unique goals and objectives, typically to bring about beneficial change or added value...

, risk assessment is an integral part of the risk management plan, studying the probability, the impact, and the effect of every known risk on the project, as well as the corrective action to take should that risk occur.

Risk assessment for megaprojects

Megaprojects (sometimes also called "major programs") are extremely large-scale investment projects, typically costing more than US$1 billion per project. Megaprojects include bridges, tunnels, highways, railways, airports, seaports, power plants, dams, wastewater projects, coastal flood protection, oil and natural gas extraction projects, public buildings, information technology systems, aerospace projects, and defence systems. Megaprojects have been shown to be particularly risky in terms of finance, safety, and social and environmental impacts. Risk assessment is therefore particularly pertinent for megaprojects and special methods and special education have been developed for such risk assessment.

Quantitative risk assessment

Quantitative risk assessments include a calculation of the single loss expectancy
Single loss expectancy
Single Loss Expectancy is a term related to Risk Management and Risk Assessment. It can be defined as the monetary value expected from the occurrence of a risk on an asset.It is mathematically expressed as:...

 (SLE) of an asset. The single loss expectancy can be defined as the loss of value to asset based on a single security incident. The team then calculates the Annualized Rate of Occurrence (ARO) of the threat to the asset. The ARO is an estimate based on the data of how often a threat would be successful in exploiting a vulnerability. From this information, the Annualized Loss Expectancy
Annualized Loss Expectancy
The annualized loss expectancy is the product of the annual rate of occurrence and the single loss expectancy. It is mathematically expressed as:...

 (ALE) can be calculated. The annualized loss expectancy is a calculation of the single loss expectancy multiplied by the annual rate of occurrence, or how much an organization could estimate to lose from an asset based on the risks, threats, and vulnerabilities. It then becomes possible from a financial perspective to justify expenditures to implement countermeasures to protect the asset.

Risk assessment in software evolution

Studies have shown that early parts of the system development cycle such as requirements and design specifications are especially prone to error. This effect is particularly notorious in projects involving multiple stakeholders with different points of view. Evolutionary software processes offer an iterative approach to requirement engineering to alleviate the problems of uncertainty, ambiguity and inconsistency inherent in software developments.

Criticisms of quantitative risk assessment

Barry Commoner
Barry Commoner
Barry Commoner is an American biologist, college professor, and eco-socialist. He ran for president of the United States in the 1980 US presidential election on the Citizens Party ticket. He was also editor of Science Illustrated magazine.-Biography:Commoner was born in Brooklyn...

, Brian Wynne
Brian Wynne
Brian Wynne is Professor of Science Studies and Research Director of the Centre for the Study of Environmental Change at the University of Lancaster. His education includes MA , PhD , MPhil...

 and other critics have expressed concerns that risk assessment tends to be overly quantitative and reductive. For example, they argue that risk assessments ignore qualitative differences among risks. Some charge that assessments may drop out important non-quantifiable or inaccessible information, such as variations among the classes of people exposed to hazards. Furthermore, Commoner and O'Brien claim that quantitative approaches divert attention from precautionary or preventative measures. Others, like Nassim Nicholas Taleb consider risk managers little more than "blind users" of statistical tools and methods.

Risk assessment in shipping industry

As from July 2010 shipping companies implemented risk assessment prosedures in order to asses the risk in key shipboard operations. These procedures were implemented as part of the amended ISM code. The risk assessment should be performed before perfuming a key operation. If the risk is assessed to be high then additional measures must be implemented in order to reduce the risk. Shared knowledge from audits and some examples can be found in the following link.

See also

  • Benefit risk
  • Cost risk
  • Digital Continuity
    Digital continuity
    Digital continuity is the ability to maintain the digital information of a creator in such a way that the information will continue to be available, as needed, despite changes in digital storage technology. It focuses on making sure that information is complete, available and therefore usable...

  • Edwards v. National Coal Board
    Edwards v. National Coal Board
    Edwards v. National Coal Board was an important case in English case law. The 1949 case revolved around whether it was "reasonably practicable" to prevent even the smallest possibility of a rock fall in a coal mine.-Underlying facts:...

  • Extreme risk
    Extreme risk
    Extreme risks are risks of very bad outcomes or "high consequence", but of low probability. They include the risks of terrorist attack,biosecurity risks such as the invasion of pests, and extreme natural disasters such as major earthquakes.-Introduction:...

  • Flood risk assessment
    Flood risk assessment
    A flood risk assessment is an assessment of the risk of flooding, particularly in relation to residential, commercial and industrial land use.-England and Wales:...

  • Form 696
    Form 696
    Form 696 is a risk assessment form which the London Metropolitan Police requests promoters and licensees of events to complete and submit 14 days in advance of an event in 21 London boroughs. Non compliance with this may result in police opposition to event licenses being granted...

  • Green Globe
    Green Globe
    Green Globe is based on Agenda 21 principles for Sustainable Development endorsed by 182 Heads of State at the United Nations Rio De Janeiro Earth Summit . Green Globe Certification and Green Globe Asia Pacific deliver separate certification services and standards to the travel & tourism as well...

  • Hazard (risk)
    Hazard (risk)
    A hazard is any biological, chemical, mechanical, or physical agent that is reasonably likely to cause harm or damage to humans, other organisms, or the environment in the absence of its control.. This can include, but is not limited to: asbestos, electricity, microbial pathogens, motor vehicles,...

  • Hazard Identification
    Hazard Identification
    A Hazard Identification Study or HAZID is a tool for hazard analysis, used early in a project as soon as process flow diagrams, draft heat and mass balances, and plot layouts are available. Existing site infrastructure, weather, and geotechnical data are also required, these being a source of...

  • Health Impact Assessment
    Health Impact Assessment
    Health Impact Assessment is defined as "a combination of procedures, methods and tools bywhich a policy, program or project may be judged as to its potential effects on the...

  • Information assurance
    Information Assurance
    Information assurance is the practice of managing risks related to the use, processing, storage, and transmission of information or data and the systems and processes used for those purposes...

  • List of auditing topics
  • ISO 28000
  • ISO 31000
    ISO 31000
    ISO 31000 is intended to be a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management...

  • Megaprojects and Risk
  • Network Theory in Risk Assessment
    Network Theory in Risk Assessment
    A network is an abstract structure capturing only the basics of connection patterns and little else. Because it is a generalized pattern, tools developed for analyzing, modeling and understanding networks can theoretically be implemented across disciplines...

  • Optimism bias
    Optimism bias
    Optimism bias is the demonstrated systematic tendency for people to be overly optimistic about the outcome of planned actions. This includes over-estimating the likelihood of positive events and under-estimating the likelihood of negative events. Along with the illusion of control and illusory...

  • Probabilistic risk assessment
    Probabilistic risk assessment
    Probabilistic risk assessment is a systematic and comprehensive methodology to evaluate risks associated with a complex engineered technological entity ....

  • Probit model
    Probit model
    In statistics, a probit model is a type of regression where the dependent variable can only take two values, for example married or not married....

  • Reference class forecasting
    Reference class forecasting
    Reference class forecasting is the method of predicting the future, through looking at similar past situations and their outcomes.Reference class forcasting predicts the outcome of a planned action based on actual outcomes in a reference class of similar actions to that being forecast. The theories...

  • Risk
    Risk is the potential that a chosen action or activity will lead to a loss . The notion implies that a choice having an influence on the outcome exists . Potential losses themselves may also be called "risks"...

  • Risk aversion
    Risk aversion
    Risk aversion is a concept in psychology, economics, and finance, based on the behavior of humans while exposed to uncertainty....

  • Risk management
    Risk management
    Risk management is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities...

  • Risk management tools
    Risk management tools
    Risk Management is a non-intuitive field of study, where the most simple of models consist of a probability multiplied by an impact. Even understanding individual risks is difficult as multiple probabilities can contribute to Risk total probability, and impacts can be "units" of cost, time, events...

  • RiskAoA
    RiskAoA is a United States Department of Defense project Risk Management tool, allowing the instantaneous review of portfolio , proposal or alternatives Risk. It was designed by Air Force Research Laboratory Headquarters to perform predictive risk analysis for the Analysis of Alternatives ...

  • Security risk
    Security risk
    Security Risk describes employing the concept of risk to the security risk management paradigm to make a particular determination of security orientated events.According to CNSS Instruction No...

  • Strategic misrepresentation
    Strategic misrepresentation
    "Strategic misrepresentation is the planned, systematic distortion or misstatement of fact—lying—in response to incentives in the budget process...

General references

  • Barry Commoner
    Barry Commoner
    Barry Commoner is an American biologist, college professor, and eco-socialist. He ran for president of the United States in the 1980 US presidential election on the Citizens Party ticket. He was also editor of Science Illustrated magazine.-Biography:Commoner was born in Brooklyn...

    . “Comparing apples to oranges: Risk of cost/benefit analysis” from Contemporary moral controversies in technology, A. P. Iannone, ed., pp. 64–65.
  • Flyvbjerg, Bent, "From Nobel Prize to Project Management: Getting Risks Right." Project Management Journal, vol. 37, no. 3, August 2006, pp. 5-15.
  • Hallenbeck, William H. Quantitative risk assessment for environmental and occupational health. Chelsea, Mich.: Lewis Publishers, 1986
  • Harremoës, Poul, ed. Late lessons from early warnings: the precautionary principle
    Precautionary principle
    The precautionary principle or precautionary approach states that if an action or policy has a suspected risk of causing harm to the public or to the environment, in the absence of scientific consensus that the action or policy is harmful, the burden of proof that it is not harmful falls on those...

  • John M. Lachin. Biostatistical methods: the assessment of relative risks.
  • Deborah G. Mayo. “Sociological versus metascientific views of technological risk assessment” in Shrader-Frechette and Westra.
  • Nyholm, J, 2009 "Persistency, bioaccumulation and toxicity assessment of selected brominated flame retardants"

External links

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.