Risk management


1. Risk management and dependability

Risk is defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative.

Risk management is a set of concepts, approaches and tools applied in a continuous and iterative process that aims to successively identify and analyse risks, then assess and prioritize them. It also covers the means used to master, follow and control threats. Finally, all the experience gained is used to enrich our know-how: risk management appears as a way to consolidate information, share it, improve the overall knowledge of a problem, and encourage cooperative work and responsiveness in order to facilitate and optimize decision making.

Figure 1: A common approach to risk management, obtained from several studies in different fields such as information systems, software engineering, dependability, project management...

Dependability is defined as either the ability of an entity to satisfy one or more required functions under given conditions or a measure of a system's availability, reliability, and its maintenance support.

Beyond the classic definition given above, dependability is also considered a science of failures, built on the steps of identification, assessment, prediction, measurement and control of failures. Thus, dependability is not an end in itself; it can be seen as a way to reach the objectives of risk management by providing approaches, methods, tools and vocabulary.

2. The process of Risk management

In risk management, characterizing the situation is an essential task. Stating all the necessary information helps to analyse and understand the threats in any situation: identify the nature and type of events, and gather all the information on cause/effect links for a better understanding (and therefore better control) of risk. This first phase can be represented by the tree shown below:

Figure 2: First phase (Risk identification)

The second phase is to evaluate the risk quantitatively; this is fundamental in order to prioritize situations and suggest appropriate action plans. The literature offers many ways to evaluate risks. To summarize them, we cite: the risk-cost model proposed in Michaels and Wood (1989); Blaison (1992), which is based on functional analysis for weighting the assigned risk; Villemeur (1988), who proposes to amplify the importance of risk and its impacts and defines a model of risk for users. Similarly, for the construction of simplified models, Chapman and Ward (1997) define a 3 * 3 matrix and Blaison (1992) offers 4 * 4 matrices, but they do not assign the same levels of risk. Ruwaida Abdul Aziz described a 6 * 6 matrix (Aziz (1997)). Franceschini and Galetto (2001) raise the problem of interpreting quantitative and qualitative models; they offer a simplified "hybrid" valuation of risk.

Whatever the method used, we note that the chosen scales should be appropriate to the risk situation being analysed and to the expertise involved in the analysis. The importance of risk assessment lies in the choice of relevant control actions. In Gouriveau (2003) the author proposes a typology of possible actions.

Figure 3: Policies of action control (the acceptance of risk obviously leads to no action. Nevertheless, taking the risk is the result of a decision, and it is worth identifying the "no action").
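The effect of the chosen scale on prioritization, and the recording of "no action" as an explicit decision, can be seen in the following added example (not taken from the cited works). The grids, band thresholds, acceptance rule and sample risks are all constructed for illustration and are not the matrices of Chapman and Ward, Blaison or Aziz.

```python
# Added example: constructed n x n grids, not the published matrices.

def level(value, n):
    """Bin a normalised value in [0, 1] onto an ordinal scale 1..n."""
    if not 0.0 <= value <= 1.0:
        raise ValueError("value must be in [0, 1]")
    return min(n, int(value * n) + 1)

def rate(prob, impact, n):
    """Return (score, band) for one risk on an n x n matrix."""
    score = level(prob, n) * level(impact, n)
    ratio = score / (n * n)            # share of the worst possible score
    band = "high" if ratio >= 0.5 else "medium" if ratio >= 0.2 else "low"
    return score, band

def register(risks, n):
    """Build a prioritised register: highest score first."""
    rows = []
    for name, (prob, impact) in risks.items():
        score, band = rate(prob, impact, n)
        # Assumption: only 'low' risks are accepted. Acceptance is still
        # recorded as an explicit decision, not silently dropped.
        decision = "accepted (no action)" if band == "low" else "action plan"
        rows.append((name, score, band, decision))
    return sorted(rows, key=lambda r: -r[1])

# Constructed sample risks: (probability, impact), both normalised to [0, 1].
RISKS = {
    "supplier delay": (0.30, 0.80),
    "tool wear": (0.70, 0.45),
    "label misprint": (0.10, 0.20),
}

if __name__ == "__main__":
    for n in (3, 4):
        print(f"{n} x {n} matrix")
        for row in register(RISKS, n):
            print("  %-15s score=%-2d band=%-6s %s" % row)
```

With these inputs the two top risks swap rank and band between the 3 x 3 and 4 x 4 grids, which is why ratings from matrices of different sizes cannot be compared directly.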

3. Tools of Risk Management

There is no standard procedure for the risk management process. Analysts have to use a variety of tools depending on the application context, the culture of their company, their experience and the expectations of the study that they lead. The tools used in risk management are almost the same as those developed for dependability analysis. They are generally distinguished according to their type of approach (inductive or deductive), their type of analysis (qualitative or quantitative) or their formalism (tabular, tree...).

Several tools are commonly used in industry, such as FMEA (Failure Mode and Effects Analysis), HAZOP (HAZard and OPerability study), HACCP (Hazard Analysis Critical Control Point), PHA (Process Hazard Analysis), Reliability Block Diagrams, Petri nets and Markov graphs. Studies carried out with these tools are all based on the analysis of sequential combinations, i.e., of functions, components or events, whether the purpose is purely qualitative (explanation of a phenomenon...), quantitative (probabilistic assessment...) or both. In addition, the analysis of a system relies on the representation of the system by models: functional model, structural model or event model.

We can classify risk management tools in six different families:

  • Informal tools such as Brainstorming, Interview, Questionnaires & Checklists, Rubrics, etc. These tools are essential for hazard identification.

  • Tabular tools such as Preliminary Risk Analysis (PRA), Failure Mode, Effects, and Criticality Analysis (FMECA), Hazard and Operability study (HAZOP), etc. These methods rely on the system's functions, its components and the associated events.

  • Arboreal tools such as Ishikawa diagram, Cause-effect Diagram, Fault Tree, Reliability Diagram, Event Graphs, etc. These tools are inductive/deductive approaches and prove useful for assessing risk by introducing computational treatment.

  • Network tools such as Petri Nets, Bayesian Networks, Markov Graphs, Controlled Interval Memory (CIM), etc. Although these tools are powerful and widely applicable, they are still less present in the first levels of risk analysis.

  • Mathematical tools such as Pareto Diagram, ABC Method, Monte Carlo, Bayes Theorem, etc.

  • Human reliability tools such as Technology for human error rate prediction, Human Cognitive Reliability, etc.

Figure 4: Deployment of risk management tools

Bibliography

R. Abdul Aziz. Management des risques dans les projets industriels elaboration et mise en oeuvre d'une methode, thèse de doctorat. PhD thesis, 1997.

G. Blaison. Extension de la sûreté du fonctionnement à la maîtrise des risques d'entreprise, thèse de doctorat. PhD thesis, Université de Nancy I, 1992.

CB. Chapman and SC. Ward. Project Risk Management : Processes, Techniques and Insights. John Wiley & Sons, 1997.

F. Franceschini and M. Galetto. A new approach for evaluation of risk priorities of failure modes in FMEA. International Journal of Production Research, 39(13):2991–3002, 2001.

R. Gouriveau. Analyse des risques : Formalisation des connaissances et structuration des données pour l’intégration des outils d'étude et de décision, thèse de doctorat. PhD thesis, Institut National Polytechnique de Toulouse, 2003.

J.V. Michaels and W.P. Wood. Design to Cost. New Dimensions In Engineering Series. John Wiley & Sons, 1989.

A. Villemeur. Sûreté des fonctionnements des systemes industriels. Volume 67 of Direction des Etudes et Recherches d'Electricité de France. Eyrolles, EDF, 1988.