All content in this area was uploaded by David Slater on Aug 05, 2016

Confidential – Draft for publication 1/3/2012

Risk Matrix Basics

Ben Ale (University of Delft), Pete Burnap and David Slater (Cardiff

University)

Abstract

There is a growing volume of discussion on the value or otherwise of the ubiquitous “Heat Maps”,

which have become de facto, the weapon of choice in discussing and comparing corporate,

national and global risks, whether for regulation, governance, or political justifications. This note

sets out to remind us of the strengths and limitations of blindly following standard recipes and

blithely extrapolating into inappropriate areas or applications. It all depends on understanding the

basis of their derivation and the limitations of inherent approximations from dumbing them down.

Introduction

Risk management is an increasingly important task in managing enterprises, companies, countries

and societies. The most prominent risks, which attract the public eye the most, are risks that involve

human life or health or the state of the environment. But in many cases the stakes are of a different

nature. In the financial markets risk usually is associated with losing money as a consequence of

investments turning bad, mortgages not being paid back or fraudulent bookkeeping. In construction

the risks are associated with completing a railroad in time and within budget or a building collapsing.

All these have in common that the outcome of an action, a decision or an activity is to a certain level

uncertain. The uncertainty not only pertains to the magnitude of the potential loss but also to the

question of the likelihood of a particular loss.

The political debate is often laden with confusion about the representation of risks, the magnitude

of risks and the decision-making tools and mechanisms. A typical example is the discussion about the

validity of risk matrices. In this discussion the presentation of the risk as points or lines is confused

with the decision mechanism - usually some red, yellow, green coloring scheme – and the choice of

the demarcations between these areas.

In this report we try to take away at least some of the confusion in the hope that the discussion will

depart from discussion about methods and focus on what should be important, which is the

discussion about acceptability. The latter discussion is completely and utterly political (Ale, 2003).

The need for graphical representations of risk often stems from the need to get around the physical,

chemical and mathematical instruments that play a role in safety science. This unfortunately

introduces many misconceptions, even about what has been published earlier. In order to

understand the discussions and to take away these misconceptions the reader is invited to bite the

bullet. In the following things will be kept as simple as possible but also be made as complicated as

necessary. The mathematical formulas are there to illustrate a point and sometimes give

mathematical proof for those who otherwise would not be convinced. They can also be skipped by

those who are willing to believe that everything stated as being fact in this report can be proven.

Risk management

In order to deal with uncertainty in an organised way the concept of probability is introduced.

Probability is the measure of the likelihood that something will happen. It has an exact mathematical

definition. Organised risk management starts with the estimation of the “magnitude” of the risks

involved followed by some process of decision making. The first – known – form of a decision making

principle was formulated by A. Arnaud in 1662:

Fear of harm ought to be proportional not merely to the gravity of the harm, but

also to the probability of the event

Risk therefore is a combination of consequences and probabilities. In Arnaud’s view the true measure

of risk is the multiplication of probability and consequence. Risk is probability times effect, which in

mathematical terms is designated the expectation of the consequences. We will see that

decisions that follow Arnaud’s rule in having the acceptability of an activity directly proportional to

this measure of risk are common in economics. However the more contentious decisions, and these

are often related to issues of life and death, do not seem to follow this rule. Many attempts have

been made to capture apparently different relationships between acceptability, probability and

consequence.

Therefore the process of risk management can be summarised as in figure 1 (van Leeuwen and Hermens, 1995). After identification of all the potential adverse events, the probabilities and consequences are modelled and quantified. The risks are also qualified. Qualification in this context means establishing other attributes of the activity with which the risk is associated and which are important for the decision to undertake the activity. These attributes are often value laden, especially when the risk involves potential harm to human life or health. Although it may seem that establishing the magnitude of risk is value free, it often is not, because, as we will see later, the way this magnitude is expressed may itself contribute to the framing of the decision. After this work has been done the information is ready for use in a decision making process. After it has been decided whether the risk is acceptable or has to be reduced, the risk is monitored and a new cycle may start depending on whether the risk seems to remain acceptable or not. Although decision is only a small block in the diagram of figure 1, this usually takes the most time and the most discussion. In particular, the discussions about the use of nuclear power, about the risks of chemical industry and the associated transport and about the long term effects of human activities on the climate of the earth have shown that in decision making there is often more than consequence and probability alone (Gezondheidsraad, 1993).

[Figure 1: Steps in the risk management cycle: Identification; Quantification (consequences and probabilities); Qualification (kind of risk); Decision; Reduction (when required); Monitor.]

In real life the risk management process is not as clean as the schematic suggests. As said before,

value judgements are often made in the steps where information is assembled and in this way the

gathering and presentation of information becomes a part of the decision making. As Harry Ottway

(1973, 1975) put it:

Risk estimation may be thought of as the identification of consequences of a

decision and the subsequent estimation of the magnitude of associated risks.

Risk evaluation is the complex process of anticipating the social response to risks;

… this could be termed as the “acceptability of risks”

We could also make a distinction between risk management and risk governance. Risk management

may be thought of as keeping risk within defined limits against defined costs. Risk governance is the

process in which we deal with a problem that involves risk, but also many other things.

Risk

In the sometimes heated discussions about risk acceptability, risk has been defined and redefined

countless times, often to reflect those aspects or arguments that a proposer or author deemed

important. This is not discussed here any further but serves as the argument why for this report a

number of definitions need to be given, as they will be used in this report, without prejudice about

the validity of any other definition one can give. Let event be an occurrence or happening resulting

from a decision.

Consequence (c) is the outcome of an event.

Probability (p) is the chance that the event will occur. Probability is a number between 0 and 1.

Frequency is the average rate per unit time (usually a year) that an event will happen. It is often also called the probability per year. The latter is mathematically imprecise and leads to much confusion. As an example take car accidents. There are a few hundred of these each year. Therefore the probability of a car accident is 1. (At least 1 has already happened so the probability cannot be smaller). For the future one might think that from tomorrow there is a chance that no more accidents will happen. In that case the probability of car accidents is smaller than 1. These probabilities however are highly uninformative. It is much handier to work with the (expected) number of accidents per year.

Riskpoint is the combination of the outcome and the probability/frequency of an event.

Riskset is the set of riskpoints of all possible events of a decision.

Risk (R) is the magnitude of riskset. R can be evaluated in various ways.

In many cases the discussion about risks involves an argument of uncertainty. This will be dealt with

later. For now it is sufficient to assume that consequences and probabilities can be established or

estimated.

In its simplest form the magnitude of risk is the total value of the expected outcomes or expectation

value. This is also referred to as risk is probability times consequence or

$$R = p \cdot c$$

If there is a range of consequences and the probabilities for the different outcomes are different

then the risk in general is

$$R = \sum_{i=1}^{n} p_i \cdot c_i$$

This definition of Risk is used in finance and insurance. It is a single number. Therefore risks measured

in this way can easily be compared.

Unacceptable consequences

The problem with measuring risks in the simple way described earlier is that it implies that the

decision maker will attach equal value to risks for which the R is equal; that it does not matter

whether there is a 1/100 chance of winning 100 euro or a 1/1000 chance of winning 1000 euros. In

normal life betting games this is often the case. However if the consequences are very high this

might no longer be the case. As an example after 9/11 insurance companies were no longer

prepared to insure losses in excess of 1 billion euros regardless of the probability. In such

circumstances the consequences and the probabilities or frequencies have to be presented and

considered separately.

Intermission: presenting risks

At this stage in this report it is necessary to introduce the various ways risk can be presented and

how uncertainty can be taken into account leading to even more complications.

The presentation of R as the product of c and f, or the sum of the products of c’s and f’s, is a single

number. The R of 100 euros with a probability of 1/100 is 1. This presentation is necessarily a two

dimensional picture. Usually f (frequency) is given as a function of c (consequences).

FN diagrams

Suppose the following list of events with consequences and frequencies is known:

| c | f |
|---|---|
| 1 | 0.85341 |
| 3 | 0.104124 |
| 4 | 0.057345 |
| 10 | 0.010761 |
| 25 | 0.001552 |
| 50 | 0.000376 |
| 1000 | 1.01E-06 |
| 10000 | 1.06E-08 |

The R for this set is 1.56. A graph using linear scales depicting these points looks like figure 2.

This is a very unfortunate representation as most points seem to be on the vertical axis. Therefore a

smarter way of presenting these numbers is in a so-called “double logarithmic” diagram in which the

values at the “tick marks” increase exponentially instead of linearly, as given in figure 3.

The frequencies in this example have been chosen to decrease with increasing consequences, but

that does not have to be the case. Suppose we have a list of events as follows:

| c | f |
|---|---|
| 1 | 6.04E-01 |
| 3 | 5.16E-01 |
| 4 | 6.47E-01 |
| 10 | 7.64E-01 |
| 25 | 9.93E-02 |
| 50 | 3.94E-01 |
| 1000 | 4.46E-01 |
| 10000 | 4.43E-01 |

[Fig 2: Frequencies and consequences on a linear scale (axes: C, f).]

[Fig 3: Frequencies and consequences on a double logarithmic scale (axes: C, f).]

That would on a double log scale look like figure 4.

The graph would sort of wander about. A much neater way of doing this is to add the frequencies up

from the largest consequence to the lowest. This always leads to a decreasing line (figure 5).

[Fig 4: Frequencies and consequences on a double logarithmic scale (axes: C, f).]

[Fig 5: Cumulative frequencies and consequences on a double logarithmic scale (axes: C, F).]

It should be noted that the frequency axes in figures 2-4 are labelled f and in figure 5 it says F, making the

difference between regular and cumulative frequencies. However this is not always done and

especially in the older literature, when the typesetting options were much more limited one has to

refer to the original paper to know. The graph with cumulative frequencies is called a

complementary cumulative distribution function (CCDF) and is the regular form of the FN diagram.

It should also be noted that there is no line drawn in any of these diagrams. That is because if the

consequences would be number of people killed, such a number could only be an integer. Before an

FN diagram can be converted into an FN curve a few further steps have to be taken.

This will be done after the histogram representation has been dealt with.

Histograms

In many cases the potential consequences are not precisely known. In such cases a number is

presented as a range of numbers and all events having consequences in that range are put in the

same bin.

Suppose that in total 40 accidents have been found with the following numbers of people affected:

| People affected | Accidents |
|---|---|
| 1-9 | 11 |
| 10-99 | 13 |
| 100-999 | 12 |
| 1000 - … | 4 |

This could be presented in a bar chart: (Fig 6 left)

Now suppose that these numbers could be refined to the following table:

| People affected | Accidents |
|---|---|
| 1 - 3 | 6 |
| 4 - 9 | 5 |
| 10 - 39 | 6 |
| 40 - 99 | 7 |
| 101 - 399 | 9 |
| 400 - 999 | 3 |
| 1000 - … | 4 |

Then the bar chart would look like figure 6 right. It should be noted that the numbers in each of the

bins on the right hand side are lower than that on the left hand side. This has implications when

these numbers are used in any measure of acceptability, but that will be dealt with later.

[Figure 6: Bar charts for numbers of events. Left: bins 1 - 9, 10 - 99, 100 - 999, 1000; right: bins 1 - 3, 4 - 9, 10 - 39, 40 - 99, 101 - 399, 400 - 999, 1000 - ….]

If one were to convert both diagrams into curves one could plot them in the same plot as given in

figure 7. The advantages of this representation are immediately obvious. The plot is invariant for the

size of the bins. Even if every bin were only one person wide, i.e. N = 1, N = 2 etc., even then the

figure would look the same. That is why in risk presentations the FN diagram or CCDF is the

preferred presentation.

It can be easily seen that should these numbers be found in a period of 1000 years the only thing left

to do is divide the values on the vertical axis by 1000 to get the number of events per year.

If one were to represent this data as continuous curves one could end up with curves such as in

figure 8. It is only for the reason that the numbers of cases do not decrease with increasing N that

one can see that the “bargraph” curve cannot be an FN diagram. Therefore these representations of

discrete data are dangerous for later interpretation and uses, but this habit is nonetheless

widespread.

[Figure 7: FN diagrams for numbers of events.]

[Figure 8: Curves (series: barchart, FN).]

A math trick

There is one trick however that changes neither the shape nor the values in the presentation of an

FN diagram, but increases its usability. This trick is to define the FN curve for non-integer numbers as

follows:

For N < M < N+1, F(M) = F(N). This converts the FN diagram into a stepwise continuous function.

This means that it can be integrated. As has been shown by Ale (1996) and by Jongejan (2008) the

integral under the curve is equal to the expectation value of the risk. Another advantage is that the

summation and abstraction rules for functions apply.
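The arithmetic of the FN diagrams, the histograms and the integration trick above, worked through as an added example (it is not code from the paper). It uses the two example tables and the two accident histograms from the text, assumes integer consequences, and the function names are illustrative.

```python
"""FN-diagram arithmetic on the example risk sets and accident histograms."""

# (consequence c, frequency f) pairs copied from the two tables in the text.
DECREASING = [(1, 0.85341), (3, 0.104124), (4, 0.057345), (10, 0.010761),
              (25, 0.001552), (50, 0.000376), (1000, 1.01e-06), (10000, 1.06e-08)]
WANDERING = [(1, 6.04e-01), (3, 5.16e-01), (4, 6.47e-01), (10, 7.64e-01),
             (25, 9.93e-02), (50, 3.94e-01), (1000, 4.46e-01), (10000, 4.43e-01)]

# Accident counts per bin from the histogram section: (lower bound of bin, count).
COARSE = [(1, 11), (10, 13), (100, 12), (1000, 4)]
REFINED = [(1, 6), (4, 5), (10, 6), (40, 7), (101, 9), (400, 3), (1000, 4)]


def expectation(riskset):
    """R = sum of p_i * c_i over all riskpoints."""
    return sum(c * f for c, f in riskset)


def fn_points(riskset):
    """Return [(N, F(N))] in ascending N, with F(N) the frequency of c >= N.

    Frequencies are added up from the largest consequence to the lowest, so
    F can never increase with N, whatever the individual f values do.
    """
    per_consequence = {}
    for c, f in riskset:                       # merge riskpoints sharing one c
        per_consequence[c] = per_consequence.get(c, 0.0) + f
    running, points = 0.0, []
    for c in sorted(per_consequence, reverse=True):
        running += per_consequence[c]
        points.append((c, running))
    return points[::-1]


def is_non_increasing(values):
    """True when no value is larger than the one before it."""
    return all(a >= b for a, b in zip(values, values[1:]))


def area_under_fn(riskset):
    """Area under the stepwise FN curve, for integer consequences.

    Every integer N carries a unit-wide step of height F(N). F(N) is constant
    between two consecutive consequence values, so the unit steps are grouped.
    """
    area, previous = 0.0, 0
    for n, big_f in fn_points(riskset):
        area += big_f * (n - previous)         # (n - previous) steps of height F(n)
        previous = n
    return area


def cumulative_count(bins, n):
    """Accidents affecting n or more people; n must be a lower bound of a bin."""
    return sum(count for lower, count in bins if lower >= n)


if __name__ == "__main__":
    for name, riskset in (("decreasing", DECREASING), ("wandering", WANDERING)):
        print(name, "R =", round(expectation(riskset), 4),
              "area under FN =", round(area_under_fn(riskset), 4))
        print("  f non-increasing:", is_non_increasing([f for _, f in riskset]))
        print("  F non-increasing:",
              is_non_increasing([big_f for _, big_f in fn_points(riskset)]))
    for n in (1, 10, 100, 1000):
        print("N >=", n, "coarse bins:", cumulative_count(COARSE, n),
              "refined bins:", cumulative_count(REFINED, n))
```

The cumulative counts agree at every boundary the two binnings share, which is the bin invariance the text describes, and the area under the stepped curve reproduces R for both risk sets.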

Risk Criteria

In the previous section nothing has been said about criteria. Until now, all diagrams were just representations of risk calculations, be it simple invented ones just for illustration.

It is obvious that the simplest way of limiting a risk is to set a maximum to the expectation value R. The simplest way to compare risks is on the basis of their expectation value. There are however two persistent problems with this approach. One is that in political choices higher consequences sometimes weigh heavier than smaller consequences and that it is sometimes desirable and sometimes necessary to do something about the so called “high consequence low probability” risks. Since the accident with the Deepwater Horizon this is also referred to as ruin prevention.

[Fig 9: Examples of risk matrices]

The other is that consequences are often multidimensional. They involve money lost, environment

damaged, people killed and injured.

To deal with the latter first, it is obvious that depicting all these dimensions separately would

result in an n-dimensional diagram. Given the problems people already have understanding a two

dimensional diagram – as will be seen later – people often choose to translate the consequences in

a single entity. The magnitude of that entity then is no longer a defined number expressed in

definable measures. It is a brew of all the consequences together. What is often forgotten is that

making this brew implies value judgments with respect to the mutual valuation of all the dimensions

involved. As it was put in judgments about airports in which people killed figure next to noise levels:

it implies the answer to the question how much dB a dead person is worth. That is one of the

reasons why larger companies refrain from brewing a one dimensional consequence thingy and treat

these kinds of risks separately.

The qualifications given to these consequences are often in terms of severe or mild and the

frequencies in terms of often or rare, which then can be put nicely into a diagram such as in figure 9.

In the top half of figure 9 it is only indicated when things get worse (redder). In passing it is noted

that the direction of the consequence axis runs from right to left, which is in mathematical terms at

least non-intuitive. In the lower half the suggestion already is made that the yellow boxes have

about the same “value” in terms of risk.

Unfortunately there are numerous examples of these risk matrices where the suggestion of equal

value is implied.

It is likely, but not certain, that the frequency axis is thought of to be non cumulative.

[Figure 10: Figure 3 made into a risk matrix (axis labels: Improbable to Probable; Low impact to High impact).]

Risk matrices

With these ingredients one can convert figure 3 into a risk matrix as in figure 10. However it is very

difficult not to interpret the boxes as having some numerical value. Obviously the demarcation

between acceptable and unacceptable can be put anywhere. But be aware: the frequencies are not

cumulative. Neither were they in the often cited Farmer curve (Farmer, 1987, Ball, 1998). That

Farmer’s curve looks like an FNH curve is purely by accident. In the nuclear energy industry high dose

events are less frequent than low dose events and thus Farmer’s curve is descending.

Every attempt to make a qualitative risk matrix into a quantitative one, in which the surface area

actually stands for a value and a constant valuation is assumed along some diagonal is asking for

trouble. In every step, therefore, implied weightings should be made explicit and probably debated in a

political arena.

Risk Criteria

The development of Fault Tree and Event tree techniques, from Second World War logistics,

through to high risk/consequence applications such as space flight and nuclear reactor reliability, is

the source of much of the modern risk manager’s repertoire. Some of the early ground breaking

work included comparisons of nuclear risks to “normal” risks, such as natural disasters and

transportation. This was displayed as a log/ log plot of frequency (of an event) versus the

Consequences (as number of fatalities caused) of that event, as seen in Figure 11 (Rasmussen, 1975).

Figure 11: fN curves for manmade risks (from Rasmussen 1975)

In the UK, Farmer (Farmer, 1987, Ball, 1998) utilised the frequency / dose plot to assess the likely

exposure of the public to the operation of a nuclear reactor. (Figure 3)

This gave him a total level of exposure, (societal dose, risk) normalised to specific local population

distributions. This was another form of PIG but capable of quantitative derivation of individual and

total (societal) fatality risk levels for specific sites. The consequences were calculated from

representative “model” loss of containment events, but the plot allowed an envelope of total impact

to be assessed.

As will be discussed later, there were a number of disadvantages associated with this

representation. That is why, in a further development, cumulative risk curves were developed in

which the vertical axis did not represent the frequency of a certain consequence, but rather the

frequency of exceeding a certain consequence.

These cumulative FN curves are usually concave curves. There is generally a finite intercept on the N

axis and as N tends to 0, the cumulative risk frequency tends to increasingly large numbers as the

impact becomes more and more trivial.

FN curves have been used in all kinds of industries, where quantitative risk analysis was introduced

as a means to gain insight into these risks and as a basis for subsequent decision making. Examples

are the Canvey Island study (HSE, 1978) and the COVO study (Cremer and Warner, 1981) (see Figure

4). The propagation of quantified risk analyses led to the further development of comprehensive

techniques, by which detailed fault-tree and event tree analyses could be summarized in information

ready form, for decision making (Cox, 1982; Ale, 1986, 1987).

[Figure 12: The Farmer curve (from Griffith (1982)); axes: C, f.]

These techniques were introduced back to the nuclear industry (full circle) in the independent risk

assessment done for the Sizewell B public Inquiry (Slater 1982), and were clearly more helpful than

the reams of computer generated Fault tree submissions (Westinghouse 1982). Finally some ten

years later the UK Nuclear Inspectorate published their own version (Harbison NII 1993).

In fact as early as 1976 the province of Groningen in the Netherlands published their views on the

acceptability of risk, given in figure 18 as an FN plot. In this diagram, there weren’t any colours (yet),

but the areas of acceptable, conditionally acceptable and non acceptable can clearly be seen. It can

also be seen that they thought that a consequence of 1000 people killed was too much. The

numbers killed below 1 were included (and rated) because they counted an injured person as 0.1 of

a kill. The figure shows that they were less risk averse when people were not killed.

Figure 13, FN curves from the COVO study

In most of the later diagrams published by HSE, the Governments of the Netherlands, Switzerland,

Australia and Hong Kong, only one straight line was given (the demarcation of unacceptability or

intolerability) and in some cases also a maximum as an anchor point. (As a straight line can then be

drawn given its anchor point and its slope). The slope is the expression of the risk aversion index

described above. The limits of acceptability can be summarised in a table as below: (Pikaar, 1995;

Ball, 1998)

Table 1 Selection of National Risk criteria

| Year | Country | Anchor N | Anchor F | Slope | Max N | Details |
|---|---|---|---|---|---|---|
| 1976 | UK | 10 | 10^-4 | | None | ACMH – UK HSE Advisory Committee on Major Hazards |
| 1978 | NL | 10 | 10^-4 | -2 | 1000 | Groningen - NL |
| 1982 | UK | 10 | 10^-4 | -1 | None | Kinchin – UK Nuclear Industry |
| 1988 | HK | 10 | 10^-4 | -1 | 1000 | Hong Kong |
| 1988 | NL | 10 | 10^-5 | -2 | None | TK (1988); acceptable line factor 100 lower |
| 1991 | UK | 500 | 10^-4 | -1 | 1000 | ACDS |
| 1993 | UK | | | -1 and -1.3 | ? | HSE Off shore |
| 1993 | UK | 10 | 10^-4 | -1 | 1000 | |
| 1995 | NL | 10 | 10^-5 | -2 | None | As 1988 but acceptable line removed |
| 1995 | NL | 10 | 10^-4 | -2 | None | For transport per km |
| 1997 | HK | 10 | 10^-4 | -1 | 1000 | For transport per instn. |

Figure 14. The risk map of the province of Groningen

The bodies setting these standards have been numerous and diverse; but the methods of

presentation have been the same, with the one exception of Farmer’s original curve, which was non-

cumulative, hence an fN curve rather than an FN curve. Demarcations (limit lines), between

acceptable and non acceptable regions, are given as straight lines or steps following the gridlines or

as curves. Areas in between such as “conditionally acceptable” can be given as well. With the

improvement of typesetting techniques, colours were added. The colouring scheme of traffic lights

is universally recognised, so that naturally, the unacceptable area became red, the acceptable area

green. With the introduction of fading colours in the Microsoft drawing packages, continuous

coloration made these diagrams look like heat maps. (As in Figure 10).

As discussed previously, in an FN curve, the total risk set is depicted as a cumulative frequency

distribution presentation. This means that the “risk” is not a single point in the diagram, but a line

that may or may not cross the limit line (figure 15).

[Figure 15: Unacceptable disasters (axes: Consequences, Probability; region labelled “Disasters you cannot afford”).]

There is however no real reason why the demarcations should follow the gridlines that happen to result if one uses a base 10 number system and a logarithmic scale. If the demarcation between acceptable and non acceptable is plotted as a straight line on a double log graph, the line represents the equation $F(M > N) = C \cdot N^{-\alpha}$. Alpha is also called the aversion factor. Several attempts have been made to derive this factor in a scientific way. The results vary from 1.2 (Okrent, 1981) to 2 (Hubert, 1990). In these cases, such a risk averse demarcation does not follow the economic rule that f*c should be constant. Many arguments against risk aversion, explicitly or implicitly, are rooted in the assumption that they should (Evans). Nevertheless even if an alpha of 1 is chosen there is an element of risk aversion, sometimes reflected in setting a maximum number of people affected or a maximum acceptable loss. It should also be borne in mind that a so called “risk neutral” limit (when interpreted as the acceptable F (cumulative) is equal to A/N (A = constant) for each of the (f,c) points in the riskset. It is also pointed out that even an F=1/N limit implies some aversion (in these terms) as f = dF/dN. So for F = A/N, f would be A/N^2.

This could give rise to, in principle, an unlimited expectation value as the area under the curve grows

with increasing N without limit (The integral of 1/N is log(N)). That is probably one of the reasons

why all the 1/N curves have an upper limit. A variety of criteria lines is shown below in Fig 16

showing the range of slopes and maxima.
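The limit-line test described above, as an added example (not code from the paper): three criteria rows from Table 1 are turned into lines through their anchor point and applied to an FN curve. The riskset is constructed for illustration, and treating every N at or above the tabulated maximum as unacceptable at any frequency is an assumption.

```python
"""Test an FN curve against straight limit lines taken from Table 1."""

# Rows from Table 1: anchor N, anchor F (per year), slope, maximum N.
CRITERIA = {
    "UK 1982 (Kinchin)": (10, 1e-4, -1, None),
    "HK 1988": (10, 1e-4, -1, 1000),
    "NL 1988": (10, 1e-5, -2, None),
}

# Constructed riskset for a hypothetical installation:
# (fatalities c, frequency f per year). Not data from the paper.
RISKSET = [(1, 2e-4), (10, 4e-6), (100, 3e-7), (2000, 1e-9)]


def limit_line(anchor_n, anchor_f, slope, max_n=None):
    """Build limit(N) = anchor_f * (N / anchor_n) ** slope.

    On a double log plot this is a straight line through the anchor point.
    Assumption: at or beyond max_n no frequency at all is acceptable.
    """
    def limit(n):
        if max_n is not None and n >= max_n:
            return 0.0
        return anchor_f * (n / anchor_n) ** slope
    return limit


def fn_points(riskset):
    """[(N, F(N))] in ascending N, with F(N) the frequency of c >= N."""
    running, points = 0.0, []
    for c, f in sorted(riskset, reverse=True):
        running += f
        points.append((c, running))
    return points[::-1]


def exceedances(riskset, limit):
    """Consequence values at which the FN curve lies above the limit line.

    F is a step function that stays at F(c) for every N up to and including
    c, while the limit only falls with N, so the worst case of each step is
    at N = c and checking the riskset's own consequence values is enough.
    """
    return [n for n, big_f in fn_points(riskset) if big_f > limit(n)]


def area_under_limit(limit, n_max):
    """Expectation value allowed by the limit line up to n_max (unit steps)."""
    return sum(limit(n) for n in range(1, n_max + 1))


if __name__ == "__main__":
    for name, row in CRITERIA.items():
        crossed = exceedances(RISKSET, limit_line(*row))
        print(f"{name:18s} crossed at N = {crossed if crossed else 'nowhere'}")
    # A slope of -1 lets the allowed expectation value keep growing with N,
    # a slope of -2 does not.
    for slope in (-1, -2):
        line = limit_line(10, 1e-4, slope)
        print("slope", slope, [round(area_under_limit(line, n), 5)
                               for n in (1000, 100000)])
```

The same riskset passes the slope -1 line without a maximum, fails the slope -1 line with a maximum only at its largest consequence, and fails the slope -2 line from N = 100 upwards, which is why the risk has to be read as a line against the criterion and not as a single point.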

[Figure 16: Graphs in FN of acceptability criteria (from Cox R.A.). Title: Comparison of International Societal Risk Guidelines. Axes: Number of Fatalities (N); Frequency of N or more fatalities. Lines: Scrutiny (ACDS whole UK); Intolerable (UK ACDS single port); Scrutiny (UK ACDS single port); Negligible (UK ACDS); Hong Kong RG Upper; Hong Kong RG Lower; Acceptable (Netherlands).]

The technique is still applied (Fig 17) to industrial installations (onshore and offshore) worldwide and

developments of this fully quantitative approach are still valid, available, but now sadly little used in

the UK due to resource considerations (time, cost and expertise availability).

Fig 17 – FN plots and Risk Contours from the SAFETI package.

What has emerged is the increasing use of the visual image of a plot that is helpful in picturing

where the seriousness of risks are perceived to be – a so called “heat map” to identify hot spots.

Currently, the requirements of corporate governance (Cadbury) and many regulatory bodies (HSE)

include risk registers and often some form of “risk matrix” to display the perception of risk exposure

and measures (justified) to prevent, minimise or manage them. In its most basic form, a corporate

group discusses a list of potential threats and assigns notional likelihoods and estimates of

seriousness (consequences), often against guidelines, (e.g. examples in classes, say 0 – 5 for each

identified candidate threat). In order to assess the relative importance of these “risks”, (and perhaps

to prioritise responses), they are often plotted on a two dimensional “heat map”. This is an example

of a probability impact graph, often referred to as a PIG (see Figure 5).

As qualitative visualisation techniques to aid decision making, these PIGS have been found by many

to be very helpful and by some indispensable. The problems arise when additional, often quantitative

outputs are required or attempted. (Creswell) Such as:-

What are the correct ordinates? – Probabilities, frequencies, of events, outcomes, etc.?

One or both linear scales, or Logs, Powers?

Discrete points or area averages?

Single points or distributions?

Completeness?

Uncertainties?

“Level of Risk” ( Total, components)

Criteria, Acceptability, Tolerance, Appetite.

Calibration with records, reality?

Discussion

So far we have concentrated on the historical development and original intent of Probability Impact

Graphs (PIGs). We have seen that they do have a legitimate mathematical basis and that their

utilisation without awareness of the “rules” can be at best misleading and at worst disastrous. But

the main driver for their continued use is that, as a way of assessing the relative positioning of

identified risks (from the Risk Register), in terms of qualitative seriousness (notional relative

imminence and scale?), it has proved useful in stimulating discussion, awareness and even action

from non specialist, but crucial decision makers in an organisation.

Recent work on the neuroscience of risk (Burke 2011) seems to support this innate ability of people

to process and make decisions on risk in a relatively sophisticated way. At the neuron level,

mammals seem to have a “hard wired” ability to handle very rapidly and effectively, probability,

uncertainty, size of risk and promise of reward. This is a basic survival evolutionary skill: and it is

claimed (Linked in ref) that an analysis of the neuroscience data indicates a “risk aversion/

incentivisation” factor of N to the 1.54 (Fig 18).

[Figure 18 plot: logarithmic axes, with criterion lines 1/N, 1/(N^1.5) and 1/(N^2)]

Figure 18. An Intelligent PIG with Aversion Criteria


All of these factors, as we have seen, can be accommodated in the risk matrix approach. Can we

therefore legitimately continue to utilise what has become an integral part of, and some think an

indispensable tool in, the armoury of corporate Risk Management (and ISO standards) – the PIG? How

can we build useful plots in a resource efficient way and still get the added value from their

construction?

Group assignments of frequencies and consequences, while subjective, have some basis in proven

Delphic techniques. So there is no reason to stop employing PIGS as long as the limitations and

necessary assumptions are documented and understood. (Note ISO 31010 fails to comment on

whether the frequencies plotted are cumulative or not - fN or FN). But can we get more? We believe

the answer is to set out the rules of their utilisation, explicitly in the standards.

Recognise there are two distinct categories –

1. The “Post it” or “heat map” (Qual) PIG

2. The “Intelligent” or “Groningen” (Quant) PIG.

If we wish to rank individual risks on a presentation plot that allows us to appreciate the

implications of a group discussion on their (relative) importance and seriousness, then a Post

it PIG is helpful.

Any discussion of their individual acceptabilities, however, needs to be done on a risk-by-risk

basis, and generalisations are difficult (not allowed) unless some further quantification and

standardisation is employed.

Quantification is not difficult, but we should follow the rules. Currently most benchmarking,

or guides as to scale of consequence and likelihood, are given as implicit log scales. Some

actually quote frequency ranges. It helps presentation to ensure that the underlying scale is

actually logarithmic.

For simple comparisons and heat map ranking, fN plots are OK. Maxima in allowed

consequences (Nmax) are always a good idea. Risk aversion can even be incorporated by

multiplying the consequence scale by say 1.2, 1.5, or 2, (or whatever the corporate risk

appetite indicates).

For more ambitious outputs such as criteria and risk levels the (Intelligent) cumulative FN

plot is needed.

On the FN plot the group can look at a more rigorous definition and assignment of

frequencies and consequences, but risk aversion, maximum allowed risk and acceptability

criteria are all now real and really useful outputs (Figure 22).

The area under the FN curve is then the RISK or EXPECTATION LEVEL. This cannot be

legitimately derived from the qualitative versions.

A Risk “Level” can be derived as the area under the CCDF curve,

i.e. the Risk Level is approximately ½ (Nmax – N1) × (F1 – Fmax).

The inference from this is that, we can use these plots and derive significantly more information, as

long as we are very careful. Spreadsheets can make the required mathematical transmutation of the

raw “post it” sessions relatively painless and, provided the basis is understood and regularly queried,

we could produce useful results.
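The spreadsheet step described above, sketched as an added example (not the authors' code): it turns per-scenario fN points into the cumulative FN curve, tests the curve against criterion lines with the slopes shown in the Figure 18 legend (1, 1.5, 2), and takes the area under the FN curve as the expectation level. The register values, the criterion anchor of 2e-2 at N = 1 and all function names are assumptions made for illustration.

```python
# Constructed sample register: (annual frequency f, consequence N) per scenario.
REGISTER = [(1e-2, 1), (1e-3, 10), (3e-5, 100), (1e-7, 1000)]


def fn_curve(register):
    """Convert per-scenario fN points into cumulative FN points.

    F(N) is the summed frequency of every scenario with consequence >= N.
    Returned as [(N, F)] in ascending N, so F is non-increasing.
    """
    merged = {}
    for f, n in register:
        merged[n] = merged.get(n, 0.0) + f  # pool scenarios sharing one N
    points, running = [], 0.0
    for n in sorted(merged, reverse=True):  # accumulate from the worst case down
        running += merged[n]
        points.append((n, running))
    return points[::-1]


def exceedances(curve, anchor, slope, n_max=None):
    """FN points above the criterion line F = anchor / N**slope.

    slope > 1 encodes risk aversion; n_max, if given, is an absolute cap
    on consequence (the Nmax of the text), breached whatever the frequency.
    """
    return [(n, F) for n, F in curve
            if (n_max is not None and n > n_max) or F > anchor / n ** slope]


def area_under_fn(curve):
    """Exact area under the FN step curve on linear axes.

    F(x) is constant on (N_prev, N], so the area is a sum of rectangles;
    it equals sum(f * N) over the register, i.e. the expectation level.
    """
    area, prev_n = 0.0, 0
    for n, F in curve:
        area += (n - prev_n) * F
        prev_n = n
    return area


if __name__ == "__main__":
    curve = fn_curve(REGISTER)
    for slope in (1.0, 1.5, 2.0):  # slopes from the Figure 18 legend
        flagged = [n for n, _ in exceedances(curve, 2e-2, slope)]
        print(f"slope {slope}: N values over the line -> {flagged}")
    print("expectation level:", area_under_fn(curve))
```

The same register passes the neutral 1/N line but breaches the steeper, risk-averse lines at the high-consequence end, which is the comparison the qualitative heat map cannot make.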


Conclusion

Risk matrices are perceived as a convenient and understandable way of presenting risk and

displaying limits. In today’s management and policy making arena, this simplicity is preferred over

the perceived complexity of more mathematical expressions. The presentation of risk as an FN curve

is seen as exceptionally difficult to understand. In addition consequences tend to be valued as single

factor impacts, rather than the multidimensional effects, which they usually are in practice. This

development has led to an increasingly strident debate about risk matrices and methods of risk

management, to the extent that there seems to be a call to give up on using them at all in risk

management.

With recent disasters in mind, we think they can make a real contribution, but it would be helpful to

appreciate what is behind traditional FN representations of risk and thus enable a more intelligent

(pre incident?) discussion of the dimensions and implications of risk decisions; of such things as

appetite, accountability and its limits of acceptability/tolerability (societal and corporate), in

whatever form helps; even in such FN diagrams, if it helps us manage these risks more responsibly

and effectively. (Casting PIGs before-----!)

Literature References

Ale, B.J.M. (1986) and R. Whitehouse, A computer based system for risk analysis of process plants.

In Heavy Gas and Risk Assessment III, 5. Hartwig (Ed) D. Reidel, Dordrecht, The Netherlands.

Ale, B.J.M. (1987) D. van Nierop, M. Seaman, safety zoning around a major industrial complex in the

Netherlands (World Congress on Chemical Hazards, July, Rome)

Ale, B.J.M. (1996) G.M.H. Lahey, P.A.M. Uijt de Haag, Zoning Instruments for Major Accident

Prevention, International Conference on Probabilistic Safety Assessment and Management, Crete

1996.

Ale, B.J.M. (2003) Keynote Lecture: Living with Risk: a management question, in ESREL 2003, Safety

and Reliability, - Bedford en van Gelder (eds), Swets en Zeitlinger, Lisse, ISBN 90 5809 551 7

Ale, B.J.M. (2009), L.J. Bellamy, R. van der Boom, J. Cooper, R.M. Cooke, L.H.J. Goossens, A.R. Hale,

D. Kurowicka, O. Morales, A.L.C. Roelen, J. Spouge, Further development of a Causal model for Air

Transport Safety (CATS): Building the mathematical heart, Reliability Engineering & System Safety,

Volume 94, Issue 9, September 2009, Pages 1433-1441

Ale, B.J.M. (2011), D. Hanea, C. van Gulijk, P.-H. Lin, S. Sillem & P. Hudson, Towards an integrated risk

model for hydrocarbon industry operation, Proceedings of the European Safety and Reliability

Conference, ESREL 2011, 18-22 September 2011, Troyes, France, Advances in Safety, Reliability and

Risk Management – Bérenguer, Grall & Guedes Soares (eds), Taylor & Francis Group, London, ISBN

978-0-415-68379-1

Arnauld, A. (1662), La Logique, ou l’art de penser, 1662

Ball, D.J. (1998) and P.J. Floyd, Societal Risks, HSE,

Burke, C.J. and P.N. Tobler (2011) Coding of reward probability and risk by single neurons in animals,

Laboratory for Social and Neural Systems Research, Department of Economics, University of Zurich,

Zurich, Switzerland. Frontiers in Decision Neuroscience, October 2011, volume 5, article 121.

Chapman & Stephen Ward (2011). How to manage Project Opportunity and Risk. Chp 2. The

Probability-impact grid - a tool that needs scrapping. Pp 49-51. 3rd Ed. Wiley.

Lee, B. Preston, Green, G. (2012) Preparing for High Impact, Low Probability Events, Chatham

House, London

Louis Anthony (Tony) Cox, Jr (2008)., What’s Wrong with Risk Matrices? Risk Analysis, Vol. 28, No. 2,

Cox, R.A. (1982) Improving risk assessment methods for process plant Journal of Hazardous

Materials, Volume 6, Issue 3, May 1982, Pages 249-260

Cremer and Warner (1981), Risk Analysis of Six Potentially Hazardous Objects in the Rijnmond Area,

London 1981; Also published by Springer Verlag 1982, ISBN 9027713936

Cresswell (2011) 'Qualitative Risk & Probability Impact Graphs: Time for a rethink?', from

http://intorisk.co.uk

Gezondheidsraad (1993) Risico is meer dan een getal

Griffith, R.F (ed) (1982) Dealing with Risk, Manchester University Press, ISBN 0-7190-0894-8

Harbison, S. (1995)

Health and Safety Executive (1978) Canvey, - an investigation of potential hazards from operations in

the Canvey Island/Thurrock area, HMSO, London

Hopkins, A (2000) Lessons from Longford: the Esso Gas Plant Explosion, Sydney, NSW, CCH Australia

Limited

Hubbard, (2009) The Failure of Risk Management. Chp 7. Worse than Useless? The most popular risk

assessment method and Why it doesn't work. Wiley & Sons.

Hubert, Ph, M.H. Barni, J.P. Moatti,(1990) Elicitation of criteria for management of major hazards,

2nd SRA conference, April 2-3 1990, Laxenburg, Austria.

ISO Standards 2700,2800, 3700

Jongejan, R, How Safe is Safe Enough?, PhD Thesis TU Delft, ISBN 978-90-9023432-8

Kinchin, G.H. (1978) Assessment of Hazards in Engineering Work, Proceedings of the Institute of Civil

Engineers, vol 64, pp431-438

Leeuwen, C.J. van and J.L.M. Hermens, (eds) Risk Assessment of Chemicals: An Introduction, Kluwer,

1995

NN (1976) Nota Milieuhygienische Normen, Provincie Groningen, 1976


Okrent, J. (1981), Industrial Risk, Proc. R. Soc. 372 (1981) 133-149, London

Otway, Harry J. (1973), Risk Estimation and Evaluation, in Proceedings of the IIASA Planning

Conference on Energy Systems, IIASA-PC-3, International Institute of Applied Systems Analysis,

Laxenburg, Austria.

Otway, Harry J. (1975), Risk Assessment and Social Choices, IIASA Research Memorandum,

International Institute of Applied Systems Analysis, Laxenburg, Austria.

Pikaar, M.J. (1995) and M.A. Seaman, A review of Risk Control, Report nr SVS 1994/27A ministerie

VROM, Den Haag.

Rasmussen N. (1975), Reactor Safety Study, An assessment of accident risks in U.S. commercial

nuclear power plants; WASH 1400; NUREG 75/014)

Rasmussen N, (2000) Accimaps

Slovic, P., Fischhoff, B. and Lichtenstein, S., Read, S. and Combs, B. (1978) How safe is safe enough, a

psychometric study of attitudes towards technological risks and benefits, Policy Sciences, 8: 127-152,

1978

Slater, D. (1982) , Proof of evidence to the Sizewell Inquiry, HMSO

Slater, D. (2012) Risk Assessment: from the Top, The Chemical Engineer February Issue, p. The

Institution of Chemical Engineers, London

Slater, D. Burnap, P et al (2010) - Managing Risks in Complex Interdependent Systems TSB Fast

Track Project BK016A Final Report

UK National Risk Strategy 2011

WEF Global Risks Landscape 2012

Vesely, W.E. (1981), F.F. Goldberg, N.H. Roberts, D.F. Haasl, The Fault-tree Handbook, Systems and

Reliability Research Office of the NRC, Washington DC NUREG 0492,

Westinghouse – Evidence to the Sizewell B Inquiry


Timeline (approx)

1967 - Farmer, F.R. (1967) Siting criteria – a new approach, Atom (128) pp 152-70

1976 – Groningen Criteria (FN (∑fn) plot with limits)

197? - Rasmussen Comparisons with natural disasters (fn curves)

1981 - Rijnmond Risk Output (risk contours and (log axes) fn curves)

1982 - Sizewell B – (Cox - independent “Farmer” type fn curve)

1984 - Technica - SAFETI (“All” Failure cases generation) uses Groningen criteria

1985 - Dutch External Safety Criteria (Individual and Societal Criteria, SAFETI Fn curves and

contours)

1980s - Slovic Risk Aversion (f x n^2, f x n^1.2) (note on log scales)

1988 - Risk Lite - “Semi quantitative” Risk estimation (still f x n matrices)

1990 - Corporate Risk Management (Red Amber Green Traffic Lights /Matrices)

1992 – Big Four discover Risk Matrices and move on from mere quantified inputs

1995 - Cadbury Corporate Governance Risk required Registers and produced Matrices based on

Board discussions.

2000 - Enterprise wide Risk Management tools include Risk lite graphics

2010 - ISO 3100 – PIGS - organized guesses

2011 – LinkedIn groups - How do we get a Level of risk from this? How do we get the total summed

risk?

2012 – back to Farmer?