Professional Documents
Culture Documents
Risk Management
Risk Management
13
Risk Management
C. Ariel Pinto
Old Dominion University
209
Engineering Management Handbook
13.1 Introduction
- George S. Patton
US Army general (1885 - 1945)
Engineering managers are the leaders toward successful research, development, and engineering activi-
ties. And monuments of these successes abounds—discoveries of drugs that saves millions of lives, taming
and harnessing nuclear power for energy, design and execution of space exploration programs, and count-
less other feats. But within these same realms exist monuments of apparent failures—disastrous chemical
spills, deadly space shuttle launch, catastrophic flood levee failures, and so on. Would have Gen. Paton
considered these failures the result of calculated risks? Or are these failures remnants of human rashness?
At the heart of this section is the science and art of managing risks in engineering systems. Critical to
managing risk is in knowing what it is. Some have described risk as…
“…probability of the occurrence of (the risky) event multiplied by the consequence of the event, given
that it has occurred”
“…are events that if they occur can jeopardize the successful completion of the projects”
- INCOSE
As the preceding descriptions of risk show, an engineering manager must recognize that risk can be
expressed as number and also may reside at the minds or feelings of humans. Whatever description of risk
is presumed by the engineering manager, one thing that is generally agreed upon is that risk, by itself, is
undesirable.
(1) Scenario identification starts out by identifying the system of concern, which elements are within our
control, and which are not. We then draw a crisp description of the ideal picture when everything about
the system occurs as planned. We then draw the risk scenarios making sure that we consider the system
from various points of views (one who owns it, one who uses it, one who is affected by it, etc.).
(2.1) Consequence estimation is based on the scenarios we previously identified. We estimate the conse-
quences if each of the scenarios occurs by looking into other events that may occur, and the ultimate cost.
This is often done by looking into the elements of the system that will be affected by the scenarios and the
repercussions.
(2.2) Likelihood estimation is based on the scenarios we previously identified; the frequency of occurrence
is estimated. This can be done by looking into the mechanism of the scenarios and the factors that con-
tribute to their occurrence.
(3) Ranking. At this point, we have a good picture of the risk in terms of the scenarios, their consequences
and frequency of occurrence. We may decide to take a second look into the list of these scenarios and
make distinctions between the more important and less important ones. The purpose of such ranking of
scenarios is to concentrate our resources to the more important ones, and yet recognizing the fact that
none of these scenarios is totally independent of each other.
(4) Generation and tradeoff of mitigation alternatives identifies ways and costs to mitigate each of the risk
scenarios. Mitigations can be in the form of affecting the causes of a scenario, or safeguard to minimize
consequences of a scenario, transferring the risks, or a combination of these.
(5) Potential problem analysis evaluates the effects of the mitigation alternatives to other elements of the
system. Mitigation alternatives are analyzed according to their effects to functionalities of the system, the
manner by which they alter interaction between elements of the system, and their potential to affect fu-
ture decisions. This is also the point where the acceptable level of risk is determined: comparing the costs
and benefits of each mitigation alternative.
(6) Implementation, monitoring, and documentation is putting into place mitigating actions based on the
perceived acceptable level of risk. There is no clear terminal activity in risk management as it is an iterative
process. As stated in the previous section, there is no way of totally eliminating risk and as new sets of sce-
narios come up every time there are changes in the system of interest, the environment, or in the presence
of new information.
This framework, illustrated in Figure 13.1, was formulated with engineering managers in mind and
with consideration toward perceivable trends in risk management tools and techniques. The following sec-
tions discuss these steps in details.
212
Risk Management
These desirable scenarios are obviously oversimplified but are representative of various types of objec-
tives for an automotive engine engineering activity representing cost, performance, and schedule goals.
The list of possible causes for cost overrun will be much longer in reality, but for the purpose of
example, let us assume for now that the list of three causes is an exhaustive list. One particularly useful
tool often used in establishing causalities of risk scenarios is a fault tree. Fault Tree Analysis (FTA) is a tool
commonly used for reliability and safety analysis that was originally developed by Bell Telephone Labora-
213
Engineering Management Handbook
tories in the 1960s for the U.S. Air Force for use with the Minuteman system, and was later adopted by
the Boeing Company and has since been used by other countless organizations.
The usefulness of FTA in establishing causalities of risk scenarios is due to several characteristics,
namely:
• Its nature of working in the failure space facilitate identification of risk scenarios
• Looks at combinations of failures, suitable to wide range of complexity of many engineering activity
• Symbolic use of events blocks and gates, enabling user-friendly and compact visualization of an other-
wise complex information (see Table 13.1)
• Readily available as a software application, enabling quick adoption
Shown in Table 13.1 are the common symbols used in FTA. This includes symbols for events and for
Boolean operators or gates.
Consider as an example, the possible causes for the scenario described as Total cost of developing a new
engine exceeds $3M from the previous section. The identified causes can be illustrated using FTA as shown
in Figure 13.2.
Figure 13.2. Simplified FTA Showing How Causalities of Risk Scenarios Can Be Represented by Events and
Gate Symbols
Total cost of
developing a new
engine exceeds
$3M
OR
214
Risk Management
215
Engineering Management Handbook
data, such as in the case of a new and emerging technology or newly studied phenomenon. Instead, there
may be well-established evidences, whether by causality or correlation to describe these risk scenarios. The
Bayesian approach, also known as evidence-based risk assessment can be useful for such cases.
Evidence-based analysis is primarily based on two axioms, Bayes’ theorem and total probability theo-
rem, respectively described in Equations 13.1 and 13.2.
P (A) P (B |A )
P ( A|B ) =
P (B ) (13.1)
In this analysis, carefully selected information that helps draw conclusions or evidences are of primary
interest.
Figure 13.3. Classical Distributions and How the Tails May Actually be Fatter in Reality
Classical
distributions
Fat tail
Expected values and use of averages are common in classical data analysis. As a result, observations
of the more-common events dominate the estimation process and because extreme observations consist
of only a small part of the data, their contribution in the estimation is relatively smaller. Therefore,
in such an approach the tail regions are not accurately estimated. This is often emphasized with the
analogy of the frozen-hot hands—One hand in boiling water and one hand in an ice bucket; on the
average—you’re just fine.
Extreme value theory (EVT), unlike classical data analysis, focuses primarily on analyzing the extreme
observations rather than the observations in the central region of the distribution. EVT is most useful in
the study of the asymptotic behavior of extreme observations of a random variable: maxima for extremely
high and minima for extremely low.
216
Risk Management
Let X1,X2,…,Xn be a set of N independent random variates and each Xi have an arbitrary probability
distribution with mean μi and a finite variance σi2 , as N→∞,
The Central Limit Theorem essentially implies that the distribution of an average tends to be Normal,
even when the distribution from which the average is computed is decidedly non-Normal (Normal a.k.a.
Gaussian).
However, when the interests is not the central region but rather the extremes, a new statistic is used:
ordered statistics or the arrangement of random variates in increasing order, such as for sample size n,
Thus, if an engineering manager is trying to determine the cumulative density function (cdf ) of, say
the Xmax, and by assuming all x’s are independent and have the same cdf = F(x), then
However, when n→∞, or when n is unknown, or when the cdf of the x’s, F(x) is unknown then esti-
mating [F(x)]n can be unwieldy. The fundamental result of EVT is the identification of the possible classes
of distributions of the extremes irrespective of the actual underlying distribution. EVT incorporates sepa-
rate estimation of the upper and the lower tails due to possible existence of asymmetry.
Asymptotic distributions can be applied when there is large number of data (i.e., sample size n→∞).
EVT shows that Fxn:n(x) can be any of the three extremal distributions, namely:
• Gumbel I (aka Gumbel) with exponential tail
• Gumbel II (aka Frechet) with polynomial tail
• Gumbel III (aka Weibull) with bounded tail
Shown in Figures 13.4a and 13.4b are the three extremal distributions as well as the difference in
their tails.
Figure 13.4. The Three Extremal Distributions Showing (a) Entire Distribution Curves and (b) a Close-Up
View of the Tails of the Curve
Weibull, bounded tail
(a)(a) (b)
(b)
217
Engineering Management Handbook
For a known F(x) function but unknown sample size n, the asymptotic distribution can be identified
by using Equation 13.3.
These is commonly read as “F(x) belongs to the domain of attraction of G-I, G-II, or G-III”.
Example:
Waiting times, w, in an M/M/1-FCFS queuing model (e.g., single grocery cashier with Markovian arrival
and service) is generally known to be:
Solution:
F(w ) = 1 − ρe −µ (1−ρ) w
1− w
log( )
ρ
F −1 ( w ) = [Eqt 2]
µ(−1 + ρ)
F −1 (1 − ε) − F −1 (1 − 2ε)
lim = 2 d [Eqt 1]
ε →0 F −1 (1 − 2ε) − F −1 (1 − 4ε)
218
Risk Management
Table 13.2. Commonly Used Probability Distributions and Their Asymptotic Domain of Attraction
1. Plot of the order statistic Xn:n (X1:n for minima) versus plotting position v
2. Plotting position v = -log[-log(pi:m)] (v = log[-log(1-pi:m)] for minima) where i is the rank in m Xn:n,
pi:m=i/(m+1), skip this step if already using G-I plotting paper
3. If G-I is asymptotic to Fxn:n(x), then the plot will approximately be a straight line
4. Otherwise, choose obvious model or be on the safe side
Shown in Figure 13.5 are the sample plots for Couchy, Normal, and Uniform distribution using the
maximal G-I plotting method (modified from Castillo, 1988). Note that by transforming the plotting po-
sitions of the order statistics, the plots of the Couchy, Normal, and Uniform distributions are also trans-
formed such that the right tail corresponding to the maximal statistics are amplified. The straight diagonal
dashed line serves as a comparison of how close or far are the plots from being a true G-I. Obviously,
the plot of the Uniform distribution is not a good fit for a G-I by the mere fact that this distribution is
bounded and can be better represented by G-III. This shows on the plot as a right tail going toward the
vertical direction. The opposite can be observed for on the plot for the Couchy distribution with the right
tail heading toward the horizontal direction and can be better represented by G-II. The Normal distribu-
tion shows a plot that is not exactly a straight diagonal line, but nonetheless has a right tail that is almost
diagonal that this can be termed as close enough to be approximated by G-I.
219
Engineering Management Handbook
Figure 13.5. Sample Plots for Couchy, Normal, and Uniform Distribution Using the Maximal G-I Plotting
Method (modified from Castillo, 1988)
0.995
y
0.99 uch
0.98 Co
0.95
Probability 0.9 rm
al
No rm
ifo
0.7 Un
0.4
0.1
0.005
0 0.2 0,4 0,6 0.8 1
x
The ranking among several scenarios can then be based on this calculated risk measure where higher
number denotes higher risk. However, it is important to note that there has been counter argument
against this method because of the equivalence that may result from scenario of low likelihood and great
consequence with that of one with great likelihood and low consequence.
A related approach is the use of a risk matrix or risk cube where each scenario is placed on a two-
dimensional matrix where the axes represent likelihood and consequence, as shown in Table 13.3. In this
example, the estimated consequences are expressed as Severity, which ranges from Negligible to Cata-
strophic, while the likelihood is expressed as Probability, which ranges from Improbable to Frequent. This
example also shows how the ranking can be made, from the lowest, moderate to high risk, color-coded
with blue, yellow, and red, respectively.
220
Risk Management
Table 13.3. Example of Risk Matrix to Rank Risk Scenarios Based on Consequence and Likelihood
SEVERITY
Catastrophic Critical Marginal Negligible
PROBABILITY
Frequent 1 3 7 13
Probable 2 5 9 16
Occasional 4 6 11 18
Remote 8 10 14 19
Improbable 12 15 17 20
Properties Exploratory questions, and why the property is important in risk ranking.
221
Engineering Management Handbook
These concepts are the building blocks of almost any risk mitigation alternatives. Based on these
building blocks, the following questions can be asked to facilitate the generation of alternatives.
• How can vulnerabilities be removed or reduced?
• How can threats be removed or reduced?
• How can consequences be reduced?
• How can consequences be transferred?
Most likely, a risk mitigation alternative will address combinations of the above questions at varying
degrees. It is worth to note that by addressing the vulnerabilities and threats, the likelihood of the risk
scenario is essentially reduced.
The following table adapted from Hofstetter et al. (2002) shows when one tool may be more appro-
priate over the other.
222
Risk Management
13.5.3 AHP
A particular comparative tool deserves detailed discussion—the Analytic Hierarchy Process (AHP).
Developed at the Wharton School of Business by Thomas Saaty, AHP is composed of previously exist-
ing concepts such as hierarchical structuring of complexity, pairwise comparisons, redundant judgments,
eigenvector method for deriving weights, and consistency considerations. A popular software implementa-
tion of AHP, “Expert Choice” was developed in 1983 and is currently widely used.
Some important capabilities of AHP are:
• Allows decision-makers to model a complex problem in a hierarchical structure showing the relation-
ship of goals, objectives, subobjectives, and alternatives
• Enables decision-makers to derive ratio scale priorities instead of arbitrarily assigning them
• More than just a decision-making tool can be used in forecasting, resource allocation, and other ap-
plications
• Pairwise Relative Comparisons
• Process can be performed using words, numbers, or graphical bars, and typically incorporates redun-
dancy, which results in a reduction of measurement error
• Accommodates use of expert judgment and its bases (the hard data, knowledge, experience for the
judgments) instead of arbitrarily assigned weights
• AHP allows for inconsistency and provides a measure of inconsistency
A particularly useful concept in risk management built into AHP is the marginal rate of substitu-
tion—essentially showed by the old adage “How much apple is an orange worth for you?” Through the
compensatory natures of AHP, engineering managers are compelled to express utility or preference and
enable them to adopt the otherwise extrinsic objectives, essentially confronting the conflict in the choice
situation by allowing them to trade off a low value dimension for a high value dimension.
Aside from the original risk scenario, which prompts the whole decision process (aka target risk) often
reflected by the main objective (e.g., minimize public risks to WNV), there maybe two other types of
unintended risk scenarios:
1. Countervailing risk—The risk (i.e., undesirable effect) that arises from the action of managing the
target risk (e.g., increase in health risks due to traffic accidents and pollution).
2. Synergistic effect—Desirable consequence of managing risk other than reducing the target risk (e.g.,
reduction in crime rate at certain hours).
223
Engineering Management Handbook
10. Choice of model and procedures—Similar to the previous issue, the proliferation of tools and meth-
ods in managing risks results to a lack of de facto standards. Thus, the engineering manager needs to
be aware of the chosen models and procedure and their suitability for the risk scenario at hand.
11. Multiple Stakeholders—Because risk transcends time and system boundaries, there are likely more
than one significant stakeholder who most likely equates to differences in their respective risk concep-
tion, objectives and behavior. These differences have to be recognized in generating alternatives and
tradeoff analysis and the potential for a suboptimal solution.
12. Multiple risk management processes—One very important purpose of monitoring and documenta-
tion in risk management is to be able to review the process at each step of managing risk. The wide
choice of tools and techniques in risk management, each with their own strengths and weaknesses,
may result to an after-the-fact realization of the omission or exaggeration of some risks. Good moni-
toring and documentation hopefully will result to an early diagnosis of such cases and enabling the
engineering manager to avoid its recurrence.
Importance to Engineering
Topic References
Managers
Risk-based For cases where financial Pinto, A.C., Arora, A., Hall, D., Schmitz, E., Challenges
economic and economic evaluation of to Sustainable Risk Management: Case Example in
evaluation alternatives are critical to Information Network Security. Engineering Management
decisions Journal, vol. 18, no. 1, March 2006.
13.9 References
Haimes, Y. Y., Kaplan, S., and Lambert, J. H. Risk filtering, ranking, and management framework using
hierarchical holographic modeling. Risk Analysis, vol. 22, no. 2, pp. 381–395, 2002.
Conrow, Edmund H., “Risk Management for Systems of Systems,” Journal of Defense Risk-Software Engin-
eering, Feb. 2005.
Conrow, Edmund H., “Risk Rant: The top 10 risk analysis issues and why they are important to you,”
Risk Management Intelligence Network, June 2, 2004.
Haimes, Yacov, Risk Assessment, Modeling, and Management, Second Edition, Hoboken, NJ: Wiley—Inter-
science, 2004.
Hofstetter, P. et al., “Tools for Comparative Analysis of Alternatives: Competing or Complementary Per-
spectives?” Risk Analysis, vol. 22, no. 5, pp. 833-851, 2002.
Castillo E. Extreme Value Theory in Engineering. San Diego: Academic Press, 1988.
225
Samuel Kovacic, Old Dominion University
Samuel F. Kovacic is a Research Scientist with the National Centers for System of Systems Engineering (NCSOSE)
at Old Dominion University. His primary research is in the philosophical constructs of worldviews and the study
of management and engineering practice as it pertains to complex situations, system of systems, strategic
management and organizational change. he retired from active duty with over 22 years service in the United
States Air Force. During that time Sam has developed extensive experience in flight and combat operations,
and the software/system engineering field working progressively challenging assignments with background
in Operations, Command, Program Management, System and Software Engineering, Budgetary Oversight,
Contractor Officer/Technical Representative, Communications, and Vulnerability Assessments. Samuel is
currently pursuing a Ph.D in Engineering Management and Systems Engineering from Old Dominion University.
He holds an M.B.A in Aviation from Embry Riddle Aeronautical University, and a B.Sc. in Computer Science from
the University of Maryland.
296
Reproduced with permission of the copyright owner. Further reproduction prohibited without
permission.