
Fundamentals of Risk Analysis

What is Risk?

In common language, the terms Risk, Threat, and Vulnerability are often used interchangeably.  We may speak of South Florida being vulnerable to hurricanes, or we may refer to the threat of earthquakes in California, or of the terrorism risk in Washington, DC, and we may mean much the same thing.  In the discipline of risk analysis, however, these terms have very different meanings.

Risk is a quantity (a number) that refers to the expected loss from an adverse event.  Commonly, and most simply, risk is measured in dollars, and represents average economic damage sustained over a given time period on an ongoing basis.  Insurers assume this risk when they grant insurance policies.  For example, if an insurer grants fire insurance policies to the owners of 100 identical buildings, each worth $10M, and it calculates the probability that any one of the buildings is lost to fire at 1% annually, then the insurer can expect to replace, on average, one building per year.  Some years no buildings may be lost to fire, and other years several buildings may be lost, but on average one building will burn down each year and the insurer will have to pay the $10M replacement cost.  In this example, the risk to the collection of 100 buildings from fire is equal to $10M per year.

The risk to a single asset from a defined hazard is represented as the likelihood that an adverse event occurs (in some given time period) multiplied by the magnitude of the impact of that event.  For instance, if a beach house is hit annually by around two severe tropical storms, and each time it sustains $1,000 worth of damage, then one might say that the risk to the beach house from tropical storms is $2,000 per year.  This figure is dangerous, though, because every 20th tropical storm may destroy the house, resulting in a loss of $100,000.  Since emergency management usually focuses on these catastrophic events, we identify the adverse event with the catastrophic one, and adjust the likelihood accordingly.  In the beach house example, we would say that the likelihood of loss of the beach house is 10% per year, and the amount of loss is $100,000, so the risk to the beach house from tropical storms is $10,000 per year.

The likelihood can further be broken down into two other probabilities, called Threat and Vulnerability.  Threat is the probability of a hazard occurring (in a given time frame), and Vulnerability is the probability that a given asset succumbs to the hazard if it occurs.  Threat is given as a rate (number of occurrences per year), or as a percentage (likelihood of occurring in some given time frame);  Vulnerability is given in percent (or on a scale from zero to one).  In our beach house example above, the Threat score would be 2/year (or 200%), and Vulnerability would be 1/20 (5%).

The full expression for Risk is then given as Risk ($/year) = Threat (#/year) * Vulnerability (%) * Consequence ($).

Types of Risks

In risk analysis, it is crucial to consider which risks one is analyzing.  Risk is a unique property of a scenario.  A scenario is the application of a hazard or collection of hazards to an asset or a collection of assets.  Thus, when evaluating risks, one must ask: the risk to what (asset), from what (hazard).

In its simplest formulation, the asset is a single facility: a building or a dam, for instance.  But the concept of an asset that can be impacted by a hazard can be extended to collections of assets, systems of interconnected assets, entire infrastructure sectors, or jurisdictions containing diverse assets.

Likewise, a hazard can be a single type of natural hazard (hurricane) or terrorist event (bomb), or it can encompass a portfolio of hazards, both natural and man-made.

In both cases, whether one considers multiple assets and/or multiple hazards, the aggregate risk can be evaluated by adding the constituent risks.  For instance, the risk to a building from fire and flood is the sum of the individual risks to that building from fire and from flood, as long as these hazards are independent of each other.  The risk to a jurisdiction from a portfolio of hazards is the sum of the individual hazard-asset scenarios for all assets and all hazards.

The Digital Sandbox Site Profiler system seamlessly handles all scenario aggregation over the user-defined hazard types and asset portfolio of interest.  Site Profiler supports the reporting and managing of risk at the asset, infrastructure sector, or jurisdictional level.

Asset Risk, Population Risk, and Geographic Risk

So far, we have only identified risks with assets.  This methodology produces what is sometimes referred to as an asset risk.  Aggregating the risks to all assets in a jurisdiction from all relevant hazards can produce a jurisdiction’s asset risk score.  There are other formulations of risk sometimes referred to as population risk or geographic risk, but these can be seen as extensions of the asset risk concept.  Population risk is the risk to the people in a geography; that is, only the individual citizens in a jurisdiction are considered as assets, not the infrastructure.  Geographic risk goes to the opposite extreme: it calculates the risk to a jurisdiction as if the jurisdiction itself were a single asset. 

Population risk can usually be represented as the product of the population of an area and its population density.  This can be understood in terms of the R=T*V*C asset risk formula.  Each person represents a single asset.  The threat against each person is assumed to be the same, as is each person’s vulnerability to the attack or hazard.  The precise values for T and V are not important, since population risks are calculated in order to compare different geographies.  It is assumed that the values of T and V do not vary from one jurisdiction to the next.  The only risk term left is Consequence.  Consequence is assumed to vary with population density, since the more densely populated an area is, the more likely an attack is to harm multiple people.  The risk to an individual is proportional to the population density around that person.  For an area of roughly constant population density, the aggregate population risk is the sum of each person’s risk, or the population times the population density of that area. 

Geographic risk treats entire jurisdictions as singular assets.  This makes calculating Threat scores relatively straightforward, but raises questions about the interpretation (or calculation) of Vulnerability and Consequence.  What does it mean for an entire city or state to be more or less vulnerable than another?  What elements make one jurisdiction have higher consequences if successfully attacked than another?  How should these components be assembled to give an accurate picture of Risk?

The U.S. Department of Homeland Security (DHS) has moved toward a risk methodology that resembles Geographic Risk.  While this methodology is relatively straightforward to calculate and to explain, it may not accurately reflect the risks to the assets of a jurisdiction.  Geographic Risk is a useful rule of thumb for comparing different jurisdictions at once, but it cannot serve as the foundation of a State or local risk management program since it provides little insight into the specific assets or systems that contribute to a region’s risk.  Thus, while alignment with DHS risk methodology is an admirable goal, State and local jurisdictions must adopt a more granular risk methodology to inform their risk management programs.

Digital Sandbox recommends adopting an asset-based approach to risk, since this is the most flexible approach.  Not only does an asset view of risk provide the emergency manager with the most information possible to make planning decisions, but the other two formulations can be cast in terms of asset risk as well.

Natural Hazards, Terrorism, and All-Hazards Risk

Natural hazards, terrorism, and even accidents and other man-made hazards can all contribute to an asset’s (or jurisdiction’s) risk.  Comparing these risks with one another can be extremely problematic, though.  In principle, each type of hazard generates a scenario when applied to an asset, and risks can be calculated for each of these scenarios.  In practice, however, although Vulnerabilities and Consequences can often be computed, the Threat scores of these different types of hazards are incompatible.

There are two schools of thought on calculating Threat scores, and these are closely aligned with two different approaches to probability.  The Frequentist approach relies on historical data about hazards to predict future occurrences.  This approach works well when:

  1. A large body of historical evidence exists, and
  2. Future events can be reasonably assumed to follow historical precedent.

The Frequentist approach is the primary method used in the actuarial field of insurance, and it works reasonably well for natural disasters and unintentional man-made disasters (accidents), as long as a long enough historical time frame is used and there exists sufficient historical data.

Frequentist approaches do not work to estimate the likelihood of future terrorist events.  Unlike for natural disasters, or even for accidents, terrorist hazards are initiated by an intelligent, creative, and adaptive adversary who seeks to do harm.  Although terrorists sometimes employ similar tactics and weaponry, and historical precedents can signal evolving capabilities, aims, and tactics, it is a mistake to prepare for future attacks exclusively by relying on past examples.  The devastating attacks of September 11, 2001 had little historical precedent, and so should serve as potent reminders of the dangers of “driving by looking in the rear-view mirror.” 

The other school of thought is the Bayesian approach.  Bayesian Threat scores are based on a subjective interpretation of historical data and present intelligence in order to inform an expert opinion of future likelihoods.  The strength of the Bayesian approach is most evident in evaluating terrorist threats.  Intelligence analysts evaluate all available data on historical events, present capabilities, the expressed intent, and other data about relevant terrorist organizations to form a subjective opinion on the relative likelihood of different types of attacks on different assets and jurisdictions. 

The Bayesian approach can synthesize multiple data streams into a coherent evaluation of Threat, but these evaluations are often difficult to quantify.  They are usually expressed in relative terms, such as “An attack on New York City is twice as likely as an attack on Iowa City,” or “The use of an Improvised Explosive Device (IED) in an attack on the New York City metro system is ten times more likely than the use of a chemical agent.”  Neither of these examples provides an absolute scale for its predictions, in that they do not say how likely such an event is to occur in the next year, but the information can still be valuable.

Natural hazards Threat is often calculated using a Frequentist approach, and the results are given as a probability of occurring (or, equivalently, as an average rate of occurrence).  Terrorism Threat, by contrast, is almost always estimated using Bayesian techniques, and is therefore provided as a form of conditional probability: “IF an attack were to occur in the next year, it would most likely be of such-and-such an attack type, and would occur in so-and-so’s jurisdiction.”  Because there is no absolute scale for such scores, the terrorism threats cannot be compared with the natural hazards threat scores.

Instead, Digital Sandbox recommends that natural hazards risk (and risks from other unintentional hazards, such as accidents) be calculated separately from terrorism risk, and that the two only be compared on a relative basis for the purpose of managing risks.  The allocation of funds to address these disparate risks remains a policy decision for each jurisdiction. 
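The scenario aggregation described under Types of Risks and the separate treatment of absolute and relative Threat scores recommended above can be worked through in a short script. This is an added example, not Digital Sandbox or Site Profiler code: the `Scenario` type and function names are hypothetical, the metro-system Vulnerability and Consequence values are constructed, and treating a normalised relative weight as the probability of a scenario given that an attack occurs is an assumption made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    asset: str
    hazard: str
    threat: float           # events/year if absolute, unitless weight if relative
    vulnerability: float    # P(asset succumbs | hazard occurs), 0..1
    consequence: float      # loss in dollars
    relative: bool = False  # True for Bayesian, relative-only Threat scores

def aggregate(scenarios, key):
    """Sum R = T*V*C ($/year) over independent absolute-threat scenarios."""
    totals = defaultdict(float)
    for s in scenarios:
        if s.relative:
            raise ValueError(f"{s.asset}/{s.hazard}: relative threat has no $/year scale")
        if not 0.0 <= s.vulnerability <= 1.0:
            raise ValueError(f"{s.asset}/{s.hazard}: vulnerability must be in [0, 1]")
        totals[key(s)] += s.threat * s.vulnerability * s.consequence
    return dict(totals)

def relative_shares(scenarios):
    """Rank relative-threat scenarios by their share of conditional expected loss."""
    total_w = sum(s.threat for s in scenarios)
    if total_w <= 0:
        return {}
    # Assumption: normalised weight = P(this scenario | an attack occurs).
    scores = {(s.asset, s.hazard): s.threat / total_w * s.vulnerability * s.consequence
              for s in scenarios}
    total = sum(scores.values())
    return {k: v / total for k, v in scores.items()}

# Page figures: beach house (2 storms/year, V = 1/20, $100,000) and the
# insurer's 100 buildings ($10M each, 1% annual loss, entered here as T with V = 1).
NATURAL = [Scenario("beach house", "tropical storm", 2.0, 0.05, 100_000)] + [
    Scenario(f"building {i}", "fire", 0.01, 1.0, 10_000_000) for i in range(100)]
# The 10:1 weight ratio is the page's IED vs chemical example; V and C are constructed.
TERROR = [Scenario("metro system", "IED", 10.0, 0.5, 50_000_000, relative=True),
          Scenario("metro system", "chemical agent", 1.0, 0.8, 200_000_000, relative=True)]

if __name__ == "__main__":
    for hazard, dollars in aggregate(NATURAL, key=lambda s: s.hazard).items():
        print(f"{hazard:15s} ${dollars:,.0f}/year")
    for (asset, hazard), share in relative_shares(TERROR).items():
        print(f"{asset} / {hazard}: {share:.1%} of relative terrorism risk")
```

Although the IED is weighted ten times more likely, the constructed chemical scenario still carries about 39% of the relative risk because of its larger Vulnerability and Consequence; `aggregate` refuses relative scenarios so the two scales are never summed.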

 

© 2007 Digital Sandbox, Inc. All rights reserved