Understanding risk management
Understanding risk management is essential for enhancing the sense of security in various facets of life, as it addresses threats that can arise from both natural and intentional causes. In the modern world, risks may include financial instability, health crises, and criminal activities, all of which can impact individuals and communities. Risk management involves assessing the probability and potential damage of these threats, employing mathematical models to quantify risk through factors like likelihood, vulnerability, and damage.
The risk assessment process can use both qualitative and quantitative approaches, each with its own set of advantages and challenges. Once risks are identified, risk mitigation strategies can be implemented, such as insurance, preventive measures, and behavioral changes, aimed at reducing the likelihood or impact of adverse events. Additionally, cost-benefit optimization is integral to risk management, where the effectiveness and costs of countermeasures are evaluated to ensure a favorable return on investment. This complex decision-making process may involve advanced mathematical techniques, including operations research and Bayesian networks, which help organizations and individuals navigate uncertainties and make informed choices. Overall, effective risk management is crucial for maximizing well-being in an unpredictable world.
Summary: Effectively assessing and mitigating risk can involve sophisticated mathematical analysis and modeling.
A feeling of security is essential to the welfare of all people, ancient or modern. Many threats in the twenty-first century can reduce that feeling, including financial problems, disease, and crime. Threats have different causes, which may be grouped into two main categories: natural (random) and intentional (malicious).
![Risk analysis chart By Nirjal stha (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons 94982034-91567.jpg](https://imageserver.ebscohost.com/img/embimages/ers/sp/embedded/94982034-91567.jpg?ephost1=dGJyMNHX8kSepq84xNvgOLCmsE2epq5Srqa4SK6WxWXS)
![Risk response By Nirjal stha (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons 94982034-91566.jpg](https://imageserver.ebscohost.com/img/embimages/ers/sp/embedded/94982034-91566.jpg?ephost1=dGJyMNHX8kSepq84xNvgOLCmsE2epq5Srqa4SK6WxWXS)
Natural causes are independent of human will (for example, natural disasters), while intentional causes stem from the action of some adversary (for example, a terrorist). Some sources of threat, such as illness or accidents, are not completely random: although no intent is involved, correlations can be found between human behavior and these unintended events. Any intelligent being, humans in particular, aims to maximize its own benefit over an entire lifetime on the basis of trade-offs between present expenses and medium- or long-term returns. This goal justifies, among other risk management strategies, the common use of insurance policies and alarm systems.
Risk Assessment
Risk assessment is employed both to predict human behavior with respect to risk and to support the choice of protection strategies of any nature. Assessing risk requires a mathematical model. The most common and simplest model for risk assessment is the formula R = P • V • D.
Risk (R) with respect to a specific threat (T) is a combination of three different factors:
- P, the expected probability of the occurrence of T (how probable is the threat?)
- V, the expected vulnerability with respect to T (how probable is it that T will cause the expected consequences?)
- D, the expected damage caused by T (if the consequences caused by the threat are endured, how damaging are the consequences?)
Note that the combination operator “•” is not necessarily a multiplier. Depending on the criteria used for the analysis and on the type of scale (linear or logarithmic), it can play different roles (even as a sum).
Risk can be evaluated using both qualitative and quantitative approaches. Qualitative indices use reduced scales of values with intuitive meaning, for instance low, medium, and high. The advantage is that estimates are more straightforward (though rougher) and computations are easier. The disadvantage is that results are usually less rigorous, and the combination of qualitative indices is questionable. Quantitative approaches, on the other hand, use and produce parameter values on well-specified metrics. Their disadvantage is the difficulty of obtaining input data, which, being produced by expert judgment, statistical analysis, and stochastic modeling, always carry uncertainty of greater or lesser significance. Their advantage is that quantitative approaches enable automatic optimization using appropriate algorithms.
In some approaches the P•V factor is compacted into a single factor, which will be defined as the frequency (F) of “successful” threats, expressed algebraically as F=P•V.
An example of qualitative risk evaluation using associative matrices is reported in Table 1 using the estimated values of F and D to obtain R.
In quantitative approaches, risk is evaluated using a more formal approach, defining rigorous metrics for the three factors P, V, and D of the risk formula; for instance as follows:
- P is measured in number of threat events per year.
- V=P(T success | T happens), which is the conditional probability that a threat will succeed given that it happens.
- D is measured in monetary damages.
Therefore, in this case, the “•” operator is actually a multiplier, and the risk can be measured; for example, in dollars per year, which is a measurement of an expected periodic monetary loss. The input values of the risk formula can be obtained in several ways, including statistical approaches and stochastic process modeling.
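The following Python script is an added example, not code from the article, covering both the qualitative and the quantitative evaluation described above. The three-by-three associative matrix is a constructed stand-in for the article's Table 1 (which is not reproduced on this page), and the threat portfolio with its P, V and D values is invented for illustration; with P in events per year, V a conditional probability and D in dollars, the "•" operator is a plain product and R comes out in dollars per year.

```python
"""Risk assessment with R = P . V . D (added example, not the article's code).

The threat portfolio, its P/V/D values and the 3x3 qualitative matrix below
are constructed for illustration; the matrix is a stand-in for the article's
Table 1, which is not reproduced on this page.
"""
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")

# Qualitative scale: an associative matrix mapping (F, D) to R.
QUALITATIVE_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}


def qualitative_risk(frequency: str, damage: str) -> str:
    """R looked up from the (F, D) matrix; rejects values off the scale."""
    if frequency not in LEVELS or damage not in LEVELS:
        raise ValueError(f"F and D must be one of {LEVELS}")
    return QUALITATIVE_MATRIX[(frequency, damage)]


@dataclass(frozen=True)
class Threat:
    name: str
    p_per_year: float   # P: expected threat events per year
    v_success: float    # V: P(T succeeds | T happens), in [0, 1]
    d_dollars: float    # D: expected damage per successful event, in dollars


def frequency(t: Threat) -> float:
    """F = P . V: expected successful threat events per year."""
    return t.p_per_year * t.v_success


def annual_risk(t: Threat) -> float:
    """R = P . V . D: expected loss in dollars per year.

    With these metrics the combination operator really is a product, so the
    result carries the units of D per unit of P's time base."""
    if not 0.0 <= t.v_success <= 1.0:
        raise ValueError("V is a conditional probability and must lie in [0, 1]")
    if t.p_per_year < 0.0 or t.d_dollars < 0.0:
        raise ValueError("P and D must be non-negative")
    return frequency(t) * t.d_dollars


def rank_threats(threats):
    """(name, F, R) rows sorted by descending R: the order in which to spend."""
    rows = [(t.name, frequency(t), annual_risk(t)) for t in threats]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed portfolio (illustrative numbers, not measured data).
THREATS = [
    Threat("phishing campaign", p_per_year=12.0, v_success=0.05, d_dollars=40_000),
    Threat("ransomware via exposed RDP", p_per_year=2.0, v_success=0.25, d_dollars=250_000),
    Threat("flood at data centre", p_per_year=0.02, v_success=0.8, d_dollars=2_000_000),
]

if __name__ == "__main__":
    for name, f, r in rank_threats(THREATS):
        print(f"{name:28s} F={f:7.3f}/yr  R=${r:>12,.2f}/yr")
    print("qualitative R for F=medium, D=high:", qualitative_risk("medium", "high"))
```

Note how the ranking differs from what either factor alone suggests: the flood is by far the rarest event but its damage puts its annual risk above the frequent, cheap phishing attempts, which is the point of combining P, V and D rather than reacting to frequency alone.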
Risk Mitigation
In order to reduce the risk, several mechanisms can be adopted. The (possibly iterative) process of assessment and mitigation is sometimes referred to as “risk management.” The objective of this process is to find an optimal trade-off between the expense in protection mechanisms and the expected risk reduction.
Countermeasures can be very different, depending on the type of risk being faced. They include organizational modifications, periodic diagnostic checks, norms, insurance policies, patrols of agents and first responders, sensors and alarm systems, preventive maintenance, early warning, mechanisms for delaying the threat, emergency preparedness, and disaster management.
With reference to the risk formula, a countermeasure should be able to significantly reduce P, V, or D, or all of them at once. For example, in the case of a viral epidemic, a behavioral change (such as staying at home, using cars instead of public transportation, and frequently washing hands) can reduce P, a vaccine or an immunity-strengthening treatment can reduce V, while warmth, rest, and medicines can reduce D.
Cost-Benefit Optimization
Countermeasures employed to reduce the risk have their own cost. While the objective of organizations (such as companies, enterprises, or countries) is to maximize the so-called return on investment, the objective of human beings is to maximize their average welfare throughout their lives. Therefore, countermeasures are adopted whose cost and effectiveness are judged to be “adequate.” A more formal approach consists in analytically predicting the benefits resulting from the selected countermeasures, which needs appropriate mathematical models. In quantitative approaches, the periodic Expected Benefit (EB) is defined as EB = RR - CC, where RR is the expected risk reduction in a specified time slot and CC is the cost of the countermeasures in the same time slot.
The RR parameter is evaluated using standard risk assessment methodologies. Depending on the countermeasures, the CC can depend on the length of the time slot. For instance, a vaccine can last a whole lifetime with no additional costs, while insurance has periodic costs; alarm systems have an initial expense for the buying and installation of devices and additional costs because of maintenance and power consumption. Furthermore, a reliable payback analysis requires considering not only the initial investment but also the financial concepts of cash flow, opportunity cost, and final value of the capital invested.
Once a suitable mathematical model for computing the EB has been defined, it is possible to perform a set of analyses, including parameter sensitivity and automatic optimizations.
Parametric sensitivity analysis evaluates the impact of data uncertainty on the computed results. It requires that input data be modified (increased or decreased by a certain percentage) and the corresponding results evaluated. Depending on the results, a model can be assessed as more or less robust to certain input parameters: the more the results are affected by variations in an input parameter, the less suitable the model is for evaluation with uncertain data.
Automatic optimization can be performed using appropriate algorithms with the aim of maximizing the EB under possible external constraints, such as a limited budget. For linear problems, operations research provides a set of algorithms suitable for multi-variable and multi-objective optimization of a specific function. For large non-linear problems, genetic algorithms, which mimic the evolution of living beings, can be adopted. Genetic algorithms are based on the concepts of populations of solutions, selection, crossover, and mutation. They have proven useful in solving a large number of optimization problems, including those regarding risk minimization, that are difficult or impossible to handle using traditional approaches.
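The script below is an added example, not the article's code, and serves the three preceding passages together: it computes EB = RR - CC for countermeasures that scale P, V or D, runs the parametric sensitivity check (each input moved by a fixed percentage), and then selects the subset of countermeasures with the best EB that fits a budget. The threat, the four options, their factors and costs are all constructed; the model assumes that effects on the same factor are independent (so their factors multiply) and leaves out cash-flow discounting. For a handful of options the constrained optimization is done by exhaustive search over subsets, which is the brute-force baseline that the operations research and genetic-algorithm methods in the text replace when the problem grows.

```python
"""Added example (not the article's code): expected benefit EB = RR - CC of
countermeasures acting on P, V or D, a parametric sensitivity check, and a
budget-constrained choice of countermeasures. All numbers are constructed."""
from dataclasses import dataclass, replace
from itertools import combinations


@dataclass(frozen=True)
class Threat:
    p_per_year: float   # P: threat events per year
    v_success: float    # V: P(success | event), in [0, 1]
    d_dollars: float    # D: damage per successful event, in dollars


@dataclass(frozen=True)
class Countermeasure:
    name: str
    p_factor: float = 1.0   # multiplies P (1.0 = no effect on that term)
    v_factor: float = 1.0   # multiplies V
    d_factor: float = 1.0   # multiplies D
    capex: float = 0.0      # one-off cost: purchase, installation
    opex: float = 0.0       # recurring cost per year: maintenance, premiums


def annual_risk(t: Threat) -> float:
    """R = P . V . D, dollars per year."""
    return t.p_per_year * t.v_success * t.d_dollars


def residual(t: Threat, cms) -> Threat:
    """Threat left after every countermeasure in `cms` has acted.
    Effects on the same term are assumed independent, so factors multiply."""
    p, v, d = t.p_per_year, t.v_success, t.d_dollars
    for cm in cms:
        p, v, d = p * cm.p_factor, v * cm.v_factor, d * cm.d_factor
    return Threat(p, min(v, 1.0), d)


def cost(cms, years: int) -> float:
    """CC over a slot of `years` years: capital outlay plus recurring cost."""
    return sum(cm.capex + cm.opex * years for cm in cms)


def expected_benefit(t: Threat, cms, years: int) -> float:
    """EB = RR - CC, with RR the risk reduction summed over the slot.
    Discounting of cash flows is left out to keep the example short."""
    if years <= 0:
        raise ValueError("time slot must be at least one year")
    rr = (annual_risk(t) - annual_risk(residual(t, cms))) * years
    return rr - cost(cms, years)


def sensitivity(t: Threat, cms, years: int, pct: float) -> dict:
    """EB after moving each of P, V, D by -pct and +pct (others fixed).
    A wide interval means EB is fragile to that input's uncertainty."""
    out = {}
    for field in ("p_per_year", "v_success", "d_dollars"):
        val = getattr(t, field)
        lo = replace(t, **{field: val * (1.0 - pct)})
        hi = replace(t, **{field: val * (1.0 + pct)})
        if hi.v_success > 1.0:          # V is a probability; clamp the perturbation
            hi = replace(hi, v_success=1.0)
        out[field] = (expected_benefit(lo, cms, years), expected_benefit(hi, cms, years))
    return out


def best_portfolio(t: Threat, candidates, years: int, budget: float):
    """Subset of `candidates` with the largest EB whose CC fits `budget`.
    Exhaustive over 2^n subsets, so only for a handful of options; the
    OR and genetic-algorithm methods in the text are for larger problems."""
    best, best_eb = (), 0.0              # doing nothing costs nothing and has EB = 0
    for k in range(1, len(candidates) + 1):
        for subset in combinations(candidates, k):
            if cost(subset, years) > budget:
                continue
            eb = expected_benefit(t, subset, years)
            if eb > best_eb:
                best, best_eb = subset, eb
    return tuple(cm.name for cm in best), best_eb


# Constructed scenario: an exposed remote-access service, four options, 5-year slot.
THREAT = Threat(p_per_year=2.0, v_success=0.25, d_dollars=250_000)
OPTIONS = [
    Countermeasure("MFA on remote access", v_factor=0.2, capex=20_000, opex=5_000),
    Countermeasure("offline backups", d_factor=0.4, capex=15_000, opex=3_000),
    Countermeasure("cyber insurance", d_factor=0.5, opex=30_000),
    Countermeasure("remove public exposure", p_factor=0.1, capex=40_000, opex=2_000),
]

if __name__ == "__main__":
    for cm in OPTIONS:
        print(f"{cm.name:24s} EB over 5y = ${expected_benefit(THREAT, [cm], 5):>12,.0f}")
    print("MFA, inputs +/-20%:", sensitivity(THREAT, [OPTIONS[0]], 5, 0.2))
    for budget in (60_000, 100_000):
        print(f"budget ${budget:,}:", best_portfolio(THREAT, OPTIONS, 5, budget))
```

Two things to notice when running it. First, because all effects are multiplicative, EB responds identically to a 20% error in P, V or D, so the sensitivity table tells you which input to spend measurement effort on only once the model has non-linear terms (a premium that depends on D, say). Second, the best set of countermeasures is not the sum of the best individual ones: two measures that both cut D overlap, while measures on different factors compound, which is why the exhaustive search (and, at scale, the optimizers the text names) is needed rather than ranking options one by one.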
In conclusion, when security is tied to personal benefit maximization, the mathematical techniques involved can be very complex, since they fall in the area of multi-objective optimization with external constraints and conflicting requirements. Operations research has investigated similar problems, which have also attracted interest from researchers in statistics and probabilistic modeling. In particular, Bayesian networks are among the formalisms suited to stochastic cause-and-consequence modeling using a graph-based approach; they can also be extended with decision and cost nodes, in which case they are named “influence diagrams.” Bayesian networks are directed acyclic graphs (DAGs) in which nodes represent random variables and arcs represent stochastic dependencies quantified by conditional probability tables (CPTs). It can be formally shown that a well-formed Bayesian network represents the joint probability distribution of the variables it describes, as the product of the CPTs. Several user-friendly graphical tools are available for solving Bayesian networks. However, exact inference in general Bayesian networks is NP-hard, so solver efficiency worsens significantly as the size and complexity of the network increase.
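As an added example (not from the article, and not the code of any of the graphical tools it mentions), the following Python builds a four-node Bayesian network with explicit CPTs, checks that it is well formed (parents precede children in a topological order, every CPT row present), recovers the joint distribution as the product of the CPTs, and answers conditional queries by enumerating the hidden variables. The variable names and all probabilities are constructed; the exponential loop in `query` is exactly the cost that makes exact inference impractical on large networks.

```python
"""Added example (not the article's code, nor any named tool): a small
Bayesian network over binary variables, with exact inference by enumeration.
Structure, variable names and CPT numbers are constructed for illustration."""
from itertools import product

# DAG:  Attack -> Success <- Patched,  Success -> Loss
# Each CPT maps a tuple of parent values (True/False) to P(node = True).
NODES = {
    "Attack":  {"parents": (), "cpt": {(): 0.3}},
    "Patched": {"parents": (), "cpt": {(): 0.7}},
    "Success": {"parents": ("Attack", "Patched"),
                "cpt": {(True, True): 0.1, (True, False): 0.6,
                        (False, True): 0.0, (False, False): 0.0}},
    "Loss":    {"parents": ("Success",), "cpt": {(True,): 0.8, (False,): 0.02}},
}
ORDER = ("Attack", "Patched", "Success", "Loss")   # a topological order of the DAG


def validate() -> bool:
    """Well-formedness: every parent precedes its child in ORDER (so the graph
    is acyclic) and every CPT has a row for each combination of parent values."""
    seen = set()
    for name in ORDER:
        spec = NODES[name]
        if any(p not in seen for p in spec["parents"]):
            return False
        if set(spec["cpt"]) != set(product((False, True), repeat=len(spec["parents"]))):
            return False
        seen.add(name)
    return len(seen) == len(NODES)


def node_prob(name, value, assignment) -> float:
    """P(name = value | parents), read from the node's CPT."""
    spec = NODES[name]
    p_true = spec["cpt"][tuple(assignment[p] for p in spec["parents"])]
    return p_true if value else 1.0 - p_true


def joint(assignment) -> float:
    """P(x_1, ..., x_n) = prod_i P(x_i | parents(x_i)): the factorisation the DAG encodes."""
    p = 1.0
    for name in ORDER:
        p *= node_prob(name, assignment[name], assignment)
    return p


def total_mass() -> float:
    """Sum of the joint over all 2^n assignments; must be 1 for a valid network."""
    return sum(joint(dict(zip(ORDER, vals))) for vals in product((False, True), repeat=len(ORDER)))


def query(target, evidence) -> float:
    """P(target = True | evidence) by summing the joint over the hidden variables.
    The loop is exponential in the number of hidden variables, which is why
    exact inference stops being practical on large networks."""
    if target in evidence:
        raise ValueError("target cannot also be observed")
    hidden = [n for n in ORDER if n != target and n not in evidence]
    num = den = 0.0
    for vals in product((False, True), repeat=len(hidden)):
        a = dict(evidence, **dict(zip(hidden, vals)))
        for tv in (False, True):
            a[target] = tv
            w = joint(a)
            den += w
            num += w if tv else 0.0
    if den == 0.0:
        raise ValueError("evidence has probability zero under the model")
    return num / den


if __name__ == "__main__":
    assert validate()
    print("total mass:", total_mass())
    print("P(Loss):", query("Loss", {}))
    print("P(Attack | Loss):", query("Attack", {"Loss": True}))
    print("P(Loss | Patched):", query("Loss", {"Patched": True}))
    print("P(Loss | not Patched):", query("Loss", {"Patched": False}))
```

The two directions of inference are both useful in risk work: forward queries such as P(Loss | Patched) give the D-side input for an EB comparison of patching against not patching, while a backward query such as P(Attack | Loss) is the diagnostic step of an incident, updating the 0.3 prior on an attack to well over 0.8 once a loss is observed.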