A decision framework for risk management, with application to the offshore oil and gas industry

In this paper we present and discuss a decision framework for risk management. The framework comprises the basic elements: problem definition (challenges, goals and alternatives), stakeholders, concerns that affect the consequence analyses and the value judgments related to these consequences and analyses (frame conditions and constraints), identification of which consequence analyses to execute and the execution of these, managerial review and judgement, and the decision. The framework has novel aspects on the way of classifying the decision situations and characterising risks. The classification is based on the two dimensions, expected consequences, and uncertainties. Our starting point is the offshore oil and gas industry, but our framework and discussion is to a large extent general and could also be applied in other areas. An example is outlined to illustrate the use of the framework.     

Quantitative risk and optimal design approaches in the snow avalanche field: Review and extensions

Standard engineering procedures, such as adopting high return periods as reference events, are a simplified means of handling the complex and multivariate nature of snow avalanches. Furthermore, such methods do not explicitly take into account the elements at risk and/or possible budgetary constraints. In recent years, many authors from a variety of fields have tried to overcome these limitations with quantitative risk evaluations including cost–benefit analyses. Their proposals are based on different modelling assumptions, and often on different definitions for certain important concepts including scenarios, vulnerability relations and time effects. The first goal of this paper is to propose a state of the art, and to discuss the common points, advantages and drawbacks of the various proposals within a unified formal framework based on decision theory. Most of the applications already in use concern long term risk assessment in land use planning and traffic road regulation, but some potential also exists for short term problems including risk assessment to back-country skiing. In a second time, new extensions of a simple decisional model for the optimal design of an avalanche dam are proposed to illustrate the key point of the place of uncertainty in risk analyses. Finally, to stimulate further research efforts, other important outlooks including computational issues, multivariate optimal design and measures of risk alternative to the standard expected loss minimisation are discussed.     

Collaboration structure and knowledge diffusion in Turkish management academia

This article proposes a conceptual framework to study diffusion of knowledge via collaborative social interactions. The framework primes deliberation on (i) nature of knowledg, (ii) chain of knowledge process, and (iii) modes of knowledge transfer while examining mechanisms of knowledge diffusion and collaboration structure. Within such a differentiation scheme while information is considered as a form of filtered data within a context of relevancies, knowledge is considered as a systematically processed information that is bound to individual or collective actions and praxis. The framework is applied employing an empirical research method based on meta-network analysis. The examplary case traces how management sciences related knowledge is diffused and what collaboration structures are exhibited by Turkish management academia from 1920s until 2008. Results from knowledge diffusion models which have been devised and tested in this study hint that management knowledge within local publications follows patterns of information diffusion rather than patterns of knowledge transfer found elsewhere. On the other hand, it is seen that cognitive demand of publishing in citation indexed global journals have given way to cohesive collaborating teams as mean of collaborative knowledge production and transfer.     

A method for risk modeling of interdependencies in critical infrastructures

Failures in critical infrastructures may be hazardous to population, economy, and national security. There can be strong interdependencies between various infrastructures, but these interdependencies are seldom accounted for in current risk and vulnerability analyses. To reduce probability and mitigate consequences of infrastructure failures, these interdependencies have to be assessed. The objective of this paper is to present a method for assessing interdependencies of critical infrastructures, as part of a cross-sector risk and vulnerability analysis. The method is based on a relatively simple approach applicable for practitioners, but may be extended for more detailed analyses by specialists. Examples from a case study with the Emergency Preparedness Group of the city of Oslo, Norway, are included.     

Comprehensive Information Security Evaluation Model Based on Multi-Level Decomposition Feedback for IoT

The development of the Internet of Things (IoT) calls for a comprehensive information security evaluation framework to quantitatively measure the safety score and risk (S&R) value of the network urgently. In this paper, we summarize the architecture and vulnerability in IoT and propose a comprehensive information security evaluation model based on multi-level decomposition feedback. The evaluation model provides an idea for information security evaluation of IoT and guides the security decision maker for dynamic protection. Firstly, we establish an overall evaluation indicator system that includes four primary indicators of threat information, asset, vulnerability, and management, respectively. It also includes eleven secondary indicators of system protection rate, attack detection rate, confidentiality, availability, controllability, identifiability, number of vulnerabilities, vulnerability hazard level, staff organization, enterprise grading and service continuity, respectively. Then, we build the core algorithm to enable the evaluation model, wherein a novel weighting technique is developed and a quantitative method is proposed to measure the S&R value. Moreover, in order to better supervise the performance of the proposed evaluation model, we present four novel indicators includes residual risk, continuous conformity of residual risk, head-to-tail consistency and decrease ratio, respectively. Simulation results show the advantages of the proposed model in the evaluation of information security for IoT.     

Selective critique of risk assessments with recommendations for improving methodology and practise

Risk assessments are often criticised for defending activities that could harm the environment and human health. The risk assessments produce numbers which are used to prove that the risk associated with the activity is acceptable. In this way, risk assessments seem to be a tool generally serving business. Government agencies have based their regulations on the use of risk assessment and the prevailing practise is supported by the regulations. In this paper, we look more closely into this critique. Are risk assessments being misused or are risk assessments simply not a suitable tool for guiding decision-making in the face of risks and uncertainties? Is the use of risk assessments not servicing public interests? We argue that risk assessments may provide useful decision support but the quality of the risk assessments and the associated risk assessment processes need to be improved. In this paper, three main improvement areas (success factors) are identified and discussed: (1) the scientific basis of the risk assessments needs to be strengthened, (2) the risk assessments need to provide a much broader risk picture than what is typically the case today. Separate uncertainty analyses should be carried out, extending the traditional probabilistic-based analyses and (3) the cautionary and precautionary principles need to be seen as rational risk management approaches, and their application would, to a large extent, be based on risk and uncertainty assessments.     

Hierarchical, model-based risk management of critical infrastructures

Risk management is a process that includes several steps, from vulnerability analysis to the formulation of a risk mitigation plan that selects countermeasures to be adopted. With reference to an information infrastructure, we present a risk management strategy that considers a sequence of hierarchical models, each describing dependencies among infrastructure components. A dependency exists anytime a security-related attribute of a component depends upon the attributes of other components. We discuss how this notion supports the formal definition of risk mitigation plan and the evaluation of the infrastructure robustness. A hierarchical relation exists among models that are analyzed because each model increases the level of details of some components in a previous one. Since components and dependencies are modeled through a hypergraph, to increase the model detail level, some hypergraph nodes are replaced by more and more detailed hypergraphs. We show how critical information for the assessment can be automatically deduced from the hypergraph and define conditions that determine cases where a hierarchical decomposition simplifies the assessment. In these cases, the assessment has to analyze the hypergraph that replaces the component rather than applying again all the analyses to a more detailed, and hence larger, hypergraph. We also show how the proposed framework supports the definition of a risk mitigation plan and discuss some indicators of the overall infrastructure robustness. Lastly, the development of tools to support the assessment is discussed.     

Antecedents of proactive supply chain risk management – a contingency theory perspective

Since supplier insolvencies are a major source of supply chain disruptions, scholars have continuously suggested managing supply chain risk management (SCRM) proactively in order to avoid their occurrence. However, business practice seems to fail with this task. This paper investigates antecedents which foster proactive SCRM implementation from a contingency theory perspective. As a major contingency we choose past supplier insolvencies as an indicator for the level of vulnerability of organisations and investigate inter-organisational, intra-organisational, and individual antecedents. By consulting supply chain management and management accounting literature, hypotheses are developed and tested via content analysis in 63 interviews with representatives from the automotive industry. The findings demonstrate that a mechanistic management control system, a rational cognitive style and relational buyer–supplier relationships have positive impacts on proactively managing supplier insolvency risks. Furthermore, past experience with supplier insolvencies has a moderating, though not a direct, effect on proactiveness. This research suggests that a holistic risk management approach is required to proactively mitigate supplier insolvency risk.     

Integrating risk analysis and multi-criteria decision support under uncertainty in electricity distribution system asset management

Asset managers in electricity distribution companies generally recognize the need and the challenge of adding structure and a higher degree of formal analysis into the increasingly complex asset management decisions. This implies improving the present asset management practice by making the best use of the available data and expert knowledge and by adopting new methods for risk analysis and decision support and nevertheless better ways to document the decisions made.This paper discusses methods for integrating risk analysis and multi-criteria decision support under uncertainty in electricity distribution system asset management. The focus is on how to include the different company objectives and risk analyses into a structured decision framework when deciding how to handle the physical assets of the electricity distribution network.This paper presents an illustrative example of decision support for maintenance and reinvestment strategies based, using expert knowledge, simplified risk analyses and multi-criteria decision analysis under uncertainty.     

Risk assessment for civil engineering facilities: critical overview and discussion

The present paper should be seen as a basis for discussion of important aspects of risk analysis and assessment, as well as attempting to describe risk assessment in accordance with the present state of the art. Risk assessment is thus presented in an overview form from the viewpoint of being a means for decision-making and thus within the formal framework of decision theory. First the motivation for risk analysis is given and the theoretical basis together with the practical aspects, methodologies and techniques for the implementation of risk assessment in civil engineering applications are explained and discussed. The paper furthermore addresses the problems associated with risk acceptance criteria, risk aversion and value of human life and attempts to provide suggestions for the rational treatment of these aspects. Finally a number of problem areas are highlighted and the needs for further education, research and dissemination are stressed.     

Modeling Skewness in Vulnerability Discovery

A vulnerability discovery model attempts to model the rate at which the vulnerabilities are discovered in a software product. Recent studies have shown that the S‐shaped Alhazmi–Malaiya Logistic (AML) vulnerability discovery model often fits better than other models and demonstrates superior prediction capabilities for several major software systems. However, the AML model is based on the logistic distribution, which assumes a symmetrical discovery process with a peak in the center. Hence, it can be expected that when the discovery process does not follow a symmetrical pattern, an asymmetrical distribution based discovery model might perform better. Here, the relationship between performance of S‐shaped vulnerability discovery models and the skewness in target vulnerability datasets is examined. To study the possible dependence on the skew, alternative S‐shaped models based on the Weibull, Beta, Gamma and Normal distributions are introduced and evaluated. The models are fitted to data from eight major software systems. The applicability of the models is examined using two separate approaches: goodness of fit test to see how well the models track the data, and prediction capability using average error and average bias measures. It is observed that an excellent goodness of fit does not necessarily result in a superior prediction capability. The results show that when the prediction capability is considered, all the right skewed datasets are represented better with the Gamma distribution‐based model. The symmetrical models tend to predict better for left skewed datasets; the AML model is found to be the best among them. Copyright © 2013 John Wiley & Sons, Ltd.     

Supply chain risk classification: discussion and proposal

The supply chain management philosophy has often been used by organisations to achieve a competitive advantage, but it increases the vulnerability of these supply chains (SC) to certain risks. This dialogue between competitive advantage and risk generation has increased the number of studies related to the topic of ‘supply chain risk management’. Aiming to contribute to this field of research, a literature survey was conducted on 16 risk classifications, which included 56 risk types. These risk types were sorted according to existing conceptual similarities and then related to the five management processes intrinsic in a functional SC (plan, source, make, deliver and return), which are mainly advocated by the supply chain operations reference model. This literature review also highlights the lack of consensus among the surveyed authors concerning the risk types that affect a SC, a gap which this paper seeks to close by proposing a supply chain risk classification.     

Environmental vulnerability assessment in the vicinity of an industrial site in the frame of ARAMIS European project

This work has been carried out in the framework of the ARAMIS project, which aims at developing a comprehensive procedure for assessing the risk level associated to an industrial site with respect to the surrounding environment. To this end, an index is defined which consists of the contribution of three terms, expressing the severity of the scenario consequences, the efficiency of the safety management and the vulnerability of the surrounding environment. The present work focuses on this last aspect concerning the determination of the vulnerability, of the area in the vicinity of an industrial site, of human, environmental (or natural) and material stakes. The applied methodology consists in identifying and quantifying the targets by the means of a geographical information system (GIS) and in assessing the contribution of each target on the basis of a multicriteria decision approach (Saaty method). The result is an operational tool allowing competent authorities, industrialists and risk experts to assess the vulnerability of the area surrounding an industrial site.     

Security risk assessment: Applying the concepts of fuzzy logic

Chemical process industries (CPI) handling hazardous chemicals in bulk can be attractive targets for deliberate adversarial actions by terrorists, criminals and disgruntled employees. It is therefore imperative to have comprehensive security risk management programme including effective security risk assessment techniques. In an earlier work, it has been shown that security risk assessment can be done by conducting threat and vulnerability analysis or by developing Security Risk Factor Table (SRFT). HAZOP type vulnerability assessment sheets can be developed that are scenario based. In SRFT model, important security risk bearing factors such as location, ownership, visibility, inventory, etc., have been used. In this paper, the earlier developed SRFT model has been modified using the concepts of fuzzy logic. In the modified SRFT model, two linguistic fuzzy scales (three-point and four-point) are devised based on trapezoidal fuzzy numbers. Human subjectivity of different experts associated with previous SRFT model is tackled by mapping their scores to the newly devised fuzzy scale. Finally, the fuzzy score thus obtained is defuzzyfied to get the results. A test case of a refinery is used to explain the method and compared with the earlier work.     

Supply chain risk modelling and mitigation

In today’s global competitive environment, supply chains are more susceptible to vulnerability due to the increasing occurrence of internal and external risk events. In addition, the trend associated with lean management, which involves reducing inventory, leads to more dependency of supply chain partners on each other which exacerbates risk exposure of companies in the supply chain. This creates the need for more effective management of supply chain risks. In this research, a methodology based on Bow-Tie analysis and optimisation techniques is proposed to quantify and mitigate supply chain risks. The proposed methodology takes into consideration risk interconnections, and it identifies the best combination of mitigation strategies under budget constraints. A real case study from a high-end server manufacturing environment is presented. Results from the case study showed that the proposed methodology for risk modelling and mitigation can effectively be used to quantify the risks and achieve the required risk reduction at minimum cost while considering risk correlations.     

The role of network theory and object-oriented modeling within a framework for the vulnerability analysis of critical infrastructures

A framework for the analysis of the vulnerability of critical infrastructures has been proposed by some of the authors. The framework basically consists of two successive stages: (i) a screening analysis for identifying the parts of the critical infrastructure most relevant with respect to its vulnerability and (ii) a detailed modeling of the operational dynamics of the identified parts for gaining insights on the causes and mechanisms responsible for the vulnerability. In this paper, a critical presentation is offered of the results of a set of investigations aimed at evaluating the potentials of (i) using network analysis based on measures of topological interconnection and reliability efficiency, for the screening task; (ii) using object-oriented modeling as the simulation framework to capture the detailed dynamics of the operational scenarios involving the most vulnerable parts of the critical infrastructure as identified by the preceding network analysis. A case study based on the Swiss high-voltage transmission system is considered. The results are cross-compared and evaluated; the needs of further research are defined.     

Seismic vulnerability assessment of a continuous steel box girder bridge considering influence of LRB properties

Bridges are one of the most crucial facilities of transportation networks. Therefore, evaluation of the seismic vulnerability of bridge structures is perpetually regarded topic for researchers. In this study, we developed seismic fragility curves for a continuous steel box girder bridge considering the effect of different levels of mechanical properties of lead rubber bearing (LRB) devices including initial stiffness and yield strength on the seismic performance of such structure. A powerful framework for an earthquake engineering simulation, OpenSees, is used to perform nonlinear analyses of the bridge model. In order to construct fragility curves for this structure, a set of 20 ground acceleration records is adopted and various scales of the peak ground acceleration (PGA) from 0.1 to 1.6 g are considered. Besides, a series of damage state of the bridgeis defined based on a damage index, which is expressed in terms of the column displacement ductility ratio. Fragility analyses result reveals that reducing the initial stiffness of LRBs reduces the seismic vulnerability of bridge piers and vice versa. Meanwhile, the changes of the yield strength of LRBs have trivially effected on the seismic behaviour of the bridge piers. On the other hand, the short pier has performed more susceptibly than those of the high pier in both seismically-isolated and non-isolated bridge cases. Lastly, the results in this research also indicate that the bridge structures equipped with seismic isolation devices (e.g. LRBs) significantly mitigated the damages due to earthquakes.     

Identification, ranking, and management of risks in a major system acquisition

Risk management is essential to protect the quality of a large-scale engineering effort. It should be a well-defined process that builds on an encompassing and detailed understanding of the purpose, elements, and contexts of the system. It should accommodate qualitative and quantitative information in understanding sources of risk. In an application paper, we use hierarchical holographic modeling (HHM) to identify sources of risk in the acquisition of a large ($1 billion US) software and database system. HHM provides a framework to integrate the perceptions by managers and analysts of what could go wrong in the acquisition. In addition, we filter and prioritize the identified sources of risk based on their likelihoods and potential consequences. Finally, we generate and evaluate alternatives for risk management, focusing on potential impacts to the acquisition schedule.     

Expressing and interpreting the results of quantitative risk analyses. Review and discussion

One of the most fundamental problems when using quantitative risk analyses is related to the way the results of the analyses are expressed and interpreted. Should we restrict our attention to unobservable quantities such as hazard rates and statistically expected values (frequencies), or should we focus on the prediction of observable quantities such as the occurrence of an accidental event, the time to a specific event occurs, etc.? In this article we review the alternative approaches and discuss the implications concerning e.g. the meaning of ‘uncertainty’ of the risk numbers generated. We conclude that in practice there is no alternative but adopting the latter approach, focusing on observable quantities and using ‘subjective probabilities’. The subjectivistic (Bayesian) theory of probability provides the framework for the coherent use of judgement, which constitutes a significant (sometimes the only) part of the information that is available to us. However, it is not clear to most risk analysts what the Bayesian approach really means. There is a strong need for a more attractive presentation of the Bayesian approach. This article intends to contribute to such a presentation.