McGill Research Blog

• Performed my first web crawl with Nutch… I am feeling more like IST every day! #

Powered by Twitter Tools

Send article as PDF to

• Baby today… Should be interesting… #
• Definitely baby today… In Labor and Delivery now… Hope to be done by 8pm… #
• The delivery room is right across from the coffee machine… And there is a new pot brewing… WIN #
• Showtime in 5… Baby will be born before 7pm (we think)… No 3 seems so much easier… #
• This is the pic taken very soon before baby… Everyone is in good spirits here at Mt Nittany… http://twitpic.com/163yny #
• Water broke… Any minute now… room is getting setup for action… #
• Baby time… #
• Officially outnumbered… http://twitpic.com/1649l7 #
• Katie Mei McGill… Born 7:35p, 1 Mar 2010 http://twitpic.com/164aeo #
• Nothing beats postpartum cranberry juice and graham crackers… #
• Some specs… 5lb 7oz, length = 19+ inches, lots of hair, very cute, VERY HUNGRY (poor Jinny), getting a bath as we speak… #
• Now that the fun is over, gotta get ready for teaching in the morning… #
• Ah… My truck isn't big enough to accomodate me, myself and our three kids (w/ car seats)… What to do outside of getting a minivan? #
• Two kids in diapers… Sucks. #
• Katie's first appt checks out ok… Good to go for two more weeks… All is better than well so far… #

Powered by Twitter Tools

Send article as PDF to

As cited in Jurges (1973):

Ultimately all decisions are made on the basis of judgment.  There is no other way; and there never will be.  The question is whether these judgments are made in the fog of inadequate data, unclear and undefined issues or whether they can be made on the basis of adequate, reliable information, reliable experience and clear issues.  In the end, analysis is but an aid to judgment – judgment is supreme. – Katz and Kahn (1966)

References

Jurges, G. F. (1973). “Risk Management Keeps Aircraft Carrier Overhaul Planning on Schedule.” Naval Engineers Journal, October, pp. 13-24.

Katz, D. and Kahn, R. L. (1966). The Social Psychology of Organizations.  Wiley.

Send article as PDF to

• For a limited time we won't use chemicals to sweeten our drinks… http://twitpic.com/zexcd #

Powered by Twitter Tools

Send article as PDF to

• This is the year that will make or break me (more likely the former, I hope…)… #
• When will @mightcould come to central PA? Their sounds are awesome and great for late night writing… #

Powered by Twitter Tools

Send article as PDF to

• Sipping on my last espresso doppio in Milan before heading back to the states… Italy is truly my favorite vacation place… #
• Wow… getting home from Milan really sucked… I mean, it was truly awful… travel to the US from Europe is really a pain these days… #
• After Friday, I will be taking a four month break from traveling… traveling anywhere, especially to DC, is such a drag on time and energy #
• USAirways lost my son's stroller… guess who had to carry his squirmy 25lb body for 2 hours on the hot, overcrowded customs line at PHL? #
• Whoah… there is some sort of debate thing happening on my Facebook wall… should I intervene? What should I do? #
• One of yesterday's speakers had a heart attack right before she was going to answer a colleague's question… I hope she is all right now… #

Powered by Twitter Tools

Send article as PDF to

Note: Article updated on 17 Jan 2010

In 1981, Kaplan and Garrick published a paper entitled “On the Quantitative Definition of Risk” that defined risk as the set of all ordered triplets comprised of answers to the following triplet of questions (Kaplan and Garrick 1981):

• What can go wrong?
• How likely is it to go wrong?
• What are the consequences?

These three questions set the stage for what most risk professionals consider to be the fundamental questions of risk assessment. In recent years, more questions have been suggested, including:

• How much uncertainty is present in the analysis? (Lowder 2008)
• Over what time frame? (Haimes 2009)
• Are these risks tolerable?

In 1991, Professor Yacov Haimes offered a second set of three questions focused on the practice of risk management (Haimes 1991):

• What can be done?
• What options are available and what are the benefits and costs of each?
• What impact do these options have on future options?

Mr. Bob Ross offered a few more interesting risk questions, including several for establishing the risk context (Ross 2009):

• What are my risk management responsibilities?
• What outcomes and objectives am I expected to achieve?
• How are risks perceived by those to whom I am answerable?

Ross also offered a few more for risk management (labeled risk response or more generally risk treatment):

• What could I do about it? (the “options” part of the second Haimes risk management question)
• What should I do about it?
• What will I do about it?

And a few more on risk management effectiveness:

• How well is my chosen course of action working?
• Has anything changed that requires altering my existing risk management measures?
• Are there current trends and/or potential future developments that could require altering my existing risk management measures?

At a high level, Dr. Tony Cox summarizes all of risk analysis in terms of four high-level questions as follows (Cox 2009):

• How bad is it? (Risk Assessment)
• What to say about it? (Risk Communication)
• What to do about it? (Risk Management)
• Who to blame for it? (Risk Attribution)

Seeing how the ultimate goal of studying risk in general is to communicate risk knowledge to people that can then use it to make better (i.e., risk informed or risk supported) decisions. Risk communication, then, must consider the following lower-level questions that would help analysts decide on what to say about risk (Morgan et al. 2002; Apgar 2006):

• What does the intended recipient think or know?
• What does the recipient need to know?
• How should it be told?

Mr. Bob Ross offered the following additional questions for risk communication:

• Between whom does it need to be communicated?
• How can the necessary risk information be most effectively communicated?

Of course, there is always the risk that a communication goes south, thus we should also entertain the questions:

• How likely is it that the communication will work?
• How bad would it be if it doesn’t?

If you look carefully at these questions, you might find some overlap among them and also find that they may be interpreted in different ways by different people. In fact, we could consolidate all of these questions into a triplet of risk analysis triplets. These are summarized as follows.  Given a clearly and precisely specified situational context (e.g., security context), risk analysis centers on the following nine broad questions:

Risk Assessment Triplet

1. What can happen? Answer: scenarios characterized by the pairing of cause and outcome, where associated with outcome is the time frame
2. How likely is it? Answer: product of probability of cause and probability of outcome given cause; uncertainy in the answers is captured using imprecise probabilities
3. How bad would it be? Answer: severity of the cause/outcome pair

Risk Communication Triplet

1. What does the recipient presently think, know and perceive? Answer: the recipient’s mental model and lens for interpreting and integrating new information
2. What does the recipient need to know? Answer: key messages to improve the recipient’s understanding
3. How should it be told? Answer: in what form must the information be communicated and who should communicate it, this includes all risks associated with communications

Risk Negotiation Triplet*

1. What can be done? Answer: the types of changes that can be made in the time frame of interest
2. What options are available? Answer: Answer: real feasible options that are available with assessed benefits and costs of each, where benefits and costs include impact on future options, and all assessments include uncertainty
3. What should be done? Answer: compares benefits, costs and risks of each option in addition to other factors with a variety of non risk-related alternatives including the “do-nothing” option

*Note: In this context, Risk Negotiation refers to an organization’s discussions and deliberations around a variety of risk treatments relative to the organization’s attitude and tolerance for risk.

Risk management revisits this triplet of triplets over and over again in perpetuity. With time, we learn how well our choices fared through continuous analysis and reanalysis of our systems and their environments. With every action we take, the systems we protect respond with new or modified risks with updated probabilities and severities, and new options and considerations emerge while others become infeasible or irrelevant. And of course, with time and change comes new uncertainties and misunderstandings, both of which require the dedicated attention of risk professionals to study and resolve.

References

Apgar, D. (2006). Risk Intelligence: How to Manage What You Don’t Know. Harvard Business School Press (ISBN 1591399548).

Coles-Kemp, L. (2009). “The Effect of Organisational Structure and Culture on Information Security Risk Processes.” Risk Research Symposium (link here).

Cox, L. A. (2009). “Traditional and Current Risk Analysis.” Presented at the MORS 2009 Workshop, April 2009 (link here).

Haimes, Y. Y. (1991). “Total Risk Management.” Risk Analysis, Vol. 11, No. 2, pp. 169-171 (doi link).

Haimes, Y. Y. (2009). “On the Complex Definition of Risk: A Systems-Based Approach.” Risk Analysis, Vol. 29, No. 12, pp. 1647-1654 (doi link).

Kaplan, S. and Garrick, B. J. (1981). “On the Quantitative Definition of Risk.” Risk Analysis, Vol. 1, No. 1, pp. 11-27 (doi link).

Lowder, J. (2008). “The Difference Between Quantitative and Qualitative Risk Analysis and Why it Matters (Part 1).” BlogInfoSec.org (link here).

Morgan, M. G., Fischhoff, B., Bostrom, A. and Atman, C. (2002). Risk Communication: A Mental Models Approach. Cambridge University Press (ISBN 0521002567).

Ross, R. G. (2009). “Total Risk Management Revisited.” Working Paper.

Send article as PDF to

• Might Could is an awesome band… http://bit.ly/8d2tJq … their albums are available on iTunes… good for late night risk analysis… #
• Why do I always get stuck working on a short-fused project during the holiday season? It seems I will be working up until my flight to Italy #

Powered by Twitter Tools

Send article as PDF to

I typically come across a few excellent quotes that really resonate with what I am presently thinking about whenever I go on a paper reading binge.  Here are some interesting ones that I found recently:

Every year (or, perhaps, every day), some new industry or institution discovers that it, too, has a risk problem.  It can, if it wishes, repeat the learning process that its predecessors have undergone.  Or, it can attempt to short-circuit that process, and start with its product, namely the best available approaches to risk communication. – Baruch Fischhoff (1995)

Contemporary approaches to disaster reduction need to become more concerned with human-to-human relations, such as conflict resolution and consensus building among people, rather than human-to-nature relations. – Katsuya Yamori (2008)

References

Fischhoff, G. (1995). “Risk Perception and Communication Unplugged: Twenty Years of Process.” Risk Analysis, Vol. 15, No. 2, pp. 137-145 (doi link).

Yamori, K. (2008). “Narrative Mode of Thought in Disaster Reduction: A Crossroad for Narrative and Gaming Approaches.” in Sugiman, T., Gergen, K. J., Wagner, W. and Yamada, Y. eds. Meaning in Action: Constructions, Narratives and Representations.  Springer, pp. 241-252 (doi link).

Send article as PDF to

(This is the first post containing a Nasrudin tale related to risk…)

Nasrudin was throwing handfulls of crumbs around his house.

‘What are you doing?’ someone asked him.

‘Keeping the tigers away.’

‘But there are no tigers in these parts.’

‘That’s right.  Effective, isn’t it?’ (Shah 4)

From a risk management point of view, Nasrudin asserts that because of his actions (i.e., throwing handfulls of crumbs around his house), all risks associated with the presence of tigers has been mitigated.  That is, Nasrudin believes that his actions reduced the probability of tiger presence to zero, thus bringing risk to zero.  And because no tigers have appeared, Nasrudin suggests that his strategy is “effective.”

Anyone have a good modern analogy to this sillyness?

References

Shah, I. (1983). The Exploits of the Incomparable Mulla Nasrudin.

Send article as PDF to