You are on page 1of 7


A Risk
A process for seeing decisions’
potential risks and adverse
by James J. Rooney

In 50 Words
Or Less
• The risk-based decision-
making (RBDM) process
can arm an organiza-
tion’s employees with a
more effective approach
for identifying, weigh-
ing and mitigating the
potential risks of their
• For any decision, RBDM
allows decision makers
to better understand
what could go wrong,
its likelihood of occur-
rence and the severity
of its effects.

IT’S DIFFICULT FOR organizations to transcend

the desire to “just do it the way we’ve always done it.” Many
organizations still rely on informal and unstructured meth-
ods. Also, there are wide variations in approaches to deci-
sion-making management, systems and tools.
Today, achieving mission success has become more com-
plex for organizations and agencies in nearly every industry
and sector. Managers face challenges such as meeting their
goals on time and on budget, distributing funding efficiently
and equitably, and developing programs or projects in ways
that protect physical and social environments.

May 2016 • QP 27
Mission success is achieved by making good de- or dam failures, can be used.
cisions based on a foundation of sound policies and Using f x c to calculate the risk of an unwanted
procedures that address a project’s management and outcome allows you to compare different operations’
execution. Key drivers in achieving this are identifying risks and potentials for unwanted outcomes. This
priorities, obtaining resources, delivering the program comparison also allows you to give a risk a higher pri-
and managing finances. ority if it leads to high-consequence events.
For a more structured approach to decision making, For example, unwanted outcome A has a frequency
organizations should look to the risk-based decision- of one occurrence in 100 years and a financial con-
making (RBDM) process. It allows organizations to sequence of $10,000. Unwanted outcome B has a fre-
optimize their programs, project prioritization and re- quency of one occurrence in 10,000 years and a con-
source allocation practices (see Figure 1). sequence of $1 million. The risk of either unwanted
outcome is $100 per year, but you might be more con-
Defining risk cerned about unwanted outcome B based on the sever-
Risk is the combination of frequency (f) and conse- ity of its consequence.
quence (c), which are often expressed as a product Any operation has risk. After these risks are known,
(f x c). A risk’s frequency is often expressed as events you can take steps to reduce or eliminate them. Some
per year. But there are other bases used to express an risks, however, are simply accepted as a cost of do-
event’s frequency, such as events per mile traveled, ing business. Remaining risks, known as residual
events per transit, events per ton of material moved or risks, should be compared to an organization’s risk-
defects per item produced. acceptance criteria.
If many events have occurred, frequency can be de-
termined from past data. But organizations usually fo- Loss-prevention iceberg
cus on unwanted outcomes with severe consequences, Before you can perform a risk assessment, you must
and they typically don’t have much data recorded on understand how unwanted outcomes occur and how
such results. For these events, frequency can be cal- they can be prevented. An unwanted outcome is one
culated by using risk-assessment models, such as fault that leads to adverse effects on workers, citizens,
trees or event trees. property, commerce or the environment. An effective
Consequence is measured by the magnitude of its model for understanding unwanted outcomes is a loss-
effects. Consequence can be expressed as the num- prevention iceberg, which is illustrated in Figure 2.
ber of people injured or killed, area affected, dura- The iceberg consists of people’s various perspec-
tion of an outage, delay in a mission, money lost, tives on adverse events:
programmatic impacts or mission impacts. If many • The top of the iceberg is a small but critical area
events have occurred, consequences can be estimat- representing major losses. Major unwanted events
ed using historical data from similar events. For rare are usually caused by problems similar to those that
events, detailed modeling of an event’s effects, such cause less severe but more frequent day-to-day prob-
as the results of fires, explosions, toxic gas releases lems. For example, leaking equipment in an oil re-
finery is a source of small and large fires.
• The iceberg’s visible portion that re-
Risk-based decision-making mains above the waterline repre-
process / FIGURE 1 sents day-to-day unwanted events
that produce losses in areas such as
safety, the environment or finances.
• The shallow, submerged area represents
Decision Risk Risk Impact
structure assessment management assessment abnormal events that nearly result in
unwanted events. Generally, these
near misses outnumber actual day-to-
day unwanted events and can be con-
Risk communication
sidered precursors to actual losses.

28 QP •

• The deeply submerged area represents the many hu-

man errors, equipment failures and external events
The loss-prevention
that cause unwanted events and near misses. iceberg / FIGURE 2
• The bottom of the iceberg represents underly- National and
ing management system weaknesses—the root Major loss
causes—that create error-prone situations for peo- interest groups
•  Minor oil spills and the public
ple, conditions that lead to equipment failures and • Small property losses
situations that have inadequate protections against Industry, workers,
external events. local authorities A
and individuals major
Executives, government agencies, industry interest • Brief interruptions in commerce

groups and citizens typically focus on the top of the • Occupational injuries and illnesses
• Near misses
iceberg. They want to avoid major unwanted events • Isolated human errors
or a large number of less severe, unwanted events • Management system weaknesses
• Isolated equipment failures
that threaten organizations or lead to significant nega- • Random external event
tive publicity. They leave less severe events and loss-
prevention management to others.
Those who focus on the visible remainder of the ice- dressed with simple risk assessments.
berg are usually employees and local authorities. They It organizes information about the possibility
want to reduce routine events that affect productivity of unwanted outcomes: What separates RBDM from
and cause management headaches. They pay attention traditional decision-making approaches is its ability to
to near misses, but they usually have trouble seeing consider possible losses for any set of stakeholders.
these events. They also have difficulty finding the time These considerations could include occurrences such
and resources to investigate and prevent the underly- as property loss or harmful effects on safety, public
ing problems. health or the environment.
You cannot eliminate the entire iceberg or achieve For an engineered system or activity, risks are de-
zero risk. Even if problems are not visible, danger ex- termined by the types of possible losses, the frequency
ists below the water. Major events can break off from at which they are expected to occur and the effects
the iceberg without warning. But your attention must they might have. They’re not certain, but these poten-
focus on identifying and correcting the underlying tial losses present risks that must be considered in
root causes of your loss exposures, which is shown most decisions.
as the portion of the iceberg under the waterline in RBDM organizes information into a broad, or-
Figure 2. derly structure: Most decisions require information
about risk and other factors that could include cost or
The RBDM process schedule requirements, or understanding the public’s
You obviously cannot wait until an unwanted event perception of a decision.
becomes visible and take actions to prevent it from Every identifiable factor that can affect a decision
recurring afterward. This is why you must understand must be considered in RBDM, and each factor may
and use RBDM. have a different level of importance in the final deci-
It’s a process: RBDM involves a series of basic sion. This is why it’s necessary to use an orderly deci-
steps. The process can add value to many situations, sion-analysis structure that considers more than just
especially those that present possibilities for serious risk. It gives decision makers the information needed
or catastrophic outcomes. Depending on the situa- to make smart choices.
tions, its steps can be used at different levels of detail Organized information helps decision makers:
and with varying degrees of formality. The purpose of RBDM is to provide enough informa-
It’s critical that you complete each step in the sim- tion to help someone make a more informed decision.
plest way to provide the information a decision maker The process focuses on organizing information so it
needs. For extremely complicated situations, detailed can be logically understood. It does not replace the
risk assessments are needed, but most can be ad- decision maker, and it shouldn’t force him or her into

May 2016 • QP 29
burdensome risk assessments that gather information Stakeholders must identify these relevant decision
that’s not relevant to the decision or that’s too late to factors.
affect it. 5. Gather information about the factors that in-
It helps organizations make more informed fluence stakeholders: Perform specific analyses,
management choices: The goal of RBDM is to help such as risk assessments or cost studies, to measure
people make better and more logical choices without against the decision factors. Different types of risks
complicating their work or taking away their authority. are important factors in many types of decisions.
A good decision that’s made quickly is better than a Simply stated, a risk assessment is the process of
perfect decision made too late. A good decision also understanding what bad things can happen, how likely
does not always result in a good outcome. they are to happen and how severe their effects may
The best you can hope for is to equip intelligent de- be. These bad things could be safety and health losses,
cision makers with accurate information that’s based property losses, environmental losses, effects on your
on several decision factors and stakeholders’ interests. schedule or political issues.
Eventually, good decisions made through this process A risk assessment could be based on an individual’s
should provide the best outcomes and will provide personal judgment, or it can be a complex assessment
logical explanations for decisions if outcomes are not conducted by an expert team using a broad set of tools
favorable. and information. The key to risk assessment is choos-
ing the right approach to provide the necessary infor-
Define and understand decisions mation without overworking the problem.
It’s critical to understand and define decisions that
must be made. To do this, follow these five steps: Understanding risk
1. Define the decisions: Describe the decisions that To understand risk (Figure 3), you must answer these
must be made. Major categories include accepting questions:
or rejecting a proposed facility or operation, deter- What can go wrong? Risk assessment methods are
mining who and what to inspect, and determining used to identify combinations of events that can create
how to best improve a facility or operation. unwanted outcomes, such as equipment failures, hu-
2. Determine who must be involved in decisions: man errors or negative external events. The quantity
Identify and solicit involvement from key stakehold- and type of event that may occur can give an analyst a
ers who should be involved in making a decision or solid understanding of risks that are associated with a
will be affected by actions resulting from the deci- particular issue.
sion-making process. How likely is it? The likelihood of an unwanted
3. Identify options that are available to decision outcome occurring is usually expressed as a probabil-
makers: This will help focus efforts on issues that ity or frequency. If the likelihood is low enough, an ana-
are likely to influence the choice among credible al- lyst might conclude a possible accident scenario is not
ternatives. credible or of concern, or is an extremely low risk. But
4. Identify the factors that will influence deci- the criteria for making these judgments vary, depend-
sions and risk factors: Few decisions are based on ing on the type and severity of consequence related to
just one factor. Most will require the consideration a possible unwanted outcome.
of many factors such as costs, schedules or risks. What are the effects? An unwanted outcome can
affect several areas with different degrees of negative
results. This unwanted outcome, however, may not
Characterizing risk / FIGURE 3 cause environmental damage or public injury. The type
and severity of consequences that are related to an un-
Risk understanding wanted outcome help analysts understand and judge
risk by following these steps:
• Establish risk-related questions to answer, and iden-
What can How likely What are tify those that would provide risk insights a decision
go wrong? is it? the effects?
maker requires.

30 QP •

• Determine and describe the risk-re-

lated information needed to answer
Determining the level of risk
the questions. For each piece of in-
assessment / FIGURE 4
formation, specify the precision and Less Less Less
certainty it requires, and the analysis detailed certain cost
resources—such as staff hours or
costs—that are available. Risk screening
• Select risk-analysis tools that will analysis
efficiently develop the required risk-
Broadly focused for
related information. detailed analysis risk-based
• Establish the scope for analysis decisions
tools, and set any appropriate physi- Narrowly focused
detailed analysis
cal or analytical boundaries for the
• Generate risk-based information
using the analysis tools. This may involve some it- rarely exercised. It may be possible, however, to
erative analysis—starting with a general, low-detail avoid specific risks, such as one associated with a
analysis that progresses toward a more specific, night operation. You could avoid the risk by having
highly detailed one. the operation take place during daytime hours.
• Accept—A risk can be accepted if the benefits of
Risk management not addressing it clearly outweigh any costs that
A goal in most decision-making processes is to lower would be incurred, but you can accept only as much
or eliminate as much risk as possible. Some risks will risk as is necessary to accomplish a mission or task.
be acceptable, and others must be addressed. To re- • Reduce—The overall goal of risk management
duce risk, action must be taken to manage it, but these is to plan missions or design systems that do not
actions’ benefits must outweigh their costs. They also contain hazards. But the nature of many com-
must be acceptable to stakeholders and not cause oth- plex operations and systems make them impos-
er significant risks. sible or impractical to be designed completely
Start by assessing your risk management options hazard-free. As you analyze hazards, you will iden-
and determining how risks can be effectively managed. tify those that require resolutions. To be effective,
This process can include accepting or rejecting a risk, risk management strategies must address a risk’s
or finding specific ways to reduce its effect. You also components: severity, probability and exposure.
must use risk-based information in decision making. To help control a risk’s severity, many organiza-
Risk-related information is used in the overall de- tions use tools such as protective devices, engineer-
cision-making framework to make a rational decision. ing controls or personal protective equipment. In
This final decision-making step often involves signifi- controlling probability, for example, you can use
cant communication with a broad set of stakeholders. training, situational-awareness exercises, rest peri-
Another risk-management strategy is called spread ods and stress reduction techniques. An example of
out, transfer, avoid, accept and reduce (STAAR): a method that helps lower a risk’s exposure is re-
• Spread out—Risk is commonly dispersed by in- ducing the number of people or events involved in
creasing either its exposure distance (distance from a process.
a hazard) or the time between exposures.
• Transfer—Transferring a risk does not change its Tracking effectiveness
probability or severity. It merely shifts any possible An impact assessment is a process for tracking the ef-
losses or costs to a different entity. fectiveness of actions taken to manage risk. The goal
• Avoid—Avoiding risk altogether requires cancel- is to verify that the organization is getting the expected
ing or delaying a job, mission or operation. Because results from its risk management decisions. If it’s not, a
these can be vital to organizations, this option is new decision-making process must be considered.

May 2016 • QP 31

Risk communication is a two-way process that must For safety reasons, police officers go through a
take place during the RBDM process. During each step standard set of procedures to ensure vehicles do not
of the process, you must communicate with stakehold- have serious deficiencies or dangerous drivers. They
ers and provide: are performing an activity, and they don’t conduct a
• Guidance on key issues to consider—Stakehold- complete safety inspection, vehicle search, or sobriety
ers must identify what issues are important to them. or emission test on every vehicle.
They should present their views on how to perform This is because they don’t have the resources to
each step of the process or at least comment on spend four hours on every vehicle stop, especially if
plans that are suggested by others. the vehicle appears to be in good shape. Instead, police
• Relevant information needed for assess- officers concentrate their efforts on the drivers and vi-
ments—Some or all of the stakeholders may have olations they may have committed—because poor or
key information that’s needed in the decision-mak- impaired driving is generally thought to be a common
ing process. cause of accidents.
• Buy-in for final decisions—Stakeholders should
agree on the work to be done in each phase of the Challenging norms
RBDM process. They can then support the ultimate Sometimes, it’s possible to change the prescriptive re-
decisions. quirements that appear to be inflexible. Use the RBDM
Because a risk assessment’s goal is to provide in- process to change those prescriptive requirements that
formation that helps stakeholders make better deci- do not effectively manage important risks.
sions, it should focus on providing only risk informa- This process is for everyone. Even an inexperienced
tion that decision makers will need. The required types person who receives basic training in using a well-
of information can vary based on the types of issues developed, risk-based checklist will make good risk-
being studied, the stakeholders who are involved, the based decisions. An organization’s more-experienced
significance of the risks, the costs required to control personnel can help develop information for complex
the risks, and the availability of information and data decisions and create new RBDM tools.
related to the issue being assessed. RBDM challenges cultures that always fall back on
Your goal should be to perform the least amount of saying, “It’s always been done this way.” The process
risk assessment necessary to provide information that forces those organizations to ask, “Why has it always
just meets a threshold of being adequate for decision been done this way? Do regulations require this deci-
making. In other words, do as little as possible to pro- sion to be made this way, or is it simply a convenient
vide information decision makers need. interpretation of a flexible rule?”
Decision makers usually can make decisions us- RBDM can assist decision makers in any industry
ing information that has little detail or might even be or sector, help manage risk, optimize integrity and
uncertain. In some cases, however, more complicated achieve success. QP
risk-assessment information is necessary. Figure 4
(p. 31) illustrates why it’s important to begin risk as- REFERENCE
1. Stanley Kaplan and John Garrick, “On the Quantitative Definition of Risk,”
sessments at the most general level. More detailed Risk Analysis, Vol. 1, No. 1, 1981, pp. 11–27.

studies should be done only in areas where additional

risk assessments can help the decision maker.
Unnecessary assessments don’t benefit the decision
maker, and they waste resources that are better spent
on solving the problem or investigating other issues.
JAMES J. ROONEY is director of training services with
ABS Group’s Safety, Risk and Compliance Division in
Policing RBDM Knoxville, TN. He earned a master’s degree in nuclear
engineering from the University of Tennessee in
There’s a helpful analogy I use to explain the RBDM Knoxville. Rooney is a former chair of ASQ’s board
of directors, a fellow of ASQ and holds the following
process: When police officers stop vehicles, they are ASQ certifications: biomedical auditor, hazard analysis
conducting a safety activity that’s designed to prevent and critical control point auditor, manager of quality/
organizational excellence, auditor, engineer, improvement associate, process
accidents. That’s their goal. analyst, technician, reliability engineer and Six Sigma Green Belt.

32 QP •