Running

A Risk
A process for seeing decisions’
potential risks and adverse
effects
by James J. Rooney

In 50 Words
Or Less
• The risk-based decision-
making (RBDM) process
can arm an organiza-
tion’s employees with a
more effective approach
for identifying, weigh-
ing and mitigating the
potential risks of their
decisions.
• For any decision, RBDM
allows decision makers
to better understand
what could go wrong,
its likelihood of occur-
rence and the severity
of its effects.
 RISK MANAGEMENT

IT’S DIFFICULT FOR organizations to transcend

the desire to “just do it the way we’ve always done it.” Many
organizations still rely on informal and unstructured meth-
ods. Also, there are wide variations in approaches to deci-
sion-making management, systems and tools.
Today, achieving mission success has become more com-
plex for organizations and agencies in nearly every industry
and sector. Managers face challenges such as meeting their
goals on time and on budget, distributing funding efficiently
and equitably, and developing programs or projects in ways
that protect physical and social environments.

May 2016 • QP 27
 Mission success is achieved by making good de-
cisions based on a foundation of sound policies and
procedures that address a project’s management and
execution. Key drivers in achieving this are identifying
priorities, obtaining resources, delivering the program
and managing finances.
For a more structured approach to decision making,
organizations should look to the risk-based decision-
making (RBDM) process. It allows organizations to
optimize their programs, project prioritization and re-
source allocation practices (see Figure 1).
Defining risk
Risk is the combination of frequency (f) and conse-
quence (c), which are often expressed as a product
(f x c). A risk’s frequency is often expressed as events
per year. But there are other bases used to express an
event’s frequency, such as events per mile traveled,
events per transit, events per ton of material moved or
defects per item produced.
If many events have occurred, frequency can be de-
termined from past data. But organizations usually fo-
cus on unwanted outcomes with severe consequences,
and they typically don’t have much data recorded on
such results. For these events, frequency can be cal-
culated by using risk-assessment models, such as fault
trees or event trees.
Consequence is measured by the magnitude of its
effects. Consequence can be expressed as the num-
ber of people injured or killed, area affected, dura-
tion of an outage, delay in a mission, money lost,
programmatic impacts or mission impacts. If many
events have occurred, consequences can be estimat-
ed using historical data from similar events. For rare
events, detailed modeling of an event’s effects, such
as the results of fires, explosions, toxic gas releases
Risk-based decision-making
process / FIGURE 1
Decision Risk Risk Impact
structure assessment management assessment
Risk communication
28 QP • www.qualityprogress.com
or dam failures, can be used.
Using f x c to calculate the risk of an unwanted
outcome allows you to compare different operations’
risks and potentials for unwanted outcomes. This
comparison also allows you to give a risk a higher pri-
ority if it leads to high-consequence events.
For example, unwanted outcome A has a frequency
of one occurrence in 100 years and a financial con-
sequence of $10,000. Unwanted outcome B has a fre-
quency of one occurrence in 10,000 years and a con-
sequence of $1 million. The risk of either unwanted
outcome is $100 per year, but you might be more con-
cerned about unwanted outcome B based on the sever-
ity of its consequence.
Any operation has risk. After these risks are known,
you can take steps to reduce or eliminate them. Some
risks, however, are simply accepted as a cost of do-
ing business. Remaining risks, known as residual
risks, should be compared to an organization’s risk-
acceptance criteria.
Loss-prevention iceberg
Before you can perform a risk assessment, you must
understand how unwanted outcomes occur and how
they can be prevented. An unwanted outcome is one
that leads to adverse effects on workers, citizens,
property, commerce or the environment. An effective
model for understanding unwanted outcomes is a loss-
prevention iceberg, which is illustrated in Figure 2.
The iceberg consists of people’s various perspec-
tives on adverse events:
• The top of the iceberg is a small but critical area
representing major losses. Major unwanted events
are usually caused by problems similar to those that
cause less severe but more frequent day-to-day prob-
lems. For example, leaking equipment in an oil re-
finery is a source of small and large fires.
• The iceberg’s visible portion that re-
mains above the waterline repre-
sents day-to-day unwanted events
that produce losses in areas such as
safety, the environment or finances.
• The shallow, submerged area represents
abnormal events that nearly result in
unwanted events. Generally, these
near misses outnumber actual day-to-
day unwanted events and can be con-
sidered precursors to actual losses.

• The deeply submerged area represents the many hu-
man errors, equipment failures and external events
that cause unwanted events and near misses.
• The bottom of the iceberg represents underly-
ing management system weaknesses—the root
causes—that create error-prone situations for peo-
ple, conditions that lead to equipment failures and
situations that have inadequate protections against
external events.
Executives, government agencies, industry interest
groups and citizens typically focus on the top of the
iceberg. They want to avoid major unwanted events
or a large number of less severe, unwanted events
that threaten organizations or lead to significant nega-
tive publicity. They leave less severe events and loss-
prevention management to others.
Those who focus on the visible remainder of the ice-
berg are usually employees and local authorities. They
want to reduce routine events that affect productivity
and cause management headaches. They pay attention
to near misses, but they usually have trouble seeing
these events. They also have difficulty finding the time
and resources to investigate and prevent the underly-
ing problems.
You cannot eliminate the entire iceberg or achieve
zero risk. Even if problems are not visible, danger ex-
ists below the water. Major events can break off from
the iceberg without warning. But your attention must
focus on identifying and correcting the underlying
root causes of your loss exposures, which is shown
as the portion of the iceberg under the waterline in
Figure 2.
The RBDM process
You obviously cannot wait until an unwanted event
becomes visible and take actions to prevent it from
recurring afterward. This is why you must understand
and use RBDM.
It’s a process: RBDM involves a series of basic
steps. The process can add value to many situations,
especially those that present possibilities for serious
or catastrophic outcomes. Depending on the situa-
tions, its steps can be used at different levels of detail
and with varying degrees of formality.
It’s critical that you complete each step in the sim-
plest way to provide the information a decision maker
needs. For extremely complicated situations, detailed
risk assessments are needed, but most can be ad-
RISK MANAGEMENT
The loss-prevention
iceberg / FIGURE 2
National and
international
Major loss
authorities,
interest groups
•  Minor oil spills and the public
• Small property losses
Industry, workers,
local authorities A
and individuals major
• Brief interruptions in commerce
loss?
• Occupational injuries and illnesses
• Near misses
• Isolated human errors
• Management system weaknesses
• Isolated equipment failures
• Random external event
dressed with simple risk assessments.
It organizes information about the possibility
of unwanted outcomes: What separates RBDM from
traditional decision-making approaches is its ability to
consider possible losses for any set of stakeholders.
These considerations could include occurrences such
as property loss or harmful effects on safety, public
health or the environment.
For an engineered system or activity, risks are de-
termined by the types of possible losses, the frequency
at which they are expected to occur and the effects
they might have. They’re not certain, but these poten-
tial losses present risks that must be considered in
most decisions.
RBDM organizes information into a broad, or-
derly structure: Most decisions require information
about risk and other factors that could include cost or
schedule requirements, or understanding the public’s
perception of a decision.
Every identifiable factor that can affect a decision
must be considered in RBDM, and each factor may
have a different level of importance in the final deci-
sion. This is why it’s necessary to use an orderly deci-
sion-analysis structure that considers more than just
risk. It gives decision makers the information needed
to make smart choices.
Organized information helps decision makers:
The purpose of RBDM is to provide enough informa-
tion to help someone make a more informed decision.
The process focuses on organizing information so it
can be logically understood. It does not replace the
decision maker, and it shouldn’t force him or her into
May 2016 • QP 29
 burdensome risk assessments that gather information
that’s not relevant to the decision or that’s too late to
affect it.
It helps organizations make more informed
management choices: The goal of RBDM is to help
people make better and more logical choices without
complicating their work or taking away their authority.
A good decision that’s made quickly is better than a
perfect decision made too late. A good decision also
does not always result in a good outcome.
The best you can hope for is to equip intelligent de-
cision makers with accurate information that’s based
on several decision factors and stakeholders’ interests.
Eventually, good decisions made through this process
should provide the best outcomes and will provide
logical explanations for decisions if outcomes are not
favorable.
Define and understand decisions
It’s critical to understand and define decisions that
must be made. To do this, follow these five steps:
1. Define the decisions: Describe the decisions that
must be made. Major categories include accepting
or rejecting a proposed facility or operation, deter-
mining who and what to inspect, and determining
how to best improve a facility or operation.
2. Determine who must be involved in decisions:
Identify and solicit involvement from key stakehold-
ers who should be involved in making a decision or
will be affected by actions resulting from the deci-
sion-making process.
3. Identify options that are available to decision
makers: This will help focus efforts on issues that
are likely to influence the choice among credible al-
ternatives.
4. Identify the factors that will influence deci-
sions and risk factors: Few decisions are based on
just one factor. Most will require the consideration
of many factors such as costs, schedules or risks.
Characterizing risk / FIGURE 3
Risk understanding
What can How likely What are
go wrong? is it? the effects?
30 QP • www.qualityprogress.com
Stakeholders must identify these relevant decision
factors.
5. Gather information about the factors that in-
fluence stakeholders: Perform specific analyses,
such as risk assessments or cost studies, to measure
against the decision factors. Different types of risks
are important factors in many types of decisions.
Simply stated, a risk assessment is the process of
understanding what bad things can happen, how likely
they are to happen and how severe their effects may
be. These bad things could be safety and health losses,
property losses, environmental losses, effects on your
schedule or political issues.
A risk assessment could be based on an individual’s
personal judgment, or it can be a complex assessment
conducted by an expert team using a broad set of tools
and information. The key to risk assessment is choos-
ing the right approach to provide the necessary infor-
mation without overworking the problem.
Understanding risk
To understand risk (Figure 3), you must answer these
questions:
What can go wrong? Risk assessment methods are
used to identify combinations of events that can create
unwanted outcomes, such as equipment failures, hu-
man errors or negative external events. The quantity
and type of event that may occur can give an analyst a
solid understanding of risks that are associated with a
particular issue.
How likely is it? The likelihood of an unwanted
outcome occurring is usually expressed as a probabil-
ity or frequency. If the likelihood is low enough, an ana-
lyst might conclude a possible accident scenario is not
credible or of concern, or is an extremely low risk. But
the criteria for making these judgments vary, depend-
ing on the type and severity of consequence related to
a possible unwanted outcome.
What are the effects? An unwanted outcome can
affect several areas with different degrees of negative
results. This unwanted outcome, however, may not
cause environmental damage or public injury. The type
and severity of consequences that are related to an un-
wanted outcome help analysts understand and judge
risk by following these steps:
• Establish risk-related questions to answer, and iden-
tify those that would provide risk insights a decision
maker requires.

• Determine and describe the risk-re-
lated information needed to answer
Determining the level of risk
the questions. For each piece of in-
assessment / FIGURE 4
formation, specify the precision and Less
certainty it requires, and the analysis detailed certain
resources—such as staff hours or
costs—that are available.
• Select risk-analysis tools that will
efficiently develop the required risk-
related information.
• Establish the scope for analysis
tools, and set any appropriate physi-
cal or analytical boundaries for the
analysis.
• Generate risk-based information
using the analysis tools. This may involve some it-
erative analysis—starting with a general, low-detail
analysis that progresses toward a more specific,
highly detailed one.
Risk management
A goal in most decision-making processes is to lower
or eliminate as much risk as possible. Some risks will
be acceptable, and others must be addressed. To re-
duce risk, action must be taken to manage it, but these
actions’ benefits must outweigh their costs. They also
must be acceptable to stakeholders and not cause oth-
er significant risks.
Start by assessing your risk management options
and determining how risks can be effectively managed.
This process can include accepting or rejecting a risk,
or finding specific ways to reduce its effect. You also
must use risk-based information in decision making.
Risk-related information is used in the overall de-
cision-making framework to make a rational decision.
This final decision-making step often involves signifi-
cant communication with a broad set of stakeholders.
Another risk-management strategy is called spread
out, transfer, avoid, accept and reduce (STAAR):
• Spread out—Risk is commonly dispersed by in-
creasing either its exposure distance (distance from
a hazard) or the time between exposures.
• Transfer—Transferring a risk does not change its
probability or severity. It merely shifts any possible
losses or costs to a different entity.
• Avoid—Avoiding risk altogether requires cancel-
ing or delaying a job, mission or operation. Because
these can be vital to organizations, this option is
RISK MANAGEMENT
Less Less
Hazard
cost
identification
Risk screening
analysis
Information
Broadly focused for
detailed analysis risk-based
decisions
Narrowly focused
detailed analysis
rarely exercised. It may be possible, however, to
avoid specific risks, such as one associated with a
night operation. You could avoid the risk by having
the operation take place during daytime hours.
• Accept—A risk can be accepted if the benefits of
not addressing it clearly outweigh any costs that
would be incurred, but you can accept only as much
risk as is necessary to accomplish a mission or task.
• Reduce—The overall goal of risk management
is to plan missions or design systems that do not
contain hazards. But the nature of many com-
plex operations and systems make them impos-
sible or impractical to be designed completely
hazard-free. As you analyze hazards, you will iden-
tify those that require resolutions. To be effective,
risk management strategies must address a risk’s
components: severity, probability and exposure.
To help control a risk’s severity, many organiza-
tions use tools such as protective devices, engineer-
ing controls or personal protective equipment. In
controlling probability, for example, you can use
training, situational-awareness exercises, rest peri-
ods and stress reduction techniques. An example of
a method that helps lower a risk’s exposure is re-
ducing the number of people or events involved in
a process.
Tracking effectiveness
An impact assessment is a process for tracking the ef-
fectiveness of actions taken to manage risk. The goal
is to verify that the organization is getting the expected
results from its risk management decisions. If it’s not, a
new decision-making process must be considered.
May 2016 • QP 31
 RISK MANAGEMENT
Risk communication is a two-way process that must
take place during the RBDM process. During each step
of the process, you must communicate with stakehold-
ers and provide:
• Guidance on key issues to consider—Stakehold-
ers must identify what issues are important to them.
They should present their views on how to perform
each step of the process or at least comment on
plans that are suggested by others.
• Relevant information needed for assess-
ments—Some or all of the stakeholders may have
key information that’s needed in the decision-mak-
ing process.
• Buy-in for final decisions—Stakeholders should
agree on the work to be done in each phase of the
RBDM process. They can then support the ultimate
decisions.
Because a risk assessment’s goal is to provide in-
formation that helps stakeholders make better deci-
sions, it should focus on providing only risk informa-
tion that decision makers will need. The required types
of information can vary based on the types of issues
being studied, the stakeholders who are involved, the
significance of the risks, the costs required to control
the risks, and the availability of information and data
related to the issue being assessed.
Your goal should be to perform the least amount of
risk assessment necessary to provide information that
just meets a threshold of being adequate for decision
making. In other words, do as little as possible to pro-
vide information decision makers need.
Decision makers usually can make decisions us-
ing information that has little detail or might even be
uncertain. In some cases, however, more complicated
risk-assessment information is necessary. Figure 4
(p. 31) illustrates why it’s important to begin risk as-
sessments at the most general level. More detailed
studies should be done only in areas where additional
risk assessments can help the decision maker.
Unnecessary assessments don’t benefit the decision
maker, and they waste resources that are better spent
on solving the problem or investigating other issues.
Policing RBDM
There’s a helpful analogy I use to explain the RBDM
process: When police officers stop vehicles, they are
conducting a safety activity that’s designed to prevent
accidents. That’s their goal.
32 QP • www.qualityprogress.com
For safety reasons, police officers go through a
standard set of procedures to ensure vehicles do not
have serious deficiencies or dangerous drivers. They
are performing an activity, and they don’t conduct a
complete safety inspection, vehicle search, or sobriety
or emission test on every vehicle.
This is because they don’t have the resources to
spend four hours on every vehicle stop, especially if
the vehicle appears to be in good shape. Instead, police
officers concentrate their efforts on the drivers and vi-
olations they may have committed—because poor or
impaired driving is generally thought to be a common
cause of accidents.
Challenging norms
Sometimes, it’s possible to change the prescriptive re-
quirements that appear to be inflexible. Use the RBDM
process to change those prescriptive requirements that
do not effectively manage important risks.
This process is for everyone. Even an inexperienced
person who receives basic training in using a well-
developed, risk-based checklist will make good risk-
based decisions. An organization’s more-experienced
personnel can help develop information for complex
decisions and create new RBDM tools.
RBDM challenges cultures that always fall back on
saying, “It’s always been done this way.” The process
forces those organizations to ask, “Why has it always
been done this way? Do regulations require this deci-
sion to be made this way, or is it simply a convenient
interpretation of a flexible rule?”
RBDM can assist decision makers in any industry
or sector, help manage risk, optimize integrity and
achieve success. QP
REFERENCE
1. Stanley Kaplan and John Garrick, “On the Quantitative Definition of Risk,”
Risk Analysis, Vol. 1, No. 1, 1981, pp. 11–27.
JAMES J. ROONEY is director of training services with
ABS Group’s Safety, Risk and Compliance Division in
Knoxville, TN. He earned a master’s degree in nuclear
engineering from the University of Tennessee in
Knoxville. Rooney is a former chair of ASQ’s board
of directors, a fellow of ASQ and holds the following
ASQ certifications: biomedical auditor, hazard analysis
and critical control point auditor, manager of quality/
organizational excellence, auditor, engineer, improvement associate, process
analyst, technician, reliability engineer and Six Sigma Green Belt.