Share on Facebook Share on Twitter Email
Answers.com

Risk assessment

 
TechEncyclopedia:

risk assessment

Home > Library > Technology > Computer Encyclopedia

A report that shows an organization's vulnerabilities and the estimated cost of recovery in the event of damage. It also summarizes defensive measures and associated costs based on the amount of risk the organization is willing to accept (the risk tolerance).

A "risk analysis" is the process of arriving at a risk assessment, also called a "threat and risk assessment." A "threat" is a harmful act such as the deployment of a virus or illegal network penetration. A "risk" is the expectation that a threat may succeed and the potential damage that can occur. See risk management and risk mitigation.

Download Computer Desktop Encyclopedia to your PC, iPhone or Android.

Search unanswered questions...

Enter a question here...
Search: All sources Community Q&A Reference topics

Gale Encyclopedia of Public Health:

Risk Assessment, Risk Management

Top
Home > Library > Health > Public Health Encyclopedia

During the last two decades of the twentieth century, risk science evolved into an important academic and applied discipline. The U.S. National Research Council issued a pioneering report in 1983, titled Risk Assessment in the Federal Government: Managing the Process. This report represented the first formalized effort to describe the health-risk assessment and management process in a structured way. It consolidated earlier efforts at developing a comprehensive framework, and it has been widely endorsed throughout the world.

The framework consists of three components: research, risk assessment, and risk management. Research refers to the collection, analysis, and interpretation of biological, chemical, and physical data from laboratory and other scientific studies, including studies on human populations, where possible. Risk assessment is defined as the characterization of the potential adverse health effects of human exposures to environmental hazards. Risk assessment consists of four steps: hazard identification (the process of determining whether exposure to an agent can lead to adverse health outcomes), dose-response assessment (characterizing the relation between the dose of an agent administered or received and the occurrence of adverse health effects in exposed populations), exposure assessment (measuring or estimating the intensity, frequency, and duration of human exposures to an agent currently present in the environment), and risk characterization (estimating the risk of adverse health effects under specific conditions of human exposure).

At the risk-management stage, alternative regulatory options are developed and evaluated. Selection of a particular regulatory option involves consideration of the public health, economic, social, and political consequences of implementation. Other factors of significance include the technical feasibility of the proposed solution, the desired level of control, the ability to enforce regulations, uncertainty in scientific data and the corresponding inferential bridges used to fill gaps in knowledge, and the public perception and level of information. The implementation of a specific course of action should be accompanied by the communication of information concerning the basis of the decision to affected parties.

Catalyzed in part by the guidance provided by the U.S. National Research Council, risk science evolved rapidly. In Canada, Health Canada developed a comprehensive framework for the assessment and management of population health risks, which served to identify the critical steps involved in health-risk assessment and management in further detail. The Canadian Standards Association also issued a national standard for risk assessment. An important feature of this standard was its broad applicability, providing general risk-assessment guidelines for health, environmental, and engineering applications. This was followed by a similar standard focusing on principles for risk-management decision making. The Canadian Public Health Association used the Health Canada risk-determination framework to establish a benefit/risk/cost determination framework to describe and evaluate risk/benefit methodology as it is applicable to the field of prescription drug use, including the use of quality adjusted life years (QUALYs) to measure risks and benefits.

The most recent contribution to the field of health-risk assessment is the 1997 report of the U.S. Presidential/Congressional Commission on Risk Assessment and Risk Management, based on a dynamic process involving the ongoing engagement of stakeholders. The Commission's Framework for Environmental Health Risk Management is designed to help all types of risk managers—including government officials, private-sector businesses, and individual members of the public— make good risk-management decisions when dealing with any type of environmental health risk. The framework is general enough to work in a wide variety of situations, with the level and effort invested being scaled to the importance of the problem, the potential severity and economic impact of the risk, the level of controversy surrounding the risk, and resource constraints. The framework is intended primarily for risk decisions related to setting standards, controlling pollution, protecting health, and cleaning up the environment. The framework consists of six steps: (1) define the problem and put it into context, (2) analyze the risks associated with the problem in context, (3) examine options for addressing the risks, (4) make decisions about which options to implement, (5) take actions to implement the decisions, and (6) conduct an evaluation of the results of the action. All stages of the process are implemented with the involvement of interested and affected parties.

The three key principles underpinning this framework include adopting a broad context for risk assessment (instead of evaluating single risks associated with single agents in single environmental mediums, the framework puts health and environmental problems in their larger real-world contexts); involvement of stakeholders at all phases of the process; and adopting an iterative approach, so that any new information or perspectives that may emerge may be taken into account by revisiting early stages of the process.

In addition to the overall frameworks for risk assessment and risk management described here, progress has also been made in many areas, including the use of scientific data to characterize health risks; the principles underlying risk-management decision making; understanding public perception of risk (and differences between public and expert opinion); and the communication of information on risk, and its potential influence on perceived risk.

The development of these frameworks and associated principles and guidelines have brought an element of clarity to the field of risk assessment and risk management. Principles such as fairness, equity, utility, honesty, and autonomy encourage consistency, transparency, and completeness in decision making. Risk-management principles can be of value in assigning priorities to important risk issues competing for attention and resources, in reaching decisions in the face of scientific uncertainty about the level of risk associated with health hazards, in balancing benefits and risks, and in acknowledging social and cultural considerations in risk management. Without such guidance, risk-management decision making can be highly complex, raising difficult questions to which there are often no easy answers.

(SEE ALSO: Benefits, Ethics, and Risks; Environmental Determinants of Health; Exposure Assessment; Risk Communication; Toxicology)

Bibliography

Benett, P., and Calman, C., eds. (1999). Risk Communication and Public Health. Oxford, UK: Oxford Medical Publications.

Canadian Standards Association (1997). Risk Management: Guideline for Decision-Makers. Toronto: Author.

Hattis, D. (1996). "Drawing the Line: Quantitative Criteria for Risk Management." Environment 38:11–15, 35–39.

Health Canada (1990, revised 1993). Health Risk Determination: The Challenge of Health Protection. Ottawa: Author.

Krewski, D.; Slovic, P.; Bartlett, S.; Flynn, J.; and Mertz, C. K. (1995). "Health Risk Perception in Canada II: Worldviews, Attitudes, and Opinions." Human and Ecological Risk Assessment 1:53–70.

Presidential/Congressional Commission on Risk Assessment and Risk Management (1997). Framework for Environmental Health Risk Management. Final Report, Vol. 1. Washington, DC: U.S. Government Printing Office.

U.S. National Research Council (1983). Risk Assessment in the Federal Government: Managing the Process. Washington, DC: National Academy Press.

—— (1994). Science and Judgement in Risk Assessment. Washington, DC: National Academy Press.

—— (2000). Scientific Issues in Developmental Toxicity Risk Assessment. Washington, DC: National Academy Press.

— DANIEL KREWSKI


Investopedia Financial Dictionary:

Risk Assessment

Top
Home > Library > Business & Finance > Investment Dictionary

The process of determining the likelihood that a specified negative event will occur. Investors and business managers use risk assessments to determine things like whether to undertake a particular venture, what rate of return they require to make a particular investment and how to mitigate an activity’s potential losses.

Investopedia Says:

Examples of formal risk assessment techniques and measurements include conditional value at risk-cVaR (used by portfolio managers to reduce the likelihood of incurring large losses); loan-to-value ratios (used by mortgage lenders to evaluate the risk of lending funds to purchase a particular property); and credit analysis (used by lenders to analyze a potential client’s financial data to determine whether to lend money and if so, how much and at what interest rate).

Related Links:
These statistical measurements highlight how to mitigate risk and increase rewards. 5 Ways To Measure Mutual Fund Risk
Many investors do not understand how to determine the level of risk their individual portfolios should bear. Determining Risk And The Risk Pyramid
Learn how the expected extra return on stocks is measured and why academic studies usually estimate a low premium. The Equity-Risk Premium: More Risk For Higher Returns
See the model in action with real data and evaluate whether its assumptions are valid. Calculating The Equity Risk Premium
Volatility is not the only way to measure risk. Learn about the "new science of risk management". An Introduction To Value at Risk (VAR)
Beta says something about price risk, but how much does it say about fundamental risk factors? Beta: Know The Risk
Derivatives can reduce the risks associated with changes in foreign exchange rates, interest rates and commodity prices. How Companies Use Derivatives To Hedge Risk


US Defense Department Military Dictionary:

risk assessment

Top
Home > Library > History, Politics & Society > Military Dictionary

(DOD) The identification and assessment of hazards (first two steps of risk management process).

Mosby's Dental Dictionary:

risk assessment

Top
Home > Library > Health > Dental Dictionary

n

Process of evaluating a potential hazard, likelihood of suffering, or any adverse effects.

Wikipedia on Answers.com:

Risk assessment

Top
Home > Library > Miscellaneous > Wikipedia
 This article includes a list of references, but its sources remain unclear because it has insufficient inline citations. Please help to improve this article by introducing more precise citations. (August 2010)

Risk assessment is a step in a risk management procedure. Risk assessment is the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat (also called hazard). Quantitative risk assessment requires calculations of two components of risk (R):, the magnitude of the potential loss (L), and the probability (p) that the loss will occur. In all types of engineering of complex systems sophisticated risk assessments are often made within Safety engineering and Reliability engineering when it concerns threats to life, environment or machine functioning. The nuclear, aerospace, oil, rail and military industries have a long history of dealing with risk assessment. Also, medical, hospital, and food industries control risks and perform risk assessments on a continual basis. Methods for assessment of risk may differ between industries and whether it pertains to general financial decisions or environmental, ecological, or public health risk assessment.

Contents

Explanation

Risk assessment consists of an objective evaluation of risk in which assumptions and uncertainties are clearly considered and presented. Part of the difficulty in risk management is that measurement of both of the quantities in which risk assessment is concerned - potential loss and probability of occurrence - can be very difficult to measure. The chance of error in measuring these two concepts is large. Risk with a large potential loss and a low probability of occurring is often treated differently from one with a low potential loss and a high likelihood of occurring. In theory, both are of nearly equal priority, but in practice it can be very difficult to manage when faced with the scarcity of resources, especially time, in which to conduct the risk management process. Expressed mathematically,

R_i=L_i p(L_i)\,\!
R_{total}=\sum_i L_i p(L_i)\,\!
Risk assessment from a financial point of view.

Financial decisions, such as insurance, express loss in terms of dollar amounts. When risk assessment is used for public health or environmental decisions, loss can be quantified in a common metric such as a country's currency or some numerical measure of a location's quality of life. For public health and environmental decisions, loss is simply a verbal description of the outcome, such as increased cancer incidence or incidence of birth defects. In that case, the "risk" is expressed as

R_i= p(L_i)\,\!

If the risk estimate takes into account information on the number of individuals exposed, it is termed a "population risk" and is in units of expected increased cases per a time period. If the risk estimate does not take into account the number of individuals exposed, it is termed an "individual risk" and is in units of incidence rate per a time period. Population risks are of more use for cost/benefit analysis; individual risks are of more use for evaluating whether risks to individuals are "acceptable"....

Risk assessment in public health

In the context of public health, risk assessment is the process of quantifying the probability of a harmful effect to individuals or populations from certain human activities. In most countries the use of specific chemicals or the operations of specific facilities (e.g. power plants, manufacturing plants) is not allowed unless it can be shown that they do not increase the risk of death or illness above a specific threshold. For example, the American Food and Drug Administration (FDA) regulates food safety through risk assessment.[1] The FDA required in 1973 that cancer-causing compounds must not be present in meat at concentrations that would cause a cancer risk greater than 1 in a million lifetimes. The US Environmental Protection Agency provides basic information about environmental risk assessments for the public via its risk assessment portal.[2]

How the risk is determined

In the estimation of risks, three or more steps are involved that require the inputs of different disciplines:

  1. Hazard Identification, aims to determine the qualitative nature of the potential adverse consequences of the contaminant (chemical, radiation, noise, etc.) and the strength of the evidence it can have that effect. This is done, for chemical hazards, by drawing from the results of the sciences of toxicology and epidemiology. For other kinds of hazard, engineering or other disciplines are involved.
  2. Dose-Response Analysis, is determining the relationship between dose and the probability or the incidence of effect (dose-response assessment). The complexity of this step in many contexts derives mainly from the need to extrapolate results from experimental animals (e.g. mouse, rat) to humans, and/or from high to lower doses. In addition, the differences between individuals due to genetics or other factors mean that the hazard may be higher for particular groups, called susceptible populations. An alternative to dose-response estimation is to determine an effect unlikely to yield observable effects, that is, a no effect concentration. In developing such a dose, to account for the largely unknown effects of animal to human extrapolations, increased variability in humans, or missing data, a prudent approach is often adopted by including safety factors in the estimate of the "safe" dose, typically a factor of 10 for each unknown step.
  3. Exposure Quantification, aims to determine the amount of a contaminant (dose) that individuals and populations will receive. This is done by examining the results of the discipline of exposure assessment. As different location, lifestyles and other factors likely influence the amount of contaminant that is received, a range or distribution of possible values is generated in this step. Particular care is taken to determine the exposure of the susceptible population(s).

Finally, the results of the three steps above are then combined to produce an estimate of risk. Because of the different susceptibilities and exposures, this risk will vary within a population.

Small subpopulations

When risks apply mainly to small subpopulations, there is uncertainty at which point intervention is necessary. What if a risk is very low for everyone but 0.1% of the population? A difference exists whether this 0.1% is represented by *all infants younger than X days or *recreational users of a particular product. If the risk is higher for a particular sub-population because of abnormal exposure rather than susceptibility, there is a potential to consider strategies to further reduce the exposure of that subgroup. If an identifiable sub-population is more susceptible due to inherent genetic or other factors, there is a policy choice whether to set policies for protecting the general population that are protective of such groups (as is currently done for children when data exists, or is done under the Clean Air Act for populations such as asthmatics) or whether if the group is too small, or the costs to high. Sometimes, a more specific calculation can be applied whether it is more important to analyze each method specifically the changes of the risk assessment method in containing all problems that each of us people could replace.

Acceptable risk increase

The idea of not increasing lifetime risk by more than one in a million has become common place in public health discourse and policy. How consensus settled on this particular figure is unclear. In some respects this figure has the characteristics of a mythical number. In another sense the figure provides a numerical basis for what to consider a negligible increase in risk. Some current environmental decision making allows some discretion to deem individual risks potentially "acceptable" if below one in ten thousand increased lifetime risk. Low risk criteria such as these provide some protection for a case where individuals may be exposed to multiple chemicals (whether pollutants or food additives, or other chemicals). However, both of these benchmarks are clearly small relative to the typical one in four lifetime risk of death by cancer (due to all causes combined) in developed countries. On the other hand, adoption of a zero-risk policy could be motivated by the fact that the 1 in a million policy still would cause the death of hundreds or thousands of people in a large enough population. In practice however, a true zero-risk is possible only with the suppression of the risk-causing activity.

More stringent requirements (even 1 in a million) may not be technologically feasible at a given time or may be prohibitively expensive as to render the risk-causing activity unsustainable, resulting in the optimal degree of intervention being a balance between risks vs. benefit. For example, it might well be that the emissions from hospital incinerators result in a certain number of deaths per year. However, this risk must be balanced against the available alternatives. In some unusual cases, there are significant public health risks, as well as economic costs, associated with all options. For example, there are risks associated with no incineration (with the potential risk for spread of infectious diseases) or even no hospitals. Further investigation often identifies more options such as separating noninfectious from infectious wastes, or air pollution controls on a medical incinerator that provide a broad range of options of acceptable risk - though with varying practical implications and varying economic costs. Intelligent thought about a reasonably full set of options is essential. Thus, it is not unusual for there to be an iterative process between analysis, consideration of options, and follow up analysis.

Risk assessment in auditing

For audits performed by an outside audit firm, risk assessment is a very crucial stage before accepting an audit engagement. According to ISA315 Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement, "the auditor should perform risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control."<evidence relating to the auditor’s risk assessment of a material misstatement in the client’s financial statements. Then, the auditor obtains initial evidence regarding the classes of transactions at the client and the operating effectiveness of the client’s internal controls.In auditing, audit risk includes inherent risk, control risk and detection risk.

Risk assessments performed by internal auditors are entirely different. They are usually designed to facilitate the annual audit plan. Using various elements, such as changes in volume of business, management, technology, and the economy, coupled with the knowledge and experience of management regarding the particular area, plus the previous rating of the area and the time since the last audit, the audit department determines which areas have more risk and should be a priority within the audit plan. These risk assessment are different than those prepared by the department. Those should be evaluated as part of the internal audit risk assessment process, but should not be the sole basis. Only internal audit department generated risk assessments should used for audit planning purposes. Likewise, internal audit should not be preparing risk assessments for the various departments. They should prepare their own. They are responsible for establishing policies and procedures designed to mitigate the risks identified by the risk assessment. It is internal audit's responsibility to evaluate the effectiveness of the departmentally prepared risk assessments and make recommendations for improvement.

Risk assessment and human health

There are many resources that provide health risk information. The National Library of Medicine provides risk assessment and regulation information tools for a varied audience.[3] These include TOXNET (databases on hazardous chemicals, environmental health, and toxic releases),[4] the Household Products Database (potential health effects of chemicals in over 10,000 common household products),[5] and TOXMAP (maps of US Environmental Agency Superfund and Toxics Release Inventory data). The United States Environmental Protection Agency provides basic information about environmental risk assessments for the public.[6]

Risk assessment in information security

Main article: IT risk management#Risk assessment

IT risk assessment can be performed by a qualitative or quantitative approach, following different methodologies.

Risk assessment in project management

In project management, risk assessment is an integral part of the risk management plan, studying the probability, the impact, and the effect of every known risk on the project, as well as the corrective action to take should that risk occur.[7]

Risk assessment for megaprojects

Megaprojects (sometimes also called "major programs") are extremely large-scale investment projects, typically costing more than US$1 billion per project. Megaprojects include bridges, tunnels, highways, railways, airports, seaports, power plants, dams, wastewater projects, coastal flood protection, oil and natural gas extraction projects, public buildings, information technology systems, aerospace projects, and defence systems. Megaprojects have been shown to be particularly risky in terms of finance, safety, and social and environmental impacts. Risk assessment is therefore particularly pertinent for megaprojects and special methods and special education have been developed for such risk assessment.[8][9]

Quantitative risk assessment

Further information: Quantitative Risk Assessment software

Quantitative risk assessments include a calculation of the single loss expectancy (SLE) of an asset. The single loss expectancy can be defined as the loss of value to asset based on a single security incident. The team then calculates the Annualized Rate of Occurrence (ARO) of the threat to the asset. The ARO is an estimate based on the data of how often a threat would be successful in exploiting a vulnerability. From this information, the Annualized Loss Expectancy (ALE) can be calculated. The annualized loss expectancy is a calculation of the single loss expectancy multiplied by the annual rate of occurrence, or how much an organization could estimate to lose from an asset based on the risks, threats, and vulnerabilities. It then becomes possible from a financial perspective to justify expenditures to implement countermeasures to protect the asset.

Risk assessment in software evolution

Further information: ACM A Formal Risk Assessment Model for Software Evolution

Studies have shown that early parts of the system development cycle such as requirements and design specifications are especially prone to error. This effect is particularly notorious in projects involving multiple stakeholders with different points of view. Evolutionary software processes offer an iterative approach to requirement engineering to alleviate the problems of uncertainty, ambiguity and inconsistency inherent in software developments.

Criticisms of quantitative risk assessment

Barry Commoner, Brian Wynne and other critics have expressed concerns that risk assessment tends to be overly quantitative and reductive. For example, they argue that risk assessments ignore qualitative differences among risks. Some charge that assessments may drop out important non-quantifiable or inaccessible information, such as variations among the classes of people exposed to hazards. Furthermore, Commoner and O'Brien claim that quantitative approaches divert attention from precautionary or preventative measures.[10] Others, like Nassim Nicholas Taleb consider risk managers little more than "blind users" of statistical tools and methods.[11]

Risk assessment in shipping industry

As from July 2010 shipping companies implemented risk assessment prosedures in order to asses the risk in key shipboard operations. These procedures were implemented as part of the amended ISM code[12]. The risk assessment should be performed before perfuming a key operation. If the risk is assessed to be high then additional measures must be implemented in order to reduce the risk. Shared knowledge from audits and some examples can be found in the following link.

See also

References

Footnotes

  1. ^ Merrill, Richard A. "Food Safety Regulation: Reforming the Delaney Clause" in Annual Review of Public Health, 1997, 18:313-40. This source includes a useful historical survey of prior food safety regulation.
  2. ^ EPA.gov
  3. ^ SIS.nlm.nih.gov
  4. ^ Toxnet.nlm.nih.gov
  5. ^ HPD.nlm.nih.gov
  6. ^ EPA.gov
  7. ^ Managing Project Risks - Retrieved May 20th, 2010
  8. ^ Bent Flyvbjerg, Nils Bruzelius, and Werner Rothengatter, 2003, Megaprojects and Risk: An Anatomy of Ambition (Cambridge University Press).
  9. ^ Oxford BT Centre for Major Programme Management
  10. ^ Commoner, Barry. O'Brien, Mary. Shrader-Frechette and Westra 1997.
  11. ^ The fourth quadrant: a map of the limits of statistics [9.15.08] Nassim Nicholas Taleb An Edge Original Essay
  12. ^ "ISM code Risk Assessment amendments". http://www.ancomaritime.com/files/f4141fdbbd0028bcdfb2376c152d4f99-13.html. 

General references

External links


This entry is from Wikipedia, the leading user-contributed encyclopedia. It may not have been reviewed by professional editors (see full disclaimer)

 
 
Related topics:
risk (technology)
Control Risk Assessment (in accounting)
fire testing

Related answers:
Can you have generic risk assessments? Read answer...
Who should carry out risk assessment? Read answer...
Why do you carry out risk assessment? Read answer...

Help us answer these:
Audit Risk Assessment?
Country risk assessment?
What is the legislation for risk assessment and management?

Post a question - any question - to the WikiAnswers community:

 

Copyrights:

TechEncyclopedia. THIS DEFINITION IS FOR PERSONAL USE ONLY.
All other reproduction is strictly prohibited without permission from the publisher.
© 1981-2012 The Computer Language Company Inc.  All rights reserved.  Read more
$copyright.smallImage.alttext Gale Encyclopedia of Public Health. Encyclopedia of Public Health. Copyright © 2002 by The Gale Group, Inc. All rights reserved.  Read more
Investopedia Financial Dictionary. Copyright ©2010, Investopedia.com - Owned and Operated by Investopedia US, A Division of ValueClick, Inc. All rights reserved.  Read more
US Defense Department Military Dictionary. US Department of Defense Dictionary of Military and Associated Words, 2003.  Read more
Mosby's Dental Dictionary. Mosby's Dental Dictionary. Copyright © 2004 by Elsevier, Inc. All rights reserved.  Read more
Wikipedia on Answers.com. This article is licensed under the Creative Commons Attribution/Share-Alike License. It uses material from the Wikipedia article Risk assessment Read more

Related answers
» More
Answer these
» More
Follow us
Facebook Twitter
YouTube

Mentioned in

» More» More