Society For Risk Analysis Annual Meeting 2013

Session Schedule & Abstracts

* Disclaimer: All presentations represent the views of the authors, and not the organizations that support their research. Please apply the standard disclaimer that any opinions, findings, and conclusions or recommendations in abstracts, posters, and presentations at the meeting are those of the authors and do not necessarily reflect the views of any other organization or agency. Meeting attendees and authors should be aware that this disclaimer is intended to apply to all abstracts contained in this document. Authors who wish to emphasize this disclaimer should do so in their presentation or poster. In an effort to make the abstracts as concise as possible and easy for meeting participants to read, the abstracts have been formatted such that they exclude references to papers, affiliations, and/or funding sources. Authors who wish to provide attendees with this information should do so in their presentation or poster.


Poster Platform: Applications in the Expanding Field of Risk Management

Room: Key Ballroom 1   1:30 PM - 3:00 PM

Chair(s): Steve Ackerlund

M3-A.1  Applying terrorism risk management concepts to enhance ISO 31000 risk management. Lathrop JF*; Innovative Decisions, Inc.

Abstract: We take big steps when we step from widely accepted risk management, such as specified in ISO 31000, to broader risk management concepts informed by other fields. This talk will briefly synthesize risk management concepts from terrorism risk management, and other new thinking, with the classic risk management concepts specified in ISO 31000. We have learned from our work in terrorism risk assessment/management that in many arenas we need to orient our thinking around managing risk that specifically addresses unanticipated scenarios. Risk management can be improved by taking advantage of three key concepts we’ve developed in our terrorism risk management work: robustness, resilience and quality of position. Then we examine new concepts provided to us from Nassim “Black Swan” Taleb in the latest book he has inflicted upon us, Antifragile, and develop concepts informed by combining his latest work with our terrorism work. This paper will combine concepts from both of those areas into recommendations for an additional set of principles of risk management, to be added to the considerable set of principles, already widely accepted, in ISO 31000.

M3-A.2  Cyber-security Risk Management. Panjwani S*; THANE Inc

Abstract: Current cyber-security risk management is driven by two complementary philosophies. The first strategy is called “penetrate-and-patch”, which focuses on identifying and patching vulnerabilities. Often a team of security experts is used to identify exploitable vulnerabilities. The second strategy is called “secure-design,” which suggests preventing vulnerabilities by designing more secure systems and developing more secure software. This approach identifies secure coding practices by studying known vulnerabilities. To support these risk management strategies, current risk assessment methods focus on identifying vulnerabilities. The challenge with current vulnerability-centric risk management strategies is that, in the last decade, the overall number of reported vulnerabilities has increased. More importantly, despite efforts to make software and cyber-infrastructure more secure, all types of vulnerabilities that existed at the beginning of the decade still existed at the end. Current risk management methods also assume that there are no unknowns in the cyber-security domain and all information is available a priori. This assumption produces counterintuitive results. Some experts have suggested replacing the risk-based approach with a due-diligence-based approach, citing inconsistencies and the inability of current expert-driven risk management methods to improve the state of security. Current cyber-security risk management and assessment methods need to be improved. However, the lack of an improved state of cyber-security is not only because of the limitations of current methods, but is caused by the failure to understand the unique characteristics of the cyber-security domain. The author developed a new risk assessment framework by capturing these unique requirements of the cyber-security domain. A new risk management philosophy is also developed that uses the attacker behavior to lead the attacker away from the target.

M3-A.3  An overview of applications of risk management principles in food safety and nutrition. Mojduszka EM*; USDA/OCE/ORACBA

Abstract: Effective and efficient food safety risk management is of great importance to the U.S. food industry, consumers, and the government. The Centers for Disease Control and Prevention (CDC) report that over 3000 people die each year in the U.S. from food borne illnesses and 128,000 are hospitalized. The cost to the U.S. economy (including productivity losses) from food borne illnesses is approximately $77 billion per year (CDC web-site). In addition, in the 1990s and 2000s, several indicators of the healthfulness of the American diet deteriorated, including an increase in the percentage of adults and children who are obese or overweight. The estimated cost of this epidemic to the U.S. economy by 2020 is expected to be in the hundreds of billions of dollars (CDC web-site). These estimates emphasize the significance of nutrition risks to the U.S. population as well as the importance of utilizing effective and efficient, private and public, nutrition risk management approaches. In this paper, I provide an overview of applications of risk management principles in food safety and nutrition. I compare and contrast the ISO 31000:2009 standard published in the general risk management area and standards published in specific food safety and nutrition risk management areas, including ISO 22000:2005 (Food Safety Management Systems), Codex Hazard Analysis, Hazard Critical Control Points (HACCP), and ISO 22002-1:2009 (Prerequisite Programs, PRPs, on Food Safety). I identify and evaluate advantages but also important shortcomings of the standards for food safety and nutrition risk management applications. My specific focus is on evaluating the interdependence of the standards as substitutes or complements. This information is necessary for improving the effectiveness and efficiency of the standards in practice. I finally propose how the applications of the standards could be further extended in private and public food safety and nutrition policy making.

M3-A.5  EPA Promotes Risk Based Asset Management as Deployed in Springfield Massachusetts. Schimmel JD, Lovely RK*; Springfield Water and Sewer, Kleinfelder

Abstract: The Springfield Water and Sewer Commission (SWSC) is responsible for managing the wastewater system in Springfield, MA. Of special concern are the wastewater interceptors that allow Combined Sewer Overflow (CSO) into the rivers around the City during wet weather events. After finding water quality issues, the EPA issued several Administrative Orders requiring the Commission to perform over $300M in CSO related work. Concurrently, the SWSC has seen an increase in failures, including pipe collapses within the wastewater collection system, that threaten the City’s environment and communities. The SWSC did not have the resources to simultaneously address the Administrative Orders and imminent collection system failures. EPA educators promote a Risk based Asset Management strategy originally developed in Australia and New Zealand. This approach involves stakeholder input to rank the consequences of failure against an established set of service levels that a wastewater utility is committed to provide. The method also requires failure mode assessments from which failure probabilities can be derived. With this information available, a utility can calculate risks from consequences of failure and failure probability. The risk values are used to prioritize where to direct organizational resources. The information can also be used as a basis for other cost saving tools including deterioration modeling, life cycle costing, and business case evaluation. Through a series of workshops, the SWSC - Kleinfelder team was able to demonstrate to the EPA how a Risk based Asset Management approach is the best method for the SWSC to meet all of its obligations. The presentation will walk the audience through the key elements of Risk based Asset Management and how it has been effectively deployed in Springfield to the benefit of all stakeholders including the EPA, City communities, and the Commissioners.

M3-A.7  Analyzing and managing risks in research labs: How it is done. Pluess DN*, Groso A, Meyer T; Swiss Federal Institute of Technology Lausanne

Abstract: Available risk analysis techniques are well adapted to industry since they were developed for its purposes. For the academic research environment, most of these techniques are of limited use because of several differences compared to the industrial environment. Due to the nature of scientific research, accurate statistical data for processes or equipment are hardly available. However, most of the existing techniques depend on these data, e.g. studies on reliability for risk quantification. Another difficulty is to take into account special conditions present in research laboratories when using available methodologies. A majority of these techniques are designed for analyzing clearly defined processes. In academic research settings, most of the process variables are not well defined or are continuously evolving. Additionally, different hazards present in the same laboratory may influence each other and can therefore be amplified. Different solutions for the challenge of adapting an existing method to research laboratories are available in the literature. However, most of the recommendations focus on a specific field of scientific research, such as chemistry. In order to tackle this problem, we developed a holistic risk analysis technique for the research and development environment. This newly developed method features an enhancement of the risk estimation (using probability, severity and detectability) with a new risk dimension, called worsening factors. Additionally, a semi-quantitative calculation method based on Bayesian networks is used to improve the risk estimation. This new risk analysis technique, specific for the research environment, is intuitive, easily performable by non-experts (web interface), less resource demanding than other techniques and more accurate. Linked with an adapted safety policy it becomes a comprehensive risk management tool. We will illustrate the application of this new method through several real research laboratories’ risk assessments.
