While avoiding the many nuances of ‘acceptable’ vs ‘tolerable’ risk and ‘How safe is safe enough?’ issues, let’s scratch the surface of setting, moving towards, or sustaining a target risk level.
We begin with a premise that risk reduction is sought for some asset or collection of assets. We explore the risk reduction opportunities with a view towards efficient use of resources. If the incremental risk reduction potentially achieved – let’s call it ‘loss avoidance’ – by some action is higher than its cost, then it makes sense to do it. The cost of the action is more than offset by the loss avoidance.
Even if an action’s cost is significantly higher than the resulting loss avoidance, it might still be the choice of decision-makers. This is consistent with the decades-old ‘As Low As Reasonably Practicable’ (ALARP) practice of risk management. ALARP dictates that actions are justifiable up to the point where their cost is ‘grossly disproportionate’ to their resulting loss avoidance.
So let’s identify the loss avoidance opportunities. In the common equation of risk, R = P x C, two possibilities to reduce risk are apparent. Of the two, there are usually many more opportunities on the probability side.
This makes sense. While some consequence-reduction measures are certainly available – emergency response, leak detection, etc. – it is always preferable to avoid the incident scenario altogether rather than attempt to control its unfolding.
With probability a function of exposure/mitigation/resistance¹, there are normally two² practical risk-reduction opportunities: either (1) bolster the defenses through more mitigation, or (2) increase the ability to absorb damage without failure – i.e. increase resistance. The latter is often only available during design while the former is always available.
Now, with probability-side mitigation identified as our best opportunity to reduce risk, let’s focus on that aspect. While we may wish to direct our actions to mitigation measures, let’s not lose sight of the big picture – the total risk. Since expected loss (EL)³ is the most complete, objective, and defensible measure of risk, it should be used as the main determinant of action/no-action, i.e. risk management. That is, the amount of ‘loss avoidance’ to be achieved is most efficiently measured by EL.
To illustrate this, a pipeline-operations/ maintenance team examines loss avoidance measures for a portion of a pipeline system. For each option contemplated, costs are estimated and changes in risk (EL) level calculated, resulting in benefit/cost ratios, i.e. [loss avoidance]/[project costs]:
- The current seven-year integrity reassessment interval could be changed to five years, with a benefit/cost ratio of 0.23;
- A depth of cover survey is estimated to carry a 2.2 benefit/cost ratio;
- A close interval survey, a 1.2 benefit/cost ratio; and
- A protective slab, a 0.9 benefit/cost ratio.
These are based on estimated long-term costs, both capital and ongoing maintenance, compared to EL reduction (avoided loss) as measured by their risk assessment. EL is the most complete measure of risk and, hence, of any reactions to a risk level. If decision-makers opine that additional considerations are warranted, it probably means that the EL calculation is not yet complete in their minds. For example, a CEO may believe that incident-consequence estimates do not fully include effects on corporate shareholders and company stock valuations. He may be right. Risk assessors should demonstrate that even the most emotional responses to an incident are captured and the CEO’s concerns are indeed reflected in the risk estimates. Otherwise, the bases of decisions are being split into a logical, rational approach (i.e. the risk-assessment results) and an emotional, subjective basis (i.e. someone’s opinion regarding the emotional impact of incidents). While not uncommon, most would agree that this would be improved if all considerations were included in the more rational, defensible part of the decision-making (even if this, too, must include some subjectivity).
Having passed some version of ALARP as partially illustrated here, a facility is theoretically ‘safe enough’. However, some may choose a risk management programme beyond a purely analytical approach. For example, a ‘continuous improvement’ approach to supplement the go/no-go decision-making also has precedent in many industries. This is consistent with the history of risk assessment. Risk tolerance is ultimately a personal choice, even though decision-makers are forced to choose risk levels on behalf of companies and the surrounding public. Nonetheless, most will agree that a robust and objective analysis, based on formal risk assessment, is an essential aspect of any risk-management programme.
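The screening of the four options above can be worked through as follows. This is an added example, not part of the original article: the function names, the gross-disproportion factor of 3 and the probability, consequence and cost figures in the demo are assumptions made for illustration, while the four benefit/cost ratios are the article's own.

```python
# Assumption: the article does not quantify "grossly disproportionate".
# A factor of 3 (cost up to 3x the loss avoidance) is used for illustration.
GROSS_DISPROPORTION = 3.0


def expected_loss(probability, consequence):
    """R = P x C: expected loss per year for one failure scenario."""
    return probability * consequence


def benefit_cost(p_before, p_after, consequence, annual_cost):
    """[loss avoidance] / [project costs]; loss avoidance is the drop in EL."""
    avoided = (expected_loss(p_before, consequence)
               - expected_loss(p_after, consequence))
    return avoided / annual_cost


def alarp_screen(ratio, factor=GROSS_DISPROPORTION):
    """Classify one option by its benefit/cost ratio."""
    if ratio <= 0:
        return "reject"      # no risk reduction at all
    if ratio > 1.0:
        return "justified"   # loss avoidance exceeds cost
    if 1.0 / ratio <= factor:
        return "alarp"       # cost higher, but not grossly disproportionate
    return "reject"          # cost grossly disproportionate to loss avoidance


# Benefit/cost ratios as stated in the article.
OPTIONS = {
    "reassessment interval 7 -> 5 years": 0.23,
    "depth of cover survey": 2.2,
    "close interval survey": 1.2,
    "protective slab": 0.9,
}


def rank_options(options=OPTIONS):
    """Highest benefit/cost first, each with its screening result."""
    ordered = sorted(options.items(), key=lambda kv: kv[1], reverse=True)
    return [(name, ratio, alarp_screen(ratio)) for name, ratio in ordered]


if __name__ == "__main__":
    # Constructed inputs: mitigation halves a 0.002/yr failure probability
    # on an 11,000,000 consequence, at a 5,000/yr long-term cost.
    print(round(benefit_cost(0.002, 0.001, 11_000_000, 5_000), 2))
    for row in rank_options():
        print(row)
```

Under the assumed factor, the protective slab (0.9) remains defensible under ALARP even though its cost exceeds its loss avoidance, while the shorter reassessment interval (0.23) does not; a different factor moves that boundary.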
1 See previous articles detailing this analysis of failure potential.
2 Exposure is normally not reasonably changeable. Relocation of the facility is not commonly a practical risk-reduction option.
3 Again, see previous articles discussing expected loss.