White Paper Transforming the Corps into a Risk Managing Organization Abstract

advertisement
White Paper
Transforming the Corps into a Risk Managing Organization1
Abstract
The Corps' reliance on engineering design standards, a hierarchical decision structure and
strong link to Congressional budget priorities may have been appropriate for the past but not
for the future. The increasing recognition by the agency and by the public of the limits of
prediction ( uncertainty) and in the limits of what protection the Corps and the nation can
provide against extreme events, led to the Actions for Change and the Corps interest in
adopting a risk analysis approach to decision making. Risk analysis comprises three related
and iterative tasks: 1) risk assessment, to include the data and analytical activities that define the
likelihood and future consequences of different alternatives having different costs, (2) risk
management, to include what hazards and opportunities will receive agency attention and what
risk vs. benefit, vs. cost choices will be made and by whom and what would be the impact of
current decisions on future options, and 3) risk communication among policy makers, budget
authorities and the public who must collectively make investment or regulatory decisions (risk
management) with the knowledge provided by the risk assessment. An example is provided to
illustrate how the Corps might function as a risk management agency. Some of the ways in
which a risk management approach advances the Corps' mission and service to the nation are
identified and several changes to the Corps organization, planning, budgeting and sharing of
decision authority are described. The paper concludes with a number of recommendations for
immediate action to begin the transition to becoming a risk management agency.
Introduction
Hurricanes Katrina and Rita and the subsequent criticisms of the nation’s and the Corps of
Engineers approaches to projects design, budgeting and communication of risk have been a
wakeup call for the U.S. Army Corps of Engineers. The evaluations that were made after the
storms revealed the limitations of the traditional engineering approaches to design of projects in
the face of natural and man-made hazards and the ways in which risk was evaluated, recognized
and communicated. The traditional approach presumes that risk assessment and risk management
are technical decisions that are solely the responsibility of the professional engineer. However,
absent perfect knowledge and unlimited financial resources performance and design can never
yield “fail safe” projects. As noted in the book “to Engineer is Human,”
All designs for use are arbitrary. The designer or his client has to choose in
what degree and where there shall be failure. Thus, the shape of all things is
1
Contributing Authors: David Moser, USACE, Institute for Water Resources; Todd. Bridges,
USACE, Engineer Research and Development Center; Steven Cone, USACE, Institute for Water
Resources; Yacov Haimes, University of Virginia; Brian K. Harper, USACE, Institute for
Water Resources; Leonard Shabman, Resources for the Future; and, Charles Yoe, College of
Notre Dame
1
the product of arbitrary choice. If you vary the terms of your compromise--say
more speed, more heat, less safety, more discomfort, lower first cost--then you
vary the shape of the thing designed. It is quite impossible for any design to be
the logical outcome of the requirements simply because, the requirements
being in conflict, their logical outcome is an impossibility.
There are always “residual risks” defined as the likelihood and consequences of occurrences that
exceed the stresses that can be met by the project. Furthermore, routine applications of specific
factors of safety, freeboard requirements, and other uniform standards without understanding
whether these design adjustments actually address vulnerabilities that may compromise project
reliability may do little to reduce failure risk Additionally, the methods for communication of
residual risks and project reliability to the affected public, Corps, and government decision
makers has been revealed ineffective.
These issues are not confined to flood hazards. The nation’s water resource problems and their
potential solutions all involve risk and require decision making under uncertainty. The problems
are complex and multifaceted and in need of a decision making paradigm that acknowledges this
complexity and imprecision.
The Actions for Change represent a new direction for the Corps of Engineers in terms of how it
plans, decides upon and then implements, solutions to the nation’s water resources problems.
The Actions emphasize the need for risk assessment and risk management within a systems
context, the need to effectively communicate risk and the need to increase public service
professionalism within the Corps. The actions call for more attention to quantifying the risks and
acknowledging uncertainties in terms of human life, health and safety, economics, environment,
finances and other values that are important to people. The actions call for better communication
of the risks of choosing different alternatives for the nation and for individual citizens. If the
Corps is going to be part of a new national effort to better recognize and then manage risks, it
must be competent at characterizing them (risk assessment) and communicating the nature of
these risks to a wide variety of stakeholders and decision makers.
The systems under consideration within the Corps portfolio of projects include: locks, dams and
channels forming a navigation system; a combination of structural, non-structural, and restored
natural features operating to reduce flood risks; beach and dune complexes; series of structures
and operating procedures at a reservoir to meet multiple purposes; and, systems of ecosystem
features comprising a restoration project. These systems include many interacting components
whose relationships and dependencies can give rise to complex system behaviors. The
performances of these systems are affected by any number of natural and anthropogenic factors
(e.g., weather patterns, economic trends) that vary both temporally and spatially.
The discussion that follows will require significant changes in the way the Corps is organized for
planning, decision making and budgeting. Allowing the Corps to become a risk managing
organization is a non-incremental step for the nation and for the organization itself. This paper
outlines the e scope and depth of change, as called for by the 12 actions, in order to facilitate the
discussions that must take place if change is to be realized.
2
Traditional Ways of Managing Risk
The Corps' decision making on engineering performance and design begins with a code that has
grown to in excess of 310 Engineering Regulations, over two dozen Engineering Circulars, more
than 170 Engineering Manuals, about 140 Engineering Pamphlets and hundreds more technical
letters, planning guidance letters and various Army publications. As a large but decentralized
organization, the Corps has relied on development of engineering standards for application
within a regional office or across the agency as one means of exercising organizational control.
These formal regulations are interpreted with informal rules found in the oral traditions of the
Corps' organizational culture.
Risk analysis, more specifically engineering reliability assessment and risk cost assessment,
explicitly accounts for the uncertainties and vulnerabilities that accompany any project, and then
identify the performance and design changes and their costs to reduce the risk of project failure.
This directed assessment of critical vulnerabilities differentiates risk analysis from the
application of uniform standards.
The Corps, in the spirit of the codes of ethics of most professional engineering societies holds
paramount the safety of the public. Design and performance standards were to be applied at
projects sites to minimize catastrophic loss of property and life. However, despite this admirable
goal the agency has found itself unable to provide that assurance because of budget constraints,
lack of knowledge of future storms, unanticipated design limits or all three.
Explicit risk assessment and engineering reliability analysis only recently have begun to
substitute for application of standards, in limited areas such as dam safety and flood risk
evaluation. However, the language of “safety” and “protection” continues to be used to describe
the promise of a Corps project. What risk assessment highlights is the impossibility of achieving
complete safety. Instead, more and more agencies are managing risk, the flipside of safety.
Communication of what “might go wrong” and the likelihood of that happening both without any
action being taken, and with a particular project in place focuses attention on remaining risk.
With attention on remaining risk and the cost and practicality of alternatives for reducing that
risk, decisions can be made about how much the nation is willing and able to pay to reduce a
future risk (or how safe is safe enough?)
In the current Corps' project formulation and design
Design Goal Examples
process the project delivery team characterizes the
expected future conditions with and without a project in
Factors of safety for design of
place. Analysts typically use a single expected value to
navigation channels, slopes on a
represent each variable in the performance evaluation.
levee section, wall thickness.
The application of standards is made to assure the
structure will meet the performance goal and avoid
failure. The cost of the project as designed to meet the standard is estimated and then the cost
must be justified by an assessment of project NED and NER benefits. The problem is that the
initial performance and design goals are set in an uncertain world.
Uncertainty has many sources. One of these is the inherent randomness of natural systems. For
example, there can be a residual risk of flooding for any given degree of protection chosen for a
3
project as larger but infrequent flood flows may occur. Desired ecological end points may not be
realized for a given restoration effort, if other factors beyond those in the restoration plan result
intrude. This randomness may be reflected in estimates of the probability of different
circumstances occurring
A different source of uncertainty results from our limited understanding of natural systems.
Limits on understanding arise from gaps in our conceptual models (basic scientific
understanding) and necessary simplifications of models, and limited data, used to predict natural
phenomena. Uncertainty will also be present when predicting human behavior and choices. For
example, flood plain development or water supply demand may exceed predictions,
unanticipated land and population settlement may stress ecosystems or unpredicted increases in
ship sizes may place new demands on harbor dimensions. These sources of uncertainty would
require the Corps to anticipate future events that have occurred infrequently or never in the past.
This source of uncertainty is the domain of scenario analysis, a way to deal with uncertainty that
does not assign probabilities to possible outcomes.
Risk analysis admits to the reality of uncertainty and attempts to plan, build, operate and then
adapt decisions over time as new understandings serve to reduce the uncertainty that
accompanies the original planning. This is a different approach than designing, implementing
and then routinely operating projects built to meet performance and design standards.
Risk analysis is designed explicitly for making decisions under conditions of uncertainty. It
reorients the Corps’ focus away from safety and toward risk assessment and management. The
Corps extensive experience, data, and knowledge bases developed over many years are an ideal
platform on which to build a risk analysis approach to decision making.
What is Risk Analysis
Risk is a measure of the probability of undesirable consequences. Risk analysis is a decisionmaking framework that explicitly evaluates the level of risk if no action is taken and recognizes
the monetary and non-monetary costs and benefits of reducing risks when making decisions.
Risk analysis comprises three tasks: risk assessment, risk management, and risk communication.
Risk analysis organizations pursue their missions by managing risks. Risk analysis is being
adopted by a growing number of organizations nationally and globally.
Figure 1 shows the interrelatedness of the three parts of risk analysis and the notion that risk
communication is a vital and joining activity that must take place for the analysis to be an
effective decision framework. Note that the technical scientific work takes place in the risk
assessment while risk management is more concerned with applying social values and policy to
sort through options and tradeoffs revealed in the risk assessment.
4
Figure 1: Three Parts of Risk Analysis
Based on WHO 2007
More formally, risk analysis is the process of separating the whole of risk into its component
tasks by assessing the risk and related uncertainties for the purpose of efficacious management of
the risk, facilitated by effective communication about the risks. Its tasks can be described as
follows:
1. Risk assessment is a broad term that encompasses a variety of analytic techniques that are
used in different situations, depending upon the nature of the risk, the available data, and
needs of decision makers. It is a systematic, evidence based approach for quantifying and
describing the nature, likelihood, and magnitude of risk associated with the current condition
and the same values resulting from a changed condition due to some action.
2. Risk management is the process of problem finding and initiating action to identify, evaluate,
select, implement, monitor and modify actions taken to alter levels of risk, as compared to
taking no action. The purpose of risk management is to choose those technically sound
integrated actions to reduce risks after consideration of the costs of each increment of risk
reduction. Environmental, social, cultural, ethical, political and legal considerations all factor
into the decision made on how much cost will be incurred for each increment of risk
reduction (how safe is safe enough?)
5
3. Risk communication is the open, two-way exchange of information and opinion about
hazards and risks leading to a better understanding of the risks and better risk management
decisions. Risk communication is integrated into the assessment and management processes.
It is not a task that occurs only after decisions have been made. Risk communication ensures
that the decision makers, other stakeholders and affected parties understand and appreciate
the process of risk assessment and in so doing can be fully engaged in and responsible for
risk management.
Role of Uncertainty in Risk Analysis
As used here uncertainty is the result of imperfect knowledge concerning the present or future
state of a system, event, situation, or (sub) population under consideration. Uncertainty leads to
lack of confidence in predictions, inferences, or conclusions. Uncertainty occurs because of a
lack of knowledge. Here we distinguish it from variability, although many consider variability a
specific source of uncertainty. For example, a risk assessor may be very certain that stream
flows vary over a year but may be uncertain about the amount of that variability. Collecting
more and better data can often reduce uncertainty, whereas variability is an inherent property of
the system/population being evaluated. Variability can be better characterized and addressed
quantitatively with more data but it cannot be reduced or eliminated. Efforts to clearly
distinguish between variability and uncertainty are important for both risk assessment and risk
characterization because they can influence risk management decisions. (Modified from EPA
2003).
The Corps operates in an uncertain reality. Rather than cling to a deterministic approach to
decision-making, the Corps needs to establish a 'culture of uncertainty'. Because of increasing
complexity and a rapidly increasing pace of change, the future is fundamentally unknowable.
Risk assessment techniques and methods provide an extensive set of tools for addressing
uncertainty encountered in a decision problem. Scenario analysis is one set of tools used to
consider the many possible futures that could affect decision making. Risk communications
must take care in successfully communicating the relevant uncertainties and their implications
for decisions. Risk managers must weigh uncertainty in their decision-making and provide for
dealing with the inevitable mistakes that will result with actions like staged implementation and
adaptive management. Gone are the days when an analysis can be collapsed into or summarized
by a single number or scenario.
Risk Assessment: An Elaboration
The risk assessment process attempts to answer the following four questions:
•
What can go wrong?
•
How can it happen?
•
What is the likelihood?
•
What are consequences?
Risk assessment has a somewhat different meaning than the Corps' terminology of "risk-based'
or "risk-informed" or "risk and uncertainty." It may be characterized as a more formal and
6
focused effort to describe and define the
impacts of a risk to facilitate their effective
management. The proposed and
subsequently withdrawn (2007) OMB Risk
Assessment bulletin defined the term:
‘“risk assessment” means a scientific
and/or technical document that
assembles and synthesizes scientific
information to determine whether a
potential hazard exists and/or the
extent of possible risk to human
health, safety, or the environment.”’
Hazard Defined
A thing or action that can cause adverse
effects… (OMAF 1997)
A potential source of harm (EPA 2003)
It is important to think broadly in terms of
what a hazard is. All will be familiar with
natural hazards like floods and water quality
that destroys habitat, anthropogenic hazards
like vessel operation or dam safety. These are
only some of the hazards that present risks to
be managed. The challenge to Corps personnel
will be to see a broader range of hazards
including cost overruns, budget shortfalls,
negative net benefits, other financial risks,
missed milestones, and the like.
Risk assessment would augment the
technical work done throughout the Corps’
organization. An update of the traditional
definition of risk assessment taken from the
1983 National Research Council’s Risk Assessment in the Federal Government: Managing the
Process (the so-called "Redbook") includes the following steps:
1.
2.
3.
4.
Hazard Identification
Hazard Characterization
Exposure Assessment
Risk Characterization
Hazards are the focal point of this process and the major change would be to add an explicit
hazard identification step to the various Corps tasks. In a general sense, "hazard" is anything that
is a potential source of harm to a valued asset (human, animal, natural, economic, social). It is
important that one not limit the notion of a hazard to a natural hazard. So in this sense, a hazard
can be thought of as an assumption about some uncertain value or parameter that, if incorrect,
can result in the undesirable consequence of the failure to achieve the economic return
anticipated.
Hazard Identification
This identifies all biological, chemical, social, economic, and physical agents or
natural/anthropogenic events capable of causing adverse effects on people, property, economy,
culture, social structure, or environment. The hazard identification step explicitly identifies the
hazards that will be of concern in the risk management activity.
Hazard Characterization
The qualitative and/or quantitative evaluation of the nature of the adverse effects associated with
the identified hazard(s), which may be present in the situation of interest. The hazard
characterization step describes the harm that can be done when the hazard is present.
Exposure Assessment
7
Exposure occurs when a susceptible asset comes in contact with a hazard. An exposure
assessment, then, is the determination or estimation (which may be qualitative or quantitative) of
the magnitude, frequency, or duration, and route of exposure. This task describes how the
asset/entity/receptor of interest comes in contact with the hazard.
Risk Characterization
The qualitative and/or quantitative estimation, including attendant uncertainties, of the
probability of occurrence and severity of known or potential adverse effects in a given watershed
or decision problem based on the evidence gathered in hazard identification, hazard
characterization and exposure assessment.
Risk Management: An Elaboration
Risk management may be understood informally as the work required to answer these questions:
1. What is the problem?
2. What can be done to reduce the likelihood or severity of the risk described?
3. What are the tradeoffs in terms of costs, benefits, and risks among the available options
both now and in the future?
4. What is the best way to address the described risk?
In sum, risk management is the process of problem finding and initiating action to identify,
evaluate, select, implement, monitor and modify actions taken to alter levels of risk. The goal of
risk management is scientifically sound, effective, efficient, integrated actions that reduce risks
while taking into account economic, environmental, social, cultural, ethical, political and legal
considerations.
Thinking of risk management as part of risk analysis it is possible to identify some broad
categories of activities that comprise risk management.
Risk Evaluation.
The risk manager’s risk evaluation activities include all the initial risk management activities.
These include such things as identifying problems and opportunities to act on, directing the risk
profile (situation analysis), defining goals, determining the scope, range and relevant risk
assessment policy, commissioning a risk assessment when needed, considering the risk
assessment process and its results with especial attention to relevant uncertainties.
Assess Risk Management Options.
Option assessment activities include the process of identifying, evaluating, selecting,
implementing, and monitoring actions taken to alter levels of risk. This is a deliberate process of
systematically considering all options and their associated trade-offs. Risk management means
deciding the level of risk that is tolerable or acceptable in consideration of the costs and other
consequences of different risk reduction actions. Risk management also means giving
appropriate consideration to the analytical uncertainties identified during the risk assessment and
other evaluations.
Implement Risk Management Decision.
8
Implementation activities include executing all steps necessary to make the chosen risk
management alternative a reality. Part of implementation may include adaptive management
processes to learn while acting when uncertainties identified in the preceding steps are
significant and the costs of making a “wrong” decision are deemed to be high.
Monitoring and Review.
Monitoring and review activities are undertaken to improve understanding and reduce
uncertainty over time through learning. Learning will assure the success of the implemented risk
management measure(s). Over time, with learning, even the goals of the risk management
measure(s) may be adjusted. Risk management policies may induce changes in human behaviors
that can alter risks (i.e., reduce, increase, or change their character), and these linkages must be
incorporated into evaluations of the effectiveness of such policies. (OMB 2007)
Risk Communication: An Elaboration
Beginning with an informal definition, risk communication is the work that must be done to
answer the following questions for a risk management activity:
1.
2.
3.
4.
5.
6.
7.
8.
Why are we communicating?
Who is our audience?
What do we want to learn from our audience?
What do they want to know?
What do we want to get across?
How will we communicate?
How will we listen?
How will we respond?
Effective two-way risk communication has both internal and external communication
components. Internal risk communication requires early and continuing communication,
coordination, and collaboration among risk assessors and agency officials throughout the
decision making process.
Stakeholder Engagement
The external process includes all communication between the agency analysts, officials and
affected stakeholders. Stakeholder involvement goes beyond the traditional public participation
process of conveying information to the public. It supports decision-making and ensures that
public values are considered in the decision making process. Feelings are an important source of
information.
Involving stakeholders improves the knowledge base for decision-making and can reduce the
overall time and expense involved in decision-making. It may improve the credibility of the
agencies responsible for managing risks. It should generate better-accepted, more readily
implemented risk management decisions. Furthermore, it is irresponsible dangerous not to
engage stakeholders in meaningful input and feedback opportunities in the risk management
process.
9
Successful risk communication leads to a common recognition and understanding of the hazards,
risk management options, and shared acceptance of the risk management decisions.
Communicating About the Nature of Risk
Constituents and stakeholders need awareness and an understanding of the characteristics and
importance of the hazard of concern. It is important to convey the magnitude and severity of the
risk, as well as the urgency of the situation. People must understand whether the risk is
becoming greater or smaller (trends) as well the probability of exposure to the hazard.
The geographic, temporal, and specific distribution of exposure to the hazard needs to be
understood as well as the amount of exposure that constitutes a significant risk. For flood
hazards, this is easy to imagine. The nature and size of the population at risk as well as
knowledge of who is at the greatest risk all need to be conveyed to stakeholders.
Risk is only one part of the issue. People engage in risky activities (e.g., living in floodplains)
for many good reasons. The actual or expected benefits associated with each risk should be
identified and understood. It is important to know who benefits and in what ways. The
magnitude and importance of those benefits need to be weighed to find the balance point
between risks and benefits.
Communicating Uncertainties in Risk Assessment
One of the challenges of risk communication is conveying the existence and significance of
uncertainties encountered in the assessment of the risks to both decision makers and stakeholders
as appropriate. The methods used to assess the risk should be described and made available.
Significant uncertainties need to be explicitly and specifically identified. The importance of each
of the uncertainties, as well as the weaknesses of, or inaccuracies in, the available data need to be
communicated. The assumptions on which estimates are based must be identified. Sensitivity
analysis of the risk estimates and other decision-making criteria must be conducted and the
results communicated. The effects of changes in assumptions on risk management decisions
must be thoroughly explored. It is important to objectively assess and convey the assessors’
level of confidence in the results of the risk assessment.
It is the risk assessor’s job to assess and convey the extent and significance of uncertainty in the
technical aspects of a decision process. It is the risk manager’s job to weight its importance in
the decision.
Communicating Risk Management Options
The action(s) taken to control or manage the risk must be carefully communicated and a common
understanding about the risk management actions needs to be developed among the affected
publics. The justification for choosing a specific risk management option must be made
transparently explicit, and based on a shared responsibility, as much as possible, for the choice
made. The effectiveness of a specific option and any residual, transformed or substitute risks
must be recognized. The action(s) individuals may take to reduce personal risk should be
carefully communicated as a part of the risk management alterative that is chosen.
10
The benefits of a specific options as well as the cost of managing the risk, and who pays for each
option considered are essential information. For emphasis, we repeat, the risks that remain after
a risk management option is implemented need to be clearly understood by all affected parties
and decision makers.
Managing Risks
Being a Risk Managing Organization
The Corps thought it was managing risk for many years, as it has applied the engineering
standards approach to performance and design. To purposefully become a risk management
organization in a contemporary sense, means adopting the best modern practices used by the
Corps and other government agencies, in risk assessment, management and communication.
This process replaces the engineering performance and design standards approach, as
appropriate, to grapple with difficult, diverse and complex risks of managing the Nation’s water
resources and existing Corps infrastructure.
More broadly, instead of pursuing a project-construction focused definition of its responsibilities,
the Corps will define its Civil Works mission as helping the nation to manage risks to human
life, health and safety, to the economy and to ecosystems, all in consideration of available
budgets for these purposes. Social and ecological outcomes will replace project outputs as the
measures of success. The Corps would practice enterprise risk management. This means risk
management would suffuse all business lines, programs, and levels of the organization. Day-today business and long-term strategic planning would all become risk management activities.
Embracing this contemporary risk management approach does not guarantee that every decision
will result in a good outcome. In an uncertain world, everything cannot be known and “bad”
outcomes of “good” decisions will occur despite the best efforts to the contrary. Risk
management provides the best approach to minimizing these mistakes by assuring a sciencebased, transparent, and collaborative decision process.
How To Be A Risk Management Organization: Activities
A straw man risk management model is presented to illustrate how a risk managing organization
could operate. This model is adapted from a model currently in use within US FDA (CFSAN
2003).
11
Figure 2: Organic Risk Management
Source: CFSAN 2003
A risk management activity can take place at many levels within an agency or group of agencies
with decision making responsibility and authority. From an individual agency viewpoint, those
responsible for many risk management decisions are typically middle- to senior-level managers
who make risk management decisions on a daily basis. For issues within a program office, the
office director or designee might be the risk manager. For cross-office issues, the District
Engineer might be the risk manager. This suggests that risk management decision authority has
a hierarchy based on the importance of the decision. At every step of the risk management
process, risk management decisions may have to be elevated depending on their importance to
the ultimate decision an action chosen. Even so, risk management is ultimately a shared
responsibility, especially at the action level, among the agency, budget authorities and
stakeholders. This model illustrates the manner in which risk management activities proceed.
There are seven components of this risk management framework.
The first two steps encompass all that must occur in order for the Corps to initiate a risk
management activity. The third step is where programs (Planning, Programs, O&M, and so on)
are executed. The decision step replaces maximization of “risk neutral” net present value as a
decision rule (NED) and other currently dominating considerations to focus attention on the level
of risk with versus without any contemplated action and the costs (financial, ecological,
opportunity) of the action. The decision step is also where social values and considerations of
equity can influence the choice of action. Implementation is an important part of the Corps’
12
program and would remain so. The last two steps mark a significant change in the way business
is done. They steer the Corps in the direction of routinely practicing adaptive management. The
arrows in the framework diagram shows that this is an iterative process.
To better illustrate the life cycle of a risk management activity, sample activities for each step are
listed below.
Triggers and inputs
o Collect and assess inputs (e.g., information, Congressional initiatives)
o Identify critical mass of inputs that triggers need action to initiate a risk management
activity
o Formulate statement of the problem.
Prioritization
o Articulate problem defined in the previous step
o Evaluate adequacy of available resources vs. needed resources
o Determine go/no go on problem/issue
Process
Internal Process (This is where day-to-day work is accomplished)
• Identify and assign lead and form teams as needed
• Gather science-based evidence (risk assessment, engineering, economics, social
science, and new research)
• Determine other influencing factors (policy, legal authority, societal values)
• Develop strategy for conducting the external process
• Determine risk management options
External Process (This is where external risk communication is most intense.)
• Implement strategy for (risk) communication
• Evaluate feedback from communication efforts
• Readjust strategy for external process, if needed
Decision (This process involves all appropriate stakeholders)
o Identify and evaluate options for decision
o Document the decision-making process including how the available information and data
were used to make a recommendation
o Make a recommendation
o Clear/ approve recommended decision
o Develop implementation strategy
o Develop continuing learning (hypotheses, monitoring, model development and
improvement) strategy
Implementation (Differs by new focus on outcomes that will be measured.)
o Carry out the implementation strategy based on the decision made (identify and mobilize
program resources)
o Determine how outcome will be measured
13
o Identify who will monitor and evaluate outcome of decision
Outcome (Corps will constantly monitor its success based on identified outcomes.)
o Measure or evaluate results
Monitor/Evaluate/Modify (Adaptive management across all programs.)
o Carry out monitoring strategy
o Evaluate results
o Implement learning strategy by revising hypotheses, system models, etc.
o Adjust management action as needed.
Although this management process may not suit the Corps’ needs as described, it does provide
an example of a real risk management model currently in use by a Federal agency.
What Value Does a Commitment to Risk Analysis Add to the
Corps?
The reasons for doing risk analysis are simple and compelling. In response to Hurricanes
Katrina and Rita, the Corps committed to change. A central feature of that change is to adopt
risk informed decision making as part of its approach to how it plans, designs, constructs,
operates, and maintains civil works infrastructure. In doing so, the Corps:
o Shows the agency’s commitment to substantive change in the aftermath of Katrina and
other difficulties.
o Improves the quality of thinking and analyses before a decision is made, thereby
improving the quality of decisions.
o Better reduces the risks to human life, health, property, ecosystems, and economies.
o Integrates social values in to Risk Management.
o Facilitates more reliable production of water resource outputs and, therefore, more
desirable societal outcomes.
o Identifies and addresses key uncertainties encountered in all business lines and functions.
o Fosters better cost control of projects and budgets.
Additionally, the adoption of risk analysis and a risk management process places the Corps inline
with goals and objectives of the recently issued OMB memorandum on principles of risk
analysis. (OMB 2007)
Risk Management and How the Corps Will Do Business
The foregoing should not imply that the Corps is not making any strides in risk management.
For instance, flood damage reduction has been evaluated using risk assessment for over ten
years. In the dam safety area, risk analysis tools and techniques are being used to prioritize
14
efforts to reduce the overall level of risk posed by Corps dams. However, these are mostly
piecemeal efforts that do not involve all elements of the organization. To evolve the Corps into a
risk management organization will require changes in how the agency thinks about itself and
conducts business. Below are several ways in which the Corps will be different when adopting a
risk management paradigm.
Develop a Risk Management Culture
The influence of the Corps organizational culture may be as significant as formal standards in
perpetuating and enforcing traditional agency practices. Therefore, changes in organizational
culture will be necessary to change traditional practices. If an effort to advance risk analysis
approaches is to succeed, factors such as the way the review process is structured, the new role
of technical guidance and regulations, the way budgets are allocated, and the commitment of the
organizational hierarchy may be as important as writing new rules or technical training.
Managing change must be a central component of any implementation strategy.
Technical Centers with an Operational Role in Making Risk Assessments
A necessary step to infusing risk management is to move to a more centralized technical analysis
structure. Risk assessments require the development and application of specialized models,
knowledge, skills, and experience. It is simply not feasible or cost-effective to expect these to be
developed and nurtured in every Corps District. In this reorganization two or three national
centers would be established. All risk assessment models would be run and assessment results
developed in these centers. These centers would be responsible for all the of the risk
assessments for all phases of a project; from planning, design, and construction, through
operation, rehabilitation, and decommissioning. The responsibility of the district office would be
to become familiar enough with the needs of the risk assessment methods that they could provide
assistance in data base assembly for their particular project of concern.
Public Understanding of Risk Concepts and the Costs of Risk Reduction
A first step toward greater acceptance of explicit risk management will be increased public
understanding of risk and the general concept of risk management. Although some movement in
this direction appears to have occurred, significant change is likely to be a long-term process. If
the Corps is to use risk analysis best practice it must be able to respond to changing social
values, this means expanding its decision-making criteria beyond the risk neutral net preset value
criterion (NED). For example, risk management decisions may be based more on physical (rather
than monetary) descriptions of failure consequences. Likewise there needs to be a full
appreciation of budget constraints, competing areas where risk reduction might be a focus for
limited funds and the incremental costs for ever higher levels of risk reduction in relation to
remaining risk for any action.
Shared Risk Management Responsibility
The Corps alone is not in a position to make the societal judgments about acceptable risk. Risk
managers must balance the professional insights of the Corps’ professional staff with the public
and stakeholders concerns for such matters as residual risks, reliability, and cost. The only way
to reconcile the responsibilities and the limitations on the Corps, as it becomes a risk
management agency, is through an acknowledgment by both the risk managers and the public
15
that engineering design is not a certain technical computation and that cost/ risk reduction tradeoffs must always be considered.
A risk managing organization will communicate that no project is risk free and that there are
always choices and compromises that must be made in design, construction, and maintenance.
However, engineers have a higher responsibility than the average citizen as choices are made,
because they better understand the limitations and potential consequences of failure of
engineered structures. That responsibility will shift to the Corps’ risk managers and it will rely
heavily on inputs garnered in risk assessment and communication activities.
Recommendations
1. Adopt the risk analysis framework. Figure 1 presents a starting point to develop the Corps
framework. The framework needs to be broad enough to cover the all the Corps business
lines and missions. Additionally, the framework should be applicable to decisions
throughout the life-cycle of a project or plan.
2. Standardize the Corps risk language. The Corps needs to adopt a set of risk terms and
definitions. Currently, the Corps uses risk terms from the literature and has invented others
without developing accepted usage and meaning. This will aid understanding both within the
Corps and when communicating with stakeholders. This will also get the evolving risk
management framework off to a good start by assuring the language used will not need to be
revisited.
3. Develop a risk management model. Figure 2 shows an existing risk management model of
another Federal agency. It represents a starting point for the Corps to develop its own model
that meets the requirements for Corps risk management.
4. Commission papers on implementing risk analysis. All business lines and missions should
develop papers, draft protocols and guidance describing how the risk analysis framework and
risk management model will be implemented. These should include identifying the “risk
manager” and the process that will be followed to make risk management decisions.
5. Learn from ongoing risk analysis. The Corps is doing some aspects of risk analysis in
several areas. Quantitative risk assessment has been a part of major rehabilitation and flood
damage reduction for over ten years. Risk assessment and risk management tools are being
applied in the Corps dam safety program at the portfolio level. These and potentially other
applications should be used as learning opportunities for other areas. Additionally, they can
be used to develop and test a unified risk management framework.
16
References
CFSAN 2003. CFSAN’s Risk Management Framework. Center for Food Safety and Applied
Nutrition, Food and Drug Administration, US Department of Health and Human Services,
December 2003.
EPA 2003. Integrated Risk Information, Glossary of IRIS terms. Washington, D.C. U.S.
Environmental Protection Agency (downloaded July 8, 2005).
http://www.epa.gov/iris/gloss8.htm
OMAF 1997. A General Risk Assessment Framework for the Ontario Ministry of Agriculture
and Food.
http://www.gov.on.ca/OMAFRA/english/research/risk/frameworks/as1.html#core.
OMB 2007. Updated Principles for Risk Analysis, M-07-24, Memorandum for The Heads of
Executive Departments and Agencies
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-24.pdf
WHO 2007. About risk analysis in food
http://www.who.int/foodsafety/micro/riskanalysis/en/
17
WHO | About risk analysis in food
Home
Food safety
About WHO
About | Contact us | Publications | Related links
Countries
WHO > Programmes and projects > Food safety > Microbiological risks in food
Health topics
Publications
All WHO
Search
This site only
printable version
About risk analysis in food
Data and statistics
Programmes and
projects
Food Safety
The World Health Organization (WHO) and the Food and Agriculture Organization of the United Nations
(FAO) are in the forefront of the development of risk-based approaches for the management of public
health hazards in food. The approach used is called risk analysis, and is made up of three components:
Zoonoses
:: Risk assessment
Microbiological risks
:: Risk management
Chemical risks
Biotechnology (GM
foods)
Food standards
(Codex
Alimentarius)
:: Risk communication
The diagram below illustrates the relationship between the three components of risk analysis.
Foodborne disease
Food production to
consumption
Capacity building
Consumer education
Related documents
:: Application of Risk Analysis to Food Standards Issues, a Joint FAO/WHO Expert Consultation, Geneva,
Switzerland, 13-17 March 1995
Contacts | E-mail scams | Employment | FAQs | Feedback | Privacy | RSS feeds
© WHO 2008
http://www.who.int/foodsafety/micro/riskanalysis/en/10/2/2008 12:07:42 PM
Download