[SystemSafety] Confusion over Risk, Yet Again

Steve Tockey Steve.Tockey at construx.com
Mon Aug 14 19:11:39 CEST 2017


Matthew Squair wrote:

*) “So risk is just the ‘possibility’? Or is it the combination of possibility and the unwanted combinations?”

I mean to say that “risk” just means that something undesirable may happen. The two key elements here are “undesirable” and “may happen”.



*) “Strictly if an outcome has a probability of 0 or 1 it is not a risk, e.g. if I jump out of a plane without my aforementioned parachute then there’s an absolute certainty* that I’ll die. P=1 so no risk. Risk only relates to uncertain propositions.”

Right. That’s what I am saying, too. If probability is 0, then there’s no “may happen”. It’s “can’t happen” so nobody should care about it. For probability 1, it has essentially already happened. It isn’t a risk anymore, it’s a problem. Art Gemmer, the guy who gave the definition of risk that I used, has also been known to say,

“A problem is a previously recognized or unrecognized risk that has materialized”

There’s no risk management to do here, there is only damage control.



*) “Missing from this is whether we care. Not all losses are worth caring about, for example I don’t care about paper cuts. I don’t care about spraining an ankle when parachuting either in other words such events are not risks from my perspective. I do care if I break my neck though. So the definition needs to be compounded with “… that we care about””

Are you picking at semantic nits here? I said, “A measure of the (degree of) harm …”. Care and harm are correlated, no? If I don’t care then there can be no harm.



*) “But what of risks that we are unaware of but are still exposed to?”

Answer: we are still exposed to them, regardless. And there is still a probability and a severity for those we-are-unaware-about-them risks. I’m not sure I get your point here.



*) “So risk really expresses our perception of risk, not the actuality.”

I disagree here. MANAGING risk exposes our perception. We perceive X to be a risk, even though it might not be. We don’t perceive Y as a risk, even though it is. We may choose to manage risk X, but clearly can’t manage risk Y because we aren’t even aware of it. We perceive the probability of X to be p(X), even though the real probability could be completely different. We perceive the severity of X to be s(X) even though the real severity may be completely different. We cannot even perceive p(Y) or s(Y) because we don’t even know Y exists. While I 100% agree that we act on risk (i.e., we manage risk) based entirely on perception, what the real risk landscape is may not match our perception. Take the recent Grenfell Tower tragedy. I can’t believe the relevant regulatory authorities did not act in good faith when they issued the regulations. They must have thought (ahem, perceived) that their regulations were sufficient. Clearly in hindsight they weren’t.



*) “Exposure is such an overloaded term and incorrect to use, in this context Exposure = risk as far as I can see, so why not actually use that word?”

Maybe picking at another semantic nit? The issue is that, to me at least, “exposure” has quantified the risk. We need to be able to talk about bad things that might happen—risks—without requiring that they be quantified in terms of exposure. Two different concepts: 1) I perceive it exists but I may not have quantified it, and 2) I have quantified it according to my perception of probability and severity. I need two different words to communicate two different concepts effectively.



*) “This is heading towards the risk = expectation fallacy. Irreversible risks are simply not the same as reversible risks.”

What is the fallacy? The fundamental tool of risk management is to act in a way that reduces either (or both) probability or severity. Some actions can reduce probability to 0, some cannot. Some actions can reduce severity to 0, some cannot. For some risks, nothing can be done to reduce probability or severity. But the goal of risk management is to (economically) reduce (perceived) probabilities and severities to hopefully acceptable levels.

There’s even the situation of “induced risk”. Suppose that I choose to take action A to manage risk X. My hope is clearly that by doing A, I reduce p(X) and/or s(X). However, by doing A, I induce a new risk, Z, that wasn’t there if I didn’t do A. Clearly, one would hope that the induced exposure from Z is a lot less than reduction in exposure from Y but this is certainly never guaranteed.



*) “And now we have arrived, the long way round, at risk as the expectation of loss as per de Moivre. See previous comment about its limitations. If that’s the destination why not use de Moivre’s definition in the first place?”

As long as “expectation” doesn’t imply it has to have been quantified, then I don’t see any meaningful difference between de Moivre’s definition and Gemmer’s definition. It’s just that I tend to prefer Gemmer’s definition because—at least to me—“expectation” means it’s been quantified à la “expected value”.



*) “Unmentioned is that you're trying to measure something that doesn’t exist, it’s a measurement of an intangible object.”

Hmmm. . . Things that don’t exist in the physical world are unmeasurable? Interesting. How much money did you spend last month on the place that you live? Money, per se, doesn’t exist. It is no more than a means of quantifying value. Value is intangible, and yet we quantify value in terms of money in every financial transaction we make.



Regards,

— steve




From: Matthew Squair <mattsquair at gmail.com>
Date: Wednesday, August 9, 2017 at 5:51 PM
To: Steve Tockey <Steve.Tockey at construx.com>
Cc: "systemsafety at lists.techfak.uni-bielefeld.de" <systemsafety at lists.techfak.uni-bielefeld.de>
Subject: Re: [SystemSafety] Confusion over Risk, Yet Again

Apologies. Meant to share more widely, we do seem to be trapped in a frequentist time-warp...

Well…

Risk: "The possibility of unwanted consequences of an event or decision"

So risk is just the ‘possibility’? Or is it the combination of possibility and the unwanted combinations?

*) Probability: A measure of the likelihood that a risk's unwanted consequences will be suffered, possibly a number between 0.0 and 1.0

This seems to be going down the frequentist interpretation of probability rabbit hole, there is however the evidential interpretation and the evidential interpretation was excluded because?

For example say I am designing a parachute. The proposition that there is a design error is either True/False. However there is some uncertainty about the proposition. Which I can express (for argument’s sake) using Pascalian probability. Here probability = uncertainty. Not frequency. That’s an ‘evidence of’ perspective.

Strictly if an outcome has a probability of 0 or 1 it is not a risk, e.g. if I jump out of a plane without my aforementioned parachute then there’s an absolute certainty* that I’ll die. P=1 so no risk. Risk only relates to uncertain propositions.

*Let’s not quibble about trees, assume it’s the Nullarbor.

*) Severity: A measure of the (degree of) harm caused by a risk's unwanted consequence, possibly in terms of money, time, or other valued resource

Missing from this is whether we care. Not all losses are worth caring about, for example I don’t care about paper cuts. I don’t care about spraining an ankle when parachuting either in other words such events are not risks from my perspective. I do care if I break my neck though. So the definition needs to be compounded with “… that we care about”.

*) Exposure: A measure that combines probability and severity so that different risks can be reasonably compared.

But what of risks that we are unaware of but are still exposed to? For example I may be unaware that there’s a design flaw in my parachute release handle. It’s there, I’m exposed but I don’t know about it. So risk really expresses our perception of risk, not the actuality. All the above is therefore a definition of our [risk perception]. In other words an observer’s internal state.

Exposure is such an overloaded term and incorrect to use, in this context Exposure = risk as far as I can see, so why not actually use that word?

Clearly, a high probability & high severity risk gives a higher exposure than a low probability & low severity risk. But, if Risk A has high probability & low severity while Risk B has low probability & high severity, which one gives higher exposure?

This is heading towards the risk = expectation fallacy. Irreversible risks are simply not the same as reversible risks.

Let’s play a game called Russian dice, we get a six-sided die and if it’s anything other than a six nothing happens. If it’s a 6 I get to shoot you. Now expectation wise the E = (1+2+3+4+5+6)/6 = 21/6 = 3.5, that’s less than 6 so mathematically you’re safe, but would you take that gamble? I wouldn’t, nor would anybody I know because we recognise the numbers don’t reflect the risk.

Exposure should be derived via a defined function, e.g., if probability is expressed as a fraction between 0.0 and 1.0 & severity is expressed in terms of money then exposure can be calculated as the probability value times the severity value. Measurement theory becomes very important here, however.

And now we have arrived, the long way round, at risk as the expectation of loss as per de Moivre. See previous comment about its limitations. If that’s the destination why not use de Moivre’s definition in the first place?

Measurement theory becomes very important here, however.

Unmentioned is that you're trying to measure something that doesn’t exist, it’s a measurement of an intangible object. Measuring risk is not the same as measuring say the deflection of a steel leaf spring. In point of fact all that exists is the method you use, which defines in turn the intangible object you are ‘measuring’. So ‘risk’ is an operationalism of an intangible.

Therefore using probability is a specific operationalism of ‘risk’, don’t assume that it’s the only one.