Enterprise Risk Management

www.bysj580.com / 2023-03-03
Source of the translated text: Terje Aven. 2010. Enterprise Risk Management[J] Risk in Technological Systems, 2013(10):175-198.
 
Enterprise Risk Management
Terje Aven
This chapter reviews and discusses the basic issues and principles of risk management, including: risk acceptability (tolerability); risk reduction and the ALARP principle; and cautionary and precautionary principles. It also presents a case study showing the importance of these issues and principles in a practical management context. Before we take a closer look, let us briefly address some basic features of risk management.
The purpose of risk management is to ensure that adequate measures are taken to protect people, the environment, and assets from possible harmful consequences of the activities being undertaken, as well as to balance different concerns, in particular risks and costs. Risk management includes measures both to avoid the hazards and to reduce their potential harm. Traditionally, in industries such as nuclear, oil, and gas, risk management was based on a prescriptive regulating regime, in which detailed requirements were set with regard to the design and operation of the arrangements. This regime has gradually been replaced by a more goal-oriented regime, putting emphasis on what to achieve rather than on the means of achieving it.
Risk management is an integral aspect of a goal-oriented regime. It is acknowledged that risk cannot be eliminated but must be managed. There is nowadays an enormous drive and enthusiasm in various industries and in society as a whole to implement risk management in organizations. There are high expectations that risk management is the proper framework through which to achieve high levels of performance.
Risk management involves achieving an appropriate balance between realizing opportunities for gain and minimizing losses. It is an integral part of good management practice and an essential element of good corporate governance. It is an iterative process consisting of steps that, when undertaken in sequence, can lead to a continuous improvement in decision-making and facilitate a continuous improvement in performance.
To support decision-making regarding design and operation, risk analyses are carried out. They include the identification of hazards and threats, cause analyses, consequence analyses, and risk descriptions. The results are then evaluated. The totality of the analyses and the evaluations is referred to as risk assessment. Risk assessment is followed by risk treatment, which is a process involving the development and implementation of measures to modify the risk, including measures designed to avoid, reduce (“optimize”), transfer, or retain the risk. Risk transfer means sharing with another party the benefit or loss associated with a risk. It is typically effected through insurance. Risk management covers all coordinated activities in the direction and control of an organization with regard to risk.
In many enterprises, the risk management tasks are divided into three main categories: strategic risk, financial risk, and operational risk. Strategic risk includes aspects and factors that are important for the enterprise’s long-term strategy and plans, for example mergers and acquisitions, technology, competition, political conditions, legislation and regulations, and the labor market. Financial risk concerns the enterprise’s financial situation, and includes: market risk, associated with the costs of goods and services, foreign exchange rates and securities (shares, bonds, etc.); credit risk, associated with a debtor’s failure to meet its obligations in accordance with agreed terms; and liquidity risk, reflecting lack of access to cash or the difficulty of selling an asset in a timely manner. Operational risk is related to conditions affecting the normal operating situation: accidental events, including failures and defects, quality deviations, and natural disasters; intended acts (sabotage, disgruntled employees, etc.); loss of competence or key personnel; and legal circumstances, associated for instance with defective contracts and liability insurance.
For an enterprise to become successful in its implementation of risk management, top management needs to be involved, and activities must be put into effect on many levels. Some important points to ensure success are: the establishment of a strategy for risk management, i.e., the principles of how the enterprise defines and implements risk management (should one simply follow the regulatory requirements, the minimal requirements, or should one be the “best in the class”?); the establishment of a risk management process for the enterprise, i.e., formal processes and routines that the enterprise is to follow; the establishment of management structures, with roles and responsibilities, such that the risk analysis process becomes integrated into the organization; the implementation of analyses and support systems, such as risk analysis tools, recording systems for occurrences of various types of events, etc.; and the communication, training, and development of a risk management culture, so that the competence, understanding, and motivation level within the organization is enhanced. Given the above fundamentals of risk management, the next step is to develop principles and a methodology that can be used in practical decision-making. This is not, however, straightforward. There are a number of challenges, and here we address some of these: establishing an informative risk picture for the various decision alternatives, and using this risk picture in a decision-making context. Establishing an informative risk picture means identifying appropriate risk indices and assessments of uncertainties. Using the risk picture in a decision-making context means the definition and application of risk acceptance criteria, cost-benefit analyses and the ALARP principle, which states that risk should be reduced to a level which is as low as is reasonably practicable.
It is common to define and describe risks in terms of probabilities and expected values. This has, however, been challenged, since the probabilities and expected values can camouflage uncertainties; the assigned probabilities are conditional on a number of assumptions and suppositions, and they depend on the background knowledge. Uncertainties are often hidden in this background knowledge, and restricting attention to the assigned probabilities can camouflage factors that could produce surprising outcomes. By jumping directly into probabilities, important uncertainty aspects are easily truncated, and potential surprises may be left unconsidered.
Let us, as an example, consider the risks, seen through the eyes of a risk analyst in the 1970s, associated with future health problems for divers working on offshore petroleum projects. The analyst assigns a value to the probability that a diver would experience health problems (properly defined) during the coming 30 years due to the diving activities. Let us assume that a value of 1% was assigned, a number based on the knowledge available at that time. There were no strong indications that the divers would experience health problems, but we know today that these probabilities led to poor predictions. Many divers have experienced severe health problems (Aven and Vinnem, 2007). By restricting risk to the probability assignments alone, important aspects of uncertainty and risk are hidden. There is a lack of understanding about the underlying phenomena, but the probability assignments alone are not able to fully describe this status.
Several risk perspectives and definitions have been proposed in line with this realization. For example, Aven (2007a, 2008a) defines risk as the two-dimensional combination of events/consequences and associated uncertainties (will the events occur, what the consequences will be). A closely related perspective is suggested by Aven and Renn (2008a), who define risk associated with an activity as uncertainty about and severity of the consequences of the activity, where severity refers to intensity, size, extension, scope and other potential measures of magnitude with respect to something that humans value (lives, the environment, money, etc.). Losses and gains, expressed for example in monetary terms or as the number of fatalities, are ways of defining the severity of the consequences. See also Aven and Kristensen (2005).
In the case of large uncertainties, risk assessments can support decision-making, but other principles, measures, and instruments are also required, such as the cautionary/precautionary principles as well as robustness and resilience strategies. An informative decision basis is needed, but it should be far more nuanced than can be obtained by a probabilistic analysis alone. This has been stressed by many researchers, e.g. Apostolakis (1990) and Apostolakis and Lemon (2005): quantitative risk analysis (QRA) results are never the sole basis for decision-making. Safety- and security-related decision-making is risk-informed, not risk-based. This conclusion is not, however, justified merely by referring to the need for addressing uncertainties beyond probabilities and expected values. The main issue here is the fact that risks need to be balanced with other concerns.
When various solutions and measures are to be compared and a decision is to be made, the analysis and assessments that have been conducted provide a basis for such a decision. In many cases, established design principles and standards provide clear guidance. Compliance with such principles and standards must be among the first reference points when assessing risks. It is common thinking that risk management processes, and especially ALARP processes, require formal guidelines or criteria (e.g., risk acceptance criteria and cost-effectiveness indices) to simplify the decision-making. Care must, however, be shown when using this type of formal decision-making criteria, as they easily result in a mechanization of the decision-making process. Such mechanization is unfortunate because decision-making criteria based on risk-related numbers alone (probabilities and expected values) do not capture all the aspects of risk, costs, and benefits, and because no method has a precision that justifies a mechanical decision based on whether the result is over or below a numerical criterion. It is a managerial responsibility to make decisions under uncertainty, and management should be aware of the relevant risks and uncertainties.
Apostolakis and Lemon (2005) adopt a pragmatic approach to risk analysis and risk management, acknowledging the difficulties of determining the probabilities of an attack. Ideally, they would like to implement a risk-informed procedure, based on expected values. However, since such an approach would require the use of probabilities that have not been “rigorously derived”, they see themselves forced to resort to a more pragmatic approach.
This is one possible approach when facing problems of large uncertainties. The risk analyses simply do not provide a sufficiently solid basis for the decision-making process. We argue along the same lines. There is a need for a management review and judgment process. It is necessary to see beyond the computed risk picture in the form of the probabilities and expected values. Traditional quantitative risk analyses fail in this respect. We acknowledge the need for analyzing risk, but question the value added by performing traditional quantitative risk analyses in the case of large uncertainties. The arbitrariness in the numbers produced can be significant, due to the uncertainties in the estimates or as a result of the uncertainty assessments being strongly dependent on the analysts.
It should be acknowledged that risk cannot be accurately expressed using probabilities and expected values. A quantitative risk analysis is in many cases better replaced by a more qualitative approach, as shown in the examples above; an approach which may be referred to as a semi-quantitative approach. Quantifying risk using risk indices such as the expected number of fatalities gives an impression that risk can be expressed in a very precise way. However, in most cases, the arbitrariness is large. In a semi-quantitative approach this is acknowledged by providing a more nuanced risk picture, which includes factors that can cause “surprises” relative to the probabilities and the expected values. Quantification often requires strong simplifications and assumptions and, as a result, important factors could be ignored or given too little (or too much) weight. In a qualitative or semi-quantitative analysis, a more comprehensive risk picture can be established, taking into account underlying factors influencing risk. In contrast to the prevailing use of quantitative risk analyses, the precision level of the risk description is in line with the accuracy of the risk analysis tools. In addition, risk quantification is very resource demanding. One needs to ask whether the resources are used in the best way. We conclude that in many cases more is gained by opening up the way to a broader, more qualitative approach, which allows for considerations beyond the probabilities and expected values.
The traditional quantitative risk assessments as seen for example in the nuclear and the oil & gas industries provide a rather narrow risk picture, through calculated probabilities and expected values, and we conclude that this approach should be used with care for problems with large uncertainties. Alternative approaches highlighting the qualitative aspects are more appropriate in such cases. A broad risk description is required. This is also the case in the normative ambiguity situations, as the risk characterizations provide a basis for the risk evaluation processes. The main concern is the value judgments, but they should be supported by solid scientific assessments, showing a broad risk picture. If one tries to demonstrate that it is rational to accept risk, on a scientific basis, too narrow an approach to risk has been adopted. Recognizing uncertainty as a main component of risk is essential to successfully implement risk management, for cases of large uncertainties and normative ambiguity.
A risk description should cover computed probabilities and expected values, as well as: Sensitivities showing how the risk indices depend on the background knowledge (assumptions and suppositions); Uncertainty assessments; Description of the background knowledge, including models and data used.
The uncertainty assessments should not be restricted to standard probabilistic analysis, as this analysis could hide important uncertainty factors. The search for quantitative, explicit approaches for expressing the uncertainties, even beyond the subjective probabilities, may seem to be a possible way forward. However, such an approach is not recommended. Trying to be precise and to accurately express what is extremely uncertain does not make sense. Instead, we recommend a more open qualitative approach to reveal such uncertainties. Some might consider this to be less attractive from a methodological and scientific point of view. Perhaps it is, but it would be more suited for solving the problem at hand, which is about the analysis and management of risk and uncertainties.
