Corps Risk Analysis Gateway

Training Module

Introduction to Risk Assessment

Series:
Corps Risk Analysis Online Training Modules

Prepared by:
Institute for Water Resources
US Army Corps of Engineers

US Army Corps of Engineers

Introduction to Risk Assessment

Contents
Introduction to Risk Assessment .................................................................................................... 2
Chapter 1 - Risk Assessment Defined ............................................................................................. 4
1.0 Risk Assessment Defined ...................................................................................................... 4
Explore – Risk Assessment at Federal Agencies ......................................................................... 6
Chapter 2 - Risk Assessment Model................................................................................................ 8
2.0 Risk Assessment Model......................................................................................................... 8
Risk Assessment Steps .......................................................................................................... 10
2.1 Identify Risks (Look for the Hazard or Opportunity)........................................................... 11
2.2 Assess Consequences and Likelihoods ............................................................................... 16
2.3 Characterize Risks ............................................................................................................... 18
Chapter 3 - Risk Assessment Toolbox ........................................................................................... 19
3.0 Risk Assessment Toolbox .................................................................................................... 19
Explore – Tips for a Good Risk Assessment .............................................................................. 22
Chapter 4 - Summary and Conclusions ......................................................................................... 24
Chapter 5 - Resources ................................................................................................................... 25
Chapter 6 - Self Assessment.......................................................................................................... 28

i
Introduction to Risk Assessment

Introduction to Risk Assessment

This module was originally developed as a web-based training on the Corps Risk Analysis
Gateway. The content has been modified to fit this format. Additional modules are available for
download on the IWR website.

Figure 1. Risk assessment is the analytical component of the Risk Analysis Framework.

As noted throughout the Risk Analysis Gateway, there are three key tasks of risk analysis,
including the following:

1. Risk assessment: defining the nature of the risk, its probability, and the consequences,
either quantitatively or qualitatively (or a combination).
2. Risk management: the actions taken to accept, assume, and manage risk.
3. Risk communication: the multi-directional exchange of information to allow better
understanding of the risk.

2
Introduction to Risk Assessment

The goal of risk assessment is to identify and describe the risk(s) associated with a decision
problem and to examine and evaluate the potential impacts of the risk. The purpose of risk
assessment is to gather the information necessary to provide risk managers with the
information needed to inform decisions.

In this introductory module, you will learn about activities associated with a risk assessment.
Tools for conducting risk assessments, that is, the qualitative and quantitative methods for
analyzing the potential risks, will be considered in the follow-on learning modules.

It is not the intent of this module to teach all of the possible methods for conducting risk
analyses. Rather, the intent is to provide a broad understanding of the wide range of
approaches and to provide resources to obtain more information about the various methods.

After completing this module you will be able to do the following:

1. Describe the risk assessment model for the U.S. Army Corps of Engineers (USACE or
Corps).
2. Identify potential risks.
3. Understand the steps taken to conduct a risk assessment.

You are encouraged to read through the examples, which look at specific concepts in more
depth.

This training is approximately 30 minutes.

This course includes a self-assessment; it's recommended that you be able to achieve 70% for
successful course completion.

3
Introduction to Risk Assessment

Chapter 1 - Risk Assessment Defined

1.0 RISK ASSESSMENT DEFINED
USACE defines risk assessment in a white paper called Transforming the Corps into a Risk
Managing Organization as the following (Series:
White_Paper_Transforming_the_Corps_into_a_Risk_Managing_Organization_Moser_et_al_No
[Link]):[1]

Risk assessment is a broad term that encompasses a variety of analytic techniques that
are used in different situations, depending upon the nature of the risk, the available data,
and needs of decision makers. It is a systematic, evidence based approach for quantifying
and describing the nature, likelihood, and magnitude of risk associated with the current
condition and the same values resulting from a changed condition due to some action.

Risk assessment is defined differently among federal agencies (see Explore), and yet there are
common themes: defining and analyzing the risk using scientific/analytical techniques.

Within the USACE risk management model, risk assessment is comprised of two key
steps: identifying risks and analyzing risks (see Figure 2). Risk assessment is where the
evidence is gathered, organized, analyzed, and used to support decision making. The process
identifies and addresses uncertainty, which is then conveyed to decision makers for their
consideration.

4
Introduction to Risk Assessment

Figure 2. USACE Risk-Informed Decision Making Model

[1] Moser, D., Bridges, T., Cone, S., Haimes, Y., Harper, B., Shabman, L. & Yoe, C. (2007
unpublished). Transforming the Corps into a risk managing organization.

5
Introduction to Risk Assessment

EXPLORE – RISK ASSESSMENT AT FEDERAL AGENCIES

U.S. Environmental Protection Agency (EPA)[2]

EPA uses risk assessment to characterize the nature and magnitude of health risks to humans
(e.g., residents, workers, recreational visitors) and ecological receptors (e.g., birds, fish, wildlife)
from chemical contaminants and other stressors that may be present in the environment.

At EPA, environmental risk assessments typically fall into one of two areas:

• Human Health
• Ecological

Risk assessment is, to the highest extent possible, a scientific process. In general terms, risk
depends on the following factors:

• How much of a chemical is present in an environmental medium (e.g., soil, water, air).
• How much contact (exposure) a person or ecological receptor has with the contaminated
environmental medium.
• The inherent toxicity of the chemical.

Following a planning and scoping stage where the purpose and scope of a risk assessment is
decided, the risk assessment process usually begins by collecting measurements that
characterize the nature and extent of chemical contamination in the environment, as well as
information needed to predict how the contaminants behave in the future.

Federal Drug Administration (FDA)[3]

Risk assessors provide information risk managers need to make science-based policy decisions.

Risk profiles are comprehensive descriptions of a hazard, the supply and consumption chains of
the foods it affects, and potential interventions. These types of risk assessments don’t include
models that estimate outcomes and comparisons of interventions.

Quantitative risk assessments are mathematical models into which risk assessors enter
information from risk profiles and other sources. The outcomes are estimates of risk, usually
measured as the likelihood of illness from consuming a serving of food, and number of illnesses,
per year, among a population that eats the food. Risk assessments also estimate and compare
reductions in contamination and/or illness that would be generated by specific interventions
applied at specific points of the farm-to-fork continuum.

Quantitative risk assessments may consider:

6
Introduction to Risk Assessment

• One hazard in relation to one food; also called product-pathway risk assessments.
• One hazard in relation to multiple foods.
• Multiple hazards in relation to multiple foods.

Decision-analysis tools under development by FDA consider the kinds of data and information
above in a larger context, to increase the likelihood that proposed policies will be both
adoptable and effective in real-world settings. In considering which interventions would result in
the greatest public-health gains when evaluating a specific risk scenario, the tools take into
account other factors; for example, the cost-effectiveness and feasibility of the interventions
and the likelihood that industry or consumers would apply them. The tools consider the various
elements collectively and generate solution sets of optimized priorities and choices.

[2] U.S. Environmental Protection Agency. (No date). Risk assessment home: basic
information. Retrieved January 2, 2013 from [Link]

[3] U.S. Food and Drug Administration. (December 18, 2012). Risk analysis at FDA: food
safety. Retrieved January 2, 2013 from:
[Link]
[Link].

7
Introduction to Risk Assessment

Chapter 2 - Risk Assessment Model

2.0 RISK ASSESSMENT MODEL
In its most basic form, risk assessments are conducted in order to answer one or more of the
following questions:[4]

• What can go wrong?

• How can it happen?
• What are the consequences?
• How likely is it to happen?

These informal questions can be addressed by a vast array of definitions, process, models, or
tools that are available to conduct the basic work of risk assessment. This module will only
scratch the surface of the wide range of possible analytic tools. Figure 3 presents a model that
currently meets USACE needs for a more formal expression of the risk assessment process.

8
Introduction to Risk Assessment

Figure 3. Conceptual Risk Assessment Model

This is the same risk assessment that is conducted in the identify risk and analyze risk steps of
the risk management model (of Figure 2). The generic risk assessment concepts are identified

9
Introduction to Risk Assessment

more explicitly in this conceptual model. Ideally, any specific risk assessment conducted by
USACE would include each of these steps.

Risk Assessment Steps

Look for Hazard or Opportunity

Identify the hazards that can cause harm or the opportunities for gain that are uncertain.
Consequence Assessment
Decide who or what may be harmed or benefited in what ways. Gather and analyze the
relevant data. Characterize the consequences and their uncertainty qualitatively and
quantitatively.
Likelihood Assessment
Assess the benefit of various adverse and beneficial consequences. Characterize these
likelihoods and their uncertainty qualitatively and quantitatively.
Risk Characterization
Estimate the probability of occurrence, the severity of adverse consequences and the
magnitude of potential gains, including attendant uncertainties, of the hazards and
opportunities identified based on the evidence in the preceding steps. Characterize the risk
qualitatively or quantitatively with appropriate attention to baseline and residual risks, risk
reductions, transformations and transfers.

Each of these steps is discussed in the following sections.

[4] Yoe, Charles. (2012). Principles of risk analysis: decision making under uncertainty. CRC
Press: Boca Raton, FL. Page 7.

10
Introduction to Risk Assessment

2.1 IDENTIFY RISKS (LOOK FOR THE HAZARD OR OPPORTUNITY)

The primary elements of the hazards or opportunity step include:

• Identifying risk.
• Profiling risk.
• Deciding whether to complete a risk assessment or not.

Step 1 in any risk assessment phase is to identify the risks of interest. Risk identification is the
process of finding, recognizing and describing risks in a narrative fashion. Informally, this is
done by asking and answering the questions, what can go wrong and how can it happen? This
is done by looking for the hazards that can cause harm and the opportunities for potential gains
that are uncertain.

USACE faces two broad categories of risk: risk of loss and risk of unrealized potential gains.

• Risk of loss: Also called a pure risk, risk of loss could be a loss due to flood; storm
damage; infrastructure failure; disruption of project services, bad weather; economic
setbacks; or any sort of hazard. The losses could include loss of life, health, safety,
property damage, ecosystem services, transportation services, power and additional
losses.
• Unrealized potential gain: Unrealized potential gain is called a speculative
risk. Examples of potential gains that may not be realized include reductions in
transportation cost savings, ecosystem restoration benefits, operation and maintenance
efficiencies, an investment that did not produce the expected benefits, and other similar
potential gains.

There are multiple dimensions to a risk that should be of concern to USACE. These include the
following:

• Existing and emerging risks: Current risks and risk that can reasonably be expected in
the future. For example, the without-project (the condition of an area if USACE does not
build a structure) expected annual damages (EAD) associated with an existing flood
problem would serve as an existing risk, and estimates of EAD for the same floodplain in
the future would serve as an emerging risk.

• Risk reductions: Reductions in risk expected to result from risk management strategies;
for example, the difference between with- and without-condition (with a USACE project,
or without a USACE project) EAD estimates for a flood risk management (FRM) project
would be a risk reduction exercise.

• Residual risks: Risk remaining after risk management strategies are implemented; for
example, the with-condition (with a USACE project) EAD associated with a FRM project
would be a measurement of residual risk.

11
Introduction to Risk Assessment

• New risks: Creation of a risk that did not previously exist; for example, the construction
of a levee brings into existence the risk of a levee failure, which would be considered a
new risk.

• Risk transformations: Any changes in the nature (i.e., consequence or probability) or

source of the risk that results from a risk management strategy; for example, a levee
might transform a slow rising fluvial flood risk into a catastrophic overtopping event for
flood flows in excess of the levee’s capacity, transforming the nature of the risk.

• Risk transfers: Any shifting of the burden of the risk from one group to another; for
example, building a levee to protect development on the right river bank might induce
additional flooding for development on the left river bank, transferring risk to another
group.

There are potential risks in every one of the Corps’ business lines:

• Hydropower: Risks associated with potential dam failures (new risk).

• Navigation: Risks associated with lock improvements and unintended consequences

(new risk).

• Flood risk management: Potential risks to life, health, safety, and property, both in
coastal and riverine areas (risk reductions, existing risks, risk transformations).

• Recreation: Risks associated with unrealized gains from the construction of a

recreational facility (new risk).

• Environmental restoration: Comparative ecological risks associated with remedial

action alternatives (risk transfers or risk transformations).

Planning, regulatory, project management, construction and operation life cycles all face
unique risk situations. Note that in USACE planning studies, there are potential risks associated
both with project and without project (no change) conditions.

After the potential risks are identified, a risk profile can be prepared. In its simplest form, this
is a description of what is currently known about the identified risks. This is the equivalent of a
scoping process for risks. A risk profile clearly identifies what is and what is not known about
the identified risks.

The risk profile can be used to decide whether a more detailed risk assessment is needed or
not. There will be times when the risk profile provides all the information needed to make a
decision. In that case, a risk assessment is not needed. However, if there is insufficient
information about the risk(s), a more formal effort to obtain that information must be
undertaken in a risk assessment.

12
Introduction to Risk Assessment

USACE developed a risk register template for use in feasibility studies

([Link] This template is also
applicable for use in risk assessments. The initial risk profile (i.e., what is known about the risk
and their causes, and the consequences of that risk) can be documented in the risk
register. The risk register can be updated and populated as one works through the decision
making model of a planning feasibility study.

Table 1 and 2 on the next two pages show some of the information that is collected in the risk
register; other types of information are dependent on the type of hazard/opportunity being
reviewed (e.g., economics, real estate, hydraulics and hydrology, cost, engineering, etc.). A
detailed video about the USACE risk register, titled “SMART Planning – The Risk Register (June
2012),” is available at the Corps online Planning Community
Toolbox ([Link]

13
Introduction to Risk Assessment

Table 1. USACE Risk Register Selected Parameters

Sheet 1. Define Project Risks

Column Parameter Parameter Description

A Item ID number.
B Date Date of entry (record each date entry was modified).
C Assessors Name(s) of person(s) assessing the task.
D Action Identify the action you propose to take (i.e., things you will do
or not do) in order to accomplish the strategy and develop
the information identified in the decision management plan.
E Risk Briefly identify the risk associated with the action you are
taking, i.e., considering the entry in column D, what can go
wrong and how can it happen?
F Consequence Describe the consequence of the column E risk. If things do
"go wrong" in the way described, what are the specific
consequences for: i) the study, ii) implementing the project or
iii) project outcomes? (List the most significant consequence
first if more than one.)
G Consequence rating If the most significant consequence in column F occurs, what
is its potential magnitude?
H Evidence for consequence Enter specific evidence used to support the consequence
rating rating in column G.
I Likelihood rating What is the likelihood that the most significant consequence
in column F will occur?
J Evidence for likelihood Enter specific evidence used to support the likelihood rating
rating in column I.
K Confidence rating Of the consequence and likelihood ratings, choose the one
you have the least confidence in and rate your level of
confidence in that rating.
L Risk rating Qualitative risk rating from lookup table.
M Risk management options Enter alternatives to the action you proposed in column D. If
you can identify the cost or schedule impacts of the
alternatives please do so.
N Recommendation Identify the preferred course of action for managing the risk
you have identified. “Tolerate the risk associated with the
action” in column D is the default option for this. You may
recommend something other than the column D entry.
O Study tasks affected For study risks, identify any other study tasks that could be
affected by the outcome of the risk identified for this entry.
P Outcome Describe the effect of your recommended course of action on
the study or project outcomes.
Q Notes Make note of any significant information not provided in the
other cells.

14
Introduction to Risk Assessment

Table 2. USACE Risk Register Selected Parameters

Sheet 2. Define Economic Parameters

Column Parameter Parameter Description

A Item ID number.
B Date Date of entry (record each date entry was modified).
C Assessors Name(s) of person(s) assessing the task.
D Action Identify the action you propose to take (i.e., things you will do or
not do) in order to accomplish the strategy and develop the
information identified in the decision management plan.
E Risk and its cause Briefly identify the risk associated with the action you are taking,
i.e., considering the entry in column D, “what can go wrong and
how can it happen?”
F Consequence Describe the consequence of the column E risk. If things do "go
wrong" in the way described, what is the specific consequence
for: i) the study, ii) implementing the project or iii) project
outcomes? (List the most significant consequence first if more
than one.)
G Consequence rating If the most significant consequence in column F occurs, what is its
potential magnitude?
H Evidence for Enter specific evidence used to support the consequence rating in
consequence rating column G.
I Likelihood rating What is the likelihood that the most significant consequence in
column F will occur?
J Evidence for likelihood Enter specific evidence used to support the likelihood rating in
rating column I.
K Confidence rating Of the consequence and likelihood ratings, choose the one you
have the least confidence in and rate your level of confidence in
that rating.
L Risk rating Qualitative risk rating from lookup table.
M Risk management Enter alternatives to the action you proposed in column D. If you
options can identify the cost or schedule impacts of the alternatives,
please do so.
N Recommendation Identify the preferred course of action for managing the risk you
have identified. “Tolerate the risk associated with the action” in
column D is the default option for this. You may recommend
something other than the column D entry.
O Study tasks affected For study risks, identify any other study tasks that could be
affected by the outcome of the risk identified for this entry.
P Outcome Describe the effect of your recommended course of action on the
study or project outcomes.
Q Notes Make note of any significant information not provided in the
other cells.

15
Introduction to Risk Assessment

2.2 ASSESS CONSEQUENCES AND LIKELIHOODS

Throughout the Risk Analysis Gateway, risk is described by a simple equation:

Risk = Probability x Consequence

These two elements comprise the next two steps (Step 2 and Step3) in the risk assessment
model.

In the consequence assessment (Step 2), the potential consequences of both hazards and
opportunities must be identified and described. This activity might be described as the cause-
effect link in the risk assessment. Questions to consider include:

• What undesirable effects do the hazards have?

• What desirable effects might the opportunities offer?
• Who might be impacted by the hazard or opportunity?

In a flood risk management planning study, the consequence assessment would include the
estimation of a stage-damage curve (Figure 4). This curve shows the consequences of various
levels of flooding on property damage in a floodplain reach.

Concurrently or sequentially with the consequence assessment, the likelihood of the various
negative or positive consequences will need to be assessed (Step 3). This likelihood assessment
is often called an exposure assessment in other risk assessment models. Once the possible
undesirable consequences of hazards or the desirable consequences of opportunities are
defined, then the likelihoods of the sequence of events that produce these outcomes can be
considered.

Most risks cannot be directly observed or measured because they are potential outcomes that
may or may not occur. Uncertain occurrence is a necessary condition for risk. Certain events are
not risks.

Probability is the language of uncertainty and qualitatively or quantitatively assessing the

likelihoods of the various adverse and beneficial consequences associated with the identified
risks. Probabilities need to be considered during risk assessment.

Continuing with a flood risk management study example, these likelihoods are captured in part
by the stage-discharge and discharge-frequency curves (Figure 4). These two curves together
enable the estimation of the likelihood that the varying levels of flooding and their associated
damages will occur. (See the Flood Risk Management National Economic Development Manual
(Series: [Link]) for more information about this example.)

16
Introduction to Risk Assessment

Figure 4. Consequence assessment, likelihood assessment, and risk characterization

Such information about the consequence and likelihood assessments for a specific action can
be input into the risk register initiated in Section 2.1.

17
Introduction to Risk Assessment

2.3 CHARACTERIZE RISKS

Step 4 in the risk assessment model is the risk characterization. Characterizations include one
or more estimates of risk and a narrative description of the risk.

The risk characterization estimates the likelihood and severity of the adverse effects or the
potential gains from opportunities. The estimate also addresses key attending uncertainties.
Risk characterizations can be quantitative or qualitative. Risk estimates should include all the
relevant aspects of the risk, which may encompass existing, future, historical, reduced, residual,
new, transformed or transferred risks. A risk description is a narrative explanation and
depiction of a risk that bounds and defines a risk for decision making purposes. It’s the story
that accompanies the risk estimate. It places each risk in a proper context for decision makers
and others to understand.

A good risk characterization converts the scientific evidence base and the remaining
uncertainty into a statement of risk. During the risk characterization, the overall importance of
the various uncertainties encountered throughout the risk assessment is brought into focus.
Risk characterization should include sensitivity analysis or formal uncertainty analysis
commensurate with the nature of the risk assessment.

This step draws on the analytical work completed in the other steps to characterize the risks. In
the flood risk management example, the damage frequency curve (Figure 4) integrates the
consequence and likelihood assessments and enables planners to use expected annual
damages to estimate the risk of flooding.

The elements of the risk assessment model are not always so easy to separate in every risk
assessment. Every risk assessment will not include all four steps. In some instances it may be
more efficient to conduct a detailed analysis of the likelihood of an event--for example, if there
is some evidence to suggest imaginable potential consequences may never occur. For example,
demonstrating that a potential flood cannot reach a piece of critical infrastructure, like an
airport, makes it unnecessary for a damage survey and a risk characterization.

Information from the risk characterization for a specific action(s) can be entered into the risk
register initiated in Section 2.1. The following sections provide more specific information about
various types of methods and tools that can be used to facilitate the risk assessment.

18
Introduction to Risk Assessment

Chapter 3 - Risk Assessment Toolbox

3.0 RISK ASSESSMENT TOOLBOX
Varying levels of risk assessment can be completed depending on the circumstances and the
nature of the problem. As previously noted, risk assessments are conducted in order to answer
one or more of the following questions:[5]

• What can go wrong?

• How can it happen?
• What are the consequences?
• How likely is it to happen?

Risk assessment can be described as the process of compiling, combining and presenting
evidence to support a statement about the risk of a particular activity or event. There are a
number of defined processes, techniques, tools and models that can be used to support the
assessment. Risk assessments can be qualitative, quantitative or a combination of both. The
approach selected in any one case generally depends on the level of information available, the
intended use of the results and the level of analysis required.

In qualitative assessments, the risk characterization produces non-numerical estimates of risk.

Often times, qualitative risk assessments are undertaken due to lack of funding, time or
expertise to tackle the problem quantitatively. Descriptive or categorical treatments of
information are used in lieu of quantitative numerical estimates. Qualitative assessments can
still be analytical evidence-based characterizations of risk that provide consistency and
transparency in the way risks are handled.

Quantitative tools rely on numbers to express the level of risk. Typically, quantitative risk
assessments have more transparency and the validity of the analysis can be more easily
determined. Quantitative risk assessment relies on models and can range from simple to
complex.

The type and level of analysis to be conducted during the risk assessment is driven in some
cases by the level of uncertainty and the consequences of being wrong. This assessment has
evolved into a paradigm for decision making under uncertainty. It recognizes that there may be
uncertainty about one or more aspects of the likelihood or the consequence of a risk of
concern. Consequently, risk assessment is intentional in the way it directs analysts and decision
makers alike to base their decisions on the available science while paying appropriate attention
to the remaining uncertainty.

Risk analysis is for decision making under uncertainty, which is a separate training module in
the Risk Analysis Gateway. When there is little to no uncertainty in decision making, risk
analysis is not needed. However, many management and mission critical decisions do involve

19
Introduction to Risk Assessment

significant uncertainty and the consequences of a wrong decision are more serious. When
uncertainty is great and the consequences of a wrong decision are serious, risk analysis is
needed. When there is little uncertainty and the consequences of a mistake are minor, other
decision paradigms will work as well. Figure 5 summarizes this idea.

Figure 5. Considerations for risk analysis

The lower left quadrant where the consequence of the wrong decision is little and uncertainty
is minor tends to describe activities like personnel assignments, routine purchases, data
collection, some permit applications, routine coordination activities, administrative activities,
budget updates and the like. These are routine tasks with little uncertainty or situations where
a wrong decision will have trivial or easily reversed consequences.

The lower right quadrant holds classes of decision problems where there may well be
significant amounts of uncertainty, but the consequence of a decision mistake are relatively
minor. These situations require a modest amount of risk analysis. That might mean at least
enough analysis to reassure decision makers that the consequences of a mistake are indeed
slight. Examples of such decisions could include some routine or recurring aspects of project
design, routine emergency management activities, management of construction projects,
allocation of operation and maintenance resources within the District, and so on.

As the consequences of a mistake grow more serious, the need for more rigorous risk analysis
grows as well. The presumed normal situation for USACE decision making is described as one

20
Introduction to Risk Assessment

with relatively less uncertainty but serious consequences for a decision error. Thus, risk analysis
is presumed to be a routine part of such decision making processes. Ideally, it will be the
dominant decision making paradigm. Examples of such areas include recurring and always
unique situations like lake siltation, reservoir reallocation, maintenance dredging,
reconnaissance studies, feasibility studies, dam and levee safety programs, managing the
annual budget of the Corps, programs management, allocating inspection resources, and so on.

The greater need for the detailed analyses of risk occurs for those decisions with both a lot of
uncertainty and potentially severe consequences for a decision error. When the uncertainty is
great enough, adaptive management techniques may be needed to reduce the uncertainty to
support decision making.

Regardless of the method of the risk analysis, the risk register

([Link] noted in Section 2.1 is a
tool that has been specifically developed for USACE feasibility studies. This risk register can be
used to organize data and information about the risk assessment and to document the analysis.

The basic characteristics of qualitative and quantitative methods for assessing risk are discussed
in the following learning modules on the Corps Risk Analysis Gateway site:

• Assessing Risk Using Qualitative Methods

• Assessing Risk Using Quantitative Methods

[5] Yoe, Charles. (2012). Principles of risk analysis: decision making under uncertainty. CRC
Press: Boca Raton, FL. Page 7.

21
Introduction to Risk Assessment

EXPLORE – TIPS FOR A GOOD RISK ASSESSMENT

Dr. Charles Yoe, a recognized expert in both risk analysis and USACE planning processes,
provides the following suggestions for conducting a good risk assessment.

1. A good risk assessment must begin with the questions that need to be answered by the
risk assessment to support decision making. Get these questions right, and then answer
them clearly and concisely.

2. Keep risk assessment functionally separated from the risk management task. If possible,
have different people perform these two tasks. Make sure they communicate early and
often.

3. Corps risk assessment is best accomplished as a team activity. Evidence-based analysis

requires subject matter experts. It is unusual for a single person to possess all the
knowledge required to complete a risk assessment. Good teams are at least
multidisciplinary. Better teams are interdisciplinary. The best teams are trans-
disciplinary.

4. The magnitude of the effort is commensurate with the resources available and in
proportion to the seriousness of the problem. Risk analysis in general and risk
assessment in particular are perfectly scalable processes. A good risk assessment
process can be completed in an hour if that is all the time you have, or in a couple of
years.

5. The process is often as important as the result. Following the risk assessment process
aids the understanding of the problem and its solutions.

6. A good risk assessment assumes an independent point of view. It is not the assessor’s
job to protect lives, save or create jobs, or to punish or reward anyone. Assessors only
need to provide objective evidence-based answers to the questions they have been
asked.

7. A good risk assessment separates what we know from what we do not know. It then
focuses special attention on what we do not know. Good risk assessment gets the right
science into the assessment and then it gets that science right. Assessors use science to
answer the risk manager’s questions. Honesty about uncertainty provides the
confidence bounds on those answers.

8. Good science, good data, good models and the best available evidence are integral to
good risk assessment. The analysis must be tied to the evidence.

9. It is the way that risk assessment addresses the things we do not know that makes it
such a useful and distinctive decision making paradigm. In a good risk assessment, all
assumptions are clearly identified for the benefit of other members of the assessment

22
Introduction to Risk Assessment

team, risk managers and anyone else who will read or rely upon the results of the risk
assessment.

10. Sensitivity analysis should be a part of every risk assessment. Testing the sensitivity of
assessment results including the answers to the risk manager’s questions is a minimum
requirement for every assessment qualitative or quantitative.

11. To distinguish risk assessment from safety analysis, we need to consider risk broadly and
focus on the risks of interest (e.g., existing risk, future risk, historical risk, risk reductions,
new risks, residual risk, transferred risk, transformed risk). It’s not always necessary to
consider each of these kinds of risk, but it is rarely adequate to consider only one
dimension of a risk

12. Good risk assessments are unbiased and objective. They tell the truth about what is
known and not known about the risks. They are as transparent and as simple as
possible, but no simpler. Practicality, logic, comprehensiveness, conciseness, clarity and
consistency are additional qualities desired in a risk assessment.

13. Risk assessments usually produce more estimates and insights than scientific facts. The
assessment provides information; they do not produce decisions. Risk managers make
decisions.

14. Risk assessments can have educational value. They often identify the limits of our
knowledge and in doing so, guide future research. Completed risk assessments may be
conducive to learning about similar or related risks.

15. Documentation is an important part of the risk assessment process. Effective

documentation tells a good story well. It lays out the answers to the risk manager’s
questions clearly, well, and simply.

23
Introduction to Risk Assessment

Chapter 4 - Summary and Conclusions

4.0 SUMMARY AND CONCLUSIONS
The level of risk assessment to be undertaken may be driven by the consequence of making a
wrong decision and the level of uncertainty in the outcomes. However, there are practical
matters that also drive the level of risk assessment chosen including the time and resources
available to conduct the analysis. There may be cases where risk assessments are conducted
through a combination of various approaches, including both qualitative and quantitative
methods.

There are five key points to take away regarding risk assessment overall, including the
following:

1. Risk assessment is the science-based component of risk analysis that answers the risk
manager’s questions about the risks.
2. The Corps generic risk assessment model has four steps: hazard/opportunity
identification, likelihood assessment, consequence assessment and risk characterization.
3. Communicating uncertainty effectively is a critical task of risk assessment.
4. Good risk assessment begins with the questions risk managers need to be answered to
support their decision making.
5. Risks can be assessed qualitatively or quantitatively.

24
Introduction to Risk Assessment

Chapter 5 - Resources
5.0 RESOURCES
The following additional resources regarding risk assessment approaches are available.

Risk Assessment

Davis, D., Faber, B. and Stedinger, J. (2008). USACE experience in implementing risk analysis for
flood damage reduction projects. Journal of Contemporary Water Research and
Education. Issue 140, pps. 3-14.

Information Systems Audit and Control Association (ISACA). (n.d.). Risk assessment tools: a
primer. Retrieved May 16, 2013 from: [Link]
2/Pages/[Link].

International Electrotechnical Commission (IEC)/International Organization for Standardization

(ISO). (2009). ISO 31000:2009, Risk management—risk assessment techniques. Retrieved
January 13, 2013 from [Link]

Moser, D., Bridges, T., Cone, S., Haimes, Y., Harper, B., Shabman, L. & Yoe, C. (2007
unpublished). Transforming the Corps into a risk managing organization.

U.S. Army Corps of Engineers. (2012) Planning community toolbox, Using a risk register in
feasibility studies. Retrieved January 13, 2013 from:
[Link]

U.S. Environmental Protection Agency. (No date). Risk assessment home: basic
information. Retrieved January 2, 2013 from
[Link]

U.S. Food and Drug Administration. (December 18, 2012). Risk analysis at FDA: food
safety. Retrieved January 2, 2013 from:

[Link]
[Link].

Yoe, Charles. (2012). Principles of risk analysis: decision making under uncertainty. CRC Press:
Boca Raton, FL. [Link]

25
Introduction to Risk Assessment

Informational Websites

@Risk: [Link]

Beach fx: [Link]

Criterion Decision Plus: [Link]

Event Tree analysis from: [Link]

Effective [Link]: Your meeting resource

center: [Link]

Global Facility for Disaster Reduction and Recovery: [Link]

IWR Planning Suite MCDA: [Link]

Palisades Corporation: [Link]

Risk Engineering, Inc.: [Link]

U.S. Army Corps of Engineers, Collaborative Planning

Toolkit: [Link]

U.S. Army Corps of Engineers, Flood Risk Management Program: [Link]

U.S. Army Corps of Engineers, guidance on human health and ecological risk
assessment: [Link]

U.S. Army Corps of Engineers, Hydrologic Engineering Center, software tools:

[Link]

U.S. Army Corps of Engineers, Institute for Water Resources, software

tools: [Link]

U.S. Army Corps of Engineers, Planning Model

Certification: [Link]
&ThisPage=ModelCert&Side=No

U.S. Army Corps of Engineers, Planning Community

Toolbox: [Link]

U.S. Army Corps of Engineers, Levee Safety Program, Risk Assessment:

[Link]

26
Introduction to Risk Assessment

U.S. Army Corps of Engineers, Risk Management

Center: [Link]
aspx

U.S. Environmental Protection Agency, Risk Assessment: [Link]

U.S. Food and Drug Administration, FDA-

iRisk: [Link]
afetyAssessment/[Link]

[Link]

U.S. Food and Drug Administration, Risk Assessment Models: [Link]

27
Introduction to Risk Assessment

Chapter 6 - Self Assessment

6.0 SELF ASSESSMENT
1. Risk assessment is the actions taken to accept, assume, and manage risk. T/F

2. Which of the following is NOT one of the four steps in the risk assessment process?
a. Identify risks
b. Publicize the risk
c. Assess consequences of risk occurrence
d. Assess likelihood of risk occurrence
e. Characterize risks

3. Risk characterization can only be properly defined in quantitative terms. T/F

4. The risk of unrealized potential gain is called a speculative risk. T/F

5. Residual risks are the creation of a risk that did not previously exist; for example, the
construction of a levee brings into existence the risk of a levee failure. T/F

6. If you are trying to answer the following questions, are you assessing the probability or
consequences of the risk?

What undesirable effects do the hazards have?

What desirable effects might the opportunities offer?
Who might be impacted by the hazard or opportunity?

a. the probability of the risk

b. the consequences of the risk

7. If the consequence of the wrong decision is serious and the uncertainty of risk is great,
which of the following levels of risk analysis should be conducted?
a. Extensive risk analysis with adaptive management
b. Routine levels of risk analysis

8. What tool can be used in USACE feasibility studies to organize data and information
about the risk assessment and to document the analysis?
a. Risk Ware
b. Risk Register
c. Risk Communicator
d. Risk Log

9. Risk assessments generally produce scientific facts. T/F

10. Within the Corps, a risk assessment is best accomplished by a single individual. T/F

28
Introduction to Risk Assessment

6.0 SELF ASSESSMENT - ANSWERS

1. Risk assessment is the actions taken to accept, assume, and manage risk. T/F

False. CORRECT. The statement above is the definition of risk management. Risk
assessment is defining the nature of the risk, its probability, and the
consequences, either quantitatively or qualitatively (or combination).

2. Which of the following is NOT one of the four steps in the risk assessment process?
a. Identify risks INCORRECT
b. Publicize the risk CORRECT. This is not one of the four steps of risk assessment
c. Assess consequences of risk occurrence INCORRECT
d. Assess likelihood of risk occurrence INCORRECT
e. Characterize risks INCORRECT

3. Risk characterization can only be properly defined in quantitative terms. T/F

False. CORRECT. Risks can be characterized both qualitatively and

quantitatively.

4. The risk of unrealized potential gain is called a speculative risk. T/F

True. CORRECT. Examples of potential gains that may not be realized include
reductions in transportation cost savings, ecosystem restoration benefits,
operation and maintenance efficiencies, an investment that did not produce the
expected benefits, and other similar potential gains.

5. Residual risks are the creation of a risk that did not previously exist; for example, the
construction of a levee brings into existence the risk of a levee failure. T/F

False. CORRECT. Residual risks are the risks remaining after risk management
strategies are implemented; for example, the with-condition (with a USACE
project) expected annual damages associated with a flood risk management
project would be a measurement of residual risk.

6. If you are trying to answer the following questions, are you assessing the probability or
consequences of the risk?

What undesirable effects do the hazards have?

What desirable effects might the opportunities offer?
Who might be impacted by the hazard or opportunity?

a. the probability of the risk INCORRECT

b. the consequences of the risk CORRECT

29
Introduction to Risk Assessment

7. If the consequence of the wrong decision is serious and the uncertainty of risk is great,
which of the following levels of risk analysis should be conducted?
a. Extensive risk analysis with adaptive management CORRECT. The need for the
greatest amount of risk analysis occurs for those decisions with both a lot of
uncertainty and potentially severe consequences for a decision error.
b. Routine levels of risk analysis INCORRECT

8. What tool can be used in USACE feasibility studies to organize data and information
about the risk assessment and to document the analysis?
a. Risk Ware INCORRECT
b. Risk Register CORRECT
c. Risk Communicator INCORRECT
d. Risk Log INCORRECT

9. Risk assessments generally produce scientific facts. T/F

False. CORRECT. Risk assessments usually produce more estimates and insights
than scientific facts. The assessment provides information; they do not produce
decisions. Risk managers make decisions.

10. Within the Corps, a risk assessment is best accomplished by a single individual. T/F

False. CORRECT. Corps risk assessment is best accomplished as a team activity.

Evidence-based analysis requires subject matter experts. It is unusual for a single
person to possess all the knowledge required to complete a risk assessment.
Good teams are at least multidisciplinary. Better teams are interdisciplinary. The
best teams are trans-disciplinary.

30