Courtesy: Risk Assessment service
Mild Versus Wild Risk
Benoit Mandelbrot distinguished between “mild” and “wild” risk and argued that risk assessment and management must be fundamentally different for the two types of risk. Mild risk follows normal or near-normal probability distributions, is subject to regression to the mean and the law of large numbers, and is therefore relatively predictable. Wild risk follows fat-tailed distributions, e.g., Pareto or power-law distributions, is subject to regression to the tail (infinite mean or variance, rendering the law of large numbers invalid or ineffective), and is therefore difficult or impossible to predict. A common error in risk assessment and management is to underestimate the wildness of risk, assuming risk to be mild when in fact it is wild, which must be avoided if risk assessment and management are to be valid and reliable, according to Mandelbrot.
Mathematical conceptualization
Risk assessment from a financial point of view.
To see the risk management process expressed mathematically, one can define total risk as the sum over individual risks, $R_i$, each of which can be computed as the product of a potential loss, $L_i$, and its probability, $p(L_i)$:
$$R_i = L_i \, p(L_i)$$
$$R_{total} = \sum_i L_i \, p(L_i)$$
Even though for some risks $R_i$ and $R_j$ we might have $R_i = R_j$, if the probability $p(L_j)$ is small compared to $p(L_i)$, its estimation might be based only on a smaller number of prior events and hence be more uncertain. On the other hand, since $R_i = R_j$, $L_j$ must be larger than $L_i$, so decisions based on this uncertainty would be more consequential and hence warrant a different approach.
Financial decisions, such as insurance, express loss in terms of dollar amounts. When risk assessment is used for public health or environmental decisions, the loss can be quantified in a common metric such as a country’s currency or some numerical measure of a location’s quality of life. For public health and environmental decisions, the loss is simply a verbal description of the outcome, such as increased cancer incidence or incidence of birth defects. In that case, the “risk” is expressed as
$$R_i = p(L_i)$$
If the risk estimate takes into account information on the number of individuals exposed, it is termed a “population risk” and is in units of expected increased cases per time period. If the risk estimate does not take into account the number of individuals exposed, it is termed an “individual risk” and is in units of incidence rate per time period. Population risks are of more use for cost/benefit analysis; individual risks are of more use for evaluating whether risks to individuals are “acceptable”.
In quantitative risk assessment, an annualized loss expectancy (ALE) may be used to justify the cost of implementing countermeasures to protect an asset. This may be calculated by multiplying the single loss expectancy (SLE), which is the loss of value based on a single security incident, with the annualized rate of occurrence (ARO), which is an estimate of how often a threat would be successful in exploiting a vulnerability.
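As an added worked example (not code from the original article), the quantities above, $R_i = L_i\,p(L_i)$ and $R_{total}$, together with ALE = SLE × ARO and a countermeasure cost/benefit check, carried through in Python on constructed figures; the two risks with equal $R_i$ also illustrate the earlier point that a rare, high-loss event can have its probability estimate rest on almost no observed incidents. The risk names, loss figures and countermeasure costs are assumptions made for the example.

```python
# Added worked example, not part of the original article. All figures are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    loss: float         # L_i: loss from one incident (the SLE), in currency units
    probability: float  # p(L_i): expected incidents per year (the ARO)

    def annual_expectancy(self) -> float:
        """R_i = L_i * p(L_i), which is the same quantity as ALE = SLE * ARO."""
        return self.loss * self.probability


def total_risk(risks):
    """R_total = sum_i L_i * p(L_i) over a portfolio of risks."""
    return sum(r.annual_expectancy() for r in risks)


def expected_observations(probability, years):
    """Incidents a p-per-year risk is expected to have produced in `years` of
    history; well below 1 means p cannot be grounded in observed events."""
    return probability * years


def countermeasure_net_benefit(risk, aro_after, annual_cost):
    """(ALE_before - ALE_after) - annual cost of the countermeasure.
    Positive means the spend is justified on ALE grounds alone."""
    ale_before = risk.annual_expectancy()
    ale_after = risk.loss * aro_after
    return ale_before - ale_after - annual_cost


# Two constructed risks with identical R_i but very different L_i and p(L_i).
PHISHING = Risk("credential phishing", loss=20_000.0, probability=0.5)
DC_FIRE = Risk("data-centre fire", loss=10_000_000.0, probability=0.001)

if __name__ == "__main__":
    for r in (PHISHING, DC_FIRE):
        print(f"{r.name}: R_i = {r.annual_expectancy():,.0f}, "
              f"expected incidents in 5 years of data = {expected_observations(r.probability, 5)}")
    print(f"R_total = {total_risk([PHISHING, DC_FIRE]):,.0f}")
    # Hypothetical countermeasures: MFA cuts phishing ARO to 0.1 for 3,000/yr;
    # fire suppression cuts fire ARO to 0.0002 for 5,000/yr.
    print("MFA net benefit:", countermeasure_net_benefit(PHISHING, 0.1, 3_000.0))
    print("Fire suppression net benefit:", countermeasure_net_benefit(DC_FIRE, 0.0002, 5_000.0))
```

Both risks carry the same annualized expectancy, yet five years of incident history would be expected to contain 2.5 phishing incidents and only 0.005 fires, so the fire's ARO is an assumption rather than a measurement.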
The usefulness of quantitative risk assessment has been questioned, however. Barry Commoner, Brian Wynne and other critics have expressed concerns that risk assessment tends to be overly quantitative and reductive. For example, they argue that risk assessments ignore qualitative differences among risks. Some charge that assessments may drop out important non-quantifiable or inaccessible information, such as variations among the classes of people exposed to hazards, or social amplification. Furthermore, Commoner and O’Brien claim that quantitative approaches divert attention from precautionary or preventative measures. Others, like Nassim Nicholas Taleb, consider risk managers little more than “blind users” of statistical tools and methods.