In his 1962 work, The Structure of Scientific Revolutions, Thomas Kuhn defined a paradigm as a set of concepts constituting the foundations of a field of science. He presents revolutions as shifts in the existing paradigms, and the phrase "paradigm shift" has since entered the language of science and business. Risk is a concern in both fields and this chapter considers the paradigms of risk, and whether they require a shift. Although we avoid negative experiences, often interpreted as resulting from hazards, no common risk management methodology exists. This statement may strike the reader as untrue: after all, safety is a vast field; we analyse hazards and manage risk. Yet is it not a delusion, and is risk management not an attempt to charm reality? Don’t hazards, risk and danger depend on our perception? Perhaps risk can be viewed through the lens of quantum mechanics, existing in a limbo of potential until our actions and interpretations force events and circumstances to assume a danger state. If so, would managing this potential prior to the wave function collapse-inducing observation make any sense? In this chapter we will use the theory of inertia to attempt an answer to the question: is risk management possible?
- theory of inertia
We usurp the right to manage future events: we decide where to meet friends for dinner, to which schools to send our children and where to go on holiday. We choose jobs, hobbies and spouses. We take decisions and change our reality: we feel the masters of our universe, except when a spanner, carelessly thrown, wrecks the carefully planned works. On the way to the dinner, our bus gets stuck in a jam. We miss the holiday flight because we have misplaced the car keys, or worse, a fire breaks out in our DIY shed and spreads to the house, and the roof caves in over our spouse; on the way to a job interview, a tree topples on top of us, or we fall into a manhole.
We try to prevent such misfortunes and proudly call our attempts risk management. We manage risks in the blind faith that there is a fate which we can outsmart. Yet there is only so much we can control, and it may be that, preoccupied with the robustness of the roof, we do not notice that a spanner has been misplaced on a high shelf. On our way out to dinner, we slam the door to the DIY shed, and the spanner, balancing precariously until now, finally changes state and falls into a toaster; we get the picture—observe it—after the event and blame fate without noticing that no such thing exists.
2. Paradigms of risk, hazards and danger
2.1 Man proposes, god disposes?
Since the cultural revolution of the Renaissance, we have arrogated power over our world and have come to believe that we can influence future events. From lotteries and stock markets through to diarised work meetings, we always try to increase the certainty of success. We expect to manage the future, based on past events. This belief in our potential to manage our future can be captured as follows:
Pessimistic tendencies are thought to be related to our survival instinct: the better you can foresee a misfortune, the better your chances, whereas optimism can lead to ignoring past experiences. According to this theory, pessimists should live longer and more stable lives.
At the level of the individual, medicine does not corroborate this theory, and the adverse psychological effects of pessimism on health might be at play. However, at the collective level, pessimism in the form of careful assessment of reality, hazards, the future and the associated risks appears to be the dominant modus operandi.
We may form the following observations based on Figure 1:
Possible events are not unlimited, and the number of possible events depends on the correlations between the relevant factors, with varying threshold limit values to each combination. It is also possible to define threshold properties of events, based on their combinations, although it is not always possible to identify individual events.
Human experience is based on concrete past events, recorded in the individual and the collective memory. Describing history as it does, this data set also informs us about the possible futures: the greater the set, the more possibilities for consideration. However, the set is never complete—giving rise to the black swan phenomenon, as well as Sod’s/Murphy’s law at lesser scales. This appears to be congruous with the wider laws of physics¹.
Identification of future scenarios is a combination of empirical and creative endeavours, and it used to be assumed that computational feasibility has little influence over it. However, if we consider historical data and threshold properties of possible future events, our calculations will give us the edge in preparing for identified possible outcomes. The 2016 Bastille Day lorry attack in Nice, France, may serve as an example of the cognitive deficit in analysing future events: security services were well prepared for potential terrorist attacks before and during the fireworks display, but not after the display; that is when the terrorist drove the lorry into the crowd [1, 2]. Any method comprising creative combinations of analysis and intuition could have allowed such a scenario to be imagined and prepared for. Stock market analysis is another good example: the more complex the model, the better the analyses—which still does not rule out error. Share prices, as a collective expression of human actions, are variable and frequently unpredictable. However, if we consider the possibility of both a rise and a fall of share prices, we will survive.
Known scenarios (as expressions of the applied computational feasibility) will be appropriate to the degree to which past experiences and possible events are considered.
If, at the stage of future event assessment (identifying scenarios), we fail to consider possible events not based on experience, our analysis will be flawed.
It is impossible to avoid the limiting influence of experience; therefore, no risk assessment is fully rational. Managers should regard risk assessment as ancillary and not the foundation of decision-making.
The above statement may be illustrated by considering catastrophes. The list below consists only of incidents caused by ignoring known and predictable events and circumstances (Table 1).
|Event|Identified cause|Real cause|
|---|---|---|
|Courrières mine disaster, 10 March 1906|Coal dust explosion|Use of naked-flame miners’ lamps|
|Bhopal gas tragedy, 3 December 1984|Methyl isocyanate leak; 15,000 dead, 560,000 nonfatal injuries|Backflow of water into a leaky methyl isocyanate tank|
|Chernobyl nuclear disaster, 26 April 1986|Uncontrolled reactor conditions caused core meltdown; 31 direct casualties, 350,000 people resettled, fallout area of 140,000 km²|Planned safety test delay due to temporary electricity supply cut from another power plant, testing the cooling system negligently|
|Fukushima Daiichi nuclear disaster, 11 March 2011|Tsunami protection measures. Historically waves did not exceed 6.1 m|14-metre wave; flooding of fuel tanks for nuclear reactor cooling generators|
The disasters were caused by events and circumstances which were not past experiences but were nevertheless predictable. The disasters themselves may be deemed unpredictable because the events which led to them slipped out of control. It is possible to identify analogous events elsewhere which were rectified because the processes remained under control—for example, in the 1979 incident at the Three Mile Island Nuclear Generating Station in Pennsylvania, USA. The effects of human actions may be deemed unpredictable, even though the scenarios which ensue were predictable. Does only God dispose what man proposes? We can only blame gods or fate if our risk assessment model is limited to analysing known past events. As our computational capabilities grow, we are able to analyse more and more past events and identify scenarios more accurately.
2.2 Hazard or danger?
The terms danger, hazard and risk are frequently used interchangeably. The first two are especially prone to confusion: in most European languages, they are treated as synonyms.
Risk is also considered a synonym of danger and hazard. A home owner will speak of avoiding the risk of fire or the hazard of fire or the danger of fire. However, the insurer will assess the risk, but not the hazard of fire, using more precise language. Nevertheless, the distinctions are vague and lead to inadequate risk assessment and management procedures. Let us consider the following example.
In many countries, including the European Union, every job must have its risks assessed, and employees responsible for this task use different assessment methods. In all these methods, the activities and settings of the job are described, and the risk is calculated in percentages or degrees; we learn, say, that a given job’s risk is low or, elsewhere, that damages are acceptable. What does it mean?
Will the employee in the assessed job not have an accident? Or if they do, will the damage be acceptable? Unfortunately, it does not work like that. I have participated in many post-accident procedures in workplaces. Usually the situation pans out as follows: the accident takes place; we have injuries and damages. In all analysed events, the documented risk assessment deemed the risk low and the damages acceptable. Since the accident happened, what was the goal of the assessment?
The majority of assessment methods use statistical models in which we are required to define the probability of an event taking place and the severity of its effects. Looking back at the determinants of risk management decisions shown in Figure 1, our work will be purely theoretical and past-focused. Instead, the probability of describing real events which will take place can be calculated with the help of Bernoulli’s principle, as shown in Figure 2.
Two probabilities coexist here:
P1—the probability of identifying the scenario which will take place.
P2—the probability of identifying the scenario which has taken place.
The joint probability will be a sum:
P1 + P2.
The probability that an event will occur k times following n attempts, where k = n, can be described as follows:
Therefore, we can assume the following values for the probability of identifying the scenario which will take place.
We assume that every time the probability of success (the answer “yes”) equals
and the probability of failure equals
P1(1) = 0.5.
We can assume the following values for the probability of identifying the scenario which will take place.
We assume that every time the probability of success (the answer “yes”) equals
and the probability of failure equals
Four variants are possible: where the predicted scenario has happened and the event was a success (1/2) or failure (1/2); and where an unpredicted scenario has happened and the event was a success (1/2) or failure (1/2).
P2(1) = 0.25.
There is a causal relationship between events and scenarios, and consequently we can calculate the risk to equal, at best, 0.5 + 0.25 = 0.75.
Our margin of error is, therefore, 25%, which necessitates eliminating mistakes.
Hazard is the subjective property of a situation or an object. It is independent of the environment and does not need to interact with it. It is describable. A crocodile in a pond will serve as the perfect example: we know that it is alive, a predator, and that meeting it will not be pleasant or neutral to our wellbeing. We can describe the crocodile’s physical features, behaviours and habits (Figure 3).
The fact of the crocodile’s existence implies nothing. Yes, it is a hazard; we can assert this to be true, and that is it.
As soon as the hazardous object or situation begins to interact with our activity, the hazard becomes a danger (Figure 4).
A planned or undertaken activity may, on contact with a hazard, cause danger to arise. The danger can be expressed as the measure of injury or damage. As we can see, it is important to differentiate between hazard and danger: if it cannot be quantified in terms of injury or damage, it is only a hazard.
Going back to job risk assessments, we should focus on describing hazards and pointing out dangers caused by the employee’s specific activities. Unfortunately, since these concepts are not easily aligned with our image of reality, they rely on being understood by risk assessors who frequently reach false conclusions regarding our influence over future events.
Risk is the potential variability of events or, to put it another way, the influence of uncertainty on goals. Uncertainty can be positive (expected) or negative (unexpected), and goals can concern any human or organisational activity. Certainty is defined as the lack of uncertainty; uncertainty is a mental state characterised by the lack of information which would allow understanding of an event, its results or situational probability. Lack of information is not tantamount to the absence of an event, but results from flawed decision determinants (see Figure 1).
Risk, understood as the influence of uncertainty on goals, has the following characteristics:
It refers to potential events, their results or both.
It is the combination of an event’s probability and its results (including any circumstance changes), and as such it admits the use of statistical tools.
Risk assessment should inform us about the level of uncertainty and should not be considered separate from this factor (Figure 5).
Risk should be expressed as a combination of the level of goal attainment certainty (from 0%, no chance of attainment, to 100%, certain attainment) and the level of goal attainment (where 100% means the goal has been fully achieved). When we bring these factors together, we get the risk matrix (Figure 6).
The most desirable state is when both the level of goal attainment certainty and the level of goal attainment exceed 50% although, in the case of negative outcomes in safety or mission-critical domains, the tolerability levels are often set by regulators and may be below 50%. That’s field 1 of the matrix. Any other risk level, captured above in fields 2, 3 and 4, should not be acceptable and should require corrective measures (Figure 7).
It is easy to see that the area of acceptable risk is quite small. In the matrix above, it is less than 20%, though the level may vary depending on the situation. In the majority of cases, however, risk assessment will require corrections to the original assumption.
We must therefore assume that in over 80% of cases, risk assessment will require corrections to the original assumptions. It would be wrong to assess risk merely as a statistic (e.g. as the quotient of effects and probability).
Schrödinger’s cat, Erwin Schrödinger’s famous 1935 thought experiment, will be an excellent example to illustrate the inadequacy of statistics in risk assessment.
Let us assess risk for the following situation:
A cat is penned up in a steel chamber, along with the following device (which must be secured against direct interference by the cat): in a Geiger counter, there is a tiny bit of radioactive substance, so small, that perhaps in the course of the hour, one of the atoms decays but also, with equal probability, perhaps none; if it happens, the counter tube discharges and through a relay releases a hammer that shatters a small flask of hydrocyanic acid. If one has left this entire system to itself for an hour, one would say that the cat still lives if meanwhile no atom has decayed. The first atomic decay would have poisoned it.
2.4 What is the risk that the cat is dead?
The act of observation affects the observed: the accuracy of this famous pronouncement goes beyond quantum mechanics. In psychology, ideas to which we give greater attention tend to become exaggerated and push other ideas out: we think of ourselves as lucky or unlucky, holding a cup that is half-empty or half-full, even though no matter what we think, the reality is one and the same, and only our focus is elsewhere. This focus, as the result of a whole life’s experience (see Figure 1), may become a major limiting factor for us, the perceivers. Until we open Schrödinger’s chamber, the cat may be in any possible state, and so, in the physics of the infinitesimal as much as in risk assessment, it could be both dead and alive. Of course, we can describe the dangers lurking in the chamber, for the cat and for us, and we can also point out the hazards. The moment we open the chamber, we will know whether the cat is dead or alive, but it will be too late to do anything about it.
The probability of the cat’s death as the result of radiation will range from 0 to 100% (or 0.0 to 1.0). This number is a meaningless statistic. However, if we use the risk matrix to assess risk, we will note that both the level of goal attainment certainty and the level of goal attainment (the goal being the puss’s survival, presumably) are in fields 2, 3 and 4, and so corrective measures are required if we want to boost the cat’s chances (Figure 8).
2.5 The theory of inertia in risk management
If we interpret risk as the influence of uncertainty on goals, we can use the theory of inertia to manage risk effectively. This model is informed by the following premises and correlations:
Premise 1. The probability of positive and negative outcomes of our actions is always 50%. We have no influence over the outcome of our actions.
Premise 2. Since we cannot influence the actual event which will pass as the result of our actions, any focus on this event will be futile. The outcome for our enterprise will be the result of our preparation for the event and not of actions taken to achieve the desired outcome.
Premise 3. Preparation for all possible outcomes (negative as well as desired) should be the goal of our actions. Lack of preparation is a decision which will result in negative outcomes.
Further, we note the following correlations:
Correlation 1. Negative outcomes are the result of three classes of factors: human error; machine malfunction and other technical shortfalls; and factors out of our control. The risk of negative outcomes can be minimised through multilevel monitoring and controls within the human and machine classes of factors, which would verify that decisions are taken based on sound assumptions, that actions are followed through and that machinery is kept in a working condition with timely checks, repairs and part replacements.
Correlation 2. If the outcome of our actions does not result from human or machine factors, we have no influence over it. In such cases we must develop contingency procedures for all outcomes beyond our influence.
The concepts of risk, danger and hazard lend themselves to statistical treatment, but the customary use of statistics for risk assessment leads to flawed conclusions, due to limited predictability of events and scenarios.
Risk management, understood as an attempt to influence the certainty of goal attainment, cannot be treated as an exercise in statistics. Instead, we ought to describe the level of certainty of goal attainment by considering costs and benefits of alternatives.
Risk assessment ought to identify the threshold parameters for accepting the costs and the level of goal attainment. The result of the assessment should identify if the goals can be achieved, to what degree and at what costs associated with adverse developments.
Every risk analysis must consider information available from documented past experiences and from identifiable future events. Their identification must be thorough and use all available tools to generate all possible scenarios.
Risk cannot be assessed without identifying the goals of the analysed process or situation. If the goals cannot be identified, we ought to limit ourselves to describing the hazards and, in the case of taking actions, the associated dangers. Additionally, we can supply historic rates of recurrence. Ultimately, statistical analysis ought not to be the primary goal of risk assessment.
When goal identification is difficult or impossible, we ought to identify the worst-case scenario and prepare for it. In the event, activities which induce danger in a hazardous situation should only be undertaken after comprehensive preparation for the identified possible effects. We ought to strive to eliminate danger arising from lack of preparation.
There are three reasons, or classes of events, which require preparation: effects of human error, effects of machine error and other events over which we have no influence. Preparation ought to comprise scenarios for each of these classes of events. The aim of the above considerations has been to suggest effective and falsifiable methods for risk assessment and for identification of hazards and dangers.
¹ According to the second law of thermodynamics, every system and process will suffer energy dispersion tending towards disorder, or entropic equilibrium, simply because disorder is more probable. If we connect two vessels, one containing oxygen and the other containing nitrogen, it is improbable that after connecting, both gases will remain in their original vessels. Such an event is possible, but it is more probable that the atoms of both gases will disperse across the two vessels.