Open access

Introductory Chapter: A Systems Framework for Risk Assessment

Written By

Ali Hessami

Submitted: February 14th, 2019 Published: April 17th, 2019

DOI: 10.5772/intechopen.85429


1. Introduction

Throughout the ages, man’s preoccupation with determining and controlling his destiny has sparked a keen interest in foretelling the future. This has, strangely, been based on a linear notion of time and event space, treating the future as a mere extension of the past. Another intriguing facet of this enterprise is probably driven by the maxim that “good news is no news”; therefore, more weight and prominence has been given to negative and downside forecasting, focusing on detrimental and potentially catastrophic events. This perspective is tacitly echoed in the news media, in which a significant proportion of the events covered are of a depressive, sinister, vile and sometimes tragic pedigree, almost to the exclusion of positivity and hope.

The systematic approach to the understanding and judicious resolution of complex events practised around the eighteenth century BC by the Babylonian asipu bears a close resemblance to the risk-based paradigms in vogue nearly four millennia later. However, we argue that public and private enterprises need to go beyond compliance with regulatory frameworks, which typically set baseline benchmarks for acceptable performance and for the risk of adversity.

The risk management industry in vogue today epitomises this unipolar and adversarial perspective by spending time, resources and effort on predicting and, at best, avoiding future incidents, accidents and their consequent losses. This is hardly a message of hope, progression and transformation. While addressing foreseeable future adversities is a rational and prudent measure, it lacks the motive force of advancement and success, without which we remain stagnant and, at best, free from harm or loss.

We present a critique of the obsession with risk and set out a systematic and equitable framework for decision-making, supported by a new methodology for elicitation, representation, communication and resolution of real-world issues and problems. The systematic assessment principles developed here are proposed as a universal set of goals pertinent to assessment of risks arising from all systems irrespective of type, size, origin, environment and function.


2. A question of balance

“Almost every wise saying has an opposite one, no less wise, to balance it.”

G. Santayana

The prophet Zoroaster (630–550 BC), born in the mountains east of the Caspian Sea, founded the Persian religion of Zoroastrianism [1]. He is said to have received revelations from Ahura Mazda (the “Lord Wisdom”) at an early age. The Persian scripture known as the Avesta contains hymns called Gathas, which are attributed to Zoroaster. His teachings portray the universe as a battleground for good and evil. He also taught about the purpose of living in a world of opposites, founded on the premise that there must be an underlying intelligence to the universe and laws governing it. Scholars claim that Zoroastrian doctrine had a fundamental influence on the subsequent religions of Middle Eastern origin and, through them, on the civilisations founded on those creeds.

Further east, a mystical and intuitive school of thought, Taoism, emerged around the sixth century BC as a reaction to the perceived limitations of rational knowledge. Its adherents developed an essentially empirical observation of nature in order to discover the characteristics of reality, the Tao, believing that ultimate reality lies beyond the capacity of reasoning and rational thought [2]. In this intuitive quest, the Taoist sages arrived at profound insights about nature, the most important of which concern transformation and change. They interpreted change in nature as the result of an interplay between the polar opposites of yin and yang, seen as dynamically linked opposites. This implies an implicit belief in the unity of opposites, which has more affinity with the quantum-mechanical interpretation of the universe than with an extension of rational insight. The belief in the continuous interplay of opposites led to two fundamental Taoist rules of human conduct. The first holds that to achieve anything, one ought to start with its opposite: “in order to take, one will surely give first.” The second holds that in order to retain anything, one should admit into it something of its opposite pole: “be bent and you will remain straight.” By analogy with the Zoroastrian forces of good and evil, the Taoists strive to attain and maintain a dynamic balance between the polar opposites of yin and yang, which they see as a spontaneous and innate tendency in all things. In this view, humans should model their behaviour in harmony with nature, guided by intuitive knowledge.

Further to the west, and at almost the same time, Heraclitus of Ephesus in Greece came to the same realisation about the constant transformation of nature [3]. To this he added a further observation about the cyclic nature of change. Like the Chinese Taoist sages, Heraclitus discerned the dynamic interplay of the polar opposites as a unity, a notion now associated with the findings of modern physics.

The three isomorphic visions of reality, emerging from three advanced civilisations around 600 BC, portray a holistic and harmonious perspective on the nature of existence, reality and truth. They epitomise the need for a more balanced and realistic approach to the understanding, harnessing and management of the polar opposites, threats and opportunities, inherent in every facet of life. This ancient wisdom amounts to seeking a dynamic balance in preference to the maximisation of gain or minimisation of loss advocated by the pervasive unipolar philosophies of today.


3. The role of creativity

“Uncertainty and mystery are energies of life. Don't let them scare you unduly, for they keep boredom at bay and spark creativity.”

R.I. Fitzhenry

The nature of creative behaviour and thought has long been debated by psychologists. They broadly agree that such behaviour is distinguished by its novelty and value. The thinking process inherent in creative behaviour is sometimes referred to as divergent since it moves outward from the problem in a variety of directions, potentially leading to many solutions. This is contrasted with convergent thinking, which moves in a straightforward fashion towards a single specific answer [4]. A similar distinction is made by De Bono [5, 6] where divergent and creative thought processes are referred to as lateral and the conventional thinking as vertical.

A range of specific techniques have been developed that may facilitate the creative process. Many of these are founded on the basic principles of creative thinking. However, apart from anecdotal observations, there is little empirical evidence to support their efficacy. Two broad categories of techniques promoting creative thinking are characterised by the nature of the source. Those relating to the cognition of an individual are known as “intra-individual”, while creative thought originating from a group of people is referred to as “inter-individual.”

The intra-individual techniques promote divergent thinking by breaking or challenging the mental models of an individual and sometimes treating problems as opportunities [7]. The inter-individual or group-based techniques employ the inherent diversity in perspective and mental set to generate a new composite perspective on a problem. Unfortunately, there is no credible theoretical model relating group characteristics such as composition or size to creative performance. The optimal size is often quoted as between 5 and 7, while the composition should of necessity include members from the various stakeholder groups affected by the problem [8]. By far the best-known technique for group-based creative idea generation and problem solving is brainstorming. The four key rules of brainstorming are as follows:

  • No criticism of any ideas allowed

  • All ideas including the absurd ones are welcome

  • The more ideas the better

  • Composite and piggyback ideas are encouraged

While numerous reports have been compiled in support of the effectiveness of brainstorming, recent experimental studies have suggested otherwise. The general conclusion is that brainstorming may be useful in some settings but is not a substitute for individual production of ideas [4]. De Bono [5, 6] also described a technique called “Six Hats”, mostly applied to the effective management of meetings. In this approach, each hat represents a different perspective on the problem, avoiding conflict and encouraging constructive and cooperative group thinking.

Whatever the substance and mechanics of creativity, it is considered a highly effective process for enhancing productivity and achieving differential business advantage. This is particularly relevant to the competitive, rapidly changing and complex problems facing the business environment of today. Creativity challenges the familiar solutions, concepts and strategies for problem solving that often dominate our thinking, paving the way for novel, high-gain and valuable alternatives to come to the fore. The formidable challenges of complexity, inter-relatedness and rapidly evolving issues of today can only be countered through the equally potent and penetrating weapon of creativity. Incremental advancement through vertical thinking is no match for the scale and scope of today’s tasks.


4. The paradox?

“Nature does nothing without purpose or uselessly.”


Most human endeavours are underpinned by motivations and drivers that are broadly positive and purposeful. These span a broad spectrum of activities and tasks, ranging from the pursuit of physiological survival needs to higher-level attainment, cognitive and transcendental goals. While these pursuits entail the expectation of desired positive outcomes, it is inevitable, owing to the inherent ontological (aleatory) and epistemic uncertainties, that objectives sometimes fail to materialise in part or in whole, or that entirely unexpected, often detrimental, outcomes emerge instead: the so-called downside risks. Gain and loss, hazard and opportunity, are therefore intertwined and omnipresent, with different likelihoods, unless energy and effort are spent on identifying and analysing the scenarios and factors that may impact on the pursued goals. This is the essence of the risk-based mindset, dating back to the Babylonians: factoring adversity and loss into every purposeful positive endeavour.

In this bipolar reality, mere focus on gain or loss is tantamount to a partial and jaundiced view of the reality that is contrary to prudence and wisdom. This calls for a rational and holistic framework where the potential for loss and gain is identified, evaluated and assessed by the duty holders, balanced and implemented based on insight, awareness and preferences. This is analogous to the Taoist concept of balance between polar opposites, seeking insight on a desirable level of balance.

The best practice standards treat risk as a potential for a gain or a loss, driven by uncertainty. However, the common parlance treats risk as an undesirable outcome that entails harm and loss. To ensure clarity and appropriate treatment for gain and loss scenarios, we propose a systems framework that comprises the following:

  • Hazards → risks

  • Opportunities → rewards

In this framework, risks are manifestations of what is generally regarded as undesirable or hazardous circumstances, and rewards are their polar opposites. A hazard is a causative factor of risk: a condition, object, state or act with the potential to lead to loss, which may have business/financial, safety or environmental aspects or a combination of these. The opposite concept to a hazard is an opportunity. This is likewise a causative factor, for a reward: a condition, state or act with the potential to lead to some gain or benefit, which may have personal, societal, technological, business or environmental aspects or a combination of these. The likely realisation of a gain arising from an opportunity is regarded as a reward.

This overall framework is shown in Figure 1 where typically hazards are transformed into a spectrum of risks and opportunities into rewards, respectively. The outcome is the spectrum and scale of risks and rewards that on balance informs the stakeholders in their desired decisions.

Figure 1.

A holistic risk-reward framework.

Hazards and opportunities are essentially precursors to risks and rewards and there is a strong argument that they should be identified, assessed and balanced in any rational decision support framework. This framework provides a holistic, clear and unambiguous view of the key influencing factors avoiding confusing upside and downside terminology often employed to inadequately convey the same concepts or intent.


5. Risk and facets of performance

“To win without risk is triumph without glory.”

Pierre Corneille

Before we endeavour to explore the best practice approaches to understanding, assessing and treating risks and rewards, it is constructive to briefly review the facets of a general system’s behaviour or emergence that could give rise to areas of concern in terms of potential risks. The following facets of a general system’s performance represent generic and often inter-related emergent properties that constitute the focus of attention to realisation of a product, process, service or undertaking:

  • Functional and technical

  • Commercial

  • Environmental/sustainability

  • Integrity (reliability, availability, maintainability and safety)

  • Security (threat/vulnerability)

  • Quality

  • Social and personal value (perceived and objective)

Apart from the inter-relatedness of the performance facets, some of these emergent properties of products, services, systems and processes are also regulated, which implies that risks must be identified and reduced to acceptable or tolerable levels before permission to deploy is given by the relevant authorities [9, 10]. Among these, safety, the environment and, increasingly, security are the regulated facets. The regulations often demand a risk-based process for risk assessment and treatment, and demonstration of safe, secure or environmentally friendly performance through a documented compliance case [11, 12].

It is also instructive to briefly review the definition and attributes of risk before an attempt is made to develop a structured and systemic framework for its assessment and management.

The key ISO standard on risk management principles and guidelines [13] defines risk as the “effect of uncertainty on objectives”, where an effect is a deviation from the expected (positive or negative) and objectives can have aspects such as financial, environmental, health and safety, much akin to the facets of performance elucidated above. The standard also acknowledges that risk is often characterised by events and their consequences and expressed in terms of the combination (in practice, often the product) of the likelihood of an event and the consequences of that event.

The ISO/IEC information security suite of standards [14–34] adopts the ISO definition and extends it into the information security domain by adding concepts such as threats that can exploit vulnerabilities of an information asset and thereby cause harm to an organisation; within the suite, ISO/IEC 27005 [20] is the part devoted to information security risk management.

The more recent systems safety standard for safety-critical railway applications [35] defines risk more technically as the “combination of expected frequency of loss and the degree of severity of that loss.” However, the standard does not elaborate on the meaning and scope of loss. We define loss as harm to people (safety, including reduction of welfare, injuries and fatalities), to the environment (damage, contamination or destruction) or detriment to an enterprise (financial or commercial), or a combination of these.

Bearing these definitions in mind, a risk is not adequately communicated unless five attributes are specified, namely:

Risk = f (C, S, H, L, I) where

  • C is the nature of consequence, for example, safety, commercial, etc.

  • S is the subject, for example, system, operation, specific people, etc.

  • H is the initiating hazard, for example, system crash.

  • L is the likelihood/frequency of the consequence arising from the hazard.

  • I is the intensity/extent of the loss.

In this spirit, stating only the technical aspects, the likelihood of the consequence and the extent of the loss, is not sufficient to transparently and adequately communicate the intent behind a particular risk category: two risks with identical likelihood and loss can differ entirely in the nature of the consequence, the subject exposed and the initiating hazard, and may therefore be judged against different tolerability criteria.
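As an added illustration, not code from the chapter, the following Python records a risk as the five-attribute tuple above and evaluates it against tolerability bands set per consequence class. The `Risk`, `Consequence`, `BANDS`, `evaluate` and `summarise` names, the band limits and the three sample register entries are constructed for this example rather than taken from the chapter or from any standard; the bands merely follow the intolerable / tolerable-if-ALARP / broadly-acceptable shape of the tolerability-of-risk approach cited in [9]. It shows that two risks sharing the same hazard H and likelihood L land in opposite tolerability regions once C and S differ.

```python
"""Five-attribute risk record and tolerability evaluation.

Added example, not code from the chapter. A risk is recorded as the tuple
Risk = f(C, S, H, L, I) from the text and evaluated against illustrative
per-consequence tolerability bands. Band limits and sample entries are
constructed for illustration, not regulatory values.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Consequence(Enum):
    SAFETY = "safety"
    COMMERCIAL = "commercial"
    ENVIRONMENTAL = "environmental"


@dataclass(frozen=True)
class Risk:
    consequence: Consequence   # C: nature of the consequence
    subject: str               # S: who or what is exposed
    hazard: str                # H: initiating hazard
    likelihood: float          # L: frequency of the consequence, per year
    intensity: float           # I: extent of loss, in units of the consequence class

    def __post_init__(self) -> None:
        # A risk missing any attribute is not communicable; refuse to record it.
        if self.likelihood < 0:
            raise ValueError("likelihood must be a non-negative frequency")
        if self.intensity <= 0:
            raise ValueError("intensity must be positive")
        for name in ("subject", "hazard"):
            if not getattr(self, name).strip():
                raise ValueError(f"{name} must be stated")

    def expected_loss(self) -> float:
        """Likelihood x intensity: loss per year in the class's units."""
        return self.likelihood * self.intensity

    def statement(self) -> str:
        """Render the risk so that all five attributes travel together."""
        return (f"[{self.consequence.value}] {self.subject}: '{self.hazard}' -> "
                f"{self.intensity:g} units at {self.likelihood:g}/yr "
                f"(expected {self.expected_loss():g}/yr)")


# Constructed tolerability bands per consequence class, as expected loss per
# year: (intolerable at or above, broadly acceptable below). Hypothetical values.
BANDS: Dict[Consequence, tuple] = {
    Consequence.SAFETY: (1e-3, 1e-6),        # fatalities per year
    Consequence.COMMERCIAL: (1e6, 1e4),      # currency units per year
    Consequence.ENVIRONMENTAL: (1.0, 1e-2),  # hectares contaminated per year
}


def evaluate(risk: Risk) -> str:
    """Risk evaluation: place the risk in a tolerability region for its class."""
    intolerable_at, acceptable_below = BANDS[risk.consequence]
    loss = risk.expected_loss()
    if loss >= intolerable_at:
        return "intolerable"
    if loss < acceptable_below:
        return "broadly acceptable"
    return "tolerable if ALARP"


# Constructed register: entries 0 and 1 share H and L but differ in C and S.
SAMPLE_REGISTER: List[Risk] = [
    Risk(Consequence.SAFETY, "passengers on the line", "corrupted movement authority", 2e-4, 10),
    Risk(Consequence.COMMERCIAL, "infrastructure manager", "corrupted movement authority", 2e-4, 2e6),
    Risk(Consequence.SAFETY, "track workers", "possession limits not communicated", 1e-5, 1),
]


def summarise(register: List[Risk]) -> Dict[str, List[str]]:
    """Group rendered risk statements by tolerability region."""
    grouped: Dict[str, List[str]] = {}
    for risk in register:
        grouped.setdefault(evaluate(risk), []).append(risk.statement())
    return grouped


if __name__ == "__main__":
    for region, statements in summarise(SAMPLE_REGISTER).items():
        print(region)
        for s in statements:
            print("  ", s)
```

The first two entries carry the same H and L, yet the safety entry is intolerable while the commercial entry is broadly acceptable; a register that stored only L and I would have no way to express that distinction.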


6. The current best practice

The modern best practice standards [13] advocate a general approach to risk assessment and management comprising the following objectives (Figure 2):

  1. System or context definition

  2. Risk identification

  3. Risk analysis

  4. Risk evaluation

  5. Risk treatment

  6. Risk monitoring

  7. Risk communications

Figure 2.

Best practice risk assessment and management.

The current deficit is that the best practice standards in risk assessment essentially define a high-level roadmap but do not provide a systematic process supported by essential activities, methodologies and tools to enable the practitioners to implement the requirements in a consistent, comprehensive, verifiable and value-focused manner. Alas, this has led to a plethora of approaches and methodologies that lack credibility, systematicity, systemic rationale and completeness. Most risk assessments tend to be tool centric, that is, in the absence of a principles-based framework and supporting processes, these follow the imperatives of a particular methodology constrained by implementation in the form of a computer-based tool. There is a need for a strategic and systems-based perspective on the requirements for a structured, rational and integrated set of principles that collectively result in understanding, evaluation, assessment and treatment of risks that is not constrained by specific methodologies and associated tools. A candidate solution to this is developed in the following section.


7. The systems framework for risk assessment

“First weigh the considerations, then take the risks.”

Helmuth von Moltke

We develop a systems framework for risk assessment constructed on a suite of principles that go beyond the definitions in the best practice standards, while also providing guidance on the methodologies and tools necessary to implement each principle. Our argument against treating risk identification, analysis and evaluation as the sole activities in risk assessment is that risk treatment is fundamentally an integral part of assessment. After sufficient insight has been developed by identifying, analysing and evaluating risks against tolerability criteria, options need to be identified and evaluated to ensure that suitable and sufficient risk reduction is achieved. Evaluation of the pertinent options and selection of the most impactful and cost-effective ones are integral to risk assessment, treatment and demonstration of compliance with regulatory requirements.

In the proposed framework, the evaluation, assessment and treatment of risks and rewards can be carried out in a qualitative, quantitative or hybrid manner. Whatever the approach, it is essential, however, that a common currency and compatible outcomes are generated through qualitative or quantitative approaches to facilitate comparison and integration as appropriate.

The systematic approach to the identification, evaluation, assessment and treatment of risks and rewards entails the following principal stages:

  • Hazard and opportunity identification within the system context [36]

  • Causal analysis (exploring the causation factors for hazards and opportunities) [37, 38, 39]

  • Consequence analysis (exploring the range of events that potentially arise from escalation of hazards and opportunities)

  • Loss/gain analysis (exploring the degree of loss or gain anticipated from predicted consequences)

  • Options analysis (exploring viable risk control or reward enhancement solutions)

  • Impact analysis (evaluating the expected impact of identified options on risks and rewards)

  • Demonstration of diligence and compliance
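To make the causal, loss and options/impact stages concrete, here is an added Python example that is not part of the chapter and is not drawn from the railway projects it mentions. It builds a small fault tree (the causal analysis technique of [37]) for a hypothetical hazard, an attacker obtaining write access to a signalling control LAN, computes the expected annual loss from it, and then ranks three candidate controls by loss reduction per unit of cost. Every basic-event probability, the severity figure, the option names and their costs are constructed illustrative numbers, not data from any real system, and the `Gate`, `Option`, `probability` and `impact_analysis` names are this example's own.

```python
"""Causal analysis (fault tree) and options/impact analysis for one hazard.

Added example, not code from the chapter or from any project it mentions.
The tree, basic-event probabilities, loss severity and option costs are
constructed for illustration; the hazard is a hypothetical "attacker obtains
write access to a signalling control LAN".
"""
from dataclasses import dataclass
from typing import Dict, List, Union


@dataclass
class Gate:
    kind: str                         # "AND" or "OR"
    inputs: List[Union["Gate", str]]  # sub-gates or basic-event names


Node = Union[Gate, str]


def probability(node: Node, basic: Dict[str, float]) -> float:
    """Probability of the event at `node`; basic events assumed independent.

    Caveat to check in practice: a shared cause (one phishing campaign hitting
    several accounts, one vendor serving both paths) breaks independence and
    makes the OR-gate result optimistic.
    """
    if isinstance(node, str):
        return basic[node]
    ps = [probability(child, basic) for child in node.inputs]
    if node.kind == "AND":
        p = 1.0
        for x in ps:
            p *= x
        return p
    if node.kind == "OR":
        q = 1.0
        for x in ps:
            q *= 1.0 - x
        return 1.0 - q
    raise ValueError(f"unknown gate kind {node.kind!r}")


# Constructed per-year probabilities of the basic events (hypothetical).
BASIC: Dict[str, float] = {
    "vpn_credential_phished": 0.30,
    "mfa_absent": 1.0,                 # no MFA deployed today, so certain
    "reach_control_lan_from_vpn": 0.05,
    "vendor_laptop_infected": 0.10,
    "usb_policy_not_enforced": 0.80,
}

# Top event (the hazard): write access to the control LAN via either path.
TOP = Gate("OR", [
    Gate("AND", ["vpn_credential_phished", "mfa_absent", "reach_control_lan_from_vpn"]),
    Gate("AND", ["vendor_laptop_infected", "usb_policy_not_enforced"]),
])

SEVERITY = 5_000_000.0   # constructed loss per occurrence, currency units


@dataclass
class Option:
    name: str
    cost: float                # one-off cost, currency units (constructed)
    effect: Dict[str, float]   # basic-event probabilities after the control


OPTIONS = [
    Option("Enforce MFA on remote VPN access", 40_000, {"mfa_absent": 0.02}),
    Option("Segment control LAN behind a jump host", 120_000, {"reach_control_lan_from_vpn": 0.005}),
    Option("Enforce USB device control on vendor laptops", 15_000, {"usb_policy_not_enforced": 0.10}),
]


def top_event_probability(basic: Dict[str, float] = BASIC) -> float:
    return probability(TOP, basic)


def expected_annual_loss(basic: Dict[str, float] = BASIC) -> float:
    """Loss analysis: frequency of the top event times its severity."""
    return top_event_probability(basic) * SEVERITY


def impact_analysis(options: List[Option], basic: Dict[str, float] = BASIC) -> List[dict]:
    """Options/impact analysis: rank options by loss reduction per unit cost."""
    baseline = expected_annual_loss(basic)
    rows = []
    for opt in options:
        treated = {**basic, **opt.effect}
        reduction = baseline - expected_annual_loss(treated)
        rows.append({
            "option": opt.name,
            "residual_p": top_event_probability(treated),
            "loss_reduction": reduction,
            "reduction_per_cost": reduction / opt.cost,
        })
    rows.sort(key=lambda r: r["reduction_per_cost"], reverse=True)
    return rows


if __name__ == "__main__":
    print(f"baseline P(top) = {top_event_probability():.4f}, "
          f"expected loss = {expected_annual_loss():,.0f}/yr")
    for row in impact_analysis(OPTIONS):
        print(f"{row['option']:<48} P={row['residual_p']:.4f} "
              f"saves {row['loss_reduction']:>9,.0f}/yr  ratio {row['reduction_per_cost']:.2f}")
```

With these constructed numbers the vendor-laptop path dominates the top event, so the cheapest control on that path ranks first and the expensive network segmentation last, even though segmentation is the control most people would name first. That is the kind of result the options and impact stages exist to surface, and it is only as good as the causal model: a common-cause event shared between the two branches would have to be modelled explicitly rather than hidden inside independent basic events.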

It is worth noting that the framework of seven principles embraces qualitative and quantitative approaches to the evaluation of risks and rewards to facilitate ranking, judgement and balancing.

The intent, objectives, processes and applicable methodologies for each of the seven principles are beyond the scope of this introductory chapter.


8. The way forward

“The universe will reward you for taking risks on its behalf.”

Shakti Gawain

The current obsession with risk underwritten by the vast financial and safety sectors portrays an imbalanced perspective on most issues, problems and decisions. While necessary, understanding and management of risks is not singly sufficient to provide a complete basis for rational and realistic decision-making. The emergence of risk-based laws and regulations tends to exacerbate the current myopic view in that risks potentially arising from products, processes, services and systems are subject to legal scrutiny irrespective of the overall contribution to the end users, stakeholders or the society at large.

We have offered a transparent and systematic framework to provide a holistic decision support environment for instances entailing uncertainty and risk. This approach typifies the blend of holism and creativity required to comprehend and tackle the complex and inter-related problems of modern age.

The proposed framework was originally developed by the author in 1997 and was adopted by the UK railway industry’s Engineering Safety Management System known as the Yellow Book 2. It became the de facto Code of Practice for risk analysis and assessment in the newly privatised railways in the UK at the time and appropriate training was delivered nationally to all decision-makers in safety and mission critical roles. Later, the framework, process and supporting tools were employed to develop the first national railway quantitative safety risk forecasting model under the heading of risk profiling of railways project in Railtrack plc. Two further variations of the framework were also employed in developing safety risk forecasts for the West Coast Modernisation Programme in the UK and the European Rail Traffic Management System’s (ERTMS) safety analysis.

The plethora of risk-based regulations and the underlying principles for tolerability in vogue today should progress towards a more holistic perspective comprising evaluation of hazards and opportunities and assessment of risks alongside the rewards in a given context, to provide a more equitable and rational basis for a fair judgement. Mere focus on risk alone provides a myopic view of a more complex systemic reality and flies in the face of rationality, innovation and equity.


  1. Bekhradnia S. The Beliefs of Zoroastrianism. New Statesman; 8 January 2007.
  2. Capra F. The Tao of Physics. London: Flamingo; 1986.
  3. Kahn C. The Art & Thought of Heraclitus. Cambridge University Press; 1979. pp. 1-23. ISBN: 0-521-28645-X.
  4. Ellis HC, Hunt RR. Fundamentals of Cognitive Psychology. Madison: Brown & Benchmark; 1993.
  5. De Bono E. Serious Creativity. London: Harper Collins; 1996.
  6. De Bono E. Lateral Thinking. London: Penguin; 1970.
  7. Rickards T. Creativity and Problem Solving at Work. Aldershot: Gower; 1990.
  8. Geschka H. Creative Techniques in Product Planning and Development: A View from West Germany. In: Source Book for Creative Problem Solving. NY: Creative Education Foundation Press; 1992.
  9. United Kingdom, Health and Safety Executive. The Tolerability of Risk from Nuclear Power Stations. Revised Ed. (1992). London: HMSO; 1988.
  10. The Official Journal of the European Union. Commission Regulation on a Common Safety Method on Risk Evaluation and Assessment (EC) No. 352/2009; 2009.
  11. Hutter BM. The Attractions of Risk-Based Regulation: Accounting for the Emergence of Risk Ideas in Regulation. ESRC Centre for Analysis of Risk and Regulation, Discussion Paper 33; London School of Economics & Political Science; 2005.
  12. Condon M. A Tale of Two Trends: Risk-Based and Principles-Based Regulation in Comparative Financial Services Regulation. Paper presented at the Annual Meeting of the Law and Society Association; Hilton Bonaventure, Montreal, Quebec, Canada; May 27, 2008. Available from:
  13. Risk Management—Principles and Guidelines. ISO 31000:2009.
  14. Information Technology—Security Techniques—Information Security Management Systems—Overview and Vocabulary. ISO/IEC 27000:2014.
  15. Information Technology—Security Techniques—Information Security Management Systems—Requirements. ISO/IEC 27001:2013.
  16. Information Technology—Information Security Management Systems—Requirements. ISO/IEC 27001.
  17. Information Technology—Code of Practice for Information Security Controls. ISO/IEC 27002.
  18. Information Technology—Information Security Management System Implementation Guidance. ISO/IEC 27003.
  19. Information Technology—Information Security Management—Measurement. ISO/IEC 27004.
  20. Information Technology—Information Security Risk Management. ISO/IEC 27005.
  21. Information Technology—Requirements for Bodies Providing Audit and Certification of Information Security Management Systems. ISO/IEC 27006.
  22. Information Technology—Guidelines for Information Security Management Systems Auditing. ISO/IEC 27007.
  23. Information Technology—Guidelines for Auditors on Information Security Controls. ISO/IEC TR 27008.
  24. Information Technology—Sector-Specific Application of ISO/IEC 27001—Requirements. ISO/IEC 27009.
  25. Information Technology—Information Security Management for Inter-sector and Inter-organizational Communications. ISO/IEC 27010.
  26. Information Technology—Information Security Management Guidelines for Telecommunications Organizations Based on ISO/IEC 27002. ISO/IEC 27011.
  27. Information Technology—Guidance on the Integrated Implementation of ISO/IEC 27001 and ISO/IEC 20000-1. ISO/IEC 27013.
  28. Information Technology—Governance of Information Security. ISO/IEC 27014.
  29. Information Technology—Information Security Management Guidelines for Financial Services. ISO/IEC TR 27015.
  30. Information Technology—Information Security Management—Organizational Economics. ISO/IEC TR 27016.
  31. Information Technology—Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services. ISO/IEC 27017.
  32. Information Technology—Code of Practice for Protection of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors. ISO/IEC 27018.
  33. Information Technology—Information Security Management Guidelines Based on ISO/IEC 27002 for Process Control Systems Specific to the Energy Utility Industry. ISO/IEC 27019.
  34. Health and Safety, Environmental Protection. The Offshore Installations (Offshore Safety Directive) (Safety Case etc.) Regulations 2015, Statutory Instrument No. 398. HSE UK.
  35. BS EN 50126-1:2017. Railway Applications—The Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS). CENELEC.
  36. Hazard and Operability Studies (HAZOP Studies)—Application Guide. IEC 61882:2016.
  37. Fault Tree Analysis (FTA). IEC 61025:2006.
  38. Analysis Techniques for System Reliability—Procedure for Failure Mode and Effects Analysis (FMEA). IEC 60812:2006.
  39. Ericson II CA. Hazard Analysis Techniques for System Safety, Chapter 22. Wiley; 2005.
