BN Applications in Operational Risk Analysis: Scope, Limitations and Methodological Requirements

Modern societies, due to their intrinsic complexity, are strongly dependent on critical resources and even more vulnerable to uncertain conditions. Despite the ability of controlling technical processes has increased over the past century, several different external and internal factors continue to affect the overall performance and sustainability of modern socio-technical systems. Globalisation, technology innovation and the organisational complexity of several actors are some of the major sources of uncertainty alongside the political context.


Introduction
Modern societies, due to their intrinsic complexity, are strongly dependent on critical resources and even more vulnerable to uncertain conditions. Despite the ability of controlling technical processes has increased over the past century, several different external and internal factors continue to affect the overall performance and sustainability of modern socio-technical systems. Globalisation, technology innovation and the organisational complexity of several actors are some of the major sources of uncertainty alongside the political context.
Emerging risks, also sometimes called global risks, are large-scale events or circumstances that arise from global trends; are beyond any particular party's capacity to control; and may have impacts not only on the organisation but also on multiple parties across geographic borders, industries, and/or sectors, in ways difficult to imagine today.
Moreover, modern societies are sustained and shaped by large socio-technical systems, where technology is deeply integrated with the human element and the organisational dimension. The identification and management of the wide spectrum of risks affecting such system of systems require new approaches and methods able to properly model and account for the growing complexity and dynamic interconnectedness of the modern world.
In this perspective, many organisations have deployed risk management programmes to identify, assess, and manage risks, using techniques such as risk assessment, scenario analysis, and stress testing as a basis for determining response strategies aligned with the entity's objectives, risk appetite and tolerance.
The recent world economic crisis pointed out two important lessons in the risk management field. The first is related to the continuous attempt of academics and practitioners to research for new approaches to predicting emerging risks and possible disaster scenarios that can irremediably affect operations or business viability. In the recent years top management, especially in the financial sector, paid more attention into sophisticated techniques, able to assure a limited exposure to specific risks, but that, on the other hand, opened to a wider exposure to correlated or systemic risks. As evidence, this approach made companies and the entire global economy more vulnerable than ever (Taleb et al., 2009). The second lesson learnt is that industrial organizations are facing highly differentiated risks, by types and scale, than the ones faced by the financial sector. An example is given by some automotive companies pushed down in the market by the same risks they had assumed for twenty years by generating profits only from energy not efficient vehicles (Kaplan et al., 2010). Moreover, risks affecting customers, employees and long-term viability of the business model are claiming for a wider understanding of risk nature and related correlations. Instead of designing more sophisticated tools to anticipate such catastrophic events, should be urgent a deeper understanding of the nature of operational risks and the development of a more integrated way to address these risks among the entire enterprise levels and entities, in order to foster its resilience and sustainability (Silvestri, 2010).

Evolutions in operational risk analysis and management
The category of "operational risk" was conceived as a composite term for a wide variety of organizational and behavioural risk factors which were traditionally excluded from formal definitions of market and credit risk (Power, 1993). Operational risk is much more than risks related to operations; in fact operations risk is a subset of the operational risks, only including risks related to the production process and planning (Samad-Khan A., 2008).
However the growing attention to operational risks is putting into light that new effort is needed not to merely re-label or codify a well established set of risk factors, but to develop a coherent new body of knowledge for the effective management of a complex phenomenon. The challenge calls for a real integration between professional and scientific contributions and perspectives (Power, 1993;Abbott, 1988).
A still widely used definition of operational risk was firstly proposed in the financial sector: "the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events" (BCBS, 2001). The apparent aim of this definition is to give operational risk a clear and actionable focus on losses, although this definition still leaves open a range of operational risk attributes. For example, in the transportation industry operational risk management was defined by Beroggi and Wallace (1994) as "a decision logic to support individual or group-level reasoning processes in risky, time constrained situations when the need for plan revision arises". Here, the authors focused on the relevance of operational risk management for decision making, but at the same time reduced its scope to real-time or tactical decisions.
The potential targets exposed to operational risks can be identified by considering which company's entities are affected by uncertain events; indeed, operational risk results from the potential disruptions in the core operating, manufacturing or processing capabilities of a generic organisation.
In conclusion, operational risks can be defined as those interactions between an uncertain event and internal organisation's processes and/or resources, with the potential of influencing the core capabilities and resulting in a value variation over a time horizon (Silvestri et al., 2009;Trucco et al., 2010

Classification of Operational Risks
The evolution towards an integrated approach to Operational Risk Management (ORM) raised the need of a comprehensive risk classification. To this end a basic classification of enterprise risks can be firstly considered, with the aim of grouping risk factors into homogeneous clusters as perceived by management and stakeholders (Figure 1). Referring to most frequently adopted risk taxonomies (e.g. Tah & Carr 2001;Chapman, 2006), the basic operational risk categories can be identified as follows:


Technology Risk: potential events in which the risk source is the technology implemented (i.e. poor performance of plants/equipments; failure in selecting a new technology, etc);  Supply chain risk: potential events related to the procurement, expediting, inspection and logistic activities;  Project risk: potential events affecting time, costs and quality objectives within project boundaries;  Environmental risk: potential natural events impacting the area where the system/plant is located;  Occupational risk: potential events affecting the employees health and safety;  Information risk: potential events affecting critical requirements of information flows within the system/plant;  Organizational risk: potential events related to lack of coordination, unclear task/objectives assignment, conflict or high turnover rate among the organization;  Management risk: potential events caused by inadequate management processes or decisions. In these respect the complexity of the organization is the key driver of management risks;  Facility and asset risks: potential events in which facilities or company assets are involved (e.g. fire).

Causal chains and influencing factors in Operational Risk Management
Despite their practical usefulness in allocating risk management responsibilities and simplifying risk reporting, operational risk classifications are largely inadequate to support the optimisation of risk control options, mainly in case of complex relationships among risk factors (e.g., interdependencies and escalation dynamics) or trade-offs between alternative lines of action . Indeed, operational risks are generated or influenced by a large spectrum of technology-, human-and organisational-related factors, that may dynamically combine together in several different ways, through complex and soft relationships that cannot be reduced to simple deterministic cause-effect chains.
Several examples can be raised to clarify this distinguishing nature of operational risks. Globalisation of supply chains and their increasing interconnectedness due to global and highly differentiated companies is an issue of increasing relevance that can be properly tackled only through more complex risk modelling approaches (Mittnik, S. & Starobinskaya, 2010). Similar requirements are needed when the relationships between global supply networks and critical infrastructures (electricity, gas, transportation, telecommunication, ...) are taken into consideration (Ferrari et al. 2011).
Also in project-based operations -e.g. aviation, power generation or oil & gas industriestraditional project risk management techniques (Chapman & Ward, 2003) are no longer sufficient to manage all the risks brought by modern large engineering projects. Indeed, interactions between project teams, company functions, business units and long term programmes create a network of interdependencies where a specific risk raising from a single project may create cascading effects climbing up at higher organisational levels, causing larger consequences than the one estimated at the project level (Silvestri et al. 2011).
In the last couple of decades common awareness on the increasing importance of human factors and organisational culture in shaping operational risks has also strengthen. Examples can be found in the analysis of the influence that safety culture may have on the occurrence of at risk behaviours and on injury rate in workplaces (De Ambroggi et al., 2008;Zhou et al., 2008), or in the increasing number of models proposed in literature to integrate human and organisational risk factors in Quantitative Risk Analysis (QRA) (Mohaghegh, Kazemi & Mosleh, 2009;, Trucco et al. 2008a).
For all that, it comes clear that the effectiveness of Operational Risk Management practices can be improved only by providing the risk identification and risk analysis phases with enhanced risk modelling capabilities, able to take into account all the relevant contributing factors and mutual influences, from the root causes to the final effects. These emerging needs have to face two different but interrelated issues:  the chronic lack of data and information on past events increases the importance of identifying and adopting proper methods to elicit experts' judgements and to assess epistemic uncertainties;  the availability of different advanced risk modelling techniques -such as Bayesian Networks, System Dynamics (Sterman, 2000), Stochastic Petri Nets (Marsan et al. 1995), Fuzzy Cognitive Maps (Kosko, 1986) -foster the need of identifying clear driving criteria in the selection of the most appropriate one, under different risk management problems and application domains.
In the following sections of the chapter we offer a systematic review of the most interesting and relevant applications of Bayesian Networks and Bayesian Belief Networks to different problems in the area of Operational Risk Management. This critical overview is then used to identify and discuss some methodological issues and requirements for the correct adoption of BN in Operational Risk Analysis.

Modelling operational risks with BN: Critical review of the state of the art
"Probability theory is nothing but common sense reduced to calculation" Laplace, 1819.
The main issue in modelling operational risks has to do with the understanding of the functioning of a complex system. It requires the application of inductive logic for each one of the possible way in which a system operates to reach its objectives. Then it is the comparison between the hypothesis formulated in the functional analysis and the observations possible on the way the system actually function that can lead to an evolution of the knowledge regarding the system itself. This knowledge is the only credible base for the understanding and therefore a correct modelling of the system under analysis (Galvagni, 2011).
Therefore, the first feature that should be evaluated in a risk model is the functional analysis form which the modelling process stems.
The use of BBNs in modelling operational risk provides a specific advantage in respect to many other modelling approaches since a BBN is to be structured as a knowledge representation of the problem domain, explicitly including the probabilistic dependence between the main elements of the model and their causal relationship, therefore explicating the analyst's understanding of the problem. This is a key feature for validating the behaviour of the model and its accuracy in reporting to third parties the reality under analysis (Friiis-Hansen, 2000).
Furthermore, another issue that appears to be in common with all projects regarding the assessment of risks embedded in complex systems lays in the lack of consistent data. Example of this are for instance risk assessment studies on industrial plants willing to take into proper account human and organizational factors, where many analysts lament the lack of an adequate dataset for the quantification of the error mechanisms as well as for the contextual and organizational conditions affecting human performance (Straeter, 2004 andFragola, 2000). Aside from this specific example in many operational domains the main issue regarding the assessment of safety and reliability of a system has to do with the scarce availability of data for the main causation factors to be taken into account. When data availability is a considerable issue the use of methods such that of Event Trees and Fault Trees would not be advisable for helping the analyst in the difficult issue of data gathering, especially because some of the data would be collected through the use of experts' judgments (Hensen, 2004). A more suitable method for implementing the main structure of safety assessment, as far as the causation factors for the accidental scenarios are concerned, is represented by the use of Bayesian Belief Networks (BBN). BBN are in fact better suited for representing uncertain knowledge. Further, since BBN approach stems from conditional independence assumptions and strongly relies on graphical representations, it makes it easy to display how the relationship among the variables and therefore the underlying data structure works. In addition, the outcome of compiling a model is the marginal probability distributions of all variables in the domain. Modelling local dependencies in facts amounts to specification of the probabilistic dependence of one variable on other variables. Therefore, even when the marginal distribution of the dependent variable is not known beforehand, it will be provided as a result of the assumptions being made on the causal relationships once the network has been compiled.
The main feature in this respect of BBN is that they allow easy inference based on observed evidence, even when the evidence to be observed is scarce. In fact, if one of the variables in the domain is observed then the probability distributions of the remaining variables in the model are easily updated accordingly. So, if the probabilities of a generic BBN are updateable, given a set of evidences collected from the field, a BBN model of organisational factors involved in accident scenarios might be validated over time, for instance, exploiting information contained in accident/incident reporting systems.
Specific examples where the pros and cons of using BBNs have already been explored are the followings:  Integration of human and organisational risk factors in system safety engineering;  Safety culture analysis and assessment; Integration between Enterprise Risk Management (ERM) and ORM.

BBN and Human and Organizational Factors (HOF) in Probabilistic Risk Analysis (PRA)
BBN are becoming more and more widely used in the current generation of Probabilistic Risk Analysis (PRA), to try and support an explicit representation of the possible impacts of organization and management processes on the safety performance of equipment and personnel (Trucco et al. 2008a).
In the Bayesian statistical framework, a fully quantified BBN represents the prior knowledge for the analyst. However, as already pointed out, the model can be updated using observations (sets evidence) about certain nodes and verifying the impact on the remaining nodes in the network. By setting evidence, an analyst is proving the model with new information (e.g., recent incident events) about the state of the system. And this information can be propagated through the network to produce updated probabilities for all nodes in the model. These resulting probabilities combine both prior information and new evidence. BBNs have been recently used in traditional Probabilistic Risk Analysis by linking BBN nodes to other risk models using the so called Hybrid Causal Logic methodology (Groth et al., 2010;Wang, 2007), which links BBNs to Event Trees and Fault Trees. The use of HCL enables to include soft causal factors, such as human error in more deterministic models, which were more traditionally used for hardware systems.
Furthermore, current HRA methods often ignore the interdependencies and causal relationships among various Performance Shaping Factors (PSFs). While only recently BBNs have been proposed as a way of assessing the interactions among PSFs and the failure modes they are suppose to influence ( Fig. 2; Leva et al., 2006;Groth, 2009).
The model used by Leva et al. (2006)  affecting human performance considering features of the ship that are also observable during a normal training session with the use of a bridge simulator. Thus the time to detect a ship, the time used for planning an action, the probability of taking the wrong decision the probability of performing the wrong execution of a manoeuvre (even if the right plan has been made) and the needed time for manoeuvring the ship have been considered as the primary elements of the operator performance in the model. As most of the Human Reliability Models also the data used for the current example mostly rely on experts' Judgments. However the model was built so as to collect and make use of real observational data (collectable from observations, as, for instance, training sessions) this should be the final test of any model: the verification coming from experience. However as pointed out by  there are a number of technical challenges in developing a predictive model of organizational safety performance most of which have to do with "the absence of a comprehensive theory, or at least a set of principles and modelling guidelines rooted in theory and empirical studies" as the major cause of current lacking of an adequate basis to validate these models. Yet as already pointed out if the probabilities of a generic BBN are updateable given a set of evidences collected from the field, a BBN model of organisational factors involved in accident scenarios for instance might be validated over time exploiting information contained in accident/incident reporting systems. So why is it that this empirical validation is often missing from the literature?
Looking at the characteristics of several HOF models proposed in literature, it seems to us that, in general it is their increasing complexity that mainly impedes to clearly justify modelling solutions, to assure consistency, replicability, and eventually the possibility to sue observation data for validation purposes. This issue might be particularly critical when multiformalism is adopted: limitations posed by the integration of different sub-models often weaken the quality and the detailed specification of single parts of the model and BBNs are therefore often mixed with other modelling formalisms used to model interconnected parts of a final PRA contributing model (e.g. operator model, system model, etc.) (Trucco & Leva, 2010). So the attempt to incorporate an even broader spectrum of soft factors -such as safety culture, climate, management commitment to safety, etc. -requires to develop complex but ambiguous HOF models where the main weakness is the measures of hardly measureable factors, and results in what Dougherty calls an "often obfuscating numerology"(1990).

The use of BBN to assess safety culture
The validity of BBNs in supporting the modelling of safety culture and the evaluation of potential strategies for safety improvement has been demonstrate by Zhou et al. (2008) when they proposed a Bayesian Network (BN) based model aimed at establishing a probabilistic relational network among causal factors, including safety climate factors and personal experience that were thought to have an influence on human behaviour pertinent to construction safety. Zhou et al. (2008) study used the data coming from a survey involving more than 4700 employees at a large construction firm to collect the data to feed the network. The BBN was built around the categories used in the survey based on theoretical models previously developed about the factors affecting safety climate. The results of the study, and consequently the factors to be considered, were revised on the bases of the results of the factorial analysis. The scope of the BBN developed was to support the diagnosis of the state of a safety climate, the diagnostic of main issues and consequently the identification of potential strategies for safety improvement. The use of BBNs for representing, analysing and improving the actual anatomy of company's safety culture and its impact on the expected probability of safe behaviours performed by workers was also used in successive studies (e.g., Trucco et al., 2008b), in some of them the results of the survey were used to find out the Bayesian structure underlying the relationships among socio-technical factors. This is possible through an algorithm called K2 (Cooper & Herskovitz, 1992). The BBNs resulting from the use of the algorithm are then often reviewed by the experts to direct the arcs in the direction that makes more sense in terms of causeeffect relationships (e.g. it is apparent, for example, that the "age of the worker" affects the safety climate and not the reverse) and an underlying theoretical model can also be used as a guiding principle (Figure 3). Trucco et al. (2008b) applied the proposed methodology to identify and analyse the effectiveness of different organizational and behaviour-based measures for improving occupational safety in a leading tractor manufacturer. The BBN representation of the safety culture structure in the manufacturing area is reported in Figure 4. Considering the current setting of systemic factors as assessed by employees (e.g. 27.2% probability of having poor safety climate, 30.8%, for good safety climate and 42% for optimal safety climate), the rate of safe work behaviours was estimated about 93.6%. Even though this value may seem high (6 unsafe behaviours out of 100), the high value of the severity index of incidents occurred at workers operating in manufacturing area suggests the need for an improvement of compliance with safe behaviours.  (Trucco et al., 2008b).

The use of BBN and risk assessment in project management
BBN have been recently applied to quantify the probability of risks affecting success of projects like for instance the probabilities of significant delays (Luu et al., 2008;Wang et al., 2009).
BBNs have in fact been usefully deployed i n t h e a r e a o f d e c i s i o n s u p p o r t u n d e r uncertainties (Bouissou et al., 1997;Ziv & Richardson, 1997). There are many uncertainties in development processes for products of processes like the uncertainties in estimating project completion time, the project needs for supply the quality of the output etc. From experience or from the literature it is to identify the main factors related to delays in projects. The literature can also be specific about the domain the project risk factors relate to, such as construction industry (Assaf et al., 2006), or software development projects (Fan & Yu, 2004) and Hi-Tech industry (Raz & Michael, 2001). However some factors are also in common across the different domains: delay antecedents for instance can be factors caused by clients, contractors, consultants, and designers, or to the main inputs (Materials-, workforce-, and equipment-related factors are input factors); environment-related factors (exogenous factors such as difficult meteorological conditions, changes in government regulations and laws, traffic control etc.); Project-related factors are factors deriving from the project characteristics and the way the process is designed to deliver the desired outcome.
The usefulness of a BBN based approach in assessing the projects associated risks and the likely outcomes can be summarised as follow:  Help to perform continuous risk management using data collected as the project develop to provide a feedback loop to detect and adjust problematic situations , as shown in Figure 5 (Lee et al., 2009).  As already said, the BBNs model can take into account the main uncertainties and provides probabilistic estimates for them. Whenever new evidence is available in the monitoring loop, the new data can be plugged in the related BBNs model to recalculate and update previous estimates.  Moreover a model developed for one project may help identifying and evaluating the relative importance of the significant factors contributing to delay cost overruns in general on the basis of the actual collection of statistical evidence (Luu et al., 2009). This in turns can also help modifying the model itself as belief networks also allows variables to be added or removed without significantly affecting the remainder of the network because modifications to the network may be isolated (

From assessing risks in project management to operations risk management: advantages of BBN approaches
Operational risks have also been defined as risks of human origin that, unlike financial risks that can be handled in a financial manner (e.g. insurances, savings, derivatives), require a more "managerial approach"(Fragniere et al., 2010).
The recent developments in the quantification of Operational Risk has, to a significant extent, been determined by changes in the supervisory regimes for financial institutions. These changes have increased the level of supervisory scrutiny on Operational Risks (OR) and how it is managed by relevant firms has been deeply affected by the high-profiled corporate failures in recent decades. This has determined the development of Operational Risks models as a means to demonstrate good management and financial strength (Cowell et al., 2007). Even in this domain Bayesian Networks offer a way to combine both qualitative and quantitative data and also to meet the requirements of the regulators for measuring OR. As pointed out by Conalba and Giudici (2004) the use of Bayesian networks for operational risk management allows to integrate, via the Bayes' theorem, different sources of information coming from loss data collection, self assessment, industry loss data and opinion of risk managers, to give a unified knowledge. This capacity in turns facilitate the managing of OR (i.e., identification, assessment, monitoring and control/mitigation) and justify decision taken on a more transparent ground, combining the use of retrospective historical data with prospective expectations and opinions so as to evaluate also the Influence of "causal" factors (Cornalba & Giudici, 2004). Summarising, the usage of BNs in modelling OR loss distribution, can have significant benefits for supporting decisions, particularly in capital allocation. Stress and scenario testing are also possible in BBNs allowing the drafting of an early warning system (Figure 6; Yoon, 2003). Fig. 6. Example of the prior distribution assigned to a BBN used for predicting costs derived from operational risks (source: Yoon, 2003).

The use of BBNs to support Enterprise Risk Management
Enterprise risk is normally defined as the possibility that something with an impact on the company objectives happens, and it can be measured in terms of combination of probability of an event (frequency) and of its consequence (impact).
Enterprise risk assessment is a keystone of Enterprise Risk Management (ERM) therefore it is vital for the assessment to be as much as possible grounded on trustworthy assumptions. Bonafede and Giudici (2006) have reported that to estimate the frequency and the impact distributions historical data as well as expert opinions are typically used. distributions are combined to get the loss distribution. In the case of enterprise risk assessment the considered risks can be strategic, operational, legal and political and they are normally difficult to quantify. As for many other domains also in this case it is often easier to gather data from experts' opinions. In this context Bayesian Network are a useful tool to integrate historical data with qualitative or quantitative estimates coming from experts. Example of applications are the use of BBN to examine the risk related to production or distribution or certain products (Pai et al., 2003) or the ones associated to specific decisions in the management of a business like the risk involved in the choice of a supplier or in outsourcing a certain service/activity. The example provided by Lockami and McCormack (2010) for instance is a BBN model that examines the probability of a supplier's revenue impact on a company based upon the supplier's associated network, operational, and external risks. Network, operational, and external risks were determined based upon the a priori probabilities for risk events which directly influence them. Figure 7 reports the network they developed in their study. The nodes named with numbers represent the set of considered potential influencing factors: misalignment of interest (1); supplier financial stress (2); supplier leadership change (3); tier stoppage (4); supplier network misalignment (5); quality problems (6); delivery problems (7); service problems (8); supplier HR problems (9); supplier locked (10); merger/divestiture (11); disasters (12). The model was found useful for supporting outsourcing decisions, develop risk profiles for suppliers so as to analyse current and future outsourcing relationships. However, as noted by the authors, the most important potential limitation to the use of this methodology to assess risks in supply networks is the ability to provide accurate information regarding external risks as reflected in the 12 risk events outlined in the model. In this domain BBN are often used as influence diagrams. An influence diagram is a Bayesian Network used for the scope of solving decision problems and it presents some special features. In an influence diagram two additional types of nodes are included in the network, namely decision nodes (rectangular shaped) and utility nodes (diamond shaped). A decision node defines the action alternatives that the user is considering. Preceding nodes on decision nodes define information available at the time of decisions. Decision nodes may have multiple children, and thus dependent on the choice of action alternative the decision node changes the state of the world. On the other hand utility nodes have no children but are conditioned on probabilistic and/or decision nodes. The utility nodes hold tables of utility for all possible configurations of the outcomes of the parent nodes. The rational basis for decision-making is established by computation of the expected utility (EU) of each of the action alternatives. Being an influence diagram a modified Bayesian Network, evidence can be inserted into the model. Propagating this evidence can give updated expected utilities for all decision variables. Hence as Hensen (2004) points out "the influence diagram serves as a dynamic decision model always showing the optimal strategy, possibly conditional on a set of observations. The optimal plan initially suggested may therefore be altered, as more data becomes available. Moreover, the expected utilities of the non-optimal choices are always available allowing a quantitative comparison of the action alternatives. However it should be noted, that when a Bayesian Network is combined with decision nodes it is essential that the Bayesian Network is modelled as a causal model since in an influence diagram the flow of information can only follow the causal link". However the modelling domains of enterprise risk assessment are often so complex that it is intrinsically difficult to establish clear causal relationship among all the variables at play.

Methodological issues and requirements for BBN applications in risk analysis
Looking at the BBN applications presented in the previous sections it is clear that compared to other analysis tools, they offer several capabilities to a risk analyst that has to face different types of risk factors and mechanisms involved in complex socio-technical system. Moreover, when needed, BBN risk models can be easily reduced to more traditional risk analyses as in the case of structural reliability problems studied through the so-called maxpropagation (Friis-Hensen, 2004); the algorithm returns the most probable configuration of the network given the occurrence of a specified event (hard evidence). When some critical failure events are taken into consideration, the max-propagation algorithm can be used to identify the most probable configuration of the network (system's risk factors) that leads to the occurrence of a specific critical event. If the nodes of the BN are binary variables, the max-propagation directly gives the most dominant cut-set as well as the application of the Fault Tree Analysis (FTA) of the same system.
In the previous paragraphs however we have been mainly focusing on the benefits of using BBN to model operational risk in various domains. Nevertheless, also BBNs have limitations and shortcomings. The adoption of a coherent modelling approach is thus a key element for assuring the relevance, the accuracy and the reproducibility of the risk model. In this regard some issues are worth to be considered:  Before starting to define the topology of the BN model it is very important to fully understand the structure and the dynamics of the system first and the scope of the analysis as well. This statement may be perceived as obvious, but nowadays Bayesian Networks are often built through very intuitive graphical software and it is therefore very easy to get carried away by the graphical modelling, that at the end may be incoherent and misleading;  The model can get highly complex very quickly with many nodes and relationships to be specified -this is especially true when the nodes have many parents. Indeed, the size of a CPT grows exponentially with the number of the parents; for example, a node with five parent variables, defined with only three states, requires the specification of 243 entries for each one of its states. In such a case, there can be too many conditional probabilities to specify -if the maximum likelihood method of prior elicitation is used, significant volume of data might actually be required, thus reducing one of the main advantages of using Bayesian methods;  BBNs pose the problem of trustworthy exert opinion elicitation. Sometimes this would need the deployment of rigorous methodologies in prior elicitation through costly methods, such as the Delphi method which involves many rounds of questionnaires. Another issue can derive from the fact that sometimes the experts are not comfortable in eliciting frequencies (Yoon, 2003);  Last but not least, BBNs generally require that the state space of nodes shall be countable and discrete; thus their application require the discretisation of random variables. Discretisation is not simple and when applied to variables continue in nature, sometimes brings to the definition of many categories and therefore many possible states. This is a downside of BBN strictly connected to the previous issue, i.e. the exponential growth of the number of states and thus of the dimension of CPTs. However, as Friis-Hansen (2004) points out, neither Fault Tree Analysis (FTA) nor Event Traa Analysis (ETA) offer any better alternatives. Cowell et al. (1999) in their book provide useful guidelines on how to deal with these methodological issues.

Conclusions
In the realm of risk assessment of modern complex socio-technical systems, as already mentioned, it is of paramount importance the identification and understanding of all the causal chains leading to disruptions or even destruction of the system. Several internal and external factors of different nature -human, organisational, natural, sociological, politicalmay influence or modulate these cause-effect mechanisms and must be taken into proper consideration. It requires the application of inductive logic for each one of the possible way a system operates to reach its objectives. This knowledge is the only credible base for the understanding and therefore a correct modelling of the system under analysis (Galvagni, 2011). The main advantage provided by the use of BNs in modelling operational risks is that the model itself can be structured as a knowledge representation of the problem, explicitly including the probabilistic dependence between the main elements of the risk model and their causal relationships, therefore explicating the level of understanding achieved by the analyst. This is a key feature for validating the accuracy of the risk model and its reliability in reporting to third parties (Friis-Hansen, 2000).
Furthermore as seen for the case of applications to project risk assessment, BBNs are able to provide a way of comparing the cost of the action to its risk mitigating effect. Similarly, in applications regarding OR it is of great importance to carefully evaluate whether the expected risk reduction for the considered initiative is worth its estimated cost. In the end, being able to provide a more transparent and rational ground to decision makers is really key. Moan (2000) clearly illustrates the benefit of rational evaluations in risk management.
However, as briefly discussed in Section 4, the specification of the structure of a BBN is often subject to debate because based on expert assumptions and/or on theoretical modelling of the reality under analysis, that have not been subject to the test of operational experience. For this reason the tendency is to deploy the BBNs capability of using real data for structural learning -i.e. letting the data speak for itself not just with regards the probability distributions of the variables but even the very structure itself (Yoon, 2003). This is currently a promising research area.