Risk Analysis, Vol. 32, No. 10, 2012 DOI: 10.1111/j.1539-6924.2012.01798.

Perspective

Foundational Issues in Risk Assessment

and Risk Management

Terje Aven

In spite of the maturity reached by many of the methods used in risk assessment and risk man-
agement, broad consensus has not been established on fundamental concepts and principles.
The risk fields still suffer from a lack of clarity on many key scientific pillars. The purpose
of this article is to point to this situation and through some illustrating examples discuss the
challenges that the fields here face. Moreover, the purpose of the article is to reflect on how
to improve the present situation and enhance the risk fields. We argue that the establishment
of some common scientific pillars as well as a strong and continuous research focus on foun-
dational issues are critical success factors. The article specifically addresses the role of the
peer-reviewed journals and the international standards in the fields. We hope that the article
can contribute to a revitalization of the discussion of foundational issues in risk assessment
and risk management.

KEY WORDS: Foundational issues; principles; risk terminology

1. INTRODUCTION how risk is best described.(3,4) It seems that the scien-

tific platforms of the fields are rather shaky.
Risk assessment and management are today in
The purpose of this article is to review and dis-
many respects acknowledged as scientific disciplines
cuss this situation (Section 2) and present some sug-
per se: there are many master and Ph.D. programs
gestions for how to improve it (Section 3). Focus will
worldwide covering the fields, as well as a consider-
be on some rather general issues, in particular, termi-
able number of scientific journals and conferences.
nology and the need for establishing some common
There is also an enormous drive and enthusiasm to
scientific pillars for the risk fields. The part on im-
implement risk management principles and methods
provement measures specifically addresses the role
in organizations, and international standards such as
of the peer-reviewed journals and the international
ISO 31000(1) and the COSO(2) provide guidance on
standards in the field. How can the scientific jour-
the way to proceed.
nals contribute to strengthening the scientific basis
At the same time, any observer of the fields of
of the risk fields? Frequently, we see that the sci-
risk assessment and risk management cannot avoid
entific journals accept papers based on perspectives
noticing that there are a number of diverging ideas
for which the arguments against are massive. Is the
and conceptions of risk out there. Many of these are
reviewing process poor or does the paper screening
related to the foundation of the fields and the use of
process simply reflect that there are many views on
risk assessments, for example, what risk means and
what is a suitable perspective?
Several international standards and guidelines
exist for providing a common understanding of
University of Stavanger, Center of Risk Management and Soci- risk management concepts, principles, and methods.
etal Safety, Stavanger, Norway; terje.aven@uis.no. However, these standards and guidelines have not

1647 0272-4332/12/0100-1647$22.00/1 
C 2012 Society for Risk Analysis
1648
been successful in establishing this common under-
standing. Why is this so? Can measures be taken to
strengthen the ability of the standards to obtain more
authoritative definitions?
Section 4 provides some overall conclusions and
recommendations from the discussion.
2. AN EVALUATION OF THE STATUS OF
THE SCIENTIFIC FOUNDATION OF THE
FIELDS OF RISK ASSESSMENT AND
RISK MANAGEMENT
In this section we will provide a review and dis-
cussion of the scientific foundation of the fields of risk
assessment and risk management, with a focus on ter-
minology and basic principles.
2.1. Terminology
Many attempts have been made to establish
broadly accepted definitions of key terms for the
fields of risk assessment and risk management, for
example, related to the general concepts of risk and
risk analysis. To turn these fields into recognizable
disciplines and professions, many scholars and insti-
tutions have devoted considerable time and effort to
bringing definitions and some sort of unity to the
fields.(5) Their work has been based on the com-
mon conviction that a scientific field or discipline
relies on well-defined and universally understood
terms.
Thompson et al.(5) give an overview of some of
the initiatives taken in this regard by the Society of
Risk Analysis (SRA) from its development in 1980
until 2005. The first attempt occurred soon after the
founding of the SRA, but the group involved found
difficulty in reaching consensus and abandoned its ef-
forts. The work was followed up in the mid 1980s
with the establishment of a special committee, but a
few years later this committee had to conclude that
it found it impossible to reach consensus on terms
such as hazard, risk, risk analysis, risk assess- the effect of uncertainty on objectives. But what does
ment, and risk characterization.
The SRA later defined risk analysis officially
in its vision statement and, with the launch of its
website, it posted a glossary that provided a list of
definitions based on the work of a Definitions Com-
mittee along with a disclaimer about the SRA never
officially adopting and not necessarily endorsing the
terms.(5) According to this vision statement, risk
analysis is broadly defined to include risk assess-
Aven
ment, risk characterization, risk communication, risk
management, and policy relating to risk, in the con-
text of risks of concern to individuals, to public and
private sector organizations, and to society at a local,
regional, national, or global level.
However, to many, risk analysis is a part of risk
assessment; see, for example, ISO,(1,6) which states
that risk analysis is the process to comprehend the
nature of risk and to determine the level of risk, that
is, a completely different understanding of this term
compared to the SRA definition. It is obviously a
very unfortunate situationa source for misunder-
standings and confusion. There are many other defi-
nitions of the term risk analysis,(7) for example, the
one being used by this journal:(8) risk analysis is the
science of evaluating health, environmental, and en-
gineering risks resulting from past, current, or antici-
pated future activities.
There are historical reasons for the SRAs use of
the term risk analysis but it is not difficult to pro-
vide arguments against it: look at any dictionary and
see how the term analysis is defined. There is no
support for this broad SRA definition of risk analysis:
analysis is not about management and communica-
tion. Following this way of thinking, an understand-
ing in line with the one used by ISO(1,6) is more rea-
sonable. Note that according to ISO,(1,6) risk analysis
does not include source (hazard/threat/opportunity)
identification as a part of risk analysis. Many authors
prefer to include this element in their definitions of
risk analysis/assessment.(9,10)
Today, there exists a vast number of definitions
of risk and risk-related concepts.(7,11) The situation
is rather chaotic. Organizations like the SRA have
neither been able to establish consensus on key con-
cepts, nor have the standard organizations. Several
initiatives have been taken recently from the stan-
dard organizations but instead of bringing clarity to
the field, they have introduced new problems and
confusion. Take, for example, the recent ISO stan-
dard on risk management,(1,6) which defines risk as
this mean? Risk has to do with uncertainty, but is it
the effect of uncertainty? And risk is related to objec-
tives, but what if objectives are not defined? Then we
have no risk? Asking experts on risk, it is no doubt
that this definition would lead to numerous differ-
ent interpretations. The definition per se is not suf-
ficiently precise, and one may certainly also ques-
tion its rationale as indicated. Detailed studies(12,13)
have shown that the standard fails in several ways in
Perspective
producing consistent and meaningful definitions of
many of the key concepts covered.
The chaotic situation on terminology will be fur-
ther illustrated by two examples.
2.1.1. Risk Defined as an Expected Value
It is common to define and express risk by the
expected value.(3,1416) But such a perspective can
be challenged, as emphasized by many analysts and
researchers:(3,17) Two probability distributions may
have the same expected values, one with mass cen-
tered around its expected value, the other having
high probabilities for severe outcomes, and clearly
the risk management should be different. For the
latter probability distribution, cautionary measures
like emergency preparedness are normally required
to meet a possible severe outcome if it should in fact
occur. From this line of argument we have to con-
clude that expected values (loss) cannot be adopted
as a general definition of risk, but of course it can be
used as a risk index or metric, and depending on the
situation it can be more or less informative and useful
as such.
2.1.2. Risk Is Restricted to the Case of
Objective Distributions
In economic applications it is common to dis-
tinguish between risk and uncertainty based on the
availability of information. In the case of risk, the
probability distribution of the quantities studied can
be assigned objectively, whereas in the case of un-
certainty these probabilities must be assigned or esti-
mated on a subjective basis.(18) This definition, which
goes back to Knight,(19) is often referred to in the lit-
erature(3) but it is not compatible with most uses of
the word risk in society today.
Economists and others have for a long time
struggled to interpret Knights work from 1921.(20,21)
A number of interpretations of Knights work have
been presented and discussed. Why are we doing
this? It is clear that if we refer to the former situa-
tion as risk and the latter as uncertainty would to terrorist attacks but as discussed in Section 2.1
mean that we exclude the risk concept from most sit-
uations of interest, as objective distributions are rare
in practice. If we adopt the subjective/Bayesian per-
spective on probability, Knights definition of risk be-
comes empty.(3)
Given all this, we unfortunately have to conclude
that the risk fields still lack a proper terminology.
1649
2.2. Risk Assessment and Risk
Management Principles
International standards could be seen as a tool
for obtaining consensus on what are good concepts,
principles, and methods. In Ale et al.(22) a set of stan-
dards on risk management were reviewed, includ-
ing the AS/NZS 4360 Risk Management Standard(23)
and the COSO Enterprise Risk Management Frame-
work.(2) Ale et al.(22) conclude that these standards
are broadly similar when it comes to basic underly-
ing ideas. Considerable agreement exists on the steps
needed for proper risk management: from the defini-
tion of critical functions to risk assessment and risk
control.
The standards on risk management (see e.g.,
ISO(1) ) also address the need for defining principles
for managing risk. These are related to aspects like
transparency, the need for seeing the risk manage-
ment in a broader context of value creation and de-
cision making. There is broad agreement on such is-
sues. However, there is not a requirement related to
fundamental scientific principles for risk assessment
and risk management, although these are critical for
the adequate understanding and use of the standards.
Examples of such principles and issues are (i) the
use of expected values in risk management, (ii) the
precautionary principle, and (iii) how to represent
and deal with uncertainties in risk assessments. For
many of these principles and issues there are diverg-
ing views on their meaning/importance/solution. The
terminology problems pointed to in the previous sec-
tion can often be traced back to disputes about such
principles and issues.
The risk = expected value definition discussed
in the previous section is a good illustration. The in-
teresting issue from a risk management point of view
is to what extent an expected value provides ade-
quate decision support in a practical situation (not
the definition of risk per se). As commented in Sec-
tion 2.1, expected values are often used in risk man-
agement to guide the decisionmakers, although there
are strong arguments against this practice. One can
compute an expected number of fatalities in relation
management could be seriously misguided by using
this value as a basis for the decision making.(24) See
Section 3.2 for some references that present alterna-
tives to the expected value-based approach.
The definition of the precautionary principle is
another illustration of the link between chaos in ter-
minology and strong disagreement on fundamental
1650
principles and issues in risk management. There ex-
ists a number of different definitions of this princi-
ple(25,26) (in particular related to the term scientific
uncertainties) and it is fact that few policies for risk
management have created more controversy than the
precautionary principle. Many researchers and ana-
lysts are skeptical of the precautionary principle as
it is not consistent with rational theories and tools
such as the expected utility theory and cost-benefit
analyses, whereas others acknowledge the need for
the principle to give proper weight to uncertainties
when making decisions under uncertainty.(3)
Then we come to the final example, the treat-
ment of uncertainties in risk assessments. Traditional
statistical analyses based on frequentist probabilities
and confidence intervals to describe variation have
been the basis for a large proportion of the risk as-
sessments carried out since the early days of the risk
field. However, in the 1980s and 1990s quantified
risk assessment (QRA, or probabilistic risk assess-
ment (PRA)) for complex systems and rare events
was rapidly developing and, to analyze and treat un-
certainties of these systems and events, the Bayesian
framework became the preferred framework, in par-
ticular in the nuclear industry.(27)
However, the probability-based approaches to
risk and uncertainty analysis can be challenged.
Many researchers and analysts find these approaches
for assessing risk and uncertainties to be too nar-
row.(4,28,29) Stirling(29) makes his point clear when
stating that using risk assessment when strong knowl-
edge about the probabilities and outcomes does
not exist, is irrational, unscientific, and potentially
misleading.
The critique is partly motivated by the (lack of)
ability of probabilities to represent or express un-
certainties and risk: the risk related to an activity
is more than variations and some analysts subjec-
tive probabilities, which may be based on a more or
less strong background knowledge and lead to poor
predictions of the quantities addressed in the
study.(30) The fundamental argument used is that the
information commonly available in the practice of
risk-uncertainty decision making does not provide a
sufficiently strong basis for a specific probability as-
signment. In addition, in a risk assessment context
there are often many stakeholders, and they may
not be satisfied with a probability-based assessment
expressing the subjective judgments of the analysis
group: a broader risk description is sought.(30)
Based on the above critiques, it is not sur-
prising that alternative approaches for represent-
Aven
ing and describing uncertainties and risk have been
suggested, including imprecise probabilities, random
sets, and possibility theory.(30,31) Work has also
been carried out to combine different approaches,
for example, probabilistic analysis and possibility
theory.(30,32,33)
All these theories produce epistemic-based un-
certainty descriptions and in particular intervals. Al-
though much effort has been made in this area, still
many questions are open related to the foundation
of these approaches and their use in risk and uncer-
tainty decision making.(3438) Many risk researchers
and risk analysts are skeptical of the use of the alter-
native approaches (such as those mentioned earlier)
for the representation and treatment of uncertainty
in risk assessment for decision making, and some also
argue intensively against them.(38)
However, others consider such a perspective as
too restrictive(30) and also welcome research direc-
tions outside the traditional probabilistic framework.
This discussion is related to the issue of risk as-
sessment being a scientific methoda topic discussed
as early as in 1981 by Cumming and Weinberg in
the editorials of the first issue of the journal Risk
Analysis,(39,40) in relation to the establishment of the
SRA. Both editorials conclude that risk assessment
comprises scientific elements but is not a scientific
method per se, as accurate risk estimation and pre-
dictions cannot be obtained in case of large uncer-
tainties. Their reference is obviously the traditional
scientific method, which is the pillar for the natu-
ral sciences. The method is based on the collection of
data through observation and experimentation, and
the formulation and testing of hypotheses. These re-
flections are about 30 years old, but they are still rel-
evant. Risk assessment fails in general as a scientific
method if the traditional scientific method is the ref-
erence.(41) However, risk assessment is also seen as a
tool for representing/expressing the knowledge and
lack of knowledge available(42,43) (for short we just
refer to this aim as uncertainty representations). In
the latter case, the traditional scientific method is ob-
viously not applicable.
If the main task of the risk assessment is un-
certainty representations, we need a measure of un-
certainty. Most risk analysts consider probability to
be the appropriate tool to represent or express such
uncertainties, but as discussed earlier there are dif-
ferent views, and many alternative approaches have
been suggested. An interesting question is to what
extent risk assessment can be viewed as scientific
when uncertainty representation is the aim. A way of
Perspective
analyzing this issue is to use the scientific criteria
of reliability and validity, where the former require-
ment relates to the extent to which the risk assess-
ment yields the same results when repeating the anal-
ysis, and the latter requirement refers to the degree
to which the risk assessment describes the specific
concepts that one is attempting to describe.(41,44) A
detailed discussion of this issue is, however, beyond
the scope of this article, but the topic is important as
it is linked to the ability of probabilities to represent
or describe the uncertainties.
These and other examples(3) demonstrate that
there are diverging views and perspectives on fun-
damental principles of risk assessment and manage-
ment. For the purpose of this article the examples
presented are sufficient for showing that the risk
fields struggle with obtaining some proper scientific
pillars on important issues.
3. HOW TO IMPROVE THE PRESENT
SITUATION?
The previous section has pointed to some severe
problems in the scientific platforms for the fields of
risk assessment and risk management. In this section
we will discuss how these problems can be rectified.
We will discuss the following issues:
(1) The need for being precise on the difference
between the scientific method of risk assess-
ment/analysis and the (scientific) field of risk
assessment (analysis).
(2) The need for distinguishing between the con-
cept of risk and how it is described or
measured.
(3) The need for establishing some common sci-
entific pillars for the risk fields.
(4) The need for more focus on foundational
issues.
(5) The need for improving the reviewing
processes for publication in scientific risk
journals.
(6) The need for a change in the way the interna-
tional standard organizations work.
3.1. The Need for Being Precise on the Difference
Between the Scientific Method of Risk
Assessment/Analysis and the (Scientific) Field
of Risk Assessment (Analysis)
The confusion concerning risk terminology has
many reasons; one of these is the double use of the
1651
terms risk analysis and risk assessment. These
terms may either refer to a specific study to be car-
ried out, or to the scientific field (discipline) with this
name. In the former case we can discuss the issue of
this study being a scientific method, as addressed in
Sections 1 and 2. In the latter case, we are concerned
about the development of concepts, principles, meth-
ods, and models to analyze (assess) risk, and the use
of these in practical contexts.(41,45)
Cumming and Weinberg concluded that risk as-
sessment (QRA) is not in general a scientific method
per se, when the reference is the traditional scien-
tific method (accurate estimations and predictions).
However, as discussed in Section 2.2, a risk assess-
ment is also a tool used to represent and describe un-
certainties, and then other criteria need to be used
to evaluate whether the assessment is a scientific
method, as was commented on in Section 2.2 when
referring to the reliability and validity criteria. A risk
assessment may, to varying degrees, meet the scien-
tific requirements for this purpose, and considerable
research is conducted to fill the gaps.(41)
This fact, that risk assessment struggles to be
accepted as a scientific method, does not, however,
have anything to do with the question whether risk
assessment or risk analysis is a scientific field or disci-
pline. There should, according to the author of this
article, be no doubt that risk assessment (analysis,
management) is actually a scientific field and even a
discipline. The many (highly ranked) scientific jour-
nals and the many study programs at our univer-
sities specifically devoted to these areas justify this
view. The areas face some serious foundational chal-
lenges, as discussed in Section 2, for example, related
to a lack of unity on terminology, but this does not
change the conclusion that risk assessment (risk anal-
ysis, risk management) is a scientific field/discipline;
it is, for example, based on the same type of universal
scientific criteria as other fields/disciplines for the
judgment of the quality of its scientific publications.
3.2. The Need for Distinguishing Between the
Concept of Risk and How It Is Described
or Measured
As pointed to in Section 2, there are many di-
verging views on how to understand the risk concept.
The author of this article believes that clarifications
and a logic structure for defining risk require that we
distinguish between the concept of risk and how it
is described or measured. As an analogy, consider
the concept distance. We can formulate a general
1652
qualitative definition of this concept but there are as
we know many different ways of measuring distance.
By such a dichotomy we can avoid risk being
identified by, for example, an expected value. An
expected value can be an informative risk metric in
some cases, but cannot serve as a general definition
of risk. The dichotomy stimulates a continuous focus
on the suitability of the tool used in measuring the
concept we study.
Based on such ideas a general conceptual risk
framework can be established.(41,43,46,47) A key point
is that risk captures consequences of an activity as
well as uncertainties (we do not know what the con-
sequences will be), and risk description or measure-
ments specify a set of consequences and use a mea-
sure of uncertainty. The background knowledge that
this measure of uncertainty is based on also needs
to be included in this description. For a summary of
arguments why it is necessary to see beyond prob-
ability to represent/express the uncertainties, see
Aven.(47)
The point made here is of theoretical impor-
tance, but it also has implications for risk manage-
ment and decision making. The above perspective
on risk is consistent with the view that decision
making under risk and uncertainties should be risk-
informed, not risk-based. The risk numbers do not
prescribe what to do, how to treat risk. This view
is supported by many analysts and researchers in
the risk fields.(28,42) Yet risk assessment consultants
and the formal decision making on the regulation of
risk remain relatively unaffected by this recognition
(Stirling,(48) p. 100). The risk-based approach is com-
mon in practice, and the literature includes a vast
number of theories and methods, as well as applica-
tions based on this thinking. An example is the use of
risk acceptance criteria where an activity is consid-
ered unacceptable if the accident probability exceeds
a predefined level.(49)
This practice is linked to the understanding of
the concept of risk. Following an approach where risk
is identified with, for example, a probability or an ex-
pected value, it is not a long step to risk-based think-
ing. On the other hand, if a perspective as outlined
earlier is adopted where we distinguish clearly be-
tween the concept of risk and how it is described or
measured, there are reasons to believe that a more
humble attitude toward knowing the truth about risk
will emerge. The risk-informed thinking becomes a
part of the conceptual framework, which should in-
crease the likelihood for proper implementation in
practice. Following this view QRA/PRA methods are
Aven
recognized as useful tools for understanding phe-
nomena and describing risk, but due attention also
has to be placed on the boundaries and limitations
of these methods. A key point is the problem of ad-
equately representing and characterizing the uncer-
tainties, as discussed in Section 2.2.
The risk-basedrisk-informed issue is of course
also about other matters, in particular the risk man-
agers and the risk analysts mindset concerning the
use of risk assessments in the decision-making pro-
cess, as was clearly formulated by one of the review-
ers of an earlier version of this article.
Too many risk managers want to be absolved of
the responsibility for having to make decisionsthey
want a risk-based approach in which their actions
are dictated by risk assessments. Then, if their actions
turn out to be wrong (poor), they can claim absolu-
tion on the basis that We did what the numbers told
us to do. If the numbers were wrong, its the analysts
fault. Risk analysts, for their part, too often lack suf-
ficient analytic humility and fall into the trap of trying
to give answers with far greater certainty than can be
justified.
Adopting a risk perspective, as outlined earlier,
such a mindset may not disappear, but it would be
more difficult to adopt as there would be no justifica-
tion for it in the way risk is understood.
3.3. The Need for Establishing Some Common
Scientific Pillars for the Risk Field
The lack of consensus on basic terminology and
principles is an unacceptable situation. The situa-
tion is chaotic and leads to poor communication. It
also hampers effective risk management as well as
the development of the risk field, as many of these
definitions and interpretations lack proper scientific
support and justification, as illustrated by, for exam-
ple, the use of the risk = expected value thesis in
Section 2.2.
Of course, business needs a different set of risk
methods and models than, for example, medicine and
engineering. There is, however, no reason why these
areas should have completely different perspectives
on how to think when studying risk and uncertainty,
when the basic challenge is the sameto conceptu-
alize that the performance of a system or an activ-
ity could lead to consequences (outcomes) different
from those desired and planned, or not in line with
stated objectives.
Establishing some basic pillars for the risk field
means to agree on some fundamental terminology
Perspective
and principles, as well as pointing to misconceptions.
This should, however, not in any way be seen as a
way of limiting critical analysis and research. On the
contrary, identifying the proper pillars requires anal-
ysis and research, and the debate should not cease
even though some form of consensus is achieved. We
know from the history that what has been seen as a
truth for a long time can later be questioned and then
rejected.
The author of this article (encouraged by a re-
viewer of an earlier version of this article) suggests
that a new initiative is taken by the SRA to convene
a senior expert group to tackle the definitional and
other fundamental issues head-on. Such an author-
itative panel that provided an imprimatur could re-
vitalize the debate on key issues and hopefully con-
tribute to institutionalizing improved thinking. His-
tory shows that it is difficult to obtain consensus, but
previous attempts go many years back. Now the fields
of risk assessment and risk management are more
mature, and new insights have been obtained con-
cerning the pros and cons of different definitions and
perspectives. Also, new conceptual frameworks have
been established, such as the one outlined in Sec-
tion 3.2. A new generation of risk researchers has
entered the scene and they may have a different
attitude to some of the problems raised some 20
30 years ago.
3.4. The Need for More General Focus
on Foundational Issues
Most papers published in the field of risk as-
sessment and management are method and proce-
dure oriented. Foundation and reliability and va-
lidity issues are not focused on very much. Look,
for example, at recent issues of the most recog-
nized journals in the risk field. Very few articles
are addressing general foundational issues. The typ-
ical paper presents a new method for solving a
specific problem or provides insight to a specific
problem. There is of course nothing wrong with such
papers, but we also need papers of more fundamen-
tal character, where the frameworks and concepts
adopted are being scrutinized. How often do we see
such papers? Not often. For example, probabilities
are often introduced without explaining their mean-
ing. Consider, for instance, the terrorism risk case. A
probability p of an attack is defined and the issue of
estimation is considered. However, this means that
a certain framework is tacitly understood, namely,
that p has a true value and in practice this means
1653
that it must be given a relative frequency interpreta-
tion;(50,51) we need to construct an infinite large popu-
lation of thought-constructed repeated experiments,
similar to the one studied. This is, however, impossi-
ble to doa frequentist probability of an attack has
no meaning.(26)
From a statistical point of view we may be con-
cerned about the estimation procedures of p, but
from a risk assessment and risk management per-
spective we need to see beyond this: Is the concept
we study well defined and an adequate index for the
purpose of the assessment and decision problem at
hand? These questions are the interesting ones seen
from a risk assessment and risk management per-
spective, but are not so interesting from a purely sta-
tistical point of view.
Special journal issues on foundation topics are a
means to obtaining increased focus on scientific pil-
lars of the risk field/disciplines. And from time to
time such issues have been published; see, for exam-
ple, the special issues of Reliability Engineering and
System Safety.(52,53) However, the intensity and ex-
tensions of such issues are rather limited. More ini-
tiatives should be taken, in particular by the journal
editors, but also by leading scientists, to encourage
the development of such issues, where in-depth dis-
cussions are provided on fundamental topics in risk
assessment and risk management.
Initiatives such as the one indicated in the previ-
ous section (the panel of experts) do not replace the
need for further papers and research on fundamen-
tal issues. For such a panel to be able to succeed it
must be supported by a sufficiently mature research
community and this can only be achieved if funda-
mental issues have been thoroughly discussed in the
scientific literature.
3.5. The Need for Improving the Reviewing
Processes for Publication in Scientific
Risk Journals
The normal procedure for reviewing a paper is
that two or three experts give their independent eval-
uation of the paper submitted as a basis for the
editor to conclude on acceptance, revision, or rejec-
tion. The reviewers for a risk assessment and/or risk
management paper often have different backgrounds
and scientific competences. Some are, for example,
experts in statistical methods, some in risk-related
topics directed at specific applications, and others
in social sciences. If a statistical or method-oriented
paper is submitted, the justification of a thesis like
1654
risk = expected values is not given much atten-
tion. A statistician reviewing the paper may not be
aware that this thesis is problematic, as his or her
competence is more in probabilistic and statistical
procedures and methods, and not so much in risk
management principles. In the case of a more applied
work, the reviewers may focus most on the practical
aspects and implications of a proposed method, and
pay less attention to the fundamental issues. The fact
that risk assessment and risk management are based
on many other scientific disciplines makes this point
especially relevant. The reviewers may only be ex-
perts in some of the areas covered by the paper be-
ing reviewed. This makes it particularly difficult to
review papers in this field. Another challenge is re-
lated to the necessity of seeing the assessment in a
broader decision-making context: a perfect analy-
sis may not meet the risk managers information and
decision-support needs. Not so many reviewers are
able to evaluate the papers from such a perspective.
Some reviewers, in particular social scientists,
may also be reluctant to disregard a specific risk per-
spective. The attitude is that we should allow for
many types of risk perspectives: one should avoid
saying that a perspective is not appropriate.
Given these challenges, what can we then do for
improving the reviewing process?
The selection of reviewers is essential for en-
suring the scientific quality of the papers. At mini-
mum, one reviewer should have broad competence
in the risk assessment/management fieldsome may
have specialized competence, but the main reviewers
should be experts in risk assessment/management.
Broad competence would mean, for example, that
the reviewers have an understanding of, for example,
common risk perspectives, including Knights think-
ing, Bayesian ideas, etc. Seeing this field (these fields)
as a scientific discipline (scientific disciplines) per se,
some basic pillars for the discipline(s) should be iden-
tified. What is suggested is that the journals in the
field develop documents summarizing their scientific
basis, and use these documents as guidelines for all
reviewers and editors. It is expected that the con-
tent of these documents would vary from journal to
journal, reflecting the different paradigms that the
journals support. Through the process of establish-
ing such documents, we may obtain consensus on
some issues and clarify those where there are dif-
ferent views. There must of course always be room
for papers that challenge the accepted wisdom. To
develop the documents, the editors should initiate
broad processes to ensure that the results are rooted
Aven
in the community (communities). These processes
would also stimulate the focus on foundational is-
sues, which is important in itself, as discussed earlier.
One of the reviewers of an earlier version of this
article indicated some other potential measures re-
lated to the reviewing process: putting reviews online
and allowing for informal reviews to expand online
after publication, as well as identifying the expertise
of the reviewers of the article so that the readers will
know which aspects of the article have in fact been
examined.
3.6. The Need for a Change in the Way the
International Standard Organizations Work
It is not difficult to point to many examples
where the international standards and guidelines fail
in providing consistent and meaningful definitions of
key concepts. We refer to Section 2 where the use
of standards was briefly discussed, and reference was
made to the review by Ale et al.(22) According to this
review, all the studied risk frameworks are based on a
likelihood and consequence description of risk, that
is, all acknowledge the need for seeing beyond ex-
pected values in risk management. Hence, we can
conclude that the risk = expected values thesis is
rejected by these standards. Given this fact, it is even
more surprising that we see the risk = expected val-
ues thesis still being adopted by so many researchers
and analysts today. A full clarification of the proba-
bilistic framework is, however, not obtained as the
standards are not precise on the meaning of proba-
bilities and uncertainties.
One may question the processes that are in-
volved in the development of such standards when
looking at the ISO(1,6) definition of risk: risk is
the effect of uncertainty on objectives, discussed in
Section 2.1. These processes are obviously difficult
as there are many different views and perspectives
out there. Seeing suggestions like the one mentioned
above (the ISO definition of risk), one may question
the judgments made by the standardization commit-
tee. One may also question why many of the worlds
leading experts on risk are not involved in these pro-
cesses. Attempts should be made to improve the links
between the scientific risk communities and organi-
zations like ISO.
As pointed to by one of the reviewers of this
article, the existence of standard organizations may
in fact represent a barrier for consensus building
processes on terminology: the possibility of unify-
ing different stands is reduced when a definition is
Perspective
approved. Yes, this is true and underlines the impor-
tance of having proper standardization processes.
4. CONCLUSIONS AND
RECOMMENDATIONS
Here are some of the main conclusions and rec-
ommendations made in the article:
It is important to distinguish between the sci-
entific method of risk assessment and the (sci-
entific) field of risk assessment.
Risk assessment (QRA) is not in general a sci-
entific method per se, when the reference is the
traditional scientific method (accurate esti-
mations and predictions).
If the aim of the risk assessment is to represent
and describe uncertainties, other criteria need
to be used to evaluate whether the assessment
is a scientific method. What criteria should ap-
ply and the degrees to which they are met,
are important topics being discussed in the
literature.
Although facing some serious foundational
challenges, risk assessment can be viewed as
a scientific field/discipline covering the devel-
opment of concepts, principles, methods, and
models to assess risk, and the use of these in
practical contexts.
The risk fields are characterized by a lack of
clarity on many concepts and principles. There
is a strong need for establishing some common
scientific pillars for the risk fields.
It is essential to distinguish between the con-
cept of risk and how it is described or mea-
sured. Risk as a concept should not be founded
on one specific measurement tool.
The SRA should revitalize its work on founda-
tions and establish a group of experts to discuss
and clarify issues related to fundamental defi-
nitions and principles.
The leading journals in the risk fields should
encourage more contributions focusing on
foundational issues to refute obvious unfortu-
nate conceptions.
The journals should develop documents show-
ing the scientific pillars of the fields to guide
reviewers and editors in the paper-reviewing
processes.
Experts in the risk fields should be more in-
volved in standardization committees to en-
sure that the directions supported by the stan-
1655
dards are in line with the best competence and
knowledge available.
ACKNOWLEDGMENTS
The author is grateful to several anonymous re-
viewers for their useful comments and suggestions to
earlier versions of the article.
REFERENCES
1. Risk Management: Principles and Guidelines, ISO 31000:
2009.
2. Enterprise Risk Management Framework. Committee of
Sponsoring Organizations (COSO), 2004. Available at:
http://www.coso.org/guidance.htm, Accessed 18 February
2012.
3. Aven T. Misconceptions of Risk. Chichester, UK: Wiley,
2010.
4. Aven T. Selective critique of risk assessments with recom-
mendations for improving methodology and practice. Relia-
bility Engineering and System Safety, 2011; 96:509514.
5. Thompson KM, Deisler Jr. PH, Schwing RC. Interdisci-
plinary vision: The first 25 years of the Society for Risk
Analysis (SRA), 19802005. Risk Analysis, 2005; 25:1333
1386.
6. Risk managementVocabulary. ISO Guide 73:2009.
7. IRGC (International Risk Governance Council). Risk Gover-
nance: Towards an Integrative Approach, White Paper No. 1,
O. Renn with an Annex by P. Graham. Geneva, Switzerland:
IRGC, 2005.
8. Risk Analysis: An International Journal Website, Aims
and Scope. Available at: http://www.wiley.com/bw/aims.
asp?ref=02724332&site=1, Accessed 25 January 2012.
9. Modarres M, Kamiskiy M, Krivtsov V. Reliability Engineer-
ing and Risk Analysis. New York: Taylor & Francis, CRC
Press, 1999.
10. Aven T. Risk Analysis. Chichester: Wiley, 2008.
11. Aven T, Renn O. On risk defined as an event where the out-
come is uncertain. Journal of Risk Research, 2009; 12:111.
12. Leitch M. ISO 31000, 2009: The new international standard
on risk management. Risk Analysis, 2010; 30(6):887892.
13. Aven T. On the new ISO guide on risk management terminol-
ogy. Reliability Engineering and System Safety, 2011; 96(7):
719726.
14. Willis HH. Guiding resource allocations based on terrorism
risk. Risk Analysis, 2007; 27(3):597606.
15. Lirer L, Petrosino P, Alberico I. Hazard assessment at vol-
canic fields: The Campi Flegrei case history. Journal of Vol-
canology and Geothermal Research, 2001; 112:5373.
16. Verma M, Verter V. Railroad transportation of dangerous
goods: Population exposure to airborne toxins. Computers &
Operations Research, 2007; 34:12871303.
17. Haimes YY. Risk Modelling, Assessment, and Management,
2nd ed. New York: Wiley, 2004.
18. Douglas EJ. Managerial Economics: Theory, Practice and
Problems, 2nd ed. New Jersey: Prentice Hall, 1983.
19. Knight FH. Risk, Uncertainty and Profit. Washington, DC:
BeardBooks, 1921, Reprinted 2002.
20. Langlois RN, Cosgel M. Frank Knight on risk, uncertainty,
and the firm: A new interpretation. Economic Inquiry, 1993;
XXXI:456465.
21. Runde J. Clarifying Frank Knights discussion of the mean-
ing of risk and uncertainty. Cambridge Journal of Economics,
1998; 22:539546.
1656
22. Ale B, Aven T, Jongejan RB. Review and discussion of ba-
sic concepts and principles in integrated risk management.
Pp. 421427 in Bris R, Soares SG, Martorell S (eds). Reliabil- 36.
ity, Risk and Safety, Theory and Applications. London: CRC
Press, Taylor & Francis Group; 2009. 37.
23. Risk Management Standard, AS/NZS 4360, 2004. Sydney:
Standards Australia International Ltd.; Wellington, New 38.
Zealand: Standards New Zealand, 2004.
24. Aven T, Renn O. The role of quantitative risk assessments for 39.
characterizing risk and uncertainty and delineating appropri-
ate risk management options, with special emphasis on terror- 40.
ism risk. Risk Analysis, 2009; 29:587600.
25. Sandin P. Dimensions of the precautionary principle. Human 41.
and Ecological Risk Assessment, 1999; 5:889907.
26. Aven T. On different types of uncertainties in the context of 42.
the precautionary principle. Risk Analysis, 2011; 31(10):1515
1525. With discussion 15381542. 43.
27. Apostolakis G. The concept of probability in safety assess-
ments of technological systems. Science, 1990; 250:13591364.
28. Renn O. Three decades of risk research: Accomplishments 44.
and new challenges. Journal of Risk Research, 1998; 1:4971.
29. Stirling A. Science, precaution and risk assessment: Towards 45.
more measured and constructive policy debate. European
Molecular Biology Organisation Reports, 2007; 8:309315. 46.
30. Aven T, Zio E. Some considerations on the treatment of un-
certainties in risk assessment for practical decision-making. 47.
Reliability Engineering and System Safety, 2011; 96:6474.
31. Dubois D. Representation, propagation and decision issues in
risk analysis under incomplete probabilistic information. Risk 48.
Analysis, 2010; 30:361368.
32. Baraldi P, Zio E. A combined Monte Carlo and possibilistic 49.
approach to uncertainty propagation in event tree analysis.
Risk Analysis, 2008; 28:13091325.
33. Baudrit C, Dubois D, Guyonnet D. Joint propagation of prob- 50.
abilistic and possibilistic information in risk assessment. IEEE
Transactions on Fuzzy Systems, 2006; 14:593608.
34. Cooke R. The anatomy of the squizzel. The role of opera- 51.
tional definitions in representing uncertainty. Reliability En-
gineering and System Safety, 2004; 85:313319.
35. Smets P. What is Dempster-Shafers model? Pp. 534 in 52.
Yager RR, Fedrizzi M, Kacprzyk J (eds). Advances in the 53.
Aven
Dempster-Shafer Theory of Evidence. New York: Wiley,
1994.
Lindley DV. The philosophy of statistics. Statistician, 2000;
49(3):293337.
Bernardo JM, Smith AFM. Bayesian Theory. Chichester, UK:
Wiley, 1994.
North W. Probability theory and consistent reasoning. Risk
Analysis, 2010, 30:377380.
Cumming RB. Is risk assessment a science? Risk Analysis,
1981; 1:13.
Weinberg AM. Reflections on risk assessment. Risk Analysis,
1981; 1:57.
Aven T. Quantitative Risk Assessment: The Scientific Plat-
form. Cambridge: Cambridge University Press, 2011.
Apostolakis GE. How useful is quantitative risk assessment?
Risk Analysis, 2004; 24:515520.
Aven T. A new scientific framework for quantitative risk as-
sessments. International Journal of Business Continuity and
Risk Management, 2009; 1:6777.
Aven T, Heide B. Reliability and validity of risk analysis. Re-
liability Engineering and System Safety, 2009; 94:18621868.
Aven T. Risk analysis and science. International Journal of
Reliability, Quality and Safety Engineering, 2004; 11:115.
Aven T. On how to define, understand and describe risk. Re-
liability Engineering and System Safety, 2010; 95:623631.
Aven T. The risk concept. Historical and recent develop-
ment trends. Reliability Engineering and System Safety, 2012;
99:3344.
Stirling A. Risk at a turning point? Journal of Risk Research,
1998; 1:97109.
Aven T, Vinnem JE. On the use of risk acceptance criteria in
the offshore oil and gas industry. Reliability Engineering and
System Safety, 2005; 90:1524.
Kujawski E, Miller GA. Quantitative risk-based analysis
for military counterterrorism systems. Systems Engineering,
2007; 10:273289.
Garrick BJ, et al. Confronting the risks of terrorism: Mak-
ing the right decisions. Reliability Engineering and System
Safety, 2004; 86:12976.
Reliability Engineering and System Safety, 1988; 23(4).
Reliability Engineering and System Safety, 1996; 54 (23).