DECLG Department of the Environment Community and Local Government, March 9, 2012. New Smoky Coal Ban Regulations will bring Cleaner Air, Fewer Deaths and can help efficiency

DECLG Department of the Environment Community and Local Government, March 9, 2012. New Smoky Coal Ban Regulations will bring Cleaner Air, Fewer Deaths and can help efficiency

Gelfand S. Clinical equipoise: actual or hypothetical disagreement? J Med Philos. 2013 Dec;38(6):590-604. doi: 10.1093/jmp/jht023. Epub 2013 Jul 22.

Hart A. 2005. Adaptive heuristics. Econometrica, 73(5):1401-1430.

http://www.math.huji.ac.il/~hart/papers/heurist.pdf

Harvard School of Public Health, 2002. Press Release: “Ban On Coal Burning in Dublin Cleans the Air and Reduces Death Rates” www.hsph.harvard.edu/news/press-releases/archives/2002-releases/press10172002.html

Hazan E, Kale S. 2007. Computational Equivalence of Fixed Points and No Regret Algorithms, and Convergence to Equilibria. Advances in Neural Information Processing Systems 20: 625-632

Health Effects Institute (HEI). 2013. Did the Irish Coal Bans Improve Air Quality and Health? HEI Update, Summer, 2013. http://pubs.healtheffects.org/getfile.php?u=929. Last Retrieved 1 February 2014.

Hershey JC, Kunreuther HC, Schoemaker PJH. 1982. Sources of Bias in Assessment Procedures for Utility Functions. Aug Management Science 28(8): 936-954.

Hoy M, Peter R, Richter A. 2014. Take-up for Genetic Tests and Ambiguity. Journal of Risk and Uncertainty, 48 (forthcoming) http://egrie2013.org/wp-content/uploads/richard.peter_.pdf

Jaksch T, Ortner R, Auer P. Near-optimal regret bounds for reinforcement learning. Journal of Machine Learning Research. 11(2010): 1563-1600.

Josephs RA, Larrick RP, Steele CM, Nisbett RE. Protecting the self from the negative consequences of risky decisions. J Pers Soc Psychol. 1992 Jan;62(1):26-37.

Kahneman D. Thinking Fast and Slow. 2011. Farrar, Straus, and Giroux. New York, New York.

(Eds.), The Cambridge handbook of thinking and reasoning (pp. 267-293). New York: Cambridge

University Press.
Kahneman D, Knetsch JL, Thaler RH. 1991. Anomalies: The Endowment Effect, Loss Aversion, and Status Quo Bias. The Journal of Economic Perspectives, 5(1), pp. 193-206, Winter 1991
Kahneman D, Tversky A. 1984. Choices, values and frames. American Psychologist, Apr. 39:341-350.
Kahneman D, Tversky A 1979. Intuitive prediction: biases and corrective procedures. TIMS Studies in Management Science 12: 313–327.
Keren G, Gerritsen, LEM. 1999. On the robustness and possible accounts of ambiguity aversion Acta Psychologica, 103(1-2):0149 - 172
Kralik JD, Xu ER, Knight EJ, Khan SA, Levine WJ. 2012. When less is more: Evolutionary origins of the affect heuristic. PLoS ONE 7(10): e46240. doi:10.1371/journal.pone.0046240
Lehrer J. Trials and errors: Why science is failing us. Wired. January 28, 2012. http://www.wired.co.uk/magazine/archive/2012/02/features/trials-and-errors?page=all

Li J, Daw ND. Signals in human striatum are appropriate for policy update rather than value prediction. J Neurosci. 2011 Apr 6;31(14):5504-11. doi: 10.1523/JNEUROSCI.6316-10.2011.

http://classwebs.spea.indiana.edu/krutilla/v541/Benfit-Cost%20Guide.pdf

Chapter 13

This chapter, which is a slight update of Paté‐Cornell and Cox (2014), identifies common blame-shifting “lame excuses” for poor risk management. These generally contribute little to effective improvements and may leave real risks and preventable causes unaddressed. We propose principles from risk and decision sciences and organizational design to improve results. These start with organizational leadership. More specifically, they include: deliberate testing and learning – especially from near-misses and accident precursors; careful causal analysis of accidents; risk quantification; candid expression of uncertainties about costs and benefits of risk-reduction options; optimization of trade-offs between gathering additional information and immediate action; promotion of safety culture; and mindful allocation of people, responsibilities, and resources to reduce risks. We propose that these principles provide sound foundations for improving successful risk management.

Psychologists, however, have convincingly documented that both prospective risk assessment and retrospective blame assignment are often flawed by various heuristics and biases (e.g., Kahneman, 2011), as discussed in Chapter 12. In assessing risky prospects and projects, several classic fallacies have been identified in the literature. People systematically tend to over-estimate benefits and under-estimate costs (the planning fallacy)³. Optimistic bias leads some to accept risky prospects that they might reject if their expectations and perceptions were more accurate (illusion of control and overconfidence). In retrospect, they may believe that whatever happened was inevitable (hindsight bias). They may prefer to continue with systems and assumptions in which large investments have already been made, rather than acknowledging, in light of new experience, that they are flawed and should be updated (sunk-cost bias).They may also blame bad luck and other people for undesired outcomes while attributing success to their own skill and efforts (self-serving bias), and altogether distort their understanding of what happened and why. Yet, identifying mistakes and their fundamental causes after a failure or a near-miss is key to learning effectively about what went wrong and how to do better in the future (Paté-Cornell, 2009). Therefore, to learn from costly experience how to improve risk management, it is essential to do realistic post-mortems, and not to let the opportunities for learning dissipate in a cloud of evasion and misdirection. Accordingly, this paper focuses on a set of well-worn “lame excuses” often advanced to justify the decisions and behaviors that preceded catastrophic failures of complex systems. It then proposes some principles to improve risk assessment and management by cutting through these excuses to identify needed changes in design, operations, and culture.

• 
  “It was not our job: we were not paid for it”, or “it was not our responsibility to report the deterioration of the structure or design errors that threaten its integrity.”
  

This kind of reasoning can be attributed to poor safety culture and the detachment of the individuals from the proper functioning of an organization or a system. Misplaced faith in the status quo encourages us to accept how things are and how work gets done until something breaks badly enough to force us to recognize that we should have made changes sooner (Hammond et al., 1998).

• 
  “It was an act of God”, implying that natural forces were involved that are uncontrollable and therefore the blame cannot be put on any human being.
  

• 
  “It was a black swan” meaning that it was both unprecedented and unimaginable before the fact.
  

This one has become a favorite excuse after Taleb’s 2007 book comparing unimaginable (or, at least, unanticipated) events to the discovery of black swans in the 17^th century by Dutch sailors who, until then, had seen only white ones (Taleb, 2007). Intended by the author to explain financial crises that only a few had seen coming, it has become a much-used descriptor for events such as the attack on the US on 9/11/2001. Yet, an attack on the world trade center had occurred in 1993 and FBI agents had detected suspicious flying training in the preceding months⁴. With preparation, vigilance, and effort, much more is reasonably foreseeable than might be expected (Russo and Schoemaker, 1990).

• 
  “It was a perfect storm”, i.e., it required such a rare conjunction of unlikely events that it seemed that it could be safely ignored.
  

This phrase became popular after the publication of a book and the release of a movie describing a convergence of several storms in the Northern Atlantic in 1991, in which a ship sank and the crew perished. Such conjunctions of unusual conditions, although individually rare, are collectively quite common (Paté-Cornell, 2012); but their probabilities are often underestimated because dependencies are unrecognized or misunderstood. In technical systems, these conjunctions sometimes come from common causes of failure such as external loads (e.g., extreme winds) or human errors that affect the whole system (e.g., flawed maintenance of all engines of an aircraft). They happen regularly in the economic sector and in supply chains, for instance, if difficult market situations and lean inventories are compounded by a natural catastrophe (independent events in this case). They are even more likely to occur in the financial industry or other tightly coupled organizations where the failure of one institution may have devastating effects on related ones. This may occur for instance, because the failure factors are economically and statistically dependent (risk “contagion”), or because psychological reactions to one event are likely to cause further failures (bank runs).

• 
  “It never did that before” (e.g., “the system had not blown up yet in previous near-misses, so, we thought that we were fine”).
  

Ignoring near-misses and considering them successes is a classic reaction. Indeed, responding effectively to prevent near-misses from developing into full-blown catastrophes may reflect competence in managing hazardous situations and be a justifiable source of pride and confidence⁵. Yet, interpreting near-misses as justification for complacency can make one miss potentially valuable lessons. This was the case, for example, of tire blowouts on the SST Concorde, which had happened 57 times before a piece of rubber from one of them punctured the fuel tank and caused the death of everyone on board in July 2000 (BEA, 2001)⁶.

• 
  “Those in charge did not know, and could not reasonably have known, what was about to happen”.
  

Excusable ignorance is a common plea in organizations that fail to pass messages, especially bad news, from the front lines to decision makers higher in the hierarchy. Indeed, “plausible deniability” is sometimes sought as a way to deflect responsibilities from top decision makers. Clearly, many signals are gathered every day and organizations need some filters to function effectively (Lakats and Paté-Cornell, 2004). Incentives sometimes are such that an agent can rationally take shortcuts to meet a resource constraint rather than bringing the problem to the attention of the principal (Paté-Cornell and Garber, 2012). Ineffective elicitation and use of the information known to the members of an organization is both common and costly when the objective should be to align the goals of the employees and those of the organization. Therefore, changing incentives and procedures of deliberations and decisions can do much to elicit, exploit, and reward information that might otherwise remain hidden (Russo and Schoemaker, 1989).

• 
  “We did not know that things had changed so much”
  

• 
  “It was permitted and convenient, so we did it.”
  

This was the case for instance, of the design of the Piper Alpha platform, where, against common sense, the control rooms had been located above the production modules (Paté-Cornell, 1993) for the convenience of operators who could easily go from one to another. Yet, an explosion in the production modules could (and eventually did) destroy possibilities of controlling the situation.

• 
  “We took every reasonable precaution and followed standard operating procedure.”
  

This would be a convincing excuse if the precautions and standard operating procedures were effectively applied to the situations for which they were intended. Yet, as potential catastrophes begin to unfold, the system, the environment, or the situation may changein ways that make the standard procedures and precautions inadequate. Blind rule-following may be disastrous if the assumptions behind the rules no longer hold. Deterioration, for example, affects automobile safety as well as that of airplanes, especially when maintenance on schedule fails to address some obvious parts such as the fuselage of an aircraft⁷ and when there is not sufficient latitude for maintenance on demand. A quick shift from standard to crisis operation mode and creative improvisation to respond to the new and unforeseen situation may then be essential to avert a disaster (Harford, 2011).

• 
  “Everybody does it”
  

The everybody-does-it-defense, commonly used by teenagers, implicitly assumes that it is no one’s obligation to examine current status quo practices and their implications, especially in a changing environment (Hammond et al., 1998) and that imitating others justifies one’s actions. Heedless imitation and herd-following behavior can, of course, multiply the consequences of failure if tight technological couplings make imitation easy and reflection more difficult. This is the case, for instance, of computer reactions to financial market situations, where automatic trading platforms and rules amplify the effects of initially minor price fluctuations. Similarly, destructive memes of harmful behaviors (whether teenage hyperventilation, recreational drug use or copycat crimes) can spread rapidly through social media. Imitative learning is a powerful force of social coherence, but thoughtless imitation, as well as following orders without questioning their ethics and consequences can destabilize systems, spread destructive habits, and amplify risks.

• 
  “All signals indicated that we were doing fine.”
  

Good test results may be falsely reassuring if the tests wereperformed in the wrong environment, or the sample size was too small. Over-confidence in biomedical circles has become so prevalent that commentators are starting to worry that science is failing us (Lehrer, 2012). For lack of operating experience, engineering and physical models as well as expert opinions may be needed to complete the picture. Besides, “we used only the best/most credible/reliable results” may reflect a self-serving selection bias⁸.

• 
  “But everyone agreed that it seemed a good idea at the time!”
  

In practice, full validation of a risk analysis model in the traditional statistical sense may be impossible for new systems or systems that have changed because the statistics at the system level are not yet available. Yet, these models can be justified based on what is known of the functions and dependencies of the various components, and of the external factors (loads, environment) that affect their robustness.

• 
  “It was an operator error”
  

Blaming the personnel in charge at the lower level is sometimes convenient to an organization. For instance, more than 60% of recent airline accidents have been blamed on pilot errors (FAA, 2013). Yet, in some cases, a system design may be the accident root cause and must be corrected to allow for some pilot mistakes before they cause a crash. In other cases, the pilots may not have been sufficiently trained, for instance, to understand the signals that they get from electronic monitors or to operate in absence of these signals. Similarly, in the medical field, some accidents are directly caused by residents who do not have sufficient experience; but the true responsibility may lie with the supervisors if they are 15 minutes away from the operating room when they should be accessible in two minutes. More generally, managers sometimes blame the operators for their own failures when the leadership did not provide the training, the supervision, the information or the incentives required to face critical situations.

Risk analysis can make the cumulative impacts of risks on a company and its employees, customers, and partners more vivid. It can quantify, with emphasis on uncertainties, avoidable possible losses as well as potential changes in insurance premiums and cost of capital, and can highlight cost-effective opportunities for enterprise risk management. Other risk factors are simply facts that can only be accounted for. The realities of shrinking global markets may not be changeable, but some level of diversification, innovation, and decoupling meant to protect a system from cascading failures may go a long way towards reducing risks.

More complex cases are those in which the risk is caused in large part by the activities or the threats of intelligent adversaries such as drug gangs or insurgents. The key to analyzing the risk that they present is to understand who they are, their intent, their capabilities and the types of response that one is willing to implement given the possibilities of deterrence but also escalating conflicts (Paté-Cornell, 2012). The issue here is thus to address not only the symptoms (e.g., immediate threats of attacks) but also the basic problems, although sometimes, as in saving a patient, treating the symptoms may have to come first⁹.
Characterize Risk Magnitudes and Uncertainties
Once a hazard – a possible source of risk – is identified, the next step is to try to figure out what one is dealing with and how large the risk might be (Kaplan and Garrick, 1981). Are probabilities and magnitudes of potential losses large enough, compared to the costs of reducing them, to warrant urgent attention, or are they small enough that waiting to address them implies little possible loss? This is where science reporters often fail as risk communicators, by publishing articles exclaiming that exposures have been “linked” to adverse effects, but without noting the absolute sizes of the risks involved or, often, even failing to check whether the claimed “links” are causal (Gardner, 2009). If the risk is uncertain, can this uncertainty be clarified for a cost that is less than the value of information obtained by additional investigation, and the benefits of improved decisions that it would make possible¹⁰? If so, acting quickly out of concern about uncertain risks may be less prudent than first collecting better information.

This quantification of the risk and of the associated uncertainties may be a difficult task depending on the nature and the relevance of the available evidence. Quantitative risk assessment (QRA) or Probabilistic Risk Analysis (PRA), developed originally for engineered systems, involve all available information that can help to answer practical risk management and uncertainty reduction questions. These methods are based both on systems analysis and on probability, including essential functions, feedback loops and dependencies caused by external events and common causes of failure (Paté-Cornell, 2009). For a structural system, these external events can be earthquakes or flooding that affect simultaneously several subsystems and components. In these cases, the risk analysis is based on an assessment of the probability distributions of loads and capacities, and computation of the chances that the former exceeds the latter.When needed, the results should include, and if needed display separately, the effects of aleatory as well as epistemic uncertainties¹¹ to accurately characterize the limitations of the analytical results.

Realistic PRAs, including those for failures of complex technological systems,must also include human and organizational factors. This analysis can be achieved, starting from a functional and probabilistic analysis of system failures, then considering the potential decisions and actions of the actors directly involved (errors as well as competent moves), andlinking these to the environment created by the management (Paté-Cornell and Murphy, 1996). This requires examining in details the procedures, the structure and the culture of the organization, including the information passed along to operators, the resource constraints and the incentive system.

These risk analyses, imperfect as they are, can be invaluable tools in identifying risks that were not considered or were underestimated before¹², and in setting priorities among safety measures.

The challenge, again, is to ensure that these assessments are as objective as humanly possible. Algorithmic techniques such as those in Chapter 2 may help. Separating facts and values may sometimes require that an analyst waste no time working for someone who will disregard fact-based results, or who insists onconstraining or influencing them based on values and preconceptions, for instance by forcing some inputs. For example, if the U.S. EPA required its experts to express their uncertainty about “lives saved per microgram per cubic meter” of reduction in fine particulate matter by using Weibull distributions, which are constrained to show a 100% probability of positive life savings (no matter what the data say), then analysts might insist on being given the flexibility to use other distributions that could also assign positive probability to zero (or negative) values if that is what the data indicate (Cox, 2012). An illustration of the “risk of no risk analysis” is, again, the choice of a surprisingly low tsunami design criterion at the Fukushima Daiichi nuclear reactor, despite a recorded history of such events over more than a thousand years as mentioned earlier. Insisting that risk management be guided by risk analyses is particularly critical for new nuclear reactors, whose design criteria must meet the characteristics of each site and the local hazards of external loads at a time where 68 new nuclear power plants are under construction across the world.

1. 
   Is the system stable? If not, how quickly is it deteriorating?
   
2. 
   Are the benefits of gathering or waiting for additional information,which might improve the decision,expected to outweigh the costs?
   
3. 
   What does one know (and can expect) of new technologies that may allow elimination of the risk altogether, for instance by replacing a hazardous technology at an acceptable cost?
   

An example of the first consideration –deterioration – is the speed at which one might expect, for instance, deterioration of the climate with and without proposed interventions, with an assessment of its likely impacts (both beneficial and harmful) on human population in different parts of the globe. Examples of the second consideration –value of information and optimal stopping – include the choice of whether to perform additional medical tests before an operation, whether to engage in more invasive medical tests on a routine basis, or whether to delay a repair in a car or a chemical factory to ensure that the potential risk reduction benefits justify the costs of an immediate fix. An example of the third type – risk reduction by the substitution of a new technology – might be the decision to live with the consequence of coal burning to generate electricity, after closing nuclear plants andbefore solar energy becomes truly economical, understanding the pace and the costs of such new development and the actual potential for future risk reduction.

Rare or unknown events for which there is little or no information as to whether or not they can actually occur are especially difficult to manage sensibly. Starting with the most difficult case, genuine “black swans” that one knows nothing about and cannot reasonably anticipate, the best strategy may be to monitor for signals of unusual occurrences (e.g., of new diseases) and to put in place a “resilient” structure of organizational connections, financial reserves and access to human intelligence and knowledge that allows for quick, creative local responses (Paté-Cornell, 2012; Cox, 2012b). For instance, new types of flu occur on average every two years. A system managed by the World Health Organization (WHO) permits monitoring and sharing of information across countries and identification of virus types. Although imperfect, that system allows relatively quick response to new strains of flu viruses such as H1N1. But the slow response to the spread of AIDS illustrates the difficulty of identifying and responding to a new type of pathogen¹³. Managing the more straightforward case of “perfect storms” is easier in that it involves “anticipating the unexpected” but imaginable (Augustine, 1996), and observing conjunctions of dangerous events such as the convergence of storms, loads on a system, or economic problems.

A key part of a safety culture thus involves the incentives provided by the management. The structure and the procedures of organizations such as an oil company reflect an attitude at the top of the corporation that permeates all levels of the organization. Concretely, the incentives, constraints, and directions explicitly communicated to employees shape their decisions, especially when they have little time to react or little information to evaluate their decisions. This was one of many problems at the Fukushima Daiichi nuclear power plant, where operators had to wait for hours before deciding on their own to flood a crippled reactor. It was also true on the Deepwater Horizon platform, where ignoring negative pressure tests results contributed to the already high risks of an accident (NAE, 2012). Economic incentives that encourage motivated reasoning may thus distort risk-taking and risk-management decisions. As pointed out earlier, organizations that reward exclusively a production level and de facto penalize those who slow down production, put at risk not only their employees but also possibly, the general public both from a safety and a financial point of view.

In that context, where operators can face unexpected delays and problems, it is essential to provide people with reasonable amounts of resources and deadlines, and to be willing to make adjustments. Otherwise, agents might satisfy the managers by cutting corners in ways that they may not even imagine until and unless they see consequent failures (Garber and Pate-Cornell, 2012). Therefore, when managers set these constraints they have to ask themselves what are their “shadow price”, i.e., by how much would one reduce the failure risk if one relaxed that constraint by one unit (one more day?); or on the contrary, whether one can tighten these constraints at a net benefit.

Who is responsible for avoiding accidents and mishaps? There are often several lines of responsibility and accountability, which should be properly defined and coordinated. The feeble defense of “responsible but not guilty” was used, for instance, by a high government official head of a health ministry in Europe in 1991, after contaminated blood infected a large number of people. The question of course, is: what constitutes guilt on the part of a leader who fails to define proper procedures and ensure their application? Another failure of leadership can occur when a conflict of authority emerges from a two-head structure. For instance, a surgeon and an anesthesiologist who disagreewhen neither of them has the ultimate decision making power can cause (and have caused) the death of a patient (Paté-Cornell et al., 1997). It may be possible to pinpoint precisely an error at the bottom of the organizational hierarchy that has led to an accident sequence. (In the case of the Piper Alpha accident in 1988, a young worker made the mistake of leaving the work of fixing a pump unfinished at the end of a day and failed to tag the pump as remaining to be fixed.). But, as in the case of rogue traders, the overall question of supervision, incentives and safety culture emanate directly from the leadership of the company and the regulators.

Leadership is thus a key ingredient of a solid system of risk management decision making in which the decision maker hears the message on time, understands it (and the uncertainties involved if any) and is able and ready to act when needed. The decision makers must be willing to know the truth, to make difficult choices and trade-offs of what is tolerable and what is not, and to decide when it is time to shift from regular operations to crisis management with the ability to make quick, well informed decisions. When the risk is born by a group of people, this requires a collective decision process, able to balance the interests and the safety of different groups, and the overall costs and benefits.
Share Knowledge and Experience Across Organizations
Not all risk management responsibilities can or should be defined within a specific organization. Distributed control of risks, shared among multiple organizations or individuals, also creates a need for legal and institutional frameworks to clearly define and enforce rights and duties. Clarifying whose responsibility it is to avoid risks that arise from joint decisions¹⁴can reduce the average costs of risk management. To providea rational basis for coordinating liability and incentives to reduce the costs of risk externalities and jointly caused risks in a society of interdependent agents, one might adopt several possible principles. In the economic analysis of law (Posner 1998), the Learned Hand formula, discussed further in the next chapter, states that parties should take additional care if and only if the expected marginal benefit of doing so exceeds the expected marginal cost (Feldman and Kim, 2005). Similarly, the “cheapest cost avoider” principle states that the party who can most cheaply avoid a jointly created risk should do so.

Accidents sometimes reveal the existence of information in some parts of industry that could have saved others. Some organizations successfully permit sharing that critical information. The Institute of Nuclear Power Operations (INPO) provides a practical example of such an organization (Reilly, 2013). Created in the wake of the Three Mile Island accident, INPO provides a forum where industry managers can discuss existing problemsbehind closed doors with the support of the regulator (in the US, the NRC). It has the role of an internal watchdog, regularly rating each power plant. These ratings, in turn, influence the insurance rate of the plants thus promoting strong incentives for excellence in safety. What makes such an organization successful is the combination of peer pressures, of a forum for internal discussion of potential problems, blunt assessment of plant performance and the “teeth” provided by financial incentives. What sometimes makes it difficult to generalize the model is the competition among the organizations involved and the global nature of some industries such as the oil market.

We propose that improved practices of risk analysis, quantification and management should be built on technical and cultural foundations, which encompass expertise both in reducing routine risks and in responding to novel ones. Such risk management practices should rely less on blame-casting and excuse-making than in the past. They will need to acknowledge that human error is not necessarily the main driver of failures in an increasingly complex and interconnected world, and that systems should be designed to withstand such errors. Unprecedented hazards, fat-tailed distributions, and risk contagion leading to cascading failures are increasingly recognized as drivers of some of the most conspicuous modern risks, from power outages to epidemics to financial failures. Improved risk management practices should thus increasingly rely on intelligent engagement with our uncertain and changing world. They should build on the key principles we have touched upon: leadership and accountability;robust design (decoupling subsystem whenever possible); vigilant and open-minded monitoring; continual active testing of assumptions and systems; deliberate learning; optimal trade-offs of the costs and benefits of gathering further information before acting; well-trained and disciplined habits of coordination; and ability to cooperate quickly and effectively in response to new threats. These principles have been valuable foundations for effective risk management when they were applied in the past. They should become common practice in the future.

We thank Warner North for useful suggestions that led to a shorter, clearer exposition.