Disaster risk assessment through the prism of ISO:31000
I wouldn’t think that this subject could be interesting if not my recent discussion with a group of high-caliber international experts who we are working together on an international project on disaster risk assessment. We wanted to follow the risk assessment processes as described in the ISO 31000:2009 standards (Figure 1) and apply them to the disaster risk management context. The questions raised among us were around the three steps of risk assessment: risk identification, risk analysis, and risk evaluation. What is the focus of each of these steps from disaster risk assessment perspective? Should ‘risk identification’ be already concerned with ‘disaster risk’ including understanding of some impact? What is the difference between the ‘disaster risk analysis’ and the ‘disaster risk evaluation’? Eventually, disaster risk is one of many types of risks and it should be possible for its assessment to follow the logic of risk assessment process described in Figure 1.
Figure 1: Risk Assessment processes
Here is the reflection on how the ISO 31000:2009 flow can be translated into disaster risk assessment.
- Risk Identification: this is the first step to identify an uncertainty, impact of which is important to be aware of and respond to adequately. At this stage, the sources of risk should be identified and a comprehensive list of events that might have negative impact should be designed. This requires understanding the causes of the event and its potential impact. From disaster risk assessment perspective, this stage is concerned with identification of an ‘event’ – that is the hazard event, which should it take place will have negative impact on these exposed. Therefore, this stage is concerned with hazard identification. Focus: hazard identification (including cause analysis).
- Risk Analysis: this step is concerned with more detailed understanding of the risk, including the drivers of its causes and its potential positive or negative impact. It is analyzed in determining the likelihood and the consequences. From disaster risk perspective, this step is concerned with interaction of hazard with exposure  and vulnerability. Each point of interaction creates a unique coupling: a specific likelihood and a specific impact. Specific likelihood refers to specific intensity, magnitude, frequency of hazard – whatever dimension is relevant to describe the range of each hazard that can manifest itself in the target geographic region . Specific impact refers to the impact to be expected from each likelihood value of chosen hazard(s). Focus: impact analysis, i.e. coupling of specific hazard likelihood with a specific hazard exposure and all dimensions of vulnerabilities (physical, ecological, social, economic, cultural, and institutional).
- Risk Evaluation: this step allows for risk prioritization based on risk criticality (a combination of the likelihood and consequences). This is easy to visualize by mapping risks on risk matrix. A very simple example of risk matrix is provided in Figure 2. The risk prioritization requires understanding the risk absorbing capacities and risk appetite. If the former requires due considerations from those accountable for the disaster risk management (national civil protection forces for instance, etc.), the latter is more complex subject and requires whole-of-society deliberation to define what are the priority disaster risks in a society. Only then there is a legitimate basis to define the risks that are in the red zone and therefore, requires immediate attention, the risks that are in the green zone and could be tolerated, or the risks in yellow zone that needs to be closely monitored. Applying similar logic to disaster risk context requires due consideration of resilience capacities factored into disaster risk assessment process. Focus: risk prioritization, i.e. factoring resilience capacities  to each unique combination of specific hazard likelihood with a specific hazard exposure and vulnerabilities. At the end of these three steps the disaster risks (with full characteristics of hazard(s), exposure, vulnerabilities, and resilience capacities) are available for decision-makers to be prioritized and addressed.
Figure 2: Risk Matrix
Thus, if the risk assessment model offers 1) risk identification, 2) risk analysis, and 3) risk evaluation, the disaster risk assessment model requires a) hazard identification (including cause consideration), 2) impact analysis (hazard + exposure and vulnerability), and 3) risk prioritization (hazard + exposure and vulnerability + resilience capacities).
It’s another question on how to operationalize the resilience capacities? This are the capacities that facilitate or hinder resilience in any system and includes the following: a) capacity to anticipate risk, b) capacity to manage risk (reduction, transfer, etc.), c) capacity to respond to a disaster (when the risk is materialized), d) capacity to recover (including recovery & reconstruction), and e) capacity to adapt by learning.
Therefore, the disaster risk is:
Disaster Risk = hazard + exposure and vulnerability + resilience capacities [risk anticipation, risk management, disaster response, disaster recovery & reconstruction, and learning]
Disaster resilience building require addressing each component of disaster risk as relevant.
1: Some would argue not only exposure but also susceptibility analysis. See Framing vulnerability, risk and societal responses: The MOVE Framework, 20132: Important to note that the concept of ‘likelihood’ needs careful consideration to avoid the situations when high-impact/low probability hazards are not captured.3: Ibid.4: Others might call is ‘coping capacities’