Are Standard Risk Acceptability Criteria Applicable to Critical Infrastructure Based on Environmental Security Needs?

Abstract

Risk levels calculated using accepted human health or ecological risk assessment paradigms are often compared to numerical acceptable or unacceptable risk levels found in statutes, administrative rules, guidelines or policies. In practice, the numerical results of systematic, rigorous, and transparent risk analyses are used as inputs into a risk management process that does not have the same performance attributes of the risk assessment process. The risk management process often transforms the definition of acceptable or unacceptable risk in a non-transparent manner resulting in inefficient multi-criteria decision-making and public confusion as to what constitutes acceptable or unacceptable risk. This paper discusses an approach to make such decision-making explicit and suggests that an acceptable/unacceptable risk threshold might be considered for each class of infrastructure based on its critical nature. This paper initiates a policy level analysis and discussion of this issue by presenting arguments to support or refute the contention that critical infrastructure should be held to an explicit and less stringent acceptable/unacceptable risk standard. Strong arguments exist for both sides of the issue. It is the responsibility of risk managers to determine whether arguments for or against flexibility in establishing acceptable or unacceptable risk levels are sufficiently compelling for use in their jurisdiction.