**4. Defining the problem**

The problem we will address in this study is the *allocation of a risk management budget among the possible responses*. The solution to this problem is not only ranking the risks to be dealt with, but also recommending the best risk response investment.

As was mentioned in Section 2, Part 4, responses to identified risks can be divided into two groups: responses that include a real money investment - like transfer, avoidance and mitigation - and the other responses, which do not require any investment - like accepting the risk or preparing a contingency plan. Our study concentrates on the responses that require an investment and examines how to select the right set of responses when we are limited by a well-defined budget. In order to clarify these issues, let us look at the following theoretical example:

Assume there are two risks in a project - R1 and R2. R1 will occur with probability P1 and the damage in this case will be D1. R2 will occur with probability P2 and the damage in this case will be D2. In order to overcome these risks, we can either transfer the risk R1 (by purchasing insurance), which will cost C11 and the policyholder's participation D11 or respond to risk R1 with a mitigation plan that will cost C12. After its application, the remaining probability to occur is P12 with damage when it occurs of D12. For risk R2, we have one mitigation plan that costs C21; after its application, the remaining probability to occur is P21 with damage when it occurs of D21. We have a risk mitigation budget of B that we can invest to handle these risks and we would like to know what our best policy is (B is usually determined by the project's customer).

In this study, we assume a linear utility function. This means that we will choose the policy that will reduce our expected cost to a minimum. The following table presents a numeric example of the dilemma described above:


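| Risk | P | D | Expected Damage | Response | Cost | Pij | Dij | Expected Damage+Cost |
|---|---|---|---|---|---|---|---|---|
| **R1(\*)** | 0.2 | 1000 | 200 | Transfer | 80 | 0.2 | 50 | 90 |
| **R1(\*)** | 0.2 | 1000 | 200 | Mitigation | 50 | 0.1 | 500 | 100 |
| **R2(\*)** | 0.3 | 700 | 210 | Mitigation | 50 | 0.3 | 200 | 110 |

**Table 1.** Numeric Example of the Dilemma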

Let B=50. In this case, we can choose either the second or the third row. If we choose the second row, we reduce the expected damage of Risk 1 to 100 and stay with Risk 2 at an expected damage of 210. Altogether, the expected damage of both risks is 310. The same is true if we choose to handle Risk 2 and reduce the expected damage to 110. Since the expected damage of Risk 1 is 200, the total is 310.

Let B=80. In this case, we can choose the first row or the previous option of B=50. Choosing Row 1 brings the total expected damage to 90+210=300 (the 210 is from R2). If we choose the second row (mitigating R1), our total expected damage will be 310, and the third row (mitigating R2) will be the same - 310. However, in both mitigation plans we only invest 50, while in the transfer policy we invest a minimum of 80. People who are risk-averse will prefer this option, while others who are attracted to risk might prefer the second or third row.

If B=100, then an additional option is open which allows us to choose Rows 2 and 3 and reduce the expected damage to 210. If B=130 and up, we can choose Rows 1 and 3 and reduce the expected damage to 200.

If we try to minimize the expected damage when B=80, then transferring R1 would be optimal, although usually risk management methods will rank R2 higher and recommend treating it first.

In order to define the optimal response problem, we will use the following terminology and symbolization:

There are *n* risks R1,…,R*n*. For each risk R*i*, the probability of its occurrence is Pi and the damage when it occurs is Di. Therefore, for each risk R*i*, the expected damage is Qi = Pi·Di. Index *i* will be used for risks.

For each risk Ri, there are *k* responses (some can be empty; others can be transfer or mitigation) out of which we can choose, at most, **one**. This can be done by combining mitigation plans together. Index *j* will be used for a response plan.

The response *j* to risk Ri costs Cij; after its implementation, the probability of its occurrence is Pij and the corresponding damage is Dij. The expected damage after its implementation is

$$Q_{ij} = P_{ij} \cdot D_{ij}.$$

A response plan is defined as "worthwhile" only if


$$Q_i \ge \left(C_{ij} + Q_{ij}\right) \text{ for } i = 1, \dots, n \tag{1}$$

(Only if the investment + the expected damage after the implementation are lower than the original expected damage). A response plan that is not worthwhile will not be included in the list of possible responses. Actually, the savings in selecting response *j* to risk R*i* is:

$$
Q_i - \left(C_{ij} + Q_{ij}\right).
$$

Let us now define the decision variables *X*ij as 1, if response j is selected for risk Ri, and 0, otherwise.

Only one response can be selected (if the user wants to enable selecting two responses to risk Ri, he can combine both responses into one plan with the accumulated cost). From the definition of *X*ij, the expected value of all the risks will be:

$$\sum_{i=1}^{n} \left[ \left(1 - \sum_{j=1}^{k} X_{ij}\right) Q_i + \sum_{j=1}^{k} X_{ij} \left(C_{ij} + Q_{ij}\right) \right] \tag{2}$$


After opening the equation, it is clear that the expected value of all the risks (that we would like to minimize) is:

$$
\sum_{i=1}^{n} Q_i - \sum_{i=1}^{n} \sum_{j=1}^{k} X_{ij} \left(Q_i - \left(C_{ij} + Q_{ij}\right)\right) \tag{3}
$$

Since $\sum_{i=1}^{n} Q_i$ does not depend on the selection of risks to be handled, the problem can be defined as an integer programming problem, as follows:

$$\max \left\{ \sum_{i=1}^{n} \sum_{j=1}^{k} X_{ij} \left(Q_i - \left(C_{ij} + Q_{ij}\right)\right) \right\} \tag{4}$$

s.t.

$$\sum_{j=1}^{k} X_{ij} \le 1 \qquad \text{for } i = 1, \ldots, n \tag{5}$$

$$\sum_{i=1}^{n} \sum_{j=1}^{k} X_{ij} C_{ij} \le B \tag{6}$$

(budget constraint)

And $X_{ij}$ can be either 0 or 1 for i=1,…,n and j=1,…,k.
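The integer program (4)-(6) can be checked against the budgets discussed for Table 1 by enumerating every feasible assignment of the X variables. This is an added example, not code from the chapter: the name `solve_exact` and the dictionary layout are assumptions, and exhaustive enumeration stands in for an ILP solver, so it only suits small n and k.

```python
from itertools import product

# Values copied from Table 1: risk -> (P_i, D_i, [(response, C_ij, P_ij, D_ij), ...])
TABLE1 = {
    "R1": (0.2, 1000, [("transfer", 80, 0.2, 50), ("mitigation", 50, 0.1, 500)]),
    "R2": (0.3, 700, [("mitigation", 50, 0.3, 200)]),
}

def solve_exact(table, budget):
    """Enumerate every X_ij assignment allowed by (5) and (6) and maximise (4).

    Maximising the savings in (4) is the same as minimising the total in (3),
    so the function returns (minimum expected damage + cost, optimal policies).
    A policy maps each risk to the chosen response, or None when it is accepted.
    """
    risks = list(table)
    options = []
    for name in risks:
        p, d, plans = table[name]
        q_i = p * d
        # None encodes sum_j X_ij = 0; a plan is listed only if worthwhile, condition (1)
        opts = [(None, 0.0, q_i)]
        opts += [(label, c, c + pij * dij) for label, c, pij, dij in plans
                 if q_i >= c + pij * dij]
        options.append(opts)

    best, winners = float("inf"), []
    for combo in product(*options):          # one option per risk, constraint (5)
        cost = sum(c for _, c, _ in combo)
        if cost > budget:                    # budget constraint (6)
            continue
        total = round(sum(t for _, _, t in combo), 6)
        policy = {r: label for r, (label, _, _) in zip(risks, combo)}
        if total < best:
            best, winners = total, [policy]
        elif total == best:
            winners.append(policy)
    return best, winners

if __name__ == "__main__":
    for b in (50, 80, 100, 130):
        total, policies = solve_exact(TABLE1, b)
        print(f"B={b}: expected damage + cost = {total:g}  {policies}")
```

At B=80 the only optimum is transferring R1, even though R2 has the larger expected damage.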

### **5. Solving the problem**

The problem can be solved by Integer Linear Programming (ILP), as was mentioned in [9, 12]. In this paper, we compare 3 heuristic algorithms that solve this ILP. The algorithms are as follows:

1. **The Most Dangerous Risk** (MDR) method (PMI, 2008) is used to show the "naïve" solution. In the current case, the first risk to be handled is the one with maximum Qi. For the selected risk, the most effective response is selected and the accumulated budget is increased by Cij.

   For each selected risk, the response with the maximum savings (Qi-(Cij+Qij)) will always be selected. The algorithm that is used is as follows:

   1. Sort the risks according to Qi from higher to lower.
   2. For each risk, select the response j with the higher (Qi-(Cij+Qij)).
   3. Calculate the accumulated cost of applying the responses according to the sorted list.
   4. Calculate the accumulated savings.
   5. If the accumulated cost of risk responses is less than the budget, go back to Step 1.

2. **The Most Profitable Response** (MPR) method is defined as follows:

   1. Sort the responses according to (Qi-(Cij+Qij)) from higher to lower.
   2. Choose the upper risk in the sorted list that was not selected yet.
   3. Calculate the accumulated cost of applying the responses according to the sorted list.
   4. Calculate the accumulated savings.
   5. If the accumulated cost of risk responses is less than the budget, go back to Step 1.

   In this algorithm, the response savings plays a major role and the decision is made according to the possible savings.

3. **The Best Saving Ratio** (BSR) method is defined as follows:

   **Definition**: The ratio between the savings in expected damage and the cost of the response will be called the **savings ratio.** Mathematically, it is defined as (Qi-(Cij+Qij))/Cij. The economic meaning of this ratio is the amount of savings in expected damage per each unit of investment in the response.

   The algorithm will be as follows:

   1. Sort the responses according to the savings ratio (Qi-(Cij+Qij))/Cij from higher to lower.
   2. Choose the upper risk in the sorted list that was not selected yet.
   3. Calculate the accumulated cost of applying the responses according to the sorted list.
   4. Calculate the accumulated savings.
   5. If the accumulated cost of risk responses is less than the budget, go back to Step 1.


In order to clarify the three algorithms, let us demonstrate them by an example:

In the following table (Table 2) there are 6 risks; for each risk there are three possible response plans. The table includes the Pi, Di, Qi, Cij, Pij, Dij, Qij, and both the savings in expected damage + cost and the savings ratio.


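| Risk # | Pi | Di (in K \$) | Qi | Response # | Rank | Cij | Pij | Dij | Qij | Cij+Qij | Qi-(Cij+Qij) | Xij | Saving Ratio |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 0.29 | 133.37 | 39.20 | 1 | 4 | 35.81 | 0.02 | 118.17 | 2.70 | 38.50 | 0.70 | X11 | 0.02 |
| 1 | 0.29 | 133.37 | 39.20 | 2 | 4 | 20.02 | 0.08 | 32.41 | 2.54 | 22.57 | 16.64 | X12 | 0.83 |
| 1 | 0.29 | 133.37 | 39.20 | 3 | 4 | 0.67 | 0.04 | 116.92 | 4.20 | 4.87 | 34.34 | X13 | 51.35 |
| 2 | 0.85 | 170.91 | 144.68 | 1 | 1 | 31.06 | 0.25 | 70.48 | 17.31 | 48.37 | 96.31 | X21 | 3.10 |
| 2 | 0.85 | 170.91 | 144.68 | 2 | 1 | 22.28 | 0.74 | 149.28 | 110.87 | 133.15 | 11.53 | X22 | 0.52 |
| 2 | 0.85 | 170.91 | 144.68 | 3 | 1 | 120.89 | 0.11 | 137.49 | 14.88 | 135.77 | 8.91 | X23 | 0.07 |
| 3 | 0.83 | 155.09 | 129.23 | 1 | 2 | 25.79 | 0.65 | 136.71 | 89.54 | 115.33 | 13.90 | X31 | 0.54 |
| 3 | 0.83 | 155.09 | 129.23 | 2 | 2 | 14.02 | 0.73 | 77.06 | 56.45 | 70.47 | 58.76 | X32 | 4.19 |
| 3 | 0.83 | 155.09 | 129.23 | 3 | 2 | 4.11 | 0.80 | 117.19 | 93.55 | 97.66 | 31.57 | X33 | 7.68 |
| 4 | 0.83 | 19.44 | 16.10 | 1 | 6 | 12.21 | 0.54 | 6.03 | 3.25 | 15.46 | 0.64 | X41 | 0.05 |
| 4 | 0.83 | 19.44 | 16.10 | 2 | 6 | 4.83 | 0.03 | 8.48 | 0.28 | 5.11 | 10.99 | X42 | 2.27 |
| 4 | 0.83 | 19.44 | 16.10 | 3 | 6 | 3.85 | 0.81 | 2.29 | 1.84 | 5.69 | 10.41 | X43 | 2.71 |
| 5 | 0.19 | 168.04 | 31.15 | 1 | 5 | 13.03 | 0.00 | 11.51 | 0.02 | 13.05 | 18.11 | X51 | 1.39 |
| 5 | 0.19 | 168.04 | 31.15 | 2 | 5 | 8.00 | 0.12 | 30.92 | 3.76 | 11.76 | 19.40 | X52 | 2.43 |
| 5 | 0.19 | 168.04 | 31.15 | 3 | 5 | 1.54 | 0.06 | 111.67 | 7.21 | 8.76 | 22.40 | X53 | 14.51 |
| 6 | 0.58 | 101.83 | 58.83 | 1 | 3 | 46.87 | 0.00 | 2.99 | 0.01 | 46.89 | 11.94 | X61 | 0.25 |
| 6 | 0.58 | 101.83 | 58.83 | 2 | 3 | 37.98 | 0.30 | 23.31 | 6.90 | 44.88 | 13.94 | X62 | 0.37 |
| 6 | 0.58 | 101.83 | 58.83 | 3 | 3 | 6.46 | 0.56 | 86.35 | 48.06 | 54.52 | 4.30 | X63 | 0.67 |

**Table 2.** Numeric Example to compare the three algorithms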

The numeric example is generated by a simulation that will be described later. Table 2 includes all the information needed for applying the algorithms MDR, MPR and BSR.

Tables 3, 4, 5 present the MDR, MPR and BSR solutions accordingly.

In Table 3, the ranked risk =1 means the first risk to respond. The first risk that is handled is Risk number 2, since its Qi is 145 (from Table 2). The response is selected as the highest savings solution. Total handling of the 6 risks requires a budget of 90.1 and saves 236.7 in expected damages, plus the cost of applying the responses.

Table 4 shows that the selection order is different from MDR. However, the accumulated savings converges to the same amount, since at the end both algorithms use the same response plans. The difference is in the selection order.

**Table 3.** Solution of the example using the MDR algorithm

**Table 4.** Solution of the example using the MPR algorithm

Table 5 shows that the BSR uses different response options and therefore converges to different accumulated savings. In this example, the BSR is the worst option out of the 3 algorithms, although this result does not represent the most common situation, as will be seen later.

Best Savings Ratio (BSR)

| Ranked Risk | Risk Number | Response Number | Budget | Accumulated Budget | Savings | Accumulated Savings |
|---|---|---|---|---|---|---|
| 1 | 1 | 3 | 0.67 | 0.67 | 34.34 | 34.34 |
| 2 | 5 | 3 | 1.54 | 2.21 | 22.40 | 56.73 |
| 3 | 3 | 3 | 4.11 | 6.32 | 31.57 | 88.30 |
| 4 | 2 | 1 | 31.06 | 37.38 | 96.31 | 184.61 |
| 5 | 4 | 3 | 3.85 | 41.22 | 10.41 | 195.02 |
| 6 | 6 | 3 | 6.46 | 47.69 | 4.30 | 199.32 |

**Table 5.** Solution of the example using the BSR algorithm

### **6. Comparison of the three algorithms**

In order to compare the three algorithms, a scenario simulation was generated with 15 risks and 3 responses per risk. The simulation draws the probabilities and damages according to the following rules:

1. Draw Pi distributed U(0.01, 0.9) (uniform between 0.01 and 0.9)
2. Draw Di distributed U(10,200)
3. Draw Pij distributed U(0,Pi)
4. Draw Dij distributed U(0,Di)
5. Draw Cij distributed U(0.1, Qi-Qij) where Qi = Pi·Di and Qij=Pij·Dij

For all i=1,…,15, j=1,…,3

The following chart (Figure 1) shows an example of the behavior of the three algorithms, while the budget increases, step by step.

Figure 1 is an example of a typical situation in which, for a limited budget the BSR is the best algorithm, while for an unlimited budget, the other algorithms can produce better results. This phenomenon holds in most of the simulation examples, but there are cases where the BSR is better for all budgets and cases.

In order to compare the three algorithms, 100 simulations were generated. For each simulation, the maximum needed budget was calculated. (Since the Cij are drawn, the required budget is stochastic and different in each simulation). For each simulation, the savings was calculated for an investment of 20%, 40%, 60%, 80% and 100% of the budget.

For each percentage investment, the savings was calculated for each algorithm. Later, the best algorithm was defined as the successor, for each specific budget, and the frequency of its success was calculated. The following table (Table 6) summarizes the number of successes of each algorithm

Table 6 shows that for a low budget (20 to 60 percent) the BSR is the best algorithm, while for an unlimited budget the MPR behaves better. In many cases, the MPR and MDR behave the same and reach the same savings.
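The three heuristics of Section 5 can be run on the Table 2 data to reproduce the totals quoted for Tables 3 to 5, and the drawing rules of Section 6 can generate further scenarios for them. This is an added example, not code from the chapter: the function names are assumptions, and so is the reading of step 5 as "stop at the first pick that would exceed the budget".

```python
import random
from math import inf

# Values copied from Table 2: risk -> (Q_i, [(C_ij, Q_ij) for responses j = 1..3])
TABLE2 = {
    1: (39.20, [(35.81, 2.70), (20.02, 2.54), (0.67, 4.20)]),
    2: (144.68, [(31.06, 17.31), (22.28, 110.87), (120.89, 14.88)]),
    3: (129.23, [(25.79, 89.54), (14.02, 56.45), (4.11, 93.55)]),
    4: (16.10, [(12.21, 3.25), (4.83, 0.28), (3.85, 1.84)]),
    5: (31.15, [(13.03, 0.02), (8.00, 3.76), (1.54, 7.21)]),
    6: (58.83, [(46.87, 0.01), (37.98, 6.90), (6.46, 48.06)]),
}

def responses(table):
    """One (risk, response, Q_i, C_ij, saving) row per worthwhile response, condition (1)."""
    return [(i, j, q, c, q - (c + qij))
            for i, (q, plans) in table.items()
            for j, (c, qij) in enumerate(plans, 1) if q >= c + qij]

def allocate(rows, budget):
    """Take the first response seen for each risk from a sorted list.
    Assumed reading of step 5: stop at the first pick that would exceed the budget."""
    picks, done, spent, saved = [], set(), 0.0, 0.0
    for i, j, _, c, s in rows:
        if i in done:
            continue
        if spent + c > budget:
            break
        picks.append((i, j))
        done.add(i)
        spent, saved = spent + c, saved + s
    return picks, round(spent, 2), round(saved, 2)

def mdr(table, budget=inf):  # highest Q_i first, then that risk's largest saving
    return allocate(sorted(responses(table), key=lambda r: (-r[2], -r[4])), budget)

def mpr(table, budget=inf):  # largest saving Q_i - (C_ij + Q_ij) first
    return allocate(sorted(responses(table), key=lambda r: -r[4]), budget)

def bsr(table, budget=inf):  # largest savings ratio first
    return allocate(sorted(responses(table), key=lambda r: -r[4] / r[3]), budget)

def simulate(rng, n=15, k=3):
    """Draw one scenario with the rules of Section 6 (U = uniform)."""
    table = {}
    for i in range(1, n + 1):
        p, d = rng.uniform(0.01, 0.9), rng.uniform(10, 200)
        plans = []
        for _ in range(k):
            qij = rng.uniform(0, p) * rng.uniform(0, d)
            plans.append((rng.uniform(0.1, p * d - qij), qij))
        table[i] = (p * d, plans)
    return table

if __name__ == "__main__":
    for name, algo in (("MDR", mdr), ("MPR", mpr), ("BSR", bsr)):
        print(name, "B=40:", algo(TABLE2, 40)[1:], "no limit:", algo(TABLE2)[1:])
```

Savings are recomputed from the rounded Qi, Cij and Qij columns, so totals can differ from the printed tables by about 0.01.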
