Risk analysis under attack: How risk science can address the legal, social, and reputational liabilities faced by risk analysts

The role of the risk analyst is critical in understanding and managing uncertainty. However, there is another type of uncertainty that is rarely discussed: The legal, social, and reputational liabilities of the risk analyst. Recent events have shown that professionals participating in risk analysis can be held personally liable. It is timely and important to ask: How can risk science guide risk analysis with consideration of those liabilities, particularly in response to emerging and unprecedented risk. This paper studies this topic by: (1) Categorizing how professionals with risk analysis responsibilities have historically been held liable, and (2) developing a framework to address uncertainty related to those potential liabilities. The result of this framework will enable individual analysts and organizations to investigate and manage the expectations of risk analysts and others as they apply risk principles and methods. This paper will be of interest to risk researchers, risk professionals, and industry professionals who seek maturity within their risk programs.


INTRODUCTION
The practice of risk analysis is critical for directing investments toward prevention and mitigation for uncertain risk events. While the risk analyst role is relatively new in industry, this role has been fundamental for the growth of the risk science discipline. However, the role of the risk analyst is laden with responsibility. Deficiencies in risk activities, such as with accuracy, judgment, decision making, and communication, can be disastrous for societies, businesses, and economies. It is imperative for the risk profession to carefully explore the legal, social, and reputational liabilities of the risk analyst.
Consider the case of a 6.3 magnitude earthquake in L'Aquila, Italy in 2009, resulting in more than 300 deaths. While the region experienced several low-level tremors before the earthquake, these types of tremors were common. Professionals tasked with risk and decision-making responsibilities failed to interpret those low-level tremors as warnings of this larger earthquake. Seven members of the This is an open access article under the terms of the Creative Commons Attribution License, which permits use, distribution and reproduction in any medium, provided the original work is properly cited. © 2022 The Authors. Risk Analysis published by Wiley Periodicals LLC on behalf of Society for Risk Analysis.
National Commission for the Forecast and Prevention of Major Risks were convicted of "criminal manslaughter and causing criminal injury" (Sisto, 2012).
Also consider the Flint Water Crisis in Flint, Michigan, USA. A change to the water supply combined with aging infrastructure was associated with elevated levels of lead in the region's water supply (Roy, 2015) and other water quality problems. These deficiencies in water quality led to widespread cases of Legionnaires' disease and multiple deaths (Anderson, 2016;Bellware, 2019). The long-term impacts of this crisis are severe, with severe impacts on children's brain development (Campbell et al., 2016). The timeline of events leading to the crisis suggests that those tasked with analyzing and managing risk for this drinking water system, plant personnel, "were left to attempt to address the plethora of complex water quality issues and complaints by trial and error" (Masten et al., 2016), possibly due to limited experience and information. These issues were coupled with political, legal, and ethical dilemmas. Those tasked with risk analysis and decision-making responsibilities were held responsible, as they were charged on the grounds of perjury, involuntary manslaughter, and others (Booker, 2021).
In a different but related case, consider the Boeing 737 Max Scandal. As a result of pursuits for improved fuel efficiency, Boeing increased engine size and changed the engine placement for their jets. Due to the aircraft instability introduced by this change, Boeing developed an automated system intended to aid in controlling the aircraft angle. However, malfunctioning sensors informing this automated system, inadequate training, and system design deficiencies introduced severe safety concerns, resulting in multiple crashes and 346 fatalities (Johnston & Harris, 2019;Pasztor et al., 2019). The repercussions included a $2.5 billion settlement, fraud charge against a pilot, government investigations, and related lawsuits (Cameron, 2021). The ethics complaints were also severe, as employees criticized the company's decision making and priorities related to safety (Kitroeff et al., 2019).
In all of these cases discussed above, the details are unclear regarding how to distinguish between the role of the risk analyst and the role of the formal decisionmakers. Understanding the specific actions of the analyst versus those of the decisionmakers would better gauge the accountability of the risk analyst in the negative outcome. However, the reality is that even with perfect details and equally perfect risk analyst adherence to professional responsibility, negative outcomes can happen. The repercussions to the risk analyst are exacerbated by uncertainty involved in any risk application. Hindsight bias may influence how we gauge whether the negative outcome could have been foreseen at all.
A single negative outcome cannot prove that a risk analysis was done improperly, but accusations of an improper risk analysis can happen nonetheless. Lawsuits (with and without merit), reputational failures (based on information, misinformation, and disinformation), scapegoating (internal, external, political), and other ramifications presented in this paper can result in liabilities for the risk analyst.
While licensing and other professional standards exist to aid in forming a distinction between professional responsibility and liability (Munneke & Davis, 1998;NSPE, 2021b), no such standards currently exist for the risk analyst. Because risk management involves uncertainty, limited data/information, and unprecedented and understudied situations, it is a challenge to set professional standards for the risk analyst. However, there is an opportunity for the risk science discipline to study this topic and provide additional guidance on this issue. This paper addresses this topic by studying how risk analysts can be held liable for risk decisions. We also develop a framework to address uncertainty related to those potential liabilities. Section 2 discusses principles and events that document potential liabilities for the risk analyst. Section 3 develops and demonstrates a framework to understand and manage the implications of those potential liabilities. Section 4 discusses high-level implications for the risk analysis profession. Section 5 provides conclusions and critical priorities for the risk profession.

PRECEDENT FOR LEGAL, SOCIAL, AND REPUTATIONAL LIABILITIES FOR THE RISK ANALYST
Many professionals in industry make oaths to act with integrity and in accordance with academic training. Consider the Hippocratic oath: In which medical professionals vow to treat the sick, respect patient privacy, and seek opinions of specialists when warranted (Lasagna, 1964). As another example, engineering professionals perform an oath of integrity and the obligation toward the health and safety of the public (Kaplan-Leiserson, 2009).
Within the risk profession, there are training and certification opportunities, such as through ISO 31000 (ISO, 2021) and Enterprise Risk Management frameworks (Aven & Thekdi, 2020;Moeller, 2007). Additionally, the risk science discipline has continued to promote standardization within terminologies and principles, as demonstrated by the Society for Risk Analysis Glossary (SRA, 2015). As the risk science discipline gains momentum, there is also increasing attention toward risk concepts in university curriculums . While such materials and educational opportunities exist, there are currently no oaths or licensures for the risk analyst.
History has shown that there are a variety of ways in which individuals and firms in risk analysis roles could encounter legal, social, and reputational liabilities. These liabilities can emerge from civil or criminal cases, fines/penalties, licensures, and others as described below.
The analyst or firm could potentially encounter civil lawsuits. For example, the National Society of Professional Engineers states that: "when an engineer negligently performs services on behalf of his firm or employer, the individual allegedly suffering damage from the engineer's negligent performance may sue the company and/or the individual engineer" (NSPE, 2021b). Insurance can be used to address this risk, such as professional liability insurance in engineering or malpractice insurance in healthcare (NAIC, 2021). While insurance can be used to address this risk, there may be limitations within the terms of the policies. There may also be some cases of immunity, such as with the United States qualified immunity principle, which allows for public officials to be immune from lawsuits in some cases (Cornell Law School, 2021). Similarly, there is a precedent for granting immunity for healthcare professionals in some situations (AMA, 2020).
As demonstrated in the Flint Water Crisis and the L'Aquila, Italy earthquake examples described earlier, the individual risk analyst can also face criminal charges, such as manslaughter, misconduct, and neglect of duty. In the corporate governance space, violations under Sarbanes-Oxley Act can also result in a prison sentence. Firms may also be subject to other types of repercussions, such as fines (Michaels, 2019).
The experience of dealing with a legal case can be detrimental to both parties. Regardless of the legal outcome, both parties can face substantial legal costs and stress. Handling these legal cases can consume time and energy. Even if a case is settled outside of court, the attorneys and the aggrieved party may benefit from the outcome, suggesting that there could be incentives for pursuing meritless lawsuits.
The risk analyst can also encounter social, professional, or reputational consequences. These consequences could involve revoked licenses (DHP, 2021). For example, following the 1981 Hyatt Regency Walkway Collapse, professionals lost their engineering licenses, in addition to charges of gross negligence, misconduct, and unprofessional conduct. Additionally, the firm's certificate of authority as an engineering firm was revoked (Texas A&M, 2006). Within the realm of social media and journalism, there is also potential to subject the analyst or firm to harassment, defamation, protests, etc.
In a broader sense, business models or strategies pioneered by a firm may no longer be deemed appropriate following a risk event and changing those business models or strategies can be difficult for large firms. For example, consider changes to protocol and regulation following the Exxon Valdez oil spill of 1989 (Brady, 2014). Additionally, vendors and workers may be less willing to work with particular firms following a risk event. Firms may also not be able to financially recover from a risk event, particularly in cases where organizations are underinsured or insurance coverage is lost.

FRAMEWORK AND DEMONSTRATION FOR EVALUATING THE ANALYST OR FIRM'S DUE DILIGENCE TOWARD RISK CHARACTERIZATION AND MANAGEMENT ACTIVITIES
The framework of this paper relates primarily to the risk analyst. The risk analyst can be responsible for activities including performing a risk assessment (understanding the nature of the risk, expressing, and evaluating the risk), coordinating with decisionmakers during the risk management process, coordinating with the development of risk governance policies, and informing risk communication activities (SRA, 2015). Individuals with risk-related responsibilities, but no official title, may serve as the de facto risk analyst in the absence of involvement by an official risk analyst role in the organization. Examples of those with risk analyst responsibilities could include engineers, designers, forecasters, etc.
The risk analysis is distinct from decision making, as decisions involve decisionmaker preferences (Paté-Cornell & Dillon, 2006). The focus of this paper is on the risk analyst who provides inputs to the decisions made by the formal decisionmakers, as the analyst can be held responsible for providing "bad information." In some cases, the risk analyst may also be a decisionmaker. For example, a medical professional could be responsible for performing a risk assessment and also suggesting the most appropriate treatment option. The boundaries may sometimes be blurry among the risk analyst's responsibilities and those of decisionmakers, communicators, and stakeholders.
More formally, the role of the risk analyst is to carefully consider events, consequences, uncertainty, and knowledge. In its broadest sense, risk is characterized by (A',C',Q,K), where A' is a set of specified events, C' some specified consequences, Q a description of uncertainties, and K the knowledge that supports A', C', and Q SRA, 2015). There is little precedent for this characterization to also include aspects related to the risk analyst's responsibility, as described earlier in this paper.
The job of the risk analyst is to be unbiased in their approach to form a risk characterization. We do not suggest that the risk analyst should manipulate, interpret, or perceive scientific findings in a particular way due to the liabilities described earlier in this paper. We also do not suggest that the risk analyst use these types of issues to coerce decisionmakers. Instead, the question lies in how issues related to the due diligence of the risk analyst fit into existing risk analysis and decision making. The analyst has some level of agency when performing their professional role. For example, the analyst may choose to excuse themselves from the role, seek expert opinion, act as a whistleblower, seek additional training or consultation, seek legal advice, or rigorously document activities.
Below we propose a framework that gauges the analyst's due diligence as applied to each dimension of the risk characterization: (A',C',Q,K). For each dimension of this characterization, the analyst can identify the level of concern, in order to guide next steps. This implied level of concern is specific to the risk analyst and the problem setting. The framework includes several steps as described below: Step 1: Develop a set of characteristics to clarify the risk analyst's professional responsibility. We leverage past risk events and existing literature to develop a set of professional responsibility-related characteristics that can inform the risk analyst. These characteristics are found to be the most important and generalizable to a variety of risk applications. The proposed set of characteristics relate only to the role of the risk analyst, and are not exhaustive of all factors that would be included in a risk study.
Step 2: Evaluation of the characteristics in Step 1. We recognize that there may be some overlap among these characteristics. The individual analyst's preferences and the risk application area can help determine the relative importance of each characteristic. We suggest that the analyst evaluate these characteristics using the lens of their individual values and other circumstances.
Step 3: Use the evaluation of characteristics to guide the risk analyst. While the professional responsibility of the analyst is to remain neutral and unbiased in order to maintain professional integrity in the risk pricess, the analyst can invest in activities that can concurrently address the concerns identified in Step 2.

3.1
Step 1: Characteristics to clarify the risk analyst's professional responsibility This step describes characteristics that can be used to gauge concerns related to the risk analyst's responsibility within the context of the problem setting. These characteristics were identified through an evaluation of factors involved in recent risk events that resulted on some form of analyst liability and through examination of related theoretical concepts in the risk literature. Additional characteristics may be yet to be identified through additional discussions and study of this topic area.
In the following steps, these characteristics will be evaluated according to the level of concern, as applied to the elements of the risk characterization. These characteristics relate primarily to the risk analyst, as it is the analyst who is responsible for acting on this information.
We present characteristics that should be considered by the risk analyst when fulfilling their professional duties. These characteristics are labeled as R.1-R.6, with R signifying responsibility, as follows: R.1: Licensures for job duties: The risk analyst may be required to use particular protocols in order to obtain and maintain professional licenses. Examples of licensing include a medical license or a professional engineering license.
R.2: Legal requirements for job duties: The risk analyst may be legally required to fulfill particular obligations as part of their profession. For example, consider nuclear power reactor facilities. Contractors and employees are responsible for maintaining accurate records, and could be criminally prosecuted if there are falsified records (NRC, 1985). Similarly, public water systems have legal requirements for water quality, which translate into strict requirements to actions of workers in water treatment roles (EPA, 2021) and licensing of those roles in some cases (VDH, 2021).
R.3: Visibility or public interest in risk related to the system: Some systems are very high-profile because they involve elements that are highly valued by societies, groups, or interests. Consider for example, environmental interests. Activism is prevalent such as related to drilling in environmentally sensitive areas or the constructions of pipelines, as they can be associated with large consequences related to safety, environment, and wildlife. Additionally, in cases of public interest, there is potential for scapegoating or holding the analyst responsible for the purpose of demonstrating that some party has been held responsible for a negative outcome.
R.4: Political or journalistic motives: Some may seek to benefit from controversy related to the risk area. While these types of accusations may not be proven, information or misinformation related to risk can potentially harm the analyst and the studied system. R.5: Knowledge of the system: Weak knowledge of the system can be challenging for the risk analyst. While it is not uncommon for a risk assessment to be based on poor knowledge strength, the communication of that poor knowledge strength to decisionmakers can be problematic, as demonstration of poor knowledge strength can be confusing and weaken the perceived credibility of the provided information. Also, weak knowledge of the system may imply the absence or scarcity of any legal or licensing-related protocol. This was demonstrated in the Flint Water Crisis example as the decisionmakers appeared to struggle to define the most appropriate solution to water quality issues, in addition to the other shortcomings of their decision making process.
R.6: Ethical and tangential issues: The risk analyst may have values-based concerns over the risk application, such as related to health, safety, and the environment. As a result, the analyst may feel a sense of responsibility for outcomes. Strong concerns may arise when there is a misalignment between the decision-making outcome and the analyst's own values. Additionally, the risk analyst may encounter surprising or unforeseen events, in which situations contribute to burnout (Maslach & Leiter, 2016). Other mental health problems may occur in cases of disasters and other traumatic situations (Goldmann & Galea, 2014;Jones, 2017).

3.2
Step 2: Evaluation of the characteristics in Step 1 Using the characteristics in Step 1, one can identify the analyst's level of concern that is specific to the application area. The level of concern could be measured in a variety of ways. For example, a high, medium, and low scale could be appropriate when subjective judgments are being made. A more refined point system could be applied if the level of concern is informed by voting stakeholders or is based on some other type of quantitative input.
The representation of level of concern could also vary depending on whether the exercise is intended to understand the views of a single analyst, a group of analysts, or some organization/institution. Additionally, there may be need to distinguish between issues with risk assessment and decisionmaking. For example, the level of concern could be classified using dimensions of: • Responsibilities and liabilities: Individual/analyst versus organizational/institutional • Responsibilities and liabilities: Risk assessment versus decision making • Risk assessment characteristics: Individual/analyst versus collective/organizational/institutional This level of concern can be applied individually to each element of the risk characterization (A',C',Q) that is informed by K, as this paper will do in the demonstration. But the analyst may instead choose to not separate the components in (A',C',Q) and conduct a more generic evaluation.
A generic evaluation would be appropriate when the analyst seeks a quick and broad evaluation or when there is strong overlap among (A',C',Q), particularly when the description of A' is highly detailed containing elements of C' and Q. This decision whether to conduct a generic evaluation vs. a detailed evaluation containing elements of (A',C',Q) remains at the discretion of the risk analyst or group performing this exercise.
There may be concern over the analyst's approach toward identifying A' (specified events) that is informed by K (knowledge). The analyst may experience this level of concern over not having identified the risk event. In cases of natural disasters or weather events, the types of risk events can be modeled and understood using past data. Consider risk management approaches to planning for a 100-year flood (USGS, 2021). However, these types of approaches could be based on the observed frequency of occurrence and may not include a necessary understanding of the phenomena and various recent changes to assumptions and conditions. Alternatively, consider applications such as cyber-security, in which attack mechanisms and capabilities for attack change rapidly and are nearly impossible to predict. The risk analyst may have lower concern in cases of natural disaster applications because of the stronger knowledge. However, that level of concern could also be influenced by the L'Aquila earthquake event, concern over the local legal system, and personal values. The analyst may have a higher level of concern in the cyber-security case due to the low knowledge, increasingly strict regulations in the industry (NCSL, 2021), and the need to maintain a professional reputation.
Consider also the level of concern for C' (the specified consequences) that are informed by K (knowledge). The concern for C' is distinct from A' as here, the analyst's level of concern is over not having foreseen particular consequences. The analyst may be able to make better predictions on the consequences for some risk scenarios versus others. For example, when modeling the impact of a severe economic event, the analyst could leverage preexisting data on employment, transactions, and the movement of goods and services. These models could be informed by past data, academic research, and input from experts. Alternatively, when modeling the impact of a new contagion in a pandemic, these consequences can be very challenging to predict, as they contain assumptions related to a minimally-studied contagion, unpredictable population behavior, and physiological knowledge. The analyst may have a low level of concern about the economic case because the models have been vetted and accepted by experts. The analyst may have high level of concern over the pandemic case because of the high level of public scrutiny and visibility of the prediction.
Consider also Q (characterization of uncertainties) that are informed by K (knowledge). The analyst's level of concern arises from an improper or inaccurate characterization of uncertainty. The characterization could be qualitative or be based on a probability (P) (precise or imprecise) and the associated strength of knowledge (SoK), such that Q is (P, SoK). The analyst may be able to characterize uncertainties for an application related to the detection of financial fraud when there is a large amount of data, financial information, and statistical approaches that include aspects of the probability of an accurate model finding. Alternatively, when describing uncertainty related to terrorism activities, there may be very little knowledge strength associated with parsimonious information. The analyst may have a low level of concern over the fraud case because the industry is highly regulated, there are many financial organizations that are also tasked with managing this risk, and there is an abundance of information that can inform the analyst. The analyst may have a high level of concern over the terrorism case due to the lack of information, but also because of the large potential for loss of life and property. While the mental health implications to the risk analyst are unclear, it has been shown that persons across the United States experienced mental health implications following the September 11, 2001 terrorist attacks (Marshall & Galea, 2004). Thus, issues with the risk analysis conducted in relation to a terrorist attack could potentially have a toll on the analyst's own well-being.
Consider a hypothetical example in Table 1. In this case, the analyst is working on behalf of a major energy provider in a highly populated region. The risk study involves maintaining power grid functionality during a winter weather event. The impact of a power loss in a region can be devastating, as the region relies on electricity for many purposes, such as heat during a winter weather event, manufacturing, communications, healthcare, and public water. A related winter weather event in Texas, USA resulted in 210 deaths, due to hypothermia, carbon monoxide poisoning, and accidents (Hauser & Sandoval, 2021). The energy provider has the ability to weatherize facilities using best efforts, which involves a significant investment (Public Utility Commission of Texas, 2021).
The level of concern for the risk analyst in this hypothetical example is shown in Table 1. In the table, we demonstrate only the dimension of the individual analyst performing only a risk assessment role, though this could be expanded to include other dimensions, such as decision making. While the components (A',C',Q) are shown in separate columns, there is little difference in the level of concern among those dimensions. Particularly, this is because many of the characteristics R.1 -R.6 apply similarly to the three components (A',C',Q). However, in the case of public reputational aspects (R.3 and R.4), the analyst senses a relatively lower level of concern over the description of uncertainties, Q. This could be due to relatively scarce information related to Q that is made public.
The analyst may have a low level of concern over issues such as licensing and legal requirements. However, the analyst may have more concern over the visibility or public interest in this system, as a power grid failure would impact many people and invite attention from journalists, political figures, and customers on social media. This type of attention could be devastating for the individual analyst, particularly if they are criticized by name. However, it is possible that the negative visibility would be pointed toward the employer and not the individual analyst. There may be a low level of TA B L E 1 Hypothetical level of concern for a risk analyst concern over knowledge of the system because the system is highly managed by thousands of employees in the region, and the responsibility is spread among those highly qualified individuals. There may be a medium level of concern for the ethical issues involved. While the analyst is accustomed to their role in the larger risk process, the analyst may feel some sense of responsibility if a particularly devasting event were to occur. Table 1 shows that the characteristics are not necessarily mutually exclusive. The interpretation of these characteristics may differ according to the domain area training of the risk analyst and the application area. These characteristics could potentially be re-written to be specific to a particular field, such that refined characteristics in healthcare could widely differ from those of infrastructure management. For the demonstration of this paper, these characteristics will remain general and interpretable across domains.

Use evaluation of characteristics to guide the risk analyst
This section involves calling for the risk analyst to act using the output of Steps 1 and 2. For all of the concerns described in Step 2, the analyst and the organization have standard options as in any risk scenario or situation: Acceptance, Avoidance, Transfer, or Mitigation. Acceptance involves proceeding with the risk analysis and management process as originally intended, accepting the possibility that the issues in Step 1 and Step 2 may arise. The practice of Avoidance typically involves the analyst excusing themselves from the risk analysis and management process or acting as a whistleblower. The organization may exit the practice involving the issues emerging from Step 1 and Step 2. Transfer could involve outsourcing the risk analysis and management process, outsourcing the activity studied in the risk analysis and management process, or purchasing sufficient insurance. Mitigation involves reducing the risk, in particular, the severity of outcomes and/or the likelihood of particular outcomes using particular strategies. More specific options related to each characteristic studied in Step 2 are discussed below.
R.1: Licensures for job duties: It is a necessary and critical job of the risk analyst to know the standards of their licensing. In fact, the analyst is not qualified for their professional position if they are not acutely aware of the standards for held licenses. If there is a high concern in this category, the analyst should seek training and expert advice from their professional licensor.
R.2: Legal requirements for job duties: In cases involving high concern for legal requirements, it is critical for the analyst and the organization to seek and maintain legal advice. If there is a high concern, the analyst may choose to seek legal advice independently from their employer. Legal advice may suggest that there is a strong precedent for a severe outcome for the analyst, in which case the analyst may choose to act on this information, such as by excusing themselves from the risk activity. In cases where there is little to no precedent for a severe outcome for the analyst, the analyst may leverage this information and decide, based on legal advice, how to proceed. In all of these situations, the analyst and organization may also seek a second opinion with this legal advice.
R.3: Visibility or public interest in risk related to the system: Managing reputation in cases of substantial public interest is an increasingly important issue for individuals and organizations. If there is a high concern in this area, the organization can proactively invest in a partnership with the public, such as through reputation management activities including media relations, crisis communication, advertising (Hutton et al., 2001). They may also seek a professional reputation management firm for guidance. The organization may choose to engage in enhanced stakeholder engagement, with activities that include delegating some control of the risk process to stakeholders, keeping stakeholders informed, promoting dialogue, and soliciting feedback (Mease et al., 2018). This type of practice can promote trust, which may be heavily leveraged in cases of a larger risk event. The analyst with a high level of concern over this issue may choose to consult with organizational leaders, show the importance of these issues, and create dialogue for promoting these activities.
R.4: Political or journalistic motives: Many of the issues presented for R.3. also apply to this characteristic. Otherwise, there may not be much recourse for the organization or individual analyst, as the power of political and journalistic motives is strong. The public can be influenced by political attention, media attention, social media, and even the information-sharing algorithms that are used by technology firms. While the impact of this type of attention can have a relatively low impact on the corporation in the long run, poor publicity aimed at the individual analyst can be detrimental to the analyst's career, safety, and livelihood. The analyst may either accept this risk or excuse themselves from the activity in question.
R.5: Knowledge of the system: It is the job of the risk analyst to address issues around insufficient knowledge of the system. The analyst should seek expert opinion, data, and educational materials, as noted in existing risk science practice . If there is a high concern related to this characteristic, the analyst or organization may choose to be relatively more cautious about discussing knowledge used to inform the risk analysis and management process, particularly when communicating with decisionmakers. Clearly articulating the existence of poor knowledge and the resulting implications can be challenging as decisionmakers may misinterpret poor knowledge as poor credibility of the risk analysis. However, the analyst should always maintain transparency of knowledge issues.
R.6: Ethical and tangential issues: The risk analyst is a whole-being with both personal and professional responsibilities. As a result, the analyst may struggle to balance those professional responsibilities with ethical and related issues. Consider the role of the analyst as they provide insights using risk science principles and methods. They provide decision support and are not the decisionmaker. While a risk analyst's professional behavior should not be impacted by a misalignment between decision making and the analyst's personal belief, there may be instances in which conflicts occur. For example, consider a public policy scenario in which the analyst does not agree with an elected leader's decisions. While the analyst can maintain professional neutrality, the analyst may choose to leverage their visibility to promote, and even profit from, publicizing their own personal stances related to the risk context. While this type of public opposition is within the rights of the analyst outside of their professional responsibilities, some may argue that it diminishes the professional integrity of the risk analyst.
Nonetheless, if the decision making does not align with the analyst's beliefs, such as related to the health and safety of people and the environment, the analyst may still feel some sense of responsibility. For example, consider the example of an analyst working in a national security or defense role. Even if risk science principles were perfectly followed, the resulting decisions might involve loss of life, property, and other ethical dilemmas. As another example, consider the role of the risk analyst in modeling population risk in relation to the COVID-19 pandemic. The results of these models could provide strong justification for risk mitigation measures, but also personal values could influence stances related to individual freedoms and associated sociopolitical issues surrounding those mitigation measures.
Additionally, even if the risk assessment and management process is perfectly implemented, adverse outcomes can and do occur. The risk analyst may feel a sense of responsibility for those types of adverse outcomes and this sense of responsibility may surface in the form of issues with wellness and mental health. The reality is that the job of the risk analyst is very difficult from this perspective. The analyst must weigh these issues carefully before even entering the risk profession. The analyst may choose to proactively seek support from their professional network in the same profession and seek professional help when navigating these ethical issues. Employers should also recognize this issue and make resources available to those in risk functions in the organization.
When applied to the hypothetical example in Table 1, the level of public interest in the system may prompt the risk analyst (or organization) to be more proactive in public outreach. For example, they may seek public input from stakeholders and include that type of input in the risk process, if they do not do so already. There may be a precedent for public input from customers and stakeholders (Pacificorp, 2021). Once risk decisions are made, there can be public outreach or marketing strategies that can demonstrate transparency to the public and also demonstrate that the organization does have a documented and state-of-the-art risk program. Of course, this type of practice must be implemented in a collaborative and honest manner.
Given that the analyst is concerned with R.3 and R.4, the analyst may invest in the ability to react if a risk event were to occur. For example, consider guidance on crisis management (Forbes, 2017), promoting best practices for reacting to a public relations crisis. Best practices involve calling on the analyst (or organization) to have a crisis management plan, taking responsibility, getting ahead of the story by addressing the risk event early, having a social media plan, apologizing, and others. Some of these best practices may work better than others for a single analyst. For example, many analysts can benefit from having a crisis management plan. However, the issue of apologizing is not without controversy. Often, apologies imply regret, such as resulting from the analyst conducting a poor risk assessment. The question of whether an apology would be in order if the analyst correctly fulfilled their job functions, but a risk event happened anyway, is a matter is personal preference and further debate.

DISCUSSION
This section discusses several underlying issues that emerge in the framework and demonstration. The issues primarily address how the risk analyst may view their personal and professional roles, noting the separation between the two; and critical needs for the risk community to support the risk analyst in their pursuit of promoting active risk management. First, there is a distinction to be made between the analyst and the employer. While the employer may be insured, it is not necessarily obligated to act in such a way that favors or protects the analyst. In some ways, this can be seen as a conflict of interest on behalf of both the employer and the risk analyst. For example, consider the Volkswagen emissions scandal in which employees acting on behalf of their employers faced severe penalties, including imprisonment (Shepardson & Poltz, 2020). Despite the severe and irreversible fallout for Volkswagen employees, the corporation can recover based on learnings from the risk event (Sun & Hagel, 2020).
There is also a strong argument to be made for risk analyst certification or licensing that requires ongoing training. A high level of concern over various characteristics presented in Table 1 is a symptom of a larger problem. Risk analysts have varying levels of training, experience, and responsibilities. Because organizations, professionals, and regulatory bodies may have differing timelines and requirements to adopt emerging risk methods and principles (Apostolakis, 2004), training is one method to promote familiarity with these methods and principles. A resulting improvement in risk analysis capabilities could result in more advanced decisionmaking criteria and improved decision support in general (Borgonovo et al., 2018).
In addition to legal issues, licensing, or standardization of risk science could formalize standardization across disciplines, for example, building on the progress made through the Society for Risk Analysis (SRA, 2021a). The risk field can look to other related fields that have been successful in standardizing practices through certification. For example, the field of epidemiology benefits from the Certification Board of Infection Control and Epidemiology that administers 5-year certifications using an application process and an exam (CBIC, 2022). Having a licensing body could also create additional opportunities for advocacy in regulation. For example, consider advocacy toward how to address emerging concerns and support for license-holders (NSPE, 2021c). As the utilization of risk science becomes more widespread, advocacy will become increasingly critical.
Risk analysts are also not attorneys and often may not understand the boundaries around what constitutes professional responsibility versus legal responsibility. In cases of severe liability, such as related to infrastructure (e.g., the Flint Water Crisis), the employers themselves may be underfunded and have little guidance on how to manage legal issues beyond those found in regulations.
The framework of this paper also prompts discussion around the importance and limitations of the risk analyst. The framework assumes the perspective of the risk analyst, though in some cases, the risk analyst may also serve as a decision-maker. The decision-makers may instead be some other entity inside or outside of the analyst's organization. While the analyst has control of the risk process, they do not have control over the outcome. The analyst cannot prescribe decisions for the decisionmakers, but does have some control over how information is presented. The decisionmakers themselves also may have little control. For example, consider the COVID-19 pandemic in which policy and riskcommunication efforts attempted to control human behavior, but were largely ineffective.
The risk analyst may also have a role in public outreach. Working with the public includes the very challenging tasks of both listening and communicating. This is particularly difficult because the risk analyst is tasked with communicating topics of uncertainty. There is a careful balance between acknowledging values and uncertainty involved with risk decisions while also ensuring that the public views the risk analysis as being credible and rational (Clarke, 1988). It is also a challenging exercise to communicate technical topics to a nontechnical audience, recognizing that the perception of a risk message can be influenced by a variety of factors, including words, format, visuals, the demeaner of the speaker, and many other nonverbal cues. These issues are compounded by other obstacles including distrust, selective reporting in the media, psychological factors related to the processing of risk-related information, reluctance to change beliefs, and the public's demand for certainty in information (Covello & Sandman, 2001).
It should be noted that the R.6: Ethical and tangential issues was very broadly defined. While standards are being developed in the risk science discipline, and there is discussion around ethical issues (Doorn, 2015;Keeney, 1984), there remain many questions around how to handle these ethical issues, which are constantly evolving with developing technologies and widespread use of risk science practices. The risk field can look to other fields for domain-specific guidance and adapt those principles to risk science topic areas. For example, healthcare ethics involve the study of procedural justice when studying whether standards, procedures, policies, or processes were fair and without biases, regardless of the outcome. Also, consider distributive justice when studying how costs and benefits are distributed. While these issues are being discussed in various contexts (Summers & Morrison, 2009;SRA, 2021b), more work can be done to engage analysts in understanding how to address these issues within their application of risk science principles and methods.
Bordering on ethical principles is the issue of understanding risk issues from a holistic viewpoint. The risk-related examples in this paper (e.g. Flint Water Crisis) involved systems with many metrics of concern (e.g. financial, health/safety, public perception, political ties, etc.). A narrow focus on a single metric, like saving money in a city with severe financial issues, can misguide decisionmakers. In addition, a narrow focus on a limited number of stakeholders can lose sight of the wide impact a firm has on various individuals. Decision making with consideration of the many stakeholders can promote innovation (Harrison et al., 2010) and enable the firm to better address future risk stemming from uncertainty. However, in cases of quantifying uncertainties for major societal issues, the consideration of multiple stakeholders greatly complicates the task (Apostolakis, 1990).

CONCLUSIONS
The risk analyst is individually vulnerable to a variety of factors, including legal, professional, and ethical principles. The characteristics studied in this paper suggest that conflicts of interest can and do exist when comparing the expectations of the risk analyst, employer, regulators, and society. This is a precarious position for both the analyst and the employer. This is also a serious situation for systems being analyzed within risk assessment and management. If analysts are encountering an explicit or implicit conflict of interest, this can potentially undermine the integrity of the entire risk process, with implications for societial safety and security. There is potential for the issues discussed in this paper to become even more pressing. For example, the role of the risk analyst can increasingly seep into other pofessions. With the rise of artificial intelligence and machine learning, the developers of these systems could also face related issues as those discussed in this paper. This paper has contributed to the risk literature by leveraging existing literature and significant risk events to identify areas of concern for the risk analyst. The methods also provide a systematic manner in which the analyst can understand the importance of each area of concern and leverage that understanding to act and address the contributing factors. This gives the analyst a new power in undressing uncertainties related to their role.
The methods of this paper are a critical first step in acknowledging and treating these issues for the risk analyst. It is expected that the risk field, which is still being developed, has not yet developed standards for addressing the areas of concern presented in this paper. However, as the risk field develops, there is need for leadership in promoting visibility, dialog, and treatment of these issues. With leadership, there is a large potential for the risk field to benefit from certification, licensing, and standardized training for the risk analyst and those in risk-related roles.

A C K N O W L E D G M E N T S
The authors would like to thank the anonymous reviewers for their insightful feedback on this work. The manuscript was significantly improved using this feedback.