Management and the Technology Professional – B302
Risk analysis using maximin criterion, minimax regret criterion and expected value criterion
Conceptual foundations of decision and risk analysis.
Common
decision analysis criteria depends on
certainty and
probabilities of outcomes.
The following table is an example for a person who is starting a new business. The person has to decide which method to use for server hosting. After a year of operation, let's say that 3 outcomes might be possible. Each outcome affects which server hosting method the business will use in the second year of operation.
Actions are:
- Web hosting
- Grid server
- Dedicated server
Outcomes are:
- Close business
- Continue business
- Expand business
| | Close business | Continue business | Expand business |
| Web hosting | – £110 | – £110 and – £600 | – £110 and – £840 |
| Grid server | – £600 | – £600 and – £600 | – £600 and – £840 |
| Dedicated server | – £840 | – £840 and – £600 | – £840 and – £840 |
Maximin criterion is a conservative criterion which identifies the worst outcome for each action and selects the action with the best worst outcome.
In the example above, the worst outcome for web hosting is – £950, worst outcome for grid server is – £1,440 and the worst outcome for dedicated server is – £1,680. The maximin criterion indicates that the best action would be web hosting.
Minimax regret criterion considers the result of selecting the wrong action. For each outcome,
find the difference between the best value and each action to construct a regret table.
Select the action with the best regret value.
| | Close business | Continue business | Expand business |
| Web hosting | 0 | £110 | £110 |
| Grid server | £600 | 0 | £600 |
| Dedicated server | £730 | £840 | 0 |
Using the regret table above,
the minimax regret criterion indicates that the best action would be web hosting.
The expected value criterion may be used when estimates of probabilities are available to assist risk analysis.
A decision tree provides more information for risk analysis.
All outcomes for an event must be exclusive. If one outcome occurs, then it should not be possible for any of the other outcomes from the same event to occur. For example, after installing Skype, these are not outcomes: "add more users" and "have security problem". The reason is that it is possible that both could happen at once. Instead, possible outcomes could be, "no security problem" and "have security problem".
Expected value criterion uses the probability weighted average value of each event and selects the action with the highest value. Calculations are made for all nodes in the decision tree using these rules:
- For event nodes, the expected value is the sum of the probability weighted values of the outcomes.
- For action nodes, the expected value is the best value of all actions connected to that node. Best is the lowest value when analyzing expenses or the highest value when analyzing income.
Net present value is the sum of the present value for all the money received and paid on one specific path of a decision tree.
The server decision example above converted from a table to a decision tree format, including example of
probabilities for each outcome.
Common decision scenarios involving risk analysis:
- use vs. build
- buy vs. build
- buy vs. lease
- insurance premium vs. cost of actual problem
- invest now vs. savings later
- invest now vs. income later
- spend on testing vs. spend on quality
Layers of analysis in increasing order of value:
We will build a decision tree to support the analysis of a decision whether to buy an anti-virus solution for 40 computers at a small business. The tree starts on the left hand side with the decision.
The first action is to select which operating system to install on the computers.
The second action is to select an anti-virus solution for computers. Notice that a valid action is to not buy any software. Additionally, there is more purchase options when using Microsoft Windows.
Please note that there are other possible actions which may be worth considering, but, were not included in this example. For example, the computers could be partitioned into groups, such as 10 computers for the management team and 30 computers for the office staff. The managers might prefer Windows due to the use of Excel spreadsheets with macros already developed. In comparison, the office staff could be trained to use Open Office on Linux (they might not like it). Additionally, there are managed/hosted anti-virus solutions offered by vendors such as Trend Micro which was not included. Your analysis should provide supporting reasons for including relevant actions.
Then we identify possible events that may happen in 6 months. A
critical problem is if the computers are infected with a virus which causes financial damage. A
minor problem is if the computers are infected with a benign virus which has to be patched, but does little damage. We assume that the possible events apply for all actions.
Note that an indication of time is added at the bottom to help later with present value calculations.
Please note that there are other possible events which may be worth considering, but, were not included in this example. For example, it might be useful to provide 4 possible levels of damage from a virus infection instead of just 2 levels (critical and minor). Additionally, the damage levels could be linked to the excess value of a company insurance policy. In other words, above the excess amount, the insurance company would pay and thus limit the out of pocket cost of the company. Similar to identification of actions, your analysis should provide supporting reasons for including relevant events.
Next, we allocate the probabilities for each event. Starting at the top, we assign probabilities when using
Symantec with Linux.
Then, we assign probabilities when using F-Prot with Linux.
Then, we assign probabilities when using Linux without anti-virus software.
Then, we assign probabilities when using AVG with Windows.
Then, we assign probabilities when using Symantec with Windows.
Then, we assign probabilities when using F-Prot with Windows.
Then, we assign probabilities when using Windows without anti-virus software.
Next, we assign the cost of purchasing licenses for the operating system. There is
no licensing cost for Linux. Let's assume that a
Windows XP license costs £50/each for 40 computers.
Then, we assign the cost of purchasing licenses for Linux anti-virus software. Let's assume that a
Symantec license costs £60/each for 40 computers and F-Prot licenses cost £100 for a 40-computers site license.
Then, we assign the cost of purchasing licenses for Windows anti-virus software. The vendor costs are the same for Linux and Windows. Additionally, a
40-computers site license for AVG costs £650.
Then, we estimate the cost of problems that might be caused by a computer virus problem. Let's assume that the estimated
costs are the same regardless of operating system or anti-virus software.
The complete decision tree with all of the information from the previous steps.
To start the process of calculating the expected value associated with each action, we start at the right side. Let's start at the top and calculate the expected value of using Symantec with Linux:
EV = (£5000 x 0.02) + (£300 x 0.05) + (£0 x 0.93) = £115
Next, calculate the
expected value of using F-Prot with Linux:
EV = (£5000 x 0.02) + (£300 x 0.07) + (£0 x 0.91) = £121
Next, calculate the expected value of using Linux without an anti-virus solution:
EV = (£5000 x 0.05) + (£300 x 0.09) + (£0 x 0.86) = £277
Next, calculate the
expected value of using AVG with Windows:
EV = (£5000 x 0.04) + (£300 x 0.08) + (£0 x 0.88) = £224
Next, calculate the expected value of using Symantec with Windows:
EV = (£5000 x 0.04) + (£300 x 0.08) + (£0 x 0.88) = £224
Next, calculate the
expected value of using F-Prot with Windows:
EV = (£5000 x 0.04) + (£300 x 0.09) + (£0 x 0.87) = £227
Next, calculate the expected value of using Windows without an anti-virus solution:
EV = (£5000 x 0.15) + (£300 x 0.25) + (£0 x 0.60) = £825
Then, we substitute the expected values into the corresponding event nodes to create this intermediate decision tree:
To evaluate the possible actions, we add the values associated with each possible action and select the best value at each node. In this example, we are dealing with expenses, so the best value is the lowest value. Let's start with the "Install Linux operating system" node:
Buy Symantec for use with Linux = £2400 + £115 = £2515
Buy F-Prot for use with Linux = £100 + £121 = £221
Use with Linux without an anti-virus solution = £0 + £277 = £277
According to the expected value criterion, we would select the action of purchasing F-Prot if we decide to use Linux for the computers. Thus, the value of £221 is now associated with the "Install Linux operating system" node.
We continue with the "Install Windows operating system" node:
Buy AVG for use with Windows = £650 + £224 = £874
Buy Symantec for use with Windows = £2400 + £224 = £2624
Buy F-Prot for use with Windows = £100 + £227 = £327
Use with Windows without an anti-virus solution = £0 + £825 = £825
According to the expected value criterion, we would select the action of purchasing F-Prot if we decide to use Windows for the computers. Thus, the value of £327 is now associated with the "Install Windows operating system" node.
Then, we substitute the expected values into the corresponding action nodes to create this intermediate decision tree:
We repeat the process for the main decision node, starting with the top:
£0 + £221 = £221
The value of £221 is the expected value of installing Linux on the 40 new computers including consideration for anti-virus solutions.
Continuing on:
£2000 + £327 = £2327
The value of £2327 is the expected value of installing Windows on the 40 new computers including consideration for anti-virus solutions.
Replacing the expected values into the tree allows us to apply the expected value criterion again, which indicates that the best action would be to install Linux and buy F-Prot anti-virus software.
After further consideration of other relevant information, let's say we decide to go with the action indicated by the decision tree expected value criterion. Now let's calculate the net present value:
If we use the current bank loan interest rate from Natwest of 8.4% per annum, then we can calculate the effective rate for 6 months by solving for this equation where the variable W is the 6-months rate and the power of 2 represents the fact that there are 2 six-months investment periods in 1 annual period:
(1 + W)^2 = (1 + 0.084)^1
6 months discount rate = W = (1 + 0.084)^(0.5) – 1 = SQRT(1 + 0.084) – 1 = 0.041 = 4.1%
Net present value (NPV) = £0 + £100 + (0.02 * (£5000 ÷ (1 + 0.041))) + (0.07 * (£300 ÷ (1 + 0.041))) + (0.91 * (£0 ÷ (1 + 0.041))) = £0 + £100 + £96.06 + £20.17 + £0 = £216.23
When calculating with probability, interest rates or discount rates,
be careful to accurately convert the probability into its decimal equivalent. For example:
8.4% is equivalent to 0.084
84% is equivalent to 0.84
8.4% is NOT equivalent to 8.4
After further consideration of other relevant information, let's say we decide to use Windows because the users would require less training. Now let's calculate the net present value for using F-Prot with Windows:
Use the same discount rate as calculated above, 4.1%
Net present value (NPV) = £2000 + £100 + (0.04 * (£5000 ÷ (1 + 0.041))) + (0.09 * (£300 ÷ (1 + 0.041))) + (0.87 * (£0 ÷ (1 + 0.041))) = £2000 + £100 + £192.12 + £25.94 + £0 = £2318.06
Knowing that the NPV associated with using Linux is £216.23 and the NPV associated with using Windows is £2318.06, we now have a quantitative estimate that the cost of satisfying the user preference for Windows is approximately £2101.83 with consideration for anti-virus solutions and financial risk.
Calculate the present values for a path of the decision tree after an action has been selected.
These are quantitative input for analysis, which should be evaluated with other qualitative considerations.
