Assessing the risk posed by natural hazards to infrastructures

This paper proposes a model for assessing the risk posed by natural hazards to infrastructures, with a focus on the indirect losses and loss of stability for the population relying on the infrastructure. The model prescribes a three-level analysis with increasing level of detail, moving from qualitative to quantitative analysis. The focus is on a methodology for semi-quantitative analyses to be performed at the second level. The purpose of this type of analysis is to perform a screening of the scenarios of natural hazards threatening the infrastructures, identifying the most critical scenarios and investigating the need for further analyses (third level). The proposed semi-quantitative methodology considers the frequency of the natural hazard, different aspects of vulnerability, including the physical vulnerability of the infrastructure itself, and the societal dependency on the infrastructure. An indicator-based approach is applied, ranking the indicators on a relative scale according to pre-defined ranking criteria. The proposed indicators, which characterise conditions that influence the probability of an infrastructure malfunctioning caused by a natural event, are defined as (1) robustness and buffer capacity, (2) level of protection, (3) quality/level of maintenance and renewal, (4) adaptability and quality of operational procedures and (5) transparency/complexity/degree of coupling. Further indicators describe conditions influencing the socio-economic consequences of the infrastructure malfunctioning, such as (1) redundancy and/or substitution, (2) cascading effects and dependencies, (3) preparedness and (4) early warning, emergency response and measures. The aggregated risk estimate is a combination of the semiquantitative vulnerability indicators, as well as quantitative estimates of the frequency of the natural hazard, the potential duration of the infrastructure malfunctioning (e.g. depending on the required restoration effort) and the number of users of the infrastructure. Case studies for two Norwegian municipalities are presented for demonstration purposes, where risk posed by adverse weather and natural hazards to primary road, water supply and power networks is assessed. The application examples show that the proposed model provides a useful tool for screening of potential undesirable events, contributing to a targeted reduction of the risk.

Abstract.This paper proposes a model for assessing the risk posed by natural hazards to infrastructures, with a focus on the indirect losses and loss of stability for the population relying on the infrastructure.The model prescribes a three-level analysis with increasing level of detail, moving from qualitative to quantitative analysis.The focus is on a methodology for semi-quantitative analyses to be performed at the second level.The purpose of this type of analysis is to perform a screening of the scenarios of natural hazards threatening the infrastructures, identifying the most critical scenarios and investigating the need for further analyses (third level).The proposed semi-quantitative methodology considers the frequency of the natural hazard, different aspects of vulnerability, including the physical vulnerability of the infrastructure itself, and the societal dependency on the infrastructure.An indicator-based approach is applied, ranking the indicators on a relative scale according to pre-defined ranking criteria.The proposed indicators, which characterise conditions that influence the probability of an infrastructure malfunctioning caused by a natural event, are defined as (1) robustness and buffer capacity, (2) level of protection, (3) quality/level of maintenance and renewal, (4) adaptability and quality of operational procedures and (5) transparency/complexity/degree of coupling.Further indicators describe conditions influencing the socio-economic consequences of the infrastructure malfunctioning, such as (1) redundancy and/or substitution, (2) cascading effects and dependencies, (3) preparedness and (4) early warning, emergency response and measures.The aggregated risk estimate is a combination of the semiquantitative vulnerability indicators, as well as quantitative estimates of the frequency of the natural hazard, the potential duration of the infrastructure malfunctioning (e.g.depending on the required restoration effort) and the number of users of the infrastructure.
Case studies for two Norwegian municipalities are presented for demonstration purposes, where risk posed by adverse weather and natural hazards to primary road, water supply and power networks is assessed.The application examples show that the proposed model provides a useful tool for screening of potential undesirable events, contributing to a targeted reduction of the risk.

Introduction
Modern society is increasingly dependent on infrastructures to maintain critical societal functions such as supply of food, water and energy, and security.Disruptions in one of the infrastructure systems, such as water and energy supply, transport or communication, may have severe consequences.With a changing climate, the frequency and intensity of some extreme weather events (e.g.intense precipitation) and related hazards (e.g.landslides and floods) are expected to increase (Hanssen-Bauer et al., 2015), creating challenges for the infrastructure providers.Challenges include, for example, landslides threatening transportation lines, increased contamination of water sources due to intense rain and flooding or storms leading to loss of power supply.
Since the financial and workforce resources available to operators to protect their infrastructure systems are limited, it is especially important to use resources efficiently.To do so, it is essential to be aware of the threats and risks and to assess and compare risk in order to set priorities.This will be the basis for implementing targeted protection measures, as stated by the Federal Ministry of the Interior (2008).
The main purpose of performing risk assessment related to infrastructure affected by natural events is to support wellfounded risk management.An extensive risk assessment is indispensable in order to identify adverse events and vulner-abilities and evaluate the impact on infrastructures and their users, taking into account the probability of the occurrence of these adverse events.The risk assessment gives decision makers a better understanding of risks and its uncertainties, describing and comparing the vulnerability and resilience and potential risks related to the effects on infrastructures from natural events.Careful assessment of risk and informed analysis of dependencies between infrastructures can significantly contribute to effective investment in planning and design and facilitate preparedness actions in the event of failure.With regard to risk reduction, discussion about acceptable levels of risk and of potential mitigation measures to reduce the risk is required.Cost-benefit analyses could be used to assess the feasibility and adequacy of mitigation measures.Optimal decisions require that decision makers are aware of how their decisions may affect the expected loss.
By law, the Norwegian municipalities are required to carry out a risk and vulnerability analysis and plan and prepare for emergencies from a short-and long-term perspective.The purpose of the duty/legislation is to ensure that the municipalities are working holistically and systematically with societal safety and preparedness across sectors in the municipality.Knowledge about risk and vulnerability is important to reduce the probability of undesirable events and to reduce the consequences should the event occur (DSB, 2015a).The current format of the municipal risk and vulnerability assessments is very similar to a preliminary hazard analysis (PHA; IEC/FDIS 31010, 2009), where the starting point is the identification of adverse events, followed by a simple probability and consequence assessment of each event.In the municipal analysis, adverse events refer to events in the municipality that may result in loss of life, health or stability, monetary losses or damage to the environment.Through the municipal involvement in the implementation of the risk and vulnerability analysis, the stakeholders in the municipality obtain a better overview over, and an increased consciousness about, the relevant risks and vulnerabilities.In addition, the municipality can acquire knowledge about how risks and vulnerabilities can be managed.The analysis is intended to form a basis for an overall emergency plan that must be coordinated with other relevant emergency and contingency plans.The ultimate goal of the analyses is to help maintain important socioeconomic functions and safeguard citizens' lives, health and basic needs under various forms of stress.This goal is further specified by defining four societal values with corresponding consequence types as shown in Table 1.Vulnerability analysis of the infrastructures and their interdependencies is an essential part of the municipal risk and vulnerability analysis for the societal value named stability, i.e. referring to consequences such as lack of basic provisions and disruptions in daily life.

Terminology
The terminology used in this paper is according to the definitions listed below.The definitions are adapted from DSB (2014), Birkmann et al. (2013), the National Academy of Sciences (2012), ISSMGE ( 2004) and Corominas et al. (2014).
-Adverse event: an event that may result in loss of life, health or stability, monetary losses or damage to the environment, DSB (2014).In this paper the focus is on adverse events in terms of malfunctioning of infrastructure (caused by natural events).
-Consequence: the outcomes or potential outcomes arising from the occurrence of an adverse event, expressed qualitatively in terms of loss, disadvantage or gain; or quantitatively in terms of damage, injury or loss of life, adapted from Corominas et al. (2014).Vulnerability is an important component of the consequence.Consequences could be characterized as direct and indirect.Direct consequences refer to the physical destruction of exposed elements, and indirect consequences refer to the consequences of that destruction, adapted from the Committee on Assessing the Costs of Natural Disasters (1999).In this paper the focus is on the indirect consequences/indirect losses.
-Exposed elements: population, buildings and engineering works, infrastructure, environmental features and economic activities in the area affected by the adverse event (ISSMGE, 2004).
-Resilience: the ability to prepare and plan for, absorb, recover from or more-successfully adapt to actual or potential adverse events (National Academy of Sciences, 2012).
-Risk: measure of the probability and severity of an adverse effect to life, health, property, economic activities or the environment.Quantitatively, Nat.Hazards Earth Syst.Sci., 17, 481-504, 2017 www.nat-hazards-earth-syst-sci.net/17/481/2017/risk = hazard • potential worth of loss.This can be also expressed as the "probability of an adverse event times the consequences if the event occurs" (ISSMGE, 2004).
-Vulnerability: vulnerability refers to the propensity of exposed elements such as physical or capital assets, as well as human beings and their livelihoods, to experience harm and suffer damage and loss when impacted by single or compound hazard events (Birkmann et al., 2013).
Dimensions of vulnerability, adapted from Birkmann et al. (2013), are as follows.
-Physical dimension refers to conditions of physical assets -including built-up areas, infrastructure and open spaces that can be affected by natural hazards.
-Social dimension refers to human welfare, including social integration, mental and physical health, both at an individual and collective level.
-Economic dimension refers to the productive capacity, unemployment and low-income conditions.
-Physical vulnerability indicators refer to properties or characteristics of the infrastructure affecting the probability of malfunctioning (here, due to the occurrence of a natural event).
socio-economic vulnerability indicators refer to factors for human welfare and the productive capacity of the society in relation to the malfunctioning of the infrastructure.
2 State-of-the-art assessment of infrastructure vulnerability and risk

Overview and gaps
Infrastructures have some basic traits in common, such as large size, wide-area coverage, complexity and interconnectedness, but show significant differences in detail.Methods for vulnerability assessment vary with the type of system, the objective of the analysis, the analysis steps and the available information.No all-encompassing method exists, but rather an interplay of methods is necessary to provide trustworthy information about vulnerabilities within and among infrastructures, including the effect of (inter)dependencies (Kröger and Zio, 2011).Methods used for vulnerability and risk assessment of infrastructure include susceptibility functions, economic theory-based approaches, probabilistic modelling, statistical analyses of past events, empirical approaches, risk analysis of technological systems, network-based approaches, agent-based approaches, system dynamics-based approaches, relational databases and use of vulnerability and risk indices (Yusta et al., 2011;Kröger and Zio, 2011;Ouyang, 2014).Meyer et al. (2013) give a broad review of the assessment of costs of natural hazards affecting infrastructure (considering both direct and indirect costs).There are several ways to classify levels and scopes for assessment of infrastructure.Bouchon (2006) divides this into three levels: (i) the level of the infrastructure itself (which could further be subdivided into component level and network level), (ii) the level of the interdependent infrastructures and (iii) the level of dependent territorial, socio-economic, politically dependent sub-systems.Similarly, Giannopoulos et al. (2012) distinguish between sectorial level, when each sector is treated separately and system approaches that assess the infrastructures as an interconnected network and use a system of systems topology.Yusta et al. (2011) refer to two different scopes of modelling infrastructure vulnerability and risk, namely methods and tools to describe the current state of the infrastructure and methodologies and tools that focus on the understanding of the dynamic behaviour of the infrastructure systems, which is based on simulation techniques.The first scope focuses on the study, analysis and understanding of the infrastructure from the earliest stages of construction and assembly.This scope identifies methods, techniques, tools and charts to describe the current state of the infrastructure, and it uses methods of evaluating the threat to obtain a clearer view on the operation of infrastructure.For this, it takes into account each of the possible risks that affect a system and determines their possible consequences.It should be noted that although many of the potential causes of hazards can be detected with this approach, their consequences or impacts are not necessarily perceived or understood.In resilience models for assessing the interaction between hazard and engineered systems, the properties of infrastructure, like robustness, redundancy, resourcefulness, and rapidity, reduce the probability of failures in the systems (Cutter et al., 2008).Solano (2010) reviews and evaluates methodologies to assess vulnerabilities of infrastructures across a number of characteristics.
The second scope focuses on understanding the dynamic behaviour of the infrastructure systems and uses simulation techniques (systems dynamics, Monte Carlo simulation, multi-agent systems, etc.) with which it explores both processes and operation in order to identify the causes of instability in a system infrastructure.Rinaldi et al. (2001) provide an overview of how to identify, understand and analyse interdependencies between infrastructures.To provide a detailed description and modelling of interdependent infrastructures, many relevant data are required and often are inaccessible due to, for example, confidentiality and privacy issues and a reluctance to share data (Ouyang, 2014).In many cases, the risk assessment methodologies for infrastructures are an adaptation of methodologies that have been used for assessing risks within an organization.As a consequence, these methodologies are tailored to the particular needs of this organization and biased to consider only part of relevant threats.Giannopoulos et al. (2012) have identified two main commonly used approaches for the assessment of sectors for a variety of hazards: aggregated impact, where the impact of infrastructure disruption is expressed in terms of aggregated figures that account for the economic losses, and indicatorbased scoring approaches, which resemble a multi-criteria decision analysis in the sense that the final score produced is the weighted mean of several scores.
In the following, special attention is given to methods that apply vulnerability and risk indices or identify factors relevant for vulnerability and risk for infrastructures affected by adverse weather and natural hazards, in particular those of the Federal Ministry of the Interior (2008), Lenz (2009), Merz et al. (2010), Vatn et al. (2009) and Kröger (2008).The Federal Ministry of the Interior (2008) provides guidelines for operators of critical infrastructures, providing a management strategy to identify risks, implement preventive measures and handle crises effectively.Lenz (2009) provides a detailed overview of the vulnerability of critical infrastructures, distinguishing between indicators relevant for vulnerability of critical infrastructure and for coping capacity.Merz et al. (2010) go through various aspects of the assessments of economic flood damage.Vatn et al. (2009) has developed a methodology that identifies adverse events as well as risk and vulnerability factors which may affect the likelihood and consequences of undesirable events.Kröger (2008) discusses the most significant factors related to the risks faced by critical infrastructures.These include societal, system-related, technological, institutional and natural factors, with a special focus on issues associated with the increasing interdependence between infrastructures.Even if these methods identify vulnerability indicators, they do not contain explicit procedures for estimation of risk levels based on the indicators, lacking either schemes for ranking or aggregation of the indicators or for the relation between risk levels and vulnerability indicators.

Scope of study
To utilise resources efficiently, the risk assessment is performed at different levels of detail, starting with a coarse analysis to decide for which areas or scenarios further analyses are necessary and subsequently increase the degree of detail and limit the scope to the most critical scenarios or areas.The coarsest analyses include methods like structured interview and brainstorming, checklists, preliminary hazard analysis, hazard and operability study (HAZOP), What If Technique (SWIFT) and scenario analysis (IEC/FDIS 31010, 2009).In these methods, subjective assessments and considerable use of expert judgment are necessary.For such analyses, both diversity and depth of expertise are essential to ensure satisfactory quality and consistency of the analysis results, avoiding too-coarse assessments or overlooking important events.On the other hand, detailed quantitative analyses for the assessment of the interdependent infrastructures and society depending on the infrastructures, e.g.simula-tion techniques or economic theory approaches, are often too complex and time consuming to be applied as a tool to identify the most critical risk scenarios.An alternative tool for screening the potential scenarios in a systematic, transparent and repeatable way could bridge this gap.This paper proposes an explicit methodology for such screenings, with the purpose of comparing scenarios and providing an overview of the risks associated with each of the identified scenarios.The application of the method within the municipal risk and vulnerability analysis in Norway will be described in the next section.
The aim of the work presented in this paper is to propose a comprehensive and user-friendly method for identification and assessment of natural events leading to the malfunctioning of infrastructure.The method is designed to be consistent with, and a supplement to, the guidelines for municipal risk and vulnerability analysis in Norway, provided by the Norwegian Directorate for Civil Protection, DSB (2014).According to these guidelines, the analysis consists of the following stages: 1. identifying adverse events (considering threats within or outside the municipality, but with consequences for the municipality), 2. assessing risk and vulnerability of adverse events, 3. providing an overview of the risks associated with each of the identified adverse events (stage 1 above), 4. following-up and 5. reporting.
The explicit method proposed in this paper targets the second and third stages in the municipal risk and vulnerability analyses: assessing risk and vulnerability of adverse events and providing an overview of the risks associated with each of the identified adverse events in the municipality.The proposed method is used to give a coarse overview of the risks used for preliminary sorting of the adverse events.A more-detailed analysis of the events is used as basis for decisions regarding risk acceptance, follow-up and mitigation.We chose not to include explicit criteria or risk thresholds for recommendations regarding the follow-up, both because each municipality must adapt the criteria for follow-up to their own situation and capacity (scenarios with the highest risk must be prioritised regardless of risk acceptance), and because the method is a coarse analysis where the scale is relative and difficult to link to quantitative risk acceptance criteria.
The proposed method is applicable to the main infrastructures (electricity supply, water supply, transportation, and information and communications technology, ICT) and to provide support for analysis of threats from natural events, for planning and preparedness, and for prioritisation of riskreduction measures.The focus will be on the infrastructures of electricity supply, water supply and transportation.They share a number of similarities such as large size, wide-area coverage, complexity and interconnectedness.
Strategies for risk reduction fall into two categories: those that minimise the probability of infrastructure malfunctioning, and those that minimise the negative effects of a malfunctioning (IRGC, 2007).The proposed method takes into account the vulnerabilities of infrastructure and barriers that affect the probability of infrastructure malfunctioning.It also considers factors affecting the socio-economic consequences of malfunctioning of the infrastructure.The scope is schematically illustrated in Fig. 1, using and demonstrating terminology defined in the following.
Figure 1 shows a cause and effect diagram with causes of the infrastructure malfunctioning, influenced by the physical vulnerability of the infrastructure to the natural event on the left side, and consequences of this malfunctioning, influenced by the socio-economic vulnerability on the right side.Malfunctioning of infrastructure refers to an interruption (partly or fully) of the services provided by the infrastructure.The scenarios could be controlled using barriers which could prevent causes of malfunctioning of the infrastructure and barriers for mitigation and recovery controls, i.e. barriers that limit the consequences of the malfunctioning.Barriers could be physical or organisational, including human behaviour.
The indicators identified as the most important for the scope of this paper are based on generic indicators from the literature, as described in Sect.2.1.The indicators were thought to be relevant for assessing the exposure and vulnerability levels and for the resulting risk level (Institute of Operational Risk, 2010).They should be measurable, at least on a relative scale, in order to enable comparison between different times or different study areas.The ranking of the indicators should be based on data available to the stakeholders or on the local knowledge of the stakeholder.The selected indicators are summarised below.
-Robustness: the physical robustness of risk elements (in particular facilities, equipment, buildings) is an important factor determining damage levels caused by an extreme event (Federal Ministry of the Interior, 2008; Lenz, 2009).
-Buffer capacity: buffer capacity means that the systems impacted by an event have redundancy or auxiliary capacity to sustain service to a certain degree and for a certain time (Federal Ministry of the Interior, 2008; Lenz, 2009).
-Level of protection: robustness/strength of barriers protecting an exposed element (i.e. a structure or a lifeline) from a threat (Federal Ministry of the Interior, 2008;Lenz, 2009).
-Quality level/level of maintenance and renewal: to ensure appropriate quality of the infrastructure, it needs to be maintained and renewed systematically (Lenz, 2009;Vatn et al., 2009).
-Adaptability: ability to adapt to changing framework conditions makes the infrastructure less vulnerable (Federal Ministry of the Interior, 2008).
-Quality in operational procedures: the vulnerability of the infrastructure depends on how well it is operated (Vatn et al., 2009;Kröger, 2008).
-Transparency/complexity/degree of coupling: the complexity of the infrastructure and its dependency on single components to work, contributes to a higher vulnerability (Perrow, 1984;Federal Ministry of the Interior, 2008;Vatn et al., 2009;Kröger, 2008).
U. M. K. Eidsvig et al.: Assessing the risk posed by natural hazards to infrastructures -Redundancy/substitutes: if there is an outage or reduced capacity in the infrastructure, it is easier to handle if there are back-ups or substitutes for the infrastructure (Federal Ministry of the Interior, 2008;Vatn et al., 2009;Lenz, 2009).
-Restoration effort/duration: restoration effort refers to the effort needed to restore a damaged element including monetary costs as well as time and staff resources needed (Federal Ministry of the Interior, 2008;Vatn et al., 2009;Lenz, 2009).
-Preparedness: an outage of an infrastructure is easier and more-quickly restored or better handled if the situation has been prepared for (Lenz, 2009;Vatn et al., 2009;Merz et al., 2010).
-Early warning, emergency response and measures: if the warning time is sufficiently long, an early warning system combined with emergency response and measures may reduce the consequences of an infrastructure outage (Merz et al., 2010).
-Cascading effects and dependencies: the definition and content of the term cascading effects are discussed by Pescaroli and Alexander (2015) and, in short, referred to as a "chain sequence of interconnected failures" or as second-order/higher-order effects (Rinaldi et al., 2001).
Cascading effects and dependencies of other societal functions on the infrastructure increase the societal consequences of the infrastructure loss (Vatn et al., 2009Federal Ministry of the Interior, 2008;Lenz, 2009).

Methodology
The method presented in this paper covers Level 2 of a threelevel analysis for risk identification and risk assessment, with an increasing degree of detailing and quantification.
-Level 2: semi-quantitative analysis to rank the risk, i.e. screening of the scenarios of natural events threatening the infrastructures (identified in the level 1 analysis), in which the scenarios with potential highest risk are identified.
-Level 3: quantitative analysis, i.e. detailed analysis of the scenarios identified in the level 2 analysis.
The second level consists of a semi-quantitative ranking of the risk and is a mixture of a quantitative approach and an indicator-based approach.The quantitative part of the approach is anchored in the probability and consequence categories suggested by DSB (2014) (Tables 1 and 2).As illustrated in Fig. 1, the risk is governed by causal factors, influencing the likelihood of the malfunctioning of the infrastructure, as well as factors relevant for the socio-economic

Physical vulnerability indicators
Step 1 Step 2 Step 3 Figure 2. Illustration of the method for semi-quantitative analyses.The indicators with dotted frames are assessed quantitatively for an initial categorisation of the probability and consequence (Step 1).The physical and socio-economic vulnerability indicators (dash-dot frames) are assessed semi-quantitatively (Step 2).The information from the first two steps is aggregated in the third step to assess the probability of infrastructure malfunctioning and the severity of the consequences.
out being affected, is sufficiently protected against the natural event, fulfils high quality requirements (i.e. is new or well maintained), has the ability to adapt to changing framework conditions, is well operated and is not dependent on single components to work.The chosen indicators for the socio-economic vulnerability in this study include the following: redundancy/substitutes of the infrastructure in the study; cascading effects and dependencies; preparedness; early warning, emergency response and measures.
The duration of the infrastructure malfunction is included quantitatively in the consequence assessment (see Fig. 2 and Table 3).Thus, the indicator restoration effort/duration is omitted here to avoid double counting.Risk managers could look to optimise the values of the socio-economic vulnerability indicators (as listed above) by ensuring that there are back-ups or substitutes to the infrastructure that could provide the same service, that there are minimum dependencies of other societal functions on the infrastructure, that the malfunctioning of the infrastructure has been prepared for and that there is an early warning system combined with an emergency response and measures to mitigate the consequences.
Figure 2 shows that risk could be decomposed into the probability of an adverse event and the consequences if the event occurs, as in traditional risk assessment approaches and in accordance with the definitions in the terminology section.However, here, the adverse event is not the natural event itself, in contrast to what is usual within natural science, but rather the malfunctioning of infrastructure caused by a natural event.The methodology presented in this paper is adapted to be in accordance with the guidelines of the Norwegian Directorate for Civil protection (DSB, 2014).In these guidelines, the addressed probability is the probability of an adverse event involving, for example, a natural event causing material destruction, i.e. not the probability of the natural event itself.Similar subdivisions are found in DSB (2014), Lenz (2009), IRGC (2007), and the Committee on Assessing the Costs of Natural Disasters (1999): "It is useful to distinguish between the physical destruction caused by natural disasters to human beings and property and the consequences of that destruction".The consequences referred to are indirect consequences in terms of the societal value "stability".Figure 2 illustrates the content of the explicit proposed method for semi-quantitative risk assessment.The next subsection presents a more-detailed description of the analysis steps of that method.

Methodology for semi-quantitative risk assessment
(level 2 analysis) The method proposes to perform the semi-quantitative risk assessment in three steps (Fig. 2) outlined in the following. - Step 1: initial categorisation of the probability and consequence of the top event (natural hazards causing malfunctioning of the infrastructure). - Step 2: vulnerability assessment, i.e. the ranking of the vulnerability indicators and estimation of the physical and socio-economic vulnerability scores.
-Step 3: final categorisation of probability and consequence, based on the initial categorisation and results from the vulnerability assessment.

3.1.1
Step 1: initial categorisation of probability and consequence of the top event (natural hazards causing malfunctioning of the infrastructure) In the initial probability classification, the analyst needs to assign the probability of the natural event into one of five quantitatively defined probability categories.The categories range from an annual probability lower than 0.1 % (probability category A) to an annual probability higher than 10 % (probability category E).Table 2 shows the scheme for the categorisation into categories A-E.These probability categories correspond to the categories suggested in DSB (2014).
In the initial consequence categorisation, the analyst needs to assign the consequences into one of five consequence categories.In this step, the consequences are determined by the combination of duration of the infrastructure malfunctioning and the number of users served by the infrastructure.The lowest consequence category (consequence category 1) corresponds to relatively few users combined with short duration, while the highest consequence category (consequence category 5) corresponds to a relatively high number of users combined with a long malfunction duration.The boundary of the categories of users and duration are defined such that the number of person days (i.e. the product of persons and days) increases exponentially with the consequence categories.Table 3 shows the scheme for the categorisation of consequence into consequence categories 1-5.

3.1.2
Step 2: vulnerability assessment, i.e. the ranking of the vulnerability indicators, estimation of the physical and socio-economic vulnerability scores The vulnerability assessment is performed using an indicator-based approach.This type of approach enables the combination of information from different sources and different formats, e.g.qualitative and quantitative data.The indicators are grouped into physical vulnerability indicators and socio-economic vulnerability indicators.First, in the vulnerability assessment, each of the vulnerability indicators are assigned an integer score value on the scale 1-5, with 1 meaning the lowest vulnerability and 5 meaning the highest vulnerability.To limit the use of subjective interpretation of the user, and to make the method easy to use, a description for each score level for each indicator is provided in Tables 4  and 5. Second, it is beneficial, both for the sake of simplicity and in order to formulate user-friendly explicit procedures, to estimate one aggregated physical vulnerability score and one aggregated socio-economic vulnerability score.There are different ways of performing such a combination.The Department for Communities and Local Government (2009) and JRC (2008) give an overview on how to undertake and make the best use of multi-criteria analysis techniques.Approaches for combining the indicators may be to, for example, estimate arithmetical or geometric averages, to perform a fuzzy set analysis or to apply a multi-criteria decision approach.In this paper it is chosen to aggregate the indicator scores into two vulnerability scores: (i) a physical vulnerability score, estimated as a weighted average of the individual score of the physical vulnerability indicators, and (ii) a socio-economic vulnerability score, estimated as a weighted average of the individual score of the socio-economic vulnerability indicators.Each indicator is weighted based on its overall degree of influence.The weights vary with the scale, type and importance of the infrastructure in the study.The weighting system is introduced to account for the relative importance of each indicator for the total vulnerability level.If all the indicators are believed to be of equal significance, equal weighting should be applied.Techniques to determine weights include expert judgment, the analytical hierarchy process (AHP), principal component analysis and factor analysis (JRC, 2008).In the case examples presented in this paper, the weights are chosen based on experience and local knowledge, on the scale of 1 (least influential), 2 (moderately influential) or 3 (most influential).The final vulnerability estimate is formulated as a weighted average of the individual indicator scores, where the score for each indicator is multiplied with its corresponding weight: (1)

Weighted average vulnerability =
Table 4. Criteria for ranking of the physical vulnerability indicators and barriers affecting the probability of infrastructure loss.For each indicator, the criteria for score values 1-5 are described, where score value 1 corresponds to the lowest vulnerability and 5 to the highest vulnerability.

Physical vulnerability indicator
Criteria for choice of score value 1-5

Robustness and buffer capacity 1
The infrastructure is robust towards the natural event and/or could withstand the natural event for a duration more than 2 times the median duration of the natural event. 2 The infrastructure is quite robust towards the natural event and/or could withstand the natural event for 1-2 times the median duration of the natural event. 3 The infrastructure could withstand the natural event if the intensity is low-medium and/or the duration is 0.5-1 times the median duration of the natural event. 4 The infrastructure could only withstand the natural event if the intensity is low and the duration is less than 0.5 times the median duration of the natural event.
5 The infrastructure is fragile to the natural event.

Level of protection (including physical 1
Infrastructure is not exposed to, or well protected from, the mitigation measures and exposure) natural event.3 Some planning of renewal and maintenance.

4
Scarce planning of renewal and maintenance.Shortage of resources.
5 Corrective maintenance only and ageing infrastructure.

Adaptability and quality in operational 1
Infrastructure is operated by an operator and staff with long procedures experience and/or a high ability to adapt to changing framing conditions.

2
Infrastructure is operated by an experienced operator and/or ability to adapt to changing framing conditions.

3
Infrastructure is operated by an operator with some experience and/or some ability to adapt to changing framing conditions.

4
Infrastructure is operated by an operator with very limited experience and/or a low ability to adapt to changing framing conditions.

5
The infrastructure is operated by an unexperienced operator/staff and/or a minimum ability to adapt to changing framing conditions.
Transparency/complexity/degree of 1 The system is not dependent on the exposed part of the coupling infrastructure to work and is, to a low extent, dependent on single components to work.

2
The exposed component interacts with a few other components with a low degree of coupling. 3 The exposed component interacts with many components and the system has a high degree of coupling.

4
The exposed component is part of a system with a high degree of complexity.

5
The exposed part of the infrastructure is a component in a system with a high degree of complexity and coupling.
The flexibility introduced by allowing weight adjustments, combined with the generic formulation of the indicators, makes the method suitable to different types of infrastructures and different types of natural events.All the steps of the procedure are implemented on an Excel work sheet to provide a simple and user-friendly tool for the risk assessments, described below.
a. Physical vulnerability assessment: score values 1-5 need to be assigned to each of the physical vulnerability indicators.A choice of score value 1 implies a low physical vulnerability of the infrastructure, indicating high robustness and high buffer capacity, a high level of protection against the analysed natural event, a high quality level, a new or very well-maintained infrastructure, a high degree of adaptability and quality in operational procedures, a high degree of transparency and that the infrastructure system has a manageable degree of complexity and coupling.Score value 5 implies that the analysed infrastructure has a severe weakness with respect to the analysed indicator, which means that the indicator contributes to a high physical vulnerability.The criteria chosen to describe the physical vulnerability for each indicator are outlined in Table 4.After the scoring of the indicators, the physical vulnerability score is estimated using Eq. ( 1) for the physical vulnerability indicators.
b. Socio-economic vulnerability assessment: score values 1-5 need to be assigned to each of the socioeconomic vulnerability indicators.A choice of score value 1 implies that the society has an optimized solution with respect to the analysed indicator and infrastructure, contributing to lower socio-economic vulnerability.This is the case if the society has parallel systems to the infrastructure or substitutes that could offer the same services as the analysed infrastructure, if the infrastructure is less important for the society and the malfunctioning is not associated with potential cascading effects, and if there are routines for preparedness and an emergency response to mitigate the consequences.Score value 5 implies that the society is especially vulnerable to the malfunctioning of the infrastructure with respect to the analysed indicator, i.e. the indicator contributes to a higher socio-economic vulnerability.The criteria chosen to describe the socio-economic vulnerability for each indicator are outlined in the scheme in Table 5.After the scoring of the indicators, the socioeconomic vulnerability score is estimated using Eq. ( 1) for the socio-economic vulnerability indicators.

Step 3: final categorisation of probability and consequence, based on the initial categorisation and results from the vulnerability assessment
The aggregation of steps 1 and 2 into final probability and consequence categories is described below.
a. Final probability category of the adverse event: the difference between the probability of the natural event (as assessed in Step 1) and the probability of the adverse event (i.e.infrastructure malfunctioning) is assessed using the physical vulnerability score.The assessment is based on the definition of conditional probability and a quantitative interpretation of the vulnerability score, as a proxy for the probability that the natural event in study will lead to infrastructure malfunctioning.Expressing the relation between the probability of the adverse event and the natural event using conditional probability, yields: P (infrastructure malfunctioning caused by natural event) = P (natural event) • P (infrastructure malfunctioning| natural event). (2) The physical vulnerability score could serve as a proxy for the conditional probability P (infrastructure malfunctioning|natural event).  2 There are alternatives or back-up systems for the infrastructure, which implies few disadvantages for the users.

3
There are alternatives or back-up systems for the infrastructure, but with limited capacity or which implies disadvantages for the users.

4
There exist alternatives, but with low (insufficient) capacity or which imply major disadvantages to the users.
5 There are no back-up systems or practical alternatives.

Cascading effects and 1
The exposed infrastructure is of negligible importance for societal dependencies functions, with no potential cascading effects.

2
The exposed infrastructure has little importance for societal functions, with potentially small cascading effects.

3
The exposed infrastructure has moderate importance for societal functions, with potentially moderate cascading effects.

4
The exposed infrastructure has considerable importance for societal functions, with potentially considerable cascading effects.
5 Important societal functions depend on the exposed infrastructure.Malfunctioning of the infrastructure would potentially have large cascading effects.
Preparedness 1 Very high risk awareness regarding the natural event, exhaustive emergency response plans are available and frequent targeted drills.
2 High risk awareness regarding the natural event, emergency response plans are available and targeted drills are performed.
3 Some risk awareness regarding the natural event and simple emergency response plans are available.
4 Low risk awareness and insufficient emergency response plans.

5
Lack of risk awareness and knowledge about the natural event, with no explicit emergency response plans.
Early warning, emergency 1 The event is usually predictable well ahead of time and there is enough response and measures time for early warning.Thoroughly prepared routines exists for warning and the implementation of measures to mitigate the consequences of the natural event. 2 The event is usually predictable in time for early warning.There exist routines for warning and the implementation of measures to limit the consequences of the natural event. 3 The natural event can potentially be predicted, but the routines for warning are insufficient; the warning time is short or the mitigation action could potentially only have a small mitigating effect on the consequences.

4
Low predictability and very short warning time or mitigation action could potentially only have a minor mitigating effect on the consequences.

5
It is not possible to predict the natural event or there exist no known mitigation measures to limit the consequences.
Table 6.Indicative criteria for determining the probability category using vulnerability indicators and adaptation of initial categorisation to final categorisation.

Physical Adjustment of probability category vulnerability score
Low (e.g.< 2) The final probability category is two categories lower than the initial one.Medium (e.g.2-3.5)The final probability category is one category lower than the initial one.High (e.g.> 3.5) The final probability category is equal to the initial one.
a high physical vulnerability score, then this probability is approximately 1 and Eq. ( 2) reads P (infrastructure malfunctioning caused by natural event) ≈ P (natural event). (3) The probability that the infrastructure will fail (due to the natural event) is thus similar to the probability of the natural event and, consequently, the final probability categorisation is equal to the initial one (assessed in Step 1).
On the other extreme, if the physical vulnerability score is very low, the conditional probability, P (infrastructure malfunctioning|natural event), is low -e.g. in the order of 10 %, the relation yields P (infrastructure malfunctioning caused by natural event) ≈ 0.1 • P (natural event).( 4) Accordingly, a multiplication of the probability with 0.1 corresponds to a reduction in probability category (A-E, as shown in Table 2) of 1-2 categories, based on the quantitative relationship between the probability categories, i.e.P (infrastructure malfunctioning caused by natural event) is 1-2 probability categories lower than P (natural event).The step from the P (natural event), used in the initial categorisation, to P(infrastructure malfunctioning caused by natural event), assessed in the final categorisation, is thus accounted for through an adjustment of the probability categories.The physical vulnerability score is applied to adjust the probability category according to the suggested criteria shown in Table 6.However, judgment should be used when applying these criteria, taking into account, for example, whether the probability of the natural event belongs to the lower range within the category or to a higher range and whether one of the vulnerability indicators is considered as having a much higher importance than the others in the analysed case.
b. Final consequence categorisation: the socio-economic vulnerability score affects the socio-economic consequences of the infrastructure malfunctioning.The final consequence category depends on the duration of the infrastructure malfunctioning and the number of infrastructure users (as assessed in Step 1) as well as the socio-economic vulnerability score.
Adjustment of the consequence category: the number of people affected by the malfunctioning infrastructure could be higher or lower than the number of infrastructure users, depending on how the situation is handled and how important the malfunctioning infrastructure is for the society.The socio-economic vulnerability score is a proxy for the societal capacity to maintain its functions without the specific infrastructure and to cope with malfunctioning infrastructure.Accordingly, if the socio-economic vulnerability score is low, then the number of affected people will be lower than the number of infrastructure users, e.g. if the infrastructure malfunctioning is managed well and substitutes for the service provided by the malfunctioning infrastructure are established.Accordingly, the final consequence category should be adjusted down from the initial consequence category, as assessed by using Table 3.However, if the socio-economic vulnerability score is high, then the number of affected people will be higher than the number of infrastructure users, e.g. if there are large cascading effects.Then, the final consequence category could be higher than the initial one.The socio-economic vulnerability score is applied to adjust the consequence category according to the suggested criteria in Table 7.
When steps 1-3 are performed, each analysed scenario is assigned a probability category (A-E) and a consequence category (1-5).The risk level is determined by the combination of these, subdivided into seven risk levels as shown in Table 10.Even if the vulnerability is assessed relatively, the initial classification is quantitative and each cell could therefore be anchored in quantitative risk estimates.By applying the quantitative criteria as a basis to assign a risk range to each cell in the risk matrix, it may be shown that the diagonal lines in the risk matrix approximately represent equivalent risk levels, i.e. that the risk is largely equal along diagonal lines.The approach is useful for prioritisation of mitigation measures, e.g.those that give priority to a certain sector ahead of another.Explicit criteria or risk thresholds for recommendations regarding the follow-up and risk acceptance are not given, both because each municipality must adapt the Table 7. Indicative criteria for determining the consequence category using vulnerability indicators and adaptation of initial categorisation to final categorisation.

Socio-economic Adjustment of consequence category vulnerability score
Low (e.g.< 2) The final consequence category is one category lower than the initial one.Medium (e.g.2-3.5)The final consequence category equals the initial one.High (e.g.3.5-5) The final consequence category is one category higher than the initial one.criteria for follow-up to their own situation and capacity (scenarios with the highest risk must be prioritised regardless of risk acceptance) and because the method is coarse, with a relative risk scale making it difficult to relate to objective risk acceptance criteria.

Demonstration examples for the municipalities of Stryn and Hornindal
The methodology proposed in Sect. 3 was tested and demonstrated through application examples for the municipalities Stryn and Hornindal.Stryn and Hornindal are municipalities in the county Sogn og Fjordane in Western Norway.The characteristics for the area are the combination of fjords, glaciers, rivers and lakes.There are tall and steep mountains, deep valleys with forested and fertile mountainsides and valley floors.The municipalities are situated just west of the water divide separating Western and Eastern Norway (Fig. 3), with strong orographic effects on precipitation and weather.The industries are varied, but consist mainly of small and medium size industrial establishments.The main road overcrossing the mountain has a rather high proportion of utility transportation (Fakta om Stryn, 2017).The study area is exposed to different types of natural hazards, especially landslides and avalanches, including floods and storms, which need to be considered during the development of infrastructure and residential and commercial buildings in the municipality.Natural hazards have affected infrastructure repeatedly in the past (Stryn kommune Rådmannsavdelinga, 2014).
Based on the qualitative municipal risk and vulnerability analysis for Stryn and Hornindal, as described in Stryn kommune Rådmannsavdelinga (2014), the following site-specific scenarios were selected for testing of the proposed method:  3. snow avalanche overrunning main road 724 to Oldedalen; 4. storm leading to failure in electricity distribution and communication to the municipal centre; 5. landslide across main road E39 at Skredestranda; 6. ice jam breakup in the Storelva river in Hornindal and failure in sewage system; 7. storm leading to the closure of the ferry service between Anda and Lote.
The location of these scenarios is indicated in Fig. 4. As Fig. 4 shows, the analysis also considers scenarios located outside the municipalities that may affect the municipalities.Explanations for the risk assessment of the scenarios are provided in Appendix A.

Results
The main aim of the analyses was to demonstrate the methodology and test its usefulness, rather than the actual results.The results are, to a large extent, based on expert judgment and should be considered as preliminary.The ranking was performed together with a representative for the stakeholders in Stryn, who was leading the municipal risk and vulnerability analyses in Stryn and Hornindal in 2014 and who was knowledgeable about the hazard and risk situation in the area.
The resulting ranking of the vulnerability indicators for each of the scenarios are presented in Table 8.The initial and final categorisation of probability and consequence, as well as the basis for the categorisation (i.e. the frequency or probability of the natural event, the duration and number of people served by the infrastructure), are shown in Table 9. Explanation of and reasoning for the ranking is given in Appendix A. The method has been implemented in an Excel sheet in which the ranking, weighting and calculations have been performed.
The results of the analyses are placed in a matrix with increasing severity of consequence along the first axis and increasing probability along the second axis (Table 10).The corresponding risk level is determined by location in the matrix, subdividing the risk into seven risk levels illustrated with colour codes.In this way, the risk associated with each of the scenarios could easily be compared and the most critical scenarios identified.
As Table 10 shows, the ranking of the risk associated with the analysed scenarios is as follows.
-Risk level 7: storm leading to failure in electricity distribution and communication to the municipal centre; landslide across main road E39 at Skredestranda.
-  -Risk level 4: ice jam breakup in the Storelva river in Hornindal; failure in sewage system; storm leading to closure of the ferry service between Anda and Lote.
None of the analysed scenarios ended up being low risk scenarios.This is unsurprising, since the selected scenarios are based on generic scenarios, identified in Stryn kommune Rådmannsavdelinga (2014), that are believed to pose significant risk to the municipalities.In addition, in order to facilitate the data collection for the site-specific scenarios, previ-ous events were tested to demonstrate the application of the model.
The results of the analyses provide a better overview of the relevant risks and vulnerabilities and contribute to an increased awareness in the municipalities.Knowledge about risk and vulnerability associated with the identified scenarios is an important first step to reduce the risk.Risk reduction is especially important for the scenarios with the highest risk, e.g. at risk level 6 and risk level 7.All the three scenarios with a landslide or avalanche across roads emerge as  the most critical scenarios, in addition to the failure in electricity and communication caused by storms.The risk could either be reduced by reducing the probability of the scenario (e.g. through implementation of physical mitigation measures for landslides on the most exposed parts of the road) by reducing the associated consequences (e.g. through an improvement of the socio-economic vulnerability indicators, such as establishing redundant infrastructure systems).Through systematic and repeated risk analyses, as described in Sect.2.2 and in DSB ( 2014), followed by associated risk management actions, the municipality can move step by step towards increased safety and stable infrastructure services for the inhabitants.

Usefulness and advantages
The purpose of the municipal vulnerability and risk analysis is, among others, to provide an overview of adverse events that pose a risk to the municipality, assess risk and vulnerability across sectors, and provide a basis for objectives, priorities and decision making for civil protection and emergency planning in the municipality.It is also within the responsibility of the municipalities to help maintain critical societal functions during and after adverse events.The proposed method is designed to be consistent with, and a supplement to, the guidelines for municipal risk and vulnerability analysis in Norway provided by the Norwegian directorate for Civil Protection, DSB (2014).The focus of the method, as described in Sect.3, is to propose a tool for the screening of the potential scenarios of malfunctioning infrastructure caused by natural events in an explicit, systematic, transparent and repeatable way that could be applied at the semiquantitative second level in a three-level approach.Due to interdependencies between the infrastructures and societal dependencies, a full analysis of risk associated with infrastructure systems is a complicated and labour intensive task.The three-level strategy offers a practical approach to reduce the analysis effort related to the risk assessment (Liu et al., 2015;Bowles et al., 2013).The proposed method is a risk assessment method with low to intermediate precision and resolution.Application of the method assigns a relative risk level to each of the scenarios, where risk level 1 implies the lowest risk and risk level 7 the highest risk.
The risk ranking provides a useful basis for prioritisation, where the scenarios with the highest risk levels should be analysed further and followed up, e.g. by giving priority to one sector over another.The scenarios associated with the highest risk also form the basis for the allocation of resources to preparedness in the municipality, including execution of emergency management drills.The risk expressed by risk levels serve, due to their simplicity, as a good tool to compare risk between different scenarios and thus also to communicate the risk (Oboni and Oboni, 2013).
There is no all-encompassing method available to analyse all aspects of infrastructure risks, but different methods serve different purposes and have different advantages (and disadvantages).The advantages with the proposed method is that it is generic and has a very broad scope (applicable for assessment of socio-economic risk associated with malfunctioning in different infrastructure sectors).It aims to be applicable within the main types of infrastructure (electricity supply, water supply and transportation).Methods are often tailored to the particular needs of the sector they are defined within (Giannopoulos et al., 2012).Risk assessment methods are a compromise between the time and cost (and data) necessary to perform the analysis, and its ability to offer information at a level of detail allowing the risk manager to understand the risk (and resilience) and allowing informed and efficient decision making.Indicator approaches applying a weighted mean of several scores (as in this method) are often used in sectorial approaches (Giannopoulos et al., 2012).Indicators are useful for reducing complexity, measuring progress, mapping and setting priorities and they could serve as an important tool for decision makers (Cutter et al., 2008).The proposed method serves the purpose of screening scenarios of natural events threatening critical infrastructure in a municipal risk and vulnerability analysis, even if it does not allow a detailed study of the risk and vulnerability.The method is comprehensive, yet fast.It does not require a large amount of data.The indicator-based approach for the vulnerability assessment enables a combination of different types of data from different sources and knowledge domains and on different formats.However, the user needs to have a comprehensive knowledge of the local conditions, properties of the infrastructure and how the infrastructure is operated.The user also needs to be aware of the hazard situation in the area, with respect to natural events, and be capable of assessing the frequency of the hazard and the importance of the various vulnerability factors for the infrastructure.
The method's purpose is to invite municipal stakeholders with different types of expertise to a collaborative effort.A representative for the stakeholders in Stryn helped in testing the method and found it (and the excel sheet in which the method was implemented) useful.It is desirable that the municipalities lead this analysis themselves, in order to ensure that the analysis is followed up and forms an integrated part of municipal risk management.The preparation of the municipal risk and vulnerability analysis is also a learning process, which may increase risk awareness.The proposed method guides the user with respect to which vulnerability factors to assess, both for assessment of the probability of the infrastructure malfunctioning and the societal consequences.It provides, through the explicit ranking criteria, guidance for the assessment of how each indicator contributes to the overall vulnerability and how to aggregate the information into a final result, even if some judgment is required when using the method.
The proposed method could, in addition to the risk ranking, provide implicit guidance on how to reduce the vulnerability and, consequently, also the risk.The method assesses several aspects of vulnerability and resilience, and the results from the physical and socio-economic vulnerability assessment could be used to identify the indicators contributing most to the vulnerability for each case.Special attention should be paid to indicators with a high vulnerability score, especially in combination with high importance, i.e. a high weight.The identification of the most critical indicators helps identify where to focus further efforts.Within the application examples in Sect.4, the scenarios with the highest risk were scenario 4, storm leading to failure in electricity distribution and communication to the municipal centre, and scenario 5, landslide across main road E39 at Skredestranda.For scenario 4, almost all of the physical vulnerability indicators were assigned a score value of 3, except for the transparency/complexity/degree of coupling indicator, which was assigned a value of 2. The most important physical vulnerability indicators were considered to be related to robustness and buffer capacity and level of protection.In order to reduce the probability of infrastructure malfunctioning in the most efficient way, measures involving an increase in the robustness and/or buffer capacity of the electricity network as well as measures involving protection of the network should be considered.The socio-economic vulnerability indicators, redundancy/substitutes and cascading effects and dependencies were assigned a score of 4 and were both considered to be of high importance.To efficiently reduce the socio-economic consequences, measures to reduce these vulnerabilities should be considered, e.g.investing in substitutes to the electricity distribution, like gasoline, diesel or wind power generators, batteries or solar panels.Today, society is highly dependent on electricity.Reduction of this dependency will be complicated in general, but it can also cover a wide range of distributed initiatives, e.g.implementing electricity-independent central heating systems.

Limitations, uncertainties and future needs
Semi-quantitative, indicator-based methods will necessarily require the use of (knowledge-based) judgment and accord-ingly be associated with subjectivity and uncertainties, both within the definition of the method and the use of the method.Indicators are commonly used in vulnerability and resilience assessment, since it is often difficult to quantify vulnerability and resilience in absolute terms without any external reference with which to validate the calculations.Indicators are typically used to assess relative levels of vulnerability and resilience, either to compare between places or to analyse trends over time (Cutter et al., 2008).Assigning score values to the indicators requires interpretation and subjective judgment.This is thought to reduce the effect of subjective interpretation through descriptions of the different score levels for each indicator.The method is applicable for different infrastructures (electricity supply, water supply and transportation) and uses generic factors for infrastructure vulnerability.Therefore, the need for precise descriptions of criteria for ranking of the indicators to limit the effect of subjectivity, needs to be balanced against descriptions that are general enough to be valid for the different infrastructures.In addition, the interpretation of the data used to rank the indicators requires subjective judgment, especially when using qualitative data.In this paper, an indicator-based approach is combined with an initial quantitative categorisation, based on explicit quantitative criteria, with the purpose of increasing transparency and reducing the effect of individual interpretation on the results.The anchoring of the risk categories in the quantitative categories enables and justifies the comparison between risk levels resulting from the use of the method for different scenarios.However, in this study, the quantitative, initial categorisation of probability and consequence governs the outcome of the risk analysis, and this categorisation is dependent on the quality of the background knowledge.
The weighting system and linear weighted average approach to aggregate the indicators could be improved and made more sophisticated.However, the level of sophistication need to be balanced against the user friendliness with respect to the use of the method and understanding of the results.Linear averaging (as applied in this method) implicitly assumes that the indicators are independent of each other and that their influence is independent of the scoring of other indicators.Accordingly, a high vulnerability associated with one indicator could be compensated by a low vulnerability associated with another indicator.This is only partly true.A mixture of geometric and linear averaging will be considered in further developments of the method, where (partly) dependent indicators will be averaged geometrically, e.g.indicators for preparedness and early warning systems.The weighting system will also be redefined to allow weights that express a larger difference in importance than the choice between integer weights 1, 2 or 3 does.These weights were introduced for simplicity, to make the method easy to use.A possible improvement of the method would be to allow a continuous range of weights, i.e. in the range between 0 and 1, e.g. as applied by Kappes et al. (2012) and Nadim et al. (2006).In addition, these weights could be determined through an an-alytical hierarchy process, rather than by direct expert judgment.
Finally, there are uncertainties associated with the interpretation of the results, as each risk level corresponds to a range of risks.The uncertainty within each risk level should be kept in mind when interpreting the results and comparing risk levels.The accuracy of the method is lower than for a purely quantitative assessment and cannot be immediately used for cost-benefit analyses for mitigation strategies.Whenever possible, the method should be compared with and calibrated against quantitative data from real events corresponding to the scenario.The probability of infrastructure malfunctioning obtained by the method could be calibrated against empirical data on the frequency of infrastructure malfunctioning, where such data exist.For the socioeconomic consequences, however, a calibration is more difficult, as they refer to indirect consequences and not to a measurable quantity.The most relevant data for comparison and calibration would be other estimated data after an occurred event, such as indirect economic losses or a combination of data on the duration of the infrastructure malfunctioning and estimated numbers of people affected by the malfunctioning.

Conclusions
This paper shows the development and demonstration of a method for screening of scenarios posing a potential high risk in terms of stability for the local society in accordance with the Norwegian guidelines from the Norwegian Directorate for Civil Protection, DSB (2014).The method is intended to be the second level of a three-stage methodology for risk assessments, where level 1 consists of risk identification and level 3 consists of a detailed quantitative risk analysis.While the proposed methodology could be applied to all types of natural events and all types of infrastructures, level 3 analyses will, to a larger extent, need to be adapted to the specific infrastructure and types of hazard.The analysis may be part of a municipal risk and vulnerability analysis.It can be used on different scales by adapting the consequence categories and can be adapted to different infrastructures through the flexible weighting system.
The indicator approach and ranking criteria for the physical as well as the socio-economic indicators make the model easy to use for people knowledgeable of the municipality and its infrastructures.The proposed method is seen as a useful screening tool for the identification of the most critical scenarios and produces results that are easy to understand and to communicate.
The assessment of potential threats and their related risks, including the identification of the most critical scenarios, is essential for setting priorities for more-detailed risk analyses and infrastructure protection.The risk assessments contribute to targeted investment in planning and design and facilitate preparedness actions in the event of failure.

Figure 1 .
Figure 1.Schematic representation of the scope.Factors that affect the probability of the adverse event (malfunctioning of infrastructure) are shown on the left side (i.e.causes, barriers and physical vulnerability of the infrastructure).Factors that affect the socio-economic consequences of the adverse event are shown on the right side.

Figure 3 .
Figure 3. Location of the study area in Norway (left panel source: ESRI) and the spatial extent of Stryn and Hornindal municipalities in Western Norway (right panel source: The Norwegian Mapping Authority).

Figure 4 .
Figure 4. Overview of the locations of the site-specific scenarios.The location of each scenario is identified with a red star, referring to the scenario number in the list above.Star 1 shows the location of RV 15 in Stryn, but the actual scenario is located at a part of the road outside the map.Source: The Norwegian Mapping Authority.

Table 1 .
Safety of the population specified through socio-economic values and corresponding consequence types(DSB, 2014).

Table 2 .
Categorisation of the probability: application of the annual probability of the natural event as an initial categorisation of the top event, simplified from the guidelines from the Norwegian Directorate for Civil Protection (DSB, 2014).Each category is described both with the frequency and the annual probability of the natural event.
robustness and buffer capacity, level of protection, quality level/age/level of maintenance and renewal, adaptability and quality in operational procedures, and transparency/complexity/degree of coupling.functioning caused by loss of other infrastructures or by lack of resources.Infrastructure owners/operators would look to improve values for the physical vulnerability indicators to ensure that their infrastructure is physically robust, can tolerate the effects of the natural event for a certain time with-

Table 3 .
Initial categorisation of consequence based on the number of infrastructure users and duration of the outage, simplified from the guidelines from the Norwegian Directorate for Civil Protection; DSB (2014).The consequence categories are indicative and should be adapted to the municipality's size, i.e. in terms of number of inhabitants.
It is well adapted both to the current and future climate.
2Infrastructure has a low exposure to or protected from the natural event in the study.Well adapted to current climate and partially adapted to future climate.3Partiallyprotected from the natural event in the study.Well adapted to current climate, but not to future climate.

Table 5 .
Criteria for ranking of socio-economic vulnerability indicators.For each indicator, the criteria for score values 1-5 are described, where score value 1 corresponds to the lowest vulnerability and 5 to the highest vulnerability.

Table 8 .
Ranking of indicators and determination of physical and socio-economic vulnerability scores.The first column shows the indicator group (i.e.physical or socio-economic vulnerability), the second column the vulnerability indicator and the next columns the score values for the scenarios.

Table 9 .
Initial and final categorisation of probability and consequence.The difference between the final and initial probability category is determined by the physical vulnerability score.The difference between the final and initial consequence category is determined by the socio-economic vulnerability score.Sc. means scenario.

Table 10 .
Results from the semi-quantitative analyses.