Risk Management
Relevance to PAS 55 (ISO 55000)
Deciding on processes to implement risk management
Jeff Hollingdale
DQS South Africa
PAS 55 – Risk Management
• The organization shall establish, implement and maintain documented process(es) and /or procedures for the on-going identification and assessment of asset-related and asset management – related risks, and the identification and implementation of necessary control measures throughout the life cycles of the assets
• Risk management is an important foundation for proactive asset management
• Its overall purpose is to understand the cause, effect and likelihood of adverse events occurring
• To optimally manage such risks to an acceptable level
• Provide an audit trail for the management of risks
The guideline states: (4.4.7); 6.1 (ISO 55000)
Asset Management – Risk Management
We achieve this by:
• Identifying potential risks associated with the assets, and estimating the associated risk levels based on existing or proposed risk controls
• Determining whether the risks are tolerable
• Devising risk controls where these are found to be necessary or desirable
Risk Identification and Assessment
• Physical failure risks
• Operational risks
• Natural environment
• Factors outside organization’s control
• Stakeholder risks
• Associated with the different life cycle phases of assets:
– Acquisition
– Utilization
– Maintenance
– Disposal/Decommissioning
What should you already be doing?
• You probably have some ISO standards?
– ISO 14000 (EMS)
– OHSAS 18001 (SHE)
• Risk Analysis?
– Failure Mode & Effect Analysis (FMEA)
– Failure Mode and Criticality Analysis (FMECA)
– Root Cause Analysis (RCA)
– HAZOP (Hazard & Operability Studies)
• Reliability Centred Maintenance?
• Condition Based Maintenance?
Using ISO 31000
• ISO 31000 is a Risk Management Standard
• It operates regardless of an organization's products, size, structure, location and existing asset management & accounting systems
• You can't get certified to ISO 31000 – it's a guide only
• It is entirely suitable for asset risk management policies and procedures
Framework for Managing Risk
Plan – Do – Check – Act
Risk Management Process
To successfully implement, support and sustain the risk management process, a structure is required. ISO 31000 refers to this structure as the risk management process
Enterprise Risk Management Framework
Basic Questions to Ask
• What could occur?
• Where could it occur?
• When would it occur?
• How could it occur?
• What would be the impact if it were to occur?
• Who would be affected and to what extent?
• What do we have to do to either prevent it occurring or enhance its chances of occurring?
Risks vs. Opportunities
Risks may have a negative impact OR a positive impact OR both.
• Risks with a potentially negative impact represent risks that will require management’s assessment and response.
• Risks with a potentially positive impact represent opportunities to offset the negative impacts of risks.
• Positive Risks are channelled back to the organisation’s strategy or objective-setting processes in order to optimise opportunities as well as to be considered in management’s risk assessment and response strategies.
Analyse the Risks
• Develop an understanding of the risk – enabling treatment.
• Inherent vs Residual Risk
• Provides an input to decisions on whether risks need to be treated
• Consider contexts and causes
• Consideration of the positive and negative consequences and their likelihood.
• Taking into account existing controls and their effectiveness
• Consequences and likelihoods may be derived from
– Qualitative analysis: High, Medium, Low
– Semi-quantitative analysis: Severity X Probability
– Quantitative analysis: Scientific formulas and statistics
Impact X Likelihood
Evaluate the Risks
Risk matrix (Impact on the vertical axis, Low to High; Likelihood on the horizontal axis, Low to High):
• High impact, low likelihood – Moderate Risks: lower likelihood, but could have a significant adverse impact on business objectives
• High impact, high likelihood – Significant / Critical Risks: critical risks that potentially threaten the achievement of business objectives
• Low impact, low likelihood – Low Priority Risks: significant monitoring not necessary, unless change in classification. Periodically re-assess.
• Low impact, high likelihood – Moderate Risks: lower impact, but could be highly likely and happen often
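The following is an added worked example, not code from the presentation or from DQS. It implements the semi-quantitative "Severity X Probability" scoring from the Analyse the Risks slide together with the four-quadrant matrix above, and shows the inherent versus residual view by applying existing controls that reduce either the consequence or the probability. The 1-5 rating scales, the threshold at which a rating counts as "High", and the three register entries are constructed assumptions; an organisation would substitute its own scales and calibrated thresholds.

```python
"""Impact x Likelihood scoring and matrix classification for a risk register.

Added example, not code from the presentation. The 1-5 scales, the
"High" threshold and the register entries are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5   # assumption: 1 = negligible/rare, 5 = severe/almost certain
HIGH_THRESHOLD = 3            # assumption: a rating of 3 or more counts as "High" on the matrix

# Quadrant labels follow the Evaluate the Risks matrix in the deck.
CRITICAL = "Significant / Critical"
MODERATE_HIGH_IMPACT = "Moderate (low likelihood, high impact)"
MODERATE_HIGH_LIKELIHOOD = "Moderate (high likelihood, low impact)"
LOW_PRIORITY = "Low Priority"


@dataclass
class Control:
    """An existing or proposed control and the rating points it removes from
    the consequence and/or the probability (the two questions asked of every
    treatment action)."""
    name: str
    impact_reduction: int = 0
    likelihood_reduction: int = 0


@dataclass
class Risk:
    asset: str
    event: str
    impact: int        # inherent consequence rating, before controls
    likelihood: int    # inherent probability rating, before controls
    controls: List[Control] = field(default_factory=list)


def _check_rating(value: int, name: str) -> None:
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{name} must be between {SCALE_MIN} and {SCALE_MAX}, got {value}")


def score(impact: int, likelihood: int) -> int:
    """Semi-quantitative score: Severity X Probability."""
    _check_rating(impact, "impact")
    _check_rating(likelihood, "likelihood")
    return impact * likelihood


def classify(impact: int, likelihood: int) -> str:
    """Place a rating pair in one of the four matrix quadrants."""
    _check_rating(impact, "impact")
    _check_rating(likelihood, "likelihood")
    high_impact = impact >= HIGH_THRESHOLD
    high_likelihood = likelihood >= HIGH_THRESHOLD
    if high_impact and high_likelihood:
        return CRITICAL
    if high_impact:
        return MODERATE_HIGH_IMPACT
    if high_likelihood:
        return MODERATE_HIGH_LIKELIHOOD
    return LOW_PRIORITY


def residual_ratings(risk: Risk) -> Tuple[int, int]:
    """Apply existing controls to the inherent ratings; never drop below the scale minimum."""
    impact, likelihood = risk.impact, risk.likelihood
    for control in risk.controls:
        impact = max(SCALE_MIN, impact - control.impact_reduction)
        likelihood = max(SCALE_MIN, likelihood - control.likelihood_reduction)
    return impact, likelihood


def assess(risk: Risk) -> Dict[str, object]:
    """Inherent vs residual view of one register entry."""
    res_impact, res_likelihood = residual_ratings(risk)
    return {
        "asset": risk.asset,
        "event": risk.event,
        "inherent_score": score(risk.impact, risk.likelihood),
        "inherent_class": classify(risk.impact, risk.likelihood),
        "residual_score": score(res_impact, res_likelihood),
        "residual_class": classify(res_impact, res_likelihood),
    }


def prioritise(register: List[Risk]) -> List[Dict[str, object]]:
    """Assess every entry and order by residual score, highest first, so the
    exposure that remains after existing controls drives the treatment decision."""
    return sorted((assess(r) for r in register),
                  key=lambda a: a["residual_score"], reverse=True)


# Constructed sample register covering three of the deck's risk categories.
REGISTER = [
    Risk("Substation transformer", "Insulation failure (physical failure risk)",
         impact=5, likelihood=3,
         controls=[Control("Condition monitoring: oil analysis", likelihood_reduction=2)]),
    Risk("SCADA historian server", "Unpatched server compromised (operational risk)",
         impact=4, likelihood=4,
         controls=[Control("Network segmentation", likelihood_reduction=1),
                   Control("Offline backups", impact_reduction=2)]),
    Risk("Remote pump station", "Vandalism (factor outside organization's control)",
         impact=2, likelihood=2),
]

if __name__ == "__main__":
    for entry in prioritise(REGISTER):
        print(f"{entry['asset']:<24} inherent {entry['inherent_score']:>2} ({entry['inherent_class']})"
              f"  residual {entry['residual_score']:>2} ({entry['residual_class']})")
```

Two design points are worth noting. Ranking on the residual score rather than the inherent one is what makes the register actionable: both the transformer and the historian server start as Significant / Critical, but after existing controls one is a high-impact, low-likelihood item (a candidate for further consequence reduction) and the other a lower-impact but still likely item (a candidate for further probability reduction). Keeping the inherent ratings alongside also preserves the audit trail the deck calls for, because a control's contribution is visible as the difference between the two.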
Treat the Risks
• Avoiding the risk by ceasing the activity creating the exposure;
• Reducing the risk through improvements to the control environment;
• Transferring the risk exposure, for example insurance or outsourcing;
• Accepting the risk, where the level of exposure is as low as reasonably practicable, or where exceptional circumstances prevail;
• Exploiting the risk, where the exposure represents a potential missed or poorly realised opportunity;
• Integrating a series of the risk responses outlined above.
• Each treatment action should be considered with regard to:
– Reducing the consequence if the risk were to occur
– Reducing the probability of the risk occurring
Monitoring and Review
• Risk management and the progress in achieving objectives is to be monitored and reviewed.
• The functioning of each component of Risk Management is to be determined and evaluated to ensure Risk Management continues to be effective.
• Monitoring Activities:
– Ongoing Monitoring
– Separate Evaluations
– Annual Review of the Risk Management Framework
– Risk Profile Analysis
– Risk Management Plans
Control Assurance
• Preventive controls: prevent risks from occurring by preventing the cause from leading to the risk occurring.
• Mitigatory controls: detect and mitigate risk to reduce significant impacts and losses.
• The effectiveness of controls is to be measured, and plans put in place for the improvement of effectiveness.
• Controls must be linked to causes and impacts to ensure gaps or weaknesses can be identified.
• People, Process and System based Controls
• Control Self Assessment Questionnaire
Levels and Reliability
Implementation Considerations
• Knowing the current state of Risk Management in the organisation and the need for detailed methodologies
• Having a clear set of objectives to define the requirements for methodologies
• Identifying relevant stakeholders and role players and the potential need for culture change and engagement sessions
• Communicating the benefits that the methodology will bring to the organisation to assist with the buy in process.
• Knowing the required level of complexity of the methodology
• Correct implementation of procedures through communication, performance measurement and continual improvement
Information Management
• Compatibility with international best practice standards and guidelines
• Support multiple methodologies for risk management across a number of organisational and process levels.
• Capturing of all risk information and the setting of tasks and actions with notifications and escalations to facilitate progress monitoring.
• Easy extraction of relevant and on-time risk information with customisable views and level of detail.
• Reporting tools that extract and present information, are customisable, and can be embedded in other documents such as annual reports.
Implementation Considerations
• Risk management must be implemented and a risk culture developed first
• Ensure the attitude of embracing change is cultivated, especially if risk management is new to the organisation
• Information system must be fit for purpose for the organisation: not too simple or too complex
• Information system must be easy to use and understand, and must support the risk management processes
• The business requirements must be met, and the system flexible for future enhancement, scalability and integration.
Implementation Considerations
• Ensure actions for improvement are allocated to the right people and progress is monitored
• Ensure appropriate commitment of human and financial resources for improvement activities is obtained
• If buy-in to risk management as a whole is not in place, there will be little commitment to sustainable improvement
• Ensure there is a culture of openness, accountability and no blame
• Ensure KPIs are driving the right behaviour
Any Questions?
Big Mistake!