The Fundamentals of Asset Integrity Management

Online Training Series Course Summary

COURSE A: THE FUNDAMENTALS OF ORGANISATIONAL

INTEGRITY

Module 2: Risk Management and Organisational Integrity

What is Risk Management?
Risk management concerns itself with the identification, assessment and prioritization
of risks. It is followed by coordinated applications of resources, e.g. the
implementation of preventative measurements.
We also need to take the economical applications of these measurements into
account. Is the cost of risk reduction lower than the gained results? Why are we doing
that?
We are doing the identification, assessment and prioritization and taking actions to
minimize, monitor and control the probability and/or the impact of adverse events, or
we want to maximize the realizations of opportunities.
Risk management is not only intended to focus on the negative outputs, its also the
positive outputs. For instance, are we going to do an investment project? YES or NO

What is the difference between a hazard and a risk?

A Hazard is something that can cause adverse effects such as an object, a property, a
substance or an activity.
Examples of these are:
o Chemical hazards - storage of products, reactions of chemical products
o Physical hazards - corrosion of valves, storage of explosives
o Environmental hazards - dust heat hurricanes
o Stress hazards - pressure at work
o Procedure/System hazards - incorrect use of instructions
o Operational hazards - operations in densely populated areas
A Risk is the likelihood that the hazard will actually cause its adverse effects, with the
measure of that effect.
Risk is associated with the probability of a negative or positive outcome of an event or
situation.
Risk is probability/likelihood in relation of its consequence or outcome - the higher the
probability and the higher importance of its effects, the higher the risk.
Examples of these probabilities are:
o Personal harm - injury/fatality
o Environmental damage - oil spills
o Property damage - loss of equipment, destruction of platform
o Image damage - local global damage to company image
o Penalties from the Government - penalties to loss of license to operate

Risk management as the backbone for Organisational Integrity

We need to understand Organisational Integrity, and as we know from before, it is
defined as "knowing what the right things to do are and doing the right things".

Course summary developed by Michelle McIntyre on behalf of Oil and Gas Fundamentals Oil and Gas Fundamentals 2012

THIS IS A CONFIDENTIAL SUMMARY OF THE CONTENTS OF AN ONLINE TRAINING COURSE FOUND AT WWW.OILANDGASFUNDAMENTALS.COM.
IT IS FOR THE REVIEW OF COURSE PARTICIPANTS ONLY AND IS NOT FOR DISSEMINATION COPYRIGHT RESTRICTIONS APPLY
The Fundamentals of Asset Integrity Management
Online Training Series Course Summary

Risk Management is used to:

Let us know the right things to do: actions or measurements need to add value or
they need to reduce risk
Help us in monitoring whether or not we are doing the right things
Support the decision making process of the organisation - is the decision adding
value or reducing risk?
Helps evaluate the effectiveness of the organisation integrity by monitoring and
implementing review processes

Risk Management Methodology

There are several Risk Management models, but all models have started with:
o Establishing the context: what are the objectives that need to be achieved, the
company's policy and strategy is the starting point of Risk Management.
o Then we need to identify the risks - if we dont identify the risks, we will not
implement proper control measurements. A clear system and systematically
approach of identifying risks is crucial.
o Once the risk is identified, we need to analyse these: what is the probability
that the hazard can be realized and what are then the consequences?
o If you know the risks, we then evaluate it. Is it really necessary to implement
preventative measures in order to reduce the risks, or do we accept the risk
what will be the residual risk after implementation and so on.
o In the ISO 31000 - 3 previous steps are called the Risk Assessment. It does not
stop here, the measurements need to be implemented and executed - the real
management of risks.
o The whole process has to be communicated throughout the organisation
because every individual needs to understand the concepts of integrity
management.
o So he/she needs to know the risks and understand the Risk Management
approach. He/she is confronted on a daily basis with hazards and they have a
good idea of potential risks in the work environment.
o Finally, and critically: the whole process has to be monitored and reviewed on
a regular basis.

Risk recognition
Every company needs to set up a Risk Register which helps identify risks such as
financial risks, operational risks, strategic risks and compliance risks. As well as general
risks such as:
o The responsibility of the employer versus employees, contractors and third
parties the so called duty of care, needs to be identified.
o The legal conformity with regards to HSE, the compliance to regulations,
compliance to company policies and or branch standards and/or rules such as
meeting the requirements of the API standards.

Course summary developed by Michelle McIntyre on behalf of Oil and Gas Fundamentals Oil and Gas Fundamentals 2012

THIS IS A CONFIDENTIAL SUMMARY OF THE CONTENTS OF AN ONLINE TRAINING COURSE FOUND AT WWW.OILANDGASFUNDAMENTALS.COM.
IT IS FOR THE REVIEW OF COURSE PARTICIPANTS ONLY AND IS NOT FOR DISSEMINATION COPYRIGHT RESTRICTIONS APPLY
The Fundamentals of Asset Integrity Management
Online Training Series Course Summary

o Risks are not only seen in the perspective of HSE consequence, but also in the
broader business aspect for example what are the asset required performances in
relation with customer demands.

We will focus on the hazards of the assets related to the operations and the management
of the assets and the facilities. Specific causes for hazard realizations are:
o Asset and/or control system failures - the assets or its control systems for example
the fire protection system didnt work.
o Human failures - people can make mistakes and these mistakes contribute to the
realization of incidents.
o Unexpected releases of energy - Mechanical, chemical reaction and/or unstable
conditions. To not control the release of energy can lead to major incidents.
o Influences from other systems and/or external events - such as collision of a ship or
and explosion at another refinery in the vicinity close by.
o Environmental influences such as Fukushima on the 11th March 2011, where in
there was a major nuclear release that will have effects decades later.
o The Risk register can also be populated with other useful information such as in
which part(s) of the facilities are the hazards located within the installation e.g.
pressure vessels, cranes, storage.

We stated that we need to have a Risk Register - how can we identify these risks ensuring
that ALL risks are realized and identified? There are several ways to identify Risks:
Risk Checklists: checklists based on the experience that you have or the available
experience within your company or experience that you have had with previous
projects.
You can also get information from specialists and research sites and integrate these
into checklists. Besides this insurance companies can help you as well as you can use
your own network to provide information on risks.
Risk analysis on current or previous incidents and project evaluations are a good source
of this type of information. This type of return of experience has to be part of the Risk
Management approach. Another useful tool/instrument is benchmarking - this helps
you to collect risk info from other companies in your branch/field.
If you dont find good information because you are confounded with potential new
risks or you're implementing new projects, brainstorming or workshops helps to find or
determine new risks involving people from different departments with innovative new
insights so it helps to bring up new or unusual risks.

Risk Identification Methods

o HAZID: A Hazard Identification Study or HAZID is a tool for hazard analysis, used early in
a project to help project planners identify, analyse and evaluate the potential for
hazards and to allow them to take corrective measures.
o HAZOP: The Hazard and Operability Study is a qualitative risk analysis technique used to
identify weaknesses and hazards that may represent risks to personnel or equipment,
or prevent efficient operation in a systematic way.
o SWIFT: is a risk analysis method where the lead question What If is used to

Course summary developed by Michelle McIntyre on behalf of Oil and Gas Fundamentals Oil and Gas Fundamentals 2012

THIS IS A CONFIDENTIAL SUMMARY OF THE CONTENTS OF AN ONLINE TRAINING COURSE FOUND AT WWW.OILANDGASFUNDAMENTALS.COM.
IT IS FOR THE REVIEW OF COURSE PARTICIPANTS ONLY AND IS NOT FOR DISSEMINATION COPYRIGHT RESTRICTIONS APPLY
The Fundamentals of Asset Integrity Management
Online Training Series Course Summary

systematically identify deviations from normal conditions. SWIFT is similar to HAZOP

but is more flexible than HAZOP
o FMEA: Failure Mode and Effect Analysis is a method used to reveal failures and to
predict failure effects on the system as a whole. For each component, you investigate
what happens to the system if this component fails.
o FMECA: If you describe and rank the criticalities of the failures in the FMEA, the analysis
is often referred to as a Failure Mode, Effect and Criticality Analysis. The criticality is
functional to the frequency or the probability.

Risk Analysis
After the identification of Risk and Hazards, we need to analyse these.
What is the associated risk with the hazard? The risk is the likelihood that the hazard
will actually cause an adverse effect or risk is the combination of likelihood and
consequence.
Several approaches are possible:
The first one being the Intuitive approach that everyone uses. For example when
crossing the road, we use our experience and intuition to know how to cross so as not
to get run over by a bus. And also in our daily business, employees are making
decisions daily based on a non-explicit risk analysis based on their experience.
Systematic approaches can be divided in to 2 main approaches - Qualitative and
Quantitative and the third one which is a mixture of both.
Risk analysis based on Qualitative judgments most of the times are executed in

structured sessions with multi-discipline experience. The judgments can be made on

for example a Risk matrix
The Quantitative approach is executed most of the times by specialists for a
quantitative Fault Tree analysis supported with the detailed information and a
calculated judgment/outcome is an example of this.
The Quantitative/Qualitative approach is a mixture of both is supported by structured
sessions with multi-discipline experience as well as specialists if needed and can be
very detailed and in-depth if needed.

The Risk Analysis Method - RISK MATRIX

Once the hazard is identified, we have to analyse the risk, what are the root causes of that
hazard leading to an incident.
What is the probability or likelihood that these root causes would lead to the hazards, its
adverse effects or the probability that an asset fails - negligible, low, medium or high?
Every day a failure or every 1000 years a failure and what is then the consequence of this
failure - that is if the hazard would have an adverse effect or a negligible effect.
The combination of both the probability and the consequence will categorize the risk - from
negligible/low risks, medium risks, high risks to extremely high risks.
The consequence on several domains. The important thing is that these domains need to
represent the business values such as:
Health, Safety and the Environmental and community,

Course summary developed by Michelle McIntyre on behalf of Oil and Gas Fundamentals Oil and Gas Fundamentals 2012

THIS IS A CONFIDENTIAL SUMMARY OF THE CONTENTS OF AN ONLINE TRAINING COURSE FOUND AT WWW.OILANDGASFUNDAMENTALS.COM.
IT IS FOR THE REVIEW OF COURSE PARTICIPANTS ONLY AND IS NOT FOR DISSEMINATION COPYRIGHT RESTRICTIONS APPLY
The Fundamentals of Asset Integrity Management
Online Training Series Course Summary

Financial
Legal and Compliance
Customer relations
Reputation and so forth
The Risk Matrix presents in a comprehensive manner the business values and risks. The weight
of the business values are so comparable with each other that the production loss of one
month has to have the equal safety value of a safety incident with no personal harm. For
example every decision to be taken can be checked against its added value with the help of the
risk matrix to ensure that decisions are in line of sight with the company's values.

The Risk Analysis Method - BOW TIE METHOD

This is an excellent method to identify the required barriers in order to prevent the
incident (left side) and identify the mitigation barriers after the realization of the
incident (the right side). The left side is the Casual Analysis side and the right side is the
Consequence Analysis side.
If we examine the costs, we need to define barriers or measurements in order to
prevent that the potential cost will lead to the incident. Some prevention barriers are
design standards, mechanical instruments, controls, processes, operating procedures,
alarms, trip systems and human factors.
If even then the hazard leads to an incident, you would need to install additional
barriers to mitigate consequence as far as possible. Some mitigation measurements are
fire detection systems, emergency shut- down systems, water spray systems, alarm
systems, pressure relief and flaring systems, safety integrity systems and emergency
incidents scenario plan including evacuation.

Risk Evaluation - Acceptable Risks

We will need to evaluate and categorize our risks - whether or not it is acceptable or do we
need to do something to reduce the probability/consequence. Its quite clear that for high/not
acceptable risks, we need to install measurements and for the low risks we will do nothing or
we will continue to execute the measurements to ensure that the risks stay acceptable. For
medium risks we will use a method ALARP (As Low As Reasonably Practicable) to determine
what our course of actions to keep the risk manageable will be.

Managing Risks - Decision - Implementation

In order to manage our risks, countermeasures must be implemented in order to bring
unacceptable risks to an acceptable level. We will use the 4 T's
methods:
Terminate - implement measures to prevent a hazard from
leading to an incident or eliminate the hazard
Treat the risk by implementing measurements that mitigate
the impact, and/or
Tolerate the risk - but this is for acceptable risks only,
and/or
Transfer the risk e.g. taking insurance, for in this instance the loss will be compensated by the insurance.

Course summary developed by Michelle McIntyre on behalf of Oil and Gas Fundamentals Oil and Gas Fundamentals 2012

THIS IS A CONFIDENTIAL SUMMARY OF THE CONTENTS OF AN ONLINE TRAINING COURSE FOUND AT WWW.OILANDGASFUNDAMENTALS.COM.
IT IS FOR THE REVIEW OF COURSE PARTICIPANTS ONLY AND IS NOT FOR DISSEMINATION COPYRIGHT RESTRICTIONS APPLY