MSc Maintenance Management

Module: Reliability and Availability Assessment


Lecturer: Dr Babakalli Alkali

1. Risk Management Process

Risk Management Section 1

Risk Management Process

Basic terminology
Hazard is any source of potential damage, harm or adverse
effects on something or someone under certain conditions at
work.
Basically, a hazard can cause harm or adverse effects (to
individuals as health effects or to organizations as property or
equipment losses).

Risk is the possibility of a loss or other adverse event that has
the potential to interfere with an organization's ability to fulfill its
mandate.
Risk is unavoidable and present in virtually every human
situation. It is present in our daily lives and in public and private
sector organisations.

Common risks and possible responses

| Area of Risk | Examples | Response | Type of response |
|---|---|---|---|
| Governance | The governing body may not meet its responsibilities | Training and orientation | Reduce risk through changed practice |
| | | Directors insurance | Transfer risk |
| Strategic directions | The organisation may lose its way in a constantly changing environment | Strategic planning | Reduce risk through changed work practice |
| | Clients may receive an inappropriate service causing harm | Professional indemnity insurance | Transfer risk |
| | Staff may not understand what they need to do in a given set of circumstances | Organisational manual | Reduce risk through changed work practice |

Common risks and possible responses (cont.)

| Area of Risk | Examples | Response | Type of response |
|---|---|---|---|
| Physical risks | Office equipment may be unsafe | Occupational health and safety committee and processes | Avoid risk through not providing service |
| | Staff or clients may be involved in a car accident | Insurance | Transfer risk |
| Legal | Legal requirements may not be met | Register of all relevant legislation; Compliance plan | Avoid risk through compliance |

Common risks and possible responses (cont.)

| Area of Risk | Examples | Response | Type of response |
|---|---|---|---|
| Financial risks | Finances may be insufficient to meet operational expenses | Financial planning | Reduce risk through changed work practices |
| | Fraud | Financial systems; Audit | Reduce risk through changed work practices |
| Property | Fire | Provision of fire extinguishers; marked exits | Reduce risk through changed work practices |
| | | Insurance | Transfer risk |
| | Earthquake | Insurance | Transfer risk |

Common risks and possible responses (cont.)

| Area of Risk | Examples | Response | Type of response |
|---|---|---|---|
| Environmental | Tree damage to buildings from fallen trees or branches | Tree maintenance plan | Reduce risk through changed work practices |
| | Tree damage during storm | Insurance | Transfer risk |
| | Earthquake | Insurance | Transfer risk |

What is Risk Management?


Risk management should be a central part of any organisation's
strategic management.
It is the process whereby organisations methodically address the
risks attaching to all their activities with the goal of achieving
sustained benefit within each activity and across the portfolio of
all activities.
Risk management is an integral component of good
management and decision making at all levels.
The focus of good risk management is the identification and
treatment of risk. Its objective is to add maximum sustainable
value to all the activities of the organisation.
Risk management should take into account human factors.

What is Risk Management? (cont.)


Risk management should be a continuous and developing
process which runs throughout the organisation's strategy and
the implementation of that strategy.
It should address methodically all the risks surrounding the
organisation's activities past, present and in particular, future.
It must be integrated into the culture of the organisation with an
effective policy and a programme led by the most senior
management.
It must translate the strategy into tactical and operational
objectives, assigning responsibility to managers and employees to
manage risk as part of their job description.
Risk management should be transparent and inclusive.

External & Internal drivers contributing to Risk


Types of Risk Management


There are many forms of risk management, for example, financial
risk management, occupational health and safety risk
management, crisis risk management.
The emphasis and models of risk management can vary with the
type of organisation.
For example the construction industry has a big emphasis on risk
management in relation to worker safety, whereas a financial
investment agency puts emphasis on financial risk management.


Risk Management Process


The risk management process can
be summarised in the flowchart.
The stages are:
1. Establish the context,
2. Identify risks,
3. Analyse risks,
4. Evaluate risks,
5. Treat risks,
6. Monitor and review, and
7. Communicate and consult.
These will be considered in more
detail later.


Risk Management Process (cont.)


1. Establishing a context for risk management in the organisation
Establishing the context includes:
- clarifying the vision, mission and goals of your organisation.
- identification of risk in a selected domain of interest.
- identifying the wider environment within which your organisation operates.
- setting the scope and objectives for the risk management process.
- identifying how risks will be measured.
- identifying what will be involved in the risk assessment process.
- defining a framework for the activity and an agenda for identification.

Risk Management Process (cont.)


2. Identifying risks in your organisations
After establishing the context, the next step is to identify potential risks.
Risks are about events that, when triggered, cause problems. Hence, risk
identification can start with the source of problems, or with the problem itself.
- Source analysis: Risk sources may be internal or external to the system. Examples of risk sources are: stakeholders of a project, employees of a company or the weather over an airport.
- Problem analysis: Risks are related to identified threats. For example: the threat of losing money or the threat of accidents and casualties. The threats may exist with various entities, most importantly with shareholders, customers and legislative bodies such as the government.
When either source or problem is known, the events that can lead to a problem
can be investigated. For example: stakeholders withdrawing during a project may
endanger funding of the project; lightning striking a Boeing 747 during takeoff
may make all people onboard immediate casualties.

Risk Management Process (cont.)


2. Identifying risks in your organisations (cont.)
The aim is to develop a comprehensive list of the sources of risks and
their consequences. There is no one right way to do this. Some
strategies are:
- brainstorming at a staff meeting.
- brainstorming with stakeholders with knowledge and experience.
- systematic analysis, e.g. flow charting systems and processes.
- development of 'what if' scenarios.
- researching relevant data, such as injury rates, insurance claims, death rates, etc.
Risk identification and evaluation methods are detailed in Sections 2 and 3.

Risk Management Process (cont.)


3. Analysing risks in your organisations
Some of the key questions in analysing the risks are:
- What is the likelihood of the risk?
- What is the consequence?
- What is the level of risk (combination of likelihood & consequence)?
- What factors affect the likelihood or consequences?
- What is the level of uncertainty?
- What are the limitations to the analysis?

Questions can also be asked in relation to opportunities (i.e. risks with positive
consequences):
- What is the likelihood of the opportunity?
- What is the consequence?
- What is the level of opportunity/risk (combination of likelihood and consequence)?
Risk identification and evaluation methods are detailed in Sections 2 and 3.

Risk Management Process (cont.)


4. Evaluating risks in your organisations
Risks must be assessed as to their potential severity of loss and to the
probability of occurrence. This can be simple to measure, for example the
value of a lost building, or impossible to know for sure like in the case of an
unlikely event occurring (e.g. Bhopal). Therefore, in the assessment process it
is critical to make the best educated guesses possible in order to properly
prioritize the implementation of the risk management plan.
The fundamental difficulty in risk assessment is determining the rate of
occurrence since statistical information is not available on all kinds of past
incidents. Furthermore, evaluating the severity of the consequences (impact) is
often quite difficult for immaterial assets. Nevertheless, risk assessment should
produce such information for the management of the organization that the
primary risks are easy to understand and that the risk management decisions
may be prioritized.

Risk Management Process (cont.)


4. Evaluating risks in your organisations (cont.)
Numerous different risk formulae exist, but perhaps the most widely accepted
formula for risk quantification is:
Rate of occurrence multiplied by the impact of the event equals risk
Risk = Rate of occurrence × Impact of the event
This simple computation enables a rough and ready comparison of risks.
Some of the key questions in risk evaluation are:
- What are acceptable levels of risk?
- What are intolerable levels of risk?
- Does the risk need treatment?
- What are the priorities for treatment of risks?
Risk identification and evaluation methods are detailed in Sections 2 and 3.

Risk Management Process (cont.)


5. Treating risks in your organisations
Once risks have been identified and assessed, they have to be managed.
Strategies to manage risks fall into one or more of the four major categories:
- Avoidance (eliminate)
- Reduction (mitigate)
- Transference (outsource or insure)
- Retention (accept and budget)

Risk Avoidance:
Includes not performing an activity that could carry risk. An example would be
not buying a property or business in order to not take on the liability that
comes with it.


Risk Management Process (cont.)


5. Treating risks in your organisations (cont.)
Risk Reduction:
Involves methods that reduce the severity of the loss or the
likelihood of the loss occurring. For example, sprinklers are
designed to put out a fire to reduce the risk of loss by fire. This
method may cause a greater loss by water damage and therefore
may not be suitable. Fire suppression systems may mitigate that risk,
but the cost may be prohibitive as a strategy.


Risk Management Process (cont.)


5. Treating risks in your organisations (cont.)
Risk Retention:
Involves accepting the loss when it occurs. Risk retention is a viable
strategy for small risks where the cost of insuring against the risk
would be greater over time than the total losses sustained.
All risks that are not avoided or transferred are retained by default.
If the risk is to be retained, then it should be controlled. Risk control
is looked at later.


Risk Management Process (cont.)


5. Treating risks in your organisations (cont.)
Risk Transference:
It is possible to transfer the risk or its financial consequences to someone else.
There are two main methods of transfer:
- Transfer by contract: the risk is transferred by contracting out the activity or the cost of the loss may be passed on by an exclusion clause in a contract or a limitation of liability.
- Transfer by insurance: this very common method of risk treatment passes the financial consequences of the risk to an insurer in return for a payment of a premium.

Key question: What is the acceptable level of risk?



Risk Management Process (cont.)


5. Treating risks (cont.)
The diagram opposite shows the tolerability of risk in a company.
- The top zone is the unacceptable region. Risks falling in here are unacceptable, whatever the level of benefit.
- The middle zone is the tolerable region. Risks falling in this region are tolerable to secure the benefits.
- The bottom zone is the acceptable region. Risks in this region are insignificant and controllable.
Companies will set their own boundaries for the zones.

Risk Management Process (cont.)


5. Treating risks in your organisations (cont.)
Create a risk management plan for Implementation:
The stage immediately after completion of the Risk Assessment phase
consists of preparing a Risk Treatment Plan, which should document the
decisions about how each of the identified risks should be handled. A good risk
management plan should contain a schedule for implementation and
responsible persons for those actions.
Risk mitigation needs to be approved by the appropriate level of management.
For example, a risk concerning the image of the organisation should have top
management decision behind it whereas IT management would have the
authority to decide on computer virus risks.
Implementation
Follow all of the planned methods for mitigating the effect of the risks.
Purchase insurance policies for the risks that have been decided to be
transferred to an insurer, avoid all risks that can be avoided without sacrificing
the entity's goals, reduce others, and retain the rest.

Risk Management Process (cont.)


6. Monitoring and reviewing risks in your organisation
Initial risk management plans will never be perfect. Practice, experience, and
actual loss results will necessitate changes in the plan and contribute
information to allow possible different decisions to be made in dealing with the
risks being faced.
Risk analysis results and management plans should be updated periodically.
There are two primary reasons for this:
1. To evaluate whether the previously selected controls are still applicable
and effective.
2. To evaluate the possible risk level changes in the business
environment.

Above all, risk management is a continuous and ongoing process.



Risk Management Process (cont.)


7. Communicating and consulting risk to your organisations
Good communication and consultation is essential and attempts to:
- improve people's understanding of the risk management processes.
- ensure all relevant stakeholders are heard.
- ensure that everyone is clear on their roles and responsibilities.
Different levels within an organisation need different information from the risk
management process.
The Board of Directors should:
- know about the most significant risks facing the organisation.
- ensure appropriate levels of awareness throughout the organisation.
- know how the organisation will manage a crisis.
- know the importance of stakeholder confidence in the organisation.
- be assured that the risk management process is working effectively.
- publish a clear risk management policy covering risk management philosophy and responsibilities.

Risk Management Process (cont.)


7. Communicating and consulting risk to your organisations (cont.)
The Business Units should:
- be aware of risks which fall into their area of responsibility, the possible impacts these may have on other areas and the consequences.
- have performance indicators which allow them to monitor the key business and financial activities, progress towards objectives and identify developments which require intervention (e.g. forecasts and budgets).
- report systematically and promptly to senior management any perceived new risks or failures of existing control measures.
Individuals should:
- understand their accountability for individual risks.
- understand how they can enable continuous improvement of risk management response.
- understand that risk management and risk awareness are a key part of the organisation's culture.

Risk Control
When a risk assessment has identified a hazard as having
unacceptable risks we have to put in place control measures to
eliminate the risk or reduce the risk to an acceptable level. This is a
must if the risk is to be retained.
Hazards can arise from:
- the workplace environment
- the use of plant and equipment
- poor work design or practices
- inappropriate management systems and procedures
- human behaviour

Risk control comprises the measures we take to eliminate or reduce the risk to
an acceptable level. There is a hierarchy of control which should be
followed when choosing methods for controlling a particular risk.

Hierarchy of Control
When selecting appropriate measures to control a risk, a control
measure should be selected from as high on the hierarchy of control list
as practicable. The Hierarchy of Control list usually comprises:
1. Elimination
2. Substitution
3. Isolation
4. Engineering Controls
5. Administrative Controls
6. Personal Protective Equipment

The list may be customised for each industry or application; however,
the basic order of priorities shown above should not be changed.

Hierarchy of Control (cont.)


1. Elimination
The best method of dealing with a hazard is to eliminate it. Once the
hazard has been eliminated the potential for harm has gone.
Example: The job is redesigned or the substance is eliminated so as to
remove the hazard. However, the alternative method should
not lead to a less acceptable product or less effective process.
2. Substitution
This involves substituting a dangerous process or substance with one
that is not as dangerous. This may not be as satisfactory as elimination
as there may still be a risk (even if it is reduced).
Example: Many chemicals can be substituted with other safer chemicals
which perform in the same manner but do not have the same
dangers. e.g. water based paints instead of those that contain
lead.

Hierarchy of Control (cont.)


3. Isolation
Isolate the hazard from people. This method has its problems in that the
hazard has not been removed. The guard or separation device is always
at risk of being removed or circumvented.
Example: A guard is placed over a piece of moving machinery. If the
guard is removed for maintenance and not replaced people are
again at risk.
4. Engineering Controls
Structural changes to the work environment or work process can be
made to interrupt the path between the worker and the risk. Well
designed work areas minimize exposure to materials which are
hazardous.
Example: Exhaust systems and wetting systems designed to control
dust.

Hierarchy of Control (cont.)


5. Administration
Administration solutions usually involve modification of the likelihood of
an accident happening. This can be done by reducing the number of
people exposed to the danger and providing training to those people who
are exposed to the hazard.
Example: Reduce the time the worker is exposed to the hazard. Prohibit
eating, drinking and smoking in the laboratory areas. Provide
training. Perform risk assessments. Increase safety
awareness signage.
6. Personal Protective Equipment
Provision of protective equipment should be considered when all other
control methods are impractical, or to increase control when used with
another method higher up the Hierarchy of Control.
Example: It is impractical to secure every movable object large enough
to do damage if it fell on a person's foot. The practical solution
is to provide every person at risk with safety footwear.

Structure and Administration of Risk Management


Risk Management Policy
An organisation's risk management policy should set out its approach to risk
and its approach to risk management. The policy should also set out
responsibilities for risk management throughout the organisation.
Furthermore, it should refer to any legal requirements for policy statements
e.g. for Health and Safety.
The risk management process is an integrated set of tools and techniques for use
in the various stages of the process. To work effectively, the risk management
process requires:
- commitment from the chief executive and executive management of the organisation.
- assignment of responsibilities within the organisation.
- allocation of appropriate resources for training and the development of an enhanced risk awareness by all stakeholders.

Structure and Administration of Risk Management


Role of the Board
The Board has responsibility for the strategic direction of the organisation and
for creating the environment for risk management to operate effectively.
This may be through an executive group, an audit committee or such other
that suits the organisation's way of operating and is capable of acting as a
sponsor for risk management.
The Board should, as a minimum, consider:
- the nature and extent of downside risks acceptable for the company.
- the likelihood of such risks becoming a reality.
- how unacceptable risks should be managed.
- the costs and benefits of the risk and control activity undertaken.
- the effectiveness of the risk management process.
- the risk implications of board decisions.

Structure and Administration of Risk Management


Role of the Business Units
This includes the following:
- have primary responsibility for managing risk on a day to day basis.
- business unit management is responsible for promoting risk awareness within their operations.
- risk management should be a regular management meeting item to allow consideration of exposures and to reprioritise work in the light of effective risk analysis.
- business unit management should ensure that risk management is incorporated at the conceptual stage and throughout the projects.


Structure and Administration of Risk Management


Role of the Risk Management Function
Depending on the size of the organisation the risk management function may
range from a single risk manager, a part time risk manager, to a full scale risk
management department.
The role of the Risk Management function should include the following:
- setting policy and strategy for risk management.
- primary champion of risk management at strategic and operational level.
- building a risk aware culture within the organisation including education.
- establishing internal risk policy and structures for business units.
- designing and reviewing processes for risk management.
- developing risk response processes, including contingency and business continuity programmes.
- preparing reports on risk for the board and the stakeholders.

Structure and Administration of Risk Management


Role of the Internal Audit
The role of Internal Audit is likely to differ from one organisation to another. In
practice, Internal Audit's role may include some or all of the following:
- focusing the internal audit work on the significant risks, as identified, and auditing the risk management processes across an organisation.
- providing assurance on the management of risk.
- providing active support and involvement in the risk management process.
- facilitating risk identification/assessment and educating line staff in risk management and internal control.
- co-ordinating risk reporting to the board, audit committee, etc.
In determining the most appropriate role for a particular organisation, Internal
Audit should ensure that the professional requirements for independence and
objectivity are not breached.

Contingency Planning
As seen, large-scale disasters have occurred across the
world. Earthquakes, spectacular fires, large-scale floods,
Bhopal etc. are events to hit the headlines.
Some may have been unavoidable but many could have
been prevented. Many disasters are shown at later
public enquiries to have been accidents which were
waiting to happen.
Some of these may be due to technological failure, some
to natural events, some to human error and some to a
combination of all three.
One question which organisations must ask is:
Could it happen to us?

Contingency Planning (cont.)


Aims of Contingency Planning:
- to minimise the effects of an unwanted occurrence on the business.
- to have a specific disaster action plan to eliminate floundering and inefficiency and to minimise material damage, loss of life and profit.
- to establish an organisation with specific tasks to function immediately before, during and following a disaster.
- to establish a method for utilising resources and for obtaining additional resources at the time of a disaster.
An alternative approach defines the aims as:
- protection of life and property.
- preservation of the organisational structure.
- continuity of, or early resumption of, production or services.

Contingency Planning (cont.)


Need for Contingency Planning:

Just think of Bhopal!


The process of risk management has been described as prevention
rather than cure. By identifying and analysing the threats to the
business enterprise a company can take steps to control these threats.
However, it is impossible to reduce risk to absolute zero and some
provision must be made for the financing of the remaining risk and at
the same time plans should be drawn up to deal with any unexpected
event.
Stephen Fink, author of Crisis Management, believes that disasters
are not unexpected. His view is that such events are usually preceded
by a number of warning signals (or prodromes), warning signals which
are either ignored or undervalued at the time.

Contingency Planning (cont.)


Stages of Contingency Planning:
Contingency planning can be considered under three main headings:
- Pre-incident planning: to minimise the effect of any incident through risk identification, analysis and control and to create written plans to deal with the unexpected.
- Emergency handling: detailing the actions and responsibilities of individual managers/employees during the incident.
- Post-loss recovery: getting the organisation back to full operation as soon as possible after the loss.
Contingency planning cannot be undertaken by one individual. It is a
team exercise. The core team should comprise personnel with varied
experience and technical knowledge, led by a coordinator.

Contingency Planning (cont.)


Contingency Planning Process:
If a contingency plan is to be effective, it must be tailored to the specific
facility for which it is intended.
The team will therefore require to:
- Identify the potential threats or hazards.
- Assess the risk in terms of probability of occurrence and likely financial consequences of each threat.
- Prioritise need for action and control.
- Ensure these needs will be met quickly in the event of an incident.


Contingency Planning (cont.)


Contingency Planning Process (cont.):
Once the threats have been identified and evaluated the team can:
- Produce a draft plan.
- Circulate the draft to appropriate people for comment.
- Amend the plan following this consultation period.
- Circulate it under the authority of the Chairman/Managing Director.
Contingency planning is not a static exercise, it is dynamic. It is
important that the plan is:
- tested regularly by means of desk-top or other simulated exercises.
- reviewed as to its effectiveness.
- amended as required and subsequently retested.