Risk is defined in ISO 31000 as:
Effect of uncertainty on objectives
Key processes in risk management are risk assessment and risk treatment; together these comprise the four steps of risk identification, risk analysis, risk evaluation and risk treatment. These aim to determine:
- What could happen, where and when?
- Why and how could it happen?
- What could be the consequences if it happened?
- What controls are in place to enhance gains and prevent or minimise adverse impacts?
- How effective are these controls?
- What is the level of risk?
- How do we best treat the risk further?
There is no one method for risk assessment and treatment. As a general rule, the type and rigour of the risk assessment process adopted depends on the potential severity of the consequences and their likelihood. For the most severe consequences, or where there are high levels of risk, very rigorous risk assessment is required. On the other hand, where the consequences are less serious or the level of risk is low, simpler techniques can be used.
Risk Management Process Overview
At Broadleaf we normally advocate an approach to managing risk that is based on ISO 31000:2009. The process is depicted in outline below.
Continuous process elements
Communication and consultation
Managing risk necessarily involves people because:
- The interests of people are part of the organization’s objectives
- People will need to take (or not take) particular actions in order for risk to be managed effectively
- People have most of the knowledge and information on which effective risk management relies
- Some people might have a right to be informed or consulted.
Communication and consultation are therefore key supporting activities for all parts of the risk management process. Communication and consultation are processes and not outcomes. They normally take place with stakeholders, defined as those persons or organizations that can affect, be affected by or perceive themselves to be affected by a decision or activity.
Monitoring and review
Monitoring and review are two distinct processes intended to detect change and determine the ongoing validity of assumptions. Both are necessary to ensure that an organisation maintains a current and correct understanding of its risks, and that those risks remain within its risk criteria. Both require a systematic approach, integrated into an organisation’s management systems, that reflects the speed at which change occurs within the internal and external environment.
Step-wise process elements
Establishing the context
Before any risk management activity takes place and especially before risk assessment occurs, the external, internal and risk management contexts should be established.
A key aim of the ‘establish the context’ step in the risk management process is to identify the organization’s objectives, and those external and internal factors that could be a source of uncertainty, so that risks can be identified more readily.
Establishing the context also provides the information that allows the other steps of the risk management process to occur.
Risk identification
Carried out thoroughly, the risk identification step reveals what, where, when, why and how something could happen and the range of possible effects on objectives. In some cases, these effects or consequences might only occur at some future point, or they might be experienced, at a fixed or variable rate, over time.
Risk identification would normally occur in a workshop involving appropriate stakeholders. A trained facilitator and recorder should normally be present.
Risk analysis
Risk analysis investigates and draws upon:
- The information on risks generated during risk identification
- The effectiveness and reliability of controls
- Additional information from the statement of context
- Supporting statistical data, results of predictive modelling or expert judgement
- The risk criteria developed during establishing the context.
The aim of risk analysis is to gain an understanding of the nature of each risk, including the magnitude of its consequences and their likelihoods, and therefore to derive the level of risk.
Risk analysis enables each risk (or group of risks when considered in the aggregate) to be evaluated in order to determine whether risk treatment is needed.
Risk evaluation
Risk evaluation uses the information generated by risk identification and risk analysis to make decisions about whether each risk falls within an organisation’s risk criteria and whether it requires treatment.
Normally organisations specify the actions required by managers for risks at each level of risk and the time allowed for their completion. They also specify which levels of management will be permitted to accept the continued exposure and tolerance of certain levels of risk.
Risk treatment
At its simplest, risk treatment involves a process to modify a risk by changing the consequences that could occur or their likelihood. This process requires creative consideration of options and detailed design, both inputs being necessary to find and select the best risk treatment.
Once implemented, risk treatments will either create new controls or amend existing controls.
Risk treatment takes place in two distinctive contexts:
- In the proactive context, where an organisation has successfully integrated risk management into a system of management, risk treatment is integral to and effectively indistinguishable from decision-making. Therefore, at the time a decision is finalised the risk created by the decision will be within the organisation’s risk criteria.
- In a reactive context, the organisation is looking retrospectively at the risk created by decisions taken and implemented previously, and so any risk treatments found necessary will be remedial in nature.
In both contexts, those risks that the organisation judges are unacceptable should be treated.
Preparing for risk assessment
Establishing the context
It is impossible to conduct an efficient and effective risk assessment unless there is suitable preparation. This involves the 'establishing the context' step of the risk management process, which is normally conducted through discussions with the sponsor of the risk assessment and selected stakeholders.
We would normally establish the context by considering the following discrete activities:
- Gaining agreement on the scope and objectives for the risk management process
- Analysing important stakeholders to determine their objectives and the preferred means to communicate and consult with them
- Identifying the significant factors in the external environment that give rise to uncertainty. This could include, for example, the social, regulatory, cultural, physical, financial and political environment, external stakeholders and key external organizational drivers.
- Identifying the significant factors in the internal environment that give rise to uncertainty. This could include, for example, the organisation’s culture, internal stakeholders, the capabilities, strengths and weaknesses of the organisation in terms of resources, people, systems and processes, and the relevant organisational goals and objectives.
- Setting the scope and boundaries of a risk assessment. This means defining the organisational part, project, activity or change and its goals and objectives; specifying the nature of the decisions that have to be made based on the risk assessment outcomes; defining any specific criteria that will be used as part of risk evaluation; defining the extent of the change, activity or function in terms of time and location, and any boundaries; identifying any scoping studies needed and their scope, objectives and the resources required; and defining the depth, breadth and rigour of the risk assessment, including specific inclusions and exclusions.
Establishing the context is normally conducted several days before risk identification. It is not advisable to undertake it in the same session.
To ensure that those who participate in the risk assessment are properly prepared, it is normal that the information gathered during 'establishing the context' is summarised in a briefing note that is sent to them prior to the workshop.
The briefing note and the context information it contains should be preserved as part of the risk assessment record.
Identifying the risks
Risk assessment involves the identification of what, why, where, when and how events or situations could either harm or enhance the ability of the organisation to achieve its objectives. Comprehensive identification using a well-structured and systematic process is critical, because risks not identified at this stage are excluded from further analysis and treatment. Identification should include all risks, whether or not they are under the direct control of the organisation.
Broadleaf uses many methods for risk identification, from brainstorming to more rigorous and highly structured processes such as HAZOP and FMEA.
Whichever method we use, we follow the same general process for risk identification given below. In all cases, the key element structure prepared during the context step should be followed.
What could happen, where and when?
Our aim is to generate a comprehensive list of events, situations or circumstances that might have an impact on the achievement of each of the relevant objectives. The events or circumstances might prevent, degrade, delay or enhance the achievement of the objectives. They are then considered in more detail to identify what could happen.
How and why could it happen?
Having identified what might happen, we help our client consider possible causes. There are many ways an event could occur or a circumstance might arise. It is important that no significant causes, particularly root causes, are omitted.
This information is recorded in a risk register.
It is normally inefficient for one person to facilitate the workshop and record the outcomes at the same time. We use Excel or Word templates to capture the information. It is normally not efficient to attempt to input the information directly into a risk management database during the workshop session.
Analysing the risks
Risk analysis is about developing an understanding of each risk. It provides an input to decisions on whether risks need to be further controlled and the most appropriate and cost-effective treatment actions to take.
Risk analysis involves consideration of the positive and negative consequences and the likelihood that those consequences may occur. Factors that affect consequences and likelihood may be identified. Risk is analysed by combining consequences and likelihood, taking into account the existing controls.
Broadleaf uses a qualitative method of risk analysis to prioritise risks for attention, at least initially. Even if quantitative analysis is required later, we normally find it efficient to use a qualitative system for screening purposes.
Quantitative approaches can be used when more definition and rigour are needed. In general they are only used:
- Where the most likely consequence is high
- Where reliable quantitative data is available or can be generated
- Where the level of definition required by decision makers is high.
We often conduct the risk rating process during the workshop used for risk identification. However, sometimes it is preferable to analyse the risks at another time using subject matter specialists, and then reconvene the original workshop team to agree and verify the ratings.
We always analyse the risk in terms of how the organisation currently operates, and in particular taking into account existing controls and their effectiveness. We use control effectiveness (CE) to take into account both the adequacy and effectiveness of the controls for a particular risk.
We also determine a measure of potential exposure (PE) that represents the total plausible maximum impact on the organisation arising from a risk without regard to controls. This is estimated by considering the consequences that could arise if all existing controls were ineffective or missing. This measure is used to identify the key controls that should be subject to assurance and, in particular, monitored continuously for effectiveness.
From the risk analysis output we can advise clients on:
- The preferred strategies for risk treatment
- The priority with which risks should be considered for treatment
- Those risks that should be subject to senior-level oversight, particularly in terms of monitoring the progress of risk treatment plans
- The risks and the associated controls that should be subject to planned assurance, particularly through continual monitoring as well as periodic review.
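The following is an added illustration of the analysis described above; it is not Broadleaf's own method or tooling. It combines consequence and likelihood under existing controls to give a level of risk, records control effectiveness (CE), and estimates potential exposure (PE) as the consequence if all controls failed, then uses PE to flag the controls that warrant assurance. The 1 to 5 scales, the level thresholds and the three register entries are all assumed or constructed for the example.

```python
from dataclasses import dataclass

# Assumed ordinal scales (constructed; the page specifies no particular scale)
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONTROL_EFFECTIVENESS = {"ineffective": 0, "partially effective": 1, "fully effective": 2}


@dataclass
class Risk:
    ref: str
    description: str
    consequence: str            # rated with existing controls operating as they do today
    likelihood: str             # likewise
    worst_consequence: str      # if every existing control failed or were missing (feeds PE)
    controls: list              # names of the existing controls relied upon
    control_effectiveness: str  # CE rating for the control set as a whole


def risk_score(consequence, likelihood):
    """Level of risk as the product of the two ordinal ratings (1..25)."""
    return CONSEQUENCE[consequence] * LIKELIHOOD[likelihood]


def risk_level(score):
    """Assumed banding of the score into the organisation's risk levels."""
    if score >= 15:
        return "Extreme"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def potential_exposure(risk):
    """PE: plausible maximum impact with all controls ineffective or absent."""
    return CONSEQUENCE[risk.worst_consequence]


def analyse(register):
    """Rate every risk, then order by current level, then PE, then weakest controls first."""
    rows = []
    for r in register:
        score = risk_score(r.consequence, r.likelihood)
        rows.append({"ref": r.ref, "score": score, "level": risk_level(score),
                     "pe": potential_exposure(r),
                     "ce": CONTROL_EFFECTIVENESS[r.control_effectiveness]})
    return sorted(rows, key=lambda x: (x["score"], x["pe"], -x["ce"]), reverse=True)


def key_controls(register, pe_threshold=4):
    """Controls holding back a high-PE risk: candidates for continuous assurance."""
    return {r.ref: r.controls for r in register if potential_exposure(r) >= pe_threshold}


# Constructed sample register (hypothetical entries for illustration only)
SAMPLE_REGISTER = [
    Risk("R1", "Surface traffic accident at mine site", "major", "possible", "catastrophic",
         ["site speed rules", "gear blocking on vehicles"], "partially effective"),
    Risk("R2", "Slip on wet office floor", "minor", "possible", "moderate",
         ["housekeeping inspections"], "fully effective"),
    Risk("R3", "Flooding of the main server room", "moderate", "rare", "catastrophic",
         ["raised floor", "standby site"], "fully effective"),
]
```

Note that R3 rates Low under current controls yet still appears in the assurance list, which is exactly why PE is estimated separately from the current level of risk.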
It is usually not cost-effective or even desirable to implement all possible risk treatments. It is, however, necessary to choose, prioritise and implement the most appropriate combination of risk treatments. Treatment options, or more usually combinations of options, are selected by considering factors such as costs and benefits, effectiveness and other criteria of relevance to the organisation. Factors such as legal, social, political and economic matters may need to be taken into account.
Treatment of individual risks seldom occurs in isolation, and options should be considered together as part of an overall treatment strategy. Having a clear understanding of a complete treatment strategy is important to ensure that critical dependencies and linkages are not compromised and to ensure the use of resources and budgets is efficient. For this reason development of an overall treatment strategy should be a top-down process, driven jointly by the need to achieve objectives and satisfy organizational and budgetary constraints while controlling uncertainty to the extent that this is desirable.
We advise our clients to be flexible about risk treatment options and to consult broadly with stakeholders as well as with peers and specialists. Many treatments need to be acceptable to stakeholders or to those who are involved in implementation if they are to be effective and sustainable.
We often use bow-tie analysis to help our clients identify possible risk treatment measures based on control gaps.
Cost benefit analysis
The primary consideration for most risks is whether the risk can be further treated in a way that is reasonable and cost effective.
In general this involves considering:
- Whether the risk is being controlled to a level that is reasonably achievable
- Whether it would be cost-effective to further treat the risk
- The organisation’s willingness to tolerate risks of that kind.
Determining the cost-effectiveness of further treatment involves the application of cost benefit analysis. This should consider all direct costs and ancillary costs (dis-benefits) as well as all the direct benefits and ancillary benefits (opportunities). If most of the costs or the benefits are unlikely to be experienced within the first year or so then it may be necessary to discount the benefits and costs to allow the assessment to be made ‘in today’s money’.
We help our clients identify possible options for risk treatment and then test each of these using cost benefit analysis. As with risk assessment, preparation for a risk treatment workshop is vital if it is to be effective and efficient.
The table below contains an example of cost benefit analysis applied to risk treatment options.
Table 1: Treatment options associated with surface traffic accidents at a mine site

Option 1: Survey current rules and variations across the company. Develop a standard for safe driving in mines and safe behaviours. Consider the role of despatch on each mine.
Benefit: Understand the current situation and the potential for confusion. Move to understand the need for despatch or the alternatives. Ultimately it will reduce the likelihood of accidents that can cause death, serious injury and plant damage.
Cost or disadvantage: Will require some effort to achieve. May conclude that the removal of despatch is not desirable from a safety perspective.

Option 2: Conduct a study to determine safe speeds below and above ground. Develop a strategy to limit speeds through blocking gears etc.
Benefit: Currently there are no standards or rules. Many vehicles do not have speedos. Speeds are enforced by removal of gears, which places motors under stress.
Cost or disadvantage: Will require effort to achieve (but could be conducted at the same time as option 1).

Option 3: Survey pedestrian and vehicle interactions below and above ground. Consider proximity devices as part of the solution. Develop standards in terms of delineated areas, walking areas etc. Train all mine staff on the rules and enforce them.
Benefit: Development of a solution that is suitable for all mines. Consistency between mines and avoidance of ambiguity. Provides a basis for training and enforcement of standards.
Cost or disadvantage: Will take some effort to achieve. Will lead to some opposition as it may restrict where people walk.
Risk treatment plans
We help our clients generate and record potential options for risk treatment such as those shown above. For each option, the benefits and the costs or disadvantages are expressed and a decision is placed in the final column. The decision is either ‘yes’ because the risk treatment option is value accretive, or ‘no’ because it is not. If the evaluation is inconclusive, a ‘maybe’ is recorded and more detailed benefit-cost analysis may be required.
All those options marked ‘yes’ go ahead as risk treatment measures and plans are developed for their implementation.
All members of Broadleaf are highly proficient in preparing for and conducting risk assessment workshops and risk treatment workshops. Every client’s needs are different, and we are able to tailor the basic process and utilise the appropriate tools and methods to generate the most efficient process and most reliable outcomes.
We also specialise in training our clients to conduct risk assessments for themselves. This training is highly intensive and practical so that participants quickly learn the skills they require and gain the confidence to facilitate their own workshop sessions.