Risk is defined in ISO 31000 as:
Effect of uncertainty on objectives
Key processes in risk management are risk assessment and risk treatment; together these comprise the four steps of risk identification, risk analysis and risk evaluation and risk treatment. These aim to determine:
- What could happen, where and when?
- Why and how it could happen?
- What could be the consequences if it happened?
- What controls are in place to enhance gains and prevent or minimise adverse impacts?
- How effective are these controls?
- What is the level of risk?
- How do we best treat the risk further?
There is no one method for risk assessment and treatment. As a general rule, the type and rigour of the risk assessment process adopted will depend on the potential severity of the consequences and their likelihood. For the consequences with the greatest severity or where there are high levels of risk, rigorous risk assessment is required. On the other hand, where the consequences are less serious or the level of risk is low, simpler techniques can be used.
Risk management process overview
In Broadleaf we normally advocate an approach to managing risk that is based on ISO 31000, shown in outline in Figure 1.
Figure 1: Risk management process
Continuous process elements
Communication and consultation
Managing risk necessarily involves people because:
- The interests of people are part of the organization’s objectives
- People will need to take (or not take) particular actions in order for risk to be managed effectively
- People have most of the knowledge and information on which effective risk management relies
- Some people might have a right to be informed or consulted.
Communication and consultation are therefore key supporting activities for all parts of the risk management process. Communication and consultation are processes and not outcomes. They normally take place with stakeholders (i.e. those persons or organizations that can affect, be affected by or perceive themselves to be affected by a decision or activity).
Monitoring and review
Monitoring and review are two distinct processes intended to detect change and determine the ongoing validity of assumptions. Both are necessary to ensure that an organisation maintains a current and correct understanding of its risks, and that those risks remain within its risk criteria. Both require a systematic approach, integrated into an organisation’s management systems, that reflects the speed at which change occurs within the internal and external environment.
Step-wise process elements
Establishing the context
Before any risk management activity takes place and especially before risk assessment occurs, the external, internal and risk management contexts should be established.
A key aim of the ‘establish the context’ step in the risk management process is to identify the organization’s objectives, and those external and internal factors that could be a source of uncertainty, so that risks can be identified more readily.
Establishing the context also provides the information that allows the other steps of the risk management process to occur.
Carried out thoroughly, the risk identification step reveals what, where, when, why and how something could happen or occur and the range of possible effects on objectives. In some cases, these effects (the consequences) might only occur at some future point or they may be experienced, at a fixed or variable rate, over time.
Risk identification should always occur as a workshop involving appropriate stakeholders. A trained facilitator and recorder should normally be present.
Risk analysis investigates and draws upon:
- The information on risks generated during risk identification
- The effectiveness and reliability of controls
- Additional information from the statement of context
- Supporting statistical data, results of predictive modelling or expert judgement
- The risk criteria developed during establishing the context.
The aim of risk analysis is to gain an understanding of the nature of each risk, including the magnitude of its consequences and the likelihood of those consequences, and therefore to derive the level of risk.
Risk analysis enables each risk (or group of risks when considered in the aggregate) to be evaluated in order to determine whether risk treatment is needed.
Risk evaluation uses the information generated by risk identification and risk analysis to make decisions about whether each risk falls within an organisation’s risk criteria and whether it requires treatment.
Normally organisations specify the actions required by managers for risks at each level of risk and the time allowed for their completion. They also specify which levels of management will be permitted to accept the continued exposure and tolerance of certain levels of risk.
At its simplest, risk treatment involves a process to modify a risk by changing the consequences that could occur or their likelihood. This process requires creative consideration of options and detailed design, both inputs being necessary to find and select the best risk treatment.
Once implemented, risk treatments will either create new controls or amend existing controls.
Risk treatment takes place in two distinctive contexts:
- In the proactive context, where an organisation has successfully integrated risk management into a system of management, risk treatment is integral to and effectively indistinguishable from decision-making. Therefore, at the time a decision is finalised, the risk created by the decision will be within the organisation’s risk criteria.
- In a reactive context, the organisation is looking retrospectively at the risk created by decisions taken and implemented in the past and so any risk treatments that are necessary will be remedial in nature.
In both contexts, those risks that the organisation judges to be unacceptable should be treated.
Preparing for risk assessment
Establishing the context
It is impossible to conduct an efficient a reliable risk assessment unless there is suitable preparation. This involves the step of the risk management process called ‘establishing the context’ which is normally conducted through discussions with the sponsor of the risk assessment and selected stakeholders.
We normally establish the context by considering the following discrete activities:
- Gaining agreement on the scope and objectives for the risk management process
- Analysing stakeholders to determine, for all material stakeholders, their objectives and the preferred means of communicating and consulting with them
- Identifying the significant factors in the external environment that give rise to uncertainty. This could include, for example: the social, regulatory, cultural, physical, financial and political environment; external stakeholders; and key external organizational drivers
- Identifying the significant factors in the internal environment that give rise to uncertainty. This could include, for example: the organisation’s culture; internal stakeholders; capabilities, strengths and weaknesses in terms of resources, people, systems and processes; and the relevant organizational goals and objectives
- Setting the scope and boundaries of a risk assessment by: defining the organizational part, project, activity or change and its goals and objectives; specifying the nature of the decisions that have to be made based on the risk assessment outcomes; defining any specific criteria that will be used as part of risk evaluation; defining the extent of the change or activity or function in terms of time and location, and any boundaries; identifying any scoping studies needed and their scope, objectives and the resources required; and defining the depth, breadth and rigour of the risk assessment, including specific inclusions and exclusions.
Establishing the context is normally conducted several days before risk identification. It is not advisable to undertake it in the same session.
To ensure that those who participate in the risk assessment are properly prepared, it is normal that the information gathered during establishing the context is summarised in a briefing note that is sent to them prior to the workshop.
The briefing note and the context statement it contains should be preserved as part of the risk assessment record.
Identifying the risks
This involves the identification of what, why, where, when and how events or situations could either inhibit or enhance the ability of the organisation to achieve its objectives. Comprehensive identification using a well-structured systematic process is critical, because risks not identified at this stage are excluded from further analysis and treatment. Identification should include all risks, whether or not they are under the direct control of the organisation.
Broadleaf uses many methods for risk identification, from structured brainstorming to more rigorous and detailed processes such as HAZOP (hazard and operability) and FMEA (failure modes and effects analysis).
Whichever method we use, we follow the same general process for risk identification given below. In all cases, the key element structure prepared as part of establishing the context should be followed.
What could happen, where and when?
Our aim is to generate a comprehensive list of events, situations or circumstances that might have an impact on the achievement of each of the relevant objectives. These events or circumstances might prevent, degrade, delay or enhance the achievement of the objectives. They are then considered in more detail to identify what could happen.
How and why could it happen?
Having identified what might happen, we help the workshop team consider possible causes. There are many ways an event could occur or a circumstance might arise. It is important that no significant causes, particularly root causes, are omitted.
This information is recorded in a risk register template.
It is normally highly inefficient for one person to facilitate the workshop and record the outcomes. Broadleaf can provide a professional recorder or can train a member of the organisation to assist in the role. We use Excel or Word templates to capture the information. It is rarely efficient to attempt to input the information directly into a risk management database during the workshop session.
Analysing the risk
Risk analysis is about developing an understanding of the risk. It provides an input to decisions on whether risks need to be further controlled and the most appropriate and cost-effective treatment actions to take.
Risk analysis involves consideration of the positive and negative consequences and the likelihood that those consequences may occur. Factors that affect consequences and likelihood may be identified. Risk is analysed by combining consequences and likelihood, taking into account the existing control measures.
We normally use qualitative risk analysis to prioritise risks for attention. Even if quantitative analysis is required later, we find it efficient to use a qualitative system for screening purposes.
Quantitative approaches can be used when more definition and rigour are needed and in general are used:
- Where the most likely consequence is high
- Where reliable quantitative data is available or can be generated
- Where the level of definition required by decision makers is high.
We often conduct the risk rating process during the workshop used for risk identification. However, sometimes it is preferable to analyse the risks at another time using specialists and then reconvene the original workshop team to agree and verify the ratings.
We always analyse the risk in terms of how the organisation currently operates, and in particular taking into account existing controls and their effectiveness. We try to use control effectiveness (CE) to into account both the adequacy and effectiveness of the controls for a particular risk.
We also prefer to determine a measure of potential exposure (PE) that represents the total plausible maximum impact on the organisation arising from a risk without regard to controls. This is estimated by considering the consequences that could arise if all existing controls were ineffective or missing. PE is used to identify the key controls that should be subject to assurance and, in particular, continuously monitored for effectiveness.
From the risk analysis output we can advise clients on:
- The priority with which risks should be considered for treatment
- Those risks that should be the subject to senior level oversight, particularly in terms of risk treatment plan progress
- The risks and the associated controls that should be subject to planned assurance, particularly through continuous monitoring as well as periodic review.
It is usually not cost-effective or even desirable to implement all possible risk treatments. It is, however, necessary to choose, prioritise and implement the most appropriate combination of risk treatments. Treatment options, or more usually combinations of options, are selected by considering costs and benefits, effectiveness and other criteria of relevance to the organization. Factors such as legal, social, political and economic considerations may also need to be taken into account.
Treatment of individual risks should be part of an overall treatment strategy rather than addressed in isolation. Having a clear understanding of a complete treatment strategy is important to ensure that critical dependencies and linkages are not compromised and to ensure the use of resources and budgets is efficient. For this reason development of an overall treatment strategy should be a top-down process, driven jointly by the need to achieve objectives and satisfy organizational and budgetary constraints while controlling uncertainty to the extent that is desirable.
We advise our clients to be flexible and consult broadly about risk treatment with stakeholders as well as with peers and specialists. Many treatments need be acceptable to stakeholders or those who are involved in implementation if they are to be effective and sustainable.
We often use bow-tie analysis to help our clients identify possible risk treatment measures based on control gaps.
Cost benefit analysis
The primary consideration for most risks is whether the risk can be further treated in a way that is reasonable and cost effective. In general this involves considering:
- Whether the risk is being controlled to a level that is reasonably achievable
- Whether it would be cost-effective to treat the risk further
- The organisation’s willingness to tolerate risks of that kind.
Determining the cost effectiveness of further treatment involves the application of cost benefit analysis. This should include the consideration of all costs and ancillary costs (dis-benefits) as well as all the benefits and ancillary benefits (advantages). If most of the costs or the benefits are unlikely to be experienced within the first year or so then it may be necessary to discount them to allow the assessment to be made ‘in today’s money’.
We help our clients identify possible options for risk treatment and then test each of these using cost benefit analysis. Table1 shows an example of cost benefit analysis applied to risk treatment options.
Table 1: Cost benefit analysis of treatment options
Survey current rules and variations across company. Develop a standard for safe driving in mines and safe behaviours. Examine the role of despatch on each mine.
Understand the current situation and the potential for confusion. Move to understand the need for despatch or the alternatives.
Ultimately it will reduce the likelihood of accidents that can cause death and serious injury and plant damage.
Will require some effort to achieve.
May conclude that the removal of despatch is not desirable from a safety perspective.
Conduct a study to determine safe speeds below and above ground. Develop a strategy to limit speeds through blocking gears etc.
Currently there are no standards or rules. Many vehicles do not have speedometers.
Speeds are enforced by removal of gears which places motors under stress.
Will require effort to achieve (but could be conducted at the same time as the previous option).
Survey pedestrian and vehicle interactions below and above ground. Examine proximity devices as part of the solution. Develop standards in terms of delaminated areas, walking areas etc. Train all mine staff on rules and enforce.
Development of a solution that is suitable for all mines.
Consistency between mines and avoidance of ambiguity Provide a basis for training and enforcement of standards.
Will take some effort to achieve.
Will lead to some opposition as it may restrict where people walk.
Risk treatment plans
We help our clients generate and record potential options for risk treatment using templates like that in Table 1. For each option, the benefits or advantages and the costs or disadvantages are discussed and recorded, and a decision is noted in the final column. The decision is either ‘yes’ because the risk treatment option is value accretive, or ‘no’ because it is not. If the evaluation in inconclusive, a ‘maybe’ is recorded and more detailed benefit-cost analysis may be required.
All those options marked ‘yes’ go ahead as risk treatment measures and plans are developed for their implementation.