Quality Elements
Risk management is impacted by various factors, each of which contributes to best practice:
These factors are complementary. Their quality dictates the ultimate quality of the risk assessment and management practices in the organization.
An organization should be able to identify risks to the business through a set of guidelines and process maps that are well documented and easily accessible by staff, who need to be aware of the appropriate actions for risk management.
Risk identification
Processes and practices should be able to cover the various types of risks, which include, but are not limited to:
- Commercial Business Risks, including:
  - Global risks such as change in market demand, foreign exchange, political stability, etc.
  - National risks such as change in government assistance allowance, competition policy, etc.
  - Local risks such as community pressure groups.
- Business risks of achieving adequate return on capital investment, which are related to the efficiency in investment, the optimized renewal, augmentation or building of new assets.
- Operational risk relating to life cycle asset management issues, such as adequate or appropriate maintenance and the impact of lack of maintenance on the operating business.
- Regulatory risks - in spite of the commercialization and privatization of many community services, there are still regulatory bodies which lay down the ground rules for the operation of the business, such as the standards which have to be met (e.g. the EPA) or the setting of tariffs. Viable businesses need to be able to operate within this regulatory framework and understand the risks involved.
- Customer expectations of the level of service are always changing, depending on the ability, affordability and willingness to pay principle. Best practice risk management should involve basic understanding of the economic forces driving market demand for services and where necessary the political implications.
- Like industry practice standards - businesses can face pressures through benchmarking. These pressures can sometimes lead to improvement of the efficiency, effectiveness and productivity of the organization, if the benchmarking is premised on legitimate comparison of the inputs and outputs. On the other hand, ill-conceived benchmarking may put an organization under pressure if the input variables used for comparison are wrongly assessed and outside the control of the business. In this case, the risks to the organization are depressed staff morale, and unrealistic and non-achievable production targets.
- Service delivery failure, including:
  - Service outage or full failure
  - Response times to restore failures
  - Product quality failures
The organization will identify and manage risks related to "asset failures" (for example: Y2K, and old age) and "operator errors".
Processes and practices should be able to adequately assess the impact of service delivery issues such as the availability, the quantity, the quality of the product and the reliability (in terms of outages). Failure to deliver the above may be due to asset failure, underperformance or operator error.
- External system support failures - sometimes it is not the asset itself which fails, but the external support systems such as the electrical/power system, the control and communication system, gas or chemical supplies. Processes need to be in place to assess these.
- External / force majeure - external natural forces which can cause unexpected failures include:
  - Wind / storms
  - Floods
  - Bushfire
  - Earthquake
- Criminal activities including vandalism and terrorism.
- Occupational health and safety (OHS)
There are high costs associated with OHS accidents and these include:
- Workers compensation insurance premiums
- Damage to plant, product, environment and reputation
- Lost profitability through lost time / production
- Litigation
- Loss of image to business.
- Life cycle asset management and risks - the organization's processes will enable it to manage the key risks associated with creating and operating assets throughout their life cycles, covering the key risks of:
  - Capital Investment — The risks associated with the creation of new assets and renewals or life extensions.
  - Appropriate Maintenance — Poor maintenance practices can result in poor performance and the accelerated consumption of assets.
All of these factors are dynamic. For example, the regulations governing the operations of an organization may change, a freak storm may occur without warning, or the asset itself may suddenly deteriorate.
The organization needs to:
- Assess the level of its risk exposure
- Understand the current level and prime cause of litigation, and past experience in any legal problems related to the operations of the assets
- Determine whether current practices are adequate to defend liability claims
- Send a clear message to the staff about what sort of risks should be avoided at all cost, what sort of risk should be reduced, the level of insurance and the residual risk which can be carried.
Organizations can adopt one of the following three options in carrying out risk assessment, depending on the level of sophistication required, the capability of the organization and the return on these assessments:
- Simple point score (basic).
- Complex point score or matrix (intermediate).
- Economic ($ cost) values (advanced).
Risk management is management for the future. Although some form of value judgment and experience is called for, a scientific and auditable approach that can stand the scrutiny of the people when necessary is required. Data and documented knowledge should be available and analyses completed. These include:
Consequences of failure
The organization has a three-tiered system for assessing risk:
- Basic — An initial risk assessment based on a simple risk matrix, for example: 0 — 9.
- Intermediate — A more complex system where the score relates to the key cost drivers. It records the impacts of failure, but is still a points system, for example: 0 — 100.
- Advanced (economic) — The data allows users to assess the overall economic costs of the consequences of failure. It records the failure mode types, and the likely impacts of failure. It enables sensitivities and risk profiles to be established.
Full economic (business) costs include:
- Environmental impact
- Direct repair cost to asset
- Degree of or standard loss of service
- Time and number of customers whose supply is affected
- Public image to business
- Third party property damage
- System disturbance
- Production loss
- Potential injury/ fatality.
In the case of a monopoly service, the impact on the customers could be tremendous. Commercial businesses using the services as the main input to their business may suffer falls in sales.
Risk reduction business cases should use some accepted economic cost models, so the business can be sure of the benefit of the costs of reducing the risk, either in whole or part.
Probability of failure
As with the consequence of failure, the probability of failure may be assessed either:
- Qualitatively, in terms of the likelihood
- Quantitatively, using probability theory as the more advanced form of analysis.
The probability of failure may be expressed qualitatively as either ‘most likely’, ‘likely’, or ‘unlikely’.
Semi-quantitative analysis usually estimates probability of failures within 1 year, within 5 years, within 10 years, or more than 10 years etc.
In the more advanced quantitative analysis, the probability of failures would be developed on fault-event tree analysis.
The probability of failure should relate to the type of failure modes.
For dynamic assets, data from a maintenance management system can provide useful information on the mean time between failures.
For a typical passive asset in average condition the probability of failure can be related to the condition of the asset in an empirical way. It can be related to the age of the asset. So for critical assets with little or no recorded failure histories, the probability of failure can be related to the age, as shown below:
Business risk exposure
Total business risk exposure should include:
- Direct and indirect costs of failure
- Long-term damage to the corporate image of the business
- Loss of market share
- Cost of litigation
- Adverse regulatory pressures.
Records should be maintained of similar business risk costs incurred internally or by other organizations. This information shows the trends in the business risk environment.
Risk reduction options
Broadly, the type of risks an organization is exposed to can be classified as follows:
- Avoidable risk
- Insurable risk
- Controllable risk
- Residual risk.
The organization should have adequate data and a knowledge base that allows staff to identify the various risk reduction treatments to avoid or reduce the risks, including asset and non-asset solutions:
- More maintenance
- Rehabilitation
- Renewal
- Replacement
- Operate the assets differently.
Risks that cannot be avoided or reduced can be:
- Controlled (monitored) in a systematic way
- Insured through an insurance underwriting company
- Managed internally through an emergency response plan or disaster plan.
The information (support) systems will determine the level of sophistication of the risk assessment and management. The extent of analysis may range from a risk area at the macro level, to detailed analysis of asset types or even the modes of failure.
In the more advanced system, it should be possible to predict the probability of failure based on the past failure/maintenance histories, the condition of the assets, or the operating environment.
Information support systems should be able to generate the risk assessment. This will then feed into the risk reduction business case assessments and then tie into the finally adopted strategies. Information will come from:
- Operations manuals
- Emergency response plans
- Maintenance strategies
- Capital investment (renewal) strategies
- Non-asset solutions.
Appropriate commercial tactics can enhance the cost effectiveness of risk management.
Commercial tactics should include the ability to identify the various risk assessment and management tasks, and allocate these tasks to:
- In-house resources
- Specialist risk management staff or team
- External risk management consultants.
A prudent but cost effective approach is to have a documented ranking system and delegated authorities to:
- Carry out the initial filter on the overall risk areas
- Instigate a delegated authority to oversee the responsibility
- Apply high priorities and urgent actions to those risks deemed critical.
It is also essential that the organization have an appropriate panel of skilled service providers with contracts or alliance agreements to ensure that externally commissioned work can be completed quickly and efficiently.
It is of paramount importance that risk management is included in the corporate policy documents and is an integral part of all total asset management plans.
The organization will continuously review the risk assessment process and develop risk criteria that take account of economic thresholds for general application in the decision making process. A strategy for introducing risk management throughout the organization should be in place. Guidelines on risk management should be developed and be made readily available to staff.
The risk management program should be monitored and reviewed to take account of changing conditions by a peer group that co-ordinates all asset management activities and risk management.
For better accountability, risk areas and responsibilities for risk management should be clearly related to the individual business units.
Resources commensurate with the risk priority should be made available to:
- Comply with all statutory requirements
- Ensure health and safety of all staff and public
- Ensure all business obligations are met
- Undertake and maintain an effective risk management program.
The organization is responsible for its risk management decisions. It should take steps to ensure that its statutory duties as a responsible corporate citizen with regard to safety and business obligations are met at all times.
The organization should:
- Communicate information on risk in accord with its duty of care
- Make risk management decisions which reflect input from stakeholders where appropriate
- Keep stakeholders, including regulators, customers and the community in general, informed of its processes and practices and outputs in this area.
Staff duty statements should clearly indicate risk assessment/management roles and responsibilities. Staff should be made aware of where risk management authority sits.
All staff responsible for, and involved in, management activities should be trained to ensure that risk management practices can be effectively applied.
At regular intervals, specialist risk consultants should be commissioned to:
- Review risk management activities carried out by internal staff
- Provide refresher courses on risk management to keep staff abreast of current thinking, philosophies and risk management tools and techniques available.