A Practical Approach to Risk Management


Stan O’Neill, Managing Director, The Compliance Group

Risk Management - definition

Risk Management ≠ Risk Elimination

risk analysis + risk evaluation + controlling risks = risk management

• Identifying what might go wrong
• Calculating the size of the risk
• Doing something about it

Risk Assessment

• A basic human instinct
• Therefore subject to human subjectivity and variability

Risk Assessment Methodologies

• Rigorous and systematic
• Documented (and therefore able to be reviewed)
• Acted upon

Risk Analysis Methodology

The incident pyramid, with constant ratios between its layers (top to bottom):

• Fatality
• Serious Accident
• Minor Incident
• Learning Event

The most effective way to tackle the size of the top of the pyramid is to tackle the bottom of the pyramid.

Risk Management - basis

• Almost all RA methods are derived from FMEA (Failure Modes and Effects Analysis)
• FMEA was developed by the US aerospace industry in the 1940s (“how can we stop our rockets falling out of the skies?”)
• Variants on a theme: Failure Modes, Effects and Consequences Analysis (FMECA); Hazard Analysis and Critical Control Points (HACCP); Hazard and Operability Studies (HazOp, CHazOp)

Risk Management - process

First understand hazards:

• Hazards are potential sources of harm
• Hazards are things which present risk
• Hazards are easier to define than risks; risks are more abstract
• We can define risk by categorising hazards

Risk Management – standard approach

Risk has two components:

• Chance of harm occurring: how likely is it that the hazard or harm will occur?
• Consequences of that harm: if it does occur, what are the consequences?

Key considerations:

• The probability of occurrence of harm (chance, possibility, uncertainty, etc.)
• The consequences or severity of that harm (injury, cost, supply issues, etc.)

Risk - definition

Risk is the combination of the probability of occurrence of harm and the severity of that harm.

Risk = Probability x Severity, i.e. Risk = (P x S)

• Risk can be quantified or qualified:
  quantified: Risk = (4 x 3) = 12
  qualified: Risk = Medium… or Green… or….

Risk – definition (contd.)

Levels of Probability of Hazard Occurrence

Probability   This means the hazard…
Frequent      … is very likely to occur, > 20%
Probable      … will probably occur, 5 – 20%
Occasional    … should occur at some time, infrequently, 0.1 – 5%
Remote        … is unlikely to occur in most circumstances, < 0.1%

Hazard Severity Levels

Severity   This means the hazard may result in…
Critical   Very significant impact on agency and stakeholders; very costly, very damaging effects
Major      Significant impact on agency and stakeholders; costly, damaging effects
Minor      Minor impact on agency; no expected stakeholder impact

Risk Assessment

A method which…

• identifies hazards in an organisation, process, product *
• estimates or calculates the risk associated with these hazards *
• assesses that risk by comparing it against predefined risk acceptability criteria **

Determines if a risk is acceptable or not.

* aka Risk Analysis   ** aka Risk Evaluation

Estimating Risk

Score = Probability x Severity

Hazard          Minor Severity (1)   Major Severity (2)   Critical Severity (3)
Frequent (4)    4                    8                    12
Probable (3)    3                    6                    9
Occasional (2)  2                    4                    6
Remote (1)      1                    2                    3


Estimating Risk

Hazard        Minor Severity   Major Severity   Critical Severity
Frequent      Unacceptable     Intolerable      Intolerable
Probable      Unacceptable     Unacceptable     Intolerable
Occasional    Acceptable       Unacceptable     Unacceptable
Remote        Acceptable       Acceptable       Unacceptable

Red means… the risk is Intolerable. Eliminate the hazard or build in systems/controls to ensure the effects of the hazard are not realised (e.g. install redundant systems).

Amber means… the risk is Unacceptable. The risk must be reduced or controlled to an acceptable level.

Green means… the risk is Acceptable. No reduction or new controls are required.
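The scales and matrix from the preceding slides, turned into a small tool that rates a hazard register and sanity-checks the matrix itself. This is an added example, not a tool from the deck or from The Compliance Group: the probability bands, severity weights, the P x S score and the acceptability matrix are copied from the slides; the placement of values that sit exactly on a band boundary, and the sample hazard register at the bottom, are assumptions made here for illustration.

```python
"""Risk = Probability x Severity, rated against the deck's acceptability matrix.

Added example. Scale values and the matrix come from the slides; the hazard
register below is constructed for illustration.
"""

# Probability levels and their numeric weights (Levels of Probability of Hazard Occurrence)
PROBABILITY = {"Frequent": 4, "Probable": 3, "Occasional": 2, "Remote": 1}

# Severity levels and their numeric weights (Hazard Severity Levels)
SEVERITY = {"Minor": 1, "Major": 2, "Critical": 3}

# Acceptability matrix exactly as on the slide, indexed [probability][severity]
ACCEPTABILITY = {
    "Frequent":   {"Minor": "Unacceptable", "Major": "Intolerable",  "Critical": "Intolerable"},
    "Probable":   {"Minor": "Unacceptable", "Major": "Unacceptable", "Critical": "Intolerable"},
    "Occasional": {"Minor": "Acceptable",   "Major": "Unacceptable", "Critical": "Unacceptable"},
    "Remote":     {"Minor": "Acceptable",   "Major": "Acceptable",   "Critical": "Unacceptable"},
}

# Red / Amber / Green actions from the "Estimating Risk" slide
ACTION = {
    "Intolerable":  "Red: eliminate the hazard or build in controls so its effects are not realised",
    "Unacceptable": "Amber: reduce or control the risk to an acceptable level",
    "Acceptable":   "Green: no reduction or new controls required",
}

RANK = {"Acceptable": 0, "Unacceptable": 1, "Intolerable": 2}


def probability_level(chance: float) -> str:
    """Map an estimated chance of occurrence (0.0 .. 1.0) onto the deck's bands.

    The slide gives > 20%, 5-20%, 0.1-5% and < 0.1%. A value sitting exactly on a
    boundary is placed in the lower band here (an assumption; the slide does not say).
    """
    if not 0.0 <= chance <= 1.0:
        raise ValueError("chance must be a probability between 0 and 1")
    if chance > 0.20:
        return "Frequent"
    if chance > 0.05:
        return "Probable"
    if chance > 0.001:
        return "Occasional"
    return "Remote"


def risk_score(probability: str, severity: str) -> int:
    """Quantified form: Risk = P x S (e.g. 4 x 3 = 12)."""
    return PROBABILITY[probability] * SEVERITY[severity]


def assess(probability: str, severity: str) -> tuple[int, str]:
    """Return the score and the qualified rating read from the acceptability matrix."""
    return risk_score(probability, severity), ACCEPTABILITY[probability][severity]


def matrix_is_consistent() -> bool:
    """Check a reviewer would run before adopting any matrix: the rating must never
    improve as probability or severity goes up, and cells with equal P x S scores
    must carry the same rating (both hold for the deck's matrix)."""
    rating_by_score: dict[int, str] = {}
    for p, pw in PROBABILITY.items():
        for s, sw in SEVERITY.items():
            score, rating = assess(p, s)
            if rating_by_score.setdefault(score, rating) != rating:
                return False
            for p2, pw2 in PROBABILITY.items():
                for s2, sw2 in SEVERITY.items():
                    if pw2 >= pw and sw2 >= sw and RANK[ACCEPTABILITY[p2][s2]] < RANK[rating]:
                        return False
    return True


def assess_register(hazards: list[tuple[str, float, str]]) -> list[dict]:
    """Rate a list of (hazard, estimated chance, severity) entries, worst first."""
    rows = []
    for name, chance, severity in hazards:
        p = probability_level(chance)
        score, rating = assess(p, severity)
        rows.append({"hazard": name, "probability": p, "severity": severity,
                     "score": score, "rating": rating, "action": ACTION[rating]})
    rows.sort(key=lambda r: (RANK[r["rating"]], r["score"]), reverse=True)
    return rows


# Constructed hazard register for illustration (not from the deck)
SAMPLE_HAZARDS = [
    ("Nightly backup job fails silently", 0.10, "Critical"),
    ("Incident escalation contact list is out of date", 0.50, "Minor"),
    ("Flood in the server room", 0.0005, "Critical"),
    ("A single user mistypes their password", 0.02, "Minor"),
]

if __name__ == "__main__":
    assert matrix_is_consistent()
    for row in assess_register(SAMPLE_HAZARDS):
        print(f'{row["rating"]:<12} {row["score"]:>2}  {row["hazard"]}  ->  {row["action"]}')
```

The matrix is stored as an explicit table rather than as score thresholds so that the code rates exactly what the slide rates; `matrix_is_consistent` then confirms that the table is monotone and that equal scores never land on different colours, which is the property that makes a score-only shortcut safe.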

Risk Control

• Performed after Risk Assessment
• Aims to reduce the risk associated with a hazard by putting additional controls in place
• May permit maintenance of the risk within specified levels… the risk cannot be reduced, but the hazard (or its effects) can be detected when it occurs

Detection Controls

Detection   Meaning
High        High likelihood that controls will detect the hazard or its effects
Medium      Medium likelihood that controls will detect the hazard or its effects
Low         Low likelihood that controls will detect the hazard or its effects
None        Detection controls are absent

Risk Management

• The combination of Risk Assessment & Risk Control
• Risk Management allows for mechanisms to communicate risk knowledge to the right people/stakeholders, and for the periodic review of the risk assessment process
• Performing periodic review uses additional data (experience) to revisit hazards and their probabilities
• Risk Management should be viewed as an on-going Quality Management process

The Risk Management cycle:

• Risk Assessment: hazards identified, risk estimated, decision re. risk acceptability made
• Risk Control: risk reduction or risk maintenance controls initiated until risk is acceptable or adequately controlled
• Risk knowledge is communicated
• Periodic review

Risk Assessment & Risk Management Tools

Many formal tools are available…

• HACCP - Hazard Analysis and Critical Control Points
• HAZOP – Hazard Operability Analysis
• FTA – Fault Tree Analysis
• FMEA – Failure Mode & Effects Analysis
• FMECA - Failure Mode, Effects & Criticality Analysis
• PHA - Preliminary Hazard Analysis

Risk Management Methodology

Carried out by a multi-discipline team:

1. Decompose the system
2. Identify what could go wrong: ‘Hazards’
3. Assess seriousness of each hazard
4. Design measures to contain each hazard

Decompose the system

Define the scope:

• Site / organisation
• Business process
• Specific operation
• Corporate entity

Split into more manageable sub-systems, e.g.:

• Organisation – into business processes
• Business process – into process steps
• Specific operation – into major systems
• Systems – into functional components

List the components.

Identify what can go wrong

• Brainstorm what could go wrong
• List potential failure modes: ‘Hazards’
• Hazards are not always obvious
• Use system history as well as the team’s imagination and expertise
• Various simple question-based tools, e.g. Word Models (HazOp), Cause / Consequence Diagram

Assess seriousness of each hazard

A difficult step. Different methods break this step into various sub-questions, e.g.:

• Severity of consequence
• Likelihood of hazard occurring
• Probability of detection
• System redundancy

Simple tools provide good guidance on relative risk within a system, but not absolute risk.

What can help? Word models, the team’s experience.

Design measures to contain each hazard

Use relative seriousness as a guide for controlling measures:

• Highest level risks – look for intrinsically safe solutions
• Lowest level risks – perhaps these are risks that we can live with

Design it away, e.g.:

• Build redundancy into systems
• Simplify a business process to remove unnecessary human intervention

Test it away

Manage it away, e.g.:

• Implement additional inspections or verification processes

Design measures to contain each hazard (contd.)

Important to test all changes to a system: you may remove one hazard only to introduce ten new ones!

Testing with the risk assessment method can be used to select the best candidate solution.

Cascaded risk assessments

RA of whole system – The System:

• sub-system A: Medium Risk
• sub-system B: No Risk
• sub-system C: High Risk

RA of sub-system C:

• sub-system C1: Low Risk
• sub-system C2: Low Risk
• sub-system C2: High Risk
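The cascade in the figure above, and the advice two slides earlier to re-run the assessment on every candidate change before choosing one, as runnable code. This is an added example, not a tool from the deck or from The Compliance Group. The tree shape (A, B and C under the system, C split again) is the figure's; the hazard scores attached to each node, the candidate control measures, and the mapping of the deck's acceptability bands (score 1-2 Acceptable, 3-6 Unacceptable, 8-12 Intolerable) onto the figure's No/Low/Medium/High labels are assumptions made here. The figure labels the third leaf under C as "C2" as well; the example calls it C3 to keep names unique.

```python
"""Cascaded risk assessment and candidate-control comparison.

Added example. The parent of a set of sub-systems inherits the worst rating
among them; a candidate change is judged on the hazards left after it is
applied, including any new hazards the change itself introduces.
"""
from dataclasses import dataclass, field

# Ordered from best to worst; index is used to compare ratings
LEVELS = ["No Risk", "Low Risk", "Medium Risk", "High Risk"]


def rating(score: int) -> str:
    """P x S score -> figure label. Thresholds follow the deck's acceptability
    matrix bands (1-2, 3-6, 8-12); the label mapping is an assumption."""
    if score <= 0:
        return "No Risk"
    if score <= 2:
        return "Low Risk"
    if score <= 6:
        return "Medium Risk"
    return "High Risk"


@dataclass
class Node:
    """A system, sub-system or component with its own hazard scores and children."""
    name: str
    hazard_scores: list[int] = field(default_factory=list)
    children: list["Node"] = field(default_factory=list)


def assess_tree(root: Node) -> dict[str, str]:
    """Rate every node; each parent takes the worst rating found among its own
    hazards and its children, which is the cascade drawn in the figure."""
    result: dict[str, str] = {}

    def visit(n: Node) -> str:
        worst = rating(max(n.hazard_scores, default=0))
        for child in n.children:
            worst = max(worst, visit(child), key=LEVELS.index)
        result[n.name] = worst
        return worst

    visit(root)
    return result


def build_system() -> Node:
    """The figure's tree with constructed scores (A Medium, B none, C1/C2 Low, C3 High)."""
    return Node("The System", children=[
        Node("sub-system A", hazard_scores=[4]),
        Node("sub-system B"),
        Node("sub-system C", children=[
            Node("sub-system C1", hazard_scores=[2]),
            Node("sub-system C2", hazard_scores=[1, 2]),
            Node("sub-system C3", hazard_scores=[9]),
        ]),
    ])


@dataclass
class Candidate:
    """A proposed control: the score the targeted hazard drops to, plus the
    scores of any new hazards the change itself introduces."""
    name: str
    reduced_to: int
    introduces: list[int] = field(default_factory=list)


def residual_scores(baseline: list[int], target_index: int, candidate: Candidate) -> list[int]:
    """Re-assess after applying a candidate to one hazard of a sub-system."""
    scores = list(baseline)
    scores[target_index] = candidate.reduced_to
    return scores + candidate.introduces


def select_control(baseline: list[int], target_index: int, candidates: list[Candidate]) -> Candidate:
    """Pick the candidate whose worst residual hazard is lowest; ties go to the
    option leaving fewer hazards, so a fix that breeds new hazards loses."""
    def key(c: Candidate):
        residual = residual_scores(baseline, target_index, c)
        return (max(residual), len(residual), sum(residual))
    return min(candidates, key=key)


# Constructed candidates for the single High Risk hazard (score 9) in C3
CANDIDATES = [
    Candidate("Install a redundant unit", reduced_to=3, introduces=[2]),
    Candidate("Add a manual daily check", reduced_to=6, introduces=[4]),
    Candidate("Replace with an untested new system", reduced_to=1, introduces=[4, 6, 8]),
    Candidate("Accept and monitor", reduced_to=9),
]

if __name__ == "__main__":
    for name, level in assess_tree(build_system()).items():
        print(f"{name:<16} {level}")
    print("Selected:", select_control([9], 0, CANDIDATES).name)
```

The third candidate is the "remove one hazard to introduce ten new" case: it takes the targeted hazard to the lowest score of all, yet it is rejected because the worst hazard it leaves behind (8) is higher than what the redundant unit leaves (3).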

Risk Management Benefits

• Improved understanding of a process
• Identification and understanding of process limitations
• Acceptance by organisation of process limitations

Risk Management “Hazards”

• RA is completed as a ‘tick-in-the-box’: report then written, approved and filed. Full stop.
• Failure to identify significant risks – undermines confidence in the organisation (hero to zero)
• Lack of return from investment in the process
• Inappropriate inputs into process

Good examples

• FMEA for parametric release
• Risk management for non-dedicated premises
• Assessing equipment for preventative maintenance and calibration programme

Not so good examples

• Assessment of inherent weakness of a piece of equipment (focus of document)
• Assessment of incorrect filter integrity test cycle parameters (inappropriate supportive information)
• Poorly structured risk assessments
• Use of the phrase “there is no risk”
• Lack of lateral thinking (pressure differential example)
• Failure to manage, only assess

Take away messages

• Risk Assessment ≠ Risk Management
• Risk Management ≠ Risk Elimination
• Risk assessments are invariably qualitative and subjective
• Less can be more

Further reading

Quality Risk Management ICH Q9 Briefing Pack: http://www.ich.org/cache/html/3158-272-1.html

Thank you

Questions?

Contact details: stanoneill@compliancegroup.eu