A practical approach to Risk Management Stan O’Neill Managing Director, The Compliance Group


Page 1: A Practical Approach to Risk Management Stan O Neill

A practical approach to Risk Management

Stan O’Neill, Managing Director, The Compliance Group

Page 2: A Practical Approach to Risk Management Stan O Neill

Risk Management - definition

Risk Management ≠ Risk Elimination

risk analysis + risk evaluation + controlling risks = risk management

• risk analysis: Identifying what might go wrong
• risk evaluation: Calculating the size of the risk
• controlling risks: Doing something about it

Page 3: A Practical Approach to Risk Management Stan O Neill

Risk Analysis Methodology

Risk Assessment
• A basic human instinct
• Therefore subject to human subjectivity and variability

Risk Assessment Methodologies
• Rigorous and Systematic
• Documented (and therefore able to be reviewed)
• Acted upon

Page 4: A Practical Approach to Risk Management Stan O Neill

Risk Management - basis

Pyramid, top to bottom (constant ratios): Fatality, Serious Accident, Minor Incident, Learning Event

The most effective way to tackle the size of the top of the pyramid is to tackle the bottom of the pyramid

Page 5: A Practical Approach to Risk Management Stan O Neill

Failure Modes and Effects Analysis

Almost all RA methods derived from FMEA

FMEA
• Developed by US Aerospace Industry in 1940s (“how can we stop our rockets falling out of the skies?”)

Variants on a theme
• Failure Modes, Effects and Consequences Analysis (FMECA)
• Hazard Analysis and Critical Control Points (HACCP)
• Hazard and Operability Studies (HazOp, CHazOp)

Page 6: A Practical Approach to Risk Management Stan O Neill

Risk Management - process

Page 7: A Practical Approach to Risk Management Stan O Neill

Risk Management – standard approach

First understand Hazards
• Hazards are potential sources of harm.
• Hazards are things which present risk.
• Hazards are easier to define than risks - risks are more abstract.
• We can define risk by categorising hazards.

Page 8: A Practical Approach to Risk Management Stan O Neill

Risk - definition

Risk has two components
• Chance of Harm Occurring
• Consequences of that Harm

How likely is it that the hazard or harm will occur?
If it does occur, what are the consequences?

Key Considerations:
• The probability of occurrence of harm (chance, possibility, uncertainty, etc.)
• The consequences or severity of that harm (injury, cost, supply issues, etc.)

Page 9: A Practical Approach to Risk Management Stan O Neill

Risk – definition (contd.)

Risk is the combination of the probability of occurrence of harm and the severity of that harm

Risk = Probability x Severity
Risk = (P x S)

• Risk can be Quantified or Qualified

Risk = (4 x 3) = 12
Risk = Medium… or Green… or….

Page 10: A Practical Approach to Risk Management Stan O Neill

Levels of Probability of Hazard Occurrence

Probability    This Means the Hazard…
Frequent       … is Very Likely to Occur, > 20%
Probable       … will Probably Occur, 5 – 20%
Occasional     … should Occur at Some Time, Infrequently, 0.1 – 5%
Remote         … Unlikely to Occur in Most Circumstances, < 0.1%

Page 11: A Practical Approach to Risk Management Stan O Neill

Hazard Severity Levels

Severity    This Means the Hazard May Result in….
Critical    Very Significant Impact on Agency, Stakeholders, Very Costly, Very Damaging Effects
Major       Significant Impact on Agency, Stakeholders, Costly, Damaging Effects
Minor       Minor Impact on Agency, No Expected Stakeholder Impact

Page 12: A Practical Approach to Risk Management Stan O Neill

Risk Assessment

Determines if a risk is acceptable or not

A method which…
• identifies hazards in an organisation, process, product*
• estimates or calculates the risk associated with these hazards*
• assesses that risk by comparing it against predefined risk acceptability criteria**

* aka Risk Analysis
** aka Risk Evaluation

Page 13: A Practical Approach to Risk Management Stan O Neill

Estimating Risk

Hazard            Minor Severity (1)   Major Severity (2)   Critical Severity (3)
Frequent (4)      4                    8                    12
Probable (3)      3                    6                    9
Occasional (2)    2                    4                    6
Remote (1)        1                    2                    3

Page 14: A Practical Approach to Risk Management Stan O Neill

Estimating Risk

Hazard        Minor Severity   Major Severity   Critical Severity
Frequent
Probable
Occasional
Remote

Page 15: A Practical Approach to Risk Management Stan O Neill

Estimating Risk

Hazard        Minor Severity   Major Severity   Critical Severity
Frequent      Unacceptable     Intolerable      Intolerable
Probable      Unacceptable     Unacceptable     Intolerable
Occasional    Acceptable       Unacceptable     Unacceptable
Remote        Acceptable       Acceptable       Unacceptable

Page 16: A Practical Approach to Risk Management Stan O Neill

Estimating Risk

Red Means…
• The Risk is Intolerable. Eliminate the Hazard or build in systems/controls to ensure the effects of the hazard are not realised (e.g. install redundant systems)

Amber Means…
• The Risk is Unacceptable. The Risk must be Reduced or Controlled to an acceptable level

Green Means…
• The Risk is Acceptable. No Reduction or New Controls are Required
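An added example, not part of the original slides: the probability bands, the P x S scores and the acceptability matrix above applied to a small hazard register. The register entries, the treatment of the shared band edges (5% and 0.1%) and the worst-hazard roll-up per sub-system are assumptions made for illustration.

```python
PROBABILITY = {"Remote": 1, "Occasional": 2, "Probable": 3, "Frequent": 4}
SEVERITY = {"Minor": 1, "Major": 2, "Critical": 3}
ORDER = ["Acceptable", "Unacceptable", "Intolerable"]  # green, amber, red

# Acceptability matrix as on the slide: row = probability, columns = Minor, Major, Critical.
MATRIX = {
    "Frequent":   ("Unacceptable", "Intolerable", "Intolerable"),
    "Probable":   ("Unacceptable", "Unacceptable", "Intolerable"),
    "Occasional": ("Acceptable", "Unacceptable", "Unacceptable"),
    "Remote":     ("Acceptable", "Acceptable", "Unacceptable"),
}

def probability_level(percent):
    """Deck's bands; assumption: the shared edges 5% and 0.1% fall in the higher band."""
    if percent > 20:
        return "Frequent"
    if percent >= 5:
        return "Probable"
    if percent >= 0.1:
        return "Occasional"
    return "Remote"

def assess(percent, severity):
    """Return (P x S score, acceptability rating) for one hazard."""
    level = probability_level(percent)
    return PROBABILITY[level] * SEVERITY[severity], MATRIX[level][SEVERITY[severity] - 1]

def matrix_score_bands():
    """Lowest and highest P x S score that the matrix assigns to each rating."""
    scores = {}
    for level, row in MATRIX.items():
        for severity, rating in zip(SEVERITY, row):
            scores.setdefault(rating, []).append(PROBABILITY[level] * SEVERITY[severity])
    return {rating: (min(v), max(v)) for rating, v in scores.items()}

def roll_up(register):
    """Worst rating per sub-system (assumption: a sub-system takes its worst hazard)."""
    worst = {}
    for subsystem, _hazard, percent, severity in register:
        rating = assess(percent, severity)[1]
        worst[subsystem] = max(worst.get(subsystem, ORDER[0]), rating, key=ORDER.index)
    return worst

REGISTER = [  # constructed sample: (sub-system, hazard, estimated chance %, severity)
    ("A", "calibration overdue", 2.0, "Major"),
    ("B", "spare part out of stock", 0.05, "Minor"),
    ("C", "sensor fails undetected", 25.0, "Critical"),
    ("C", "operator skips a check", 6.0, "Minor"),
]
```

matrix_score_bands() returns non-overlapping score ranges per rating, so the colour matrix and a threshold on the P x S score give the same decision; roll_up(REGISTER) shows which sub-system to decompose and assess further.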

Page 17: A Practical Approach to Risk Management Stan O Neill

Risk Control

• Risk Control performed after Risk Assessment
• Aims to reduce the risk associated with a hazard by putting additional controls in place
• May permit maintenance of the risk within specified levels… risk cannot be reduced but the hazard (or its effects) can be detected when it occurs.

Page 18: A Practical Approach to Risk Management Stan O Neill

Detection Controls

Detection
High      High Likelihood that Controls will Detect the Hazard or its Effects
Medium    Medium Likelihood that Controls will Detect the Hazard or its Effects
Low       Low Likelihood that Controls will Detect the Hazard or its Effects
None      Detection Controls are Absent

Page 19: A Practical Approach to Risk Management Stan O Neill

Risk Management

• The combination of Risk Assessment & Risk Control
• Risk Management allows for mechanisms to communicate Risk knowledge to the right people/stakeholders, and for the Periodic Review of the Risk Assessment process
• Performing Periodic Review uses additional data (experience) to revisit hazards and their probabilities
• Risk Management should be viewed as an on-going Quality Management process

Page 20: A Practical Approach to Risk Management Stan O Neill

Risk Management

Risk Assessment: Hazards identified, risk estimated, decision re. risk acceptability made

Risk Control: Risk Reduction or Risk Maintenance Controls Initiated until Risk is Acceptable or Adequately Controlled

Risk Knowledge Is Communicated

Periodic Review

Page 21: A Practical Approach to Risk Management Stan O Neill

Risk Assessment & Risk Management Tools

Many formal tools are available…

• HACCP - Hazard Analysis and Critical Control Points
• HAZOP – Hazard Operability Analysis
• FTA – Fault Tree Analysis
• FMEA – Failure Mode & Effects Analysis
• FMECA - Failure Mode, Effects & Criticality Analysis
• PHA - Preliminary Hazard Analysis

Page 22: A Practical Approach to Risk Management Stan O Neill

Risk Management Methodology

multi-discipline team:
1. decompose the system
2. Identify what could go wrong: ‘Hazards’
3. Assess seriousness of each Hazard
4. Design measures to contain each Hazard

Page 23: A Practical Approach to Risk Management Stan O Neill

Decompose the system

Define the Scope
• Site / Organisation
• Business Process
• Specific Operation
• Corporate entity

Split into more manageable sub-systems, e.g.
• Organisation – into business processes
• Business Process – into process steps
• Specific Operation – into major systems
• Systems – into functional components

List the components

Page 24: A Practical Approach to Risk Management Stan O Neill

Identify what can go wrong

• Brainstorm what could go wrong
• List potential failure modes: ‘Hazards’
• Hazards are not always obvious
• Use system history as well as team’s imagination and expertise
• Various simple question based tools, e.g.: Word Models (HazOp), Cause / Consequence Diagram

Page 25: A Practical Approach to Risk Management Stan O Neill

Assess seriousness of each hazard

A Difficult Step

Different Methods Break this step into various sub-questions, e.g.
• Severity of Consequence
• Likelihood of hazard occurring
• Probability of detection
• System redundancy

Simple tools provide good guidance on relative risk within a system, but not absolute risk.

What can help?
• Word models
• Team’s experience

Page 26: A Practical Approach to Risk Management Stan O Neill

Design measures to contain each hazard

Use Relative Seriousness as guide for controlling measures:
• Highest level risks – look for intrinsically safe solutions
• Lowest level risks – perhaps these are risks that we can live with

Design it Away, e.g.
• Build redundancy into systems
• Simplify a business process to remove unnecessary human intervention

Test it Away

Manage it Away, e.g.
• Implement additional inspections or verification processes

Page 27: A Practical Approach to Risk Management Stan O Neill

Design measures to contain each hazard

Important to test all changes to a system: May remove one hazard to introduce ten new!

Testing with the risk assessment method can be used to select best candidate solution

Page 28: A Practical Approach to Risk Management Stan O Neill

Cascaded risk assessments

RA of whole system (The System)
• sub-system A: Medium Risk
• sub-system B: No Risk
• sub-system C: High Risk

RA of sub-system C
• sub-system C1: Low Risk
• sub-system C2: Low Risk
• sub-system C2: High Risk

Page 29: A Practical Approach to Risk Management Stan O Neill

Risk Management Benefits

• Improved understanding of a process
• Identification and understanding of process limitations
• Acceptance by organisation of process limitations

Page 30: A Practical Approach to Risk Management Stan O Neill

Risk Management “Hazards”

• RA is completed as a ‘tick-in-the-box’
• Report then written, approved and filed. Full-stop.
• Failure to identify significant risks – undermines confidence in the organisation (hero to zero)
• Lack of return from investment in the process
• Inappropriate inputs into process

Page 31: A Practical Approach to Risk Management Stan O Neill

Good examples

• FMEA for parametric release
• Risk management for non-dedicated premises
• Assessing equipment for preventative maintenance and calibration programme

Page 32: A Practical Approach to Risk Management Stan O Neill

Not so good examples

• Assessment of inherent weakness of a piece of equipment (focus of document)
• Assessment of incorrect filter integrity test cycle parameters (inappropriate supportive information)
• Poorly structured risk assessments
• Use of the phrase “there is no risk”
• Lack of lateral thinking (pressure differential example)
• Failure to manage, only assess.

Page 33: A Practical Approach to Risk Management Stan O Neill

Take away messages

• Risk Assessment ≠ Risk Management
• Risk Management ≠ Risk Elimination
• Risk assessments are invariably qualitative and subjective.
• Less can be more

Page 34: A Practical Approach to Risk Management Stan O Neill

Further reading

Quality Risk Management ICH Q9 Briefing Pack
http://www.ich.org/cache/html/3158-272-1.html

Page 35: A Practical Approach to Risk Management Stan O Neill

Thank you

Questions?

Contact details: [email protected]