Compliance to Risk Management - CII-Safety€¦ · risk management process as they form the pivot of an occupational health and safety management plan. The entire workforce (including

Technical Partner

Compliance to Risk Management

Encashing your rewards

DisclaimerUsers of this report shall take their own independent business decisions at their own risk and, in particular, without undue reliance on this report. Nothing in this report shall constitute professional advice, and no representation or warranty, express or implied, is made in respect to the completeness or accuracy of the contents of this report. Confederation of Indian Industry (CII) and Consultivo Business Solutions Pvt. Ltd. (Consultivo) do not accept any liability whatsoever for any direct or indirect damages resulting from use of this report or its contents. The views expressed do not necessarily represent the views or policy of either CII or Consultivo.

Introduction ...........................................................................................2

The risk of non-compliance ................................................................4

Compliance is actually the threshold limit of

common minimum acceptance limit ...............................................6

Why OHS risk management is required ...........................................8

Principles of risk management ....................................................... 10

ISO 45001: Risk management in context of

OHS Management System .............................................................. 12

Risk management methodologies & guidelines .......................... 14

Measuring and monitoring .............................................................. 19

Embedding risk-aware culture in the organization ..................... 20

2 | Compliance to Risk Management: Encashing your Rewards

Business priorities are ever-changing based on the market situation & need of the industry. Attention is focused on the areas that the company perceives to have a higher business risk.

In practice, this is not so well structured when compared to the concept and very often, business risks are not properly visualized or understood. There is also a possibility of not realizing what the higher risks are and which of them must be focused on by the organization.

Understanding, realization and identification of business risks is the most important thing. If it is identified & analyzed, then only adequate control measures can be taken.

Compliance can be defined as meeting the requirements against established guidelines or specifications. Non-Compliance is a prevalent business risk, partly because of an ever-increasing number of regulations and not having the basic level of controls.

Occupational Health and Safety (OHS) related issues have become more and more predominant in today’s world. Compliance with legal and other requirements as well as established safety standards & regulations has become a minimum requirement to any organized industry or organization. Mostly, it is regulated by government legislations. The noncompliance of safety rules will lead to financial loss, litigation, loss of reputation, brand image and ultimately it will be a business risk.

OHS risk management has started taking prime importance for management decision making. Now, it’s time to come out from operational risk management to strategic risk management in terms of OHS. Managing new risk realities while guaranteeing consistency & improving business results is the topmost priority in every organization’s list of objectives.

Introduction



The Risk of Non-Compliance

Compliance requirements generally find its root from regulators, investors and stakeholders. OHS compliance for an organization also follows the same path.

Noncompliance itself is a significant risk that can result in a multitude of negative outcomes for an organization (e.g., loss of life, injury, brand reputation, fines & penalties, business disruption). However, entities often confuse having robust compliance functions with having a developed risk management program.

As one of many risks, OHS compliance risk is also a part of the larger slate of operational, strategic, financial & market risks.

To further complicate matters, compliance efforts often fail in the absence of prediction mechanism.

OHS Risk management & compliance are interrelated and must also be considered together. While risk management & compliance are often appropriately handled by two separate groups within an organization, the pitfall is that this separation can lead to a fragmented approach whereby compliance risk is isolated from other enterprise risks.

Risk Management System

Source: CII Survey


67% of the responding organizations are having a

formal OHS risk management system in place and

33% of the organizations are having informal OHS risk

management system.

Risk professionals must understand the risks of OHS non-compliance along with other business risks to shape the enterprise strategy. Risk appetite (the amount of risk, the organization is willing to accept to meet its business goals) is also to be considered to make the appropriate decisions vis-a-vis the compliance function.

Survey Highlight


Compliance is actually the threshold limit of common minimum acceptance limit

Compliance risk leads to loss of life, injury, ill health, legal penalties, financial forfeiture and loss of the brand image when it fails to act as per industry laws & regulations, internal policies or prescribed best practices. The increase in global regulations is compelling boards of directors to take active role in all matters of the company’s business, especially in the areas of compliance with the law & industry regulations. Stakeholders and investors also wish to invest in companies with a strong reputation for regulatory compliance. Increased pressure has motivated Board of Directors to work diligently towards reciprocal relationship with their managers & risk management teams.

The transformation from good business practice to a legal requirement has blurred the lines between risk management & compliance. At the same time, disclosure of risk information has become a requirement.

Most of the Board of Directors are keenly aware that they need to oversee compliance of OHS regulations to protect the company from risks.


Risk management across four major types of industries

One of the primary duties of board is strategic planning, which is a continual process. As the board explores new avenues for the company to increase its market share, new risks are bound to accompany those new opportunities.

The OHS risk management team needs to work in tandem with the board of directors as they discuss strategic plans. Risk managers have the task of asking and evaluating the hard questions about who, what, where, how and why new planning strategies pose new risks to the company.

Their findings form a new basis for discussion for management and the board of directors from the perspective of whether certain new directions are worth pursuing.

Source: CII Survey


Why OHS risk management is required

The sole purpose of risk management is to identify potential problems before they occur so that risk handling activities may be planned and invoked as needed across the life of the product or project to mitigate any adverse impacts on achieving objectives.

OHS risk assessment is crucial to the risk management process as they form the pivot of an occupational health and safety management plan. The entire workforce (including contractor workforce) should be protected from potential occupational risks to which they could be exposed to.

This could be achieved through a risk management process, which involves risk analysis, risk assessment & risk control practices. In order to carry out an effective risk management process, it is necessary to have a clear understanding of the legal context, concepts, risk analysis, assessment & control processes and the role played by all involved in the process. It is also desirable to base risk management on robust & tested methodologies.


OHS risk management helps to:

� Create awareness of potential hazards & risks

� Identify who may be at risk (e.g., employees, cleaners, visitors, contractors, the public, etc.)

� Determine whether a control program is required for a particular hazard

� Determine if existing control measures are adequate or if more should be done

� Prevent injuries or illnesses, especially when done at the design or planning stage

� Prioritize hazards and control measures

� Meet legal requirements where applicable

OHS Managers’ Perception on OHS Risks’ Impact on Business

80% of the respondents (OHS management level) believe that OHS risks impact the overall business. If an organization fails to address OHS risks, it leads to even business loss, loss of brand image, litigation issue.

Survey Highlight

Strongly Disagree

Disagree

Not very sure

Agree

Strongly agree

Source: CII Survey


Principles of Risk Management

a. Risk management creates and protects value. Risk management contributes to the demonstrable achievement of objectives and

improvement of performance in, for example, human health & safety, security, legal & regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance & reputation.

b. Risk management is an integral part of all organizational processes. Risk management is not a stand-alone activity that is separate from the main activities

& processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project & change management processes.

c. Risk management is part of decision making. Risk management helps decision-makers make informed choices, prioritize actions and

distinguish among alternative courses of action.

d. Risk management explicitly addresses uncertainty. Risk management explicitly takes account of uncertainty, the nature of that uncertainty,

and how it can be addressed. Sensitivity analysis in risk assessment is also very critical. The best-laid plans of mice and men can go awry. A well-done risk assessment can prove to be hopelessly inadequate when the ground rules change.

e. Risk management is systematic, structured & timely. A systematic, timely & structured approach to risk management contributes to efficiency

and consistent, comparable & reliable results.

f. Risk management is based on the best available information. The inputs to the process of managing risk are based on information sources such as


historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. However, decision-makers should inform themselves of, and should take into account, any limitations of the data or modeling used or the possibility of divergence among experts.

g. Risk management is tailored. Risk management is aligned with the organization’s external & internal context and risk

profile.

h. Risk management takes human and cultural factors into account. Risk management recognizes the capabilities, perceptions & intentions of external & internal

people that can facilitate or hinder the achievement of the organization’s objectives.

i. Risk management is transparent and inclusive. Appropriate and timely involvement of stakeholders and, in particular, decision-makers at

all levels of the organization, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.

j. Risk management is dynamic, iterative and responsive to change. Risk management continually senses and responds to change. As external & internal events

occur, context and knowledge change, monitoring & review of risks take place, new risks emerge, some change, & others disappear.

k. Risk management facilitates continual improvement of the organization. Organizations should develop and implement strategies to improve their risk management

maturity alongside all other aspects of their organization.


ISO 45001: Risk management in context of OHS Management System

The purpose of an OHS management system is to provide a framework for managing OH&S risks and opportunities. It is critically important for the organization to eliminate hazards and minimize OH&S risks by taking effective preventive & protective measures.

When the organization applies these measures through its OH&S management system, they improve its OH&S performance and reduce the organization’s risk exposure. An OHS management system can be more effective & efficient when early actions are taken to address opportunities for improvement.

The OH&S management system, ISO 45001, is an international standard that provides a framework for an organization to manage risks & opportunities to help prevent work-related injury & ill health to workers. All of its requirements are designed to be integrated into an organization’s management & risk management of business processes.

The context of the organization is one of the cornerstones of ISO 45001 standard. It demands consideration of the internal and external influences, the organization is required/chooses to respond to concerning its OH&S management system. The influences can be positive (risk) or negative (reward) and may come from a range of sources.



Risk Management Methodologies & Guidelines

Standards available for risk managementRisks can impact an organization in the short, medium & long term. These risks are related to operations, tactics & strategy, respectively. Strategy sets out the long-term aims of the organization, and the strategic planning horizon for an organization will typically be three, five or more years. Tactics define how an organization intends to achieve change. Therefore, tactical risks are typically associated with projects, mergers, acquisitions & product developments.There are a number of standards around the world but the most used are:

� AIRMIC/ALARM/IRM

� Australia/New Zealand (AS/NZS) Standard 4360

� COSO Enterprise Risk Management – Integrated Framework

� ISO 31000:2018

ISO 31000:2018, Risk management – Guidelines, provides principles, framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector.

Using ISO 31000 can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats and effectively allocate and use resources for risk treatment.

However, ISO 31000 cannot be used for certification purposes but does provide guidance for internal or external audit programs. Organizations using it can compare their risk management practices with an internationally recognized benchmark, providing sound principles for effective management & corporate governance.

Not Sure 56%

No 6%

Yes 38%

Source: CII Survey

Adoption of ISO 31000 standard by the industries


In recent times, most of the management system standards have been modified in high level

structure and risk assessment methodology has been redefined in line with ISO 31000 standard.

This is even true for OHS risk management which has been embedded in ISO 45001 standards.

ISO 31000, first published in November 2009 is the result of four years of consultation between

risk & standards experts in 30 countries.

ISO 31000 is complemented by:

� ISO Guide 73:2009 ‘Risk Management Vocabulary’ which establishes a revised vocabulary

to accompany ISO 31000

� ISO/IEC 31010 ‘Risk Management – Risk Assessment Techniques’ which contains a

collection of tools used for risk assessment.

ISO 31000 describes the components of a risk management implementation framework. The

initial component of the ISO 31000 framework is ‘mandate and commitment’ by the Board and

this is followed by:

� design of framework

� implement risk management

� monitor and review framework

� improve framework

Risk assessmentRisk identification establishes the exposure of the organization to risk and uncertainty. This

requires an intimate knowledge of the organization, the market in which it operates, the legal, social,

political and cultural environment in which it exists, as well as an understanding of strategic and

operational objectives. This will include knowledge of the factors critical to success and the threats

and opportunities related to the achievement of objectives. It should be approached methodically

to ensure that all value-adding activities within the organization have been evaluated and all the

risks flowing from these activities defined. The result of the risk analysis can be used to produce

a risk profile that gives a rating of significance to each risk and provides a tool for prioritizing risk

treatment efforts. This ranks the relative importance of each identified risk. This process allows

the risks to be mapped to the business area affected, describes the primary control mechanisms

in place and indicates where the level of investment in controls might be increased, decreased

or reapportioned. The risk analysis activity assists the effective and efficient operation of the

organization by identifying those risks that require attention by management. This will facilitate

the ability to prioritize risk control actions in terms of their potential to benefit the organization.

The ranges of available risk response treatments include tolerate, treat, transfer and terminate.

An organization may decide that there is also a need to improve the control environment.


Risks should be assessed considering the likelihood and impact of such risks with specific objectives.

Likelihood Definition Description

1 Unlikely The risk is seen as unlikely to occur within the time horizon contemplated by the objective

2 Likely The risk is seen as likely to occur within the time horizon contemplated by the objective

3 Certain/Imminent The risk is expected to occur within the time horizon contemplated by the objective

Impact Definition Description

1 Negligible The risk will not substantively impede the achievement of the objective, causing minimal damage to the organization’s reputation

2 Moderate The risk will cause some elements of the objective to be delayed or not be achieved, causing potential damage to the organization’s reputation

3 Critical The risk will cause the objective to not be achieved, causing damage to the organization’s reputation

Types of Risk Assessment Techniques used by Industries

Survey InsightDifferent risk assessment techniques are being used by the industries for OHS risk assessment. Mostly these techniques are used in combinations as per the requirement of the industry, process & task. 85.7% of companies are using HIRA (Hazard Identification and Risk Assessment). These companies are also using QRA or HAZOP for analyzing process related risks. HIRA is the most widely used risk assessment technique because of its ease of understanding and applicability on various kind of industries.

Source: CII Survey


Risk Response Strategies

Involvement of people in OHS risk review

Survey InsightThe data shows that mostly safety managers (87.5%) are involved in OHS risk review. Few companies (52.3%) involve production or unit head in the risk review process. However, OHS risk review should be a board-level agenda. The leadership team and board members must be involved in this process. The insights of leadership team on OHS risks will not only help in safety excellence journey of the organization, it will also help the board to mitigate business risks and redefine risk strategy.

Source: CII Survey


Risk treatment Risk treatment is presented in ISO 31000 as the activity of selecting and implementing appropriate control measures to modify the risk.

Risk treatment includes as its major element, risk control (or mitigation), but extends further to, for example, risk avoidance, risk transfer and risk financing. Any system of risk treatment should provide efficient & effective internal controls. Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the proposed control measures.

The cost-effectiveness of internal control relates to the cost of implementing the control compared to the risk reduction benefits achieved. Compliance with laws & regulations is not an option. An organization must understand the applicable laws and must implement a system of controls that achieves compliance.

One method of obtaining financial protection against the impact of risks is through risk financing, including insurance. However, it should be recognized that some losses or elements of a loss may be uninsurable, such as life, injury, employee morale & the reputation of the organization.

Risk appetite/acceptance level It is important that the Board sets rules for risk-taking in respect of all types of risk, and some organizations have produced a risk appetite statement that applies to all classes of risk including OHS risks. It is fairly easy for an organization to confirm that it has no appetite for causing injury & ill health.

In practice, however, this may need to be developed into a set of targets for health & safety performance. There is a danger that risk appetite statements fail to be dynamic, and they can constrain behavior & rapid response.

At the Board level, risk appetite is a driver of strategic risk decisions. At the executive level, risk appetite translates into a set of procedures to ensure that risk receives adequate attention when making tactical decisions. At the operational level, risk appetite dictates operational constraints for routine activities.

Evaluate existing controls Monitoring and measuring extend to the evaluation of culture, performance & preparedness of the organization. The scope of activities covered by monitoring and measuring also includes monitoring of risk improvement recommendations and evaluation of the embedding of risk management activities in the organization including preparedness of the organization to cope with major disruption.


Measuring and monitoring

It is frequently the case that risk assessments are recorded in a risk register.

The risk register should not become a static record of the significant risks faced by the organization.

The OHS risk register should be viewed as a dynamic risk profile consisting of an action plan that includes details of the current controls and details of any further actions that are planned.

These further actions should be written as measurable milestones that must be completed within a defined time scale by identified individuals. This will enable the internal audit function to monitor the existing controls and monitor the implementation of any necessary additional controls.

The resources required to implement the OHS risk management policy should be clearly established at each level of management and within each business unit. OHS Risk management should be embedded within the strategic planning & budget processes.

Effectiveness of the existing controls and the implementation of additional controls, the cost-effectiveness of the existing controls should also be monitored.

Monitoring & measurement include evaluation of the risk-aware culture, framework, and extent to which risk management tasks are aligned with other corporate activities.

54.2% of the responding organizations are having OHS risk management review system at a frequency of six months or less.

Review of Risks Management System

Source: CII Survey

Survey Highlight


Changes in the organization & the environment in which it operates must be identified and appropriate modifications made to protocols.

Monitoring activities should provide assurance that there are appropriate controls in place and that the procedures are understood and followed. Any monitoring & measuring process should also determine whether the measures adopted achieved the intended result. The procedures adopted should also be efficient.

Sufficient information should be available as an input for the risk assessments as a well-done risk assessment can prove to be hopelessly inadequate when the ground rules change. Improved knowledge and information help to reach better decisions and lessons can be learned for future assessments and controls.

Embedding risk management involves an environment or climate that can demonstrate leadership from senior management, involvement of staff at all levels, a culture of learning from experience, appropriate accountability for actions (without developing an automatic blame culture) & good communication on risk issues.

Embedding risk-aware culture in the organization

Behaviour Based Safety (BBS): Baseline Assessment 21

Corporate Office:82A, Rashbehari Avenue, 2nd Floor Kolkata 700 026, India+91 33 4066 4066 | [email protected] www.consultivo.in

Audit & Assurance | Research & Study | Training & Capacity Building | Consulting & Handholding

TOGETHER FOR A BETTER TOMORROW

AboutSustainability, Business Excellence & Risk Management advisory, assurance and consulting firm helping global businesses at strategic and operational level.

With access to wealth of intellectual capital, Consultivo delivers Advisory, Research, Assurance & Training services in the areas like Sustainability, Environment & Energy, Management Systems, CSR, Safety, Organizational Development and Human Capital Development.

Sustainability services include development of sustainability strategy, voluntary sustainability standard (VSS), sustainability reporting as per GRI standard, materiality assessment & study, stakeholder engagement, water sustainability management, carbon footprint, energy audit & conservation, ethical supply chain management, due diligence and related services.

Major industry sectors where Consultivo has worked with:

Metal & Mining Engineering Cement Oil & Gas Chemical Construction Hospital

Mall & Hypermarket Warehouse FMCG Supply Chain Agribusiness

Consultivo works with 100+ National and International Sustainability related codes, standards and guidelines.

Partnership with academic institutions, research organizations & industrial associations is a significant activity to create powerful business solutions bespoke to customer needs.

� Approved safety, environment & social consultant of International Finance Corporation (World Bank Group)

� Global approved auditor of Pharmaceutical Supply Chain Initiative (PSCI), UK

� Approved audit body for CORE (Code of Responsible Extraction)

� Partner of CII, training & knowledge partner of Indian Chamber of Commerce (ICC)

� Approved audit partner of Ethical Tea Partnership (ETP), UK

Consultivo is uniquely placed to offer advisory and assurance services free from commercial constraints and conflict of interest to find ways to improve business performances.

Consultivo Academy is the strategic business unit for training and capacity building services. It nurtures and enrich people potentials through interactive & solutions oriented course design in both conventional and new age e-learning platforms.

About CII

The Confederation of Indian Industry (CII) works to create and sustain an environment conducive to the development of India, partnering industry, Government, and civil society, through advisory and consultative processes.

CII is a non-government, not-for-profit, industry-led and industry-managed organization, playing a proactive role in India’s development process. Founded in 1895, India’s premier business association has around 9000 members, from the private as well as public sectors, including SMEs and MNCs, and an indirect membership of over 300,000 enterprises from around 276 national and regional sectoral industry bodies.

CII charts change by working closely with Government on policy issues, interfacing with thought leaders, and enhancing efficiency, competitiveness and business opportunities for industry through a range of specialized services and strategic global linkages. It also provides a platform for consensus-building and networking on key issues.

Extending its agenda beyond business, CII assists industry to identify and execute corporate citizenship programmes. Partnerships with civil society organizations carry forward corporate initiatives for integrated and inclusive development across diverse domains including affirmative action, healthcare, education, livelihood, diversity management, skill development, empowerment of women, and water, to name a few.

India is now set to become a US$ 5 trillion economy in the next five years and Indian industry will remain the principal growth engine for achieving this target. With the theme for 2019-20 as Competitiveness of India Inc - India@75: Forging Ahead, CII will focus on five priority areas which would enable the country to stay on a solid growth track. These are - employment generation, rural-urban connect, energy security, environmental sustainability and governance.

With 66 offices, including 9 Centres of Excellence, in India, and 10 overseas offices in Australia, China, Egypt, France, Germany, Singapore, South Africa, UAE, UK, and USA, as well as institutional partnerships with 355 counterpart organizations in 126 countries, CII serves as a reference point for Indian industry and the international business community.

Reach us via our Membership Helpline: : 00-91-124-4592966 / 00-91-99104 46244CII Helpline Toll Free No. : 1800-103-1244

HeadquartersThe Mantosh Sondhi Centre

23, Institutional Area, Lodi Road, New Delhi – 110 003 (India)T: 91 11 45771000 / 24629994-7 • F: 91 11 24626149

E: [email protected] • W: www.cii.in

Eastern Region Headquarters6, Netaji Subhas Road, Kolkata 700 001

T: 033 2230 7727/28/1434/3354 F: 033 2230 1721/ 2231 2700E: [email protected] W: www.cii.in

Follow us on:

facebook.com/followcii twitter.com/followcii www.mycii.in

Documents

Compliance to Risk Management - CII-Safety€¦ · risk management process as they form the pivot of an occupational health and safety management plan. The entire workforce (including