Risk Assessment - Shooting Tigers

DESCRIPTION

Risk Management, implementing ISO 31000 Principles and Guidelines

RISK ASSESSMENT

SHOOTING TIGERS

IMPLEMENTING ISO 31000:2009

RISK MANAGEMENT

PRINCIPLES AND GUIDELINES

Michael E Wilkinson

SalusCP Publications

© Michael Wilkinson 2010

All Rights Reserved In accordance with the Copyright, Designs and Patents Act 1988

No part of this book may be reproduced in any form, by photocopying or by any electronic or mechanical means, including information storage or retrieval systems, without permission in writing from both the copyright owner and/or the publisher of this book.

RISK ASSESSMENT Shooting Tigers

Implementing ISO 31000:2009

Risk Management

Principles and Guidelines

ISBN 9780954263102

First Published in the United Kingdom in 2010 by

SalusCP Publications

Printed in Great Britain by FastPrint

www.fast-print.net

Publisher’s note

Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to print, and the publishers and author cannot accept responsibility for any errors or omissions, however caused.

No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.

Business Risk System

The Business Risk System has been developed, by Michael Wilkinson, over a number of years to provide a modular set of methods and tools for identifying and effectively controlling those underlying business and process risks. The idea is that the system can be used to pick and mix only those methods and tools needed for a given industrial/process operation, set of job tasks and/or commercial activity. In addition, the Business Risk System provides several choices of communication media and training support packages and model document sets.

The Business Risk System comprises:

Books

• Risk Assessment – Shooting Tigers - Implementing ISO 31000:2009 (this book)
• Safety Environment & Quality Integration System (SEQIS) (due November 2010)

eBooks

• Office Risk Assessment
• Safety Instrumented Systems (SIS)
• Process Risk Barrier Control
• Business Risk Impact Analysis
• Fault Tree Analysis
• Bow-Tie Method
• Cause and Effects
• Risk Flow Charting
• HAZOP Studies

Audio CDs

• Risk Assessment – Taming Tigers (set of 4 CDs)
• Book Chapters 1 to 10
• Business Risk Assessment – An Overview
• Job Safety Analysis

Training Packs

• PowerPoint slide presentations
• Trainers Guides
• Delegate Workbooks and handouts

For more details visit my Business Risk System website www.businessrisksystem.com

Contents

Preface

So why is this book called Risk Assessment – Shooting Tigers - Implementing ISO 31000:2009? Well, if we look around our business, be it small or large, with a real-world perspective, we start to become alarmingly aware that there are many underlying business risks lurking within our day-to-day operations. These latent business risks are lying under the surface, just waiting for the right initiating event (IE) and set of failure circumstances to come together for them to threaten our business survival through major injuries and/or asset damage, or even to destroy our business processes, thus preventing us from producing our products and services.

The approach taken in this book is based on the new international standard ISO 31000:2009 Risk Management Principles and Guidelines. Issued in December 2009, this new international standard provides us with a practical and structured framework for identifying, assessing and effectively managing all the different types of business risks, as applicable to our particular organisation’s business activities. The standard is unique, in that the risk management principles and approach can be used in all parts of the world and by all types of businesses.

Business risks are all potential threats to the life of any business; therefore, part of the book will cover the subject of business continuity planning, which is based on the approach recommended in the code of practice BS 25999:2006 Business Continuity Management.

To ensure the continued survival of an organisation’s business activities it is essential to have in place realistic business continuity and disaster recovery plans to assist the business in resuming its operations within a critically acceptable time frame.

Whether we accept it or not, there are many hidden tigers lurking in our workplaces, operating processes and even inside our employees and in others who visit our premises. Most organisations will already have carried out some sort of business risk and impact assessment in an attempt to identify and deal with obvious risks to their business. However, many of these assessments are normally driven by the need to reduce costs and/or comply with legal obligations, rather than by an appetite to understand what can actually cause serious harm and perhaps even threaten the life of the business itself.

The threat from these underlying business risks lurking within our business operations takes many forms, including financial, information security, industrial processes, health and safety, environmental and organisational risks. What we need to keep in mind is the potential damage that they can cause to our business if these threats are realised through inadequate and weak risk control barriers.

So business risk management is about standing back from our daily jungle of business pressures and financial demands and taking time out to carefully identify where these underlying business risks could be lurking and practically evaluating the potential consequences on the business and to its people, should a threat be realised.

We should be very realistic and accept that we can never completely eliminate the presence of hidden tigers within our business operations. We can only hope to place effective defensive risk treatment barriers and business continuity plans in place to prevent these tigers getting through the long grass and suddenly pouncing on us and making a successful kill. Sounds dramatic! Well, you may think so, but every day we face many potential threats to our ability to sustain our business, such as people being seriously injured and significant damage caused to process equipment, key business assets and our customer-perceived market image. So ‘Shooting Tigers’ that are lurking within our business operations not only makes good business and financial sense, it is an essential strategy if we are serious about protecting our business from significant business risk exposures that could potentially take us out of business.

About The Author

Michael Wilkinson has gained over 30 years’ hands-on experience in a risk-based approach relating to the management of business risks. He has a PhD in negligence law, a BA(Hons) degree in the application of technology to process plant risk, together with a number of professional qualifications related to business risk management, including being a chartered member of the Institution of Occupational Safety and Health (CMIOSH).

Michael has travelled worldwide, to such countries as South Africa, UAE, Kuwait, Qatar, Bahrain, Oman, Holland, Switzerland, Hong Kong, Malaysia, France, Japan, USA and the UK, where he has presented many key-note talks, seminars, courses and workshops to a diverse range of companies, including oil and gas, industrial and commercial organisations. These successful talks, presentations, seminars, workshops and courses are based on his unique risk-based approach for effectively managing the different types of business risks and on developing integrated business risk and continuity management systems, including risk-based auditing and process and plant safety systems.

The idea for this book came about as a result of the numerous questions that Michael was being asked by delegates who attended his worldwide speaking and training risk management presentations. These questions always concerned how they could identify and analyse the many types of business risks that their organisations face and subsequently ensure business continuity in today’s global-based market. From his vast experience and practical approach Michael developed the comprehensive Business Risk System. This unique system is based on a modular set of business risk assessment processes and business continuity tools to allow the user to pick and mix the methods needed for the particular type of business risk assessment required to be carried out. This book is the culmination of that modular system and provides a unique set of methods and tools for identifying and managing the underlying business risks that are normally missed during conventional risk assessment and management programmes.

Michael is the author of a number of eBooks, audio CDs, articles, model document packs and training guides and kits. Michael is currently working on his next book entitled Safety Environmental and Quality Integration System (SEQIS).

Terms and Definitions

Chapter 1

RISK ASSESSMENT PRINCIPLES

The new international risk management standard ISO 31000:2009 Risk Management – Principles and Guidelines on Implementation states in the introduction that “Organisations of all types and sizes face a range of risks that can affect the achievement of their objectives”. It goes on to state that “These objectives can relate to a range of the organisation’s activities, from strategic initiatives to its operations, processes and projects, and be reflected in terms of strategic, operational, financial and reputational outcomes and impacts”.

‘Risk’ - how many of us understand what this term ‘Risk’ really means and, more importantly, what devastating potential effects risks can have on our business operation? As we know, there are many types of business risk, but the term risk is only used as a generic descriptive term to describe a multitude of situations or events that have the potential to result in serious damage to an organisation, harm to people and/or to the environment.

In this book, we shall be concentrating primarily on how potential business risks are identified, together with associated underlying causes and consequences. We will look at how to determine practical, effective business risk treatment options and the subsequent risk control barriers and business continuity plans that we need to put in place to protect and sustain our company operations, its people and, of course, the environment that we work in. As we have already said, risk can cover a multitude of underlying cause and consequence levels; for example, we could be doing a business risk impact assessment in an oil refinery, large manufacturing plant or small business operation. In each case the principles remain the same, and that is to identify significant business risks, quantify their potential business impact and then put in place adequate risk treatment and business continuity measures to prevent these risks being realised.

During the writing of this book I realised that to effectively manage our potential business risks we also need to use a whole range of different risk assessment and impact analysis tools for identifying and evaluating these surface and underlying risks. So, I have developed my integrated business risk assessment system, which I have called the Risk Assessment Made Easy ‘RAME’ system. This system is designed to assist you by providing a comprehensive set of business risk assessment and impact analysis tools, with supporting guidance, based on ISO 31000 risk management principles and approach.

The book comprises 10 chapters and each of these chapters forms a step on the path of identifying significant business risks. Each one of these 10 steps is designed to take you through a simple, but systematic, process that enables you to effectively and efficiently understand those significant risks within your business operation.

So let's start with looking at what we mean by the term risk. There are currently many approaches and methods of risk assessment and impact analysis, none of which, however, make it very clear how to actually carry out the assessment and subsequent analysis. They give you simple steps to follow but are mostly very shallow in the way that they address the risks. For example, many of these methods have the same principles: identify the risks, evaluate those risks, implement risk control measures, monitor the effectiveness of those control measures and carry out a periodic review. This is great if you are a small business with low risk operations or if you are assessing an office environment. However, most of these assessment methods are insufficient for identifying those underlying business risks that have the potential to cause major emergency events and disasters. In addition, none of these current methods go into any depth concerning human behavioural factors. If we think about all our risk control and business continuity measures, whether they be hardware driven safety devices, formal procedural and/or maintenance programmes, all are operated and maintained by people. This is where our problem begins. It is people that carry out the initial risk assessment and impact analysis, it is people who decide on what risk control and business continuity measures to put in place, and it is people on whom we rely to then follow our risk control measures and execute our business continuity plan. So 80% of our solutions for effectively managing our potential business risks rely on people! History has shown us, through investigation, that many past business failure disasters are attributable to the behaviour of people: behaviour such as human error, which includes memory slips, concentration lapses, procedural violations and cultural factor differences in the value of life. These are all major factors in controlling the significant business risks present within our company operations.

So when we ask the question "what is risk?" we need to think about what we are actually saying. Many would agree that the term risk is made up of a number of factors: the first factor is the nature and type of harm (the hazard), the second factor is the level of consequences that potentially can be realised and the third factor is the likelihood that harm will actually occur (the risk level). In other words, how could it happen! The first factor, the hazard, we cannot do anything about, as the nature and type of the harm will always remain a threat. We cannot change the potential harm that a hazard can potentially cause, because the threat of danger will always be there. For example, petrol is always giving off a flammable vapour, even on the coldest day, so the hazard is that if that flammable vapour finds a source of ignition (open flame, hot surface, static electricity, etc.) it will ignite and cause fire.

Let us look at the various terms used in the field of risk assessment:

• Hazard
  o Something with the potential to cause harm
• Risk
• Likelihood
• Probability
• Assessment

ISO 31000:2009