8/3/2019 Risk Management with Gordon Wyllie
MindGenius is a registered Trade Mark of MindGenius Ltd. Copyright MindGenius Ltd. 2011.
Risk Management with Gordon Wyllie
In this article I am going to discuss risk management, in particular how to
understand the risk that you are facing so that you can decide whether or not the
risk is acceptable to you and, if not, how you can take appropriate steps to reduce
the risk to an acceptable level.
We all face risks each day in some shape or form. Some we know about. Others we
don't. Of those risks that you know about, how do you actually manage them so
they are at an acceptable level?
The acceptable level is specific to a person or an organisation. It depends on their
risk appetite: the level of risk they are willing to carry.
Risk matrices based on the likelihood of the risk being realised and the severity of the ensuing consequences
are often used to rate risks. Superimposed on these are bands which indicate the desired level of action to be
taken and reflect the risk appetite of the person/organisation.
The risk rating and risk band is dependent on the likelihood and severity ratings you assign to it. To assign these
with any level of accuracy, you need to understand the nature of the risk that you face.
I use an approach to understanding risk which is based on the bow-tie methodology.
Having identified a risk, I start with identifying the event that would cause the risk to be realised, the
undesirable event. Let's take the case of a container of a toxic chemical. As long as the toxic chemical is
contained within the container, it will not do damage to people, assets or the environment outwith the
container. However, should a leak develop in the container, the toxic chemical will be released into the external
environment where it could cause damage or harm. So my undesirable event is a spillage of toxic chemical as at
this point the toxic chemical is no longer under my control.
In this case I have also identified the hazard associated with the risk, the toxic chemical.
There will be a number of failure modes and harm mechanisms associated with the risk so I set about identifying
these in turn.
First, I consider what might be the possible failure mechanisms that would cause the toxic chemical to be
spilled. In doing this I consider what might be some vulnerabilities that would be a contributing factor to the
undesirable event and what might be threats which would exacerbate such vulnerabilities.
The container is outside, exposed to the elements. As it is made of mild steel it is prone to corrosion in the
presence of water. Also, it does rain quite a lot in Scotland. So rain (weather) is a threat, and the container is
vulnerable to corrosion. I have a threat and a vulnerability in alignment, so I have identified a potential fault
mechanism.
Other failure mechanisms could be:
Container dropped and suffers damage
Container not manufactured to specification
Container struck by vehicle
However there may be barriers in place to prevent such failure mechanisms from occurring and causing the
undesirable event. These are called Prevention Controls.
Let's take the case of the corrosion failure mechanism. To prevent this the container has a coating of protective
paint. This protective paint is also reapplied every 2 years.
I then identify and add other preventive controls that might exist.
Next I look at the harm mechanisms that could exist should the undesirable event happen. It is interesting to
note that there is not a one-to-one relationship between the failure mechanisms and the harm mechanisms.
So what might be some harm mechanisms if there is a spillage of the toxic chemical? Well, people could be
harmed if they are present when the undesirable event occurs, especially if they come into contact without
appropriate protective equipment (PPE). If the toxic chemical is not removed in a timely manner then assets in
contact with it, or the environment could suffer damage.
As before, there may be barriers in place which may mitigate the consequences. These are referred to as
Recovery Controls. By adding these, you can build up a picture of the consequences associated with the risk.
Now that you have mapped out the key factors associated with the risk you can quantify the risk using the risk
matrix methodology from a position of knowledge rather than gut feel.
You should have more confidence in your rating and it will also provide evidence of what your risk assessment
was based on if questioned at a later date.
If you felt the risk was unacceptable what could you do to treat the risk and make it more acceptable? Looking
at the map you can see that there is no preventive control associated with the forklift operations and their
potential to damage the container. So a risk treatment option could be to erect protective barriers around the
container. This would reduce the likelihood of the undesirable event occurring from this fault mechanism.
Now this is all very fine in an ideal world, but things change or do not always operate in the way they were
intended.
Your risk is effectively being managed by the controls, preventive and recovery, that you have in place. Will they
always remain effective? That can depend on many things.
Let's look at the Preventive Controls scenario. The corrosion is prevented by the protective paint covering which
is reapplied every 2 years. What happens if the repainting of the container doesn't happen? What if the paint
gets scratched just after it has been re-painted?
These scenarios would reduce the effectiveness of the controls, thereby increasing (escalating) the likelihood of
corrosion occurring. One way around this is to schedule a 6-monthly inspection of the protective paint covering of
the container. This is called an Escalation Preventive Control.
Likewise, the effectiveness of the Recovery Controls may degrade over time. For example, the neutralising
chemicals may have a limited shelf life. So you would put in place a schedule of replacing these chemicals at
appropriate intervals.
'Emergency' procedures are activities which are not part of normal business. People therefore do not get a
chance to practise using them and can become rusty. You would introduce a series of 'Emergency'
procedure training/simulation events.
As an added advantage, these controls and escalation control activities can feed directly into your audit, inspection
and training programs to give them a more targeted and focused outcome.
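The bow-tie built up above can also be held as data, so that mechanisms with no barrier and controls with no escalation control can be listed rather than spotted by eye. This is an added example, not part of the original article or of MindGenius; the controls shown for the dropped and out-of-specification mechanisms, and the pairing of recovery controls with harm mechanisms, are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    escalation: list = field(default_factory=list)  # activities that keep the control effective

@dataclass
class Mechanism:
    name: str
    controls: list = field(default_factory=list)

@dataclass
class BowTie:
    hazard: str
    undesirable_event: str
    failure: list  # left side: failure mechanisms with their prevention controls
    harm: list     # right side: harm mechanisms with their recovery controls

    def uncontrolled(self):  # mechanisms with no barrier: first candidates for treatment
        return [m.name for m in self.failure + self.harm if not m.controls]

    def unmaintained(self):  # (mechanism, control) pairs with no escalation control
        return [(m.name, c.name) for m in self.failure + self.harm
                for c in m.controls if not c.escalation]

def build_spill_bowtie():
    paint = Control("Protective paint, reapplied every 2 years", ["6-monthly paint inspection"])
    neutraliser = Control("Neutralising chemicals", ["Scheduled replacement"])
    procedures = Control("Emergency procedures", ["Training/simulation events"])
    failure = [
        Mechanism("Corrosion from rain on mild steel", [paint]),
        Mechanism("Container dropped", [Control("Handling procedure")]),  # assumed control
        Mechanism("Not manufactured to specification", [Control("Delivery inspection")]),  # assumed
        Mechanism("Container struck by vehicle"),  # no prevention control, as the article notes
    ]
    harm = [Mechanism("People present without PPE", [procedures]),  # pairing of recovery
            Mechanism("Spill not removed in a timely manner", [neutraliser])]  # controls is assumed
    return BowTie("Toxic chemical", "Spillage of toxic chemical", failure, harm)

def treat(tie, mechanism_name, control):  # what-if: attach a new control to one mechanism
    for m in tie.failure + tie.harm:
        if m.name == mechanism_name:
            m.controls.append(control)

if __name__ == "__main__":
    tie = build_spill_bowtie()
    print("No barrier:", tie.uncontrolled(), "| no escalation control:", tie.unmaintained())
```

Calling `treat` with a protective-barrier control on the vehicle mechanism clears it from `uncontrolled()`, and the new barrier then shows up in `unmaintained()` until an inspection or similar activity is attached to it.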
Here are some additional things I do with MindGenius:
Add branch notes to provide more detailed descriptions of activities
Use attachments to link to procedures, guidelines, work instructions
Apply categories (H,M,L) to identify the key mechanisms which affect likelihood and severity. I use the filter to focus in on the key failure and harm mechanisms.
Add a title for the risk using Floating Text. In describing the risk I use the X, Y, Z approach:
the issue/concern X that happens because of Y resulting in Z. E.g. People harmed and assets/environment
damaged because of a spillage of toxic chemical due to the container being ruptured.
Copy map and use for what-if scenarios for risk treatment, impact of change
Use a bow-tie template map to ensure a consistent approach to analysing risk. You can start with a harm mechanism,
hazard, undesirable event or consequence; the others will emerge as the analysis progresses
Use question lists to cover different perspectives on severity so I take a comprehensive view. E.g. don't just
consider injury. What about financial impact, bad publicity, loss of production/capability, legal and regulatory
consequences?
So there you have it. An approach to documenting and understanding the mechanisms associated with the risks that
you face and have to manage.
Using this approach you will be more aware of the controls that you have in place to manage risk. If you share this
information with others, then they will understand why such controls are in place, what these controls are intended
to achieve, how they should use/operate these controls and the potential ramifications if they are not implemented
or applied properly.
Such an approach increases people's awareness of risk and increases the knowledge and ownership of risk within an
organisation.
I hope this article will encourage you to use MindGenius to help you better understand the risks you face and
ultimately manage them more effectively.