Risk Management Relevance to PAS 55 (ISO 55000) Deciding on processes to implement risk management

Transcription

1 Risk Management Relevance to PAS 55 (ISO 55000) Deciding on processes to implement risk management Jeff Hollingdale DQS South Africa

2 PAS 55 Risk Management The guideline states: (4.4.7); 6.1 (ISO 55000) The organization shall establish, implement and maintain documented process(es) and /or procedures for the on-going identification and assessment of asset-related and asset management related risks, and the identification and implementation of necessary control measures throughout the life cycles of the assets Risk management is an important foundation for proactive asset management Its overall purpose is to understand the cause, effect and likelihood of adverse events occurring To optimally manage such risks to an acceptable level Provide an audit trail for the management of risks

3 Asset Management Risk Management We achieve this by: Identifying potential risks associated with the assets, and making an estimate of the associated risk levels based on existing or proposed risk controls Determining whether the risks are tolerable Devise risk controls where these are found to be necessary or desirable

4 Risk Identification and Assessment Physical failure risks Operational risks Natural environment Factors outside organization s control Stakeholder risks Associated with the different life cycle phases of assets Acquisition Utilization Maintenance Disposal/Decommissioning

5 What should you already be doing? You probably have some ISO standards? ISO (EMS), OHSAS (SHE) Risk Analysis? Failure Mode & Effect Analysis (FMEA) Failure Mode and Criticality Analysis (FMECA) Root Cause Analysis (RCA) HAZOP (Hazard & Operability Studies) Reliability Centred Maintenance? Condition Based Maintenance?

6 Using ISO ISO is a Risk Management Standard It operates regardless of an organizations products, size, structure, location and existing asset management & accounting systems You can t get certified to ISO it s a guide only It is entirely suitable for asset risk management policies and procedures

7 Framework for Managing Risk Plan Act Do Check

8 Risk Management Process To successfully implement, support and sustain the risk management process, a structure is required. ISO refers to this structure as the risk management process

9 Enterprise Risk Management Framework

10 Basic Questions to Ask What could occur? Where could it occur? When would it occur? How could it occur? What would be the impact if it were to occur? Who would be affected and to what extent? What do we have to do to either prevent it occurring or enhance its chances of occurring?

11 Risks vs. Opportunities Risks may have a negative impact OR a positive impact OR both. Risks with a potentially negative impact represent risks that will require management s assessment and response. Risks with a potentially positive impact represent opportunities to offset the negative impacts of risks. Positive Risks are channelled back to the organisation s strategy or objective-setting processes in order to optimise opportunities as well as to be considered in management s risk assessment and response strategies.

12 Analyse the Risks Develop an understanding of the risk enabling treatment. Inherent vs Residual Risk Provides an input to decisions on whether risks need to be treated Consider contexts and causes Consideration of the positive and negative consequences and their likelihood. Taking into account existing controls and their effectiveness Consequences and likelihoods may be derived from Qualitative analysis: High, Medium, Low Semi-quantitative analysis: Severity X Probability Quantitative analysis: Scientific formulas and statistics Impact X Likelihood

13 Impact Evaluate the Risks High Moderate Risks Lower likelihood, but could have a significant adverse impact on business objectives Significant / Critical Risks Critical risks that potentially threaten the achievement of business objectives Low Low Priority Risks Significant monitoring not necessary, unless change in classification. Periodically reassess. Moderate Risks Lower impact, but could be highly likely and happen often Low Likelihood High

14 Treat the Risks Avoiding the risk by ceasing the activity creating the exposure; Reducing the risk through improvements to the control environment; Transferring the risk exposure, for example insurance or outsourcing; Accepting the risk, where the level of exposure is as low as reasonably practicable, or where exceptional circumstances prevail; Exploiting the risk, where the exposure represents a potential missed or poorly realised opportunity; Integrating a series of the risk responses outlined above. Each treatment action should be considered with regard to: Reducing the consequence if the risk were to occur Reducing the probability of the risk occurring

15 Monitoring and Review Risk management and the progress in achieving objectives is to be monitored and reviewed. The functioning of each component of Risk Management is to be determined and evaluated to ensure Risk Management continues to be effective. Monitoring Activities: Ongoing Monitoring Separate Evaluations Annual Review of the Risk Management Framework Risk Profile Analysis Risk Management Plans

16 Control Assurance Preventive controls: prevent risks from occurring by preventing the cause from leading to the risk occurring. Mitigatory controls: detect and mitigate risk to reduce significant impacts and losses. The effectiveness is to be measured plans put in place for the improvement of effectiveness. Controls must be linked to causes and impacts to ensure gaps or weaknesses can be identified. People, Process and System based Controls Control Self Assessment Questionnaire

17 Levels and Reliability

18 Implementation Considerations Knowing the current state of Risk Management in the organisation and the need for detailed methodologies Having a clear set of objectives to define the requirements for methodologies Identifying relevant stakeholders and role players and the potential need for culture change and engagement sessions Communicating the benefits that the methodology will bring to the organisation to assist with the buy in process. Knowing the required level of complexity of the methodology Correct implementation of procedures through communication, performance measurement and continual improvement

19 Information Management Compatibility with international best practice standards and guidelines Support multiple methodologies for risk management across a number of organisational and process levels. Capturing of all risk information and the setting of tasks and actions with notifications and escalations to facilitate progress monitoring. Easy extraction of relevant and on-time risk information with customisable views and level of detail. Reporting tools that extract information, present it, be customisable, able to be embedded in other documents, such as annual reports.

20 Implementation Considerations Risk management must be implemented and a risk culture developed first Ensure the attitude of embracing change is cultivated, especially if risk management is new to the organisation Information system must be fit for purpose for the organisation. Not too simple or too complex Information system must be easy to use and understand and to use to support the risk management processes The business requirements must be met, and the system flexible for future enhancement, scalability and integration.

21 Implementation Considerations Ensure actions for improvement are allocated to the right people and progress is monitored Ensure appropriate commitment of human and financial resources for improvement activities is obtained If buy-in to risk management as a whole is not in place, there will be little commitment to sustainable improvement Ensure there is a culture of openness, accountability and no blame Ensure KPIs are driving the right behaviour

22 Any Questions? Big Mistake!