Master Class: Construction Health and Safety: ISO 31000, Risk and Hazard Management - Standards

Transcription

1

2 Master Class: Construction Health and Safety: ISO 31000, Risk and Hazard Management - Standards A framework for the integration of risk management into the project and construction industry, following the principles and guidelines of the ISO 31000:2009 standard. 2nd Project And Construction Management Professions Conference Gallagher Convention Centre, Midrand, October 2014

3 Master Class Curriculum 1. Overview of key risk management terms and definitions in ISO 31000, ISO Guide 73 and ISO Guide Overview of the risk management principles, framework and process in the ISO guidelines 3. Discussion on the criteria for the selection of suitable risk assessment techniques, as described in IEC/ISO Practical guidance on designing and implementing a suitable enterprise risk management framework in project and construction management organisations 3

4 1. Overview - Terms and Definitions Key risk management terms and definitions in ISO 31000, ISO Guide 73 and ISO Guide 51 4

5 Vocabulary ISO 31000:2009 Risk management - Principles and guidelines ISO Guide 73:2009 Risk management Vocabulary ISO Guide 51:1999 Safety aspects Guidelines for their inclusion in standards Out of 51 terms and definitions contained in the ISO Guide 73, only 29 are used in ISO excluded, e.g.: Risk Appetite Risk Tolerance Risk Management Audit etc. 5

6 Terms and Definitions Risk effect of uncertainty on objectives NOTE 1 - An effect is a deviation from the expected positive and/or negative. NOTE 2 - Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organisation-wide, project, product and process). NOTE 3 - Risk is often characterized by reference to potential events and consequences, or a combination of these. NOTE 4 - Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence. NOTE 5 - Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood. Risk management (RM) the coordinated activities to direct and control an organisation with regard to risk An integral part of organisational processes as well as a part of decision making Can be applied across an entire organisation, to its many areas and levels, as well as to specific functions, projects and activities. 6

7 Terms and Definitions Risk assessment overall process of risk identification, risk analysis and risk evaluation Risk source element which alone or in combination has the intrinsic potential to give rise to risk Risk owner person or entity with the accountability and authority to manage a risk Accountability = Authority + Resources (e.g. human, technology, information, Finance, etc.) + Competence Stakeholder person or organisation that can affect, be affected by, or perceive themselves to be affected by a decision or activity 7

8 Terms and Definitions Likelihood chance of something happening NOTE 1 - In risk management terminology, the word likelihood is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period). NOTE 2 - The English term likelihood does not have a direct equivalent in some languages; instead, the equivalent of the term probability is often used. However, in English, probability is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, likelihood is used with the intent that it should have the same broad interpretation as the term probability has in many languages other than English. Consequence outcome of an event affecting objectives NOTE 1 - An event can lead to a range of consequences. NOTE 2 - A consequence can be certain or uncertain and can have positive or negative effects on objectives. NOTE 3 - Consequences can be expressed qualitatively or quantitatively. NOTE 4 - Initial consequences can escalate through knock-on effects 8

9 Risk analysis Terms and Definitions process to comprehend the nature of risk and to determine the level of risk NOTE 1 Risk analysis provides the basis for risk evaluation and decisions about risk treatment. NOTE 2 Risk analysis includes risk estimation. Level of risk magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood 9

10 Terms and Definitions Risk criteria terms of reference against which the significance of a risk is evaluated NOTE 1 - Risk criteria are based on organisational objectives, and external and internal context. NOTE 2 - Risk criteria can be derived from standards, laws, policies and other requirements. Risk evaluation process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable NOTE - Risk evaluation assists in the decision about risk treatment 10

11 Terms and Definitions Control measure that is modifying risk NOTE 1 - Controls include any process, policy, device, practice, or other actions which modify risk. NOTE 2 - Controls may not always exert the intended or assumed modifying effect. Residual risk risk remaining after risk treatment NOTE 1 - Residual risk can contain unidentified risk. NOTE 2 - Residual risk can also be known as retained risk. 11

12 Terms and Definitions Risk treatment process to modify risk NOTE 1 - Risk treatment can involve: avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; taking or increasing risk in order to pursue an opportunity; removing the risk source; changing the likelihood; changing the consequences; sharing the risk with another party or parties (including contracts and risk financing); and retaining the risk by informed decision. NOTE 2 - Risk treatments that deal with negative consequences are sometimes referred to as risk mitigation, risk elimination, risk prevention and risk reduction. NOTE 3 - Risk treatment can create new risks or modify existing risks. 12

13 2. Overview - Relationships Relationships between the risk management principles, framework and process in the ISO guidelines 13

14 ISO Relationships Principles: Why risk management? Framework: How to integrate risk management in the existing management system? Process: How to integrate risk management in the existing management practices and processes? 14

15 3. Principles a) Creates value b) Integral part of organisational processes c) Part of decision making d) Explicitly addresses uncertainty e) Systematic, structured and timely f) Based on the best available information g) Tailored h) Takes human and cultural factors into account i) Transparent and inclusive j) Dynamic, iterative and responsive to change k) Facilitates continual improvement and enhancement of the organisation 15

16 4. Risk Management Framework Risk management framework set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation NOTE 1 - The foundations include the policy, objectives, mandate and commitment to manage risk. NOTE 2 - The organisational arrangements include plans, relationships, accountabilities, resources, processes and activities. NOTE 3 - The risk management framework is embedded within the organisation's overall strategic and operational policies and practices. 16

17 5. Risk Management Process Risk management process systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk Communication & Consultation (5.2) Establishing the Context (5.3) Ris k Asse ssment (5.4) Risk Identification (5.4.2) Risk Analysis (5.4.3) Risk Evaluation (5.4.4) Risk Treatment (5.5) Monitoring and Review (5.6) 17

18 5.1 General Existing management practices might include components of RM: critical review of existing practices and processes to assessment and determine adequacy and effectiveness adapt and extend existing processes to cover missing elements Parameters might be similar to those considered during the design of the framework, for the RM process they need to be considered in greater detail: scope of the particular instance of the RM process 18

19 5.2 Communication & Consultation Communication and consultation with external and internal stakeholders should take place during all stages of the RM process. Therefore, plans should be developed at an early stage. 19

20 5.3 Establishing the Context Parameters might be similar to those considered during the design of the framework, for the RM process they need to be considered in greater detail; i.e. scope of the particular instance of the RM process General Establishing the external context Establishing the internal context Establishing the context of the RM process Defining risk criteria 20

21 5.4 Risk Assessment Purpose: Provide information to make informed decisions understanding the risk and impact upon objectives providing information for decision makers contributing to the understanding of risks identifying weak links in systems and organisations comparing of risks in alternative approaches assisting with establishing priorities contributing towards incident prevention selecting different forms of risk treatment meeting regulatory requirements 21

22 5.5 Risk Treatment Options avoiding the risk (do not start / stop the activity) increasing the risk to pursue an opportunity removing the risk source changing the likelihood changing the consequences sharing the risk with another party or parties retaining the risk by informed decision Option selection cost / benefit analysis justifiable on economic grounds combination of treatment is better values and perceptions of stakeholders if impacted, involve stakeholders in the decision be aware of the introduction of new risks 22

23 5.6 Monitoring and Review Purpose : regular checking or surveillance Ensuring that controls are effective and efficient (in design and operation) Analyzing and learning lessons from events & changes Detecting changes in the internal & external context Identify emerging risks Further improvements 23

24 Health and Safety Risk Assessment Many texts deal only with the analytical processes of RA Omitting the management and organisational aspects of their implementation: establishing the context, communication and consultation, and monitoring and review This trend is particularly valid for the field of H&S risks. 24

25 3. Discussion Selecting a Technique The criteria for the selection of suitable risk assessment techniques, as described in IEC/ISO Annex A correlate some potential techniques and their categories for illustrative purposes. 25

26 Selection based on Risk Criteria For a specific instance of the risk management process, establishing the context should include the definition of the external, internal and risk management context and classification of risk criteria Risk assessment may be undertaken in varying degrees of depth and detail and using one or many methods ranging from simple to complex. The form of assessment and its output should be consistent with the risk criteria developed as part of establishing the context. 26

27 Defining Risk Criteria Defining risk criteria involves deciding: the nature and types of consequences to be included and how they will be measured, the way in which probabilities are to be expressed, how a level of risk will be determined, the criteria by which it will be decided when a risk needs treatment, the criteria for deciding when a risk is acceptable and/or tolerable, whether and how combinations of risks will be taken into account. 27

28 Sources of Risk Criteria Criteria can be based on sources such as agreed process objectives, criteria identified in specifications, general data sources, generally accepted industry criteria such as safety integrity levels, organisational risk appetite, legal and other requirements for specific equipment or applications. 28

29 Applicability 29

30 Techniques and Tools Covered 1. Look-up methods 1. Checklists 2. Preliminary hazard analysis (PHA) 2. Supporting methods 3. Brainstorming 4. Structured or semi-structured interviews 5. Delphi technique 6. SWIFT (Structured what-if ) 7. Human reliability analysis (HRA) 3. Scenario analysis 8. Root cause analysis (single loss analysis) 9. Scenario analysis 10. Toxicological risk assessment 11. Business impact analysis (BIA) 12. Fault tree analysis (FTA) 13. Event tree analysis (ETA) 14. Cause/consequence analysis 15. Cause-and-effect analysis 30

31 Techniques and Tools Covered 4. Function analysis 16. Failure mode and effects analysis (FMEA) and Failure mode, effects and criticality Analysis (FMECA) 17. Reliability-centred maintenance (RCM) 18. Sneak analysis (Sneak circuit analysis) 19. Hazard and operability study (HAZOP) 20. Hazard analysis and critical control points (HACCP) 5. Controls assessment 21. Layers of protection analysis (LOPA) 22. Bow tie analysis 6. Statistical methods 23. Sneak circuit analysis 24. Markov analysis 25. Monte Carlo analysis 26. Bayesian analysis 7. Presenting results and decision-making 27. FN Curve 28. Risk Indices 29. Consequence-probability matrix 30. Cost-benefit analysis (CBA) 31. Multi-criteria decision analysis (MCDA) 31

32 Factors influencing selection of RA techniques 1. Complexity of the problem and the methods needed to analyse it, 2. The nature and degree of uncertainty of the risk assessment based on the amount of information available and what is required to satisfy objectives, 3. The extent of resources required in terms of time and level of expertise, data needs or cost, 4. Whether the method can provide a quantitative output. 32

33 Attributes Description A general process of risk identification to define possible deviations from the expected or intended performance. It uses a guideword based system. The criticalities of the deviations are assessed. HAZOP Relevance of influencing factors Resources and capability Nature and degree of uncertainty Complexity Can provide quantitative output Medium High High No 33

34 Description A simple inductive method of analysis with the objective to identify the hazards and hazardous situations and events that can cause harm for a given activity, facility or system Attributes Preliminary Hazard Analysis Relevance of influencing factors Resources and capability Nature and degree of uncertainty Complexity Can provide quantitative output Low High Medium No 34

35 Construction Project Risks Construction is undeniably a risky business and risks are unavoidable in any project. Risks such as tax risks, interface risks and local site risks are the most common and inevitable risks in construction projects. Other risks that may be less likely to occur are force majeure events or changes in law; but should these risks occur, they will have significant impact on the project. Delays, claims for increased costs, injuries to workers and so on are common risks in construction projects. The accumulation of all these risks or the combination of them can be termed project risks. Construction project risks are interrelated and interdependent. The customary origins for project risks are the following (U.S. Department of Transportation, 2006): Performance, scope, quality, or technology issues; Environment, safety, and health concerns; Scope, cost, and schedule uncertainty; Political concerns 35

36 Construction Project Risks Risks in construction projects may be classified in a number of ways according to their source. Naturally, risk will be peculiar to each particular project and each project participant, however, it is recognised that all construction projects share common risks that can broadly be classified as follows: 1. Construction 2. Financial and economic 3. Performance 4. Security 5. Contractual and legal 6. Physical 7. Political and societal 8. Technical risks 9. External risks 10. Organisational risks 11. Project management risks 36

37 What next? In the spirit of ISO 31000, one may decide to review the foundations of existing processes and practices regarding the H&S risk assessment and management. While it is not specific to a particular industry or sector, the standard can be applied to any organisational entity regardless of the type and nature of the risks. Despite this, the standard is not about promoting uniformity in risk management, because the design and implementation of the framework and management plans should take into account the specific needs of the organisation s particular objectives, structure, operations, processes, functions, projects, products, services, goods, and specific practices employed. Legal compliance Some areas, such as in H&S, require regulatory criteria that reflect an aversion to the predominantly negative consequences of risk. Resorting to the approach proposed in the standard proposed enables the identification and application of such criteria. 37

38 4. Practical guidance Designing and implementing a suitable enterprise risk management framework in project and construction management organisations 38

39 4. Risk Management Framework The framework supports the organisation to effectively manage risks, applying risk management process on different levels, in the specific context, at a given moment. 39

40 4. Risk Management Framework This framework is to be embedded within the organisation's overall strategic and operational policies and practices It includes a "set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation. It is worth noting that the risk management framework proposed in the ISO 31000:2009 follows the Deming cycle (Plan-Do-Check-Act: PDCA). 40

41 4.1 General A risk management framework links the management of risk with other management activities within the organisation. Therefore, the framework should be embedded in the overall strategy of the organisation, in its policies and practices, as well as throughout the organisation at all levels. In particular, the risk management framework should ensure: continual improvement; full accountability for risks; application of risk management in all decision making; clear and continual communications; and full integration in the organisation governance structure. 41

42 4.2 Mandate and commitment Management must initiate risk management and also ensure its efficiency. This requires a strong and sustained commitment, as well as a rigorous design of a strategic plan to obtain involvement at all organisation levels. In this regard, the management should: define and endorse the risk management policy; ensure alignment between organisation's culture and risk management policy; define risk management performance indicators that are aligned with organisational performance indicators; align risk management objectives organisational objectives and strategies; assign accountabilities and responsibilities and empower individuals at appropriate levels of the organisation, ensuring adequate competences; ensure that the necessary resources are allocated to risk management; communicate the benefits of risk management to all stakeholders; and ensure that the framework for managing risk continues to remain appropriate. 42

43 4.3 Framework design Understanding the organisation and its context includes the evaluation and understanding of "both the external and internal context of the organisation - aimed at identifying external and internal parameters that influence the pursuit of the organisation s objectives and, therefore, must be taken into consideration while managing risks Establishing the risk management policy a statement of the overall intentions and direction of an organisation related to risk management Integration into organisational processes For its efficiency, effectiveness and, also, for the sake of simplicity, risk management should be integrated with management systems or practices that already are familiar to the organisation Most construction-related companies have already adopted management processes addressing quality, environment, occupational safety and health, social responsibility, and others, along with the current practices of cost, time and scope management. 43

44 4.3 Framework design Accountability and resources the organisation should ensure that there is accountability, authority and appropriate competence for managing risk, including implementing and maintaining the risk management process and ensuring the adequacy, effectiveness and efficiency of any controls For construction projects, the following key players concerning risk management should be identified: company risk coordinators accountable for ensuring the uniformity of the operational context and the compatibility of the risk criteria throughout the company and its projects; project risk managers accountable for developing, applying, reviewing and updating the risk management plan as a result of implementing the risk management process; risk owners that have the accountability and authority to manage risks through the implementation of the risk treatment procedures/measures. Regarding risk management, the link between the constructionrelated company and the construction projects is established through the communication between risk coordinators and risk managers. 44

45 4.3 Framework design - Participation To identify and manage H&S risk associated with a project, an organisation requires involvement and participation of the project manager, the project team members, the risk management team, customers, experts, end users, stakeholders and the specialists in risk analysis. All decision-making processes in the organisation, regardless of the level of importance or relevance, must explicitly consider risks and the implementation of risk management. 45

46 4.3 Framework design - Risk Owners A risk owner is the person with the obligation to manage risks (or the state of its management) relating the area of the construction project over which it is accountable and exercises authority. Risk owners should be accountable for: the execution of risk management activities and risk-related documentation (including for the activities and documentation generated by hierarchically dependent risk owners); and for reporting threats and opportunities and for validating and implementing risk treatments activities. Risk owners are allies of the risk manager in the sense that their expertise and knowledge support the application of the risk management process. Especially regarding the risk assessment (risk identification, risk analysis and risk evaluation) and risk treatment stages, to all activities of the construction project, within or outside their particular area of influence. 46

47 4.3 Framework design Communication and consultation Continual and iterative processes that the organisation conducts to provide, share or obtain information and to engage in dialogue with stakeholders regarding the management of risk. Stakeholders in the construction industry range from authorities and official bodies, to owners and their representatives, banks and insurance companies, conformity assessment bodies, designers, contractors, subcontractors and suppliers, and, finally but definitely not the least, end-users. 47

48 4.4 Implementation Implement 1. the RM Process; and 2. the RM Framework Implementation of risk management in the construction industry can be envisaged at two complementary levels: 1. Company level: Integrate risk management into the existing overall management system, by adapting components of the ISO 31000:2009 standard to your specific needs. 2. Projects level: Project owners should ensure that a risk management plan is designed and implemented throughout the various phases (lifecycle) of the construction projects they oversee, in order to establish the approach, the management components and the resources to be applied to manage risk. 48

49 4.5 Monitoring and review Alike other elements of overall management, risk management culminates with concrete proposals for amendment of policies, strategies, processes, projects, operations or activities. At company level, monitoring should cover the status of risk and its management and check if the level of performance complies or deviates from what is established in the risk management framework. On the other hand, review should determine the appropriateness, adequacy and effectiveness of the risk management framework to achieve the objectives laid down in the risk management policy. 49

50 4.6 Continual improvement Review should also promote the necessary changes, if necessary, towards continual improvement. The suggested framework includes monitoring and reviewing activities that, alongside with communication and consultation, provide a solid ground for enhancing a risk management culture within the construction industry. 50

51 Integration There are three perspectives to establish the structural relation between the organisation s management and risk management, namely: consider risk management as a component of the organisation management, with top management delegating the responsibility for it (Fig. 1); consider risk management to be incorporated within the organisation top management, so that risk management is not reduced to an administrative task (Fig. 2); or consider risk management throughout all aspects of the organisation management, including the possibility of delegating risk management task to external entities (Fig. 3). 51

52 Integration The first perspective, somehow, isolates risk management as a separated, additional task. The second perspective is more applicable for sectors such as insurance. For the construction industry, risk management should be integrated according to the last perspective. It is important to capture all potential risks in a project and undertake all necessary actions or make provisions for eliminating or preventing them from occurring. Alternatively, the effects of risks may be reduced and allocated to the party best prepared for managing them. This requires a systematic approach to risk management. 52

53 A Proposed RM Model for Projects / Construction Industry 53

54 Traditional - Project H&S Specifications EPCM H&S Plan PC1 H&S Plan PC2 - H&S Plan C1.1 H&S Plan C1.2 - H&S Plan C2.1 - H&S Plan SC1.1.1 H&S Plan SC1.1.2 H&S Plan SC2.1.1 H&S Plan 54

55 Risk-based Project H&S Specification EPCM Consultant Project H&S Plan Principal Contractor 1 Site H&S Plan 1 PC2 Site H&S Plan 2 Contractor 1.1 Contract H&S Plan Contractor 1.2 Contract H&S Plan Contractor 2.1 Contract H&S Plan Subcontractor Activity Safety Plan Subcontractor Activity Safety Plan Subcontractor Activity Safety Plan 55

56 Conclusion From a project standpoint, the successful implementation of risk management should be started and guided by the owner and their representatives, in order to capture the full spectrum of interested parties involved and focus the product performance on the end user demands. Following this, the designers, the contractors and others, should then implement the risk management based on the owner s guidelines, in order to ensure that the objectives of the end users are met. 56

57 57

58