SRM

Risk

Likelihood X impact

ISO 31000:2018

ISO: Principles for effective risk management

ISO 31010:2019

ISO: Techniques for risk assessment

Principles of risk management

1. integrated (part of all organizational activities)
2. Structured and comprehensive (leads to consistent and comparable results)
3. Customized (to the organizations external and internal context related to its objectives)
4. Inclusive (appropriate and timely involvement of stakeholders enables their knowledge, views, and perceptions to be considered)
5. Dynamic (anticipates, detects, acknowledges, and response to those changes and events in an appropriate and timely manner)
6. Best available information (information should be timely, clear, and available to stakeholders)
7. Human and cultural factors (significantly influence all aspects of RM)
8. Continual improvement through (learning and experience)
8. Continual improvement

Scope, context, and criteria

Scope: what decisions need to be made?
Context: what are the alternatives? what is affected?
Criteria: based on what?

Communication and consultation

- happens at the beginning of the process
- The purpose is to assist relevant stakeholders in understanding risks, the basis on which decisions are made, and why particular actions are required

Risk assessment

1. Risk identification
2. Risk analysis
3. Risk evaluation

Risk identification

To find, recognize, and describe risks that might help or prevent an organization achieve its objectives.
Can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders’ needs.

Risk analysis

To comprehend the nature of risk and its characteristics, including the level of risk if appropriate.
Level of risk, factors affecting the risks

Risk evaluation

To support decisions.
Involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required.

Risk treatment

To select and implement options for addressing risks.
Avoid, accept , share the risk.

Recording and reporting

Tell everyone about your decision regarding risk management

Monitoring and review

Keep an eye on changes and review your assessment and decisions if necessary

Methods for eliciting views

- brainstorming
- nominal group technique
- interviews
- surveys

Brainstorming Delphi technique

1. Ask a group of experts to answer a questionnaire.
2. After each round, an anonymous summary of the experts’ answers and reasoning is shared with everyone.
3. The experts get time to change their answers.
4. After several rounds, it is expected that the experts start agreeing on similar answers

Delphi technique applications and limitations

- Useful when there is no scientific consensus or prior experience.
- If you want to hear unpopular opinions.
- To avoid hierarchical decision making.
- Can be done online/over multiple days.

- results not always reliable
- time consuming
- needs a capable moderator or facilitator

Independent failure

A failure of one or more components that happens independently of failures of other components.

Cause —> component failure

Dependent failure

A failure of one or more components that happens due to some relationship between the components or their cause of failure.

Component failure —> component failure/cause —> component failure/component failure

Cascading failure

A failure that occurs because of the failure of another component.

Component failure —> component failure

Common cause failure (CCFs)

An event where multiple failures occur due to a shared cause.

Cause —> component failure/component failure

Common mode failure (CMFs)

An event where multiple failures occur due to a shared cause and failure mode.
Cause —(same mode)—> component failure/component failure

Systematic failures

Failure of a whole system
(Ex: due to a lack of redundancy)

Single point failure

Component failure that will lead to the failure of a whole system.

Cause —> system failure

Checklists

- checklists based on previous experience
- SWOT (strengths, weaknesses, opportunities, threats)
- PESTLE, STEEP, STEEPLED (political, economical, social, technological, environmental, legal, ethical, demographic)
- hazard overviews (mechanical, biological, chemical, pressure, fire, electrical)

Checklists advantages and disadvantages

- Easy
- can be used by anyone
- especially relevant in standard situations

- ignores interaction between different elements and systems
- no checklist for new technology or circumstances
- often ignores human and organizational factors

Failure mode and effect analysis (FMEA)
Failure mode, effect, and critically the analysis (FMECA)

1. Divide a system or process into elements for analysis
2. For each element, write down function, failure mode, the cause of the failure, the consequence, the significance of the failure, detection of their failure, and compensation measures
3. Define the criticality of each failure mode
4. Define actions to address failure modes

FMEA/FMECA advantages and disadvantages

- structured assessment useful for many kinds of systems and components
- can be used during design and operation
- pays attention to failure modes, causal relationships, detection, and monitoring

- can only be used for single failure modes, not combinations
- can be time-consuming and costly

Hazard and operability analysis (HAZOP)

- Structured meetings with a multidisciplinary team to identify deviations from intended design
- Documented in writing
1. Divide the system, process, or procedure into smaller elements
2. Agree on the design intent and design parameters
3. For each parameter, use guide-works to think about possible deviations from design intent and the possible consequences
4. Agree on causes, consequences, and want to do about it

HAZOP advantages and disadvantages

- Detailed and thorough
- multidisciplinary
-can be used at the design stage
- generates suggestions for solutions
- can be used for systems, processes, procedures
- good for accounting for human error

- Time, cost
- needs lots of information
- often focused on details, not fundamentals
- relies heavily on expertise of the team and the facilitator

Scenario analysis

- Range of techniques that involve developing models of how the future might turn out
- consists of defining a plausible scenario and working through what might happen given various possible future developments

Structured what-if technique (SWIFT)

- Discussion among experts on ex: known risks, sources, drivers
- Facilitator follows the discussion and ask structure “what if” questions to collect a list of risks

Ishikawa method / Fishbone diagram

- used for a root cause analysis (RCA)
- also known from quality management
- review and identify priorities
1. Decide what event you want to analyze.
2. Agree on categories (methods, materials)
3. Ask “why”, “how could that (not) happen?”

Fishbone diagram advantages and disadvantages

- easy, similar to brainstorming
- can be used before or after events
- can be easily done in groups
- structured and graphical result

- not useful when working with probabilities
- not useful when different factors interact
- factors outside of categories may simply be forgotten

Consequences

No/negligible consequences —> acceptable consequences —> near miss —> injuries —> serious injuries —> casualties —> catastrophic failure

Probability

(What is your reference frame?)
Absolutely impossible —> unlikely —> 50-50 chance —> likely —> absolutely certain

Business impact analysis

- Used to understand what your critical processes are, what you need to run them, and how you can recover them adequately
- Basic questions:
What is your risk capacity?/ What are your critical processes?/ How fast does a process need to be recovered?/ To what point does the process need to be recovered?

Bayesian network / belief network

- Used to understand the variables and their dependencies for a given event
- Useful for predicting the likelihood that any of the known causes contributed to the event
- This is only useful if you know the variables, their relationships, and probabilities
- Correct application and interpretation requires reliable knowledge of probability theory

The forgotten half of safety management

- provide: procedures, equipment, economics, availability, competence, communication, commitment, conflict resolution
- maintain
- use
- monitor

Bowtie analysis advantages and disadvantages

- easy to use and understand
- you can tell a story
- can be combined with extra data (responsibilities, probabilities)

- may be to simple for complex situations
- dependent clauses cannot be modeled

Layer of protection analysis

- Often used to gain a better understanding of a single path of an event three, the results of a HAZOP study
- Limited to one cause and one consequence
- Not useful for complex interactions
- Can be used with or without probabilities, but might not account for common mode failures

Swiss cheese model criticism

- no distinction between different types of errors (latent or active, lapse, mistake)
- often used too broadly and without theoretical support
- does not account for interaction between system layers

Risk evaluation

- You need to risk criteria and decision
- The purpose is to support decisions
- involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required
- can lead to: do nothing further/consider risk treatment options/undertake further analysis/maintain existing controls/reconsider objectives

= risk appetite, values, economics, law, politics, knowledge, uncertainty

Risk criteria

Consider:
- The nature and type of uncertainties that can affect outcomes
- how consequences and likelihood will be defined and measured
- Time related factors
- consistency in the use of measurements
- how the level of risk is to be determined
- how combinations of multiple risks will be taken into account
- The organization’s capacity

Hierarchy of controls

1. Elimination (physically remove the hazard)
2. Substitution (replace the hazard)
3. Engineering controls (isolate people from the hazard)
4. Administrative controls (change the way people work)
5. PPE (protect the workers with PPE)

Laws and standards

- ex: decree on external safety of installations
- Dutch law requires distances around activities with external safety risks that in any single location, the probability of dying in a related accident is one in 1 million per year

Risk matrix

- common way of comparing risks
- only useful if you know what the numbers in the words mean
- relationship between numbers should be consistent
- colors should have a clear meaning
- matrix must be in line with your criteria

Choosing treatment options

- how: based on criteria risk, decide if to accept, transfer, mitigate, avoid
- different treatment options are available
- tools to help: cost/benefit analysis, decision three analysis, game theory, multi criteria analysis

Cost/benefit analysis

- weight the total expected cost of options against their total expected benefits in order to choose the most profitable option
- Direct costs = directly associated with the action
- indirect costs = additional opportunity costs (loss of utility, distraction of management time, or the diversion of capital away from other potential investments)
- benefits = reduction of consequences, probability

Why record risks

- to ensure consistent treatment across different risks
- to avoid having to do the same risk assessment twice or more
- to allow for business continuity
- to keep evidence of your risk management
- required by most standards

Why report risks

- to get a management decision
- to get funding or budget
- to make sure everyone is aware of risks and upcoming risk treatments
- to receive feedback from other involved persons
- required by most standards