Risk Assessment - Shooting Tigers



RISK ASSESSMENT SHOOTING TIGERS IMPLEMENTING ISO 31000:2009 RISK MANAGEMENT PRINCIPLES AND GUIDELINES

Michael E Wilkinson

SalusCP Publications



© Michael Wilkinson 2010. All Rights Reserved. In accordance with the Copyright, Designs and Patents Act 1988, no part of this book may be reproduced in any form, by photocopying or by any electronic or mechanical means, including information storage or retrieval systems, without permission in writing from both the copyright owner and/or the publisher of this book.

ISBN 9780954263102

First Published in the United Kingdom in 2010 by SalusCP Publications

Printed in Great Britain by FastPrint www.fast-print.net



Publisher’s note: Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to print, and the publishers and author cannot accept responsibility for any errors or omissions, however caused. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.



Business Risk System

The Business Risk System has been developed by Michael Wilkinson over a number of years to provide a modular set of methods and tools for identifying and effectively controlling those underlying business and process risks. The idea is that the system can be used to pick and mix only those methods and tools needed for a given industrial/process operation, set of job tasks and/or commercial activity. In addition, the Business Risk System provides several choices of communication media and training support packages and model document sets.

The Business Risk System comprises:

Books
· Risk Assessment – Shooting Tigers - Implementing ISO 31000:2009 (this book)
· Safety Environment & Quality Integration System (SEQIS) (due November 2010)

eBooks
· Office Risk Assessment
· Safety Instrumented Systems (SIS)
· Process Risk Barrier Control
· Business Risk Impact Analysis
· Fault Tree Analysis
· Bow-Tie Method
· Cause and Effects
· Risk Flow Charting
· HAZOP Studies

Audio CDs
· Risk Assessment – Taming Tigers (set of 4 CDs)
· Book Chapters 1 to 10
· Business Risk Assessment – An Overview
· Job Safety Analysis

Training Packs
· PowerPoint slide presentations
· Trainers Guides
· Delegate Workbooks and handouts

For more details visit my Business Risk System website www.businessrisksystem.com


Contents



Preface

So why is this book called Risk Assessment – Shooting Tigers Implementing ISO 31000:2009? Well, if we look around our business, be it small or large, with a real-world perspective, we start to become alarmingly aware that there are many underlying business risks lurking within our day-to-day operations. These latent business risks are lying under the surface, just waiting for the right initiating event (IE) and set of failure circumstances to come together for them to threaten our business survival through major injuries and/or asset damage, or even to destroy our business processes, thus preventing us from producing our products and services.

The approach taken in this book is based on the new international standard ISO 31000:2009 Risk Management Principles and Guidelines. Issued in December 2009, this new international standard provides us with a practical and structured framework for identifying, assessing and effectively managing all the different types of business risks, as applicable to our particular organisation’s business activities. The standard is unique, in that the risk management principles and approach can be used in all parts of the world and by all types of businesses.

Business risks are all potential threats to the life of any business. Therefore, part of the book will cover the subject of business continuity planning, which is based on the approach recommended in the code of practice BS 25999:2006 Business Continuity Management.


To ensure the continued survival of an organisation’s business activities, it is essential to have in place realistic business continuity and disaster recovery plans to assist the business in resuming its operations within a critically acceptable time frame. Whether we accept it or not, there are many hidden tigers lurking in our workplaces, operating processes and even inside our employees and in others who visit our premises.

Most organisations will already have carried out some sort of business risk and impact assessment in an attempt to identify and deal with obvious risks to their business. However, many of these assessments are normally driven by the need to reduce costs and/or comply with legal obligations, rather than by an appetite to understand what can actually cause serious harm and perhaps even threaten the life of the business itself.

The threat from these underlying business risks lurking within our business operations takes many forms, including financial, information security, industrial processes, health and safety, environmental and organisational risks. What we need to keep in mind is the potential damage that they can cause to our business if these threats are realised through inadequate and weak risk control barriers.

So business risk management is about standing back from our daily jungle of business pressures and financial demands and taking time out to carefully identify where these underlying business risks could be lurking, and practically evaluating the potential consequences on the business and its people should a threat be realised. We should be very realistic and accept that we can never completely eliminate the presence of hidden tigers within our business operations. We can only hope to place effective defensive risk treatment barriers and business continuity plans in place to prevent these tigers getting through the long grass and suddenly pouncing on us and making a successful kill.

Sounds dramatic! Well, you may think so, but every day we face many potential threats to our ability to sustain our business, such as people being seriously injured or significant damage caused to process equipment, key business assets and our customer-perceived market image. So ‘Shooting Tigers’ that are lurking within our business operations not only makes good business and financial sense; it is an essential strategy if we are serious about protecting our business from significant business risk exposures that could potentially take us out of business.



About The Author

Michael Wilkinson has gained over 30 years’ hands-on experience in a risk-based approach relating to the management of business risks. He has a PhD in negligence law and a BA (Hons) degree in the application of technology to process plant risk, together with a number of professional qualifications related to business risk management, including being a chartered member of the Institution of Occupational Safety and Health (CMIOSH).

Michael has travelled worldwide, to such countries as South Africa, UAE, Kuwait, Qatar, Bahrain, Oman, Holland, Switzerland, Hong Kong, Malaysia, France, Japan, USA and the UK, where he has presented many keynote talks, seminars, courses and workshops to a diverse range of companies, including oil and gas, industrial and commercial organisations. These successful talks, presentations, seminars, workshops and courses are based on his unique risk-based approach for effectively managing the different types of business risks and on developing integrated business risk and continuity management systems, including risk-based auditing and process and plant safety systems.

The idea for this book came about as a result of the numerous questions that Michael was being asked by delegates who attended his worldwide speaking and training risk management presentations. These questions always concerned how they could identify and analyse the many types of business risks that their organisations face, and subsequently ensure business continuity in today’s globally based market.

From his vast experience and practical approach, Michael developed the comprehensive Business Risk System. This unique system is based on a modular set of business risk assessment processes and business continuity tools to allow the user to pick and mix the methods needed for the particular type of business risk assessment required to be carried out. This book is the culmination of that modular system and provides a unique set of methods and tools for identifying and managing the underlying business risks that are normally missed during conventional risk assessment and management programmes.

Michael is the author of a number of eBooks, audio CDs, articles, model document packs and training guides and kits. Michael is currently working on his next book, entitled Safety Environmental and Quality Integration System (SEQIS).


Terms and Definitions




Chapter 1

RISK ASSESSMENT PRINCIPLES

The new international risk management standard ISO 31000:2009 Risk Management – Principles and Guidelines on Implementation states in its introduction that “Organisations of all types and sizes face a range of risks that can affect the achievement of their objectives”. It goes on to state that “These objectives can relate to a range of the organisation’s activities, from strategic initiatives to its operations, processes and projects, and be reflected in terms of strategic, operational, financial and reputational outcomes and impacts”.

‘Risk’: how many of us understand what this term really means and, more importantly, what devastating potential effects risks can have on our business operation? As we know, there are many types of business risk, but the term risk is only used as a generic descriptive term to describe a multitude of situations or events that have the potential to result in serious damage to an organisation, harm to people and/or to the environment.

In this book, we shall be concentrating primarily on how potential business risks are identified, together with associated underlying causes and consequences. We will look at how to determine practical, effective business risk treatment options and the subsequent risk control barriers and business continuity plans that we need to put in place to protect and sustain our company operations, its people and, of course, the environment that we work in.

As we have already said, risk can cover a multitude of underlying cause and consequence levels. For example, we could be doing a business risk impact assessment in an oil refinery, a large manufacturing plant or a small business operation. In each case the principles remain the same: to identify significant business risks, quantify their potential business impact, and then put in place adequate risk treatment and business continuity measures to prevent these risks being realised.

During the writing of this book I realised that to effectively manage our potential business risks we also need to use a whole range of different risk assessment and impact analysis tools for identifying and evaluating these surface and underlying risks. So I have developed my integrated business risk assessment system, which I have called the Risk Assessment Made Easy ‘RAME’ system. This system is designed to assist you by providing a comprehensive set of business risk assessment and impact analysis tools, with supporting guidance, based on ISO 31000 risk management principles and approach.

The book comprises 10 chapters, and each of these chapters forms a step on the path of identifying significant business risks. Each one of these 10 steps is designed to take you through a simple, but systematic, process that enables you to effectively and efficiently understand those significant risks within your business operation. So let's start by looking at what we mean by the term risk.

There are currently many approaches and methods of risk assessment and impact analysis, none of which, however, make it very clear how to actually carry out the assessment and subsequent analysis. They give you simple steps to follow but are mostly very shallow in the way that they address the risks. For example, many of these methods share the same principles: identify the risks, evaluate those risks, implement risk control measures, monitor the effectiveness of those control measures and carry out a periodic review. That is great if you are a small business with low-risk operations or if you are assessing an office environment. However, most of these assessment methods are insufficient for identifying those underlying business risks that have the potential to cause major emergency events and disasters.

In addition, none of these current methods go into any depth concerning human behavioural factors. If we think about all our risk control and business continuity measures, whether they be hardware-driven safety devices, formal procedures and/or maintenance programmes, all are operated and maintained by people. This is where our problem begins. It is people who carry out the initial risk assessment and impact analysis, it is people who decide on what risk control and business continuity measures to put in place, and it is people on whom we rely to then follow our risk control measures and execute our business continuity plan. So 80% of our solutions for effectively managing our potential business risks rely on people!

History has shown us, through investigation, that many past business failure disasters are attributable to the behaviour of people: behaviour such as human error, which includes memory slips, concentration lapses, procedural violations and cultural factor differences in the value of life. These are all major factors in controlling the significant business risks present within our company operations.

So when we ask the question "what is risk", we need to think about what we are actually saying. Many would agree that the term risk is made up of a number of factors: the first factor is the nature and type of harm (the hazard), the second factor is the level of consequences that potentially can be realised, and the third factor is the likelihood that harm will actually occur (the risk level). In other words, how could it happen!

The first factor, the hazard, we cannot do anything about, as the nature and type of the harm will always remain a threat. We cannot change the harm that a hazard can potentially cause, because the threat of danger will always be there. For example, petrol is always giving off a flammable vapour, even on the coldest day, so the hazard is that if that flammable vapour finds a source of ignition (open flame, hot surface, static electricity, etc.) it will ignite and cause fire.

Let us look at the various terms used in the field of risk assessment:

• Hazard
  o Something with the potential to cause harm
• Risk
• Likelihood
• Probability
• Assessment

ISO 31000:2009

