OPERATIONAL RISK MANAGEMENT
Operational risk is that risk which arises during performance of work in industry. All work is a process. Projects undertaken by organisations consist of many interlinked processes, designed to produce a net benefit for stakeholders (interested parties such as shareholders, employees, customers, etc.).
During execution of these processes, the organisation and its employees are exposed to hazards.
These hazards usually have some form of energy associated with them. Energy comes in many forms, e.g. chemical, electrical, kinetic, potential, nuclear and electromagnetic radiation (even money can be considered to be a form of energy).
A hazard is a source of potential harm or a situation with a potential to cause loss.
Hazards can be identified by the energy they possess. For example, radioactive isotopes have an unstable nucleus and will release energy in the form of radiation. This radiation adversely affects living organisms (people); however, if there is no exposure of these organisms to it, there is no risk.
RISK = HAZARD + EXPOSURE
What is ‘risk’?
Risk may be assessed in terms of exposure to a hazard (an incident), the likelihood of an incident occurring, and the consequences of the incident. It should be noted that the ‘outrage factor’ must be considered as part of the consequences of an incident. Public perceptions of an organisation can be greatly affected by the way it manages its risk (especially in the area of Occupational Health & Safety). The outrage factor can greatly magnify risk.
Generally we cannot predict the consequences of an incident, so it is difficult to rate risks in order of importance as a basis for allocating resources to control risk. We can, however, assess the likelihood of an incident by using statistics to measure probability in many cases.
In practice it is usually sufficient to identify hazards and take appropriate action to minimise the associated risk, based on reasonable expectation of the outcomes of exposure.
The term ‘safe’ is used to denote a situation or condition where there is minimal acceptable risk, i.e. where the risk is tolerable to stakeholders.
What is ‘risk management’?
Risk management is the culture, processes and structures that are directed towards the management of potential opportunities and adverse effects.
The risk management process is the systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risk.
Australian Standard AS/NZS 4360:1999 – Risk Management, gives guidance in this area.
What is ‘risk assessment’?
Risk assessment is the overall process of risk analysis and risk evaluation.
What is ‘risk analysis’?
Risk analysis is a systematic use of available information to determine how often specified events (incidents) may occur and the magnitude of their consequences. The objectives of risk analysis are to separate the minor acceptable risks from the major risks, and to provide data to assist in the evaluation and treatment of risks.
Risk analysis involves consideration of the sources of risk, their consequences and the likelihood that those consequences may occur.
Risk is analysed by combining estimates of likelihood and consequences in the context of existing control measures. A risk analysis is essentially a ‘what if’ analysis where various scenarios are visualised. It is a proactive activity based partly on experience.
Australian Standard AS/NZS 3931:1998 Risk Analysis of Technological Systems – Application Guide, gives guidance in this area.
What is Operational Risk?
There are four main areas of operational risk associated with industrial processes:
Quality - the risk of supplying a nonconforming product or service to a customer. (That is, one which does not meet customer needs.)
Safety - the risk of injuring employees or other parties during production, or supplying an unsafe product.
Environment - the risk of damaging the environment during production, or providing an environmentally unfriendly product.
Security - the risk of criminal activity during production or provision of a service.
It is common practice within organisations to administer these risk areas separately, without recognising the interrelationship between them.
The difficulty lies in the fact that there are usually trade-offs between the four areas. For example, a simple process of electroplating high tensile screws with cadmium involves several problems: some processes cause hydrogen embrittlement (quality problem), cadmium plating must be used to stop corrosion (quality problem), cadmium is toxic (safety problem), the baths contain cyanide (safety problem), both cadmium and cyanide present environmental problems, and cyanide presents a security problem.
Managing the process so that all legal requirements are met requires a juggling act (substitution of a different type of plating simply introduces a whole new set of problems). The use of engineering controls such as isolation may solve safety problems, but not the pollution problems.
The occurrence of this type of conflict between the four risk areas is not often recognised by employees. (It occurs in every industry.) The answer is to use a documented procedure (code of practice) which is accepted by employees and customers.
The ‘trade-offs’ arising must be reconciled, and where residual risk is not adequately controlled it must be ‘tolerable’ to all stakeholders.
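To make the likelihood/consequence analysis described above concrete, here is an added example (not from the original article) that scores the cadmium plating hazards across the four risk areas, applies existing controls from the hierarchy of controls (elimination, substitution, engineering, administrative) to obtain residual risk, and ranks what is still not tolerable. The 1..5 rating scales, the control effects, the tolerance threshold and the register entries are all constructed assumptions, not figures from the page.

```python
from dataclasses import dataclass, field

# Constructed 1..5 rating scales (assumed; the page gives no scale), in the
# style of an AS/NZS 4360 likelihood/consequence matrix.
TOLERABLE = 6  # assumed stakeholder tolerance threshold on the residual score

# Hierarchy of controls: assumed number of likelihood steps each control removes.
# Elimination removes the hazard outright, so its residual score is zero.
CONTROL_EFFECT = {"elimination": 5, "substitution": 2, "engineering": 2, "administrative": 1}


@dataclass
class Risk:
    hazard: str
    area: str               # quality | safety | environment | security
    likelihood: int         # 1 (rare) .. 5 (almost certain), before any controls
    consequence: int        # 1 (insignificant) .. 5 (catastrophic)
    controls: list = field(default_factory=list)

    def residual_score(self) -> int:
        """Likelihood x consequence in the context of the existing controls."""
        if "elimination" in self.controls:
            return 0
        reduction = sum(CONTROL_EFFECT[c] for c in self.controls)
        return max(1, self.likelihood - reduction) * self.consequence

    def tolerable(self) -> bool:
        return self.residual_score() <= TOLERABLE


def cadmium_plating_register() -> list:
    """Constructed register for the cadmium plating example; all ratings are assumed."""
    return [
        Risk("hydrogen embrittlement of screws", "quality", 4, 4, ["administrative"]),
        Risk("operator exposure to cadmium", "safety", 3, 4, ["engineering", "administrative"]),
        Risk("operator exposure to cyanide bath", "safety", 3, 5, ["engineering", "administrative"]),
        Risk("cadmium and cyanide release to environment", "environment", 3, 4, ["administrative"]),
        Risk("unauthorised removal of cyanide", "security", 2, 5, ["administrative"]),
    ]


def rank(register: list) -> list:
    """Order risks for resource allocation: highest residual score first."""
    return sorted(register, key=lambda r: -r.residual_score())


def needs_treatment(register: list) -> list:
    """Hazards whose residual risk is still not tolerable and so needs further treatment."""
    return [r.hazard for r in rank(register) if not r.tolerable()]
```

With these assumed ratings the isolation (engineering) controls bring the two safety risks within tolerance but leave the environmental release untreated, which is the page's point that engineering controls may solve safety problems without solving pollution problems.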
What is Management System Integration?
The primary objective of an organisation should be to provide a product or service that is ‘fit for purpose’, ‘safe’, ‘environmentally friendly’, and ‘secure’, under conditions which are conducive to efficiently fulfilling these requirements.
A prime requirement for control of these risk areas is a documented Management System, to provide guidance (training) for employees and a basis for audit by customers and certification bodies.
Australian Standard AS/NZS 4581:1999 – Management System Integration – Guidance to business, government and community organisations, provides guidance for implementation of an Integrated Risk Management System (IRMS) to control the four major operational risk areas. This is the ‘top level’ standard for Management Systems.
How is ‘quality risk’ controlled ?
Australian Standard AS/NZS ISO 9000 – Quality Systems, provides guidance on implementation of a Management System to control ‘quality risk’. AS/NZS ISO 9001 prescribes the use of twenty ‘elements’ which form the basis of the system. Suppliers (manufacturers) are required to state their policies incorporating these twenty elements.
One of the twenty elements is ‘Process Control’. The standard defines a requirement for performance of work under controlled conditions including documentation of work practices ‘where lack of such documentation could adversely affect quality’ (safety, environment, security). This is the basis of administrative risk control.
Administrative risk control is the technique of controlling risk by use of appropriate documented procedures. An example is the common ‘recipe’ used by cooks, other examples include ‘use lists’ such as those attached to LPG dispensers, laboratory methods, operating procedures, process specifications, and documented work instructions.
(It should be noted that AS/NZS ISO 9004.1 Guide to ISO9000 defines ‘Requirements of Society’ as safety, protection of the environment, security, conservation of natural resources and energy, and requires that these areas are taken into consideration when implementing a Quality System.)
How is ‘OHS risk’ controlled ?
Australian Standard AS/NZS 4804:1997 – Occupational Health and Safety management systems – General guidelines on principles, systems and supporting techniques, gives guidance on OHS Management Systems. It calls for risk assessments and implements the ‘hierarchy of controls’, which includes administrative control to mitigate ‘residual risk’, i.e. the risk left after elimination, substitution, and engineering controls have been applied.
Australian Standard AS/NZS 4801 – Occupational Health and Safety management systems – Certification, is currently being prepared. This will provide the basis for certification audits by bodies accredited by the Joint Accreditation System of Australia and New Zealand (JASANZ) (third party audits). It also provides guidance for second party audits (where customers audit suppliers’ management systems).
How is ‘environmental risk’ controlled?
Australian Standard AS/NZS ISO 14000 – Environmental Management Systems is similar to AS4804, and calls for risk assessments and application of administrative control for residual risk.
AS/NZS ISO 14004 – Environmental Management Systems Guidelines gives guidance on EMS.
AS/NZS ISO 14001 – Environmental Management Systems – Certification, gives guidance on both second and third party audits, (similar to AS4801).
How is ‘security risk’ controlled?
There are currently no standards for implementation or audit of Security Management Systems.
This matter is to be addressed beyond the year 2000.
What is certification?
Certification is performed by bodies accredited by JASANZ. It is an activity where an organisation’s documented mission and vision statement, management policies, and procedures are subjected to scrutiny to:
Although JASANZ is a government authority, it does not compel compliance by statute. Certification of organisations is purely voluntary. However, loss of certification probably has severe implications in some cases, where customers (especially government purchasing authorities) require certification of suppliers before they will buy from them.
Bodies accredited by JASANZ include:
Quality Assurance Services (Standards Australia)
Lloyds
Bureau Veritas
Det Norske Veritas
The certificates issued by these bodies are recognised by world trade groups (such as the European Community), through the treaties JASANZ has with other certifying bodies. This means that suppliers who are certified have unrestricted access to several global markets. (This matter is also subject to the General Agreement on Tariffs and Trade (GATT).)
The matter of OHS, Environmental and Security Management Systems certification may eventually have similar implications to Quality Management Systems certification, as far as trade with other nations is concerned.
There is a very strong argument for consumers to ‘show preference’ to organisations which are certified to AS/NZS ISO 9000, AS/NZS ISO 14000, and AS4801. These certifications show that the Chief Executive Officer and all other employees are committed to systematically and continually improving in the areas of quality, safety, and environmental management.
Second party audit of organisations’ management systems by stakeholders is an important influence for systems improvement.
What is a ‘Nonconformance (Opportunity for Improvement) Report’?
The document, which is used by internal auditors to report nonconformance with policy or procedure, is the Nonconformance (Opportunity for Improvement) Report.
When certifying bodies assess organisations the Nonconformance (Opportunity for Improvement) Reports are requested, inspected and personnel are questioned where the report has not been adequately ‘closed out’. This means that problems in certified organisations are formally addressed, and are visible.
The traceability requirements of AS/NZS ISO 9000 mean that problems are ‘slated home’ to the accountable person in the organisation.
There will probably be a new requirement relevant to the use of Nonconformance (Opportunity for Improvement) Reports in the year 2000 version of AS/NZS ISO9000. It should require suppliers to empower every employee to raise the report to have their concerns formally addressed.
Alan Cotterell
7th September 1999