Executive Summary / Abstract
Risk management is an integral part of the management of an organization. Management plans, organizes, directs and controls to achieve stated objectives. Planning is associated with uncertainty because it is done for future events. Risk management tries to understand the uncertainties associated with an event or action. It assists management in achieving the objectives of the organization by acting on the causes of deviation. It tries to mitigate adverse effects that can cause losses by identifying, analysing, evaluating and managing the risk. Risk management is a dynamic and continuous process. Its success depends on the risk culture prevalent in the organization and the involvement of all staff. Monitoring, reviewing and communicating risk issues are also functions of risk management. An organization faces different types of risk such as financial risk, operational risk, perimeter risk, and strategic risk. A modern organization establishes comprehensive risk management for the entire organization. Operation of an industrial plant has high risk potential, as an accident causes financial losses and loss of reputation to the organization. An accident may also lead to human fatalities and casualties, which are unacceptable losses. Techniques and tools have evolved that help risk management, such as Hazard and Operability (HAZOP) studies, Job Hazard Analysis (JHA), fault tree analysis, management oversight and risk tree, and failure modes and effects analysis (FMEA).
Risk Management
INTRODUCTION
Risk is inherent in every situation, in daily life and in public or private sector enterprises. The outcome of an event or action may not be certain. It may fail or succeed. Uncertainty leads to the occurrence of risk. Risk can be expressed as the uncertainty associated with the outcome. Risk is also expressed as a function of probability and outcome. Consider a running machine that fails. Probability denotes the likelihood of occurrence of the failure. It is generally expressed as ‘very likely’, ‘likely’, or ‘unlikely’. Severity denotes the impact of the failure on the system. Risk has been defined in various ways based on context. In the context of risk management, risk is considered manageable: it may not be eliminated, but it can be controlled. In the technical approach, risk taking is related to safety benefits (Glendon, Clarke, & Mckenna 17). However, in spite of technical progress and all efforts to design safer systems, large-scale accidents are occurring. Rapid technological changes, increase in competition, higher expectations and change in regulatory practices are some of the reasons that can be attributed for system failures (Rasmussen 183). There are a few technologies that are productive but, on failure, cause immense destruction. Nuclear power plants, air traffic control, and the safety of bridges and dams are some examples. The cost of failure is immense. A failure in a nuclear power plant is unacceptable (LaPorte & Consolini 19).
RISK MANAGEMENT
A business organization or enterprise functions to attain certain objectives. Deviations occur from attaining those objectives. Management tries to take actions to remove the causes that lead to deviation. Risk management assists management in attaining the objectives. Risk management can be defined as an activity which identifies the risks, assesses the risks, and develops strategies to manage them. Managerial resources are applied to mitigate risk (Berg 79). Risk management has been defined variously based on context. ISO 31000, which relates to risk management, defines it in generic terms as identification, assessment and listing of risks based on priority, followed by coordination, monitoring and control. ISO 31000 also defines risk as ‘the effect of the uncertainty on objective’ where uncertainty has been defined as ‘the state of deficiency of knowledge, understanding or information’ and effect as ‘deviation of the expected result’ (“ISO 31000:2009”). Risk management has also been defined based on its goal: direct risk management, which operates within the framework of a risk management policy, and indirect risk management, which uses a security policy that is adapted to possible risks (Method commission 14).
Developing a risk management culture throughout the organization is necessary for its effectiveness. Risk practices and outcomes are required to be communicated to all stakeholders. Planning is done for future events. This implies risk associated with the planning process. All individuals of the organization need to be involved with risk management. An organization faces different types of risk such as financial risk, operational risk, perimeter risk, and strategic risk. A modern organization establishes comprehensive risk management for the entire organization.
Operation of an industrial plant has high-risk potential. An accident may be disastrous for the organization, leading to closure or huge financial losses. It may cause human casualties, injuries, and loss of reputation. Safety management is entrusted with the task of safe operation of the plant. However, it requires contribution from individuals as well as all levels of management. Risk management and safety management are sometimes perceived as the same. However, safety management is an important part of risk management.
STEPS IN RISK MANAGEMENT
An organization does not operate in isolation but in an environment. Planning for an effective risk management system starts with understanding the environment. The environment puts constraints and offers opportunities. SWOT (Strengths, Weaknesses, Opportunities and Threats) analysis and PEST (Political, Economic, Societal and Technological) analysis are used for scanning the environment to determine macro-environmental factors. Some factors show opportunity and some show threat.
Identification, analysis, evaluation, managing, monitoring, reviewing and communicating are the steps in risk management, as shown in the following diagram.
Source: (Method commission 18)
Risk Identification: In this phase, risks are identified that have the potential to affect the achievement of objectives. Tools and techniques have been developed to help in the identification of risks. Some of them are scenario planning, process mapping, documentation (audit reports, study reports, program evaluation), and checklists of possible sources of risk. Experienced persons working in the organization, having fair knowledge of the different fields of the organization, should be involved in the identification of sources of internal risks. This is the most critical stage in the risk assessment process. Understanding a source or event, its relation to potential risk, and its impact on the objectives is the means for risk identification. Out of a very large number of events, those associated with inconsequential risk are dropped by applying a screening process. Detailed quantitative analysis is applied to events that may give rise to a higher level of risk. Hazard and Operability (HAZOP) studies, fault tree analysis, management oversight and risk tree, and failure modes and effects analysis (FMEA) are tools used for the identification of risks and possible outcomes (Berg 84).
Risk analysis and evaluation: Risk analysis uses qualitative, semi-quantitative and quantitative techniques depending on the type of risk, the source of risk, and the availability of information and data. Qualitative and semi-quantitative techniques are generally used as a screening process, and higher risks are subjected to rigorous quantitative techniques. Job hazard analysis (JHA), risk graphs, risk matrices or monographs are some of the tools used for analysis of risk. The risk matrix is widely used for risk analysis and evaluation. It determines the size of the risk and checks whether the risk is controllable. A risk matrix is shown in two dimensions: the X-axis represents the probability or likelihood of occurrence of an unwanted event, and the Y-axis shows severity.
Source: “Risk Matrices”.
The low probability, low severity area is shown in green. The events falling in this area are low risk. These events generally require no action. The red area indicates high-risk events. These events require more control to bring down the probability or severity and may require further analysis. The medium category, indicated in yellow, is in between these two areas. The events falling in this area are controlled ‘as low as reasonably practicable’, often denoted by the acronym ‘ALARP’ (“Risk Matrices”). It may be mentioned that a risk matrix is subjective and best suited for ranking of events. It should be avoided for decision-making.
Job Hazard Analysis: A job hazard analysis (JHA) is applied to high priority events (job tasks) first. Step by step, the selected event is broken down. Hazards associated with each basic step are identified. The different types of hazard are chemical, biological, physical, ergonomic, and safety. Sources of hazards can be people, materials, equipment, environment, and process. The risk potential is assessed by the formula:
Risk = Frequency x Probability x Consequences.
Frequency can be taken as the number of times the job task is done or the number of injuries resulting from performing the job task. Consequence is taken as the worst thing that can happen without control in place. An identified hazard can be eliminated or minimized by initiating control. Control can be applied at the source, along the path, or at the worker level to eliminate, substitute, or isolate the hazard (“Job Hazard Analysis”).
Next, a list of recommended safe operating procedures is prepared, which includes the required personal protective equipment and the recommended procedure to eliminate or lower the scope of the hazard. The JHA should be reviewed for accuracy. The job procedure should be prepared and communicated to all staff likely to be involved with the task.
Monitoring the risk: An organization is a dynamic entity. Identified risks require regular monitoring. New risks may arise due to changes in work procedure, from failure of equipment, or from accidents. Signs of failure need to be identified and reviewed on a continuous basis (Berg 86). A thorough review of the risk management process is generally done every five years.
Communication and Reporting: Shared knowledge is an effective step for the success of risk management. Risk associated with an event or an action needs to be communicated. This ensures the support of the operator and supervisor and generates a conducive working environment.
Documentation of the risk management framework is required. It may be in the form of a management handbook containing basic policies, categorization of risks, the risk management process, and the risk organization. It should be easy to understand and auditable. A risk register is generally kept to record ongoing processes and for regulatory compliance.
CONCLUSION
Humans err. To avoid accidents, complex safety features are incorporated in systems. Major accidents are taking place despite sophisticated multilayered safety features. Failures in the nuclear reactors at Three Mile Island and at Chernobyl, and the gas leak incident in Bhopal, caused many fatalities and much human suffering. Yale sociologist Charles Perrow thinks these failures occurred due to system failure. He faults the conventional engineering approach that makes safety systems more complex and tightly coupled by building multilayered safety features. Operators fail to fully comprehend the complex systems. A small mechanical or technical mishap starts a chain that the system itself fails to stop. The operator also fails to intervene manually due to the complexity of the system (Perrow 5). Improvement in management approach and extensive operator training can eliminate catastrophic accidents.
Works cited
Berg, Heinz-Peter. “Risk Management: Procedures, Methods And Experiences”. RT&A: 2(17) (Vol.1), 79-95, June 2010. Web. 24 Feb. 2016.
Glendon, A. Ian, Sharon G. Clarke, and Eugene F. Mckenna. Human Safety and Risk Management, Second edition, Taylor & Francis, 2006. Print.
“ISO 31000:2009”. Risk Management, International Organization for Standardization, ISO Central Secretariat, Geneva, Switzerland, 2009. Print.
“Job Hazard Analysis”. U.S. Department of Labor, Occupational Safety & Health Administration, Washington, DC, n.d. Web. 26 Feb. 2016.
LaPorte, Todd R., and Paula M. Consolini. “Working in Practice but Not in Theory: Theoretical Challenges of High-Reliability Organizations”. Journal of Public Administration Research and Theory: J-Part, 1 (1): 19-48, Jan., 1991. Web. 25 Feb. 2016.
Method commission. “Risk Management – Concept and Methods”. Clusif, Club de la Securite de L’information Francais, Paris, 2009. Web. 25 Feb. 2016.
Perrow, Charles. Normal Accidents: Living with High Risk Technologies, updated edition. Princeton, NJ: Princeton University Press, Sept. 1999. Web. 24 Feb. 2016.
Rasmussen, J. “Risk management in a dynamic society: a modeling problem”. Safety Science, 27 (2-3): 183-213, November-December 1997. Web. 25 Feb. 2016.
“Risk Matrices”. CGE Risk Management Solutions B.V, Leidschendam, The Netherlands, 2016. Web. 26 Feb. 2016.