Stan O’Neill Managing Director, The Compliance Group
Risk Management ≠ Risk Elimination risk analysis + risk evaluation + controlling risks = risk management Identifying what might go wrong Calculating the size of the risk Doing something about it
Risk Assessment A basic human instinct Therefore subject to human subjectivity and variability Risk Assessment Methodologies Rigorous and Systematic Documented (and therefore able to be reviewed) Acted upon
constant ratios The most effective way to tackle the size of the top of the pyramid is to tackle the bottom of the pyramid
Almost all RA methods derived from FMEA FMEA Developed by US Aerospace Industry in 1940s (“how can we stop our rockets falling out of the skies?”) Variants on a theme Failure Modes, Effects and Consequences Analysis (FMECA) Hazard Analysis and Critical Control Points (HACCP) Hazard and Operability Studies (HazOp, CHazOp)
First understand Hazards Hazards are potential sources of harm. Hazards are things which present risk Hazards are easier to define than risks - risks are more abstract We can define risk by categorising hazards.
Risk has two components Chance of Harm Occurring Consequences of that Harm How likely is it that the hazard or harm will occur? If it does occur, what are the consequences? Key Considerations: The probability of occurrence of harm, (chance, possibility, uncertainty, etc.) The consequences or severity of that harm, (injury, cost, supply issues, etc.)
Risk is the combination of the probability of occurrence of harm and the severity of that harm Risk = Probability x Severity Risk = (P x S) Risk can be Quantified or Qualified Risk = (4 x 3) = 12 Risk = Medium… or Green… or….
ProbabilityThis Means the Hazard… Frequent… is Very Likely to Occur, > 20% Probable… will Probably Occur, 5 – 20% Occasional… should Occur at Some Time, Infrequently, 0.1 – 5% Remote… Unlikely to Occur in Most Circumstances < 0.1%
SeverityThis Means the Hazard May Result in…. CriticalVery Significant Impact on Agency, Stakeholders, Very Costly, Very Damaging Effects MajorSignificant Impact on Agency, Stakeholders, Costly, Damaging Effects MinorMinor Impact on Agency, No Expected Stakeholder Impact
Determines if a risk is acceptable or not A method which… identifies hazards in an organisation, process, product* estimates or calculates the risk associated with these hazards* assesses that risk by comparing it against predefined risk acceptability criteria** * aka Risk Analysis ** aka Risk Evaluation
HazardMinor Severity (1) Major Severity (2) Critical Severity (3) Frequent (4)4812 Probable (3)369 Occasional (2)246 Remote (1)123
HazardMinor SeverityMajor SeverityCritical Severity Frequent Probable Occasional Remote
HazardMinor SeverityMajor SeverityCritical Severity FrequentUnacceptableIntolerable ProbableUnacceptable Intolerable OccasionalAcceptableUnacceptable RemoteAcceptable Unacceptable
Red Means… The Risk is Intolerable. Eliminate the Hazard or build in systems/controls to ensure the effects of the hazard are not realised (e.g. install redundant systems) Amber Means… The Risk is Unacceptable. The Risk must be Reduced or Controlled to an acceptable level Green Means… The Risk is Acceptable. No Reduction or New Controls are Required
Risk Control performed after Risk Assessment Aims to reduce the risk associated with a hazard by putting additional controls in place May permit maintenance of the risk within specified levels… risk cannot be reduced but the hazard (or its effects) can be detected when it occurs.
Detection HighHigh Likelihood that Controls will Detect the Hazard or its Effects MediumMedium Likelihood that Controls will Detect the Hazard or its Effects LowLow Likelihood that Controls will Detect the Hazard or its Effects NoneDetection Controls are Absent
The combination of Risk Assessment & Risk Control Risk Management allows for mechanisms to communicate Risk knowledge to the right people/stakeholders, and for the Periodic Review of the Risk Assessment process Performing Periodic Review uses additional data (experience) to revisit hazards and their probabilities Risk Management should be viewed as an on- going Quality Management process
Risk Assessment Hazards identified, risk estimated, decision re. risk acceptability made Risk Control Risk Reduction or Risk Maintenance Controls Initiated until Risk is Acceptable or Adequately Controlled Risk Knowledge Is Communicated Periodic Review Risk Management
Many formal tools are available… HACCP - Hazard Analysis and Critical Control Points HAZOP – Hazard Operability Analysis FTA – Fault Tree Analysis FMEA – Failure Mode & Effects Analysis FMECA - Failure Mode, Effects & Criticality Analysis PHA - Preliminary Hazard Analysis
multi-discipline team decompose the system Identify what could go wrong : ‘Hazards’ Assess seriousness of each Hazard Design measures to contain each Hazard
Define the Scope Site / Organisation Business Process Specific Operation Corporate entity Split into more managable sub-systems, e.g. Organisation – into business processes Business Process – into process steps Specific Operation – into major systems Systems – into functional components List the components decompose the system Identify what could go wrong : ‘Hazards’ Assess seriousness of each Hazard Design measures to contain each Hazard multi-discipline team
Brainstorm what could go wrong List potential failure modes ‘Hazards’ Hazards are not always obvious Use system history as well as team’s imagination and expertise Various simple question based tools, e.g.: Word Models (HazOp) Cause / Consequence Diagram decompose the system Identify what could go wrong : ‘Hazards’ Assess seriousness of each Hazard Design measures to contain each Hazard multi-discipline team
A Difficult Step Different Methods Break this step into various sub-questions, e.g. Severity of Consequence Likelihood of hazard occurring Probability of detection System redundancy Simple tools provide good guidance on relative risk within a system, but not absolute risk. What can help? Word models, Team’s experience decompose the system Identify what could go wrong : ‘Hazards’ Assess seriousness of each Hazard Design measures to contain each Hazard multi-discipline team
Use Relative Seriousness as guide for controlling measures: Highest level risks – look for intrinsically safe solutions Lowest level risks – perhaps these are risks that we can live with Design it Away, e.g. Build redundancy into systems Simplify a business process to remove unnecessary human intervention Test it Away Manage it Away, e.g. Implement additional inspections or verification processes decompose the system Identify what could go wrong : ‘Hazards’ Assess seriousness of each Hazard Design measures to contain each Hazard multi-discipline team
Important to test all changes to a system: May remove one hazard to introduce ten new! Testing with the risk assessment method can be used to select best candidate solution decompose the system Identify what could go wrong : ‘Hazards’ Assess seriousness of each Hazard Design measures to contain each Hazard multi-discipline team
RA of whole system RA of sub- system C
Improved understanding of a process Identification and understanding of process limitations Acceptance by organisation or process limitations
RA is completed as a ‘tick-in-the-box’ Report then written, approved and filed Full-stop. Failure to identify significant risks – undermines confidence in the organisation (hero to zero) Lack of return from investment in the process Inappropriate inputs into process
FMEA for parametric release Risk management for non-dedicated premises Assessing equipment for preventative maintenance and calibration programme
Assessment of inherent weakness of a piece of equipment (focus of document) Assessment of incorrect filter integrity test cycle parameters (inappropriate supportive information) Poorly structured risk assessments Use of the phrase “there is no risk” Lack of lateral thinking (pressure differential example) Failure to manage, only assess.
Risk Assessment ≠ Risk Management Risk Management ≠ Risk Elimination Risk assessments are invariably qualitative and subjective. Less can be more
Quality Risk Management ICH Q9 Briefing Pack
Questions? Contact details: