Risk Management Relevance to PAS 55 (ISO...
![Page 1: Risk Management Relevance to PAS 55 (ISO 55000)saama.org.za/wp-content/uploads/2014/06/1215.Jeff-Hollingdale.Risk... · Risk Management Relevance to PAS 55 (ISO 55000) Deciding on](https://reader034.fdocuments.net/reader034/viewer/2022051800/5ac463707f8b9ae06c8d37c3/html5/thumbnails/1.jpg)
Risk Management Relevance to PAS 55 (ISO 55000)
Deciding on processes to implement risk management
Jeff Hollingdale
DQS South Africa
PAS 55 – Risk Management
• The organization shall establish, implement and maintain documented process(es) and/or procedures for the on-going identification and assessment of asset-related and asset management-related risks, and the identification and implementation of necessary control measures throughout the life cycles of the assets
• Risk management is an important foundation for proactive asset management
• Its overall purpose is to understand the cause, effect and likelihood of adverse events occurring
• To optimally manage such risks to an acceptable level
• Provide an audit trail for the management of risks
The guideline states: (4.4.7); 6.1 (ISO 55000)
Asset Management – Risk Management
We achieve this by:
• Identifying potential risks associated with the assets, and making an estimate of the associated risk levels based on existing or proposed risk controls
• Determining whether the risks are tolerable
• Devising risk controls where these are found to be necessary or desirable
Risk Identification and Assessment
• Physical failure risks
• Operational risks
• Natural environment
• Factors outside organization’s control
• Stakeholder risks
• Associated with the different life cycle phases of assets
– Acquisition
– Utilization
– Maintenance
– Disposal/Decommissioning
What should you already be doing?
• You probably have some ISO standards?
– ISO 14000 (EMS)
– OHSAS 18001 (SHE)
• Risk Analysis?
– Failure Mode & Effect Analysis (FMEA)
– Failure Mode and Criticality Analysis (FMECA)
– Root Cause Analysis (RCA)
– HAZOP (Hazard & Operability Studies)
• Reliability Centred Maintenance?
• Condition Based Maintenance?
Using ISO 31000
• ISO 31000 is a Risk Management Standard
• It operates regardless of an organization's products, size, structure, location and existing asset management & accounting systems
• You can’t get certified to ISO 31000 – it’s a guide only
• It is entirely suitable for asset risk management policies and procedures
Framework for Managing Risk
Plan – Do – Check – Act
Risk Management Process
To successfully implement, support and sustain the risk management process, a structure is required. ISO 31000 refers to this structure as the risk management process.
Enterprise Risk Management Framework
Basic Questions to Ask
• What could occur?
• Where could it occur?
• When would it occur?
• How could it occur?
• What would be the impact if it were to occur?
• Who would be affected and to what extent?
• What do we have to do to either prevent it occurring or enhance its chances of occurring?
Risks vs. Opportunities
Risks may have a negative impact OR a positive impact OR both.
• Risks with a potentially negative impact represent risks that will require management’s assessment and response.
• Risks with a potentially positive impact represent opportunities to offset the negative impacts of risks.
• Positive Risks are channelled back to the organisation’s strategy or objective-setting processes in order to optimise opportunities as well as to be considered in management’s risk assessment and response strategies.
Analyse the Risks
• Develop an understanding of the risk – enabling treatment.
• Inherent vs Residual Risk
• Provides an input to decisions on whether risks need to be treated
• Consider contexts and causes
• Consideration of the positive and negative consequences and their likelihood.
• Taking into account existing controls and their effectiveness
• Consequences and likelihoods may be derived from
– Qualitative analysis: High, Medium, Low
– Semi-quantitative analysis: Severity X Probability
– Quantitative analysis: Scientific formulas and statistics
Impact X Likelihood
Evaluate the Risks
| | Low likelihood | High likelihood |
|---|---|---|
| High impact | Moderate Risks: Lower likelihood, but could have a significant adverse impact on business objectives | Significant / Critical Risks: Critical risks that potentially threaten the achievement of business objectives |
| Low impact | Low Priority Risks: Significant monitoring not necessary, unless change in classification. Periodically re-assess. | Moderate Risks: Lower impact, but could be highly likely and happen often |
Treat the Risks
• Avoiding the risk by ceasing the activity creating the exposure;
• Reducing the risk through improvements to the control environment;
• Transferring the risk exposure, for example insurance or outsourcing;
• Accepting the risk, where the level of exposure is as low as reasonably practicable, or where exceptional circumstances prevail;
• Exploiting the risk, where the exposure represents a potential missed or poorly realised opportunity;
• Integrating a series of the risk responses outlined above.
• Each treatment action should be considered with regard to:
– Reducing the consequence if the risk were to occur
– Reducing the probability of the risk occurring
Monitoring and Review
• Risk management and the progress in achieving objectives are to be monitored and reviewed.
• The functioning of each component of Risk Management is to be determined and evaluated to ensure Risk Management continues to be effective.
• Monitoring Activities:
– Ongoing Monitoring
– Separate Evaluations
– Annual Review of the Risk Management Framework
– Risk Profile Analysis
– Risk Management Plans
Control Assurance
• Preventive controls: prevent risks from occurring by preventing the cause from leading to the risk occurring.
• Mitigatory controls: detect and mitigate risk to reduce significant impacts and losses.
• The effectiveness is to be measured – plans put in place for the improvement of effectiveness.
• Controls must be linked to causes and impacts to ensure gaps or weaknesses can be identified.
• People, Process and System based Controls
• Control Self Assessment Questionnaire
Levels and Reliability
Implementation Considerations
• Knowing the current state of Risk Management in the organisation and the need for detailed methodologies
• Having a clear set of objectives to define the requirements for methodologies
• Identifying relevant stakeholders and role players and the potential need for culture change and engagement sessions
• Communicating the benefits that the methodology will bring to the organisation to assist with the buy-in process.
• Knowing the required level of complexity of the methodology
• Correct implementation of procedures through communication, performance measurement and continual improvement
Information Management
• Compatibility with international best practice standards and guidelines
• Support multiple methodologies for risk management across a number of organisational and process levels.
• Capturing of all risk information and the setting of tasks and actions with notifications and escalations to facilitate progress monitoring.
• Easy extraction of relevant and on-time risk information with customisable views and level of detail.
• Reporting tools that extract and present information, are customisable, and can be embedded in other documents, such as annual reports.
Implementation Considerations
• Risk management must be implemented and a risk culture developed first
• Ensure the attitude of embracing change is cultivated, especially if risk management is new to the organisation
• Information system must be fit for purpose for the organisation.
– Not too simple or too complex
• Information system must be easy to use and understand, and must support the risk management processes
• The business requirements must be met, and the system flexible for future enhancement, scalability and integration.
Implementation Considerations
• Ensure actions for improvement are allocated to the right people and progress is monitored
• Ensure appropriate commitment of human and financial resources for improvement activities is obtained
• If buy-in to risk management as a whole is not in place, there will be little commitment to sustainable improvement
• Ensure there is a culture of openness, accountability and no blame
• Ensure KPIs are driving the right behaviour
Any Questions?
Big Mistake!