What is Risk Management? (and Why It’s Important)
Risk management is simply the identification, assessment and prioritization of risks, followed by a coordinated and economical application of resources to minimize or control the probability of occurrence and the impact of negative events, as well as to maximize the realization of opportunities. What is considered a risk? Risks can come from uncertainty in financial markets, project failures, legal actions, regulatory liabilities, accidents, and natural disasters as well as simple human error.
The definition of risk is generally compartmentalized based upon whether the risk is in the context of business continuity, project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety. The potential list is finite, but is certainly overwhelming. Within the context of Reliability Excellence and effective continuous improvement, risk management can be limited to two major categories: business and asset risk.
Risk Management and Business Continuity
It is never possible to fully avoid or mitigate all risks, simply because of financial and practical limitations. Therefore, all organizations have to accept some level of residual risk, but it is imperative that all risks are isolated, clearly defined and managed within financial and practical constraints.
Business risk management must include all financial, market loss and business continuity risks, as well as well-planned emergency response plans for catastrophic events that could affect the health and safety of the workforce or public. These risks must also include product-related liabilities.
Risk management tends to be preemptive and must be augmented with business continuity planning (BCP) to deal with the consequences of realized residual risks. The necessity of business continuity planning arises because even very unlikely events will occur if given enough time. Risk management and BCP are often mistakenly seen as rivals or overlapping practices. In fact these processes are so tightly tied together that such separation seems artificial.
Asset Risk Management
The physical assets that comprise the installed capacity of plants have inherent risks or the potential for failure. In addition, they have the potential for off-specification operation that could result in poor product quality, lower output or increased production costs. These risks must also be clearly understood and managed to assure cost-effective business continuation.
In addition to the inherent risks of catastrophic failure, risk management must also consider the relative importance, e.g. criticality, of each asset to the plant’s ability to meet delivery commitments and the business plan. This type of risk cannot be resolved solely by applying preventive or predictive maintenance technologies. Too many of the risks are the result of inherent design deficiencies, mode of operation and operating practices. Therefore, risk management must address all forcing functions and triggers that would result in risk.
Risk Management Plan
Ideal risk management follows a prioritization process whereby the risks with the greatest loss and the greatest probability of occurring are handled first, then risks with lower probability of occurrence and lower loss are handled in descending order. In practice, the process can be very difficult, and the balance between risks with a high probability of occurrence but lower loss and risks with high loss but lower probability of occurrence can often be mishandled. In addition to those risks that can be easily identified, an effective risk management plan must address:
Intangible risk: Intangible risk management identifies a new type of risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability. For example, when deficient knowledge is applied to a situation, a knowledge risk materializes.
Relationship risk: Relationship risk appears when ineffective collaboration occurs. Coordination between engineering, procurement, production and maintenance is the primary source of these relationship risks.
Process-engagement risk: Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers, decrease cost-effectiveness, profitability, service, quality, reputation, brand value and earnings quality. Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity.
Risk management also faces difficulties allocating resources. This is the idea of opportunity cost. Resources spent on risk management could have been spent on more profitable activities. Again, ideal risk management minimizes spending and minimizes the negative effects of risks.
The International Organization for Standardization (ISO) in ISO 31000 identifies the following principles of risk management:
Risk management should:
- Create value
- Be an integral part of organizational processes
- Be part of decision-making
- Explicitly address uncertainty
- Be systematic and structured
- Be based on the best available information
- Be tailored
- Take into account human factors
- Be transparent and inclusive
- Be dynamic, iterative and responsive to change
- Be capable of continual improvement and enhancement.
To create an effective risk management plan, select appropriate controls or countermeasures to measure each risk. Risk mitigation needs to be approved by the appropriate level of management. For example, a risk concerning the image of the organization should have a top management decision behind it, whereas information technology management would have the authority to decide on computer virus risks.
The risk management plan should propose applicable and effective security controls for managing the risks. For example, an observed high risk of computer viruses could be mitigated by acquiring and implementing antivirus software. A good risk management plan should contain a schedule for control implementation and responsible persons for those actions.
Finally, risk management is multi-dimensional and requires the direct support of most business and plant functions, as well as the entire workforce. The most effective approach to risk management is to integrate all facets into a single, manageable process in which roles, responsibilities, expectations and single-point accountability are clearly defined. For example, Environmental, Health and Safety may retain the responsibility for regulatory compliance, occupational health and safety, etc., but a central function, usually reliability engineering, has single-point accountability for the overall risk management process.
Risk management is not limited to catastrophic failures of assets or processes. To be effective, risk management must acknowledge that risks take many forms and that all must be clearly understood and effectively managed. Do not become fixated on asset-related risks—they are important, but have much less impact on overall performance than less spectacular failures in the business and work processes that dictate your ability to meet market, financial and overall business goals. Business success and continuation depend on your ability to recognize and manage these less visible risks.
By R. Keith Mobley, Principal SME, Life Cycle Engineering, www.LCE.com