
AS/NZS 4360
Risk Management
Jean Cross
School of Safety Science
University of New South Wales
Why write a standard
1992
– Terminology getting more and more confused
– Organisations wanting to integrate risk
– Federal Government push for common approach
– Too many people selling everything and anything
under the name of risk management
Purpose
Managing risk in organisations
– Risks to an organisation's objectives
– Strategic level
Uncertainty during strategic planning
Balancing opportunities and negative risk
Managing things that are a major threat to the
organisation as a whole
– Operational level
Risks to departments, activities and projects
Principles
Integration
– Same process for all decisions involving
uncertainty – different tools of
assessment
Business
Engineering
Environment
Emergency management
Terminology 1
Risk Analysis =
– Risk Assessment = the scientific work understanding
risk
– Risk Evaluation = identifying risks, setting priorities,
commissioning and reviewing risk
assessment
– Risk Management = the decision making step and
managing unacceptable risks
US EPA, WHO, UN Food and Agriculture Organisation
Terminology 1 Risk Analysis =
Initiation
Hazard Identification
Risk Assessment
– Probability, consequences,
uncertainty
Risk Management
– Efficacy, feasibility, impacts
Risk communication
US EPA, WHO, UN Food and Agriculture Organisation
http://www.wto.org/english/tratop_e/sps_e/risk00_e/griff1_e/griff1_e.ppt#24
Risk Evaluation
– identifying risks, setting priorities,
commissioning and reviewing risk
assessment
Terminology 2 Risk Management =
Context
Risk Identification
Risk analysis = scientific work within risk
management
Risk Evaluation = decision making step
Risk Assessment = combination of Risk
identification, risk analysis
and risk evaluation
Risk treatment = managing unacceptable risks
(or control)
ISO draft Risk Management standard, AS/NZS 4360, Canadian
Standards Association, UK Orange Book, other UK publications
[Diagram labels: Problem/Context, Evaluation, Monitor, Risks, Engage Stakeholders, Actions, Options, Decisions, Evaluate]
COSO
framework for implementing
Sarbanes Oxley Act in US
HM treasury USA
PROCESS
COMMUNICATE AND CONSULT
ESTABLISH CONTEXT
MONITOR AND REVIEW
IDENTIFY RISKS
ASSESS
ANALYSE RISK
EVALUATE RISK
TREAT RISKS
Other Conflicts in terminology
The distinction between hazard and risk
The opportunity side of risk
Risks as a measure or as what might happen
Hazard = source of harm
Risk = The chance of something happening that will
impact objectives. Measured in terms of
consequences and the likelihood they will happen
BASIC PROCESS AS/NZS4360
IDENTIFY RISKS: Anticipate
ASSESS
ANALYSE RISK: Understand
EVALUATE RISK: Decide
TREAT RISKS: Act
Risk = what might happen to impact objectives
Does it matter?
Problems with terminology 1
Separates risk assessment from the
decision
– The person who makes the decision is often
not the analyst
– But analysis method must be tailored to the
decision to be made and the context
Does not work sensibly for business risks, so
integration is difficult
Ties you to hazard based decision model
Control based
– One control for multiple hazards
– Limited number of available controls, so assess the cost-benefit
of controls, not risk
Vulnerability based
– Priorities could be based on vulnerability of an ecosystem
or industrial sector rather than the threats to it
Consequence based
– Some consequences are sufficiently serious that probability is
secondary
PROCESS
COMMUNICATE AND CONSULT
ESTABLISH CONTEXT
MONITOR AND REVIEW
IDENTIFY RISKS
ASSESS
ANALYSE RISK
EVALUATE RISK
TREAT RISKS
Risk and Decision Making
Decision making                    Risk Management
– Define the problem               – Define Context
– Identify Issues                  – Identify Risks
– Analyse Issues                   – Analyse Risks
– Define Options                   – Decide whether to act and set priorities
– Set priorities                   – Define treatment options
– Select and implement Actions     – Select and implement treatments
– Monitor                          – Monitor
Communication/consultation
Identify stakeholders
what and how to communicate
How to involve
Why
– Understand the basis on which decisions
are made
– Perception of risk
– Developing trust
Context = Background
WTO and other international agreements
The specific industry context
The ecosystem in Australia
Government objectives and philosophy
Scope
– E.g. consequences locally or nationally
Context
Objectives
Risk is what might happen to affect objectives
– Objective of government
– Objective of community
– Objective of industry
– Objective of project
– Objective of risk assessment exercise
Criteria - Decide criteria against which
risk will be evaluated
The kinds of consequence to be included
How likelihood will be defined
How it is decided whether treatment is
needed or not
Decisions may be based on
Level of risk, defined qualitatively,
quantitatively or semi-quantitatively
Specified consequences
Cumulative effect of multiple events
the range of uncertainty for a risk level
(expressed as a confidence level)
A balance between negative and positive risk
Cost effectiveness of controls
Identify Risk
What might happen: when, where, why
and how
Does not say must identify Hazards
– May be relevant but not always
Analysis is about
Understanding risk
Providing information for deciding
– Whether risk is acceptable
– Whether treatment is required
– Most cost effective treatment
Analysis involves considering
Sources of risk and the magnitude of their positive
and negative consequences
The likelihood those consequences will occur
factors that affect consequence and likelihood
How to combine likelihood and consequences
Uncertainty and Sensitivity analysis
Qualitative analysis
Initial screening to see what needs
further analysis
Where there is inadequate data
A ranking tool - not a decision tool
– Highly subjective
– Needs to be tailored, cannot be universal
– Poor estimates of likelihood: experts can estimate costs and
consequences they have experience of, but cannot assess the likelihood of
rare serious events because they have no experience of them
– Doesn’t allow proper consideration of benefits
– Doesn’t encourage trust
                Consequence
Likelihood    1    2    3    4    5
A             S    S    H    E    E
B             M    S    S    H    E
C             L    M    S    H    E
D             L    L    M    H    H
E             L    L    M    S    S
When I hear a physician speak of risk
I think they mean the following probabilities
Descriptor    average                    highest          lowest
High          1/3 – 1/14                 1/1              1/10 – 1/100
Medium        1/16 – 1/20                1/2              1/100 – 1/1000
Low           1/149 – 1/2256             1/5              1/1000 – 1/10,000
V low         1/1902 – 1/25957           1/10 – 1/20      1/10,000 – 1/100,000
Minimal       1/21773 – 1/223821         1/20 – 1/100     1/100,000 – 1/1million
Negligible    1/279000 – 1/46,709,000    1/100 – 1/1000   1/1million – 1/1000million
Risk
$R = C \times L$
$R = \sum C_m \times L_n$
Usually an event has multiple consequences
measured in different terms some positive some
negative
Semi-quantitative analysis
Normal rules apply
– Cannot carry out mathematical functions
with ordinal scales
ranking scale 1, 2, 3,4
1 + 1 does not equal 2
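Added example (not part of the original slides): a small risk register scored twice with R = C x L, once by multiplying the 1 to 4 ranks directly and once using values the bands might stand for. The register entries, the events-per-year figures and the dollar figures are all constructed assumptions; the point is that the two scorings order the same risks differently, and that two rank-1 losses do not make a rank-2 loss.

```python
from itertools import combinations

# Constructed register: name -> (likelihood rank, consequence rank), 1 = lowest, 4 = highest.
REGISTER = {
    "ransomware outage": (1, 4),
    "phishing account takeover": (3, 2),
    "lost laptop": (2, 2),
    "web defacement": (2, 1),
}

# Assumed meaning of each band (constructed): events per year and loss in dollars.
LIKELIHOOD_PER_YEAR = {1: 0.01, 2: 0.1, 3: 0.5, 4: 2.0}
LOSS_DOLLARS = {1: 5_000, 2: 50_000, 3: 500_000, 4: 20_000_000}
IDENTITY = {1: 1, 2: 2, 3: 3, 4: 4}  # treats the rank labels as if they were numbers


def scores(register, l_scale, c_scale):
    """R = C x L for each risk, with ranks mapped through the given scales."""
    return {name: l_scale[l] * c_scale[c] for name, (l, c) in register.items()}


def reversed_pairs(a, b):
    """Pairs of risks that scoring `a` and scoring `b` put in opposite order."""
    return sorted(
        (x, y) for x, y in combinations(sorted(a), 2)
        if (a[x] - a[y]) * (b[x] - b[y]) < 0
    )


def band_of(loss):
    """Highest consequence rank whose representative loss does not exceed `loss`."""
    return max(rank for rank, value in LOSS_DOLLARS.items() if value <= loss)


rank_product = scores(REGISTER, IDENTITY, IDENTITY)
expected_loss = scores(REGISTER, LIKELIHOOD_PER_YEAR, LOSS_DOLLARS)

if __name__ == "__main__":
    for name in sorted(REGISTER, key=expected_loss.get, reverse=True):
        print(f"{name:28} rank product {rank_product[name]:2}"
              f"  expected loss {expected_loss[name]:>10,.0f}")
    print("order reversed:", reversed_pairs(rank_product, expected_loss))
    # "1 + 1 does not equal 2": two rank-1 losses together are still a rank-1 loss.
    print("two rank-1 losses fall in band", band_of(2 * LOSS_DOLLARS[1]))
```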
Treatment
Need to understand cause and risk
factors to implement best controls
May need to revisit analysis
Different opportunities to intervene
Monitor
Do treatments work?
What data did we not have that we
need to collect?
Issues
How to analyse risk when no or limited data
Human factors and risk
Not a set of tools on a bookshelf where you pick
one for a problem
Have to define problem, decision and
objectives and work through
A structure for thinking about problems
No easy way of avoiding difficult
decisions

