About Implementing the Risk Management Process Within an Asset Management Organization
INTRODUCTION OF RISK MANAGEMENT BACKGROUND
Case Example: A fieldworker is doing some inspection work around a Mid Voltage station and stumbles over some loose stones in the pavement around the station. Question: Is this a risk?
Before we continue exploring this case, some definition and context is needed. A generic definition of risk management is:
Risk = Likelihood * Impact
When talking about risk management within the context of asset management, we have to narrow the scope. Our specific focus on risk within the asset management process is the connection between Business Risk and Decision Risk.
Figure 1. Risk Management within Asset Management
We define risk management as managing potential events that could have a negative impact on the business objectives related to the assets or management of those assets.
1 Case example text can be recognized in this document by the red font color.
Figure 2. Core decision-making process within asset management
The different perspectives between the day-to-day operations and the (risk-based) asset planning process.
Many mistakes have been made in implementing risk management by not understanding that day-today operations and (risk-based) asset planning operate in different time periods. The best way to explain this is with the example of our stumbling fieldworker.
The fieldworker realizes after he had stumbled that he had a narrow escape from a serious injury. He could have broken a leg or even worse! This must be a safety risk. The first thing he does is enter the incident in the issue register and ask the risk analyst to undertake an analysis of the incident to find out whether this is a high-ranked risk or a medium to small risk. He then waits on the outcome of the risk analysis before he takes any further action.
This is not a fictitious example; it is a real case from a utility in the early implementation stage of a risk-based asset planning process. The mistake which was made was not having a clear understanding of the different focus of day-to-day operations versus that of risk-based asset planning. Risk management as part of the risk-based asset planning process should focus on threats in the future. Day-to-day operations should focus on actions in the here and now. Once he understood the focus of each, the fieldworker would have acted differently. A good practice process would lead to the following occurrence.
The fieldworker realizes after stumbling over the stones that this is a safety issue. He immediately starts repairing the loose stones in the pavement. At the end of the day, he is back at the office and books his working hours. When this year’s budget was created, a portion was allocated to “small repair and maintenance work”. The time he spent in the repair of the pavement is charged against this account.
The company also wants him to track safety incidents, so he reports the incident in the safety incident tracking system.
The risk analyst periodically looks at all systems which track incidents and sees the new safety incident report. He enters this issue in the issue register (or updates an existing one). He also collects other information which is reported in other maintenance and failure systems and enters these in the issue register. Because there are several similar incidents reported, he decides to perform analysis on the available data. He suspects that the current policy is not sufficient and needs to be updated. This might have an impact on civil maintenance and budgets for next year.
Figure 2. Different perspectives between day-to-day operations and risk-based asset planning process
The key message here is to understand the different perspectives between day-to-day operations and the risk-based asset planning process and to keep these processes separated from each other. Not separating these processes will lead to resistance especially in the day-to-day operational process, where people will consider the risk management process as additional bureaucracy not adding any value.
ASSET RISK VERSUS BUSINESS RISK
Another topic over which confusion often occurs is the difference between Asset Risk and Business Risk. Asset Risk refers to the functional failure of assets. However, particularly in the area of maintenance management, these functional failures are considered to be a business risk. This is not the case as can be explained by further exploring our example.
The risk analyst starts evaluating the entered issue in the issue register which describes the incident of the fieldworker. The analyst looks at the description of the issue and assumes that this is a safety risk. He takes the existing risk matrix of the company and starts thinking about the stones in the pavement. The function of the stones in the pavement is to provide a smooth path for fieldworkers to be able to safely walk around the Mid Voltage station. This function has been disturbed. Due to this a severe safety incident almost occurred. He has a look at the risk matrix: the impact of this functional failure, in this case, is low. The frequency was at least once this year. It appears that the overall risk assessment tells him that this is a low risk and therefore acceptable. Since it falls within the pre-established risk tolerance, it will not lead to any action.
The mistake in the methodology described is that the risk analyst began his risk analysis by focusing on the asset and the functional failure of the asset. First, he focused on the incident which occurred, rather than potential future risks. In addition, he didn’t consider a future threat impacting business objectives, rather he focused on component failure which is typically what you would do when assessing maintenance policy. What he should have done is define hypotheses of events that could cause threats in the future. These threats should be evaluated on the level of risk and eventually mitigating actions should be derived. In our case study this would occur as follows:
The risk analyst starts evaluating the entered issues in the issue register. He does some reporting on geographical analysis and some reporting on asset analysis. From the analysis, he discovers that several issues have been reported regarding Mid Voltage stations. Several leaking roofs of Mid Voltage stations have been reported over the past three months. Also, several complaints have been reported regarding painting of doors and window casings. The analyst also had a look in the workflow system and discovered that actual maintenance spend on Mid Voltage station is far behind the expected realization. He formulates two hypotheses of potential threats;
– Delays in maintenance cause a major short circuit leading to a blackout of a city with 100,000 citizens having more than 4 hours loss of electricity supply
– Incorrect maintenance (i.e., the wrong maintenance policy) of Mid Voltage stations cause a major short circuit leading to a blackout of a city with 100,000 citizens having more than 4 hours loss of electricity supply.
Both potential threats are evaluated with the risk matrix and lead to the conclusion that these are severe risks and mitigating actions need to be taken.
This case demonstrates the skill set needed for a risk analyst – the ability to look beyond the functional failure of a component and the capability to translate leading indicators into the root causes and hypotheses of actual threats.
Figure 4. Asset Risk versus Business Risk
FROM ISSUES TO RISKS
When implementing risk management, one of the difficulties is to identify the level at which issues need to be collected, as well as the level of detail needed to define risks. The fact is that two parallel levels should be used for both. First, a top-down process is implemented where assessments are made to collect all possible major disasters like earthquakes, major storms, flooding, etc. once or twice per year. These are not issues, but rather threats that have a major impact on the business and as such should be evaluated for their potential impact on business values and probability of occurrence to be scored within the risk matrix.
This should be followed by a bottom-up process where issues are collected from the day-to-day business operations and analyzed to identify potential future threats. The pitfall in this bottom-up process is that there is a natural inclination to relate each issue to a risk, resulting in an enormous amount of risks to be analyzed. The secret to successfully executing this process is to add a step between these two processes in which region and asset-related reporting and analysis is performed and formulation of risks which could negatively impact business objectives are identified. This can be difficult to implement as a different skill set is needed to be able to do this.
Figure 5. From Issue to Risk
Companies who have successfully implemented risk management typically started by forming a risk expert group which has the task of reviewing risks and making decisions. This group needs to be very disciplined in the beginning and stick to a fixed agenda which contains three steps – issue analysis including formulation of threats, risk analyses of the formulated threats, and specification of mitigation activities.
RISK MITIGATING STRATEGIES
The last step in implementing a risk management process is the development of strategies to mitigate risks. In general, there are at least 4 risk mitigation strategies that should be studied during the risk analyses. These four strategies are:
1. Accept the risk and do nothing. The question to be studied is the risk of deferring the problem to the next decision-making point.
2. Mitigate the impact of the risk. Define a solution which mitigates the impact of the occurrence to a more acceptable level.
3. Mitigate the likelihood of the risk. Define a solution in which the frequency of occurrence is mitigated to an acceptable level.
Figure 5. Risk Mitigating Strategies
IMPLEMENTING RISK MANAGEMENT
In conclusion, this white paper discusses concepts regarding the implementation of risk management within asset management. First, risk management within asset management has been defined. Then, three important topics have been addressed regarding implementing risk management. These are:
- Recognizing the different perspectives between risk-based asset planning and day to day operations
- Recognizing the difference between Asset Risks and Business Risks
- The pitfalls of the n-to-n relation between issues and risks In our experience, creating a risk expert group with a fixed agenda and with structured preparation and discipline to stick to the agenda is a good way to implement a sound risk management process.
For more information on our viewpoints, case studies, etc. regarding risk management please contact us at: info@itamsprogramconference.umsgroup.com
Talk to Our Experts Today
