This is the continuation of a two-part article. View part one here.
ISO 31000, the International Standard for Risk Management, provides a clear framework for managing risks, prompting us to think about the scope and context of the organization, what is important, and what we are trying to achieve. From that starting point, we can assess risks by identifying them, analyzing causes, extents, vulnerabilities, likelihoods, and consequences. With that information in hand, we can begin to evaluate whether risks need to be mitigated, how to mitigate them, and whether the mitigation strategies are a good use of public money. Of course, nothing changes without action and the implementation of risk treatments.
ISO 31000 also prompts us to consult with others throughout the process, communicate relevant information, monitor and review the effectiveness of our risk treatments, and record and report how well we are doing. This is, of course, all common sense, but how often do we systematically carry out all of these actions?
Some risk principles are hinted at in the international standard, but more explicitly documented in other frameworks: in ISI’s Envision framework, some key principles associated with risk management make a significant difference in the robustness of the approach. These include:
Risk = Likelihood x Consequence: Likelihood, probability, chance, uncertainty - whatever you call it, this is a key dimension representing the level of uncertainty in risk. Consequence, extent, and impacts all represent the size of potential impacts. These two concepts are fundamental to risk assessment.
A Common Currency of Risk: While still not widely applied, humans are so used to dealing in money that it makes sense to express risk in economic terms. We continually hear about the cost of the latest disaster or the cost of congestion to the economy. We are able to more readily evaluate risk expressed in economic terms to the very tangible costs of dealing with risks. It makes sense to express risk in dollar terms.
Integrated and Holistic: Risk is a complex thing. We recognize that the causes may be many and varied and the consequences could be far-reaching. More robust approaches to risk management take a broad and integrated view of risk, and consider the economic, social, and environmental (or triple bottom line) implications.
Application: The opportunity to use this systematic process exists in almost everything that we do, whether it is community planning and management, asset planning, project delivery, or operational and maintenance activities. Project managers know it makes sense to apply a systematic approach to understanding potential project risks. Investment program managers need to be able to effectively prioritize capital programs that best manage the trade off between costs, performance, and risk.
Operationally, we may choose to apply the principles of risk in HAZOP (Hazard and Operability) or FMEA (Failure Mode & Effects Analysis) studies to improve operational and maintenance activities and better manage risk. More importantly, if we can take our inherent ability to understand risk and apply it to our day-to-day jobs, we can create a culture of more effective risk management. This has the ability to transform the health and safety culture of organizations, radically improve supply chains, and generate significant investment efficiencies or performance improvements.
At Associated, we bring our expertise to help organizations begin to understand the jargon and navigate the common-sense application of risk management that may initially seem complex. With a better understanding of risk and the ability to articulate risk, we can have a more convincing conversation with stakeholders, more robustly defend our decisions to the public, and more readily access funding from agencies that ultimately want to know we are doing the right thing.
About the authors:
Owen James, M.Sc., ENV.SP, CWEM, MIAM is our National Practice Leader for Asset Management. He has over 25 years of experience developing and implementing asset management capabilities for organizations in Canada and the United Kingdom.