Nadine Cranenburgh

Jeff Jones is an Associate Fellow of the Risk Management Institution of Australasia and member of the Queensland Chapter Committee of the Engineers Australia Risk Engineering Society. He’ll share his thoughts about whether ISO 31000:2018 is redundant or relevant to your organisation at a REBOK lunchtime webinar on Tuesday 22 September 2020. Register here. What is risk, and how does it relate to risk management? The 2018 update to ISO 31000 defines risk as “effect of uncertainty on objectives”. But this means different things to different people. ‘Effect’ is the first term to unpack, and that’s the deviation from the expected. This can be positive, negative or both, and result in opportunities and threats. That’s where the language starts to get debatable. Do we call risk neutral, and the upside opportunity and the downside threat? Or do we call the upside opportunity and the downside risk? The concept of using the word ‘objectives’ is also debatable, there are some other standards that don’t do that. But I support it. Risk is also expressed as the source of potential events and their consequence and likelihood. But unfortunately that lends itself to the predominant view of risk assessment as a qualitative risk matrix process. This is only one of many processes, and it’s beneficial, but it shouldn’t be used to the detriment of having a broader toolkit at our disposal. Most people see risk assessment as risk management, which it’s not. Most businesses adopt risk management frameworks that are just risk assessment processes. They don’t achieve the values defined in ISO 31000:2018 – which defines risk management as “coordinated activities to direct and control an organisation with regard to risk”. It’s not just about proactive control of risk to promote positive outcomes, but also to mitigate threats and negative outcomes. Can you tell us more about risk management frameworks? Risk management frameworks integrate risk management (not risk assessment) into all the organisation’s activities and functions. In modern organisations it should be implemented at the highest level, from the board and through the whole organisational structure including all the risk committees and governance structures. In particular, it should drive the organisation’s decision making. It’s about support from stakeholders and top management. Like any other framework, it requires design, implementation, evaluation, continuous improvement and integration. The end game of risk management is not just risk assessments, but decision making. At the top end it’s decision making, at the operational and tactical level it’s risk assessments. Why do organisations find it difficult to articulate the benefits of risk management? It’s hard for an organisation to measure the success of risk management. In fact, where risk management is most successful it goes unnoticed, because businesses thrive and achieve their business objectives. When things fail, risk management gets the blame. But many other risks could have eventuated if risk management processes weren’t in place. Risk management is also a compliance requirement for many industries. Therefore, it's done to tick a box and not really integrated into decision making or management systems – which is the intention of ISO 31000:2018. The final reason is that risk management is a relatively new field compared to core disciplines such as financial and quality management. There’s nothing forcing an organisation to put risk management systems in place, but if financial management is neglected the business will fall over. Do you think the ISO 31000:2018 standard is relevant in today’s increasingly complex world? There’s some controversy about whether the world has moved on from the standard. I think it’s a framework that can be applied to any environment, it’s just a matter of how you view and think about it. It’s called up in a lot of Acts, regulations and tendering processes. Anywhere where risk is mentioned, ISO 31000:2018 is referenced. So I think its relevance is still there. But it’s not a black and white standard. It has to be used in context for each organisation, and each organisation will adopt it differently. This leads to healthy differences of opinion, but not clarity for organisations looking for benchmarks to implement the standard in new risk management frameworks.

How is the pandemic affecting Australia and other nations (from a risk engineering perspective)? What is the difference between individual and societal risk and how does each relate to the pandemic response? How are governments balancing the economic and public health risks? What about a long term plan including economic recovery? What is outrage risk and how can it be managed? How long will the restrictions need to be in place? What risk management / risk engineering tools and techniques are useful during the crisis? What risk management procedures should be in place for engineering workplaces? How can engineers can help people live and work more safely and productively during the crisis and recovery? Will COVID-19 change the way we do risk engineering?

Introduction Over the past 20 years, processes have been developed to identify and manage risks in complex projects to implement risk-based approaches for better cost and schedule estimation. However, these processes generally treat cost and schedule separately instead of integrating them in one model. Integrating cost and schedule is highly relevant as schedule delays are often the root cause of severe cost overruns. Process The process used for developing an integrated cost and schedule model is: The base cost estimate is reviewed, subjected to uncertainties and integrated into the Work Breakdown Structure (WBS) Identified risks are assessed (probable cost & time impact) and integrated into the WBS and construction schedule Risks are assigned to tasks in the project’s schedule. Subsequently, completion date, critical paths and delays due to risks are simulated (using Monte Carlo simulation) Cost impacts due to time delays are calculated with time-related costs and integrated into the WBS Project Cost including uncertainty is available at all WBS levels and for all cost components. This process is summarised in the diagram below. Diagram courtesy of Taylor Burns, RiskConsult, GmbH Sources The information on this page was primarily sourced from: Text provided by Taylor Burns, Project Engineer, RiskConsult, GmbH Peer review conducted by Pedram DaneshMand, Director, Project Risk Consulting, Audit, Assurance & Risk Consulting, KPMG CEVP-RIAAT Process—Application of an Integrated Cost and Schedule Analysis by Philip Sander and Martin Entacher from RiskConsult and John Reilly from John Reilly International.

Introduction The Cost Estimation and Validation Process (CEVP) is a process used to address the common concerns associated with large complex projects. These include: Why do project costs seem to always go up? Why can’t the public and/or private owners be told exactly what a project will cost? Why can’t projects be delivered at the cost quoted at the start of the project? CEVP opens the 'black box' of estimating, ensures cost transparency, and provides a basis for senior management decisions. Process In CEVP, estimates are comprised of two components: the base cost component and the risk component. Base cost is defined as the planned cost of the project if everything materialises as planned and assumed. The base cost does not include contingency but does include the normal variability of prices, quantities and like units. Once the base cost is established, a list of risks is identified and characterised (including both opportunities and threats, and listed) in a risk register. This process is shown in the diagram below, which is conducted according to the following principles: bring project and CEVP team (including subject matter experts) together in workshops promote openness to risks which may occur (culture of realism without cognitive bias <link>) create mutual understanding of the project integrate uncertainties <link> in all phases create a clear project structure which includes base cost, risk and escalation. Diagram courtesy of Taylor Burns, RiskConsult, GmbH This risk assessment replaces general and vaguely defined contingency with explicitly defined risk events that include the associated probability of occurrence plus impact on project cost and/or schedule for each risk event. Risk is usually developed in a CEVP Cost Risk Workshop. The validated base cost, base variability and the probable consequence of risk events are combined in a simulation model (such as RIAAT) to produce an estimated range of cost and schedule, with probabilities of achieving a particular cost or schedule outcome. The output is a rich data set of probable cost and schedule, potential impact of risk events, ranking of risks, and risk impact diagrams. Outputs An example of the probabilistic cost outputs can be seen in the diagram below. Note that similar S-Curves can be derived for schedule. The three S-Curves shown below are made up of the following cost components: Base cost: the cost if “all goes according to plan” without contingencies Uncertainty cost: the variability of prices, quantities and time frames Risk cost: the cost resulting from threats and opportunities that might occur Escalation cost: additional costs resulting from inflation Diagram courtesy of Taylor Burns, RiskConsult, GmbH As shown in the diagram above, once uncertainty, risk cost and escalation are considered through the CEVP process, the probability of the originally budget not being exceeded is only 20 per cent. Sources The information on this page was primarily sourced from: Text provided by Taylor Burns, Project Engineer, RiskConsult, GmbH Peer review conducted by Pedram DaneshMand, Director, Project Risk Consulting, Audit, Assurance & Risk Consulting, KPMG CEVP-RIAAT Process—Application of an Integrated Cost and Schedule Analysis by Philip Sander and Martin Entacher from RiskConsult and John Reilly from John Reilly International.

RAMS RAMS (Reliability, Availability, Maintainability, Safety) is a management process used to avoid failures during the planning stage of projects. RAMS Management ensures that systems are defined, risk analyses are performed, hazards are identified and detailed reviews and safety cases are executed and reported. One specific goal is to provide hard evidence to achieve authorisation for operations. These terms can be summarised as follows: Reliability – as ability to perform a specific function and may be assessed as design reliability or operational reliability Availability – as ability to keep a functioning state in the given environment Maintainability – as ability to be timely and easily maintained (including servicing, inspection and check, repair and/or modification) Safety – as ability not to harm people, the environment, or any assets during a whole life cycle. Fault Tree Analysis The Fault Tree Analysis (FTA) is the core of probabilistic safety value analysis. The FTA depicts the functional system and quantifies all relevant factors to evaluate reliability, availability, maintainability and safety of the complete system. All components of a system will be evaluated systematically and analysed according to their roles and functions within the system. Starting at the Top Event (System Failure) all functions, and the assigned failure status of the system’s components are evaluated. This results in a Boolean Model (Fault Tree) which is quantified by the characteristic reliability values. The logical linking of events is based on the following graphical elements as shown in the diagram below. Diagram courtesy of Taylor Burns, RiskConsult, GmbH Example results After completing the analysis, the following example information (see diagram below) can be used to help improve the safety of the system. In the below example it was found that due to an error in a braking system that the reliability was only 78 per cent. By taking a low risk tolerant approach and using the VaR95 value we can determine that the down time within one year will be less than 6.5 hours, and in this case the corrective maintenance costs would be in the order of $6200. For the full example please see the following link. Diagram courtesy of Taylor Burns, RiskConsult, GmbH Analysing the example braking system for safety of a period of one hour, we can see the system has a high level of safety, with the average probability of a dangerous failure per hour being 4.8E-11. Diagram courtesy of Taylor Burns, RiskConsult, GmbH Sources The information on this page was primarily sourced from: Text provided by Taylor Burns, Project Engineer, RiskConsult, GmbH Peer review conducted by Pedram DaneshMand, Director, Project Risk Consulting, Audit, Assurance & Risk Consulting, KPMG RiskConsult RIAAT Software RAMS Analysis webpage, 2019.

Introduction Probabilistic Safety Value Analysis is a process that uses the Reliability, Availability, Maintainability and Safety (RAMS) process combined with Fault Tree Analysis (FTA). It is designed to achieve the following objectives: evaluate the soundness of a system check if all safety requirements are fulfilled (using RAMS) create a better understanding of context, causes and effects evaluate critical failure combinations (Minimal Cut Sets) provide a description of potential for optimisation via comprehensive assessment support probabilistic methods to model uncertainty Outcomes Based on the results of probabilistic safety value analysis, measures can be taken to optimise the system such as: optimisation of the system structure creation of additional redundancies replacement of particularly susceptible components with more robust components installation of monitoring systems to detect faults at an early stage adjustment of maintenance intervals and scope avoidance of common cause failures. Sources The information on this page was primarily sourced from: Text provided by Taylor Burns, Project Engineer, RiskConsult, GmbH Peer review conducted by Pedram DaneshMand, Director, Project Risk Consulting, Audit, Assurance & Risk Consulting, KPMG RiskConsult RIAAT Software RAMS Analysis webpage, 2019.