Nadine Cranenburgh

RES Newsletter April 2019.pdf

RES Newsletter 2020 April Issue 1 Vol 5 FINAL Rev1.pdf

RES Newsletter 2020 June Issue 2 Vol 5 FINAL Rev0.pdf

RES Newsletter 2020 October Issue 3 Vol 5 Rev0.pdf

Taylor Burns is the Australian representative for the Austrian based company, RiskConsult. He’ll share his thoughts about risk management for major infrastructure projects at a REBOK lunchtime webinar on Tuesday 20 October 2020. Register here. Why is a ‘big picture’ view important for infrastructure projects? If you don’t know what the big picture is, you’re missing all the uncertainty. There’s an image by Nassim Nicholas Taleb which shows somebody walking across a river that’s just over one metre (four feet) deep on average. But averages vary, so it’s potentially really deep at one end, and really shallow at the other. If you were to walk across assuming it was the same depth the whole way, you could potentially fall in and drown. The same thinking can be applied to infrastructure projects. Image courtesy of Taylor Burns, RiskConsult Why is it important for engineers and project managers to take cost and schedule uncertainties into account? Let’s start with costs. Any quantities you might have on a project include uncertainties. For instance, with excavation, you might have less or more unsuitable materials or rock than determined by the geotechnical investigations. Before the award of a contract, costs for materials and other payment items may also vary significantly from the initial estimate at the time of tender. Risk impacts incurred throughout the project will also result in additional costs and time-related costs. These risk impacts also hold uncertainty. With probabilistic assessment of cost and schedules, we are able to use distributions, one of the most common being a triangular distribution. In this case you have the most likely (often the deterministic estimate) in the middle, and the best and worst scenarios either side of it. The same goes for time durations. This can be done for all items in the work breakdown structure, including the risk impacts, which bring another set of time and cost uncertainties. It’s really important to do this assessment to get an understanding of how good or bad things could be. Once the distributions are set we can do a simulation – either Monte Carlo or Latin hypercube sampling – to work out the probabilities of certain outcomes so that you can have the full picture. When you’re doing estimates deterministically, you only get a very narrow view of what the outcomes might be, and you miss a whole lot of information about what might happen. Things don’t always work out the way you plan them – so it’s important to have the full picture. How can a good picture of cost uncertainties help with infrastructure project management? Having a good picture of uncertainty is especially helpful for decision makers. Knowing the likelihood of cost overruns or project delays in advance provides opportunities to take action early and mitigate risks to acceptable levels. This is especially helpful for large infrastructure projects that may stretch over a number of years. To further clarify the picture, it is useful to use a cost component structure. A simple example is to separate costs into base costs, risk costs (known and unknown) and escalation. Escalation is particularly important for projects spanning multiple years. These cost components are often depicted in the form of a waterfall diagram with results shown as S-Curves. Image courtesy of Taylor Burns, RiskConsult How would you define a complex infrastructure project? Generally, complexity comes with the size of the project, for example, projects above $50 million. Complex infrastructure projects have many components, stakeholders and elements which need to integrate with one another, and with the potential to mutually affect each other. They are surrounded by uncertainty and ambiguity, similar to the unpredictability of many moving parts. One example of a complex project is a bridge replacement. You may have to provide a temporary bridge, demolish the old bridge, realign the road and have multiple traffic interchanges. Another example is tunnelling. You may have a lot of unknown geotechnical constraints such as especially soft or hard material, water inflow, or heat due to geothermal activity. You could also have fault lines within the material that you're tunnelling through. You’ll need to assess the impact on the tunnel boring machine when travelling through all of these different substrates. This could include the different classes of protection needed and the time taken to bore through different substrates. In addition to the technical complexities, large infrastructure projects often require a complex or alternative contracting method. Why should you avoid a blanket contingency in large or complex infrastructure projects? If you were doing a cost estimate deterministically for a low value project with little risk, you might use a blanket contingency of 10 to 20 per cent based on what you perceive the risk to be for your project. Very large or complex infrastructure projects generally have a lot of unknowns and uncertainty. I feel it’s better to assess those unknowns along with the identified risks and integrate them within your work breakdown structure and your schedule. Then you can carry out a Monte Carlo simulation to get the full picture of the potential impacts of those risks, uncertainties and escalation over time. These probabilistic results can then be used to inform what a suitable contingency might be. Who do you think would benefit from your webinar? Project managers and decision makers for large infrastructure projects, engineers, consultants, government, and people who take on high-value, complex projects.

Jeff Jones is an Associate Fellow of the Risk Management Institution of Australasia and member of the Queensland Chapter Committee of the Engineers Australia Risk Engineering Society. He’ll share his thoughts about whether ISO 31000:2018 is redundant or relevant to your organisation at a REBOK lunchtime webinar on Tuesday 22 September 2020. Register here. What is risk, and how does it relate to risk management? The 2018 update to ISO 31000 defines risk as “effect of uncertainty on objectives”. But this means different things to different people. ‘Effect’ is the first term to unpack, and that’s the deviation from the expected. This can be positive, negative or both, and result in opportunities and threats. That’s where the language starts to get debatable. Do we call risk neutral, and the upside opportunity and the downside threat? Or do we call the upside opportunity and the downside risk? The concept of using the word ‘objectives’ is also debatable, there are some other standards that don’t do that. But I support it. Risk is also expressed as the source of potential events and their consequence and likelihood. But unfortunately that lends itself to the predominant view of risk assessment as a qualitative risk matrix process. This is only one of many processes, and it’s beneficial, but it shouldn’t be used to the detriment of having a broader toolkit at our disposal. Most people see risk assessment as risk management, which it’s not. Most businesses adopt risk management frameworks that are just risk assessment processes. They don’t achieve the values defined in ISO 31000:2018 – which defines risk management as “coordinated activities to direct and control an organisation with regard to risk”. It’s not just about proactive control of risk to promote positive outcomes, but also to mitigate threats and negative outcomes. Can you tell us more about risk management frameworks? Risk management frameworks integrate risk management (not risk assessment) into all the organisation’s activities and functions. In modern organisations it should be implemented at the highest level, from the board and through the whole organisational structure including all the risk committees and governance structures. In particular, it should drive the organisation’s decision making. It’s about support from stakeholders and top management. Like any other framework, it requires design, implementation, evaluation, continuous improvement and integration. The end game of risk management is not just risk assessments, but decision making. At the top end it’s decision making, at the operational and tactical level it’s risk assessments. Why do organisations find it difficult to articulate the benefits of risk management? It’s hard for an organisation to measure the success of risk management. In fact, where risk management is most successful it goes unnoticed, because businesses thrive and achieve their business objectives. When things fail, risk management gets the blame. But many other risks could have eventuated if risk management processes weren’t in place. Risk management is also a compliance requirement for many industries. Therefore, it's done to tick a box and not really integrated into decision making or management systems – which is the intention of ISO 31000:2018. The final reason is that risk management is a relatively new field compared to core disciplines such as financial and quality management. There’s nothing forcing an organisation to put risk management systems in place, but if financial management is neglected the business will fall over. Do you think the ISO 31000:2018 standard is relevant in today’s increasingly complex world? There’s some controversy about whether the world has moved on from the standard. I think it’s a framework that can be applied to any environment, it’s just a matter of how you view and think about it. It’s called up in a lot of Acts, regulations and tendering processes. Anywhere where risk is mentioned, ISO 31000:2018 is referenced. So I think its relevance is still there. But it’s not a black and white standard. It has to be used in context for each organisation, and each organisation will adopt it differently. This leads to healthy differences of opinion, but not clarity for organisations looking for benchmarks to implement the standard in new risk management frameworks.

How is the pandemic affecting Australia and other nations (from a risk engineering perspective)? What is the difference between individual and societal risk and how does each relate to the pandemic response? How are governments balancing the economic and public health risks? What about a long term plan including economic recovery? What is outrage risk and how can it be managed? How long will the restrictions need to be in place? What risk management / risk engineering tools and techniques are useful during the crisis? What risk management procedures should be in place for engineering workplaces? How can engineers can help people live and work more safely and productively during the crisis and recovery? Will COVID-19 change the way we do risk engineering?

Introduction Over the past 20 years, processes have been developed to identify and manage risks in complex projects to implement risk-based approaches for better cost and schedule estimation. However, these processes generally treat cost and schedule separately instead of integrating them in one model. Integrating cost and schedule is highly relevant as schedule delays are often the root cause of severe cost overruns. Process The process used for developing an integrated cost and schedule model is: The base cost estimate is reviewed, subjected to uncertainties and integrated into the Work Breakdown Structure (WBS) Identified risks are assessed (probable cost & time impact) and integrated into the WBS and construction schedule Risks are assigned to tasks in the project’s schedule. Subsequently, completion date, critical paths and delays due to risks are simulated (using Monte Carlo simulation) Cost impacts due to time delays are calculated with time-related costs and integrated into the WBS Project Cost including uncertainty is available at all WBS levels and for all cost components. This process is summarised in the diagram below. Diagram courtesy of Taylor Burns, RiskConsult, GmbH Sources The information on this page was primarily sourced from: Text provided by Taylor Burns, Project Engineer, RiskConsult, GmbH Peer review conducted by Pedram DaneshMand, Director, Project Risk Consulting, Audit, Assurance & Risk Consulting, KPMG CEVP-RIAAT Process—Application of an Integrated Cost and Schedule Analysis by Philip Sander and Martin Entacher from RiskConsult and John Reilly from John Reilly International.

Introduction The Cost Estimation and Validation Process (CEVP) is a process used to address the common concerns associated with large complex projects. These include: Why do project costs seem to always go up? Why can’t the public and/or private owners be told exactly what a project will cost? Why can’t projects be delivered at the cost quoted at the start of the project? CEVP opens the 'black box' of estimating, ensures cost transparency, and provides a basis for senior management decisions. Process In CEVP, estimates are comprised of two components: the base cost component and the risk component. Base cost is defined as the planned cost of the project if everything materialises as planned and assumed. The base cost does not include contingency but does include the normal variability of prices, quantities and like units. Once the base cost is established, a list of risks is identified and characterised (including both opportunities and threats, and listed) in a risk register. This process is shown in the diagram below, which is conducted according to the following principles: bring project and CEVP team (including subject matter experts) together in workshops promote openness to risks which may occur (culture of realism without cognitive bias) create mutual understanding of the project integrate uncertainties in all phases create a clear project structure which includes base cost, risk and escalation. Diagram courtesy of Taylor Burns, RiskConsult, GmbH This risk assessment replaces general and vaguely defined contingency with explicitly defined risk events that include the associated probability of occurrence plus impact on project cost and/or schedule for each risk event. Risk is usually developed in a CEVP Cost Risk Workshop. The validated base cost, base variability and the probable consequence of risk events are combined in a simulation model (such as RIAAT) to produce an estimated range of cost and schedule, with probabilities of achieving a particular cost or schedule outcome. The output is a rich data set of probable cost and schedule, potential impact of risk events, ranking of risks, and risk impact diagrams. Outputs An example of the probabilistic cost outputs can be seen in the diagram below. Note that similar S-Curves can be derived for schedule. The three S-Curves shown below are made up of the following cost components: Base cost: the cost if “all goes according to plan” without contingencies Uncertainty cost: the variability of prices, quantities and time frames Risk cost: the cost resulting from threats and opportunities that might occur Escalation cost: additional costs resulting from inflation Diagram courtesy of Taylor Burns, RiskConsult, GmbH As shown in the diagram above, once uncertainty, risk cost and escalation are considered through the CEVP process, the probability of the originally budget not being exceeded is only 20 per cent. Sources The information on this page was primarily sourced from: Text provided by Taylor Burns, Project Engineer, RiskConsult, GmbH Peer review conducted by Pedram DaneshMand, Director, Project Risk Consulting, Audit, Assurance & Risk Consulting, KPMG CEVP-RIAAT Process—Application of an Integrated Cost and Schedule Analysis by Philip Sander and Martin Entacher from RiskConsult and John Reilly from John Reilly International.

RAMS RAMS (Reliability, Availability, Maintainability, Safety) is a management process used to avoid failures during the planning stage of projects. RAMS Management ensures that systems are defined, risk analyses are performed, hazards are identified and detailed reviews and safety cases are executed and reported. One specific goal is to provide hard evidence to achieve authorisation for operations. These terms can be summarised as follows: Reliability – as ability to perform a specific function and may be assessed as design reliability or operational reliability Availability – as ability to keep a functioning state in the given environment Maintainability – as ability to be timely and easily maintained (including servicing, inspection and check, repair and/or modification) Safety – as ability not to harm people, the environment, or any assets during a whole life cycle. Fault Tree Analysis The Fault Tree Analysis (FTA) is the core of probabilistic safety value analysis. The FTA depicts the functional system and quantifies all relevant factors to evaluate reliability, availability, maintainability and safety of the complete system. All components of a system will be evaluated systematically and analysed according to their roles and functions within the system. Starting at the Top Event (System Failure) all functions, and the assigned failure status of the system’s components are evaluated. This results in a Boolean Model (Fault Tree) which is quantified by the characteristic reliability values. The logical linking of events is based on the following graphical elements as shown in the diagram below. Diagram courtesy of Taylor Burns, RiskConsult, GmbH Example results After completing the analysis, the following example information (see diagram below) can be used to help improve the safety of the system. In the below example it was found that due to an error in a braking system that the reliability was only 78 per cent. By taking a low risk tolerant approach and using the VaR95 value we can determine that the down time within one year will be less than 6.5 hours, and in this case the corrective maintenance costs would be in the order of $6200. For the full example please see the following link. Diagram courtesy of Taylor Burns, RiskConsult, GmbH Analysing the example braking system for safety of a period of one hour, we can see the system has a high level of safety, with the average probability of a dangerous failure per hour being 4.8E-11. Diagram courtesy of Taylor Burns, RiskConsult, GmbH Sources The information on this page was primarily sourced from: Text provided by Taylor Burns, Project Engineer, RiskConsult, GmbH Peer review conducted by Pedram DaneshMand, Director, Project Risk Consulting, Audit, Assurance & Risk Consulting, KPMG RiskConsult RIAAT Software RAMS Analysis webpage, 2019.

Introduction Probabilistic Safety Value Analysis is a process that uses the Reliability, Availability, Maintainability and Safety (RAMS) process combined with Fault Tree Analysis (FTA). It is designed to achieve the following objectives: evaluate the soundness of a system check if all safety requirements are fulfilled (using RAMS) create a better understanding of context, causes and effects evaluate critical failure combinations (Minimal Cut Sets) provide a description of potential for optimisation via comprehensive assessment support probabilistic methods to model uncertainty Outcomes Based on the results of probabilistic safety value analysis, measures can be taken to optimise the system such as: optimisation of the system structure creation of additional redundancies replacement of particularly susceptible components with more robust components installation of monitoring systems to detect faults at an early stage adjustment of maintenance intervals and scope avoidance of common cause failures. Sources The information on this page was primarily sourced from: Text provided by Taylor Burns, Project Engineer, RiskConsult, GmbH Peer review conducted by Pedram DaneshMand, Director, Project Risk Consulting, Audit, Assurance & Risk Consulting, KPMG RiskConsult RIAAT Software RAMS Analysis webpage, 2019.