Nadine Cranenburgh

Everything posted by Nadine Cranenburgh

  1. Thanks for posting this, Geoff. Just a note that to download this monograph PDF file you need to register as a member of the REBOK community. Registration is free and open to anyone with an interest in risk engineering.
  2. We're gearing up to deliver a series of lunchtime webinars on topics of interest to the REBOK community starting in May. In the meantime, R2A Due Diligence Engineers have kindly allowed us to include a link to the recording of their webinar Introduction to Engineering Due Diligence which you can view here. If you would like to nominate as a presenter or have any topic suggestions please email Jackson Jones, the REBOK community facilitator (Rebok@engineersaustralia.org.au)
  3. Thanks for joining the conversation, Geoff. I thought it would be a good opportunity to point members to the REBOK page which looks at the differences and legal ramifications of reducing risk to 'as low as reasonably practicable' (ALARP) and 'so far as is reasonably practicable' (SFAIRP). Here's a link:
  4. Engineers Australia has posted a checklist developed by the International Federation of Consulting Engineers (FIDIC) and international law firm Hogan Lovells to address concerns raised by industry. They give the following disclaimer: "Whilst FIDIC does not provide legal advice on any of our standard procurement contract forms, we believe that the check list provided below will be useful as a starting point for any business in addressing the potential impact of the COVID-19 pandemic on their current projects." https://www.engineersaustralia.org.au/node/51486
  5. Risk Engineering Society (RES) President and REBOK Steering Committee member Geoff Hurst recently provided some practical advice for managing risks posed by COVID-19 at engineering workplaces. It would be interesting to hear whether other community members have advice to share. https://www.createdigital.org.au/risk-engineering-best-practice-covid-19-environment/
  6. To more easily allow the REBOK Community to keep up to date and discuss developments and discussions related to the COVID-19 pandemic, we've created a new dedicated forum: https://rebok.engineersaustralia.org.au/forums/forum/4-rebok-covid-19-discussion-forum/
  7. Risk Engineering Society (RES) President and REBOK Steering Committee member Geoff Hurst recently provided some practical advice for managing risks posed by COVID-19 at engineering workplaces. It would be interesting to hear whether other community members have advice to share. https://www.createdigital.org.au/risk-engineering-best-practice-covid-19-environment/
  8. One of the objectives of REBOK is to explore the essence and boundaries of risk engineering. To that end, we have been working on a FAQ page that explores what risk engineering is and how it relates to different engineering disciplines, project and risk management. It would be great to get the conversation started about what risk engineering means to other members of the REBOK Community. Comments and input welcome.
  9. Hi Deon, glad you found them useful! We are planning webinars for this year, so please feel free to email the REBOK community facilitator (Rebok@engineersaustralia.org.au) if you have any suggestions for speakers or topics.
  10. There have been some new webinars added to the REBOK archive. If you'd like to catch up on a webinar you attended or weren't able to make it to, visit this link: https://rebok.engineersaustralia.org.au/webinar_records.html/
  11. The success of the REBOK Community depends very much on the engagement of its members. As such we would very much like you to optimise your settings so that you are aware of what is going on and can engage fully. Due to privacy laws we can't do this for you. Following are the steps you need to take to be fully engaged: Firstly you need to be logged on to make changes to your settings. Click the sign in button at the top right or register if you have not already done so. Follow the LinkedIn main forums: Click on the forums tab then click the Follow button at the top right Choose your frequency of emails (we recommend "when new content is posted" otherwise you can't participate in the live conversation) Follow the Wiki: Click on the Wiki tab, then index and click the follow button. The above are the most important ones. However, we also suggest that you bookmark the following useful pages in your browser: Calendar of events Webinar Recordings On your profile page (down arrow in top right corner) upload an image of yourself (picture icon next to circle) and say something about yourself by clicking the "Edit Profile" button tick any appropriate organisation membership consider enabling status updates so you can share what you are doing in the Risk Engineering space tick "news and information" and "automatically follow content" in the Notification Settings. Please choose to receive emails frequently as most communities thrive with regular interaction. Finally, don't forget to make a contribution by: Add a risk engineering event you have heard of, or are hosting, to the Other Events section of the calendar Make a comment on any page of the Wiki Post a discussion forum topic Participate in the RES LinkedIn Forum Post a blog and tell your friends about REBOK.
  12. Introduction Quantitative risk assessment is one approach to measuring risk. It involves measuring both consequences and likelihoods using numerical scales. These can be expressed as ranges or distributions. Alternative measurement approaches are qualitative and semi-quantitative risk assessment. Examples Quantitative risk assessment techniques need to be carried out using the appropriate units for the risk being measured. For example, the expected frequency of car accidents per thousand kilometres travelled by a driver. Other examples include the mean time to failure of a piece of equipment, expected values of financial returns over a financial year, or cost of repairs per thousand duty cycles. The consequence of risks can also be expressed as a probability distribution, for example, the variance of returns on a financial investment. Another quantitative measure is calculating the value which has a certain probability of occurring for a particular risk. For example, the number of litres which have a 50 per cent chance of leaking out of a particular water pipe over a year. Quantitative methods can also express consequence-based measures such as the probable maximum loss from an investment. These are usually used when there is not enough data to estimate likelihood, or there is uncertainty over which project controls will fail. Risk aggregation Quantitative risk assessment can be used to aggregate values for a group of like risks into a single value as long as they share a single consequence and common units, such as Australian dollars or failures per hour. However, this reduces the amount of data available about each individual risk, which may cause problems in complex systems. Correlations between probability distributions also need to be taken into account to avoid misleading results. For a reliable result, tools such as Monte Carlo simulation should be used to combine distributions. 
Sources: The content on this page was primarily sourced from: IEC 31010:2019 Risk Management – Risk Assessment Techniques (6.3.5.4)
  13. Introduction Semi-quantitative risk assessment is one approach to measuring risk. It involves expressing one parameter, such as likelihood, quantitatively. The other parameter is assigned a descriptive or numerical ranking. Alternative measurement approaches are qualitative and quantitative risk assessment. Limitations When using semi-quantitative methods, risk engineers and other practitioners should ensure that they provide explanations of how their quantitative calculations were carried out to avoid them being misinterpreted. Like qualitative methods, semi-quantitative methods are only useful to compare risks with a common measurement method, or with the same criteria. They can also be difficult to use in cases where trade-offs between risks need to be measured, or where a particular risk can have both positive and negative outcomes. To combine or aggregate risks, quantitative methods must be used. Sources: The content on this page was primarily sourced from: • IEC 31010:2019 Risk Management – Risk Assessment Techniques (6.3.5.4)
  14. Introduction Systems thinking is a branch of the complexity sciences which can be readily applied to modern-day risk management. It is also referred to as complex systems theory and systems theory. The purpose of systems thinking is to try to understand how highly integrated and interactive systems operate and apply that knowledge to everyday management situations. Unlike more mathematical complexity sciences such as computational and chaos theory, systems thinking is a practical field, and can be readily understood by most stakeholders. Sources: The information on this page is based primarily on the following sources: Webinar titled ‘An Introduction to Complexity and How it Influences Risk Management’, Session 1, delivered to REBOK community on 30 April 2019 by Warren Black, Principal and Founder, Complexus and Geoff Hurst, Principal, ENGENEOHS
  15. Introduction Qualitative risk assessment is one approach to measuring risk. It involves using descriptive or numerical ranking scales to classify the potential consequences and likelihoods of each risk. Alternative measurement approaches are semi-quantitative and quantitative risk assessment. Examples One example of a qualitative risk assessment tool is a risk assessment matrix, which defines rating scales for the likelihood and impact of each identified risk, then combines them in a colour-coded diagram to decide which are major, moderate or minor in order to develop an appropriate risk response. A likelihood scale is shown below. And an impact scale for injury at work in the next diagram. In the corresponding risk matrix, a risk with a likelihood of 5 and impact of 5 would be classified as a major risk, while an impact of 3 and a likelihood of 3 would be moderate, and an impact of 3 and likelihood of 1 would be minor. Other examples include: bow-tie analysis probability/consequence matrix decision tree analysis brainstorming Delphi technique structured what-if technique (SWIFT). Sources: The content on this page was primarily sourced from: IEC 31010:2019 Risk Management – Risk Assessment Techniques (6.3.5.4)
  16. Introduction In Australia, Section 19 of the Work Health and Safety Act requires Persons Conducting a Business or Undertaking (PCBU) to eliminate risks in the workplace, or if that is not reasonably practicable, minimise the risks so far as is reasonably practicable. Hazard identification is the critical first step in an organisation’s risk management approach. This approach forms the basis for subsequent risk assessment, identification of risk controls, and ongoing review of hazards and control measures. Definition A hazard is defined by Safe Work Australia as “a situation or thing that has the potential to harm a person”. Examples of workplace hazards include moving vehicles, machinery noise, chemicals, electricity, bullying and workplace violence. Hazard identification is used as a basis for risk assessment, in cases where there is a risk of injury or death when a person is exposed to a hazard. Guidance Managing work health and safety risks is an ongoing process that needs attention over time, but particularly when there are changes affecting work activities. It should also be considered when designing and planning products, processes or places used for work. Hazards generally arise from the following aspects of work and their interaction: physical work environment equipment, materials and substances used work tasks and how they are performed work design and management. Risk identification strategies include: workplace inspections safe design reviews to identify and eliminate hazards and minimise risks during the design phase consultation with workers and suppliers review of suppliers’ and manufacturers’ product data (safety data sheets) and user manuals reviewing records of workplace incidents, near misses, worker complaints, sick leave, and the results of any inspections and investigations to identify hazards.
Sources The content on this page was primarily sourced from the following: Material provided by Peter Flanagan, Capital Insight ISO Guide 73:2009 Risk Management - Vocabulary ISO 31000:2018, Risk Management – Guidelines IEC/ISO 31010:2009, Risk Management – Risk Assessment Techniques AS HB 158—2010, Delivering Assurance Based on ISO 31000:2009 Risk Management Principles and Guidelines
  17. Introduction Risk is a dynamic concept that is influenced by constantly changing external and internal environments – with project environments typically experiencing the highest rate of change. Therefore, organisations should monitor and review the performance of their risk management process as well as the potential impact of environmental changes. Organisations should also identify emerging risks and monitor changes to the likelihood and impact of identified risks. Keeping track of the effectiveness and adequacy of existing controls, associated risk treatment plans and the management processes for controlling their implementation is also important. Definition ISO Guide 73:2009 defines monitoring as “continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected”. The same reference defines review as “activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives”. Further definition and guidance on monitoring and review is provided in: AS ISO 31000:2018, Risk Management – Guidelines (6.6) IEC/ISO 31010:2009, Risk Management – Risk Assessment Techniques (5.6) Guidance HB 158—2010, Delivering Assurance Based on ISO 31000:2009 Risk Management Principles and Guidelines provides a guide to assessing the adequacy of the risk management framework and process. It also describes how to use the risk management process to: develop a risk-based assurance strategy and program plan an assurance engagement report the assurance program design controls. Sources: The content on this page was primarily sourced from the following: Material provided by Peter Flanagan, Capital Insight ISO Guide 73:2009 AS ISO 31000:2018, Risk Management – Guidelines IEC/ISO 31010:2009, Risk Management – Risk Assessment Techniques AS HB 158—2010, Delivering Assurance Based on ISO 31000:2009 Risk Management Principles and Guidelines
  18. Introduction Because risk is the effect of uncertainty on objectives, it is important to understand the concept of uncertainty. Uncertainty is a lack of certainty about future outcomes, characterised by a lack of knowledge or information about events or circumstances. Definition ISO Guide 73:2009 Risk Management - Vocabulary defines uncertainty as “the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood.” Similarly, HB 203:2012, Managing Environment-related Risk defines uncertainty as “a lack of knowledge arising from changes that are difficult to predict or events whose likelihood and consequences cannot be predicted accurately”. Managing Uncertainty Uncertainty cannot be measured in quantitative terms through past models. However, uncertainty can be reduced through systematic efforts to obtain knowledge and informed opinion. Applying an iterative process to improve knowledge – when combined with recognising sources of uncertainty – enhances risk management thinking and can transform the risk assessment process and the selection of risk treatments. Some uncertainty will always remain, and organisations need to be sufficiently resilient to cope with unexpected circumstances. Sources: The content on this page was primarily sourced from the following: Material provided by Peter Flanagan, Capital Insight ISO Guide 73:2009 Risk Management - Vocabulary AS HB 203:2012, Managing Environment-related Risk
  19. Introduction Establishing the context is necessary to customise the risk management process to meet an organisation's needs and enable effective risk assessment and appropriate risk treatment. Establishing the context involves: defining the purpose and scope of risk management activities, including relevant objectives defining the internal and external context of the organisation defining the risk criteria to be used to evaluate the significance of risks and to support decision-making processes. Definition ISO Guide 73:2009 defines establishing the context as “defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria (3.3.1.3) for the risk management policy (2.1.2)”. Further definition and guidance on establishing the context is provided in: AS ISO 31000:2018, Risk management – Guidelines (6.3) IEC/ISO 31010:2009, Risk management – Risk assessment techniques (4.3.3) Setting the Context for Risk Assessment For a specific risk assessment, establishing the context should include: confirming the purpose and scope, including identification of: the relevant objectives the decisions that need to be made scope inclusions and exclusions appropriate assumptions and the basis of those assumptions relevant stakeholders and the extent of their influence on, and input to, the risk management process appropriate risk assessment tools and techniques required resources required investigations or research interdependencies with other projects, processes or activities. 
establishing an understanding of an organisation’s internal characteristics and their influence on the management of risk, including organisational values and culture, governance arrangements, policies and procedures, and decision-making processes identifying significant factors in the external environment that give rise to uncertainty, including the social, regulatory, cultural, physical, financial and political environment; external stakeholders; and key external organisational drivers agreement on the risk criteria to be applied – including consequence and likelihood definitions, method for determining the level of risk, criteria for deciding when a risk requires treatment, the impact of risk timeframes (urgency) and existing risk controls, and how combinations of risks will be taken into account. Sources: The content on this page was primarily sourced from the following: Material provided by Peter Flanagan, Capital Insight ISO Guide 73:2009 AS ISO 31000:2018, Risk management – Guidelines IEC/ISO 31010:2009, Risk management – Risk assessment techniques
  20. Introduction Documents and records are fundamental for managing risk, safety, and quality. Even with digital advancement and the migration of records to an online environment, managers, risk practitioners and engineers still need to decide the extent of the documentation and records required to manage risk and collect enough information to support the organisation's level of risk appetite. Should things go wrong, conflict is almost always resolved through documentation. The documentation suite in most workplaces can be likened to a swamp. It contains a lot of good information, but it can be murky, making it hard to find what you need. Instead, risk managers should aim for a crystal-clear lake, where you can see right to the bottom, and everything is in its place. Context The risk management basics page outlines a framework for building a risk management solution. The framework includes six components: Governance structure Defined risk appetite Risk based management planning Risk control systems Risk based assurance Risk culture Each of these components has enabling tools attached to it, such as: leadership structure (i.e. organisation chart) risk appetite statement (i.e. policy or vision) risk matrices / heat maps documented risk tolerances, thresholds & limits (i.e. plans or procedures) strategic, business, project management, and risk management plans assurance frameworks, standards, and plans. Other tools used in risk management include: risk registers, bow-tie analyses, layer-of-protection analyses control effectiveness studies. These enabling tools are, by their nature, documents and records. Purpose Documents and records are differentiated by their purpose. Documents (which can be hardcopy or electronic) are typically plans, procedures, or contracts, which in effect tell a person what to do. Documents provide guidance if there is a misunderstanding about what is supposed to be done. 
Records (which can also be paper-based or electronic) are typically reports, checklists, certificates, registers, or spreadsheets which tell a person what has been done. Records are often the evidentiary output that is relied upon if there is a dispute or misunderstanding about what happened. Effective risk management solutions require both documents and records. Criteria Access to computers and electronic devices has made document and record creation a simple task. However, this can mean that there is little preamble or thought about whether the document or record should be created in the first place. For each document and record, the aspects listed below should be considered and written down, so that there is a common understanding of why the effort needs to be expended in writing and maintaining the document or record: purpose audience level of detail and/or accuracy required length and structure history and source of input information lifecycle (inputs, outputs, usage and storage) approval requirements Where the aspects above are unknown, unclear, or disputed, the value of the document or record should be reconsidered, as should the need to create it in the first place. Design process Designing a suite of documents and records for risk management includes the following steps: Define the entire suite of documents and records, before writing any of them List the plans, procedures, reports, registers and tools that will be used Design with the reader or user in mind Lay out the content of each document or record in a logical flow for the reader. The design determines if it is worth reading or using Declutter the content Be very sure about the audience of the document or record, and what they will use it for. Be sure of what it needs to do, and stick to that; nothing more, nothing less.
Deliver for approval, or address the question: “done, then what?” Understand what approvals are needed and how long they will take Determine the review process, and advise the reviewer or approver of any relevant guidelines that need to be consulted Decide what happens to the document or record after approval. Sources: The content on this page was based primarily on the following sources: Material provided by Susan Jaques, Sage Consulting Solutions
  21. Thanks Geoff, that's an interesting take on the topic.
  22. Introduction The notion of risk appetite is used by many organisations as an attempt to diligently balance competing priorities with limited resources. Such statements represent an organisational expression of risks and rewards in the value system of the board and senior decision makers. However, there are serious methodological difficulties with this attempt to treat all risks as having the same underlying nature when, for example, market risks are quite different in nature to safety risks. Market vs safety perspective In the business community, risk appetite has often been expressed as meaning that an outstanding outcome can justify taking greater chances to achieve success. In policy terms, this means encouraging the organisation to select projects and programs with greater rewards for similar effort, which is to be applauded. This interpretation of risk appetite is most relevant to the market risk paradigm. There remain some serious caveats to this approach. It is ordinarily unacceptable to adopt a course of action, which despite demonstrating an almost certain outstanding upside benefit, nevertheless has a low possibility of destroying the entire enterprise. A joint venture option is usually the way forward in such circumstances. Safety has a different perspective. Often the consequences of failure are so high that there is simply no appetite for it. The notion that anyone has an appetite for death and maiming is presently not acceptable in Australian society. The notion of danger money (increased pay due to the hazards associated with the work) has been firmly rejected. If a workplace is not safe then work must stop. Instead, provided the situation is not prohibitively dangerous, the requirement is for (safety) risk to be eliminated or reduced so far as is reasonably practicable (SFAIRP), a matter which can be forensically tested in court. This is a positive demonstration of safety due diligence. The diagram below shows this difference graphically. 
Diagram courtesy of Richard Robinson, R2A From an overall business perspective a better term may be a risk tolerance statement or, keeping it generic across the different risk domains, a risk position statement. A risk position statement would be an articulation of the board’s understanding of the key risk issues for the business and their understanding of the management and optimisation of these risks. It would become a quality assurance document to ensure the board can transparently demonstrate risk management governance to stakeholders including the community, government and, if necessary, the courts. Sources The content on this page was based primarily on the following sources: Robinson Richard M and Gaye E Francis (2019). Engineering Due Diligence (11th Edition). R2A Pty Ltd, Consulting Engineers.
  23. Introduction Resilience can be defined as the ability of a system to respond to rapid changes in a positive manner. A particular challenge for complex projects is building the maturity of internal control systems to increase resilience in the event of uncertainty and unpredictable risks. Challenges As the world becomes more dynamic and volatile, proponents of a resilience approach to risk management maintain that rather than finding ways to predict risks, risk practitioners need to focus on innovating in the area of building organisation-wide resilience to unpredictable risks. Challenges include designing internal management systems with the ability to weather rapid changes, disruption to operations, unexpected changes in government and trade alliances, as well as market shocks. Standards One standard relevant to processes for building resilience is AS/NZ 5050:2010 Business continuity - Managing disruption-related risk. This standard outlines a process of identifying critical business functions and protecting them to increase resilience. Sources: The content on this page was primarily sourced from: Webinar titled ‘Perspectives on Risk: Engineers, frameworks and new ways of thinking’, delivered to REBOK Community on 29 May 2018 by Warren Black, Principal and Founder, Complexus
  24. Introduction New approaches to risk management are emerging in response to increasingly large and complex project environments and systems with unpredictable risks. These include the application of complexity sciences to help organisations understand how complexity influences risk management. What is complexity? As complexity means different things to different people, there is no universally accepted definition, and within a single operating environment, a mix of simple and complex elements can exist. The formal study of complex phenomena is known as complexity science and includes a broad range of disciplines, such as chaos theory, systems thinking, resilience theory, network theory, social theory, and computational theory. Application of the complexity sciences has attracted interest from several fields including risk engineers, managers and practitioners due to their potential to improve the control of complex operating environments and related challenges such as risk and project management. What is a complex system? A complex system is an entity comprised of a large number of highly energised and interconnected contributing parts. In nature, some examples of complex systems are the weather and rainforests. The human world has also produced complex systems, including social structures such as political systems and economies, as well as large organisations, global communications networks, cities, and major projects. As the systems constructed by humans become more complex, risk engineers and other professions are striving to learn from natural complex systems in order to better understand the behaviour and challenges of human complex systems. 
Sources: The content on this page was primarily sourced from: Webinar titled ‘Perspectives on Risk: Engineers, frameworks and new ways of thinking’, delivered to REBOK Community on 29 May 2018 by Warren Black, Principal and Founder, Complexus Webinar titled ‘An Introduction to Complexity and How it Influences Risk Management’, Session 1, delivered to REBOK community on 30 April 2019 by Warren Black, Principal and Founder, Complexus and Geoff Hurst, Principal, ENGENEOHS Further Reading James Gleick, Chaos: Making a New Science John H Holland, Complexity: A Very Short Introduction Neil Johnson, Simply Complexity.
  25. Introduction While conventional risk management approaches work well when all risks are foreseeable, the increased prevalence of complex and uncertain environments has led to the need for scalable, fit-for-purpose management solutions. Challenges Conventional risk management approaches such as ISO 31000 are limited in their guidance on controlling unpredictable risks. There are many classes of unpredictable risk, including: Unknown risks Black Swans Rogue Waves Another challenge for conventional risk management systems is that the emphasis tends to be on identifying, measuring and treating specific risks rather than establishing internal controls to address areas of weakness and improve the resilience of systems faced with unpredictable risks. Conventional risk management models and standards should also be rigorously assessed to ensure they are tailored to specific projects and applications, rather than being applied in a ‘one-size-fits-all’ method. Emerging approaches Emerging approaches to risk management include: Complexity Sciences Resilience Sources: The content on this page was primarily sourced from: Webinar titled ‘Perspectives on Risk: Engineers, frameworks and new ways of thinking’, delivered to REBOK Community on 29 May 2018 by Warren Black, Principal and Founder, Complexus