asset management

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 1 of 23

Topic 7 - Risk Assessment and Management

Table of Contents Preview ...................................................................................................................................... 2

Learning Objectives ................................................................................................................ 2 Introduction ................................................................................................................................ 2

Risk Assessment and Management Principles ....................................................................... 2 Risk Management Processes ..................................................................................................... 4 Risk Management Context ......................................................................................................... 5 Risk Identification ....................................................................................................................... 7 Risk Analysis ............................................................................................................................10

Consequences and Probability ..............................................................................................10 Likelihood Ratings .................................................................................................................12 Consequence Ratings ...........................................................................................................12

Risk Treatment (Managing Risk) ...............................................................................................14 Prioritisation Based on Risk ......................................................................................................15 Monitoring and Reviewing Risk .................................................................................................16 Implementation of a Risk Management Plan .............................................................................16 Summary ..................................................................................................................................17 Review Questions .....................................................................................................................18 Review Questions and Sample Answer Summary ....................................................................19 References ...............................................................................................................................22

Readings ...............................................................................................................................22 Activities ................................................................................................................................23

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 2 of 23

Preview Learning Objectives The learning objectives of this topic are as follows:

• Examine the risk management context for an organisation in establishing its corporate risk framework to ensure consistent application of criteria against which risk can be measured.

• Analyse how to identify critical risks that might apply to a particular organisation and how these risks might manifest themselves.

• Examine risks applicable and derive a rating system to quantify the impacts of identified risks for various asset classes. Also identify and rank assets in terms of their risk exposure.

• Investigate treatments that can be applied to various assets or asset classes to minimise their risk exposure.

• Analyse how to prioritise action and projects based on a risk management process. • Discuss processes applicable to monitor and review risk management that deal with any

changes in risk profile.

Introduction

Risk Assessment and Management Principles There are various risks involved in providing services from infrastructure that may result in loss of the service or increased costs or in the worst case, injury or death to people. Risk management is increasingly being viewed as a core business driver that should influence all decision making, (not just for infrastructure assets management) and certainly should not be seen as an activity undertaken as an isolated process. Hence a corporate risk management framework needs to be consistently applied across the organisation. The degree of sophistication applied will be up to each organisation and no doubt dependant on the criticality of certain of its assets, and the resources it is prepared to commit to address its perceived risk exposure. In this topic, for the purpose of infrastructure asset management however, the issue of risk assessment/management will be addressed specifically with various asset classes in mind. Accordingly, recommended actions will differ depending upon asset types. However, the following general principles apply, and the risk management process steps are generally as follows:

1. Risk management context: establish the corporate risk framework, and risk policy including the criteria against which risk can be evaluated and who in the organisation has the responsibilities for risk management.

2. Risk identification: identify the risks an organisation may encounter and explain the impact of those risks on the organisation.

3. Risk analysis: establish a risk rating for each asset group and assess which assets represent the greatest risk for the organisation.

4. Risk treatment: identify what actions to take to appropriately mitigate risk at asset or asset group level. Evaluate based on cost versus risk reduction.

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 3 of 23

5. Monitor and review: the ongoing process for ensuring risk levels remain acceptable even if risks change.

Each of these will be addressed in detail as we work through this topic. Reading 7.1 Figure 3.2.2 from the IIMM on p 3/35 provides a pictorial presentation of the steps involved in the risk management process. Some organisations take a purely risk-based approach to decision making. The risk cost (or risk exposure) associated with the proposed projects are used to prioritise the option or project that should proceed first. Minimum risk management plans, as a first step, should clearly identify:

• the services to be delivered; • which assets are critical to the continued delivery of those services; • what could happen to compromise the continued service delivery or which may have an

adverse social, environmental or economic effect; • level of risk that is acceptable to the organisation; and • options to mitigate all those risks deemed unacceptable.

For the more advanced asset management planning, the risk management process is applied to all significant / critical assets at an individual level, and to less critical assets at a ‘group’ or ‘facility’ level. Organisations adopting more advanced risk management practices:

• Apply the risk management process to all significant/critical assets at an individual level, and to less critical assets at a group or facility level;

• Adopt a uniform approach to risk reduction across all business units; • Integrate risk processes into all key decision making processes; • Quantify failure for different failure modes (condition, hazard etc, likelihood of hazard

and likelihood of asset failure from that hazard; and • Quantify the rehabilitation and replacement required to meet the minimum acceptable

level of service without compromising the acceptable level of risk. (IIMM 2015 p 3/36) At this juncture, we should also note that there is an Australian and New Zealand ISO Standard AS/NZS ISO 31000 Risk Management which will be referenced for a fully rigorous description of risk management processes. (Standards Australia 2009) Risk Management is also quite an “industry” in its own right. There are associations devoted to this field and even a magazine published on this topic. Go to the following website for more detail. http://www.riskmanagementmagazine.com.au/

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 4 of 23

Risk Management Processes The IIMM defines risk, based on the ISO definition, as follows: Risk – The effect of uncertainty on objectives. Risk events are events which may compromise the delivery of the organisation’s strategic objectives. (IIMM 2015 p xxi) As highlighted above, risk management processes should be a corporate wide function and applied across all the activities of the organisation, not just its assets. Through such application, risk management then becomes a major factor in the subsequent decision making processes and consideration of how various projects or activities should be prioritised, given the dilemma of often scarce resources. We deal in the next topic in more detail about optimised decision making to prioritise allocation of resources to competing projects. Figure 3.2.3 in the IIMM on p 3/36 sets out some views on risk application across a typical organisation. So, what are some of the risks that one might expect to see faced by an infrastructure service provider type organisation? The following are some examples that might typically occur. You will note that these are not “exclusive” to an infrastructure provider and in fact could apply to many an organisation in other fields of activity. Conversely, the list is not exhaustive and there is likely to be other risks that could apply. Hence it is up to each organisation to carefully and thoroughly assess its own circumstances and identify all risks potentially applicable.

• Civil defence emergencies (natural disasters) • Occupational health and safety matters • Corporate and strategic direction issues such as business continuity. • Asset level risks • Financial and cash flow risks • Public and general liability. • Political and Legal risks • Environmental risks.

(IIMM 2015 p 3/35 and 3/36.)

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 5 of 23

The following Table from the NAMS.PLUS eBook also identifies similar risk issues that should be used as a prompt when considering the issues applicable to your organisation. Criterion Risk Evaluation Notes Operational Risks that have the potential to reduce services for a period of time

unacceptable to the community and/or adversely affect the organisation’s public image.

Technical Risks that cannot be treated by the organisation’s existing and/or readily available technical resources.

Financial Risks that cannot be treated within the organisation’s normal maintenance budgets or by reallocation of an annual capital works program.

Legal Risks that have the potential to generate unacceptable exposure to litigation. Social Risks that have the potential to:

- cause personal injury or death and/or - cause significant social/political disruption in the community.

Environmental Risks that have the potential to cause environmental harm. Risk Management Context Again, this is largely about the corporate wide approach before we get into the detail down at the asset level. Here we are focused on the organisation’s framework, policy and strategic objectives. This will establish the framework by which the risks will be addressed and set out the process for establishing probabilities and consequence to allow ranking of the risks involved. In setting up the organisation wide framework it is important to ensure that it complies with relevant standards such as the one mentioned previously, AS/NZS ISO 31000 Risk Management. The following are the hallmarks of successful implementation of a risk management program:

• Support for risk management at all levels of the organisation should be evident and achieved by training, education and briefing

• developing and communicating the organisation wide policy • management of risks at organisational level, program level, project level and service

level (or whatever sub-organisation levels exist) according to the policy • monitoring and review of risk management programs and their effectiveness as risks are

ever changing. In terms of a generic type framework, and applying this generally, this can be considered with the key concepts of asset based risk management, which are illustrated in the following figure and explained below:

1. Adopt and fully understand the risk management framework that will be used. 2. Know which adverse events (identifying the risks) that need to be controlled. 3. Predict the likelihood of the adverse events occurring. 4. Understand the full consequences of the adverse events. 5. Analyse with due consideration of critical assets. 6. Establish and prioritise programmes and projects to control and minimise the likelihood

and consequences of adverse events associated with critical assets. (IPWEA Sydney 2009)

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 6 of 23

These should all be pursued through the auspices of the risk management team.

(INGENIUM, 2006) A consistent risk framework should be applied within organizations across corporate, activity and operational levels to enable comparison of risks. The first step in risk management (in fact, with any management system) is to establish the objectives and scope of the risk management process with clear consideration of its business context. Risk objectives are generally presented in a corporate risk policy document. This document should demonstrate the organisation’s commitment to risk management and be able to be understood and applied at all levels of the organisation. (IIMM 2015 p 3/36) Some worthwhile points to note when deciding the scope of a risk management program are:

• Where an organisation seeks to transfer risk by insurance when an unacceptable business risk has been determined, the premium paid may relate to the level of confidence insurers have in an organisation’s risk management program.

• Insurance policies for infrastructure assets may limit liability when there is a failure to act to address a known risk.

• Risk management is mandatory in some circumstances if an organisation is to avoid prosecution (e.g. environmental regulations or health and safety legislation).

• The effort put into assessing and managing the risk needs to be proportional to the risk exposure but less than the potential risk reduction.

• A uniform approach to risk reduction across all business units as part of appropriate asset management is essential. This allows corporate management to judge the relative merits of risk across the organisation.

• Organisations must develop a clear picture of the assets that provide the services, current asset condition, decay profile, mode of failure, and the rehabilitation or

Set the Risk Management Framework: Objectives, Stakeholders, Criteria, Key Issues

Identify the Risks: What risks might exist, and how will they occur or what is their failure mode?

Evaluate the Risks:

What is the likelihood of the event happening?

What is the consequence of failure?

Rank the risk based on asset criticality

Condition based analysis of

replacement timing

Criticality Criteria: Consequences Health & safety

Tech. Obsolescence Service delivery

Maintenance needs

Control the Risks:

Provide reliable information to the Governing Body to prioritise projects

Monitor and Review / Asset Management Plan

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 7 of 23

replacement required to meet the minimum acceptable level of service, as expected by the customers, without compromising the acceptable level of risk.

• Risk cost to an organisation needs to be assessed for all failures from those needing minor maintenance, to major catastrophic structural failures. The costs of reduction or avoidance of risk needs to be quantified and weighed up against the benefit to the organisation.

Reading 7.2 A number of examples of risk management policies have been provided in the IIMM. Refer to Case Studies 3.10, 3.11, and 3.12 for such examples on p 3/37 of the IIMM.

Risk Identification Risk types can generally be categorised under some main headings as follows:

• Planning risks – includes service levels and natural disasters. • Management risks – systems, information, people, financial. • Delivery risks – procurement, project management. • Physical asset risks – asset failures etc

Reading 7.3 Refer to Figure 3.2.4 of the IIMM on page 3/38 for detail and explanation of various categories of risk types. For all asset portfolios, the seriousness of risks associated with those assets can vary, making some groups of assets more critical than others. Critical assets are defined as those which have a high consequence if they do not meet their level of service targets as distinct from not necessarily having a high probability of failure. It is important to identify which assets are most critical as well as the possible ways in which they might fail to meet their service standards. It is then possible to target and refine maintenance plans, capital expenditure plans, and investigative activities focused on these more critical assets or components of those assets. It may be acceptable to allow some assets or components to fail because there is limited consequence, but other assets must not be allowed to fail as this may reduce service delivery, impact health and safety, or create unacceptable costs associated with the failure. The intent in assigning criticality to various assets is to allow the appropriate development of priorities through risk mitigation plans and to incorporate the results of these plans into the intervention process. The following Table gives an example of how criticality ranking can be applied for assets such as buildings: Organisations can use this table to determine the appropriate rating for criticality at facility level or individual building level.

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 8 of 23

Functional Purpose Specified Standard Rating

High profile purpose with critical results (e.g. Entertainment Centre) or high profile public building (e.g. Council Administration Building).

Building to be in the best possible condition. Only minimal deterioration will be allowed.

CR5

Good public presentation and a high quality working environment are necessary (e.g. Library, Branch Office building).

Building to be in good condition operationally and aesthetically, benchmarked against industry standards for that class of asset.

CR4

Functionally-focused building (e.g. Depot facility, Treatment plant building).

Building to be in reasonable condition, fully meeting operational requirements.

CR3

Ancillary functions only with no critical operational role (e.g. storage, pump station building) or building has a limited life.

Building to meet minimum operational requirements only.

CR2

Building is no longer operational - it is dormant, pending disposal, demolition, etc.

Building can be allowed to deteriorate, however, must be marginally maintained to meet minimum statutory requirements.

CR1

(IPWEA 2009) All decisions about the rehabilitation, replacement or disposal of an asset and the timing for such activities should be based on a sound determination of what the critical failure mode is. This will ensure an organisation focuses on the assets and failures that can have the most impact on its business. If the critical failure mode for an asset can be determined, it is possible to target and refine maintenance plans, capital expenditure plans and investigative activities to address that failure. There are a number of processes for identification of risks, but one found to be effective is a workshop of key organisation personnel brainstorming to come up with all possible scenarios. The precursor to such a workshop is ensuring that all participants are familiar with the organisation's risk policy, and objectives. The following questions are good prompts for this process:

• What are the risks to achieving the organisation’s objectives, particularly relating to sustainable delivery to the agreed levels of service?

• What is the source of each risk? • What might happen? • What would the effect be? • When, where, why and how are these risks likely to occur? • Who might be involved or impacted? • What controls presently exist? • What could cause the control to not have the desired effect on the risk?

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 9 of 23

Once risks are identified they are generally recorded in a risk register. Usually there will be a formal six monthly or annual review of the risk register. There should also be processes for recording other risks as they are identified. All of this should be managed through the risk management team. Reading 7.4 Refer to Figures 3.2.6 and 3.2.7 in the IIMM on p 3/39 and 3/40 for examples of various levels of risk registers applied in practice. Risk events could be grouped into:

• Natural events, where there is no real control over the timing or the extent of the event, although the probabilities may be understood e.g. floods, lightning strikes, high winds

• External impacts, for example other organisations not providing services that impact on the organisation or individuals, such as power supply failures, material supply failures

• Physical failure risks, where condition or performance of the asset could lead to failure • Operational risks, where errors in the management of the asset or asset management

activities might impact adversely on the performance of an asset. As mentioned before, it is important to identify critical assets as well as the critical failure modes. A common approach is to begin at a high, broad level for risk identification. It is then possible to target and refine maintenance plans, capital expenditure plans, and investigative activities, focusing on the critical areas identified from the initial assessments. An organisation with highly critical assets may record risks at an individual asset level or even at component level and look at the various risks of failure such as:

• Structural: where the physical condition of the asset is the measure of deterioration, service potential and remaining life.

• Capacity / utilisation: where it is necessary to understand the level of under- or over- capacity against the required level of service to establish remaining life or timing for renewal.

• Level of service failures: e.g. reliability, image, where performance targets are not achieved.

• Obsolescence: technological change or lack of replacement parts can render assets uneconomic to operate or maintain.

• Cost or economic impact: where the cost to maintain and operate an asset is likely to exceed the economic return expected, or the customer's willingness to pay, to retain an asset.

Understanding the above failure modes will allow an organisation to plan for the impacts of an event. An organisation needs to continually review the possible failure modes as they can be influenced by external events. As well as direct impacts on assets, the events will usually pose a risk by impacting directly or indirectly on customers and possibly others. The legal liability for nuisance, negligence and third party damage needs to be recognized. Reading 7.5 Refer to Case Study 3.13 in the IIMM on p 3/42 for an example of asset criticality analysis.

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 10 of 23

Reading 7.6 Read about the 2008 road collapse at Gosford where the Coroners inquest placed blame on the Council for poor asset management practice and lack of proper risk assessments.

Refer also to Case Study 3.15 in the IIMM on p 3/46 for an update on the legal position on legal liability for road authorities. Activity 7.1 For a particular group of infrastructure assets that you are familiar with, through discussion with staff responsible for those assets, list out the critical components in order of criticality and also list the possible failure modes. Risk Analysis This involves a systematic approach to identify which risks are “severe” and which could not be tolerated. This allows an organisation to develop its “attitude” to risk ie. What actions it proposes to address that risk exposure. You will note that some literature refers to “risk appetite” but this is criticised in some risk management circles as being a confusing term. ISO 31000 uses the term risk attitude.

Consequences and Probability

The overall risk depends on both the probability and consequence of the event. To estimate the level of risk, organisations should determine:

• the consequences of failure for events • the probability of failure of the asset • the probability of the event occurring.

At a simple level, the risk can be assessed using a qualitative matrix approach as described later. For a more advanced approach, risk may be quantified in dollar terms: Risk $ = Business Risk Exposure = Cost of Consequences x Probability of a Failure Typically, data that is called upon to make these assessments, can include:

• Subjective assessment based on experience and professional judgement; • Asset attribute data, location and operating context this information is commonly held in

asset management information systems, GIS and, in the case of linear assets, network models;

• Data sets capturing and analysing natural events, such as rainfall, tides, temperature, earthquakes, tsunamis, cyclones, electrical storms, etc;

• Specific studies into asset or service issues such as analysis of past failure events to identify causes, consequences and likelihoods; and

• Outcomes from user or community consultation into expectations and perceptions.

(IIMM 2015 p 3/42)

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 11 of 23

The probability of physical failure of an asset is closely related to the current condition of the asset, hence the importance of realistic and accurate condition assessment which we addressed in the previous Topic. Factors such as redundancy of systems must be accounted for when developing probabilities of failure of assets or systems.The probability of natural and external events is determined less easily but reports of detailed studies are available on the likelihood of occurrence of particular events. Risk events typically arise from some significant initiating event like a major rainfall event, earthquake or the like. These then lead to a number of various consequences, each with its own probability. These probabilities can be determined from fault tree and event tree analyses, expert opinion and computer modelling. Probability can be assessed in a qualitative way (e.g. A to E scale) or a quantitative way (e.g. probability of 0.02). The qualitative assessments feeds into the risk matrix approach, the statistical probability is required for those quantifying risk dollars. (IIMM 2015 p 3/42) The following Table 3.2.1 from the IIMM demonstrates a combination of approaches in establishing a probability of failure. Note that when we use the term “failure” we mean failing to meet the assets service level objectives.

(IIMM 2015 p 3/44) Consequences of failure are linked to the asset types and should be considered in terms of how they score against a triple bottom line sustainability score card of Economic, Social and Environmental factors. Such should include: Economic Factors Social Factors Environmental Factors Organisational  Repair costs  Loss of income  Fines/litigation Community  Damage to property  Third party losses  Business impacts

Organisational  Loss of life, or injury  Health impacts  Loss of image  Reputation/integrity Community  Loss of service  Loss of life, or injury  Health impacts

 Organisational  Failure to meet statutory

requirements  Fines

Community  Environmental damage

(IPWEA 2007b)

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 12 of 23

Reading 7.7 Refer to Table 3.2.2 from the IIMM on p 3/44 for a detailed Table of examples of a risk consequence rating system. By applying the risk analysis approach, identifying the probability, likelihood and consequence of various events for particular assets, a risk rating can be determined that then gives a lead as to recommended action. For qualitative analysis, a matrix of consequences against likelihood can be used, as illustrated in the following tables:

Likelihood Ratings Likelihood ratings are shown below.

Likelihood Descriptor Probability of occurrence Rare May occur only in exceptional circumstances More than 20 years Unlikely Could occur at some time Within 10-20 years Possible Might occur at some time Within 3-5 years Likely Will probably occur in most circumstances Within 2 years Almost certain Expected to occur in most circumstances Within 1 year

Consequence Ratings

Consequences ratings are shown below.

Consequences Description Insignificant No injuries, low financial loss (less than $10,000) Minor First aid treatment, on-site release immediately contained, medium

financial loss ($10,000 - $50,000) Moderate Medical treatment required, on-site release contained with outside

assistance, high financial loss ($50,000 - $200,000) Major Extensive injuries, loss of production capacity, off-site release with no

detrimental effects, major financial loss ($200,000 - $1,000,000) Catastrophic Deaths, toxic release off-site with detrimental effect, huge financial loss

(more than $1M) The likelihood and consequences levels should be reviewed by each council to ensure that measures of likelihood and consequences are applicable to their council’s circumstances. Columns ‘Level of Risk’ and ‘Action required’ can then be generated from the ‘Likelihood’ and Consequences’ data fields using the level of risk matrix and risk action relationships below.

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 13 of 23

Risk Rating Likelihood

Consequences Insignificant Minor Moderate Major Catastrophic

Rare L L M M H Unlikely L L M M H Possible L M H H H Likely M M H H VH Almost Certain M H H VH VH

(IPWEA, 2007)

Level of Risk Action required VH Very High Risk Immediate corrective action H High Risk Prioritised action required M Medium Risk Planned action required L Low Risk Manage by routine procedures

(IPWEA, 2007) The identified unacceptable risks, should be the outcome of applying the organisations risk management policy and risk management framework. This typically involves assessing risks at three levels:

• “Gross” or inherent risk. This is the risk assessed assuming that there are no systems, processes or resources to manage the event.

• Current risk. This is the risk assessed assuming the current systems, processes or resources are in place to manage the event.

• Residual risk. This is the risk assessed assuming the additional systems, processes or resources associated with the selected treatment option to reduce current risk are in place.

(IIMM 2015 pp 3/44 and 3/45) Reading 7.8 Read the section on Overall Risk Ranking and Figure 3.2.9 in the IIMM on pp 3/44 and 3/45 to gain an understanding of the ranking principles.

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 14 of 23

Risk Treatment (Managing Risk) Having come up with a risk rating, which will identify those higher or extreme risks, the high consequence events and those with legal or compliance ramifications, the next step is deciding on what options are going to be considered to deal with the unacceptable risks. Such should, of course, include an assessment of all current risk treatments. When an asset is expected to fail in the future, then strategies can be developed to avoid or react to the failure. If the failure of an asset is critical to the organisation, failure avoidance is likely to be more effective than reactive activities. Organisations need to weigh the cost of avoidance against the costs incurred by accepting risk. This involves a cost-benefit analysis - some risks can be addressed more easily (and cost effectively) than others. Several strategies to manage the total business risk are available:

• Reduce the risk by pro-active capital or maintenance expenditure i.e. Reduce the probability of failure

• Reduce the impact of a failure by actions such as preparing emergency response plans • Accept some risk and carry the consequential costs • Insure against the consequential costs • A combination of the above.

Implementation of these strategies will require an evaluation of:

• The cause of failure and the failure mode • Impact and probability of failure and its criticality • The current controls to manage the asset for that failure mode, e.g. Maintenance plan,

rehabilitation plan, augmentation plan • What treatment options are available to:

o reduce the probability of failure o reduce the impact of failure

• The suitability and economics of those treatments to ensure reduced business risk. This step involves the costing of the risk reduction treatment and the savings from risk reduction. Risk reduction treatments rarely avoid risk altogether, and the risk cost associated with any residual risk needs to be calculated to identify risk reduction savings. The greater the benefit (savings) to cost ratio, the more beneficial is the treatment. (IIMM 2015 p 3/45) Activity 7.2 For the same group of infrastructure assets that you selected in Activity 7.1, select a particular critical component and a possible failure mode. Carry out a risk analysis by using the matrices in the previous section and then develop a risk treatment option for this scenario.

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 15 of 23

Prioritisation Based on Risk As mentioned earlier, prioritisation and optimised decision making go hand in hand and we will deal with the latter in full detail in the next Topic. For now however, it is important to note the role that risk management processes and framework play in deciding the priority for projects or maintenance activities. Through the use of some simple ranking processes and a degree of cost benefit analysis, a logical plan of action priority can be developed with due account of available funding. This process can also be a powerful tool for the setting of budgets. The matrices on the previous page were already heading in this direction. Prioritising of work needs an intimate knowledge of what the various options entail. Armed with such knowledge, we must then assess risk treatment options against costs and residual risk. The method of assessment of risk treatment options can range from an assessment by a local group of stakeholders and practitioners experienced in operation and management of the assets/service to detailed risk cost and risk reduction cost/benefit analysis. The next step is to select optimum risk treatments that then make up the prioritised risk treatment plans. Selecting the most appropriate option involves balancing the costs of implementing each option against the benefits derived from it. In general, the costs of managing risks need to be commensurate with the benefits obtained. It is important to consider all direct and indirect costs and benefits whether tangible or intangible and measured in financial or other terms. A number of options may be considered and applied either individually or in combination. Where a risk treatment or risk action plan is prepared that sets out prioritised projects or actions, it should contain at least the following for each project:

• Actions • Responsibility • Resources required • Budget • Date due

It could also include additional data on final rankings, as well as details on the probability and consequence of failure as well as the risk factor derived.

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 16 of 23

Monitoring and Reviewing Risk As part of the continuous improvement process and to ensure currency of the risk management process, there needs to be a system in place for monitoring and review of the risks, the risk management policy and framework and the risk treatment plan. Where possible, this monitoring and review process should be incorporated into existing review methods. This is part of moving from a minimum or core level approach to the more sophisticated advanced approach. The risk management team and senior management of the organisation should review suggestions arising from this process and make appropriate changes to suit individual organisation needs and processes.

(IPWEA Sydney 2007b) The objective should be for risk management to be seen as an integral part of overall business decision-making and not a stand-alone process.

Implementation of a Risk Management Plan As detailed in the IIMM, AS/NZ S ISO 31000 lists some good suggestions for successful implementation of a risk management approach. These are repeated here, as follows: Strong and sustained commitment by management. This includes:

• defining and endorsing the risk management policy; • ensuring alignment between the organisation’s culture and the risk management policy; • ensuring alignment between risk management objectives and the organisation’s

strategic objectives; • defining risk management performance indicators which align with organisational

performance indicators; and • ensuring legal and regulatory compliance.

Activity Review Process Review of new risks and changes to existing risks

Annual review by team with stakeholders and report to council using the RM framework.

Review of Risk Management Policy and framework.

3 yearly review and re-write by team and report to council

Performance review of Risk Treatment Plan

Action plan tasks incorporated in council staff performance criteria with 6 monthly performance reviews. Action plan tasks for other organisations reviewed at annual team review meeting

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 17 of 23

Appropriate framework design. The framework should:

• reflect the organisation and its context; • clearly present the risk management policy; • identify resources and accountabilities; • be integrated into the organisation’s practices and processes, rather than considered as

a stand-alone task; and • establish clear communication and reporting mechanisms.

Communication and consultation. Communication and consultation with stakeholders to:

• raise awareness; • ensure that the policy and framework is understood and applied appropriately; and • ensure that the framework remains relevant and appropriate.

(IIMM 2015 p 3/47) Reading 7.9 Read case studies 3.16, 3.17 and 3.18, from the IIMM pages 3/48, 3/49 and 3/50 for some examples of risk management processes and frameworks for various infrastructure industry sectors. Summary In this Topic 7, we have focused on the important role that risk plays in the whole decision making process for any organisation but particularly so for infrastructure asset managing organisations. Infrastructure management by its very nature involves inherent risks of “failure” leading to potential loss of service, or even worse, injury or death. So risk management is a vital part of the whole infrastructure asset management process. We started off in this topic by considering some of the likely risks an infrastructure organisation could face and the corporate framework needed to be established to address these. We highlighted the importance of a corporate wide risk management team. Setting a corporate wide context with appropriate policy and communication of the framework was emphasised. We also introduced the AS/NZ ISO Standard on Risk Management as a good tool to use. A generic type framework was introduced along with some pointers to note when scoping out a risk management program. Risk identification was the next topic introduced and this focused not only on the likely risks but also those assets or components of assets deemed to be most critical in terms of the consequences if they failed. This then lead into risk analysis and various tools such as matrices of likelihood and consequence ratings were introduced leading into a risk rating where we match up likelihood versus consequence which then prompts possible action based on the severity of the risk rating.

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 18 of 23

Topic 7 then moved into risk treatment where we make decisions about how to manage the identified risks and possible strategies that can be employed to moderate the level of risk exposure. Decisions about what action to take, fairly obviously includes the dilemma of how to schedule competing tasks or projects. Hence we introduce prioritisation of projects based on risk and mention also later work that will address optimised decision making. The topic then reinforces the principles of continuous improvement with monitoring and reviewing of the risk management process being highlighted as so necessary to make sure we identify any new risks that might have developed. The concepts of moving from a core to an advanced approach in risk management is also again emphasised as part of that continuous improvement process. The next Topic logically starts to look at various decision-making techniques based on asset life-cycle and all the inputs we have addressed in the 7 topics to date. Review Questions

1. Spell out what you believe to be an appropriate risk management process and framework for an infrastructure organisation managing assets for service delivery and what are some of the important issues that should be inherent in the way the organisation approaches risk management?

2. What steps would you follow in identifying the risks that might be faced by a typical infrastructure organisation and assessing the criticality of those risks?

3. Having identified potential risks in a risk register, how would you go about analysing those risks to come up with a risk rating for any particular event for the assets involved?

4. Based on the risk analysis carried out, which has come up with a risk rating, what would you now do about developing an appropriate risk treatment?

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 19 of 23

Review Questions and Sample Answer Summary 1. Spell out what you believe to be an appropriate risk management process and framework

for an infrastructure organisation managing assets for service delivery and what are some of the important issues that should be inherent in the way the organisation approaches risk management?

Answer Summary dot points;

• Risk Management Framework -List the common steps that should be followed: o Risk management context: establish the corporate risk framework, including the

criteria against which risk can be evaluated and who in the organisation has the responsibilities for risk management.

o Risk identification: identify the risks an organisation may encounter and explain the impact of those risks on the organisation.

o Risk analysis: establish a risk rating for each asset group and assess which assets represent the greatest risk for the organisation.

o Risk treatment: identify what actions to take to minimise risk at asset or asset group level.

o Monitor and review: the ongoing process for ensuring risk levels remain acceptable even if risks change.

• Some important issues that should be addressed: o Establishing a risk management team o Ensuring a corporate wide approach o Support for risk management at all levels of the organisation should be evident

and achieved by training, education and briefing o Developing and communicating the organisation wide policy o Management of risks at organisational level, program level, project level and

service level (or whatever sub-organisation levels exist) according to the policy o Monitoring and review of risk management programs and their effectiveness as

risks are ever changing. 2. What steps would you follow in identifying the risks that might be faced by a typical

infrastructure organisation and assessing the criticality of those risks? Answer Summary dot points;

• List the following possible categories of risks as ones to consider for inclusion in a risk register:

Operational Technical Financial Legal Social Environmental

Discuss the issues of criticality for various assets or components and how they might be ranked with a rating of one to five depending on an assessment of the consequences of that asset failing.

• List and discuss a number of categories that risks can generally be grouped under as follows:

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 20 of 23

o Structural: where the physical condition of the asset is the measure of deterioration, service potential and remaining life.

o Capacity / utilisation: where it is necessary to understand the level of under- or overcapacity against the required level of service to establish remaining life or timing for renewal.

o Level of service failures: e.g. reliability, image, where performance targets are not achieved.

o Obsolescence: technological change or lack of replacement parts can render assets uneconomic to operate or maintain.

o Cost or economic impact: where the cost to maintain and operate an asset is likely to exceed the economic return expected, or the customer's willingness to pay, to retain an asset.

3. Having identified potential risks in a risk register, how would you go about analysing those

risks to come up with a risk rating for any particular event for the assets involved?

Answer Summary dot points; • Comment on the overall risk being dependant on both the probability and consequence

of the event. Accordingly, to estimate the level of risk, organisations should determine: o the consequences of failure for events o the probability of failure of the asset, and o the probability of the event occurring.

• Develop a “likelihood” rating on scale of 1 to 5 (rare to almost certain) based on probability of that event occuring.

• Develop a “consequence” rating on scale of 1 to 5 based on the impact of that asset failing in the event under analysis with a range from insignificant to catastrophic.

• Apply these ratings in a risk rating matrix such as that in the earlier material to come up with a risk rating level from low to extreme for the derived likelihood and consequence ratings

4. Based on the risk analysis carried out, which has come up with a risk rating, what would you

now do about developing an appropriate risk treatment?

Answer Summary dot points;- • Discuss the typical strategies that could be followed in managing overall organization

risk for the case under consideration: o Reduce the risk by pro-active capital or maintenance expenditure i.e. reduce the

probability of failure o Reduce the impact of a failure by actions such as preparing emergency response

plans o Accept some risk and carry the consequential costs o Insure against the consequential costs o a combination of the above.

• Evaluate the options under consideration for that particular risk analysis and assess: o the cause of failure and the failure mode o impact and probability of failure and its criticality o the current controls to manage the asset for that failure mode, e.g. maintenance

plan, rehabilitation plan, augmentation plan o what treatment options are available to:

 reduce the probability of failure

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 21 of 23

 reduce the impact of failure o the suitability and economics of those treatments to ensure reduced business

risk. • Prioritise the proposed action in line with other competing actions derived from the

overall risk management process, using various techniques such as cost/benefit analysis.

• Remember that where actions have been developed into projects, these should include detail of the action proposed, who is to be responsible for such, resources required, a budget for the work, and a time frame for completion.

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 22 of 23

References INGENIUM (2006) NAMS Property Manual Association of Local Government Engineering

New Zealand Inc. Thames, New Zealand

IPWEA (2007) NAMS.PLUS Asset Management Institute of Public Works Engineering

Australia, Sydney

IPWEA (2007) Condition Assessment and Asset Performance Guidelines – Preamble

Document Institute of Public Works Engineering Australia, Sydney

IPWEA (2009) Buildings Condition and Performance Assessment Guidelines Institute of

Public Works Engineering Australia, Sydney

IPWEA (2015) International Infrastructure Management Manual V 5.0.

Standards Australia (2009) Australian Standard AS/NZS ISO 31000 Risk Management

Readings Reading 7.1 Figure 3.2.2 from the IIMM on p 3/35 provides a pictorial presentation of the

steps involved in the risk management process. Reading 7.2 A number of examples of risk management policies have been provided in the

IIMM. Refer to Case Studies 3.10, 3.11, and 3.12 for such examples on p 3/37 of the IIMM.

Reading 7.3 Refer to Figure 3.2.4 of the IIMM on page 3/38 for detail and explanation of

various categories of risk types.

Reading 7.4 Refer to Figures 3.2.6 and 3.2.7 in the IIMM on p 3/39 and 3/40 for examples of various levels of risk registers applied in practice.

Reading 7.5 Refer to Case Study 3.13 in the IIMM on p 3/42 for an example of asset criticality

analysis. Reading 7.6 Read about the 2008 road collapse at Gosford where the Coroners inquest

placed blame on the Council for poor asset management practice and lack of proper risk assessments.

Refer also to Case Study 3.15 in the IIMM on p 3/46 for an update on the legal position on legal liability for road authorities.

Source: Gosford Council blamed for Road Collapse downloaded from

Asset Management Fundamentals: Topic 7 - Risk Assessment and Management

Centre for Pavement Engineering Education Inc: 4YNMHPR6JJ7C-96203995-366 Document Version Number : 2.0 Uncontrolled when printed Page 23 of 23

http://www.smh.com.au/national/coroner-blames-gosford-council-for-road- collapse-20080918-4j7q.html on 3rd January 2016

Reading 7.7 Refer to Table 3.2.2 from the IIMM on p 3/44 for a detailed Table of examples of a risk consequence rating system.

Reading 7.8 Read the section on Overall Risk Ranking and Figure 3.2.9 in the IIMM on pp 3/44 and 3/45 to gain an understanding of the ranking principles.

Reading 7.9 Read case studies 3.16, 3.17 and 3.18, from the IIMM pages 3/48, 3/49 and 3/50

for some examples of risk management processes and frameworks for various infrastructure industry sectors.

Activities Activity 7.1 For a particular group of infrastructure assets that you are familiar with, through

discussion with staff responsible for those assets, list out the critical components in order of criticality and also list the possible failure modes.

Activity 7.2 For the same group of infrastructure assets that you selected in Activity 7.1, select a particular critical component and a possible failure mode. Carry out a risk analysis by using the matrices in the previous section and then develop a risk treatment option for this scenario.