46
Feature article which will often be the business units. Another approach is to set enterprise-wide definitions of consequence and likelihood, and this is becoming increasingly common. However, even with enterprisewide definitions in place, it is still not unusual to see the same risk weighted differently by different business units. This problem can be solved by centralised or corporate arbitration, but at the cost of disengagement of individual business units. This is especially the case with regards to the management of assets and networks of assets, because there is still a widespread view that asset management is primarily and solely about managing assets. By contrast, best practice asset management focuses on the management of services delivered by assets, rather than the assets themselves (and this is articulated in the forthcoming ISO 55000 series). Risks to service levels need to be managed, rather than risks to assets themselves, which therefore requires a focus on those assets that are critical to service provision. The key trade-off required is, therefore, not between costs/funds/resources and asset condition, but between costs/funds/resources, level of service, and risk to those levels of service. Reducing funding on assets can result in both a reduction in level of service, and an increase in organisational risk. The relationship between these three concepts can be cryptic, however, and not obvious. The implication is that these three key variables need to be measured in an internally consistent manner so that they can be directly compared. What we generally find is that expenditure is measured, level of service is sometimes measured, but risk to not meeting the required level of service is not.
Tsunami storm barrier in Tsugaru, Japan – an example of managing a high-consequence/low-likelihood risk category. a practice that is relatively uncommon, partly as a result of the lack of a time domain in most risk tables. This is further complicated by relationships between historical events, which are commonly used as a proxy for future risk. By making this connection, we are assuming the past represents the future. In doing so we are managing ourselves in a way that implicitly assumes that the past is a perfect representation of the future, which cannot always be the case, especially with regards to climate change and future economic conditions. It is the difference between the past and future where the most risk lies.
When and hOW tO Manage RisKs
A more insidious problem when using risk tables (tables of consequence and likelihood) to manage risk is that the majority of risks fall into the ‘medium’ risk categories in the middle part of the table. This means that risk managers feel that they have to prioritise or choose between allocating resources to managing, for example, a devastating tsunami or climate-change mediated major weather event (high consequence/low likelihood), or the leakage of a rural trunk main that occurs annually but impacts only a small number of residents (high-likelihood/low-consequence).
When should risks be managed or, more importantly, when should risk management be practiced? Surveys like KPMG’s consistently highlight the patchiness around risk management within both medium-sized and large organisations. As highlighted, it is common practice to allocate risk management responsibilities unevenly throughout corporate administrative functions (for example, a dedicated risk manager) and diffusely within business units. Similarly, risk management is commonly a mixture of processes and procedures and culture.
In the case of the rare extreme natural hazards, our minds are ideally suited to misinterpreting the risks of these rare events, sometimes described as ‘Black Swan’ events, a term coined by Lebanese-American essayist, scholar and statistician, Nassim Taleb.
The answer to when to manage risks is simple: constantly and relentlessly. When considering how to manage risks, it is clear that all staff within organisations cannot simply be redirected towards exclusively managing risks. However, like health and safety risk management, all forms of risk management need to be embedded in the culture of the organisation. Like health and safety, it will also take several decades for such a culture to be fully embedded. While we have become very effective in our personal lives at transferring risk away from ourselves, at an organisational level we are often less effective.
RisK liFesPan Managing these supposedly equal risks can be addressed through a better understanding of the organisation risk appetite, as described later. However, the other factor to keep in mind is the lifespan of the risk. In the examples used above (a rare natural hazard or a low-level leak), the rare event will have the same long-term likelihood of occurrence every year (although climate change may increase the average annual likelihood), but the pipe will continue to downgrade over a timescale of years. Hence the risk profile of the pipe changes more rapidly over time, while the long-term average of the rare event remains more consistent often over decadal timescales. This does not mean that the long-term risks can be ignored, or that an extreme event will not occur anytime soon, as the long-term return periods of natural events only describe the probability of such an event occurring within any particular year – they still actually happen. It also does not mean that the trunk repair is necessarily prioritised over the rare events, but it does highlight the need to capture the lifespan of risks when identifying and assessing risks,
water November 2013
This brings us back to the all-important how. Considering the fundamentals, risk management at some stage requires the allocation of resources. Most asset-intensive organisations have clear processes for allocating resources. However, these commonly only implicitly map onto risk at best. For example, it is common within asset-intensive organisations to develop rolling and annual capital investments plans, describing CAPEX and OPEX expenditure. It is also common to have each business unit develop these independently, for aggregation at corporate level. It is also common to use economic cost-benefit type analyses to prioritise this expenditure. Cost-benefit approaches reveal whether the general benefits exceed the costs. However, the assessed benefits rarely explicitly quantify the risk reduced. These sorts of