About Implementing the Risk Management Process Within an Asset Management Organization

by

This white paper discusses the experience of implementing a risk management process within an Asset Management organization. It discusses three important subjects that need to be considered while implementing risk management – the different perspectives between day-to-day operations and risk-based asset planning, asset risk versus business risk, and the n-to-n relationship between issues and risks. This paper has been shaped around a real case Example 1.

INTRODUCTION OF RISK MANAGEMENT BACKGROUND

Case Example: A fieldworker is doing some inspection work around a Mid Voltage station and stumbles over some loose stones in the pavement around the station. Question: Is this a risk?

Before we continue exploring this case, some definition and context is needed. A generic definition of risk management is:

Risk = Likelihood * Impact

When talking about risk management within the context of asset management, we have to narrow the scope. Our specific focus on risk within the asset management process is the connection between Business Risk and Decision Risk.

Figure 1. Risk Management within Asset Management

We define risk management as managing potential events that could have a negative impact on the business objectives related to the assets or management of those assets.

1 Case example text can be recognized in this document by the red font color.

The risk management process within asset management is part of the core decision-making process and consists of two steps. The first is the identification of issues and the second is the determination and analysis of risks. Other steps in the core decision-making process include the design of solutions, the selection of the optimal portfolio, and the contracting of work packages from the selected portfolio. In a best practice asset management process, all of these process steps are strongly connected to each other. This is called the “line of sight” of asset management processes, meaning that you’re able to relate your work packages back to projects/programs to solutions to risks.

Figure 2. Core decision-making process within asset management

The different perspectives between the day-to-day operations and the (risk-based) asset planning process.

Many mistakes have been made in implementing risk management by not understanding that day-today operations and (risk-based) asset planning operate in different time periods. The best way to explain this is with the example of our stumbling fieldworker.

The fieldworker realizes after he had stumbled that he had a narrow escape from a serious injury. He could have broken a leg or even worse! This must be a safety risk. The first thing he does is enter the incident in the issue register and ask the risk analyst to undertake an analysis of the incident to find out whether this is a high-ranked risk or a medium to small risk. He then waits on the outcome of the risk analysis before he takes any further action.

This is not a fictitious example; it is a real case from a utility in the early implementation stage of a risk-based asset planning process. The mistake which was made was not having a clear understanding of the different focus of day-to-day operations versus that of risk-based asset planning. Risk management as part of the risk-based asset planning process should focus on threats in the future. Day-to-day operations should focus on actions in the here and now. Once he understood the focus of each, the fieldworker would have acted differently. A good practice process would lead to the following occurrence.

The fieldworker realizes after stumbling over the stones that this is a safety issue. He immediately starts repairing the loose stones in the pavement. At the end of the day, he is back at the office and books his working hours. When this year’s budget was created, a portion was allocated to “small repair and maintenance work”. The time he spent in the repair of the pavement is charged against this account.

The company also wants him to track safety incidents, so he reports the incident in the safety incident tracking system.

The risk analyst periodically looks at all systems which track incidents and sees the new safety incident report. He enters this issue in the issue register (or updates an existing one). He also collects other information which is reported in other maintenance and failure systems and enters these in the issue register. Because there are several similar incidents reported, he decides to perform analysis on the available data. He suspects that the current policy is not sufficient and needs to be updated. This might have an impact on civil maintenance and budgets for next year.

Figure 2. Different perspectives between day-to-day operations and risk-based asset planning process

The key message here is to understand the different perspectives between day-to-day operations and the risk-based asset planning process and to keep these processes separated from each other. Not separating these processes will lead to resistance especially in the day-to-day operational process, where people will consider the risk management process as additional bureaucracy not adding any value.

ASSET RISK VERSUS BUSINESS RISK

Another topic over which confusion often occurs is the difference between Asset Risk and Business Risk. Asset Risk refers to the functional failure of assets. However, particularly in the area of maintenance management, these functional failures are considered to be a business risk. This is not the case as can be explained by further exploring our example.

The risk analyst starts evaluating the entered issue in the issue register which describes the incident of the fieldworker. The analyst looks at the description of the issue and assumes that this is a safety risk. He takes the existing risk matrix of the company and starts thinking about the stones in the pavement. The function of the stones in the pavement is to provide a smooth path for fieldworkers to be able to safely walk around the Mid Voltage station. This function has been disturbed. Due to this a severe safety incident almost occurred. He has a look at the risk matrix: the impact of this functional failure, in this case, is low. The frequency was at least once this year. It appears that the overall risk assessment tells him that this is a low risk and therefore acceptable. Since it falls within the pre-established risk tolerance, it will not lead to any action.

The mistake in the methodology described is that the risk analyst began his risk analysis by focusing on the asset and the functional failure of the asset. First, he focused on the incident which occurred, rather than potential future risks. In addition, he didn’t consider a future threat impacting business objectives, rather he focused on component failure which is typically what you would do when assessing maintenance policy. What he should have done is define hypotheses of events that could cause threats in the future. These threats should be evaluated on the level of risk and eventually mitigating actions should be derived. In our case study this would occur as follows:

The risk analyst starts evaluating the entered issues in the issue register. He does some reporting on geographical analysis and some reporting on asset analysis. From the analysis, he discovers that several issues have been reported regarding Mid Voltage stations. Several leaking roofs of Mid Voltage stations have been reported over the past three months. Also, several complaints have been reported regarding painting of doors and window casings. The analyst also had a look in the workflow system and discovered that actual maintenance spend on Mid Voltage station is far behind the expected realization. He formulates two hypotheses of potential threats;

– Delays in maintenance cause a major short circuit leading to a blackout of a city with 100,000 citizens having more than 4 hours loss of electricity supply

– Incorrect maintenance (i.e., the wrong maintenance policy) of Mid Voltage stations cause a major short circuit leading to a blackout of a city with 100,000 citizens having more than 4 hours loss of electricity supply.

Both potential threats are evaluated with the risk matrix and lead to the conclusion that these are severe risks and mitigating actions need to be taken.

This case demonstrates the skill set needed for a risk analyst – the ability to look beyond the functional failure of a component and the capability to translate leading indicators into the root causes and hypotheses of actual threats.

Figure 4. Asset Risk versus Business Risk

FROM ISSUES TO RISKS

When implementing risk management, one of the difficulties is to identify the level at which issues need to be collected, as well as the level of detail needed to define risks. The fact is that two parallel levels should be used for both. First, a top-down process is implemented where assessments are made to collect all possible major disasters like earthquakes, major storms, flooding, etc. once or twice per year. These are not issues, but rather threats that have a major impact on the business and as such should be evaluated for their potential impact on business values and probability of occurrence to be scored within the risk matrix.

This should be followed by a bottom-up process where issues are collected from the day-to-day business operations and analyzed to identify potential future threats. The pitfall in this bottom-up process is that there is a natural inclination to relate each issue to a risk, resulting in an enormous amount of risks to be analyzed. The secret to successfully executing this process is to add a step between these two processes in which region and asset-related reporting and analysis is performed and formulation of risks which could negatively impact business objectives are identified. This can be difficult to implement as a different skill set is needed to be able to do this.

Figure 5. From Issue to Risk

Companies who have successfully implemented risk management typically started by forming a risk expert group which has the task of reviewing risks and making decisions. This group needs to be very disciplined in the beginning and stick to a fixed agenda which contains three steps – issue analysis including formulation of threats, risk analyses of the formulated threats, and specification of mitigation activities.

RISK MITIGATING STRATEGIES

The last step in implementing a risk management process is the development of strategies to mitigate risks. In general, there are at least 4 risk mitigation strategies that should be studied during the risk analyses. These four strategies are:

1. Accept the risk and do nothing. The question to be studied is the risk of deferring the problem to the next decision-making point.

2. Mitigate the impact of the risk. Define a solution which mitigates the impact of the occurrence to a more acceptable level.

3. Mitigate the likelihood of the risk. Define a solution in which the frequency of occurrence is mitigated to an acceptable level.

4. Mitigate impact and likelihood of the risk. Define a solution which is a combination of 2 and 3 which reduces the risk level through mitigating actions. These steps can be assisted through the use of a risk matrix as an instrument to structure requirements. The task of the risk expert group is to provide input to the risk analyst who defines mitigation activities for the asset engineer.

Figure 5. Risk Mitigating Strategies

IMPLEMENTING RISK MANAGEMENT

In conclusion, this white paper discusses concepts regarding the implementation of risk management within asset management. First, risk management within asset management has been defined. Then, three important topics have been addressed regarding implementing risk management. These are:

  • Recognizing the different perspectives between risk-based asset planning and day to day operations
  • Recognizing the difference between Asset Risks and Business Risks
  • The pitfalls of the n-to-n relation between issues and risks In our experience, creating a risk expert group with a fixed agenda and with structured preparation and discipline to stick to the agenda is a good way to implement a sound risk management process.

For more information on our viewpoints, case studies, etc. regarding risk management please contact us at: info@infrashieldlabs.com

Talk to Our Experts Today