RISK MANAGEMENT

What is Risk?

Risks are those events or conditions that may occur and whose occurrence has a harmful

or negative impact on a project.

Classes of Risk:

 Asset Failure – The sudden unexpected failure of an asset. A steam pipe bursts in a

public access corridor.

 Asset Degradation – The relative slow degradation of an asset’s performance over time

which is not noticed. A lift car not stopping level with the floor level.

 Asset Invasion – In this class, the asset may continue to work perfectly normally,

however the asset itself gets invaded or colonised. For example Legionaries bacteria

happily growing in the nice warm cooling tower water does not affect the cooling ability

of the tower, but the asset becomes deadly. Bird nests or insect invasion can lead to asset

failure or other unexpected problems.

 Unexpected Human Behaviour – Humans behaving in a totally unexpected way. For

example someone becomes very upset and attacks or damages equipment, power

distribution switchboards etc.

 Possible misinterpretation by humans – Poorly worded instructions or signs can lead

people to do things that are dangerous to themselves or others or contribute to dangerous

conditions developing.

What is Risk Management?

 Risk management is minimizing dangerous results if a risk was to become a reality.

You’re reducing the potential impact on the facility you manage. It is the identification,

evaluation, and prioritization of risks followed by coordinated and economical application of

resources to minimize, monitor, and control the probability or impact of unfortunate events or to

maximize the realization of opportunities.

Objectives or purposes of Risk Management Plan in Facility Management:

1. To IDENTIFY the risks

2. To LOWER the likelihood of accidents or failure events

3. To MINIMIZE the consequences of accidents or failure events.

4. To ASSURE uncertainty does not deflect the endeavor from the business goals.

Intangible Risk Management. Intangible risk management allows risk management to

create immediate value from the identification and reduction of risks that reduce productivity.

This identifies a new type of a risk that has a 100% probability of occurring but is ignored by the

organization due to a lack of identification ability. For example, when deficient knowledge is

applied to a situation, a knowledge risk materializes.

Relationship Risk. This appears when ineffective collaboration occurs.

Process-Engagement Risk. This may be an issue when ineffective operational procedures are

applied. These risks directly reduce the productivity of knowledge workers, decrease cost-

effectiveness, profitability, service, quality, reputation, brand value, and earnings quality.

Components of Risk Management:

 1. Risk Assessment. Risk assessment identifies the possible risks and assesses the

consequences by means of checklists of possible risks, surveys, meetings and brainstorming, and

review of plans, processes and products. Once risks have been identified, they must then be

assessed as to their potential negative of impact (generally damage or loss) and to the probability

of occurrence. The project manager can also use the process database to get information about

risks and risk management on similar projects. The probability of occurrence of which is

unknown. Therefore, in the assessment process it is critical to make the best educated decisions

in order to properly prioritize the implementation of the risk management plan.

Example: Even a short-term positive improvement can have long-term negative impacts. A

highway is widened to allow more traffic. More traffic capacity leads to greater development in

the areas surrounding the improved traffic capacity. Over time, traffic thereby increases to fill

available capacity. Turnpikes thereby need to be expanded in a seemingly endless cycles.

2. Risk Control. Identify the actions needed to minimize the risk consequences.

This is also known as risk mitigation. Develop a risk management plan. Focus on the highest

prioritized risks. Prioritisation requires analysing the possible effects of the risk event, in case it

actually occurs. This approach requires a quantitative assessment of the risk probability and the

risk consequences. For each risks, determine the rate of its occurrence and indicate whether the

risk is low, medium or of high category. If necessary, assign probability values in the ranges as

prescribed based upon experience. If necessary assign a weight on a scale 1 to 10.

3. Risk Prioritising. Rank the risks based on the probability and effects on the project.

For example, a high probability, high impact item will have higher rank than a risk item with a

medium probability and high impact. In case of conflict, use judgment.

 4. Risk Mitigation. Select the top few risk items for mitigation and tracking. Refer to a

list of commonly used risk mitigation steps for various risks from the previous risk logs

maintained by the project manager and select suitable risk mitigation step. The risk mitigation

steps must be properly executed by incorporating them into the project schedule. In addition to

monitoring the progress of the planned risk mitigation steps, periodically revisit the risk

perception of the entire project. The results of this review are reported in each milestone analysis

report. To prepare this report, make a fresh risk analysis to determine whether the priorities have

changed.

Once risks have been identified and assessed, all techniques to manage the risk fall into

one or more of these four major categories:

 Avoidance (eliminate, withdraw from or not become involved)

This includes not performing an activity that could carry risk. An example would be not

buying a property or business in order to not take on the legal liability that comes with it.

Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the

potential gain that accepting (retaining) the risk may have allowed. Not entering a business to

avoid the risk of loss also avoids the possibility of earning profits.

 Reduction (optimize – mitigate)

Risk reduction or "optimization" involves reducing the severity of the loss or the

likelihood of the loss from occurring. For example, sprinklers are designed to put out a fire to

reduce the risk of loss by fire. This method may cause a greater loss by water damage and

therefore may not be suitable. Halon fire suppression systems may mitigate that risk, but the cost

may be prohibitive as a strategy. Acknowledging that risks can be positive or negative,

optimizing risks means finding a balance between negative risk and the benefit of the operation

or activity; and between risk reduction and effort applied. Modern software development

methodologies reduce risk by developing and delivering software incrementally. Outsourcing

could be an example of risk reduction if the outsourcer can demonstrate higher capability at

managing or reducing risks.

 Sharing (transfer – outsource or insure)

This is briefly defined as "sharing with another party the burden of loss or the benefit of

gain, from a risk, and the measures to reduce a risk." In practice if the insurance company or

contractor go bankrupt or end up in court, the original risk is likely to still revert to the first

party. However, technically speaking, the buyer of the contract generally retains legal

responsibility for the losses "transferred", meaning that insurance may be described more

accurately as a post-event compensatory mechanism.

 Retention (accept and budget)

Involves accepting the loss, or benefit of gain, from a risk when it occurs. True self-

insurance falls in this category. Risk retention is a viable strategy for small risks where the cost

of insuring against the risk would be greater over time than the total losses sustained. All risks

that are not avoided or transferred are retained by default.

STEPS

1. Identify. Identify what the possible risks are or the Risk Classes. The reason for

having a Risk Class checklist is to guide people in the assessment process to check things

that may not normally occur to them.

 2. Document. The collection of information about risk management is a very time

consuming process, but the collection of this information is itself a powerful risk

management strategy. The collection of information can be done by many people at the

same time and should be done by people with knowledge about the specific asset class or

area. My recommendation is for the specific trade staff to do the collection because they

probably know more about the asset classes they work with and would be more accepting

of risk management procedures for which they had some input. They can provide Risk

Assessment Collection and Planning Form.

(use _ or ✗to indicate if the item is

applicable):
(a) Asset + description or location (enter an asset no + description or a
physical location eg. loading bay)
o Asset Failure
o Asset Degradation
o Asset Invasion
(b) Risk Class(s) involved (select the risk classes that apply to this asset or
o Unexpected Human
location)
Behaviour
o Misinterpretation by
Humans
(c) What could go wrong? (describe in words what could go wrong with the
asset or location)
o Catastrophic
o Slow degradation
(d) Failure mode(s)? (select the mode(s) catastrophic, slow degradation, o Intermittent failure
intermittent) o Evidence of failure
o No external evidence
o Visual, sound or smell
(e) What are the consequences of failure?
(describe in words)
o Level 1 – life threatening
o Level 2 – major disruption
o Level 3 – minor disruption
(f) Critically of failure (choose a value 1, 2, 3, 4, 5)
o Level 4 – inconvenience
o Level 5 – almost no
impact
(g) What is the likelihood of this failure in the next 12 months? (enter a
value 0% to 100%)
(h) What can we do to minimise damage when this happens? (describe in
words)
(i) What can we do to recover from the event? (describe in words)
(j) What can we do to prevent the event? (describe in words)
(k) Agreed risk minimisation action (describe in words or identify specific
CMMS Task Id)
 Every _____
o Once only
(l) Agreed frequency of action (how often the risk minimisation action is to o Days
be carried out, for example every 2 weeks) o Weeks
o Months
o Years

3. Plan. The planning process can take place. Of course in some cases the plan will be

very straight forward and very obvious. This plan would address what items of equipment

spares need to be carried “if” the risk event occurs and thus the duration and extent of the

event can be reduced. The plan can make sure that clear instructions exist on how to

respond to the risk event, for example electrical isolation process, shutdown sequences

for computer driven systems etc. A well setup cmms would provide this alert function.

The plan should define an inspection (checklist) or task and have this task carried out

regularly at some recurrent interval such as every 3 months. The plan should have a

budgeted resource time and cost for managing this risk. The plan should be easily

accessible to be reviewed as circumstances change or to add new steps or procedures to

the plan.

4. Deploy. One of the most common problems that I see in business generally is the

issue of implementation of plans into the normal operational workflow of an

organisation. The implementation of a Risk Management Plan will generally need to

spawn 3 simultaneous actions. The first action is doing the things that only need to be

done once. These are things like installing extra guard rails, replacement of inherently

dangerous equipment, replacing signs etc. The requirement generally is extra capital

funds and an external contractor to carry out the work. The second action is acquiring

additional safety equipment or spare parts. This applies to identify risks such as fire

breaking out. There may be little that can be done to prevent the risky event from
 occurring, but when it does the organization can respond more quickly and more

decisively because equipment is in place. The documented procedures can be included

into personnel training or the documentation can be consulted when the event occurs. The

third action is the ongoing inspection process that may be necessary to manage the risk.

The time and resources needed to do this are often not easily obtained. The inspections

processes are often contracted out because it is easier to get block funding for external

services than to increase staffing levels within an organisation. This outsourcing of

responsibility seems like a neat solution, however in practise the organisation also needs

to ensure that processes are being followed in the way they were designed.

Common risk identification methods are:

1. Objectives-Based Risk Identification[citation needed] – Organizations and project

teams have objectives. Any event that may endanger achieving an objective partly or

completely is identified as risk.

2. Scenario-Based Risk Identification – In scenario analysis different scenarios are

created. The scenarios may be the alternative ways to achieve an objective, or an analysis

of the interaction of forces in, for example, a market or battle. Any event that triggers an

undesired scenario alternative is identified as risk – see Futures Studies for methodology

used by Futurists.

3. Taxonomy-Based Risk Identification – The taxonomy in taxonomy-based risk

identification is a breakdown of possible risk sources. Based on the taxonomy and

knowledge of best practices, a questionnaire is compiled. The answers to the questions

reveal risks.
 4. Common-Risk Checking[citation needed] – In several industries, lists with known risks

are available. Each risk in the list can be checked for application to a particular situation.

5. Risk Charting – This method combines the above approaches by listing resources at

risk, threats to those resources, modifying factors which may increase or decrease the risk

and consequences it is wished to avoid. Creating a matrix under these headings enables a

variety of approaches. One can begin with resources and consider the threats they are

exposed to and the consequences of each. Alternatively one can start with the threats and

examine which resources they would affect, or one can begin with the consequences and

determine which combination of threats and resources would be involved to bring them

about.

Several risk management standards have been developed

1. the Project Management Institute

2. the National Institute of Standards and Technology

3. actuarial societies

4. ISO standards.

The International Organization for Standardization (ISO) identifies the following principles of

risk management.

Risk management should:

 create value – resources expended to  be an integral part of organizational

mitigate risk should be less than the processes

consequence of inaction  be part of decision making process

  explicitly address uncertainty and  take human factors into account

assumptions  be transparent and inclusive

 be a systematic and structured  be dynamic, iterative and responsive

process to change

 be capable of continual improvement

 be based on the best available and enhancement

information  be continually or periodically re-

 be tailorable assess

Classification of Risks:

1. External risks 2. Internal risks

a. Financial a. Health and Safety

b. Strategic b. Employees

c. Hazards

References:

RiskManagementinFM.pdf(Mercury Computer Systems P/L Page 1-6

https://en.m.wikipedia.org/wiki/Risk_management

https://www.farsight.co.uk/blog/risk-management/