There are legal and regulatory requirements for risk assessment and an implicit requirement for the officers of an enterprise to assess and mitigate the risks to it. There are also risk requirements regarding financial compliance.
So what areas of risk are of more direct interest to facilities managers? First, facilities managers should review the regulatory risk requirements for their industry and check compliance.
Letters of the law
In 1976, in a factory in Seveso, Italy, a toxic release caused widespread contamination. This led ultimately to the Control of Major Accident Hazards Regulations 1999 (COMAH). COMAH identifies ten generic categories of dangerous substances (for example, toxic, flammable).
Under COMAH, the principle of prevention is to reduce risk to a level as low as reasonably practicable (ALARP), using the best available technology not entailing excessive cost (BATNEEC). Sites must also prepare a major accident prevention policy (MAPP). On high-risk sites MAPP is replaced by a safety report, to be updated every five years and made public.
Hazard Analysis Critical Control Point (commonly known as the HACCP principles) forms the basis of the European Commission (EC) hygiene directive (93/43/EEC). HACCP covers food risk assessment from field to plate and covers canteens and restaurants.
There is a swelling tide of generic health and safety directives and legislation from the EC, as well as laws and regulations involving specific hazards.
Typically, employers' duties require a balance between protection and what is 'reasonable and practical'. The employer is required to balance cost against risk — but lack of cash or resources is not a defence against a known risk.
The health and safety of staff is legally a personal responsibility of managers that cannot be delegated. Failure to assess and mitigate risk to employees could lead to the manager's imprisonment.
In a case where employees died because the doors to the fire escape were locked shut and the fire doors in the corridors were locked open, the directors were prosecuted for manslaughter.
And, in The Herald of Free Enterprise trial, following the sinking of the ferry, the judge held that a company could be guilty of manslaughter.
Even if criminal liability is not established, the subsequent loss of goodwill could kill the company. The media and the relatives of those who died can bring enormous pressure to bear and cause damaging publicity, which affects share value and the customer base.
Another factor that would affect share price is non-compliance with the Turnbull report, because this would have to be disclosed in the company's annual report and would be picked up by the media. Turnbull recommends that directors set their business targets and timeframes and then consider the risks to achieving these.
Assessment and management
Before companies can manage risks, those risks have to be assessed. Threats such as fire, flood and power loss are identified. Each asset is examined to identify how vulnerable it is to these theoretical threats. Then the risk can be analysed and countermeasures considered. Once a business impact analysis (impact in cash and non-cash terms) has taken place, cost justification of the risk reduction measures follows. Thus the cost of the countermeasure can be balanced against the potential for loss.
Options for risk management include:
- accepting the risk (do nothing)
- avoiding the risk (for example, do not relocate to a flood plain)
- reducing the risk (change the equation — for example, install surveillance equipment to deter thieves or install a power supply which cannot be interrupted)
- containing the risk (minimise the impact — for example, do not put all your eggs in one basket)
- transferring the risk (pass it to someone else — for example, insure or outsource dangerous activities).
Effective risk management is a judicious selection from these options.
A basic approach
Facilities risk can be categorised as premises and process/operational. These risks can be ranked as:
- high impact, high probability
- high impact, low probability
- low impact, high probability
- low impact, low probability.
- the level of risk they find acceptable, depending on the risk / reward ratio
- the control strategy to avoid or mitigate the risk
- who is accountable for managing the risk and maintaining controls
- what is the residual risk
- what is the early warning mechanism.
While the board has overall responsibility for a company's internal control system and policies, line management is responsible for implementing policies adopted by the board.
Operational risk management
For existing and new facilities, projects and processes we can examine risk in planning, development, implementation, operational use and after-use.
We can examine risk associated with location. This should cover the processes and the technology used in them, as well as the processes and the infrastructure upon which they depend.
Management risks can be reviewed in terms of strategy, the production process and operations.
For production activities, risk data may be gathered concerning pre-process activity, the core process itself, and post-process activities. This should reveal risks related to operational strategy, management and operations. Interaction with associated (dependent) processes and parallel processes (for example, using the same facilities) and any consequential processes can also be considered.
This will provide not just a powerful tool-set for risk management, but a risk-aware culture. Often a risk and impact assessment provides the stimulus for improved control, procedures, resilience or processes. This benefits the organisation every day, not just at times of disaster.
Unfortunately many organisations still rely solely on insurance. Insurance has limits on the duration of business interruption payments. Moreover, the cause of the disaster may be excluded from insurance. Insurance usually only covers 30-50 per cent of disaster losses. Insurance pay-outs can take a long time — up to several years in very complicated cases or where several insurers are involved.
Bits in pieces?
Critical Component Failure Analysis identifies key dependencies and assesses the possibility of the failure of components and the lead-time to recover. A mathematical model (Monte Carlo Analysis) can be run to identify the likelihood of multiple component failures. When the impact of the loss of the component is identified, a cost/benefit case may be made to introduce redundancy, resilience or alternative paths and processes.
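The Monte Carlo step described above, as an added example that is not part of the original article: each simulated year draws failures for every critical component and checks whether their recovery lead-times overlap. The component names, failure probabilities and lead-times are constructed, and the model assumes independent failures with at most one failure per component per year.

```python
import random

# Constructed sample data (not from the article): annual failure probability
# and lead-time to recover, in days, for each critical component.
COMPONENTS = {
    "mains_power": (0.30, 2),
    "standby_generator": (0.10, 14),
    "chiller": (0.15, 21),
    "core_switch": (0.05, 10),
}

def simulate_year(components, rng):
    """Return {name: (start_day, end_day)} for components that fail this year."""
    outages = {}
    for name, (p_fail, lead_days) in components.items():
        if rng.random() < p_fail:
            start = rng.uniform(0, 365)  # assumption: failure equally likely any day
            outages[name] = (start, start + lead_days)
    return outages

def overlapping(outages, names):
    """True if every component in `names` is down at the same moment."""
    if not all(n in outages for n in names):
        return False
    latest_start = max(outages[n][0] for n in names)
    earliest_end = min(outages[n][1] for n in names)
    return latest_start < earliest_end

def estimate(components, pair=("mains_power", "standby_generator"),
             trials=100_000, seed=1):
    """Estimate annual probability of concurrent failures over many trials."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    names = list(components)
    any_two = pair_down = 0
    for _ in range(trials):
        outages = simulate_year(components, rng)
        if any(overlapping(outages, (a, b))
               for i, a in enumerate(names) for b in names[i + 1:]):
            any_two += 1
        if overlapping(outages, pair):  # the redundant pair both unavailable
            pair_down += 1
    return {"any_two_down": any_two / trials, "pair_down": pair_down / trials}

if __name__ == "__main__":
    print(estimate(COMPONENTS))
```

Multiplying the estimated probability by the business impact of the combined outage gives the expected annual loss against which the cost of added redundancy can be weighed.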
An output approach
One perspective on risk is to identify mission-critical outputs or deliverables. Having done this, one can then trace the facilities, processes and channels used in the development, creation and delivery of those outputs and deliverables. Interdependencies can be identified. The risk in each of these can then be assessed.
If undertaking a site risk assessment, we review the threats relating to:
- the neighbourhood
- the premises
- the equipment or technology
- personnel
- materials and processes
- suppliers.
Neighbourhood risks include the actual location. There may be neighbours undertaking dangerous processes or posing targets for malicious attack. The site may be at risk from seasonal flooding.
The premises may be more or less vulnerable to theft — inherently secure or insecure.
Equipment and technological risks include reliance on obsolete technology, investment in unproven technology and exposure to premature obsolescence.
Personnel risks may include dependence on rare skills or reliance on key teams of people, who could be headhunted by competitors.
Process and material risks arise from the use of dangerous chemicals, processes creating potentially explosive dust or a build-up of potentially flammable grease, and dependence on rare materials or materials that have high price volatility.
Supplier risks could include supplier dependence. It may be difficult to find an alternative with sufficient immediate capacity. More than half of all outsourcing contracts involve dispute.
It's about success
Risk management is becoming fully integrated with the way businesses operate every day, and has benefits every day. Those organisations that manage risk effectively will increase productivity, improve profitability, reduce waste and create competitive edge. Risk management is not only about survival — it is about success.
For information on Survive:
Tel: 01483 710600
Email: survive@survive.com
Website: survive.com
Risk analysis — a vital tool
Risk management is the key to disaster recovery planning and, therefore, to an organisation’s security. Risk analysis is a vital tool in the risk management process. Risk analysis is a combination of identifying an organisation’s assets (what are we trying to protect?), identifying the known and potential threats to those assets (what are we protecting them against?) and applying some weighting to the threats (how serious are they?). Once the risks are identified it is then possible to develop the necessary countermeasures and thus reduce the organisation’s exposure to an acceptable level.
Risk analysis is the starting point and will generally include examination of the risks relating to the business itself, the premises and the neighbourhood, the equipment, plant, technology, materials and processes they use, their personnel and the third parties on whom they depend.
In 1999 high street retailer Argos appointed The Kingswell Partnership to undertake a risk analysis of its high volume retailing and distribution operations throughout the UK. The output from the risk analysis exercise was used by the company to focus on the major areas of potential risk and, where necessary, to develop countermeasures to reduce the risks and their potential impact.
Ian Carman is a director of The Kingswell Partnership
Tel: 01865 822010
Email: admin@kingswell.net
Website: kingswell.net
Source
The Facilities Business
Postscript
Andrew Hiles is chairman of Survive, the international user group for business continuity and also a director of risk and service management consultants The Kingswell Partnership. He is the author of 'Business Continuity — Best Practices'.