Risk Management 101 - Transcript.

docx

Risk Management 101

Introduction

Hi everyone and welcome to Risk Management 101. We're going to go through these basic concepts of risk
management. We're going to break it down into the constituent parts. Then we're going to build it up
again and show you how it's done.

My name is Simon Di Nucci and I have a lot of experience working in risk management, project risk
management, safety risk management, etc. I’m hoping that I can put my experience to good use, helping
you in whatever you want to do with this information. Whether you're going for an interview or you want
to learn some basics. You can watch this video and decide if you want to know more about risk
management or you don’t need to. Whatever it might be, you'll find this short session useful. I hope you
enjoy it and thanks for watching.

Topics For This Session

Risk Management 101. So what does it all mean? We're going to break risk management down into we've
got six constituent parts. I'm using a particular standard that breaks it down this way. Other standards
will do this in different ways. We'll talk about that later. Here we've got risk management broken down in
to; hazard identification, hazard analysis, risk estimation, risk evaluation (and ALARP), risk reduction,
and risk acceptance.

Risk Management

Let's get right on to that. Risk management – what is it? It’s defined as “the systematic application of
management policies, procedures and practises to the tasks of hazard identification, hazard analysis, risk
estimation, risk and ALARP evaluation, risk reduction, and risk acceptance”.

There are a couple of things to note here. We're talking about management policies, procedures and
practices. The ‘how’ we do it. Whether it's a high-level policy or low-level common practice. E.g. how
things are done in our organisation vs how the day-to-day tasks are done? And it's also worth saying that
when we talk about ‘hazards’, that's a safety ‘ism’. If we were doing security risk management, we can be
talking about ‘threats’. We can also be talking about ‘causes’ in day-to-day language. So, we can be talking
about something causing a risk or leading to a risk. More on that later, but that's an overview of what risk
management is.

Part 1

Let's look at it in a different way. For those of you who like a visual representation, here is a graph of the
hierarchical breakdown. They need to happen in order, more-or-less, left to right. And as you can see,

1|Page
Risk Management 101 - Transcript.docx

there's a link between risk evaluation and risk reduction. We’ll come on to that. So, it's not ‘or’ it’s a serial
‘this is what you have to do’. Sometimes they're linked together more intimately.

Hazard Identification

First of all, hazard identification. So, this is the process where we identify and list hazards and accidents
associated with the system. You may notice that some words here are in bold. Where a word is in bold, we
are going to give the definition of what it is later.

These hazards could lead to an accident but only associated with the system. That's the scope. If we were
talking about a system that was an aeroplane, or a ship, or a computer, we would have a very different
scope. There would also be a different way that maybe accidents would happen.

On a more practical level, how do we do hazard identification? I'm not going to go into any depth here, but
there are certain classic ones. We can consult with our workers and inspect the workplace where they're
operating. And in some countries, that's a legal requirement (Including in Australia where I live). Another
option is we can look at historical data. And indeed, in some countries and in some industries, that's a
requirement. A requirement means we have to do that. And we can use special analysis techniques. Now,
I’m not going to talk about any of those analysis techniques today. You can watch some other sessions on
The Safety Artisan to see that.

Hazard Analysis

Having done hazard identification, we've asked ourselves ‘What could go wrong?’. We can put some more
detail on and ask, ‘How could it go wrong? And how often?’. That kind of stuff. So, we want to go into
more detail about the hazards and accidents associated with this particular system. And that will help us
to define some accident sequences. We can start with something that creates a hazard and then the hazard
may lead to an accident. And that's what we're talking about. We will show that using graphics late, which
will be helpful.

But again, more on terminology. In different industries, we call it different things. We tend to say
‘accident’ in the UK and Australia. In the U.S., they might call it a ‘mishap’, which is trying to get away
from the idea that something was accidental. Nobody meant it to happen. Mishap is a more generic term
that avoids that implication. We also talk about ‘losses’ or we talk about ‘breaches’ in the security world.
We have some issue where somebody has been able to get in somewhere that they should not. And we can
talk about accident sequences. Or, in a more common language, we call it a sequence of events. That's all
it is.

Risk Estimation

Now we’re talking about the risk estimation. We’ve thought about our hazards and accidents and how they
might progress from one to another. Let's think about, ‘How big is the risk of this actually happening?’.

2|Page
Risk Management 101 - Transcript.docx

Again, we'll unpack this further later at the next level. But for now, we're going to talk about the
systematic use of available information. Systematic- so, ordered. We're following a process. This isn't
somebody on their own taking a subjective view ‘Look, I think it's not that’. It's a process that is
repeatable. We want to do something systematic. It's thorough, it's repeatable, and so it's defendable. We
can justify the conclusions that we've come to because we've done it with some rigour. We've done it in a
systematic way. That's important. Particularly if we're talking about harm coming to people or big losses.

Risk and ALARP Evaluation

Now, risk evaluation is just taking that estimated risk just now and comparing it to something and saying,
“How serious is this risk?”. Is it something that is very low? If it's very insignificant then we're not
bothered about it. We can live with it. We can accept it. Or is it bigger than that? Do we need to do
something more about it? Again, we want to be systematic. We want to determine whether risk reduction
is necessary. Is this acceptable as it is or is it too high and we need to reduce it? That's the core of risk
evaluation.

In this UK-based standard – we're using terminology is found in different forms around the world. But in
the UK, they talk about ‘tolerability’. We're talking about the absolute level of risk. There probably is an
upper limit that's allowed in the law or in our industry. And there's a lower limit that we're aiming for. In
an ideal world, we'd like all our risks to be low-level risks. That would be terrific.

So, that's ‘tolerability’. And you might hear it called different things. And then within the UK system,
there're three classes of ‘tolerability’ at risk. We could say it's either ‘broadly acceptable’- it’s very low. It’s
down in the target region where we like to get all our risks. It's ‘tolerable’- we can expose people to this
risk or we can live with this risk, but only if we've met certain other criteria. And then there's the risk that
it's so big. It’s so far up there, we can't do that. We can't have that under any circumstances. It's
unacceptable. You can imagine a traffic light system where we have categorised our risk.

And then there’s the test of whether our risk can be accepted in the UK. It's called ALARP. We reduce the
risk As Low As Reasonably Practicable. And in other places, you’ll see SFARP. We've eliminated or
minimised the risk So Far As Is Reasonably Practicable. In the nuclear industry, they talk about ALARA:
As Low As Reasonably Achievable. And then different laws use different tests. Whichever one you use,
there's a test that we have got to use to say, “Can we accept the risk?” “Have we done enough risk
reduction?”. And whatever you've put in those square brackets, that's the test that you're using. And that
will vary from jurisdiction to jurisdiction. The basic concept of risk evaluation is estimating the level of
risk. Then compare it to some standard or some regulation. Whatever one it might be, that's what we do.
That's risk evaluation.

Risk Reduction

We’ve asked, “Do we need to reduce risk further?”. And if we do, we need to do some risk reduction.
Again, we’re being systematic. This is not some subjective thing where we go “I have done some stuff, it'll

3|Page
Risk Management 101 - Transcript.docx

be alright. That's enough.”. We're being a bit more rigorous than that. We've got a systematic process for
reducing risk. And in many parts of the world, we’re directed to do things in a certain way.

This is an illustration from an Australian regulation. In this regulation, we're aiming to eliminate risk. We
want to start with the most effective risk reduction measures. Elimination is “We’ve reduced the risk to
zero”. That would be lovely if we could do that but we can't always do that.

What's the next level? We could get rid of this risk by substituting something less risky. Imagine we've got
a combustion engine powering something. The combustion engine needs flammable fuel and it produces
toxic fumes. It could release carbon monoxide and CO2 and other things that we don't want. We ask, “Can
we get rid of that?”. Could we have an electric motor instead and have a battery instead? That might be a
lot safer than the combustion engine. That is a substitution. There are still risks with electricity. But by
doing this we've substituted something risky for something less risky.

Or we could isolate the hazard. Let’s use the combustion engine as an example again. We can say, “I'll put
that in the fuel and the exhaust somewhere, a long way from people”. Then it’ll be a long way from where
it can do harm or cause a loss.” And that's another way of dealing with it.

Or we could say, “I'm going to reduce the risks through engineering controls”. We could put in something
engineered. For example, we can put in a smoke detector. A very simple, therefore highly reliable, device.
It’s certainly more reliable than a human. You can install one that can detect some noxious gases. It's also
good if it’s a carbon monoxide detector. Humans cannot detect carbon monoxide at all. (Except if you've
got carbon monoxide poisoning, you'll know about it. Carbon monoxide poisoning gives you terrible
headaches and other symptoms.) But of course, that's not a good way to detect that you're breathing in
poisonous gas. We do not want to do it that way.

So, we can have an engineering control to protect people. Or we can an interlock. We can isolate things in
a building or behind a wall or whatever. And if somebody opens the door, then that forces the thing to cut
out so it's no longer dangerous. There are different things for engineering controls that we can introduce.
They do not rely on people. They work regardless of what any person does.

Next on the list, we could reduce exposure to the hazard by using administrative controls. That's giving
somebody some rules to follow a procedure. “Do this. Don't do that.” Now, that's all good. We can give
people warning signs and warn people not to approach something. But, of course, sometimes people break
the rules for good reasons. Maybe they don't understand. Maybe they don't know the danger. Maybe
they've got to do something or maybe the procedure that we've given them doesn't work very well. It's too
difficult to get the job done, so people cut corners. So, procedural protection can be weak. And a bit hit
and miss sometimes.

And then finally, we can give people personal protective equipment. We can give them some eye
protection. I'm wearing glasses because I'm short-sighted. But you can get some goggles to protect your
eyes from damage. Damage like splashes, flying fragments, sparks, etc. We can have a hard hat so that if
we’re on a building site and something drops from above on us that protects the old brain box. It won't

4|Page
Risk Management 101 - Transcript.docx

stop the accident from happening, but it will help reduce the severity of the accident. That's the least
effective. We're doing nothing to prevent the accident from happening. We're reducing the severity in
certain circumstances. For example, if you drop a ton of bricks on me, it doesn't matter whether I'm
wearing a hard hat or not. I'm still going to get crushed. But with one brick, I should be able to survive
that if I'm wearing a hard hat.

Risk Acceptance

Let's move on to risk acceptance. At some stage, if we have reduced the risk to a point where we can accept
it. We can live with it and we’ve decided that we're going to need to do whatever it is that is exposing us to
the risk. We need to use the system. We want to get in our car to enable us to go from a to b quickly and
independently. So, we're going to accept the risk of driving in our car. We’ve decided we're going to do
that. We make risk acceptance decisions every day, often without thinking about it. We get in a car every
day on average and we don't worry about the risk, but it's always there. We've just decided to accept it.

But in this example we've got, it's not an individual deciding to do something on the spur of the moment.
Nor is it based on personal experience. We've got a systematic process where a bunch of people come
together. The relevant stakeholders agree that a risk has been assessed or has been estimated and has
been evaluated. They agree that the risk reduction is good enough and that we will accept that risk.
There’s a bit more to it than you and I saying, “That'll be alright.”

Part 2

Let's summarise where we’ve got to. We've talked about these six components of risk management. That's
terrific. And as you can see, they all go together. Risk evaluation and risk reduction are more tightly
coupled. That’s because when we do some risk reduction, we then re-evaluate the risk. We ask ‘Can we
accept it?’. If the answer is ‘No.’ we need to do some more work. Then we do some more risk reduction. So
those tend to be a bit more coupled together at the end. That's the level we've got to. We're now going to
go to the next level.

So, we're going to explain these things. We've talked about hazard identification and hazard analysis, but
what is a hazard? And what is an accident? And what is an accident sequence? We're going to unpack that
a bit more. We’re going to take it to the next level. And throughout this, we're talking about risk over and
over again. Well, what is ‘risk’? We're going to unpack that to the next level as well. It all comes down to
this anyway. This is a safety standard. We're talking about harm to people. How likely is that harm and
how severe might it be? But it might be something else. It might be a loss or a security breach. It might be
a financial loss. It might be a negative result for our project. We might find ourselves running late. Or
we're running over budget. Or we’re failing to meet quality requirements. Or we’re failing to deliver the
full functionality that we said we would. Whatever it might be.

Hazard

5|Page
Risk Management 101 - Transcript.docx

So, let's unpack this at the next level. A hazard is a term that we use, particularly in safety. As I say, we call
it other things in different realms. But in the safety world, it's a physical situation or it's a state of a
system. And as it says, it often follows from some initiating event which we may call a ‘cause’. And the
hazard may lead to an accident. And the key thing to remember is once a hazard exists, an accident is
possible, but it's not certain. You can imagine the sort of cartoon banana skin on the pavement gag. Well,
the banana skin is the hazard. In the cartoon, the cartoon character always steps on the banana skin. They
always fall over the comic effect. But in the real world, nobody may tread on the banana skin and slip over.
There could be nobody there to slip over all the banana skin. Or even if somebody does, they could catch
themselves. Or they fall, but it's on a soft surface and they don't hurt themselves so there's no harm.

So, the accident isn't certain. And in fact, we can have what we call ‘non-accident’ outcomes. We can have
harmless consequences. A hazard is an important midway step. I heard it called an accident waiting to
happen, which is a helpful definition. An accident waiting to happen, but it doesn't mean that the accident
is inevitable.

Accident

But the accident can happen. Again, the ‘accident’, ‘mishap’, or ‘unintended event’. Something we did not
want or a sequence of events that causes harm. And in this case, we're talking about harm to people. And
as I say, it might be a security breach. It might be a financial loss. It might be reputational damage.
Something might happen that is very embarrassing for an organisation or an individual. Or again, we
could have a hiccup with our project.

Harm

But in this case, we're talking about harm. And this kind of standard, we're using what you might call a
body count approach to the harm. We're talking about actual death, physical injury, or damage to the
health of people. This standard also considers the damage to property and the environment. Now, very
often we are legally required to protect people and the environment from harm. Property less so. But
there will be financial implications of losses of property or damage to the systems. We don't want that. But
it's not always criminally illegal to do that. Whereas usually, hurting people and damaging the
environment is. So, this is ‘harm’. We do not want this thing to happen. We do not want this impact.
Safety is a much tougher business in this instance. If we have a problem with our project, it’s
embarrassing but we could recover it. It’s more difficult to do that when we hurt somebody.

Risk

And always in these terms, we're talking about ‘risk’. What is ‘risk’? Risk is a combination of two things.
It's a combination of the likelihood of harm or loss and the severity of that harm or loss. It’s those two
things together. And we've got a very simple illustration here, a little table. And they're often known as a
risk matrix, but don’t worry about that too much. Whatever you want to call it. We've got a little two by
two table here and we've got likelihood in the white text and severity in the black. We can imagine where

6|Page
Risk Management 101 - Transcript.docx

there's a risk where we have a low likelihood of a ‘low harm’ or a ‘low impact’ accident or outcome. We
say, ‘That's unlikely to happen and even if it does not much is going to happen.’ It’s going to be a very
small impact. So, we'd say that that's a low risk.

Then at the other end of the spectrum, we can imagine something that has a high likelihood of happening.
And that likelihood also has a high impact. Things that happen that we definitely do not want to happen.
And we say, ‘That's a high risk and that's something that we are very, very concerned about.’

And then in the middle, we could have a combination of an outcome that is quite likely, but it's of low
severity. Or it's of high severity, but it's unlikely to happen. And we say, ‘That's a medium risk’.

Now, this is a very simplified matrix for teaching purposes only. In the real world, you will see matrices
that four by four, or five by five, or even six by six, or combinations thereof. And in security where they
talk about threat and vulnerability and the outcomes. Here, you might see multiple matrices used. They
use multiple matrices to progressively build up a picture of the risk. They use matrices as building blocks.
So, it may not be only one matrix used in a more complex thing you've got to model. But here we've got a
nice, simple example. This illustrates what risk is. It's a combination of severity and likelihood of harm or
loss. And that’s what risk is, fundamentally. And if we have a firm grasp of these fundamentals, it'll help
us to reason and deal with almost anything. With enough application.

Accident Sequence

Now, let's move on and talk about accident sequences. We're talking about a progression in this case.
We're imagining a left-to-right path. A progression of events that results in an accident. This diagram, that
looks like a bow tie, it's meant to represent the idea that we can have one hazard. There might be many
causes that lead to this hazard. There might be many different things that could create the hazard or
initiate the hazard. And the hazard may have many different consequences.

As I've said before, nothing at all may happen. That might be the consequence of the hazard. Most of the
time that's what’s going to happen. But there may be a variety of consequences. Somebody might get a
minor injury or there might be a more serious accident where one or more people are killed. A good
example of this is fire. So, the hazard is the fire. The causes might be various. We could be dealing with
flammable chemicals, or a lightning strike, or an electricity arc flash. Or we could be dealing with very
high temperatures where things spontaneously burst into flames. Or we could have a chemical in the
presence of pure oxygen. Some things will spontaneously burst into flames in the presence of pure oxygen.
So there're a variety of causes that lead to the fire.

And the fire might be very small and burn itself out. It causes very little damage and nobody gets hurt. Or
it might lead to a much bigger fire that, in theory, could kill lots of people. So, there's a huge range of
consequences potentially from one hazard. But the accident sequence is how we would describe and
capture this progression. From initiating events to the hazard to the possible consequences. And by
modelling the accident sequence, of course, we can think about how we could interrupt it.

7|Page
Risk Management 101 - Transcript.docx

Part 3

We've broken risk management down into those six constituent parts. We've gone to the next level, in that
we’ve sort of gone down to the concepts that underpin these things. These hazards, the accidents, and the
accident sequence. We've talked about risk itself and what we don't want to happen. The harm, the loss,
the financial loss, the embarrassment, the failed or late or budget project, a security breach, the undesired
event, etc. We had an objective which was to do something safely or to complete a project and the risk is
that that won't happen. That there'll be an impact on what we were trying to do that is negative. That is
undesirable.

There are just only more concepts that we need to look at to complete the pattern, as you can see. We've
been talking about the system. And we've been talking about doing things systematically. And then a
system works in an operating environment. So, let's unpack that.

System

First of all, we have a system. The system is going to be a combination of things. I wouldn't call a pen or a
pencil a system. It's only got a couple of components. You could pull it apart. But it's too simple to be
worth calling it a system. We wouldn’t call it a pen system, would we? So, a system is something more
complex. It’s a combination of things and we need to define the boundary. I'll come back to that.

But within this boundary, we've got some different elements in the system that work together. Or they’re
used together within a defined operating environment. So, we're going to expose this system to a range of
conditions which it is designed to usually work in. The intention is the system is going to do whatever it
does to perform a given task. It can do one defined task or achieve a specific purpose. I talked before
about getting in our car. A car is complex enough to be called a system. We get in our car and we drive it
on the roads. Or if we've got a four-wheel drive, we can drive Off-Road. Or we can use it in a more
demanding operating environment to achieve a specific purpose. We want to transport ourselves, and
sometimes some stuff, from A to B. That's what we're trying to do with the system.

And within that system, we may have personnel/people, we may have procedures. A bunch of rules about
how you drive a car legally in different countries. We've got materials and physical things – what the car is
made of. We could have tools to repair it, change wheels. We've got some other equipment, like a satnav.
We've got facilities. We need to take a car somewhere to fill up with fuel or to recharge it. We've got
services like garages, repairs, servicing, etc. And there could be some software in there as well. Of course,
these days in the car, there’s software everywhere in most complex devices.

So, our system is a combination of lots of different things. These things are working together to achieve
some kind of goal or some kind of result. There’s somewhere we want to get to. And it's designed to work
in a particular operating environment. Cars work on roads really well. Off-road cars can work on tracks.
Put them in deep water, they tend not to work so well. So, let's talk about that operating environment.

8|Page
Risk Management 101 - Transcript.docx

Operating Environment

What we've got here, the total set of all external, natural, and induced conditions. (That’s external to the
system, so outside the boundary.) So, it might be these conditions-. It might be natural or it might be
generated by something else, which a system is exposed to at any given moment. And we need to get a
good understanding of the system, the operating environment, and what we want it to do.

If we have a good understanding of those three things, then we will be well on the way to being able to
understand the risks associated with that system. That's one of the key things with risk management. If
you've got those three things, that's crucial. You will not be able to do effective risk management if you
don't have a grasp of those things. And if you do have a thorough grasp of those things, it's going to help
you do effective risk management.

Conclusion

So, we've talked about risk management. We've broken it down into some big sections. Those six sections;
the hazard identification; analysis; risk estimation; evaluation; reduction; and acceptance. We've seen
how those things depend on only a few concepts. We've got the concepts of ‘hazards’, ‘risks’, and
‘accidents’. As well as the undesirable consequences that the risk might result in. And the risk is measured
based on the likelihood and severity of that harm or that loss occurring.

And when we're dealing with a more complex system, we need to understand that system and the
environment in which it operates. And of course, we've put it in that environment for a purpose. And that
unpacking has allowed us to break down quite a big concept, risk management. A lot of people, like
myself, spend years and years learning how to do this. It takes time to gain experience because it's a
complex thing. But if we break it down, we can understand what we're doing. We can work our way down
the fundamentals. And then if we've got a good grasp of the fundamentals, that supports getting the more
complex stuff right. So, that's what risk management is all about. That’s your risk management 101 and I
hope that you find that helpful.

Copyright Statement

I just need to say briefly that those quotations from the standard. I can do that under a Creative Commons
licence. The CC4.0. That allows me to do that within limits that I am careful to observe. But this video
presentation is copyright the Safety Artisan.

For More…

And you can see more like these at the Safety Artisan website. That’s www.safetyartisan.com. And as you
can see, it's a secure site so you can visit without fear of a security breach. So, do head over there.

9|Page
Risk Management 101 - Transcript.docx

Subscribe to the monthly newsletter to get discounts on paid videos and regular updates of what's coming
up. both paid and free.

So, it just remains for me to say thanks very much for watching and I look forward to catching up with you
again very soon.

10 | P a g e