4. Critical success factors/objectives of the activity/proposal/project being risk assessed

Transcription

1 ARTC Risk Management Work Instruction 2: 1. Conduct Risk Assessment Workshop This Work Instruction provides general guidelines for conducting a generic Risk Assessment workshop. The instructions supplement the flowchart in RMWI 1 and provide the facilitator of the Risk Assessment with detailed instructions for prior to, during and after conducting a risk assessment workshop. For safety related risk assessments, RMWI 3 Guidelines on So Far As Is Reasonably Practicable (SFAIRP) shall be followed during Steps 4 and 5 Risk Evaluation and Control. PRIOR 1.1. STEP 1 - ESTABLISH THE CONTEXT This step shall be carried out prior to the risk assessment workshop taking place by the person responsible for the risk assessment (usually the Nominated Risk Manager). The template is available in RMWI 4 Risk Assessment Templates. The information collected in this section shall be distributed to participants prior to the workshop, and usually will be built upon during the risk assessment. The amount of information that is to be provided at this point may depend on the scope and complexity of the process/proposal that is being considered but in all circumstances, there will be a minimum requirement to provide at least the information detailed below: 1. Background This section includes background information and data that clarifies the nature of the proposal. This information should be prepared and distributed to stakeholders in advance of the risk assessment workshop. The information can be in spreadsheet, PowerPoint, drawing, report, or any other format or combination of formats. During the risk assessment workshop, it is usually good practice for someone to verbally explain the situation, including supporting background information. 2. Risk Statement Specify a clear, summary statement such as To assess the safety/operational risks associated with the construction of ABC over the area bounded by x and y. 3. Risk Assessment Objectives This section outlines what ARTC wants to achieve as a result of the risk assessment. There may be a number of objectives that are expected to be addressed. For example, objectives may include identifying risks associated with an activity or interface, identifying controls to reduce those risks so far as is reasonably practicable, or provide supporting analysis to a submission, etc. 4. Critical success factors/objectives of the activity/proposal/project being risk assessed This section outlines the critical success factors of the activity/proposal/project being risk assessed. For example, the objectives of a particular project may be to remain on budget, on schedule and deliver to specifications. The aim of a safety interface agreement may be to ensure safety at the interface boundary. Once we know the objectives of the activity we are risk assessing, we can then identify risks that affect achievement of those aims. Pg. 1 of 9 RMWI 2 V1.1

2 5. Scope (inclusions and exclusions) This section outlines what is to be included within the scope of the risk assessment, and importantly, what is to be excluded. Once the scope of the risk assessment has been defined it may be appropriate to divide the scope into smaller parts. If the scope of the Risk Management task is very large or complex, it is often appropriate to divide the scope into the component sections, areas, projects, activities, tasks or functions to make the next stage easier to progress with. For example, a project may be broken down into design, construction and implementation phases. 6. Stakeholders Risk Management should be conducted in consultation with a group of stakeholders as participants, including those persons who are responsible for creating the risk as well as those who are exposed to the risk. An identified list of stakeholders will include people or organisations that are, or may be, affected by the risk or the control measures. Stakeholders may include individuals, groups of persons, alliance partners, other organisations, regulatory bodies, the public etc. Identifying stakeholders allows for identification of suitable people and organisations to be involved in the Risk Management process. Those identified stakeholders should also be involved in ensuing communication and consultation processes. 7. Stakeholder consultation Outline what stakeholder consultation has taken place, and when. 8. Participants Outline who will attend the risk assessment, including their organisations, names and positions. 9. Assumptions Identify any assumptions you are making along the way. The assumptions help to clarify the nature of any risks that may arise at the risk identification phase. 10. Constraints Identify what constraints the proposal is operating under. There are usually a number of constraints and these can be broadly categorised as: Political, including regulatory; Environmental; Social; Economic; Technical; and Logistic. Pg. 2 of 9 RMWI 2 V1.1

3 11. Boundaries Identify the boundaries of the risk assessment. The boundaries can be made up of such things as: Geographical boundaries; Operational boundaries; Interface boundaries; Phase boundaries; Time driven boundaries; and Other boundaries. 12. Qualifications/conditions Identify what qualifications or conditions are needed to ensure that there is no misunderstanding of any of the context setting components. A qualification can be a dependency or requirement that needs to be highlighted. 13. Reference Documentation and Standards Make reference to any relevant standards or documents that form part of the information needed to understand the context clearly. 14. Other Clarifying Commentary Use this section to include additional information that is relevant. DURING 2. STEP 2 - IDENTIFICATION OF RISKS ARTC defines risk as the chance of something happening or circumstances arising or changing that will have an impact upon objectives, measured in terms of likelihood and consequence. It encompasses both positive and negative impacts. For ARTC to achieve consistent Risk Management outcomes, it is fundamental to understand what can be defined as being a risk, and what cannot. 2.1 Components of Risk A risk description generally includes a source (e.g. hazard), risk event, cause and consequence. Risks are often incorrectly expressed as consequences only yet this is not the best way to define a risk. Consequences are the effects or impacts of a risk or combination of risks that result after a risk event occurs. Pg. 3 of 9 RMWI 2 V1.1

4 An example of a risk description: 1. The operator fails to notice a warning signal (cause) that leads to 2. A train SPADs (source) that leads to 3. A low speed collision of rolling stock (risk event) that results in 4. Rolling stock damage and/or personal injury (consequence). For clarification, the following shows examples of what are not risks, with an explanation of why not. Someone falling off a bridge does not state the cause and the consequence; SPAD does not describe the cause, risk event and consequence; and Train collision does not state the source, cause and consequence. 2.2 Identification of causes For every risk, there may be a number of causal factors associated with that risk. As part of the risk assessment process, primary causal factors must be determined in order to consider appropriate controls to reduce or exploit the risk. As such, there needs to be an understanding of what causes the risk event to occur. Only after having considered the causes of the risk event can suitable controls be considered that target these causes. Examples of causal factors: Distracted by mobile phone Inadequate on-site or off-site induction Not attending a toolbox meeting. 2.3 Methods of Risk Identification The aim of risk identification is to generate a comprehensive list of hazards, circumstances, consequences and risk events that might have an impact on the achievement of each of the activity/proposal/project objectives. Methods used to identify risk issues include checklists, brainstorming, experience and historical records, stakeholder consultation, flow charts, systems and scenario analysis and systems engineering techniques. The approach taken will depend on the type of activities and risks under review and is at the discretion of the risk facilitator. The methods used to identify risks must be documented in the risk assessment report. Risk issues may be identified in a number of ways. Methods that are within the capability of ARTC to carry out without external assistance include, but are not limited to: Checklists An extensive although not exhaustive list of sources of safety related risk is included in Appendix A to this work instruction. Generic sources of risk and area of impact may also be found in Appendix D of AS/NZS 4360:2004. Checklists should be used as a memory jogger during risk assessments to aid in the capture of risks that might otherwise be overlooked. Pg. 4 of 9 RMWI 2 V1.1

5 Brainstorming Brainstorming with the right mix of stakeholders can be a very powerful way to extract good quality risk information. When conducted as a group activity, brainstorming should be done in a controlled and structured manner, otherwise such matters as group think occur. Group think is the acceptance of obviously wrong answers simply because it is socially unacceptable to disagree, where there are conflicts of interest. A good technique is to convene a short 30 minute workshop, and ask individuals to write any potential risks on a sticky note. The notes are then stuck to a board and further analysed and grouped by the workshop participants. After the workshop, the facilitator assesses the relevance of the risk issues and places them into a risk assessment template and distributes to all participants for further workshop analysis. Railway Safety Records & Reports and Historical Records The ARTC Train Control Report (TCR) is the initiating document for the management of safety incidents within ARTC and its service providers and is also the basis of reporting rail safety incidents to the Rail Safety Regulators. The TCR database receives inputs via Network Controllers and Train Transit Managers from a wide range of stakeholders. Data collected is analysed regularly to identify the appearance of new risks or a change in risks already identified. The Generic Checklist contained in Appendix A to this work instruction is primarily derived from TCR and other incident data and provides a high level list of potential risks and precursor events. Findings from major incident investigations and audits are analysed individually and in conjunction with the Risk Register to identify possible new risks. Historical records, databases and articles on incidents and accidents both foreign and domestic should be sought out where possible and appropriate. 2.4 Additional methods The following methods are useful tools for the identification of risks, but may not be within ARTC s capability to carry out without external assistance. The techniques below require technical knowledge and a level of competency to be carried out effectively. Depending on the level of complexity of the risk scenario or activity being assessed, external assistance may be required to conduct the following risk identification techniques: Decomposition Techniques Where a proposal or project can be broken down into component parts, each of which is then considered on its own if risk events occur. Process Maps By describing a process using flow charts it is sometimes possible to identify risks involved at each stage in the process. Fault Tree Analysis (FTA) FTA can be used to identify risks in a process or system. These techniques are detailed methods of risk identification and staff should be trained in using these approaches before applying them. Pg. 5 of 9 RMWI 2 V1.1

6 HAZOPs and FMECA studies This includes past accident and incident data from databases within the organisation and external to the organisation in a related industry. This could also include near miss incident data. 3. STEP 3 - ANALYSIS OF RISKS Once a potential list of risk issues has been identified, these are systematically categorised as causes, circumstances, consequences and risk events. These risks are then further analysed in order to understand and prioritise them, and provide data to assist in their evaluation and treatment. 3.1 Determining Risk Level All identified risks are assessed in terms of likelihood and consequence criteria in order to determine the associated risk level. Relevant stakeholders must be consulted to achieve an agreed level of likelihood and consequence for identified risks. The risk assessment participants must consider the existing controls applicable to the risk scenario in question. Identification of the causal factors is important so that stakeholders can assess what controls already exist that specifically address the identified causes. Knowledge of ARTC s control inventory is critical at this stage and getting the right mix of stakeholders to participate when assessing risks will greatly assist. The assessed levels of likelihood and consequence are analysed and ranked using the risk calculator in Table # to determine the overall level of risk for the activity, situation or circumstance. The risk may be described as Very High, High, Medium or Low. 3.2 Risk criteria The risk analysis process is based on the assessment of the risk in relation to ARTC safety, financial and operational objectives. Risk criteria have been developed by ARTC and form the basis for analysing risks. For projects, specific criteria relating to project delivery may be developed. Further information is contained within PP-157. The Risk Criteria are formulated on two dimensions: 3.3 Analysing risk 1. The Consequence of the event occurring; and 2. The Likelihood of the consequence occurring. When analysing risk, there are two consequences that may be considered for each risk: The most likely; and The worst case this is considered to be the most pessimistic case or outcome of a risk event. The consequence should be assessed first, and then the likelihood of that particular consequence eventuating. Risks may then be scored using the consequence and likelihood scoring tables and matrix within RM-01. Pg. 6 of 9 RMWI 2 V1.1

7 3.4 Quantitative assessment The risk assessment workshop shall assess the requirement for a quantitative assessment on the basis of the complexity of the risks being assessed. In the event of a quantitative analysis being required, ARTC will source the capability externally. Where a quantitative approach is required, based on the conclusion that the qualitative approach is not adequate, there needs to be an evaluation of the type of quantitative approach to adopt. Considerations should include the availability of existing tolerability data for the subject in question and the determination of the final outcome of the quantitative analysis. 3.5 Project risk assessment ARTC projects, which operate under the Project Management Procedure PP-157, may require particular risks to be assessed against additional consequence criteria of budget, schedule and performance. These additional criteria may be applied to those risks that are deemed to exist for the life of the project only. Further information is contained within PP STEPS 4 AND 5 - RISK EVALUATION AND CONTROL The purpose of the risk evaluation and control phase is to make decisions about the degree of control required for each risk. It involves the identification of the range of options that can be deployed for treating the risks. These options will require assessment in terms of which is the best to adopt and the subsequent preparation and implementation of treatment plans and activities. Risks can be treated via a single strategy or the combination of a number of strategies. Various tools may be used to consider risk controls, e.g. for safety related risks, the hierarchy of controls may be used. For safety related risks, ARTC will adopt the SFAIRP principle when addressing this phase of the assessment (So Far As Is Reasonably Practicable). Risk Management Work Instruction 3 Guidelines on SFAIRP is to be followed when controlling safety related risks. 4.1 Evaluation and control for Non-SFAIRP risk assessment During a generic risk assessment, the following five questions should be asked in order to determine the best ways to eliminate, reduce or optimise the level of risk: 1. Can we eliminate or avoid the risk entirely? 2. Can we control the cause of the risk? 3. Can we control the scenario or circumstance associated with the risk? 4. Can we reduce or increase the likelihood of the risk occurring? 5. Can we reduce or increase the consequence of the risk? 4.2 Identifying options for the control of risks with positive outcomes Actively seek an opportunity to start or continue with an activity likely to create or maintain the positive outcome Change the likelihood, to enhance the likelihood of beneficial outcomes Pg. 7 of 9 RMWI 2 V1.1

8 Change the consequences, to increase the extent of gains 4.3 Identifying options for the control of risks with negative outcomes Eliminating or avoiding the risk Change the likelihood of the risk, to reduce likelihood of negative outcomes Change the consequences, to reduce the extent of losses 4.4 Understanding ways to eliminate, reduce or optimise risk can be gained by: Reference to established standards, where applicable. This may include local and international standards, codes of practice, company procedures and track access agreements. The standards used must be applicable to the risk; Reference to good practice ; Drawing on knowledge held by those performing the assessment and of stakeholders. 4.5 The following should be considered when establishing what is good practice : The practice is established in the jurisdiction, or another jurisdiction which has railway operations that are similar in scale to the operation in question; The practice is established and widely implemented in a similar industrial sector; The practice is enforced by legislation in more than one other country. The practice has demonstrably improved safety in its current application; The application of the risk elimination or control measure is relevant to the circumstances, as shown by experience of other organisations facing similar operating conditions; The established risk elimination or control measure of combination thereof has a proven track record in terms of incident history both locally and internationally; and The application of the risk measure is supported by existing reports or studies. 4.6 Risk control plans (for all risk assessments) Once controls have been selected then a risk control plan shall be developed to ensure that treatment is correctly implemented, together with mechanisms for monitoring that the controls are being properly maintained. A risk control plan using the template within RMWI 4 shall be prepared to document how the chosen risk control options are to be implemented. For any new control measures, there shall be in place a formal system of reviewing the effectiveness of the control once it has been implemented. The residual risk (risk after the control has been implemented) shall be analysed and evaluated to determine if the control measure has introduced any new risks. As part of the risk assessment, a nominated review date shall be agreed upon by all stakeholders. Once a control has been implemented, the effect of the control shall be monitored at a minimum on the nominated review date. Pg. 8 of 9 RMWI 2 V1.1

9 Depending on the type of control review mechanisms could include: Review at a regular risk management or safety / environmental meeting; or Talking to affected people to get feedback on the effectiveness of the control. Review of a control should take place soon after the implementation of the control and then at intervals afterwards dependent on the level of risk and anticipated effectiveness of the control. 4.7 Implementing control plans Responsibility for the control plan should be allocated to those best able to control the risk. Responsibilities should be agreed between the stakeholders at the earliest opportunity. AFTER 5. REPORT REQUIREMENTS On completion of any risk assessment workshop, the facilitator is required to write a report. The draft should be circulated to all risk assessment participants for their review and comment. Once feedback has been incorporated or rejected as appropriate (and circulated again if significant changes made), the report is signed by the person responsible for the risk assessment to indicate that ARTC risk management processes have been followed. The report is then submitted to the relevant General Manager/s for their sign off. The General Manager is acknowledging the identified risks and control plans. Once the report has been agreed and signed, the final risk assessment is to be distributed to all relevant parties, to ensure that personnel are aware of their responsibilities for controls. Control plans are to be implemented by the nominated responsible person. The report is also filed within the R Drive risk assessment library for future reference. 6. MONITOR AND REVIEW Risks are to be monitored and reviewed in accordance with RM-01. Pg. 9 of 9 RMWI 2 V1.1