RISK MANAGEMENT FOR INFRASTRUCTURE CONTENTS 1.0 PURPOSE & SCOPE 2.0 DEFINITIONS 3.0 FLOWCHART 4.0 PROCEDURAL TEXT 5.0 REFERENCES 6.0 ATTACHMENTS This document is the property of Thiess Infraco and all rights are reserved in respect of it. This document may not be reproduced or disclosed in any manner whatsoever, in whole or in part, without the prior written consent of Thiess Infraco. Thiess Infraco expressly disclaims any responsibility for or liability arising from the use of this document by any third party. Revision Status Issue/ Rev. Date Revision Description By Checked Checked Approved A1 June 2001 Original Issue JG PD RB PS Thiess Infraco Page 1 of 15 TIC-ASM-CON-PP12/A1
1.0 PURPOSE AND SCOPE The purpose of this procedure is to detail the process for Risk Management associated with infrastructure. This procedure shall be read in conjunction with TIC-ASM-CON-PP13 Material Change to Infrastructure Asset Management and shall apply to all infrastructure asset systems. This procedure is based on AS/NZS 4360: 1999 Risk Management 2.0 DEFINITIONS Consequence. The outcome of an event expressed qualitatively or quantitatively, being a loss, injury, disadvcantage or gain. There may be a range of possible outcomes associated with an event. Cost is the cost of activities, both direct and indirect, involving any negative impact, including money, time, labour, disruption, goodwill, political and intangible losses. Event. An incident or situation, which occurs in a particular place during a particular interval of time. Failure Mode and Effects Analysis (FMEA). A procedure by which potential failure modes in a technical system are analysed. Can be extended to perform a failure modes effects and criticality analysis (FMECA). Each failure mode identified is ranked according to the combined influence of its likelihood of occurrence and the severity of its consequences. Frequency Measure of the rate of occurrence of an event expressed as the number of occurances of an event in a given time. Hazard. A source of potential harm or a situation with a potential to cause loss. Likelihood. Term used as a qualitative description of propability or frequency. Loss. Is any negative consequence, financial or otherwise. Monitor. Is to check, supervise, observe critically, or record the progress of an activity, action or system on a regular basis in order to identify change. Probability. Is the likelihood of a specific event or outcome, measured by the ratio of specific events events or outcomes to the total number of possible events or outcomes. Probability is expressed as a number between 0 and 1, with 0 indication an impossible event or outcome and 1 indication an event or outcome is certain. Risk. The chance of something happening that will have an impact upon objectives. It is measured in terms of consequence and likelihood. Risk Analysis. A systematic use of available information to determine how often specified events may occur and the magnitude of their consequences. Risk Assessment. The overall process of risk analysis and risk evaluation. Risk Control. That part of risk management which involves the implementation of policies, standards, procedures and physical changes to eliminate or minimize adverse Thiess Infraco Page 2 of 15 TIC-ASM-CON-PP12/A1
risk. Risk Evaluation. The process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria. Risk Identification. The process of determining what can happen, why and how. Risk Management Process. The systematic application of management policies, procedures and pracrices to the task of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risk. Sensitivity Analysis. Process for examining how the results of a calculation or model vary as individual assumptions are changed. Stakeholders. Those people and organizations who may affect, or be affected by, or perceive themselves to be affected by, a decision or activity. Thiess Infraco Page 3 of 15 TIC-ASM-CON-PP12/A1
8 Communicate & Consult RISK MANAGEMENT FOR INFRASTRUCTURE 3.0 FLOWCHART TIC-ASM-CON-PP12 1 Establish the Context - Stategic context - Organisational context - Risk management context - Develop risk evaluation criteria - Decide the structure 2 Identify the Risks - What can happen? - How can it happen 3 Analyse Risks Determine existing controls: - Determine likelihood - Determine consequences to estimate level of risk 7 Monitor & Review 4 Evaluate Risks - Compare against criteria - Set risk priorities 5 Accept risk Yes No 6 Treat Risks - Identify treatment options - Evaluate treatment options - Select treatment options - Prepare treatment plans - Implement plans Figure 1: Risk Management Process Thiess Infraco Page 4 of 15 TIC-ASM-CON-PP12/A1
1 Evaluated and ranked risk 2 Risk acceptable Yes 3 Accept No Identify Treatment options 5 Reduce likelihood 6 Reduce consequences 7 Transfer in full or in part 8 Avoid 9 Consider feasibility costs and benefits Communicate and consult Assess treatment options 10 Recommend treatment strategies 11 Select treatment strategy 4 Monitor and review Prepare treatment plans 12 Prepare trearment plans Implement treatment plans 13 Reduce likelihood 14 Reduce consequences 15 Transfer in full or in part 16 Avoid 17 Risk acceptable Yes 18 Retain No Figure 2: Risk Treatment Process Thiess Infraco Page 5 of 15 TIC-ASM-CON-PP12/A1
4.0 PROCEDURAL TEXT The Risk Management process in this procedure follows the basic steps detailed in the reference standard AS/NZS 4360: 1999. TIC-OHS-RSK-PP01 Risk Management details the processes for the management of risk at the working level for day to day activities. This procedure is for more formal documentation of risk involving proposed changes to infrastructure to meet the requirements of notification of material changes to the Department of Infrastructure. 4.1 Responsibilities Project managers, Manager Engineering, Manager Asset Management are responsible for ensuring a risk management study is undertaken to identify any impact on risk resulting from material changes to infrastructure. Line managers are responsible for risk management in the work place in accordance with TIC-OHS-RSK-PP01. 4.2 Process Overview The process involves the following steps: Establishing the context; Identification of risks; Assessing the risks; - Analysing Risks - Evaluating Risks Treating Risks; Monitoring and reviewing Risks; and Communicating and consulting with stakeholders. The following paragraphs para-phrase the reference standard. 4.2 Establishing the Context Establishing the context involves the following: Establishing the strategic context; Establishing the organisational context; Establish the risk management context; Develop risk evaluation criteria; and Define the structure. 4.2.1 Establishing Strategic Context This step is focused on the environment in which the Thiess Infraco operates. The context includes financial, operational, competitive, political (public perceptions/image), social, client, cultural, and legal aspects. At this level and for broader studies it is appropriate to consider risks such as Health and safety (public and staff); Business interruption; Thiess Infraco Page 6 of 15 TIC-ASM-CON-PP12/A1
Public image/reputation; Equipment/asset damage Environmental damage Internal and external stakeholders are identified along with areas of potential impact. Communication policies with these parties need to be established. 4.2.2 Establish Organizational Context It is necessary to understand organizational capabilities, goals and objectives and the strategies in place to achieve them. Risk management takes place in the context of the wider goals, objectives and strategies. Failure to achieve objectives, or the specific activity, or the project being considered is one of the risks that need to be managed. Policy and goals help define the criteria by which it is decided whether a risk is acceptable or not, and form the basis of options for treatment. 4.2.3 Establish the Risk Management Context This step involves establishing goals, objectives, strategies, scope and parameters of the activity to which the risk management process is to be applied. Setting the scope and boundaries for the application of the risk management process involves: Defining the project or activity and establishing its goals and objectives; Defining the extent of the project in time and location; Identifying any studies needed; their scope, objectives, resources required, generic sources of risk, and areas of impact. Defining the extent and comprehensiveness of the risk management activities to be carried out. Factors to consider are: - Roles and responsibilities of various parts of the organisation(s) participating in managing the risk, - Relationships between the project or activity and other projects or activities being undertaken. 4.2.4 Develop Risk Evaluation Criteria Decide the criteria that risk is to be evaluated against. Decisions concerning risk acceptability and risk treatment will usually be based on operational, technical, financial, legal, or social (Public Relations or Environmental) criteria. The risk criteria must correspond to the type of risks and the way in which risk levels are expressed. Thiess Infraco Page 7 of 15 TIC-ASM-CON-PP12/A1
4.2.5 Define the Structure This step involves separating the activity or project into a set of elements. These elements provide a logical framework for identification and analysis, which helps ensure significant risks, are not overlooked. The structure chosen depends on the nature of the risks and the scope of the project or activity. For a material change that involves a change to infrastructure: The process of change (ie construction and commissioning) may be considered as one part of the exercise and the effect of the change considered as a separate study. The principle risks are considered to be: - Collision (PR1) - Injury to the public (PR2) - Injury to staff (PR3) - Derailment (PR4) - Infrastructure failure (PR5) - Rolling Stock failure (PR6) Other examples of Risk Types used in previous changes are: - Effect on public and employees - On time running - Equipment and asset damage - Legal liability - Equipment and asset damage - Public relations - Effect on the environment - Effect on user comfort 4.3 Risk Identification This step seeks to identify the risks to be managed. It should include all risks whether or not they are under control of Thiess Infraco. This step involves determining: What can happen How and why it can happen Tools and techniques to be used 4.3.1 What can Happen The aim is to generate a comprehensive list of events, which might affect each element of the structure in paragraph 4.2.5 above. These are considered in more detail to identify what can happen. Thiess Infraco Page 8 of 15 TIC-ASM-CON-PP12/A1
4.3.2 How and why it can happen Having identified a list of events, it is necessary to consider possible causes and scenarios. There are many ways an event can be initiated. It is important that no significant causes are omitted. 4.3.3 Tools and Techniques to be Used Checklists, judgements based on experience and records, flow charts, brain storming, systems analysis, scenario analysis and systems engineering techniques are the approaches used to identify risks. 4.4 Risk Analysis This step involves consideration of the sources of risk (events and hazards), their consequences and likelihood in the context of existing control measures. The objective is to separate the minor acceptable risks from the major risks, and to provide data to assist in the evaluation and treatment of risks. Excluded risks are to be listed, where possible to demonstrate the completeness of the risk analysis. 4.4.1 Determine Existing Controls It is necessary to identify existing management, technical systems and procedures to control risk and assess their strengths and weaknesses. 4.4.2 Consequences and Likelihood The consequences of an event and the likelihood of it occurring are assessed in the context of existing controls. Consequences and likelihood are combined to produce a level of risk. They may be determined by using statistical analysis or calculations, or where no data is available, by subjective estimates. Possible sources of information are: Past records Relevant experience Industry practice and experience Relevant published literature Experiments and prototypes Engineering models Specialist and expert judgements Techniques include: Structured interviews with experts in areas of interest Use of multi-disciplinary groups of experts Individual evaluation using questionnaires Use of computer and other modelling Use of fault trees and event trees FMECA (failure modes, effect and criticallity analysis). Thiess Infraco Page 9 of 15 TIC-ASM-CON-PP12/A1
4.4.3 Types of Analysis The types of analysis are: Qualitative analysis Semi-quantitative analysis Quantitative analysis Quantitative analysis is usually undertaken to provide a general indication of the level of risk initially. Where appropriate this is followed by a more specific quantitative analysis. 4.4.4 Qualitative Analysis Uses word form or descriptive scales to describe the magnitude of potential consequences and the likelihood that those consequences will occur. The scale s are adapted or adjusted to suit the circumstances. Table 1 shows Qualitative Measures of Consequence. Table 1 shows Qualitative Measures of Likelihood. Table 3 shows a Qualitative Risk Analysis Matrix Level of Risk. Table 4 shows examples of consequences and qualitative measures that were used for a risk analysis for a speed increase. Level Descriptor Example detail description 1 Insignificant No injuries, low financial loss 2 Minor First aid treatment, dealt with internally, medium financial loss 3 Moderate Medical treatment required, external assistance required, high financial loss 4 Major Extensive injuries, loss of operational capabilities, major financial loss 5 Catastrophic Death(s), business seriously threatened Table 1: Qualitative Measures of Consequence Level Descriptor Example detail description A Almost certain Is expected to occur in most circumstances B Likely Will probably occur in most circumstances C Possible Might occur at some time D Unlikely Could occur at some time E Rare May occur only in exceptional circumstances Table 2: Qualitative Measures of Likelihood Thiess Infraco Page 10 of 15 TIC-ASM-CON-PP12/A1
Likelihood Insignificant 1 Minor 2 Consequences Moderate 3 Major 4 Catastrophic 5 A (Almost certain) H H E E E B (Likely) M H H E E C (Possible) L M H E E D (Unlikely) L L M H E E (Rare) L L M H H Table 3: Qualitative Risk Analysis Matrix Risk Criteria E: Extreme risk; immediate action required to reduce risk. H: High risk; senior management attention needed. M: Moderate risk; management responsibility must be specified. L: Low risk; Risk generally acceptable, manage further by routine procedures Effect on Public and Employees 1. Fatalities and permanent disability 2. Serious lost time injury or illness 3. Moderate lost time injury or illness 4. Minor lost time injury or illness 5. No lost time On Time Running (OTR) 1. Major cancellation (more than one line) 2. Cancellation (one line) 3. Transposition s 4. Delays > 3 minutes 5. Delays < 3 minutes Legal Liability Equipment And asset Damage($) Public Relations 1. >$500K 1. >$500K 1. Loss of accreditation 2. $100K - $500K loss 3. $50K - $100K loss 4. 5K - $50K loss 5. Less than $5K loss 2. $100K - $500K loss 3. $50K - $100K loss 4. 5K - $50K loss 5. Less than $5K loss 2. Major negative media coverage Effect on environment 1.>$500K 2. $100K - $500K loss remediation costs Local actions 3. 3. $50K - $100K loss remediation costs Customer complaints (phone calls, letters) 5. on site complaints 4. 5K - $50K loss remediation costs 5. Less than $5K loss remediation costs Effect on user comfort 1. Extremely rough ride 2. Very rough ride 3. Rough ride 3. Noticeably rough ride 5. No discomfort in ride Table 4 Examples of Consequences with Quantitative Measures 4.4.5 Semi-quantitative Analysis For a semi-quantitative analysis, qualitative scales (extreme, high, moderate, and low) are given values. The objective is to produce a more detailed prioritization than is usually Thiess Infraco Page 11 of 15 TIC-ASM-CON-PP12/A1
achieved in a qualitative analysis. Table 5 provides an example of this. Note: The consequences in Table 4 are list in reverse order to Table 1. Table 5 cannot be used with Table 1. Tables 4 and 5 were used in courses run by Alara. CONSEQUENCES 1 2 3 4 5 PROBABILITY A B C D E 1 2 4 7 11 3 5 8 12 16 6 9 13 17 20 10 14 18 21 23 15 19 22 24 25 Table 5: Semi-qualitative Risk Ranking 4.4.6 Quantitative Analysis This approach uses numerical values for both consequences and likelihood using data from a variety of sources (see paragraph 4.4.2). Consequences may be expressed in terms of monetary, Technical or human criteria similar to Table 5 above. Likelihood is usually expressed as a probability, a frequency, or a combination of exposure and probability. 4.5 Risk Evaluation This step involves comparing the level of risk found during the analysis process with previously established criteria. The output of a risk evaluation is a prioritized list of risks for further action. If resulting risks fall into the low or acceptable risk categories they may be accepted with minimal further treatment. Low and accepted risks should be monitored and periodically reviewed to ensure they remain acceptable. Risks not falling into low or acceptable risk category should be treated one or more of the following options below. 4.6 Risk Treatment Risk treatment involves identifying the range of options for treating risk, assessing those options, preparing risk treatment plans and implementing them. 4.6.6 Identifying Options for Risk Treatment Figure 2 illustrates the risk treatment process. Options are: Avoid the risk Reduce the likelihood of occurrence. Reduce the consequences. Thiess Infraco Page 12 of 15 TIC-ASM-CON-PP12/A1
Transfer the risk. Retain the risk Measures to reduce consequence and likelihood are referred to as risk controls. Examples of measures for reducing or controlling likelihood are: - Audit and compliance programs - Formal reviews of requirements, specifications, design, engineering and operations - Inspection and process controls - Preventive maintenance - Quality assurance, management and standards - Research and development, technological development - Structured training - Supervision - Testing, trials - Technical controls - Organisational arrangements. Examples of measures for reducing or controlling consequence are: - Contingency planning - Contract conditions - Design features - Disaster recovery plans - Engineering and structural barriers - Minimising exposure to sources of risk - Separation or relocation of an activity and resources 4.6.7 Assessing Risk Treatment options Options are assessed based on the extent of risk reduction and the extent of additional benefits or opportunities created. Selection of the most appropriate option(s) involves balancing the cost of implementing each option against the benefits derived from it. The cost of managing risks needs to be commensurate with the benefits obtained. Where large reductions in risk may be achieved with relatively low cost, they should be implemented. Rare but severe risks may warrant risk reduction measures although not justifiable on economic grounds. The adverse impact of risks should be made as low as reasonably practicable, irrespective of any absolute criteria. Risk treatment options consider how risk is perceived by the affected parties and the most appropriate ways to communicate to those parties. 4.6.8 Preparing Treatment Plans Plans document how the chosen options shall be implemented. Plans identify responsibilities, schedules, the expected outcome of treatments, budgeting, performance measures and the review process to be put in place. Thiess Infraco Page 13 of 15 TIC-ASM-CON-PP12/A1
4.6.4 Implementing treatment Plans Responsibility for treatment of risk should be borne by those best able to control the risk. Responsibilities should be agreed between the parties at the earliest possible opportunity. If after treatment there is a residual risk, a decision shall be taken as to whether to retain that risk or repeat the risk treatment process. 4.7 Monitoring and Review Risks, effectiveness of risk treatment plan, strategies and the management system used to set up control implementation all need to be monitored. Risks and the effectiveness of control measures need to be monitored to ensure circumstances do not alter risk priorities. Ongoing review is necessary to ensure that the management plan remains relevant. 4.8 Communication and Consultation Communication and consultation need to be considered at each step of the risk management process. A communication plan for both internal and external stakeholders needs to be developed as early as possible. The plan should address issues relating to both the risk itself and the process to manage it. Perceptions of risk can vary, due to differences in assumptions and concepts and the needs, issues and concerns of stakeholders as they relate to the risk or the issues under discussion. Stakeholders are likely to make judgements of the acceptability of a risk based on their perception of risk. Stakeholders can have a significant impact on decisions made. It is important that their perceptions of risk and benefits are identified, documented, and understood. 4.9 Documentation Requirements A risk assessment and development of a risk management strategy needs to be documented in an appropriate report comprising the following structure: Title Page Executive Summary Introduction Brief description of the risk management process: - How the context was established - Identification of the risks - Assessment of the risks - Treatment of the unacceptable risks - How monitoring and review was undertaken - How consultation and communication was executed Description of Definitions used: - Incident/risk categories - Probability - Consequence - Risk ranking Results: Thiess Infraco Page 14 of 15 TIC-ASM-CON-PP12/A1
- Risk Register - Risk treatment schedule and plan - Risk action Plan Summary of recommendations for new controls to put in place. Examples of forms to document the risk analysis are: Risk Register TIC-ASM-CON-PP12-PF01 (Attachment 1). Risk Treatment Schedule and Plan TIC-ASM-CON-PP12-PF02 (Attachment 2). Risk Action Plan TIC-ASM-CON-PP12-PF03 (Attachment 3) 5.0 REFERENCES TIC-ASM-CON-PP01 - Material Change to Infrastructure Asset Management AS/NZS 4360: 1999 - Risk Management AS 4292.1: 1995 Railway Safety Management Standard Conditions of Accreditation under the provisions of the Transport Act 1983. 6.0 ATTACHMENTS TIC-ASM-CON-PP12-PF01 TIC-ASM-CON-PP12-PF02 TIC-ASM-CON-PP12-PF03 Risk Register Risk Treatment Schedule and Plan Risk Action Plan Thiess Infraco Page 15 of 15 TIC-ASM-CON-PP12/A1