Slide n° 1
Risk Management Framework in European Railway Legislation, Brussels, 24 October 2017
Risk Management Concepts
Requirements in the European Railway Legislation
EUMedRail, Brussels, 24 October 2017
Dragan JOVIČIĆ, EU Agency for Railways (Safety Unit)
Slide n° 2
CONTENTS
1. General concepts on “Risk” and “Risk Management”
2. Place of the Risk Management within the Organisation Business?
3. Advantages of a proactive vs. reactive Risk Management
4. Requirements for risk management in the EU railway legislation
5. Conclusions
Slide n° 3
What is “Risk”?
What is “Risk Management”?
Slide n° 4
Definition of the general concepts
What is risk?
Definition from dictionary: “the possibility of loss or injury”
Awareness of company risks implies the necessity to understand the potential problems that might occur with the company activities and how they might endanger the company sustainability
Concept of risk
Risk is inherent to life, which means that there is a possibility of loss or damage whenever undertaking an activity
To the common man, risk therefore means exposure to danger
Concept of Risk Management
Risk Management consists of the various activities and strategies that an organisation can use to protect itself from situations, circumstances or events that may undermine its sustainability
Usually Risk Managers work closely with “H&S personnel to reduce risks of accidents and injuries at work” or with “insurance companies”
Risk-based thinking
Ensures risk is considered from the beginning and is continuously managed
Preventive actions are part of the strategic and operational planning of the organisation
Slide n° 5
We are all familiar with
Generally everyone has some understanding of the meaning of the word “Risk”:
as children we were taught that something is risky, or we are sometimes told not to take risks
But what exactly is “a risk”?
In fact, every day we all take risks quite happily. We all do many things although we are aware that there is a risk involved, e.g. in:
crossing a street, or driving a car, or riding a bike, or going on a skiing holiday
We accept those risks because in our minds, although the potential consequences can be death or serious injury, we think that if we are careful, the chance of something terrible happening is very low
All these activities can result in an accident
Slide n° 6
How can a Risk be specified/characterised?
In practice risk evaluation considers 4 inseparable factors/parameters:
the hazard [H] [i.e. an initiating/triggering event] which can lead to something happening that we do not want [Unwanted Event] and which can impact (usually) on one or several of the following targets:
  one or several persons,
  one or several groups of people,
  one or several ecosystems,
  one or several (sub-)systems [equipment/assets];
the probability [P] of occurrence of the Unwanted Event;
the severity [S] of the consequences if the Unwanted Event happens;
the risk acceptability [A] by the stakeholders, including one of the targets.
While (H; P; S) can be defined, it is not possible to define Risk Acceptability scientifically. The latter is strongly dependent on individual or collective subjectivity and risk perception
R is thus dependent on (H; P; S; A)
Slide n° 7
Examples of risk evaluation and risk acceptability
Example with high consequence and low probability: an airplane flight
the consequence of an airplane crash is usually the “loss of most, if not all lives on board” – terrible
fortunately, when we fly, the probability of being in an airplane crash is very small (1 in several millions according to aviation statistics)
the very low probability of the hazard makes the risk very acceptable
Example with very high probability but relatively low consequences: a flu
when going to work there is a very good chance of catching the flu (influenza) from a colleague at some time in the year
the probability of this happening might be 1 in 5, but if it does happen we will just be laid up in bed for a week without serious or long-term damage. The low severity of the consequence makes the risk of getting flu by going to work quite acceptable.
So whether we choose to ACCEPT or REJECT a risk depends on the mix of two factors (Probability and Consequence Severity) of the hazard
Slide n° 8
Example of Hazard-Risk-Accident - Bow-Tie diagram in Fig. A.4 of EN 50 129: Definition of hazards with respect to the system boundary
[Figure: bow-tie diagram with a CAUSES side and a CONSEQUENCES side. Elements: Cause (of a Hazard at Sub-System Level); Hazard (at Sub-System Level); Sub-System Boundary; Cause (of a Hazard at System Level); Hazard (at System Level); System Boundary; Accident k; Accident l. Example labels: Overspeed; Bad braking performances; Derailment; Loss of toxic substances.]
Causes of hazards at level of system under assessment may be considered as hazards at the sub-system level (with respect to sub-system boundary).
$R = f_H \times S_C$ (Hazard: $f_H$)
Use of Fault Trees (FTA)
Use of Event Trees (ET)
Slide n° 9
Where does the Risk Management fit within the Company/Organisation Business?
Slide n° 10
Risk is ALWAYS present
No matter what kind of company, organisation or institution we are talking about, “risk” is always going to be present
Identifying, understanding and evaluating risks is a very important aspect of business management. Indeed, business can suffer terrible consequences if risks are not appropriately managed
Company, Organisation or Institution
So, in the scope of their decisions the Top Management must always keep in mind the presence of risk in order to be able to manage it and to “make the right trade off decisions” between a risk and an opportunity
But Risk Management must not focus only on minimising a risk to the detriment of all the rest. It also makes it possible to consider the opportunities
In EU railway legislation, proactive management of risks arising from the company activities is mandatory
Slide n° 11
Perception of the concepts
Many people see Risk and Risk Management as a boring task that nobody likes and nobody is happy to deal with
In practice, whether we like it or not, proper Risk Identification and appropriate Risk Management must be done
Slide n° 12
Most widely understood risks
Occupational Health and Safety risks
Most people generally associate the word “risk” with injury, health risks and death, but there are many other types of risk faced by any business
For example, we can think of:
risk of harm
risk of detriment or damage
The risk of "harm" is the type of risk that we mostly think about.
The word “harm” is employed in relation to something living, usually a person or the natural environment
The risk of "detriment" or “damage” does not involve injury to something living. It generally means some form of economic loss, including the loss of operational capability
Slide n° 13
Although no consensus exists on how an organisation should categorise its risks, one approach could be to divide them into 4 quadrants
Operational Risk
Arises from people or a failure in processes, systems or controls, including those involving IT technology
People risk, IT risk, Management oversight, Business processes
Financial Risk
Arises from the effect of market forces on financial assets or liabilities
Market risk, Credit risk, Price risk, Liquidity risk
Hazard Risk
Arises from property, liability or personnel loss exposure and is generally the subject of insurance
Property risk, Legal risk, Personnel risk and consequential losses
Strategic Risk
Arises from the trends in the economy and society
Economic environment, Political environment, Demographic changes, Competition
Slide n° 14
Operational and Hazard risks are PURE RISKS
Strategic and Financial risks are SPECULATIVE RISKS
A particular risk can fall into several risk quadrants
Slide n° 15
Example of the four Risk Quadrant areas for a New Company
Operational Risk
Risk arising from staff turnover or the inability to find skilled staff
Business process risks related to the Supply Chain management
IT technology risks related to the automated manufacturing process and services
Hazard Risk
Property damage risks to its plant and equipment resulting from fire, storms or other events
Risk of injury to its employees and liability risks associated with its products and services
Strategic Risk
Competition and economic factors that could affect consumer demand
Political risks arising from countries in which the company component suppliers are located
Financial Risk
Exchange rate risks
Price risks for raw materials and supplies
Slide n° 16
Advantages of a proactive vs. a reactive Risk Management
Slide n° 17
Reactive and Proactive Risk Management in railways
Railway Activities (Operation, Traffic Management and Maintenance)
Generate risks
Safe Operation & Safe Maintenance (i.e. all risks are under control)
Slide n° 18
Reactive and Proactive Risk Management in railways
Accidents used to prevent repetition of similar accidents
Reactive approach (React & Fix)
PAST: achieved by compliance with National (Rules, CoP and Standards)
Symptoms
Slide n° 19
Reactive and Proactive Risk Management in railways
Competence and knowledge used to identify and control systematically all risks and prevent accidents (or protect)
Proactive approach (Predict & Prevent or Protect)
PAST: achieved by compliance with National (Rules, CoP and Standards)
Safety Directive: risk-based approach through a (Safety) Management System
Slide n° 20
PROACTIVE Risk Management is most effective and it must be continually repeated
You cannot just react when Unwanted Events happen, you must anticipate
Risks must be identified and managed PROACTIVELY in order to:
anticipate potential problems that might have a chance of happening, and
ensure that the company has the necessary processes in place for dealing with them before they actually arise
Instead of just focusing on the symptoms (reaction), it looks for the root causes of problems and manages them before they actually happen
Prevention is always better than the cure. If you can prevent something from happening, it saves you a lot of time and money in the long term
Also, Risk Management is not a “one shot” activity
Since an organisation is continually changing and progressing in different ways (e.g. staff turnover, new employees, new business opportunities, etc.), the Risk Management processes and procedures in place have to be continually reviewed in order to check their applicability and effectiveness
Slide n° 21
Specify the risks, then manage them
This part is very important and often overlooked:
Specify the Risk Details (H; P; S; A) [Hazard, Probability, Severity of Consequence, Acceptability] then manage the risks
Do NOT do it the other way around!
If you have a clear specification of the risk ahead of you, it is much easier to:
understand the risk, identify other related problems, and define action plans (Risk Control Measures) to deal with it effectively
In practice, do not forget that when facing unusually high risks there might also be clear opportunities for improved benefits, for example higher margins:
Practical methods of risk management comply with this natural reasoning and decision-making. They make it possible to link risks and opportunities in an integrated management system of the company business and finance, maximising the results of positive events and minimising the consequences of adverse events
Slide n° 22
A proactive Risk Management makes it possible to link Risks and Opportunities
Is risk a threat/negative or an opportunity/positive?
RISK:
any uncertainty that, if it occurs, would affect one or more objectives of the organisation
RISK/THREAT:
any uncertainty that, if it occurs, would affect one or more objectives of the organisation NEGATIVELY
Find a way to avoid the risk
Find a way to mitigate the risk, reducing either the probability of occurrence or the severity of the consequence
Find a way to transfer to another party
OPPORTUNITY:
any uncertainty that, if it occurs, would affect one or more objectives of the organisation POSITIVELY
Exploit the opportunity
Enhance the benefit by increasing the effect or the probability
Share with another party
Slide n° 23
Risk response strategies/options
[Figure: matrix of risk response options. Axes: Probability (Low to High) and Consequence Severity (Low impact to High impact).]
Avoid (Eliminate cause of risk)
Transfer (Have a third party taking on responsibility for risk – e.g. Insurance)
Reduce/Mitigate (Reduce probability or impact of risk)
Accept (Implement risk control measures – Action Plans)
Preferences for risk management (BEST to WORST): Avoid, Reduce/Mitigate, Transfer, Accept
Slide n° 24
What is finally "Risk Management"?
Risk Management is a logical and systematic method of identifying the hazards and analysing, treating and monitoring the associated risks which are involved in any activity or process of a company
Risk Management shall be an integral part of the company business planning and the key management process for taking decisions.
Risk Management gives the company the opportunity:
to protect the business from unexpected financial outcomes due to sudden and unwanted events
to improve its efficiency, make the best allocation of its available capital and resources and improve the benefits
Slide n° 25
General overview of risk management framework in ISO 31000
Regardless of the type of business, activity or function of the company, Risk Management is a 7-step process:
Defining context (System Definition)
Risk Assessment:
  Hazard/Risk Identification
  Risk Analysis
  Risk Evaluation
Risk Control
Risk Monitoring and Review
Communicate with and consult staff on the company activities and risks
[Figure: Basic steps of the Risk Assessment Process (Part of SMS): System Definition; Risk Assessment (Hazard/Risk Identification, Risk Analysis, Risk Evaluation); Risk Control; Risk Monitoring and Review; Communicate and Consult on risks]
‘Risk’ is dynamic and subject to constant change, so Risk Management process includes continuous
Slide n° 26
Recording, Reviewing and continual use of Risk Assessments
Recording: risk assessments need to be recorded whenever risks are significant. Recording provides a basis for monitoring the Risk Control Measures and helps to define the training needs and develop suitable training programmes
Reviewing: risk assessments should not be regarded as fixed and unchanging documents. They should be subject to regular review. If there are no changes or developments in the workplace, no new equipment has been purchased and the operational processes have remained unchanged, then reviews can take place on a routine basis (e.g. every 12 months)
Continual use of Risk Assessments: any change in the workplace, from the introduction of new equipment to changes in work practices, should lead to a review of the risk assessment. As new hazards are introduced or existing hazards eliminated, existing controls may no longer be necessary, sufficient or effective
Finally, whenever an accident occurs the risk assessment should be reviewed as part of the investigation process. It may be that the initial assessment failed to identify a hazard or that the control that had been implemented was not effective at reducing risk or was not being followed or used. A review of a risk assessment following an accident is an essential part of the learning process, leading to continual improvement of the company Safety Management System
Slide n° 27
European Railway Legislation
Slide n° 28
EU Regulatory Framework on Risk Management
Harmonised «Risk based approach» and proactive Management of Safety
Instead of «reacting and fixing» only the events that occurred in the past, Directive 2004/49 requires RUs, IMs & ECMs to put in place:
a (Safety) Management System (SMS/MS), and
a proactive way of thinking in «predicting and preventing» possible unwanted events (risks) that may happen.
To ensure safe Operation & Maintenance of the railway system, the SMS/MS shall look both FORWARD and RETROSPECTIVELY in order to control (all) risks associated with RU, IM & ECM activities. This implies the need to:
«predict» unwanted events that can happen during operation & maintenance of the railway system;
«prevent» them from happening or «protect» against their consequences.
[Diagram: Railway Activities (RUs, IMs & ECMs); Risks; SMS/MS; Safe Operation & Maintenance (i.e. all risks are under control)]
Slide n° 29
The RU, IM & ECM Management System must be certified by a Conformity Assessment Body
[Diagram: relations between CUSTOMER, RU, IM, ECM and KEEPER. Labels: Track Access; Safety Certification; Safety Authorisation; Transport Contract; Maintenance Contract; Renting Contract; Contract of use - GCU. ECM CERTIFICATION BODY: Certification of MS, Surveillance of MS. NSA: Certification of SMS, Supervision of SMS.]
Slide n° 30
What is an SMS/MS?
SMS/MS is a structured & documented set of tools, specific to activities of every RU-IM-ECM, used for safe management of company risks. It ensures that:
1) PLAN: the company is organised (designed) to deliver safely the operation through appropriate processes, procedures & rules
2) DO: the company actually deploys the operational and supporting processes
3) CHECK: the company measures the effectiveness of the processes (monitoring)
4) ACT/ADJUST: the company takes preventive or corrective measures on detection of non-compliances (i.e. continuous management of company risks with aim of preventing accidents)
[Diagram: SMS/MS as a PLAN - DO - CHECK - ACT cycle. Labels: Risk Management; Processes; (Existing) Rules; Procedures; Human Factors]
Slide n° 31
Complementary processes in Risk Management
CSM for risk assessment (Reg. 402/2013 & Reg. 2015/1136)
CSM for monitoring (Reg. 1078/2012)
They are cornerstones/pillars of an effective Risk Management and Safety Management System
Implementation of Technical, Operational & Organisational changes can be safe & effective only if the Change Control Management process of SMS is based on a continual and combined use of CSM for risk assessment & CSM for monitoring
CSM for risk assessment & CSM for monitoring cannot be separated from each other
Slide n° 32
What is the place of CSM for risk assessment and CSM for monitoring within the Management System (SMS/MS)?
CSM for risk assessment
CSM for monitoring
CSM for risk assessment
Slide n° 33
Relation between predictive Risk Assessment and Monitoring
Comparison with engineering disciplines: Automatic Regulation Systems
[Diagram: closed-loop automatic regulation system (REGULATOR; ACTION / REACTION). Signals: Order E(p); comparator (+ / –); Gap ε(p); Command U(p); Output S(p); Measure X(p). Blocks: Corrector and System under regulation (labelled C(p) and K(p)); Sensor G(p).]
Slide n° 34
Equivalence of Principle with Automatic Regulation Systems
Relations between Risk Assessment & Monitoring
[Diagram: the regulation loop applied to the Railway System. Labels: Change (Objectives); comparator (+ / –); Order; Command; Action Plan; Actual Performance; REGULATOR; Information on how to monitor.]
CSM for risk assessment (RCM - Risk Control Measures), Reg. 402/2013 & 2015/1136: Predictive Risk Assessment
CSM for monitoring, Reg. 1078/2012: Monitoring and Preventive/Corrective measures
Slide n° 35
Slide n° 37
Reminder
Risk Assessment | Risk Management
What can happen? (Identify Hazards) | What can be done?
How likely is it to happen? (Estimate frequency) | What are the benefits, costs and risks of each option?
What are the consequences if it happens? (Estimate severity) | What are the impacts of each option on future options?
Are consequences acceptable? (Risk acceptability) | Are the impacts of each option affordable?
Reduce the risks where required (Risk control)
Risk monitoring and risk review (i.e. check effectiveness + improve)
Risk assessment is a means to an end, not an end in itself - The aim is to keep people safe, not only to have good paperwork
Questions?