risk management concepts requirements in the …. risk...risk management framework in european...

Slide n° 1Risk Management Framework in European Railway Legislation,

Brussels, 24 October 2017

Risk Management ConceptsRequirements in the European Railway Legislation

EUMedRail, Brussels, 24 October 2017

Dragan JOVIČIĆ, EU Agency for Railways (Safety Unit)



CONTENTS

1. General concepts on “Risk” and “Risk Management”

2. Place of the Risk Management within the Organisation Business?

3. Advantages of a proactive vs. reactive Risk Management

4. Requirements for risk management in the EU railway legislation

5. Conclusions



What is “Risk”?What is “Risk Management”?



Definition of the general concepts

Definition from dictionary: “the possibility of loss or injury”

awareness of company risks implies the necessity to understand the potential problems that might occur with the company activities and how they might endanger the company sustainability

What is risk?

Risk is inherent to life which means that there is a possibility of loss or damage whenever undertaking an activity

To the common man, risk means therefore exposure to danger

Concept of risk

Risk Management consists of the various activities and strategies that an organi-sation can use to protect itself from situations, circumstances or events that may undermine its sustainability

Usually Risk Managers work closely with “H&S personnel to reduce risks of accidents and injuries at work” or with “insurance companies”

Concept of Risk Management

Ensures risk is considered from the beginning and is continuously managed

Preventive actions are part of the strategic and operational planning of the organisation

Risk-based thinking



We are all familiar with

Generally everyone has some understanding of the meaning of the word “Risk”:

as children we were taught that something is risky, or we are sometimes told not to take risks

But what exactly is “a risk”?

In fact everyday we all take risks quite happily. We all do many things although we are aware that there is a risk involved. E.g. in:

crossing a street, or driving a car, or riding a bike, or going on a skiing holiday

We accept those risks because in our minds, although the potential consequences can be death or serious injury, we think that if we are careful, the chances of something terrible happening is very low

All these activities can result in an

accident



How can a Risk be specified/characterised?

In practice risk evaluation considers 4 inseparable factors/parameters :

the hazard [H] [i.e. an initiating/triggering event] which can lead to something happening that we do not want [Unwanted Event] and which can impact (usually) on or several of the following targets:

one or several persons, one or several groups of people, one or several ecosystems, one or several (sub-)systems [equipment/assets],

the probability [P] of occurrence of the Unwanted Event, the severity [S] of the consequences if the Unwanted Event happens, the risk acceptability [A] by the stakeholders, including one of the targets

While (H; P; S) can be defined, it is not possible to define scientifically Risk Acceptability. This latter one is strongly dependent on individual or collective subjectivity and risk perception

R is thus dependent on (H; P; S, A)



Examples of risk evaluation and risk acceptability

Example with high consequence and low probability: an airplane flight

the consequence of an airplane crash is usually the “loss of most, if not all lives on board” – terrible

fortunately, when we fly, the probability of being in an airplane crash is very small (1 in several millions according to aviation statistics)

the very low probability of the hazard makes the risk very acceptable

Example with very high probability but relatively low consequences: a flu

when going to work there is a very good chance to catch a flu (influenza) from a colleague at some time in the year

the probability of this happening might be 1 in 5, but if it does happen we will be just laying up in bed for a week without serious

or long-term damages. The low severity of the consequence makes the risk of getting flu by going to work quite acceptable.

So whether we choose to ACCEPT or REJECT a risk depends on the mix of two factors (Probability and Consequence Severity) of the hazard



Example of Hazard-Risk-Accident - Bow-Tie diagram in Fig. A.4 of EN 50 129: Definition of hazards with respect to the system boundary

Accident k

System Boundary

Accident l

Hazard (at System Level)

Cause (of a Hazard at Sub-System Level)

Sub-System Boundary

CAUSES CONSEQUENCES

Cause (of a Hazard at System Level)

Hazard (at Sub-System Level)

Causes of hazards at level of system under assessment may be considered as hazards at the sub-system level (with respect to sub-system boundary).

Derailment Loss of toxic substances

OverspeedBad braking performances

R = fH x SCHazard: fH

Use of Fault Trees (FTA) Use of Event Trees (ET)



Where does the Risk Management fit within the Company/Organisation Business?



Risk is ALWAYS present

No matter what kind of company, organisation or institution we are talking about, “risk” is always going to be present

Identifying, understanding and evaluating risks is a very important aspect of business management. Indeed, business can suffer terrible consequences if risks are not appropriately managed

Company, Organisation or Institution

So, in the scope of their decisions the Top Management must always keep in mind the presence of risk in order to be able to manage it and to “make the right trade off decisions” between a risk and an opportunity

But Risk Management must not focus only on minimising a risk to the detriment of all the rest. It permits also to consider the opportunities

In EU railway legislation, proactive management of risks arising from the company activities is mandatory



Perception of the concepts

Many people see Risk and Risk Management as a boring task that nobody likes and nobody is happy to deal with it

In practice, no matter we like or dislike it, proper Risk Identification and appropriate Risk Management must be done



Most widely understood risks

Occupational Health and Safety risks

Most people generally associate the word “risk” with injury, health risks and death, but there are many other types of risk faced by any business

For example, we can think of:

risk of harm risk of detriment or damage

The risk of "harm" is the type of risk that we mostly think about.

The word “harm” is employed in relation to something living, usually a person or the natural environment

The risk of "detriment" or “damage” does not involve injury to something living. It generally means some form of economic loss, including the loss of operational capability



Although no consensus exists on how an organisation should categorise its risks, one approach could be to divide them into 4 quadrants

People risk,IT risk,

Management oversight,

Business processes

Operational Risk

Arises from people or a failure in processes, systems or controls, including those involving IT technology

Financial Risk

Arises from the effect of market forces on financial assets or liabilities

Hazard Risk

Arises from property, liability or personnel loss exposure and are generally the subject of insurance

Strategic Risk

Arises from the trends in the economy and society

Property risk,Legal risk,Personnel risk andconsequential losses

Economic environment, Political environment,

Demographic changes,

Competition

Market risk,Credit risk,Price risk,Liquidity risk



Although no consensus exists on how an organisation should categorise its risks, one approach could be to divide them into 4 quadrants

People risk,IT risk,

Management oversight,

Business processes

Operational Risk

Arises from people or a failure in processes, systems or controls, including those involving IT technology

Financial Risk

Arises from the effect of market forces on financial assets or liabilities

Hazard Risk

Arises from property, liability or personnel loss exposure and are generally the subject of insurance

Strategic Risk

Arises from the trends in the economy and society

Property risk,Legal risk,Personnel risk andconsequential losses

Economic environment, Political environment,

Demographic changes,

Competition

Market risk,Credit risk,Price risk,Liquidity risk

Operational and Hazard risks are PURE RISKS

Strategic and Financial risks are SPECULATIVE RISKS

A particular risk can fall into several risk quadrants



Example of the four Risk Quadrant areas for a New Company

Risk arising from staff turnover or the inability to

find skilled staff

Business process risks related to the Supply Chain management

IT technology risks related to the auto-mated manufacturing process and services

Operational Risk

Financial Risk

Hazard Risk

Strategic Risk

Property damage risks to its plant and equipment resulting from fire, storms or other events

Risk of injury to its employees and liability risks associated with its products and services

Competition and economic factors that could affect consumer demand

Political risks arising from countries in which the company component suppliers

are located

Exchange rate risks

Price risks for raw materials and supplies



Advantages of a proactive vs. a reactive Risk Management



Reactive and Proactive Risk Management in railways

Railway Activities (Operation, Traffic Management and Maintenance)

Generate risks

Safe Operation & Safe Maintenance(i.e. all risks are under control)





Generate risks


Accidents used to prevent repetition of similar accidents

Reactive approach(React & Fix)

PAST: achieved by compliance with National (Rules, CoP and Standards)

Symptoms





Generate risks


Competence and knowledge used to identify and control systematically all

risks and prevent accidents (or protect)

Proactive approach(Predict & Prevent or Protect)

PAST: achieved by compliance with National (Rules, CoP and Standards)

Safety Directive: risk-based approach through a (Safety) Management System

Accidents used to prevent repetition of similar accidents

Reactive approach(React & Fix)

Symptoms



PROACTIVE Risk Management is most effective and it must be continually repeated

You cannot just react when Unwanted Events happen, you must anticipate

Risks must be identified and managed PROACTIVELY in order to:

anticipate potential problems that might have a chance of happening, and ensure that the company has the necessary processes in place for dealing

with them before they actually arise

Instead of just focusing on the symptoms (reaction), it looks for the root causes of problems and manages them before they actually happen

Prevention is always better than the cure. If you can prevent something from happening, it’s saving you a lot of time and money in the long term

Also, Risk Management is not a “one shot” activity

Since an organisation is continually changing and progressing in different ways (e.g. staff turn over, new employees, new business opportunities, etc.), Risk Management processes and procedures in place have to be continually reviewed in order to check their applicability and effectiveness



Specify the risks, then manage them

This part is very important and often overlooked:

Specify the Risk Details (H; P; S; A) [Hazard, Probability, Severity of Consequence, Acceptability] then manage the risks

Do NOT do it the other way around!

If you have a clear specification of the risk ahead of you, it is much easier to:

understand the risk identify other related problems, and define action plans (Risk Control Measures) to deal with it effectively

In practice, do not forget that when facing unusually high risks there might be also clear opportunities for improved benefits, for example higher margins:

Practical methods of risk management comply with this natural reasoning and decision-making. They enable to make a link between risks and opportunities in an integrated management system of the company business and finance, maximising the results of positive events and minimising the consequences of adverse events



A proactive Risk Management permits to link Risks and OpportunitiesRisk is a threat/negative or an opportunity/positive?

RISK:

any uncertainty that, if it occurs, would affect one or more objectives of the organisation

RISK/THREAT:

any uncertainty that, if it occurs, would affect one or more objectives

of the organisation NEGATIVELY

OPPORTUNITY:

any uncertainty that, if it occurs, would affect one or more objectives

of the organisation POSITIVELY

Find a way to avoid the risk

Find a way to mitigate the risk reducing either the probability of occurrence or the severity of the consequence

Find a way to transfer to another party

Exploit the opportunity

Enhance the benefit by increasing the effect or the probability

Share with another party



Risk response strategies/optionsProbability

Consequence Severity

Avoid(Eliminate cause of risk)

Transfer(Have a third party

taking on responsibility for risk – e.g. Insurance)

Reduce/Mitigate(Reduce probability or

impact of risk)

Accept(Implement risk control

measures – Action Plans)

High

Low impact

High impact

Preferences for risk management

AvoidReduce/MitigateTransfer

Accept

Low

BESTWORST



What is finally "Risk Management"?

Risk Management is a logical andsystematic method of identifying the hazards and analysing, treating and monitoring the associated risks which are involved in any activity or process of a company

Risk Management shall be an integral part of the company business planning and the key management process for taking decisions.

Risk Management gives the company the opportunity:

to protect the business from unexpected financial outcomes due to sudden and unwanted events

to improve its efficiency, make the best allocation of their available capital and resources and improve the benefits



General overview of risk management framework in ISO 31000

Regardless of type of business, activity or function of company, Risk Management is 7 step based process

Defining context (System Definition)

Risk Assessment

Hazard/Risk Identification Risk Analysis Risk Evaluation

Risk Control

Risk Monitoring and Review

Communication with and consult staff on the company activities and risks

System Definition

Ris

k A

sse

ssm

ent

Communicate and Consult on risks

Hazard/Risk Identification

Risk Analysis

Risk Evaluation

Risk Control

Risk Monitoring and Review

Bas

ic s

tep

s o

f th

e R

isk

Ass

ess

me

nt

Pro

cess

‘Risk’ is dynamic and subject to constant change,

so Risk Management process includes continuous

Par

t o

f SM

S



Recording, Reviewing and continual use of Risk Assessments

Recording: risk assessments need to be recorded whenever risks are significant. Recording provides a basis for monitoring the Rick Control Measures and helps defining the training needs and developing suitable training programmes

Reviewing: risk assessments should not be regarded as fixed and unchanging documents. They should be subject to regular review. If there are no changes or developments in the workplace, no new equipment has been purchased and the operational processes have remained unchanged then reviews can take place on a routine basis (e.g. every 12 months)

Continual use of Risk Assessments: Any change in the workplace, from the intro-duction of new equipment to changes in work practices should lead to a review of the risk assessment. As new hazards are introduced or existing hazards eli-minated, existing controls may not be necessary any more, sufficient or effective

Finally, whenever an accident occurs the risk assessment should be reviewed as part of the investigation process. It may be that the initial assessment failed to identify a hazard or that the control that had been implemented was not effective at reducing risk or was not being followed or used. A review of a risk assessment following an accident is an essential part of the learning process, leading to continual improvement of the company Safety Management System



European Railway Legislation



EU Regulatory Framework on Risk Management Harmonised «Risk based approach» and proactive Management of Safety

Instead of «reacting and fixing» only the events that occurred in past, Directive 2004/49 requires RUs, IMs & ECMs putting in place:

(Safety) Management System (SMS/MS), and; proactive way of thinking in «predicting and preventing»

possible unwanted events (risks) that may happen;

to ensure safe Operation & Maintenance of railway system,SMS/MS shall look both FORWARD and RETROSPECTIVE in order to control (all) risks associated with RU, IM & ECM activities. This implies to:

«predict» unwanted events that can happen during operation & maintenance of railway system;

«prevent» them to happen or «protect» against their consequences;

Safe Operation & Maintenance

(i.e. all risks are under control)

Railway Activities

(RUs, IMs & ECMs)

SMS/MSRisks



The RU, IM & ECM Management System must be certified by a Conformity Assessment Body

CUSTOMER

ECM

IM RUTrack

Access

SafetyCertification

SafetyAuthorisation

TransportContract

MaintenanceContract

Renting Contract

Contract of use - GCU KEEPER

ECM CERTIFICATIONBODYNSA

Surveillance of MSSupervision of SMS

ECM CERTIFICATIONBODY

NSA

Certification of MSCertification

of SMS



1) PLAN: the company is organised (designed) to deliver safely the operation through appropriate processes, procedures & rules

2) DO: the company actually deploys the operational and supporting processes

3) CHECK: the company measures the effectiveness of the processes (monitoring)

4) ACT/ADJUST: the company takes preventive or corrective measures on detection of non-compliances ( i.e. continuous management of company risks with aim of preventing accidents)

SMS/MS is a structured & documented set of tools, specific to activities of every RU-IM-ECM, used for safe management of company risks. It ensures that:

What is an SMS/MS?

SMSMS

DO

CHECKACT

PLAN

Risk Manage

ment

Processes

(Existing)Rules

Procedures

Human Factors



CSM for risk assessment

(Reg. 402/2013 &

Reg. 2015/1136)

CSM for monitoring

(Reg. 1078/2012)

Complementary processes in Risk Mangement

They are cornerstones/pillars of an effective Risk Management and Safety Management System

Implementation of Technical, Operational & Organisationalchanges can be safe & effective only if the Change ControlManagement process of SMS is based on a continual andcombined use of CSM for risk assessment & CSM formonitoring

CSM for risk assessment & CSM for monitoring cannot be separated from each other



1) PLAN: the company is organised (designed) to deliver safely the operation through appropriate processes, procedures & rules

2) DO: the company actually deploys the operational and supporting processes

3) CHECK: the company measures the effectiveness of the processes (monitoring)

4) ACT/ADJUST: the company takes preventive or corrective measures on detection of non-compliances ( i.e. continuous management of company risks with aim of preventing accidents)

SMS/MS is a structured & documented set of tools, specific to activities of every RU-IM-ECM, used for safe management of company risks. It ensures that:

SMSMS

DO

CHECKACT

PLAN

Risk Manage

ment

Processes

(Existing)Rules

Procedures

Human Factors


CSM for monitoring


What is place of CSM for risk assessment and CSM for Monitoring within Management System (SMS/MS)?



Relation between predictive Risk Assessment and Monitoring Comparison with engineering disciplines Automatic Regulation Systems

+

–

K(p)

C(p)

Order

E (p)

Gap

ε (p)

Command

U (p)

Output

S (p)

Sensor

G(p)

Measure

X (p)

Corrector System underregulation

ACTION

REACTION

REGULATOR



Equivalence of Principle with Automatic Regulation SystemsRelations between Risk Assessment & Monitoring

Change

(Objectives)

+

–

CSM for monitoring


(RCM - Risk Control Measures)

Railway System

Order Command

Action Plan

Actual Performance

Predictive Risk Assessment

Monitoring and Preventive/Corrective measures

REGULATOR

Reg. 402/2013 & 2015/1136

Information on how to monitorReg. 1078/2012



Reminder

Risk Assessment Risk Management

What can happen?(Identify Hazards)

What can be done?

How likely is it to happen?(Estimate frequency)

What are the benefits, costs and risks of each option?

What are the consequences if it happens? (Estimate severity)

What are the impacts of each option on future options?

Are consequences acceptable?(Risk acceptability)

Are the impacts of each option affordable?

Reduce the risks where required(Risk control)

Risk monitoring and risk review (i.e. check effectiveness + improve)

Risk assessment is a means to an end, not an end in itself - The aim is to keep people safe, not only to have good paperwork

Questions? → Send e-mail on:[email protected]

risk management concepts requirements in the …. risk...risk management framework in european...

Documents