Archive for the ‘Risk Management’ Category

Establishing the Risk Context

Thursday, May 17th, 2012

This is the first article in a series which will discuss the risk management process as outlined within the Risk management – Principles and guidelines Standard, ISO 31000:2009.

First let’s start off with a simple question: Why is Risk Management important? This may be a simple question but often the response may not be as easy.

Risk Management is important because some risk-taking is inevitable if your business is to achieve its objectives. Businesses that are more risk aware appreciate that actively managing not only potential problems but also potential opportunities provides them with a competitive advantage. Taking and managing risk is the very essence of business survival and growth.

So what is the risk management process? Put simply it is a process that systematically applies management policies, procedures, and practices to a set of activities intended to establish the context, communicate and consult with stakeholders, and identify, analyse, evaluate, treat, monitor, and review risk.

To recognise a risk, it is important to know what a risk is. While some risks may apply to everyone, some will be specific to your business, and to identify and deal with them you need to establish a base to work from. This base is the context from which your risk analysis begins.

According to ISO 31000, to establish the context means: “to define the external and internal parameters that organisations must consider when they manage risk.”

ISO 31000 expects that you consider your organisation’s context when you:

  • define the scope of your risk management program,
  • formulate your risk management policy and
  • establish your risk criteria.

Setting the context involves taking into account your business goals and capabilities as well as external factors, such as the changing legal environment and shifting social standards. In other words, you need to set the context to identify where your risks come from.

This is important because:

  • risk management occurs within the context of endeavouring to achieve goals and objectives,
  • failure to achieve the objectives is one set of risks that need to be managed, and
  • the goals and strategies assist to define whether a risk is acceptable or unacceptable.

This context sets the scope for your business’s risk management process.

So what do we need to look at when we are setting our context?

First your business will need to undertake a self-analysis which could include:

  • Defining roles & responsibilities;
  • Defining its goals and objectives;
  • Defining the risk assessment methodologies;
  • Defining the way performance is evaluated in the management of risks;
  • Identifying and specifying the decisions that have to be made; and
  • Defining the Governance and reporting process to be undertaken.

Secondly, your business will need an understanding of both the internal and external context in which it operates to enable it to better understand where its risks will come from.

The Internal Context takes into account all the internal considerations and factors that influence how you manage risk and try to achieve your business objectives. These could be things like your products, services, competition, finances, technology, customer segments and internal stakeholders.

The External Context takes into account all the external considerations and factors. These could include external stakeholders, political climate, legal & regulatory constraints, and environmental and cultural factors.

Any changes to either the internal and/or external context will be a trigger for your business to review its risks in light of those changes.

The importance of setting the correct context in which to start identifying business risks cannot be overstated. The more thoroughly this is done, the better and more thorough the resulting risk analysis will be, as setting the wrong context is in itself a risk.

OHS Body of Knowledge

Wednesday, May 16th, 2012

In July 2009 WorkSafe Victoria approved funding for “the development and implementation of the Core Body of Knowledge for the generalist OHS Professional”.  This project has included three major milestones.

  • To define the body of knowledge that an OHS Professional should have
  • To establish a course accreditation process for universities providing education in OHS
  • To develop a professional certification process.

Sally Bennett from Enhance Solutions has been the Project Manager for this project, working closely with Pam Pryor and the Technical Panel (Susanne Tepe, David Borys, Wendy Macdonald, Leo Ruschena, Jodi Oakman and Mike Capra).  The process of developing and structuring the main content of this document was managed by a Technical Panel with representation from Victorian universities that teach OHS and from the Safety Institute of Australia, which is the main professional body for generalist OHS professionals in Australia. The Panel developed an initial conceptual framework which was then amended in accord with feedback received from OHS tertiary-level educators throughout Australia and the wider OHS profession. Specialist authors were invited to contribute chapters, which were then subjected to peer-review and editing.

The OHS Body of Knowledge was formally launched in April 2012 at the SIA National Convention, Safety in Action.

http://www.ohsbok.org/

Interesting Facts About Stairs

Friday, April 20th, 2012

For those of you who know our team well, you will be aware that a team member is currently recovering from an incident at home involving stairs. So we thought we’d share some interesting facts and insights about stairs and their inherent risk.

Everyone trips on stairs, and a trip is calculated to occur on one in every 2,222 occasions. A resulting minor incident is calculated to occur once in every 63,000 uses, whilst a painful incident is calculated to occur once in every 734,000 uses. An incident requiring hospital attention is calculated to occur once in every 3,616,000 uses. (Please don’t forget the rules of probability here and remind yourself that each time stairs are used, it is an independent event and a roll of the dice in terms of probability.)

People in good shape (those who are fit) will fall more often than people in poor shape. This phenomenon is thought to be related to our capacity to bound as we travel. Women are far more likely to fall on stairs than men, and this is thought to be related to usage, especially at home. A common place for a stair fall to occur is, unsurprisingly, at home. One third of all incidents occur on the first OR last step, whilst two thirds of all incidents occur on the first OR last three steps. Stairs with fewer than four risers are more dangerous, as they are thought to inspire overconfidence in the user.

Unsurprisingly, 90% of all injuries occur during descent, and a broken rhythm is the prelude to a fall because it takes the brain 190 milliseconds for reflexes to kick in and assimilate that something is wrong. In that time, the stair user has on average descended 20 cm or more, making a graceful recovery unlikely!

The most important message here is about the controls used on stairs. Outside of good design, the most important control for the stair user is of course the handrail and the complementary behaviour known as three-point contact. We implore you to share these insights with your people in an effort to elicit control behaviour and prevent painful injuries.

If you are interested in further reading, here is a good reference point.

J.A. Templer (1992). The Staircase: Studies of Hazards, Falls and Safer Design. MIT Press, Cambridge, MA.

Personal Accountability and Governance

Friday, April 20th, 2012

It has recently been reported through the global media that a Swiss billionaire and a Belgian baron have both been found guilty and sentenced to 16 years each in prison by an Italian court in a groundbreaking trial relating to over 3,000 alleged asbestos-related deaths.

The verdict, after a two-year trial, found the former owner of the company Eternit Fibre Cement, and a major shareholder, guilty of causing an environmental disaster and failing to comply with safety regulations.

Through a network of subsidiaries and affiliates, Eternit became the largest manufacturer of asbestos cement products in the world, and the company generated tremendous fortunes for its owners. But unlike Australia’s James Hardie and the US and British members of the global asbestos cartel, the Eternit companies had managed to avoid the sort of litigation that sent many of their competitors bankrupt.

The decade-long criminal investigation that resulted in the verdict accused the two men of deliberate and wilful failure to protect their employees and nearby residents from exposure to asbestos, a substance they knew could kill, and of concealing that fact.

The defendants were also ordered to pay 30,000 euros ($39,000) in damages to relatives of people killed by asbestos-related diseases, and 35,000 euros for every sick person, as well as other payouts set to total hundreds of millions of euros.

Barry Castleman is a US medical and legal expert who gave evidence for the prosecution.

“It’s enormous in that it’s holding personally responsible wealthy individuals who were the owners and directors of asbestos enterprises, [holding them] personally responsible for criminal acts for a wilful, negligent disaster causing thousands of deaths. This has never happened before,”

“We’re talking about stuff that went on long after it was well known in the asbestos industry that asbestos was deadly, mainly stuff that went on in the 1950s and 60s and 70s and 80s. There’s no question that the companies knew about the hazards of asbestos.”

This groundbreaking case demonstrates the legal as well as the moral obligations of organisational office bearers. Justice can be pursued many years later and social norms can change. So our actions and the decisions that we make today must be made in the light of current good practice knowledge and with respect for the law.

Are they competent??

Friday, April 20th, 2012

This month we finished the second safety leadership program for an Australia-wide manufacturing company. During the project presentations we were reminded of the importance of checking for competency. It was highlighted that assumptions are often made about what employees can and can’t do, especially those who are undergoing or have just finished their apprenticeship. For example, one of their electrical apprentices was asked to use a drop saw. Fortunately he was wise enough to let them know he had never used one before; however, the assumption had been made that he could.

OHS legislation is very clear about the importance of adequate information, instruction, training and supervision. It is essential that an employer has methods in place to measure competency in order to understand the level of supervision required by individual employees. In order to measure competency, the aspects of a person’s tasks need to be broken down into competencies. Each person needs to be measured against the competencies and shortfalls identified. Once these have been identified, training measures need to be implemented in order to provide the employee with the knowledge and skills to undertake their tasks safely.

The people undertaking the project we referred to earlier broke down the competencies for each of the tasks the apprentices needed to undertake in each area of the factory. This included the machinery and equipment, including hand tools, they needed to use for each task. The intention is to assess each of the apprentices against the competencies and arrange for training where there are gaps. They are fully aware of how vulnerable apprentices are in these situations, as they had just completed their own apprenticeships.

Employers need to be asking themselves about any assumptions they may be making about a person’s ability to undertake a task or use a piece of machinery. They need to have a method in place that systematically measures a person’s ability against the required competencies for a job and offer training to overcome any shortfalls. This needs to be recorded in an accessible manner and utilised when making decisions about who can work in what area of the business.

The key question is: as an employer, how do I know this person is competent to do this job? How do you know?

Generative Risk Assessment and Vulnerability Analysis

Wednesday, March 14th, 2012

It is widely accepted that managing risk is an essential part of good business practice. It is also generally understood that a structured and disciplined approach to risk management needs to be adopted to ensure that optimum outcomes are achieved.

Business Continuity Management

Wednesday, March 14th, 2012

As defined by Standards Australia in Business Continuity Management, HB221:2004, Business Continuity is “the uninterrupted availability of all key resources supporting essential business functions.”

The Standard goes on to say that Business Continuity Management (BCM) provides for the availability of processes and resources in order to ensure the continued achievement of critical objectives.

The Business Continuity Institute (BCI) and BS 25999 define BCM as a process that identifies potential impacts that can threaten an organisation. It provides a framework for building resilience and the capability for an effective response which safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

So what does this mean? Simply put, BCM is “Plan B”.

A by-product of BCM is that it provides a comprehensive understanding of what the business actually does, how it does it and what it needs in order to continue doing it.

BCM has mainly been seen as being in the domain of financial institutions, insurance companies, telcos and utilities. But it’s not only these businesses that are impacted by outages or natural disasters.

How would you or your business react during an incident? Would you be able to maintain your critical business services, or would business just stop?

We only need to look at the impacts that the recent natural disasters, i.e. floods, cyclones and bush fires, are having on businesses and the communities they service.

This is where BCM gives business an advantage as it prepares the business and its management team to quickly respond to unanticipated incidents.

BCM should be conducted as one of the required outcomes of the risk management program (ISO31000, 5.5 Treat Risks).

It must be pointed out that BCM differs from Disaster Recovery (DR), as DR’s focus is on IT. IT systems are resources of the business just like staff and equipment and play an important role in the BCM process, but should not be mistaken for the BCM process.

Poor business continuity management practices destroy credibility and leave the organisation exposed.

It is important that a robust BCM Framework exists within an organisation and covers:

  • Business Continuity (what will we do and how do we do it),
  • Disaster Recovery (getting IT back up and running),
  • Crisis Management (roles and responsibilities in managing the incident), and
  • Communications Policy (what do we say to stakeholders, customers and the media).

BCM’s main output is the Business Continuity Plan (BCP), which will bring together:

  • All Contingency Plans (what we do);
  • Disaster Recovery Plan (IT recovery) and
  • Business Resumption Plan (getting back to business as usual)

All businesses plan, and part of the planning process should include a robust BCM process. Just as we insure against fire and theft, we should also insure the continuity of customer service. After all, that’s what we are in business for.

What processes does your company have in place to support Directors’ Duties?

Monday, February 13th, 2012

The Centro Ruling was a landmark case last year in which the Federal Court found that executives and directors of troubled property group Centro breached the Corporations Act by signing off on financial reports that failed to disclose billions of dollars of short-term debt.

In making declarations of contravention, Justice Middleton identified a number of key facts which supported his findings.

A few of these findings were that the directors:

  • knew or ought to have known that the current liabilities were larger than disclosed, and that the guarantees had been granted;
  • failed to properly read, understand and give sufficient attention to the content of the financial reports as they related to current liabilities and the guarantees; and
  • failed to make enquiry or adequate enquiry of management, the Audit Committee and other members of the Board concerning the apparent deficiencies in the reports.

The case is seen as having major implications for the way company directors do their job.

The head of ASIC, Mr Medcraft, says the ruling clarifies the duties of company directors.

“They can’t just simply delegate to management or rubber-stamp management, they are held to a high standard,” he said.

“I think today’s decision empowers directors, because what it says is, ‘I’m responsible, therefore I want to know what is going on’.”

This points to the importance of two things:

  • Directors need to ensure that the organisation’s risk management framework and governance framework are very transparent and support them in their oversight roles.
  • Directors need to have in place processes to personally ensure that the reports they are being provided are accurate.

For further details of the case, see the Centro penalties decision.