Customer risk assessment. Evaluation of the risk profile of customers that could
potentially impact the organization's reputation and financial position. This
assessment weighs the customer's intent, creditworthiness, affiliations, and other
relevant factors. This is typically performed by account managers, using a common
set of criteria and a central repository for the assessment data.
Supply chain risk assessment. Evaluation of the risks associated with identifying
the inputs and logistics needed to support the creation of products and services,
including selection and management of suppliers (e.g., up-front due diligence to
qualify the supplier, and ongoing quality assurance reviews to assess any changes
that could impact the achievement of the organization's business objectives).
Product risk assessment. Evaluation of the risk factors associated with an
organization's product, from design and development through manufacturing,
distribution, use, and disposal. This assessment aims to understand not only the
revenue or cost impact, but also the impact on the brand, interrelationships with
other products, dependency on third parties, and other relevant factors. This type of
assessment is typically performed by product management groups.
Security risk assessment. Evaluation of potential breaches in an organization's
physical assets and information protection and security. This considers
infrastructure, applications, operations, and people, and is typically performed by an
organization's information security function.
Information technology risk assessment. Evaluation of the potential for technology
system failures and of the organization's return on information technology
investments. This assessment would consider such factors as processing capacity,
access control, data protection, and cybercrime. This is typically performed by an
organization's information technology risk and governance specialists.
Project risk assessment. Evaluation of the risk factors associated with the delivery
or implementation of a project, considering stakeholders, dependencies, timelines,
cost, and other key considerations. This is typically performed by project
management teams.
The examples described above are illustrative only. Every organization should
consider what types of risk assessments are relevant to its objectives. The scope of
risk assessment that management chooses to perform depends upon priorities and
objectives. It may be narrow and specific to a particular risk, as in some of the
examples above. It may be broad but high level: e.g., an enterprise-level risk
assessment or a top-down view that considers the broad strategic, operational,
reporting, and compliance objectives; captures a high-level view of related risks;
and can be used to drill down further into a specific area of concern, as necessary.
Assessments may also be broad and deep, as with an enterprise-wide risk
assessment or an integrated top-down and bottom-up view, considering the
The scope of the risk assessment may focus on objectives that are related to
strategy, operations, compliance, and/or reporting, as previously discussed. Once
the scope has been agreed and the relevant objectives identified, it is important to
understand how these fit in with the strategy and how much risk the organization is
willing to assume in pursuit of these objectives. Different strategies create exposure
to different risks, and different levels of risk appetite guide different levels of
resource allocation to respond to those risks. For example, an internal audit risk
assessment that is most effective and maximizes value aligns internal audit
activities to key organizational objectives. The focus on business objectives helps
ensure relevance and facilitates the integration of risk assessments across the
organization.
2. Identify events that could affect the achievement of objectives.
Based on the organization's objectives, the designated owners of the risk
assessment should develop a preliminary inventory of events that could impact the
achievement of the organization's objectives. "Events" refers to prior and potential
incidents occurring within or outside the organization that can have an effect, either
positive or negative, upon the achievement of the organization's stated objectives
or the implementation of its strategy and objectives. Various taxonomies or libraries
of common event types can help initiate the identification process.
A review of the external environment helps identify outside events that may have
impacted the organization's shareholder value in the past or may impact it in the
future. Drivers to consider include economic, social, political, technological, and
natural environmental events, which can be identified through external sources
such as media articles, analyst and rating agency reports, and insurance broker
assessments.
To illustrate the value of such external research, consider the external disclosure
snapshot in Figure 3, which illustrates the percentage of average quarterly
operating income by business unit and region in relation to volatility of earnings as
a percentage of operating income. From this information, a risk/reward measure
can be derived to understand how levels of volatility affect operating income. This
measure helps the organization pinpoint relative risk in earnings potential and
target dependencies within lines of business.
In Figure 5, a number of risk categories are identified and linked to several types of
objectives through the alphanumeric coding of the risks (e.g., regulatory, coded
C7, is the seventh risk category related to the organization's compliance
objectives). The risks within each category may be individually rated and
summarized to provide an aggregate rating for the risk category, or the risk
category may be rated as a whole. The resulting score is then plotted on the risk
map. Likelihood is labeled across the x-axis, from low to high in percentages. Impact
is labeled over the y-axis, from low to high in dollar values. These ratings can be
used to produce a risk map noting increasing, stable, or decreasing movement in
risk exposure since the prior assessment. Item C7, relating to regulatory risk, shows
increasing risk exposure; a likelihood of occurrence greater than 50%; and an
impact, if this risk event occurred, of between $50 and $100 million.
An inherent risk map provides a portfolio view of risk that prompts analysis and
action. It helps determine which risk areas are most significant and should be the
focus of a more detailed assessment or implementation of a specific risk response.
It also enables analysis of interdependencies and relative prioritization of risks, and
determination of risk responses. In short, the risk map can provide focus for
management's risk agenda.
reasonable assurance that the likelihood and impact of an adverse event is brought
down to an acceptable level.
Continuing with the example above, to rate the risk of flood damage on a residual
basis, the likelihood and impact ratings should be assigned considering the risk
response measures in place to protect critical systems and data against flooding
(e.g., creation of an off-site IT and data storage center and an insurance policy to
cover any residual damage). While these measures may not reduce the likelihood of
a flood, they would help reduce the impact to the business if one were to occur. This
residual risk assessment can help management determine whether risks are
adequately controlled, over controlled, or under controlled in relation to the defined
risk tolerance.
Bringing it all together. The organization can now bring its individual residual risk
ratings together into a portfolio view to identify interdependencies and
interconnections between risks, as well as the effect of risk responses on multiple
risks. Management can then determine any actions necessary to revise its risk
responses or address design or effectiveness of controls. Action plans should be
assigned to parties with the capability and authority to effect change, with specified
milestones and timelines that are documented and tracked for completion.
Successful implementation should translate into reduced risk exposures on the
organization's risk map.
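The risk map and the residual-risk example above describe a computation that is easy to state but rarely shown in code: each risk carries a category code (C7 = the seventh compliance risk), a likelihood in percent (x-axis) and an impact in dollars (y-axis); risk responses adjust one axis or the other (the flood responses reduce impact, not likelihood); residual exposure is compared with tolerance to decide whether a risk is adequately, over or under controlled; and movement since the prior assessment is noted. The following Python register is an added illustration, not code from the source document. Its sample risks and tolerances are constructed, and three choices are assumptions of this example rather than the text's: exposure is likelihood times impact, a category's aggregate rating is its highest-exposure risk, and exposure below half the tolerance is flagged as over-controlled.

```python
"""Worked risk-map / residual-risk register (added illustration, not from the
source document).  Exposure = likelihood x impact, max-exposure aggregation per
category and the over-controlled band are assumptions of this example."""
from dataclasses import dataclass, field


@dataclass
class Response:
    """A risk response; a factor of 1.0 leaves that axis unchanged."""
    name: str
    likelihood_factor: float = 1.0
    impact_factor: float = 1.0


@dataclass
class Risk:
    code: str              # category letter + sequence number, e.g. "C7"
    name: str
    likelihood_pct: float  # x-axis of the risk map, 0..100
    impact_usd: float      # y-axis of the risk map, in dollars
    responses: list = field(default_factory=list)

    @property
    def category(self) -> str:
        return self.code[0]

    def inherent(self):
        """Rating before any risk response is considered."""
        return self.likelihood_pct, self.impact_usd

    def residual(self):
        """Rating after every response already in place is applied."""
        lik, imp = self.likelihood_pct, self.impact_usd
        for r in self.responses:
            lik *= r.likelihood_factor
            imp *= r.impact_factor
        return lik, imp


def exposure(likelihood_pct, impact_usd):
    """Expected loss in dollars (assumption: product of the two axes)."""
    return likelihood_pct * impact_usd / 100


def movement(current, prior, threshold=0.05):
    """Direction since the prior assessment; changes within +/-5% count as stable."""
    if prior == 0:
        return "stable" if current == 0 else "increasing"
    change = (current - prior) / prior
    if change > threshold:
        return "increasing"
    if change < -threshold:
        return "decreasing"
    return "stable"


def control_status(residual_exposure, tolerance_usd, lower_band=0.5):
    """Compare residual exposure with the defined tolerance; exposure far below
    tolerance (under lower_band * tolerance) is flagged as over controlled."""
    if residual_exposure > tolerance_usd:
        return "under controlled"
    if residual_exposure < lower_band * tolerance_usd:
        return "over controlled"
    return "adequately controlled"


def aggregate_by_category(risks, basis="residual"):
    """Category rating = its highest-exposure risk (assumption: max, not sum)."""
    agg = {}
    for r in risks:
        lik, imp = r.residual() if basis == "residual" else r.inherent()
        e = exposure(lik, imp)
        if r.category not in agg or e > agg[r.category][1]:
            agg[r.category] = (r.code, e)
    return agg


def sample_register():
    """Constructed sample data; the flood item mirrors the text's example, where
    the responses reduce impact but leave likelihood unchanged."""
    return [
        Risk("C7", "Regulatory change", 60, 75e6),
        Risk("O1", "Key supplier failure", 30, 20e6,
             [Response("Dual sourcing", likelihood_factor=0.5)]),
        Risk("O3", "Flood damage to primary data center", 10, 40e6,
             [Response("Off-site IT and data storage center", impact_factor=0.25),
              Response("Insurance covering residual damage", impact_factor=0.5)]),
    ]


def assess(risks, tolerances, prior_exposure):
    """Portfolio view: residual rating, exposure, control status and movement per code."""
    out = {}
    for r in risks:
        lik, imp = r.residual()
        e = exposure(lik, imp)
        out[r.code] = {
            "residual": (lik, imp),
            "exposure": e,
            "status": control_status(e, tolerances[r.code]),
            "movement": movement(e, prior_exposure.get(r.code, e)),
        }
    return out


if __name__ == "__main__":
    reg = sample_register()
    tol = {"C7": 10e6, "O1": 4e6, "O3": 2e6}       # constructed tolerances
    prior = {"C7": 30e6, "O1": 3e6, "O3": 0.6e6}   # constructed prior-period exposures
    for code, row in assess(reg, tol, prior).items():
        print(code, row)
    print(aggregate_by_category(reg))
```

Running the block shows the flood item keeping its 10% likelihood while its impact falls from $40 million to $5 million, which pushes it below half its tolerance (over controlled, exposure decreasing), and C7 exceeding its tolerance with exposure up 50% on the prior period (under controlled, increasing), which is the portfolio view the "Bringing it all together" step calls for.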
IMPORTANT QUANTITATIVE RISK ASSESSMENT (QRA) PREPARATION GUIDANCE
Regulatory requirement where many aspects of the QRA may be clearly defined.
For example, in the European community, most regulators provide strong guidelines
on report format and methodologies.
Permitting where the legal process will set particular requirements and the
possibility of legal discovery may be an important consideration. The report is likely
to be submitted to the permitting authority and those responsible for preparation of
the report may be asked to make depositions and appear at any hearing to give
evidence in person. The level of detail provided in the assessment will be decided
by the requirements of the legal process.
Evaluation of alternatives on its own requires a much less detailed assessment
than is needed for a fully quantified assessment. Only differences between
alternatives need to be explored, an approach which is likely to be limited to
comparative risks. For example, two different manufacturing routes may be under
consideration, where much of the equipment is identical, with the only difference
being the reactor itself. Consequently, the study can be limited to the reactor, but
this will not provide the overall level of risk.
Risk prioritization is used to rank potential hazards or system deficiencies for
possible mitigation. The only requirement is to order the different risks correctly. In
many instances in which only a limited number of hazards are involved,
prioritization requires only the identification of potential hazards, and a qualitative
assessment is sufficient. A risk ranking matrix is a common approach.
Corporate policy may require all operations meeting particular criteria to be
subject to QRA. This requirement is most often driven by a need to understand the
risks facing the company and to manage the full set of risks to a tolerable level. The
detail required in the assessment will vary according to the severity of the potential
hazards and the size and importance of particular operations. Quite often the need
for QRA is driven by results from less rigorous risk studies, such as risk prioritization
or process hazard analyses.
Cost/benefit analysis is most commonly used to select risk mitigation measures
for potential implementation. This requires an assessment of the reduction in risk if
a particular measure is implemented. Most measures reduce either the likelihood of
occurrence or the severity of the hazard. The assessment typically only addresses
the relevant mitigation, recognizing that to quantify the absolute risk reduction would
require a baseline risk assessment. In some cases a QRA may be justified when a
recommendation from a more qualitative study will be expensive to implement and
a more precise level of risk needs to be developed.
Business interruption is caused not only by hazardous events, but also by
mechanical and operational breakdowns that pose no safety or environmental
hazard. This requires a more comprehensive study of initiating events than a
standard QRA. However, the output may be limited to the duration of any outage
and the lost production associated with this outage. It is also important to recognize
that the impact on the company may be reduced if your manufacturing capacity is
not fully committed, if you have adequate inventory to cover the outage, or if
alternative supply is available.
Specify Output Requirements
The format of the results must meet the requirements of the assessment's objective.
Examples of different requirements are:
Absolute or comparative risk. Absolute risk estimates are generally needed where
there is concern over the tolerability of the risk, when the risks from different
studies are to be added, or if the systems to be compared are very different.
Comparative risk estimates are used to choose between different options when
there is no question about the tolerability of the risk.
The output requirements have a significant impact on the level of effort and cost
required to complete the QRA. It is important to carefully select results formats that
meet your needs.
Determine Scope of Assessment
The scope of the assessment must meet the objectives of the QRA. The following
are examples of what might be included in the scope:
On-site risk only is used where the hazards are known to be primarily limited to
the immediate vicinity of the equipment or there is a buffer zone surrounding the
facility.
Off-site risk only is used when the focus of the study is impact on the surrounding
community. For example: the US EPA is responsible for off-site hazards and its
regulations focus on off-site risk.
All or selected units at a particular facility may be covered by the QRA. Particularly
where the focus is off-site risk, many units, such as utility units, pose no off-site
threat and these may be excluded from the study. However, because an accident at
one unit may impact an adjacent unit causing an off-site hazard, it may be
necessary to consider risks at all units to make sure the study includes these
initiating events. Individual units may also be considered if a screening of the units
has indicated that some pose higher risks than others and should be considered
sooner.
Hazards from third parties operating facilities close to yours may cause damage at
your facilities. Although it is unlikely that a QRA can be conducted of third-party
facilities, there is usually sufficient general information available to make a
qualitative estimate of potential hazards. In many industrial areas, land use
planning has resulted in many different companies building facilities in close
proximity to one another. In some instances the regulators have coordinated QRA
work so that this issue can be adequately addressed. An example of this is Rijnmond
in the Netherlands. Third parties are also a significant factor in pipeline
transportation risk.
New or updated assessments generally require quite different levels of effort. An
updated assessment may be limited to a confirmation that nothing has changed in
the design and operation. It may include new knowledge of hazard modeling or the
likelihood of a failure which will allow a more accurate estimation of risk. Most
commonly, an updated assessment is required when existing equipment or
operations have been modified or new equipment has been added. In these cases
the objective is to estimate the incremental impact of these changes.
Clearly the scope of the assessment has a direct impact on level of effort and cost,
thus it is important to accurately scope the study so that there is no wasted effort.
Identify Existing Reports/Data
Existing data or reports can significantly reduce the level of effort required to
conduct the work. Some reports will provide data for input to a new QRA; others will
be the starting point for updating existing work. Existing reports/data may include:
Process Hazards Analyses reports (HAZOP reports, FMEA studies, event/fault tree
studies, etc.)
QRA reports
Company failure rate data and accident databases
Hazard data (Material Safety Data Sheets, hazardous consequence calculations,
historical accident data, etc.)
Demographic data
Meteorological data
Identify Special Reporting Needs
The most obvious special reporting needs are regulatory requirements where the
report format and content may be specified. Internationally the report may be
required in the local language. In many instances the QRA has multiple audiences
with different needs: QRA specialists, local management, corporate management,
regulators, community interest groups, and lawyers all have different interests and
levels of expertise. It is common to require two or more different report formats to
meet different needs.
Select Approaches
Once all the requirements outlined above have been defined and existing data
reviewed, the specific approaches to be used for the QRA can be selected. Some of
the choices available are described below:
Risk Determination
Generally, risk determination is now done using risk assessment software. The
number and detail of simplifying assumptions affects the level of effort.
Conducting the QRA
In conducting QRA work one must divide the work into four primary tasks and a
reporting activity. Each of the primary tasks is sub-divided into several sub-tasks.
These are illustrated in Figure 2. The primary tasks are:
Hazard Identification
Frequency Analysis
Hazards Analysis
Risk Determination
For each of these tasks both the company specialists and client staff with whom we
will work may vary. These tasks also provide logical breakpoints in the work where it
is important for the client to review and accept the findings/results before moving to
the next step. In this way we minimize the need for rework.