RISK MANAGEMENT CASE STUDY

By : Widiananda Prabowo
Brawijaya University

1. CASE STUDY – BRITISH AIRWAYS AUTHORITY (BAA) - TERMINAL 5

a. Overview of the Project

BAA has adopted a partnering technique to its Terminal 5 construction project, not
only taking full responsibility of all the risks to the success of the project, but also
securing a commitment towards uninterrupted improvement from its partners.

b. The Challenges facing BAA:

- Cost over-runs could have a damaging affect on BAA’s reputation, cash flow,
balance sheet, and even future survival, given the scale of the Project. Similarly,
delays must be avoided as there is a trend in the increase in the passenger
numbers. This makes the undertaken project very significant for the BAA.
- The site access is limited to one main route only. Hence, early planning work
inferred that the project would cost over £1 billion more than was affordable
and would be delivered two years late if an out-of-the-box approach is not
followed.
- A high degree of evolution is expected during the project by the BAA.

c. BAA’s response to the challenges :

BAA’s approach works on the principles of the Latham and Egan initiatives, but it
surpasses any solution so far applied in the UK.
- The risks are to be borne by the client.
- The Partners are given more importance than the suppliers - BAA has developed
an “Integrated Project Team Approach”, so that the talented people involved
with the project stay motivated and organized enough to get the maximum
output from them.

d. Risk management
BAA believes that “project management is a tool of the risk management
approach, not vice-versa”. Risk control ratings are set in the overall programme.
These ratings cascade through the project’s management and transform into personal
plans and objectives of all team members. The data in the system is supposed to be
meaningful and purposeful. The “root cause” of each risk is identified by the risk
process which enables the risk to be eradicated in the most effective way. BAA
identifies four levels of risk control. The primary objective is to keep all risks between
level 2 and 3 in the following scale:
- The solution does not manage the risk at an acceptable level.
- The risk is managed at an acceptable level with the possibility of improvement.
- The solution reached is optimal and cannot be improved upon.
 - The solution excels the level of risk, and should be adjusted.
- Early on, the most critical risks are identified and where suitable, the solutions are
tested in beforehand to determine effectiveness of the solution.

e. An example of pre-emptive risk management

To understand the challenge in erecting a huge roof (that spreads across more than
150 meters), the designers, suppliers, fabricators and the T5 roof team pre-erected
the roof abutment structure off-site in Yorkshire. The pilot pinpointed 140 significant
lessons. Each had a risk mitigation plan enables in smoother workflow and faster
construction on site. Overall, this pre-emptive risk management technique was
pivotal in saving three months as studied by the project team. In this particular case,
the time saved enabled the project team to cover-up for the delays had previously
arisen during the wet winter of 2001-02, which helped to keep the project on
schedule.

f. Key Lessons
- The risk is always borne by the client.
- Project management is a tool for risk and opportunity management and not vice
versa.
- Those who are best able to manage the risk should be handed over the
management activity, and take over forms of contract that supports a risk
management approach.
- All parties reap substantial benefits from collaborative, integrated working
arrangement with suppliers.
- Board level leadership and sponsorship is utmost important.
- Safer construction and fewer defects can be attained by off-site prefabrication
and assembly of elements.
- Major projects should be done under excellent and highly experienced people.
This minimizes confrontation and establishes trust and openness in working
relationships.
2. CHIPOTLE CASE STUDY – EITHER MANAGE RISK OR DISCLOSE LACK OF RISK
MANAGEMENT

a. Overview of the Project

Back in 2009, we blogged about the US Securities and Exchange Commission (SEC)
decision to require board-level accountability for Enterprise Risk Management (ERM).
This decision was based on the conclusion that inadequate risk management allowed
the regulatory failures that ultimately led to the financial crisis. As it’s wrote in that
post, “boards are now required by the SEC to report in depth on how their
organizations identify risk, set risk tolerances, and manage risk/reward trade-offs
throughout the enterprise.”

That blog detailed an important ruling: it refers not only to integrated risk
management competency at the executive level, but at all employee levels that have
an impact on company performance. This perfectly mirrors a risk management mantra
– risk should make up a part of everyone’s – not just risk managers’ – job description.

In 2007, regulators released Sarbanes-Oxley Audit Standard 5 (SOX AS5), which holds
management accountable for the risk of misstated company financials. The SEC
disclosure rule is similar in the sense that it uses materiality, not specific risks, as a
measure of what needs to be mitigated. It differs, however, in the sense that it applies
to all risks, not only financial concerns, and does not take into account an
organization’s size. In other words, everyone should be concerned with ERM
compliance.

This leads to a fork in the road : organizations need to either adopt an effective risk
management program or bite the bullet and disclose their ineffectiveness. There is no
third option – maintaining ineffective risk management tools without disclosure is
considered negligence, and is easier to prove than fraud is.

b. The Challenges
Chipotle’s recent fiasco demonstrates the results of poor risk management
According to Business Insurance, Chipotle’s problems don’t end with a host of recent
salmonella outbreaks, which have been linked to food sold in numerous branches. The
company also “failed to disclose that its ‘quality controls were inadequate to
safeguard consumer and employee health,’ according to a civil lawsuit.”

The company is now suffering a major reduction in share prices (35% since the end of
October 2016), reduced sales (December 2016, sales were down 30% in some
locations), and a marred reputation that relies upon the appeal of safe, sustainably
grown food. The manner in which the company misled shareholders is almost entirely
responsible for the civil suit.

Chipotle introduced a great innovation in the food industry: fresh, healthy, locally
sourced fast food. However, the company failed to implement the risk management
necessary to support that innovation. Enterprise risk management is as much about
enabling innovation as it is about facilitating compliance, health, and safety.
 The check-the-box approach of disclosing the “usual risks” was made unacceptable
back in 2010, if ever it was acceptable. Every business innovates, and every business
therefore needs to find the unique risks it introduces, get them covered, and disclose
them to shareholders.

c. Risk Management
Had Chipotle’s management implemented an enterprise risk management solution,
either of two outcomes would have occurred:

- Food might never have been contaminated, since ERM extends to a robust vendor
risk management methodology that helps identify risks associated with a
company’s supply chain.

- Even if the outbreaks had still happened, Chipotle would have been able to
use enterprise risk management reporting capabilities to evidence its risk
program. This would have avoided regulatory penalties, provided evidence of
control activities, and guided risk disclosure, all of which would have eliminated
liability for non-disclosure of risk.

These outcomes aren’t just possible, they’ve happened before. In 2009, a Morgan
Stanley executive was found to have evaded internal controls. The company itself
avoided prosecution thanks to the robustness of its internal policies and procedures.
Unlike Chipotle, Morgan Stanley “maintained a system of internal controls meant to
ensure accountability,” and pointed to these systems when asked about the adequacy
of its risk management program. There is never a 100-percent guarantee that
surprises won’t happen. Sometimes, human error and external threats can’t be
predicted. What’s important is minimizing the likelihood of those surprises, and ERM
software accomplishes just that. At the very least, a robust, well-documented solution
provides an easy way for organizations to maintain full disclosure and avoid regulatory
action.
3. CASE STUDY 3 – TRIBUTYLTIN RISK MANAGEMENT IN THE UNITED STATES

a. Overview and Challenges of the Project

Tributyltin (TBT) is a chemical with a variety of biocidal applications, including use as
an antifouling agent in boat paints. Biological effects of TBT on marine and estuarine
organisms and the concentrations of TBT that induce them vary widely among species.
A water concentration of 1,000 ng/L (1 part per billion) is lethal to larvae of some
species, and nonlethal effects have been observed at concentrations as low as 2 ng/L
(2 parts per trillion, ppt). Both laboratory and field studies of toxicity were initially
hampered by difficulties in measuring the low concentrations that were toxic to some
organisms.
Adverse effects on nontarget organisms, including commercially valuable species of
shellfish, were observed in Europe in the early 1980s. Abnormal shell growth was
documented in Crassostrea gigas (European oyster) and linked through laboratory
experiments to TBT leached from antifouling paints. That connection led to restrictive
regulations in France (in 1982) and Great Britain (in 1985 and 1987). In the United
States, concentrations exceeding those determined experimentally to be effective
have been found in many areas, particularly in harbors with large marinas. Snails in
the vicinity of a marina on the York River, Virginia, were shown to have an abnormally
high incidence of imposex (expression of male characteristics by female organisms), an
effect previously observed under laboratory conditions in female European
oysters, Ostrea edulis. EPA began to assess effects of TBT in 1986, but has not yet
issued any regulations. Meanwhile, restrictive actions have been taken by states and
by the Congress.
A proposal by the U.S. Navy to use TBT paints on its entire fleet was prohibited by
Congress in 1986, despite a Navy study that predicted no adverse environmental
impact. Virginia enacted legislation and an emergency regulation in 1987, and
Maryland, Michigan, and other states have since taken similar actions. Congress
enacted national legislation restricting use of TBT paints in 1988. Those actions
generally banned or restricted the use of TBT paints on small boats (less than 25 m
long) and placed limits on leaching rates from paints used on larger vessels. Studies in
Virginia had shown that most TBT releases were from small boats. Small-scale
monitoring studies (e.g., in France and Virginia) have shown that the restrictions have
been effective in reducing environmental concentrations and adverse impacts of TBT.
Risk management of TBT has been unusual in several ways. The initial basis for
concern was field observation of adverse effects, not extrapolation from laboratory
bioassays and field chemistry data. Risk assessment and risk management were
conducted by state agencies and legislatures, rather than by EPA. Although the risk
assessments were made without formalized methods, the results of the independent
assessments were the same. Finally, TBT is the first compound banned by the
Congress and the first regulated for environmental reasons alone.
b. Risk Management
The case study addressed, with differing completeness, each of the five recommended
steps in risk assessment and management. Hazard identification included the
observation of abnormalities in the field and the same effects in experimentally
exposed animals. Dose-response identification included data both from the field
(correlative) and from the laboratory (experimental). Exposure assessment was based
on estimated use and release rates rather than on monitoring or modeling studies.
Risk characterization was only qualitative; it did not address such issues as the number
and distribution of species that were vulnerable, or the degree of damage to the
shellfish industry. Risk management actions were based on the demonstrable
existence of hazard, on societal concern for the vulnerable species, and on the ready
availability of alternative antifouling agents.
Some workshop participants were critical of the risk assessment approach adopted by
Congress and state regulatory agencies. No attempt was made to plan and execute a
formal risk assessment. Risk identification was based primarily on data on nonnative
species. The Eastern oyster and blue crab, the species putatively at greatest risk, have
been found to be less sensitive. Regulatory responses were based on findings of high
environmental concentrations of TBT in yacht harbors and marinas, rather than in
ecologically important regions such as breeding grounds. The central issue is whether
a safe loading capacity (environmental concentration) of TBT for nontarget organisms
can be defined, given substantially reduced rates of input. Recent information on fate
and persistence, chronic toxicity, and dose-response relationships could support a
more quantitative risk assessment with the possibility of more or less stringent
restrictions.
4. CASE STUDY 4 – RISK ASSESSMENT METHODS IN ANIMAL POPULATIONS – THE
NORTHERN SPOTTED OWL AS AN EXAMPLE

a. Overview and Challenges of the Project

This paper described an analysis of northern spotted owl population dynamics
performed to support ongoing studies of the impacts of clear-cutting of old-growth
forest on the prospects for future survival of this endangered species. The paper
summarized a method for estimating rates of population increase or decrease based
on capture-recapture techniques and illustrates the methods with data on the
northern spotted owl. The method proceeds in three steps: use of capture-recapture
data to estimate age-specific survival or fecundity rates, estimation of the finite rate of
population change (Leslie's parameter ), and experiments on samples of marked
animals in natural environments. Mathematical models for estimating population
parameters, including , have been developed extensively, and computer programs are
available. Experimental studies are desirable to test hypotheses about relationships
between population parameters and risk factors.
The case study was of a population of northern spotted owls in California studied for 6
years. Capture-recapture data yielded estimates of age-specific survival and fecundity
for females, as well as estimates of mean population size (37 females) and annual
recruitment (0 to 19 females; mean, 8). On the average, the eight females entering the
population each year would have included six immigrants from outside the study area
and only two locally raised recruits. The calculated value of was 0.952 ± 0.028, which
indicated a decreasing population.
In this case, the risk factor was clearance of the old-growth forest on which the
species is believed to depend. Although the study area contained much suitable
habitat, the population appeared not to be self-sustaining, but to be maintained by
immigration from remaining areas of old-growth. It was suggested that the study
population is temporarily above the long-term carrying capacity because of the drastic
loss of habitat in surrounding areas; these circumstances lead to a large "floating"
component of the population.
The paper concluded that risk assessment in higher vertebrate populations must often
rely on analysis of samples of marked individuals. A robust theory exists for study
design and the analysis of such data. Selection of appropriate models is critical for
rigorous assessment of impacts. Analysis of capture-recapture data allows inferences
about the separate processes of birth, death, emigration, and immigration. Risk to a
population does not affect population size directly; rather, it acts on the fundamental
processes of birth and death.

b. Risk Management
Dr. Kentula commented that the case study (like others in the workshop) focused on
individuals and populations and thus took a bottom-up approach. An alternative, top-
down approach is to conduct an ecosystem risk assessment from a landscape
perspective. For example, Kentula stated that EPA's Wetlands Research Program is
developing methods to assess impacts on landscape function due to cumulative
wetlands loss. The method proceeds in two-stages: a landscape characterization map
is used to classify and rank units of the landscape according to relative risk, and can
also be used to set priorities for effort and allocation of resources; a response curve
expresses the hypothesized relationship between stressors (such as loss or
modification of wetlands) and reduction in landscape functions (e.g., maintenance of
water quality, or life support). The system can be used both to identify areas at risk
and to guide management decisions for landscapes that are already affected.

Dr. Loucks commented that the case study presents the consequences of the stress to
one local owl population at one time. For assessment of risk to the regional or total
population, one would need to construct a "dose-response" relationship, in which
"dose" would be a measure of the degree of stress (e.g., the percentage of the old-
growth forest that has been destroyed) and "response" would be the probability of
extinction of the population within an appropriate period (e.g., 250 years). Calculation
of the probability from the birth, death, and dispersal rates estimated in the case
study would require stochastic population modeling that takes account of uncertainty
and variability in the population parameters.
The Endangered Species Act is an example of preemptive risk management, in that a
high probability of extinction of a single species is designated as unacceptable. A
species-by-species approach, however, does not lead to quantitative assessment of
the risk of impoverishment of an ecosystem. Where possible, ecological risk
assessment should work across levels of organization and should assess risks of
reduction in system utility.
5. CASE STUDY 5 – ECOLOGICAL RISK ASSESSMENT FOR TERRESTRIAL WILDLIFE
EXPOSED TO AGRICULTURAL CHEMICALS

a. Overview and Challenges of the Project

The science of ecological risk assessment for exposure of terrestrial wildlife to
agricultural chemicals has advanced rapidly during the 1980s. EPA requires detailed
assessments of the toxicity and environmental fate of chemicals proposed for
agricultural use. Performance of an ecological risk assessment requires data from
several disciplines: analytical toxicology, environmental chemistry, biochemical
toxicology, ecotoxicology, and wildlife ecology.

Addressing the ecological risks associated with the use of an agricultural chemical
involves a complex array of laboratory and field studies—in essence, a research
program. This paper provides examples of integrated field and laboratory research
programs, such as The Institute for Wildlife and Environmental Toxicology (TIWET) at
Clemson University. Preliminary toxicological and biochemical evaluations include
measurements of acute toxicity (LC50 and LD50), toxicokinetics, and observations of
wildlife in areas of field trials. Assessment of reproductive toxicity includes studies
with various birds and other wildlife, particularly European starlings that nest at high
densities in established nest boxes; these studies include measurements of embryo
and nestling survival, postfledgling survival, behavior, diet, and residue chemistry.
Nonlethal assessment methods include measurement of plasma cholinesterase
activity associated with organophosphate pesticide exposures. A wide variety of birds,
mammals, and invertebrates have been used in these studies.

End points evaluated in wildlife toxicological studies include mortality, reproductive

success, physiological and biochemical changes, enzyme impacts, immunological
impairment, hormonal changes, mutagenesis and carcinogenesis, behavioral changes,
and residues of parent compounds and metabolites.

The paper includes a case history of a comparative evaluation of Carbofuran and

Terbufos as granular insecticides for control of corn rootworms. Carbofuran has been
responsible for many incidents of wildlife poisoning and is recognized as being very
hazardous to wildlife. In contrast, although Terbufos is highly toxic to wildlife in
laboratory studies, exposure of wildlife under field conditions appears generally to be
relatively low, and widespread mortality is not evident. Field studies of Terbufos
conducted by TIWET might be the only ones conducted to date that satisfy EPA's
requirements for a Level 2 field study, a more quantitative assessment of the
magnitude of the effects of a pesticide than the qualitative Level 1 studies. (Level 2
studies are performed when toxicity tests and use patterns suggest a detailed study is
warranted.) Data generated in those studies support an ecological risk assessment for
Terbufos that is reported in the paper. However, the research program on Terbufos
represents many years of effort with integration of laboratory and field research to
achieve a full-scale level 2 study in just one geographic area on one crop. Ecological
modeling techniques will be needed to generalize the results to other chemicals or to
other situations.
b. Risk Management
Dr. Williams noted that each step in ecological risk assessment is more complex and
less understood than the corresponding step in human health risk assessment.
Although hazard can be assumed when a toxic chemical is released, the species and
populations at risk must first be defined. The appropriate selection of surrogate
species for testing in the laboratory is usually unclear. Measurement of environmental
concentrations is only the first step in exposure characterization. Exposure assessment
also requires consideration of foraging behavior, avoidance, and food-web
considerations, as well as spatial and temporal variability. Risk characterization
involves comparison of exposure estimates with measures of hazard; this process
might result in compounding of errors. Ecological risk assessments do not track
individuals over time and so do not accurately reflect population changes.

The activities presented in the case study have a large research component, which is
focused on dose-response assessment and exposure assessment. One discussant
characterized risk assessment, as presented in the case study, as a retrospective
exercise based on focused characterization of hazard and exposure in wildlife. Given
the difficulties in conducting environmental risk assessments, the four-part paradigm
might not be applicable at levels of organization above that of the population.