Risk Assessment: A Practical Guide to Assessing Operational Risk Chapter 20: Global Perspectives.

Risk Assessments: Global Perspectives
Objectives
- Using ISO for Maturity Assurance and Conformity
- Global Uptake of ISO International Risk Management Standard
- Global Comparison of Risk Tolerability Criteria
- Tolerability Criteria for Planning New Industries / Locations
- Investment to Prevent a Fatality
- Shifting the Paradigm from Absolute Safety to Risk Management – ALARP & Reasonably Practicable
- Changing Traditional Language to Risk Based Language for more Effective Safety Risk Conversations

Introduction
In these days of business globalization, professional safety, health & environmental (SH&E) practitioners often need to be aware of international practices and standards around the world. Global organizations need assurance of the uniformity, consistency and harmonization of their risk management standards, policies and processes in general, and of their SH&E standards in particular.

Introduction
ISO 31000:2009 was nationally adopted in the United States as an American National Standard, ANSI/ASSE Z , Risk Management Principles and Guidelines, and is identical to the ISO standard. The International Risk Management (RM) Standard consists of:
1. Principles, a Framework and a structured Process for effective RM shown in Figure
2. Consistent, defined RM vocabulary and language
3. A set of performance criteria
4. One, common overarching RM process shown in Figure
5. Guidance on how that process should be integrated into the decision-making processes of any organization

Using ISO for Maturity Assurance and Conformity
ISO 31000:2009 is being applied world-wide and now allows an organization of any size and business activity to assess the maturity and adequacy of its risk management system (RMS). Many organizations currently have at least informal risk management practices and processes which include a number of fundamental components of an RMS as detailed in ISO 31000/ANSI Z690.2, ANSI Z , ANSI Z Prevention through Design, and even the Occupational Safety and Health Administration’s (OSHA) Process Safety Management standard (briefly described in Chapter 6 - What if Analysis). However, the means of gaining confidence and assurance that those practices and processes are adequate, mature and effective are often lacking.

Using ISO for Maturity Assurance and Conformity
Many organizations have taken the extra step of integrating their risk management systems for consistency in handling all risk domains. ISO becomes the over-arching envelope that provides uniform management processes for all types of risks.

Using ISO for Maturity Assurance and Conformity
A process called a Conformity Assessment consists of tools constructed and used to review, assess, and even audit how well the organization conforms and complies with the standard, and hence provides a measure of the maturity and adequacy of the organization’s own system. A practical conformity assessment tool [Whiting 2012] consists of 3 sets of comprehensive evidence-seeking questions designed for each detailed “should” expectation of the standard in its Principles, Framework, and Process. It can be used internally or externally as a first, second or even third party audit tool. It can be tailored to any activity and risk domain. According to the answers to these questions, an overall rating of Maturity Level 1 to 5 can be determined as in Figure 20.4.

Global Uptake of ISO International Risk Management Standard

Global Comparison of Risk Tolerance Criteria
A critical stage in the RM Process is Evaluation. At that stage in the process, the risk manager needs to evaluate the sizes of the risks calculated or estimated in the preceding Analysis stage by comparing them with pre-determined criteria developed in the initial Establish Context and Scope stages. The criteria of most importance are the prior agreed risk acceptability levels and whether the risk level is being continually managed down So Far As Is Reasonably Practicable (SOFAIRP).

Global Comparison of Risk Tolerance Criteria
Risks to people can be represented in two ways. Both are a combination of the likelihood of an event happening (e.g. an accident at a major hazard installation), and the possible consequences in terms of harm to people:
- Individual Risk
- Societal Risk

Global Comparison of Risk Tolerance Criteria
1. Individual risk is the likelihood or probability or chance that a particular individual at a particular location under specific exposure circumstances will be harmed. It is usually described in numerical terms such as “a 1 in 20,000,000 chance of being killed by lightning per annum (p.a.)”.

Global Comparison of Risk Tolerance Criteria
2. Societal risk is a way to estimate the chances of numbers of people being harmed from an incident. The likelihood of the primary event (an accident at a major hazard plant) is still a factor, but the consequences are assessed in terms of level of harm and numbers affected, to provide an idea of the scale of an accident in terms of numbers killed or harmed.

Tolerability Criterion for Individual Risk
In the UK and the Netherlands, public safety risk criteria for new industrial hazardous activities were set by government regulation many decades ago. The starting point for determining these criteria was the statement ‘that any additional risk from exposure to a new hazardous activity to a member of the public should not be significant when compared with risk in everyday life.’

Tolerability Criteria for Planning New Operations
The foundation for choosing quantitative risk tolerability criteria is the following principles:
1) that the exposed persons, such as nearby residents, should not be involuntarily subject to a risk from a new exposure that is significant compared to the ‘background’ risk associated with existing hazards.
2) that individual and societal risk should be considered separately.

Tolerability Criteria for Planning New Operations
Fatality Risk Criteria for Land Use Planning and Locations of New Exposures

Investment to Prevent a Fatality
An interesting global perspective in Risk Management is how different countries use measures related to human life values in cost-benefit analysis (CBA) when deciding whether to commit to spending on proposed new or changed risk controls for a particular risk, e.g. should all school buses be fitted with seat belts? The standard approach to CBA of risks to life is to convert them into equivalent costs. The monetary valuation of risks to life is often described as a “value of life”.

Shifting the Paradigm from Absolute Safety to Risk Management
Internationally, more and more countries have shifted, or are shifting, their safety philosophies and practices from unrealistic absolute safety or even zero risk beliefs to more appropriate models of managing risk to as low as reasonably practicable (ALARP). Safety regulators in many countries have traditionally been prescriptive, describing absolute obligations that detail how safety risks were to be eliminated, prevented or stopped. In recent decades, legal and regulatory safety obligations have increasingly been described in ALARP/performance based frameworks rather than prescriptive, unconditional “ensure without risk” models. National and international safety standards are now more and more written in terms of ALARP or the equivalent.

What is reasonably practicable?
A risk-informed, performance based regulatory approach to safety laws defines reasonably practicable, in relation to a duty to ensure health and safety, as meaning that which was reasonably able to be done in relation to ensuring health and safety

What is reasonably practicable?
Weighing all relevant matters including:
(a) the likelihood of the hazard or the risk occurring; and
(b) the degree of harm that might result; and
(c) what the person concerned knows, or ought reasonably to know, about—
    (i) the hazard/risk; and
    (ii) ways of eliminating/minimizing the risk; and
(d) the availability/suitability of ways to eliminate/minimize the risk; and
(e) after assessing the extent of the risk and the available ways of eliminating or minimizing the risk, the cost associated including whether the cost is grossly disproportionate to the risk.

Societal or Group Risk Tolerability Framework
In terms of Societal or Group Risk, ALARP principles are described in Figure with a common expression of the “intolerable” frequency of incidents involving more than 1,000 fatalities per incident (e.g. Bhopal or 2 x 500 passenger planes colliding in mid-air).

Moving Towards Risk Based Language for more Effective Risk Conversations
The transition from compliance-based safety to risk-based safety in large part has occurred in many parts of the world, and is beginning to take place in the United States. This requires risk-centric organizations and progressive risk professionals to use better terminology and language for risk based conversations. For example, outdated terms such as loss control and loss prevention are now being replaced with safety risk management and risk control.

Conclusion
Risk Management is fundamentally about how to make risk-informed decisions when life and business circumstances are uncertain. Risk Management is not about taking more risk, but rather about better understanding the exposures we are currently not managing as well as we need to, or could. Safety is managing risk to ALARP, not zero risk. The risk makers and the risk takers need to be the risk managers.