Master Class: Construction Health and Safety: ISO 31000, Risk and Hazard Management - Standards

A framework for the integration of risk management into the project and construction industry, following the principles and guidelines of the ISO 31000:2009 standard.

2nd Project And Construction Management Professions Conference

Gallagher Convention Centre, Midrand – October 2014

Master Class Curriculum

1. Overview of key risk management terms and definitions in ISO 31000, ISO Guide 73 and ISO Guide 51

2. Overview of the risk management principles, framework and process in the ISO 31000 guidelines

3. Discussion on the criteria for the selection of suitable risk assessment techniques, as described in IEC/ISO 31010

4. Practical guidance on designing and implementing a suitable enterprise risk management framework in project and construction management organisations


1. Overview - Terms and Definitions

Key risk management terms and definitions in ISO 31000, ISO Guide 73 and ISO Guide 51


Vocabulary

• ISO 31000:2009 Risk management - Principles and guidelines

• ISO Guide 73:2009 Risk management — Vocabulary

• ISO Guide 51:1999 Safety aspects — Guidelines for their inclusion in standards

• Out of 51 terms and definitions contained in the ISO Guide 73, only 29 are used in ISO 31000 – excluded, e.g.:

– Risk Appetite

– Risk Tolerance

– Risk Management Audit

– etc.

Terms and Definitions…

• Risk

– effect of uncertainty on objectives

• NOTE 1 - An effect is a deviation from the expected — positive and/or negative.

• NOTE 2 - Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organisation-wide, project, product and process).

• NOTE 3 - Risk is often characterized by reference to potential events and consequences, or a combination of these.

• NOTE 4 - Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence.

• NOTE 5 - Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood.

• Risk management (RM)

– the coordinated activities to direct and control an organisation with regard to risk

• An integral part of organisational processes as well as a part of decision making

• Can be applied across an entire organisation, to its many areas and levels, as well as to specific functions, projects and activities.

Terms and Definitions…

• Risk assessment – overall process of risk identification, risk analysis and risk evaluation

• Risk source – element which alone or in combination has the intrinsic potential to give rise to risk

• Risk owner – person or entity with the accountability and authority to manage a risk

• Accountability = Authority + Resources (e.g. human, technology, information, finance, etc.) + Competence

• Stakeholder – person or organisation that can affect, be affected by, or perceive themselves to be affected by a decision or activity

Terms and Definitions…

• Likelihood – chance of something happening

• NOTE 1 - In risk management terminology, the word “likelihood” is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).

• NOTE 2 - The English term “likelihood” does not have a direct equivalent in some languages; instead, the equivalent of the term “probability” is often used. However, in English, “probability” is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, “likelihood” is used with the intent that it should have the same broad interpretation as the term “probability” has in many languages other than English.

• Consequence – outcome of an event affecting objectives

• NOTE 1 - An event can lead to a range of consequences.

• NOTE 2 - A consequence can be certain or uncertain and can have positive or negative effects on objectives.

• NOTE 3 - Consequences can be expressed qualitatively or quantitatively.

• NOTE 4 - Initial consequences can escalate through knock-on effects.

Terms and Definitions…

• Risk analysis

– process to comprehend the nature of risk and to determine the level of risk

• NOTE 1 Risk analysis provides the basis for risk evaluation and decisions about risk treatment.

• NOTE 2 Risk analysis includes risk estimation.

• Level of risk

– magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood


Terms and Definitions…

• Risk criteria – terms of reference against which the significance of a risk is evaluated

• NOTE 1 - Risk criteria are based on organisational objectives, and external and internal context.

• NOTE 2 - Risk criteria can be derived from standards, laws, policies and other requirements.

• Risk evaluation – process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable

• NOTE - Risk evaluation assists in the decision about risk treatment.

Terms and Definitions…

• Control – measure that is modifying risk

• NOTE 1 - Controls include any process, policy, device, practice, or other actions which modify risk.

• NOTE 2 - Controls may not always exert the intended or assumed modifying effect.

• Residual risk – risk remaining after risk treatment

• NOTE 1 - Residual risk can contain unidentified risk.

• NOTE 2 - Residual risk can also be known as “retained risk”.


Terms and Definitions

• Risk treatment – process to modify risk

• NOTE 1 - Risk treatment can involve:

– avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;

– taking or increasing risk in order to pursue an opportunity;

– removing the risk source;

– changing the likelihood;

– changing the consequences;

– sharing the risk with another party or parties (including contracts and risk financing); and

– retaining the risk by informed decision.

• NOTE 2 - Risk treatments that deal with negative consequences are sometimes referred to as “risk mitigation”, “risk elimination”, “risk prevention” and “risk reduction”.

• NOTE 3 - Risk treatment can create new risks or modify existing risks.


2. Overview - Relationships

Relationships between the risk management principles, framework and process in the ISO 31000 guidelines

ISO 31000 - Relationships

• Principles: Why risk management?

• Framework: How to integrate risk management in the existing management system?

• Process: How to integrate risk management in the existing management practices and processes?

3. Principles

a) Creates value

b) Integral part of organisational processes

c) Part of decision making

d) Explicitly addresses uncertainty

e) Systematic, structured and timely

f) Based on the best available information

g) Tailored

h) Takes human and cultural factors into account

i) Transparent and inclusive

j) Dynamic, iterative and responsive to change

k) Facilitates continual improvement and enhancement of the organisation

4. Risk Management Framework


• Risk management framework

– set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation

• NOTE 1 - The foundations include the policy, objectives, mandate and commitment to manage risk.

• NOTE 2 - The organisational arrangements include plans, relationships, accountabilities, resources, processes and activities.

• NOTE 3 - The risk management framework is embedded within the organisation's overall strategic and operational policies and practices.

5. Risk Management Process

• Risk management process

– systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk

[Figure: ISO 31000 risk management process – Establishing the Context (5.3); Risk Assessment (5.4), comprising Risk Identification (5.4.2), Risk Analysis (5.4.3) and Risk Evaluation (5.4.4); Risk Treatment (5.5); Communication & Consultation (5.2); Monitoring and Review (5.6)]

5.1 General

• Existing management practices might include components of RM:

– critical review of existing practices and processes to assess and determine adequacy and effectiveness

– adapt and extend existing processes to cover missing elements

• Parameters might be similar to those considered during the design of the framework, but for the RM process they need to be considered in greater detail:

– scope of the particular instance of the RM process

5.2 Communication & Consultation

• Communication and consultation with external and internal stakeholders should take place during all stages of the RM process.

• Therefore, plans should be developed at an early stage.


5.3 Establishing the Context


5.3.1 General

5.3.2 Establishing the external context

5.3.3 Establishing the internal context

5.3.4 Establishing the context of the RM process

5.3.5 Defining risk criteria

Parameters might be similar to those considered during the design of the framework, but for the RM process they need to be considered in greater detail, i.e. the scope of the particular instance of the RM process.

5.4 Risk Assessment

• Purpose: Provide information to make informed decisions

– understanding the risk and impact upon objectives

– providing information for decision makers

– contributing to the understanding of risks

– identifying weak links in systems and organisations

– comparing risks in alternative approaches

– assisting with establishing priorities

– contributing towards incident prevention

– selecting different forms of risk treatment

– meeting regulatory requirements


5.5 Risk Treatment

• Options

– avoiding the risk (do not start / stop the activity)

– increasing the risk to pursue an opportunity

– removing the risk source

– changing the likelihood

– changing the consequences

– sharing the risk with another party or parties

– retaining the risk by informed decision

• Option selection

– cost / benefit analysis

– justifiable on economic grounds

– combination of treatment is better

– values and perceptions of stakeholders

– if impacted, involve stakeholders in the decision

– be aware of the introduction of new risks

5.6 Monitoring and Review

• Purpose: regular checking or surveillance

– Ensuring that controls are effective and efficient (in design and operation)

– Analyzing and learning lessons from events & changes

– Detecting changes in the internal & external context

– Identifying emerging risks

– Further improvements


Health and Safety Risk Assessment

• Many texts deal only with the analytical processes of RA

– Omitting the management and organisational aspects of their implementation:

• establishing the context,

• communication and consultation, and

• monitoring and review

• This trend is particularly valid for the field of H&S risks.


3. Discussion – Selecting a Technique

The criteria for the selection of suitable risk assessment techniques, as described in IEC/ISO 31010. Annex A correlates some potential techniques and their categories for illustrative purposes.

Selection based on Risk Criteria

• For a specific instance of the risk management process, establishing the context should include the definition of the external, internal and risk management context and classification of risk criteria

• Risk assessment may be undertaken in varying degrees of depth and detail and using one or many methods ranging from simple to complex.

• The form of assessment and its output should be consistent with the risk criteria developed as part of establishing the context.


Defining Risk Criteria

• Defining risk criteria involves deciding:

– the nature and types of consequences to be included and how they will be measured,

– the way in which probabilities are to be expressed,

– how a level of risk will be determined,

– the criteria by which it will be decided when a risk needs treatment,

– the criteria for deciding when a risk is acceptable and/or tolerable,

– whether and how combinations of risks will be taken into account.


Sources of Risk Criteria

• Criteria can be based on sources such as

– agreed process objectives,

– criteria identified in specifications,

– general data sources,

– generally accepted industry criteria such as safety integrity levels,

– organisational risk appetite,

– legal and other requirements for specific equipment or applications.


Applicability


Techniques and Tools Covered

1. Look-up methods
   1. Checklists
   2. Preliminary hazard analysis (PHA)

2. Supporting methods
   3. Brainstorming
   4. Structured or semi-structured interviews
   5. Delphi technique
   6. SWIFT (Structured “what-if”)
   7. Human reliability analysis (HRA)

3. Scenario analysis
   8. Root cause analysis (single loss analysis)
   9. Scenario analysis
   10. Toxicological risk assessment
   11. Business impact analysis (BIA)
   12. Fault tree analysis (FTA)
   13. Event tree analysis (ETA)
   14. Cause/consequence analysis
   15. Cause-and-effect analysis

Techniques and Tools Covered

4. Function analysis
   16. Failure mode and effects analysis (FMEA) and Failure mode, effects and criticality analysis (FMECA)
   17. Reliability-centred maintenance (RCM)
   18. Sneak analysis (Sneak circuit analysis)
   19. Hazard and operability study (HAZOP)
   20. Hazard analysis and critical control points (HACCP)

5. Controls assessment
   21. Layers of protection analysis (LOPA)
   22. Bow tie analysis

6. Statistical methods
   23. Sneak circuit analysis
   24. Markov analysis
   25. Monte Carlo analysis
   26. Bayesian analysis

7. Presenting results and decision-making
   27. FN Curve
   28. Risk Indices
   29. Consequence-probability matrix
   30. Cost-benefit analysis (CBA)
   31. Multi-criteria decision analysis (MCDA)

Factors influencing selection of RA techniques

1. Complexity of the problem and the methods needed to analyse it,

2. The nature and degree of uncertainty of the risk assessment based on the amount of information available and what is required to satisfy objectives,

3. The extent of resources required in terms of time and level of expertise, data needs or cost,

4. Whether the method can provide a quantitative output.

Attributes

HAZOP

• Description: A general process of risk identification to define possible deviations from the expected or intended performance. It uses a guideword based system. The criticalities of the deviations are assessed.

• Relevance of influencing factors

– Resources and capability: Medium

– Nature and degree of uncertainty: High

– Complexity: High

• Can provide quantitative output: No

Attributes

Preliminary Hazard Analysis

• Description: A simple inductive method of analysis with the objective to identify the hazards and hazardous situations and events that can cause harm for a given activity, facility or system.

• Relevance of influencing factors

– Resources and capability: Low

– Nature and degree of uncertainty: High

– Complexity: Medium

• Can provide quantitative output: No

Construction Project Risks…

• Construction is undeniably a risky business and risks are unavoidable in any project.

– Risks such as tax risks, interface risks and local site risks are the most common and inevitable risks in construction projects. Other risks that may be less likely to occur are force majeure events or changes in law; but should these risks occur, they will have significant impact on the project.

– Delays, claims for increased costs, injuries to workers and so on are common risks in construction projects. The accumulation of all these risks or the combination of them can be termed “project risks”.

• Construction project risks are interrelated and interdependent. The customary origins for project risks are the following (U.S. Department of Transportation, 2006):

– Performance, scope, quality, or technology issues;

– Environment, safety, and health concerns;

– Scope, cost, and schedule uncertainty;

– Political concerns

Construction Project Risks

Risks in construction projects may be classified in a number of ways according to their source. Naturally, risk will be peculiar to each particular project and each project participant; however, it is recognised that all construction projects share common risks that can broadly be classified as follows:

1. Construction

2. Financial and economic

3. Performance

4. Security

5. Contractual and legal

6. Physical

7. Political and societal

8. Technical risks

9. External risks

10. Organisational risks

11. Project management risks


What next?

• In the spirit of ISO 31000, one may decide to review the foundations of existing processes and practices regarding the H&S risk assessment and management.

– While it is not specific to a particular industry or sector, the standard can be applied to any organisational entity regardless of the type and nature of the risks.

– Despite this, the standard is not about promoting uniformity in risk management, because the design and implementation of the framework and management plans should take into account the specific needs of the organisation’s particular objectives, structure, operations, processes, functions, projects, products, services, goods, and specific practices employed.

• Legal compliance

– Some areas, such as in H&S, require regulatory criteria that reflect an “aversion” to the predominantly negative consequences of risk. Resorting to the approach proposed in the standard enables the identification and application of such criteria.

4. Practical guidance

Designing and implementing a suitable enterprise risk management framework in project and construction management organisations


4. Risk Management Framework…

• The framework supports the organisation in effectively managing risks, applying the risk management process at different levels, in the specific context, at a given moment.

4. Risk Management Framework

• This framework is to be embedded within the organisation's overall strategic and operational policies and practices

– It includes a "set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation".

• It is worth noting that the risk management framework proposed in the ISO 31000:2009 follows the Deming cycle (Plan-Do-Check-Act: PDCA).

4.1 General

• A risk management framework links the management of risk with other management activities within the organisation.

– Therefore, the framework should be embedded in the overall strategy of the organisation, in its policies and practices, as well as throughout the organisation at all levels.

• In particular, the risk management framework should ensure:

– continual improvement;

– full accountability for risks;

– application of risk management in all decision making;

– clear and continual communications; and

– full integration in the organisation governance structure.

4.2 Mandate and commitment

• Management must initiate risk management and also ensure its efficiency. This requires a strong and sustained commitment, as well as a rigorous design of a strategic plan to obtain involvement at all organisation levels. In this regard, the management should:

– define and endorse the risk management policy;

– ensure alignment between organisation's culture and risk management policy;

– define risk management performance indicators that are aligned with organisational performance indicators;

– align risk management objectives with organisational objectives and strategies;

– assign accountabilities and responsibilities and empower individuals at appropriate levels of the organisation, ensuring adequate competences;

– ensure that the necessary resources are allocated to risk management;

– communicate the benefits of risk management to all stakeholders; and

– ensure that the framework for managing risk continues to remain appropriate.

4.3 Framework design…

• Understanding the organisation and its context

– includes the evaluation and understanding of "both the external and internal context of the organisation", aimed at identifying external and internal parameters that influence the pursuit of the organisation’s objectives and, therefore, must be taken into consideration while managing risks

• Establishing the risk management policy

– a “statement of the overall intentions and direction of an organisation related to risk management”

• Integration into organisational processes

– For its efficiency, effectiveness and, also, for the sake of simplicity, risk management should be integrated with management systems or practices that already are familiar to the organisation

– Most construction-related companies have already adopted management processes addressing quality, environment, occupational safety and health, social responsibility, and others, along with the current practices of cost, time and scope management.

4.3 Framework design…

• Accountability and resources

– the organisation should ensure that there is accountability, authority and appropriate competence for managing risk, including implementing and maintaining the risk management process and ensuring the adequacy, effectiveness and efficiency of any controls

– For construction projects, the following key players concerning risk management should be identified:

• company risk coordinators accountable for ensuring the uniformity of the operational context and the compatibility of the risk criteria throughout the company and its projects;

• project risk managers accountable for developing, applying, reviewing and updating the risk management plan as a result of implementing the risk management process;

• risk owners that have the accountability and authority to manage risks through the implementation of the risk treatment procedures/measures.

– Regarding risk management, the link between the construction-related company and the construction projects is established through the communication between risk coordinators and risk managers.

4.3 Framework design - Participation

• To identify and manage H&S risk associated with a project, an organisation requires involvement and participation of the project manager, the project team members, the risk management team, customers, experts, end users, stakeholders and the specialists in risk analysis.

• All decision-making processes in the organisation, regardless of the level of importance or relevance, must explicitly consider risks and the implementation of risk management.


4.3 Framework design - Risk Owners

• A risk owner is the person with the obligation to manage risks (or the state of its management) relating to the area of the construction project over which it is accountable and exercises authority.

• Risk owners should be accountable for:

– the execution of risk management activities and risk-related documentation (including for the activities and documentation generated by hierarchically dependent risk owners); and

– reporting threats and opportunities and validating and implementing risk treatment activities.

• Risk owners are allies of the risk manager in the sense that their expertise and knowledge support the application of the risk management process.

– Especially regarding the risk assessment (risk identification, risk analysis and risk evaluation) and risk treatment stages, to all activities of the construction project, within or outside their particular area of influence.

4.3 Framework design…

• Communication and consultation

– Continual and iterative processes that the organisation conducts to provide, share or obtain information and to engage in dialogue with stakeholders regarding the management of risk.

• Stakeholders in the construction industry

– range from authorities and official bodies, to owners and their representatives, banks and insurance companies, conformity assessment bodies, designers, contractors, subcontractors and suppliers, and, finally but definitely not the least, end-users.

4.4 Implementation

• Implement

1. the RM Process; and

2. the RM Framework

• Implementation of risk management in the construction industry can be envisaged at two complementary levels:

1. Company level: Integrate risk management into the existing overall management system, by adapting components of the ISO 31000:2009 standard to your specific needs.

2. Projects level: Project owners should ensure that a risk management plan is designed and implemented throughout the various phases (lifecycle) of the construction projects they oversee, in order to establish the approach, the management components and the resources to be applied to manage risk.


4.5 Monitoring and review

• Like other elements of overall management, risk management culminates with concrete proposals for amendment of policies, strategies, processes, projects, operations or activities.

• At company level, monitoring should cover the status of risk and its management and check if the level of performance complies or deviates from what is established in the risk management framework.

• On the other hand, review should determine the appropriateness, adequacy and effectiveness of the risk management framework to achieve the objectives laid down in the risk management policy.


4.6 Continual improvement

• Review should also promote changes, where necessary, towards continual improvement.

• The suggested framework includes monitoring and reviewing activities that, alongside communication and consultation, provide a solid ground for enhancing a risk management culture within the construction industry.

Integration…

• There are three perspectives to establish the structural relation between the organisation’s management and risk management, namely:

– consider risk management as a component of the organisation management, with top management delegating the responsibility for it (Fig. 1);

– consider risk management to be incorporated within the organisation top management, so that risk management is not reduced to an administrative task (Fig. 2); or

– consider risk management throughout all aspects of the organisation management, including the possibility of delegating risk management tasks to external entities (Fig. 3).

Integration

• The first perspective somewhat isolates risk management as a separate, additional task. The second perspective is more applicable for sectors such as insurance.

• For the construction industry, risk management should be integrated according to the last perspective.

• It is important to capture all potential risks in a project and undertake all necessary actions or make provisions for eliminating or preventing them from occurring.

– Alternatively, the effects of risks may be reduced and allocated to the party best prepared for managing them. This requires a systematic approach to risk management.

A Proposed RM Model for Projects / Construction Industry


Traditional - Project H&S Specifications

EPCM – H&S Plan
  PC1 – H&S Plan
    C1.1 – H&S Plan
      SC1.1.1 – H&S Plan
      SC1.1.2 – H&S Plan
    C1.2 – H&S Plan
  PC2 – H&S Plan
    C2.1 – H&S Plan
      SC2.1.1 – H&S Plan

Risk-based Project H&S Specification

EPCM Consultant – Project H&S Plan
  Principal Contractor 1 – Site H&S Plan 1
    Contractor 1.1 – Contract H&S Plan
      Subcontractor 1.1.1 – Activity Safety Plan
      Subcontractor 1.1.2 – Activity Safety Plan
    Contractor 1.2 – Contract H&S Plan
  PC2 – Site H&S Plan 2
    Contractor 2.1 – Contract H&S Plan
      Subcontractor 2.1.1 – Activity Safety Plan

Conclusion

• From a project standpoint, the successful implementation of risk management should be started and guided by the owner and their representatives, in order to capture the full spectrum of interested parties involved and focus the product performance on the end user demands.

• Following this, the designers, the contractors and others, should then implement the risk management based on the owner’s guidelines, in order to ensure that the objectives of the end users are met.