QSP - 08 - Risk Assessment, Management and Contingency Planning Rev 0.pdf

QSP-08 RISK ASSESSMENT, MANAGEMENT AND CONTINGENCY PLANNING

Date of Issue: 27/05/2014 QSP / 08 Rev 0 Date of Print: 18/06/2014 27/05/2014

of 11

Q.S.P-08

RISK ASSESSMENT, MANAGEMENT AND CONTINGENCY PLANNING

Rev Issued To Title Date Signed By

0 Management Team

27/05/14

DATE SECTIONS REVIEWED PREPARED APPROVED BY

27‐05‐14 First Issue



of 11

Procedure No.QSP - 08

RISK ASSESSMENT, MANAGEMENT AND CONTINGENCY PLANNING

1. PURPOSE AND SCOPE

To establish methods for identifying and controlling risks associated with impact on delivery, quality of product, and cost requirements associated with the manufacture and delivery of products in accordance with customer and/or regulatory requirements. This procedure shall support ###### Quality Policy and assist in achieving established Quality Objectives. The procedure identifies the techniques, tools and their application for risk identification, assessment and mitigation.

2. REFERENCES RIS/01 ‐ Risk Register ‐ A listing of known or perceived risks within the operating system at Cadeng which may impact on product delivery and/or quality RIS/02 ‐ Risk Assessment Form ‐ A form used to record data and information related to risk assessment

3. DEFINITIONS Risk ‐ An uncertain event or condition which may impact on delivery and/or quality of product Acceptable Risk ‐ Risk that is understood and agreed to by the organization management and the customer, and is not considered sufficient to impact on the defined success criteria within the approved level of resources. Contingency Plan – Plan(s) determined to minimize the identified risk (Mitigation) Harm ‐ Physical injury or damage to the health of people, or damage to property and/or the environment Risk Analysis ‐ systematic use of available information to identify hazards and to estimate the risk Risk Assessment ‐ overall process comprising a risk analysis and a risk evaluation Risk Evaluation ‐ judgment, on the basis of risk analysis, of whether a risk is acceptable or not Risk Control ‐ process through which decisions are reached and protective measures are implemented for reducing risks to, or maintaining risks within acceptable levels Risk Management ‐ systematic application of management policies, procedures and practices to the tasks of analyzing, evaluating and controlling risk Likelihood ‐ The chance of an event occurring Consequence ‐ the outcome of an event affecting objectives Grandfathering ‐ to be exempt from a new ruling due to a positive history and/or proven track record. Residual Risk ‐ the risk which remains after actions have been taken to mitigate an initial risk Contingency Plan ‐ A back‐up or alternate measure which can be used if an unplanned event occurs which may impact on delivery or quality of product



of 11

4. PROCEDURE

4.1 - General

4.2 - Responsibilities

The Quality Management System at ######, in conjunction with API, Customer and Connection Licensor specifications, provides for numerous process controls designed to ensure conformance to requirements. While these controls may be adequate to mitigate low to moderate level risks associated with the manufacturing environment, this procedure shall be used to identify the significant risks to achieving objectives, and to analyze, evaluate, and apply suitable risk treatment measures.

For routine tasks such as standard threading and connection make‐up, risk management is conducted informally between the members of the management team. Risks involved in these sort of tasks have been recognised over many years of operation, and are well known to all concerned. The formal risk assessment process described in this procedure applies to tasks or projects which require ###### to step outside familiar territory, and necessitate the implementation of procedures not commonly utilised.

This procedure should be used in conjunction with other established procedures and processes throughout the organization, such as sales, quoting, contract review, production planning, purchasing, manufacturing, and inspection to provide an integrated plan for managing risk throughout product realization. For the purposes of this process, the components of risk shall be identified as follows:

A future root cause (yet to happen), which, if eliminated or corrected, would prevent a potential consequence from occurring,

A probability (or likelihood) assessed at the present time, of that future root cause occurring, and

The consequence (or effect) of that future occurrence

Note ‐ Risks should not be confused with issues. If a root cause is described in the past tense, the root cause has already occurred, and hence, it is an issue that needs to be resolved, but it is not a risk. Issues are resolved through Corrective or Preventive Actions as described in QSP/05 ‐ Systems Monitoring and Improvement.

To assist with Risk Management, the Quality Manager maintains a Risk Register, (RIS/01), which lists all known significant events which may impact on product delivery and/or quality. Associated risk treatments and Contingency Plans currently used to reduce the risk to acceptable levels in these areas are among information included in the Risk Register. Records of risk assessment and management, including actions taken, shall be maintained as per QSP/04 ‐ Document Control and Records Management. ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ The General Manager shall retain ultimate authority and responsibility for Risk Management. The Quality Manager is responsible to ensure that the risk management framework is established, implemented, monitored, and reviewed for improvement. The Production Manager and the General manager shall be responsible to:

Establish, use, and assist in the maintenance of the risk management process.

Ensure that the risk management process is communicated and integrated throughout the organization, and that risks are identified, managed and



of 11

4.3 - Risk Criteria

4.3.1 - Likelihood

4.3.2 - Consequence

monitored in accordance with this process.

Ensure that adequate resources from all necessary disciplines are allocated to support this process.

Ensure that risk treatment strategies are developed, implemented and controls maintained.

Employees at all levels shall be responsible to manage risks in accordance with this process in their respective areas of concern.

Risk criteria are defined in terms of the following 2 elements: 1. The likelihood of an event (root cause) occurring, and; 2. The consequence of that event (root cause) occurring

These criteria shall be used later in the process to evaluate the significance of the risk.

The Level of Likelihood element shall be determined using the criteria specified in the following Levels of Likelihood Criteria Table (Fig 1.), and assigned a Level Number. The level should be determined by evaluating all available information, both current and historical, or by estimating the probability of occurrence using experience and judgment as a guide. Every effort should be made to ensure the determined Level is accurate.

LIKELIHOOD

LEVEL LIKELIHOOD PROBABILITY

1 Remote 10%

2 Unlikely 30%

3 Probable 50%

4 Highly Probable 70%

5 Near Certainty 90%

Fig 1.

The Level of Consequence element shall be determined using the criteria specified in the following Levels and Types of Consequence Criteria table (Fig 2.), and assigned a Level Number. While cost has been included in these criteria, and should be considered in the quoting and estimating stages, the inclusion of cost criteria should be evaluated for use after award of contract, (see section 4.8.1).



of 11

4.3.3 - Overall Risk Score

CONSEQUEN

CE

LEVEL PRODUCT QUALITY DELIVERY SCHEDULE COST

1 Insignificant ‐ Requires minor rework to bring into full conformity.

No Impact ‐ 1% Increase

2 Minor ‐ Requires significant rework to bring into full conformity.

Minor Impact - Internal schedule slip. Still able to meet original delivery schedule and

quantity

5% Increase

3 Moderate ‐ Extensive rework or remake. Cannot be reworked to

meet conformity requirements. Requires customer concession to

"Use as is"

Some Impact ‐ Requires minor schedule (< 7 days) or

quantity concession from customer.

5% Increase

4 Major ‐ Multiple scrapped parts. Multiple parts require repair to

restore to acceptable condition. Requires customer approval.

Major Impact ‐ Requires major schedule (> 7 days) or

quantity concession from customer. Minor impact to

Customer production schedule. Customer required Milestones

10% Increase

5 Severe ‐ All parts scrapped. Unable to produce conforming

parts. Unable to obtain required materials or services.

Catastrophic ‐ Unable to deliver parts. Major impact to

customer production or program schedule.

20% Increase

Fig 2.

The overall Risk Level is determined using the Risk Assessment Scoring Chart (Fig 3.), and is assigned a Level of Low (L), Moderate (M), or High (H).

RISK ASSESSMENT SCORING CHART

LIKELIHOOD

5 Near

Certainty

L M H H H

4 Highly

Probably

L M M H H

3 Probable

L L M M H

2 Unlikely

L L L M M

1 Remote

L L L L M

1

Insignificant2

Minor 3

Moderate 4

Major 5

Severe

CONSEQUENCE

Fig 3.



of 11

4.3.4 - Existing Risk Controls

Existing risk controls (refer to RIS/01 ‐ Risk Register) are evaluated against the following criteria to determine effectiveness, and whether further actions may be necessary.

EXISTING CONTROLS ASSESSMENT

EFFECTIVE Indicates effective risk controls are in place resulting in minimal net risk.

ADEQUATE

Indicates risk controls are in place and generally effective, however, an opportunity for refinement exists to further reduce risk. Evaluate for further risk treatment.

FAIR Indicates risk controls are presently being developed, or are only partially effective. Application of risk treatment is required to mitigate risk.

POOR Indicates risk controls have not yet been developed, or are ineffective. Application of risk treatment is required as a matter of priority.

Fig 4.



of 11

4.4 - Process Structure

Fig 5.



of 11

4.5 - Risk Identification

4.6 - Risk Analysis

The purpose of this step is to identify the risks to achieving objectives so they may be managed. Generally this will take place during the Quote and Contract Review stages; however risks should be continuously re‐evaluated throughout the product realization process. It is critical to identify risks as early in the life of a project as possible, because a risk not identified at this stage may be excluded from further analysis.

Tools for identifying risks may include Fault Tree Analysis (FTA), Failure Mode and Effects Analysis (FMEA), Historical Data Analysis, Brainstorming, informed opinions and expert advice from employees and reputable sources within the mining, and oil and gas industry, stakeholder input .

Potential sources of risk include:

Requirements ‐ Customer identified or Industry determined special requirements

Technology ‐ The degree to which existing technology has demonstrated sufficient maturity to be realistically capable of meeting performance objectives

Delivery of non‐conforming product

Production / Facilities ‐ The ability to achieve performance objectives based on available manufacturing resources and processes

Supplier performance ‐ The ability of material suppliers to deliver compliant products to a designated schedule

Outsources Tasks ‐ The abilities, experience, knowledge, and availability, of outsourced process suppliers

Cost – The ability of our system to achieve cost objectives. This includes the effects of errors in estimating techniques used, the cost of poor quality associated with customer furnished materials and other financial or budget effects

Management ‐ The degree to which plans and strategies exist and are realistic and consistent. Staffing and supervision should be sufficient to execute the task

Availability of Competent personnel

Schedule ‐ The sufficiency of time allocated to achieve objectives. Short lead times from customers, long lead times from suppliers, etc.

Having identified what events might occur, it is necessary to determine the root causes for these events. There may be many ways an event can happen, however, using the “5 Why” process will allow you to determine the root cause for each event. Root causes (Risks) shall be documented in RIS/02 ‐ Risk Assessment Form.

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐Once the root causes have been identified, they will need to be analyzed in terms of their Likelihood to occur, and the severity of Consequences should they occur. This is accomplished using the Likelihood and Consequence Criteria charts established in sections 4.3.1 and 4.3.2 of this procedure. Each root cause shall be assigned a Likelihood Level and a Consequence Level score. These will be used to evaluate the overall risk assessment score, which in turn will determine further action. Scores shall be documented in RIS/02 ‐ Risk Assessment Form.

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐



of 11

4.7 - Risk Evaluation

4.7.1 - Contingency Planning

4.8 - Risk Treatment

Using the scores developed in section 4.6 for "Likelihood" and "Consequence", use the Risk Assessment Scoring chart to obtain a Risk Assessment Rating. This will correspond to one of three (3) overall levels of risk, Low (Green), Moderate (Yellow), or High (Red).

For Risks rating in the Low (Green) category, Risk treatment is not required. Monitor and Review for future treatment. For Risks rating in the Moderate (Yellow) category, existing controls must be evaluated for effectiveness. For controls assessed to be less than “Adequate”, further risk treatment is required. For controls assessed to be only “Adequate”, evaluate for further risk treatment. (Cost / Benefit – Risk / Reward, etc.). All Risks rating in the High (Red) category shall require risk treatment and / or further analysis.

Overall Risk Ratings shall be documented in RIS/02 ‐ Risk Assessment Form.

The Quality manager maintains a Risk Register (RIS/01), which identifies all known significant risks which may impact on delivery and quality of product. Included in the Risk Register is a Contingency Plan, which identifies a solution which can be implemented should a specified event occur. A Contingency Plan mitigates the consequences of an unplanned event taking place, and is a form of risk treatment. The existence of a Contingency Plan can be used to reduce an unacceptable risk into an acceptable risk.

The Contingency Plan shall encompass the significant risk scenarios associated with the following:

Facility/equipment availability and maintenance Supplier performance and Material availability/Supply Delivery of Non-Conforming Product Availability of Competent personnel

The Contingency Plan shall include authorities and responsibilities, and both internal and external communication controls.

The risk scenarios and the actions required shall be updated if required based on new risks identified.

All other information in this plan shall be updated whenever there is a change in responsibilities, authorities and/or communication controls.

This contingency plan shall be communicated to all personnel and shall be accessible to all employees via the Master List of Forms and Documents (DC/01).

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐Risk treatment is process of identifying the options for modifying risks, selecting and implementing those options in the form of a risk treatment plan. Once implemented, treatments provide or modify risk controls. Risk treatment involves the cyclical process of:

developing a risk treatment

Deciding whether residual risk levels are acceptable

If not acceptable, developing a new risk treatment

Assessing the effectiveness of that treatment

Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. The available options can include:

Avoiding the risk by deciding not to start or continue an activity

Accepting, or even increasing the risk in order to pursue an opportunity

Removing the source of the risk



of 11

4.8.1 - Selection of Risk Treatment Options

4.8.2 - Preparing and Implementing Treatment Plans

4.9 - Monitor and Review

Changing the Likelihood of the risk occurring

Changing the Consequence of the risk occurring (Contingency)

Sharing the risk with another party or parties

Retaining the risk by informed decision

1. Selecting the most appropriate treatment options involves balancing the costs of implementation against the benefits derived. In general, the cost of managing risk needs to be commensurate with the benefits obtained. When evaluating cost versus benefit, the context should be taken into account. It is important to consider all costs, both direct and indirect, and all benefits whether tangible or intangible.

2. Decisions should account for the need to consider carefully those rare but severe risks that may warrant risk treatment, that are not justifiable on strictly economic grounds. Customer, regulatory, or legal requirements may override simple cost / benefit analysis.

3. If budgetary constraints exist, the treatment plan should clearly specify the priority order in which treatments should be implemented. Consider the full impact of not taking action against any cost savings.

4. If after treatment residual risk remains, this risk should be evaluated and a decision should be made about whether to retain this risk, or repeat the risk treatment process.

The purpose of the treatment plan is to document how the chosen options will be implemented. The plan may be documented in any format, and may require several formats, however, should be available to all concerned stakeholders and contain as a minimum:

The proposed actions

Resource requirements

Assigned responsibilities

Timing and scheduling requirements

Performance measures

Reporting and monitoring requirements

Treatment plans should be integrated with other management processes such as Quoting, Contract Review, Production Planning, Manufacturing, and Verification activities.

Once a risk treatment has been implemented, all information related to the assessment and subsequent treatment plan shall be determined and recorded on the Risk Assessment Form (RIS/02) by the designated person.

The designated person shall complete all remaining relevant sections of the Risk Assessment Form and forward it to the Quality Manager.

The QA shall transfer the information to the Risk Register (RIS/01) and maintain relevant documents.

A significant risk may be included in Contingency Plan.

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐Ongoing review is essential to ensure that the management plan remains relevant and effective. The factors that affect the Likelihood and Consequences of an event may change, as may the factors that affect the suitability or cost of the treatment



of 11

options. Other process monitoring such as Quality and Delivery performance, as well as actual progress against treatment plan should provide information about the effectiveness of the risk management process.

Information gathered during risk assessments shall be collated and analysed before being presented at Management Review Meetings for discussion with a view to possible improvements to the Quality Management system

QSP - 08 - Risk Assessment, Management and Contingency Planning Rev 0.pdf

Documents

Transcript of QSP - 08 - Risk Assessment, Management and Contingency Planning Rev 0.pdf