Issue 28 – June 2011
A major change in the risk management field has been the development of a new global Standard that has been adopted locally – AS/NZS ISO 31000:2009. This replaced the former Standard, AS/NZS 4360:2004.
Geraint Bermingham, Engineer, Risk management consultant, and Chair of the New Zealand Society for Risk Management, says AS/NZS 4360 – the long-standing local Standard on risk management – was used as the basis of the new global Standard ISO 31000. 'Very few of the original concepts have been changed, which is a testimony to the high quality original thinking of the New Zealanders and Australians who did the original outstanding ground work.
'However, our engineering profession seems to be stuck with the pre-4360 model of risk assessment and analysis. It's very narrowly focused – usually concerned only with engineering failure, does not consider the broader context and does not contemplate a more holistic understanding of risk.'
Mr Bermingham says the AS/NZS 4360 Standard set a new benchmark, not only for being a management Standard, but also for setting out a universal process for the management of risk.
As a nuclear engineer in the Royal Navy submarine fleet, Mr Bermingham felt he had a good understanding of risk and how to handle it. Training in this was a requirement of the nuclear regulator and was considered an essential skill for the engineers responsible for the safe operation of nuclear plants. However, when he arrived in New Zealand in 1996 he came across the draft of a new risk Standard – which was to become AS/NZS 4360.
'I picked it up and it was only 20 pages long. My thoughts were, 'Wow, this is brilliant, what they have done in only 20 pages'. It was essentially what I was taught as a nuclear engineer, but developed in a way that any sector, profession, or discipline is able to apply the concepts. It was a universal risk management process – it went from where you start to where you finish.'
Although through his engineering training and practice, Mr Bermingham had been trained to identify risk, analyse it, and mitigate it, he says this Standard says 'No – you need to start much earlier. You have to understand the context of the problem being solved'. AS/NZS ISO 31000 has now taken this concept even further – defining as it does, risk in terms of objectives.
'Engineers need to take a step change in the way they understand risk. They traditionally commence at the step of identifying risk, but miss out an essential step, which is establishing the risk context. You need to ask, 'what does risk mean, and to whom, how does it come about, who should be involved, what's the benchmark, and what's an acceptable risk?' To understand risk it is necessary to have a clear understanding of the client's or principal's objective.'
Mr Bermingham says risk can only be defined in terms of objectives and any other objectives imposed by the law and regulation. Safety is, for example, usually an imposed objective, while, say, customer experience requirements of a product will be determined by the client.
'Also, importantly, risk is often still thought of in terms of a negative, when intuitively we also know it can be useful if it is seen as a positive. This is what financial markets work on. People buy shares knowing they go down in price. They may also go up against expectations. Speculators take a risk hoping for a return: risk and return – they're well-established concepts.'
The way Mr Bermingham explains it, if you start at the 'identification of risk' step (rather than establishing its context) it will not be clear what 'risk' actually means. This will probably result in the assessment of risk being distorted. In addition, if you miss the step where the context is established, along with the associated process of understanding the client's strategic/overall objective, you may also have missed the opportunity to engage at a more senior and strategic level.
He then supplied the following example to illustrate the need to understand the key client objective so as to define risk within a project.
Air New Zealand is a company operating in a cut-throat industry where failing to deliver to the customer's needs can result in a rapid decline in market share and global relevance. Air New Zealand concluded it needed to jump ahead of the competition, and before starting on a new product development project associated with the introduction of its new 777-300 and 787-9 aircraft, defined success in terms of the customer proposition, and in particular, the wish to delight and 'wow' the customer.
During this project's development stage the customer proposition was always 'top of mind' and risk was therefore defined as any circumstance or situation that may compromise the value proposition and the all-important 'wow' factor.
From this viewpoint, risk in its many forms including technical and engineering failure was seen quite differently from the traditional view of component or technical performance. It was the effect on the top objective that allowed risk to be rated and assessed in a more meaningful way.
The result was all participants, whether technical or otherwise, had a common perception of risk and the engineers were equally engaged in the strategic direction and delivery of the project.
Mr Bermingham says the point is that in what was essentially a complex engineering project, Air New Zealand defined risk as a customer experience and so made decisions that were always focused on the strategic objective – that of 'wowing' the customer.
He also makes one other point: this cutting-edge project was undertaken despite the inherent risks – without the traditional risk-avoidance mentality that pervades many engineering projects.
In a different example, Mr Bermingham describes a situation where a community is worried that a river might flood. One solution, an engineering-oriented one, would be to build stop banks to prevent the flood affecting a given area.
'But say the river is next to sports fields and clubrooms. An easier, better and cheaper solution might be to put the clubrooms on piles. Then, if the river floods, although the fields will be inundated for a couple of days, the major asset (the clubrooms) will be safe and protected. This becomes obvious if, instead of defining risk as 'flood', you take a step back and define risk in terms of objectives – in this case of 'limiting social disruption cost'. By adopting this wider understanding, more cost-effective alternatives not involving major engineering/construction can be considered.'
Mr Bermingham says from an organisational perspective, AS/NZS ISO 31000 provides important risk management principles and an organisational framework as well as the earlier 4360 process, thus providing all the components for sound manipulation and management of risk within organisations.
'This understanding can allow engineers to be part of a much broader conversation, and allows risk to be managed within organisational structures and decision-making processes.'
Mr Bermingham says Christchurch's rebuild after the earthquake is an example of where the engineering profession needs to be involved – right at the beginning – but involved at the right level. This means not talking yet about, for example, what construction method should be used but instead, considering what type of city do Cantabrians really want in 15 years' time? Risk then becomes the failure to deliver to this vision and all decisions about risk are then framed first by this understanding.
'We need to define what success will look like for the city,' he says. 'There's going to be some very sophisticated risk questions that engineers need to be involved in. An up-to-date understanding of risk management can offer not only better professional practice but also an avenue to higher-level involvement in key long-term decisions.'
This article was written by Juliet Palmer and first appeared in Volume 12/3 of the May/June 2011 issue of Engineering Insight. It is summarised and reproduced with the permission of The Institution of Professional Engineers Inc.
- AS/NZS ISO 31000:2009 Risk management – Principles and guidelines
- ISO/IEC 31010:2009 Risk management – Risk assessment techniques
- ISO Guide 73:2009 Risk management – Vocabulary
- HB 327:2010 Communicating and consulting about risk
- Just published – Handbook 141:2011 Risk financing guidelines, Touchstone, June 2011
- Recent disasters and ISO Standards, Touchstone, June 2011
- New risk management Standard available now, Touchstone, December 2009
- New Standard published for managing disruption-related risk, media release, 7 July 2010
- New risk assessment Standard joins risk management toolbox, Touchstone, March 2010
- Risk management – new vocabulary Standard, Touchstone, December 2009