Sushil Bhatia, Director BRiQ MSS

Risk Management is the identification, analysis and elimination (and/or mitigation to an acceptable OR tolerable level) of those hazards, as well as subsequent risks, that threaten the viability of an organization. (ICAO DOC 9859).

The term operational risk management (ORM) is defined as a continual cyclic process which includes risk assessment, risk decision making, and implementation of risk controls, which results in acceptance, mitigation, or avoidance of risk. ORM is the oversight of operational risk, including the risk of loss resulting from inadequate or failed internal processes and systems; human factors; or external events.

The objective of Risk Management is to ensure that the risks associated with hazards to operations are systematically and formally identified, assessed, and managed within acceptable safety levels.

And the next logical question is “what are the acceptable safety levels?”

Let us understand it this way. A worker has to cycle 4 km to reach the work site of a company. On the way, he has to negotiate broken roads and pass through a thick forest for 500 m, which is known to have a panther. Also, there is no repair shop on the way. Now, the worker has two options. Either he does not go, loses the job, and perishes, or he goes and faces the risk of falling down and breaking his bones, getting killed by the panther, etc. Actually, he cannot risk either of the options in its present form. So he decides to continue with the job. To minimize the risk of getting hurt by falling while cycling, he decides to use a helmet and knee guards. To ward off the carnivore, he decides to use a siren for that 500 m stretch. He also decides to keep a small tool box handy, in case his cycle happens to break down.

The situation of any company is similar. Take, for example, a civil aviation carrier. The company faces risks right from the time of inception. What type of aeroplanes to fly? How much maintenance staff? What capability? Training status? Ticket pricing? Sectors to be served? Full service or low-cost? Pay packages to employees? What all to outsource? And so on.

The complete elimination of risk in any organization is obviously an unachievable and impractical goal. Being perfectly safe would amount to stopping all operations. But then why should the company come into existence in the first place? Also, not all risks can be removed or mitigated to perfection, as doing so may become economically unviable. Hence, it is taken for granted that during operations there will be some risks which have to be accepted. So how much is “acceptable” risk? This is called “MANAGEMENT’S DILEMMA”.

So, how do you define the acceptable levels of risk? It is defined by the term “AS LOW AS REASONABLY PRACTICABLE (ALARP)”. The ALARP principle is that after risk mitigation, the residual risk is at a level which is acceptable to regulators and management, in the interest of all stakeholders.

Thus, given the scenario, the organisation is expected to operate within the thin band of Safety Space, with Bankruptcy and Catastrophe as extreme values, as shown below.

It is pertinent to note that of late, all standards, whether we talk of ISO or AS, have introduced Risk Management clauses that must be complied with.

Risk can be considered as having two factors:

(a) Probability (P) that the event will occur
(b) Severity (S) of the outcome, if the event occurs.

The factor P can be divided into a scale of 5 (Frequent=5, occasional=4, remote=3, improbable=2 and highly improbable=1) and Severity S into a scale of 5 (Catastrophic=A, hazardous=B, major=C, minor=D and negligible=E).

The multiplication of P and S gives us the Risk Index (RI). Each organisation needs to decide, for its own situation, which values of RI are acceptable without mitigation, which values are acceptable with mitigation, and which values of RI are “no go” situations.

Thus, a Risk Matrix can be drawn for ease of understanding and working out various levels, as given below.

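| Probability | A (Catastrophic) | B (Hazardous) | C (Major) | D (Minor) | E (Negligible) |
| --- | --- | --- | --- | --- | --- |
| 5 – Frequent | 5A | 5B | 5C | 5D | 5E |
| 4 – Occasional | 4A | 4B | 4C | 4D | 4E |
| 3 – Remote | 3A | 3B | 3C | 3D | 3E |
| 2 – Improbable | 2A | 2B | 2C | 2D | 2E |
| 1 – Extremely Improbable | 1A | 1B | 1C | 1D | 1E |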

While referring to the Table above, suggested levels of acceptable risks are shaded in Red, Blue and Green, with following suggested interpretations:

1. 5A, 5B, 5C, 4A, 4B: NO GO situation. Mitigation to be taken by top management.
2. 4C, 4D, 4E, 3A, 3B, 3C, 3D, 2A, 2B, 2C: Acceptable, with mitigation actions.
3. 3E, 2C, 2D, 2E, 1B, 1C, 1D, 1E: ACCEPTABLE
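
An added example (not part of the original article): the matrix and the three suggested levels above encoded as a lookup, together with an audit of the lists exactly as printed. The band names, the strictest-band tie-break for a cell listed in two levels, and the `UNASSIGNED` result are assumptions of this example.

```python
# Scales as given in the article.
PROBABILITY = {5: "Frequent", 4: "Occasional", 3: "Remote",
               2: "Improbable", 1: "Extremely Improbable"}
SEVERITY = {"A": "Catastrophic", "B": "Hazardous", "C": "Major",
            "D": "Minor", "E": "Negligible"}

# The three suggested levels, copied verbatim from the article,
# ordered strictest first (band names are this example's labels).
BANDS = [
    ("NO GO", "5A 5B 5C 4A 4B".split()),
    ("ACCEPTABLE WITH MITIGATION", "4C 4D 4E 3A 3B 3C 3D 2A 2B 2C".split()),
    ("ACCEPTABLE", "3E 2C 2D 2E 1B 1C 1D 1E".split()),
]


def all_cells():
    """Every Risk Index cell of the 5x5 matrix, top row first."""
    return [f"{p}{s}" for p in sorted(PROBABILITY, reverse=True) for s in SEVERITY]


def audit_bands(bands=BANDS):
    """Return (overlaps, unassigned): cells in more than one band, cells in none."""
    seen = {}
    for name, cells in bands:
        for cell in cells:
            seen.setdefault(cell, []).append(name)
    overlaps = {c: names for c, names in seen.items() if len(names) > 1}
    unassigned = [c for c in all_cells() if c not in seen]
    return overlaps, unassigned


def classify(p, s, bands=BANDS):
    """Map probability p (1-5) and severity s (A-E) to (cell, band).

    Assumption: a cell listed in two bands gets the stricter one, and a
    cell listed in none is reported as UNASSIGNED rather than guessed.
    """
    s = s.upper()
    if p not in PROBABILITY or s not in SEVERITY:
        raise ValueError(f"outside the matrix: P={p!r}, S={s!r}")
    cell = f"{p}{s}"
    for name, cells in bands:  # strictest band first
        if cell in cells:
            return cell, name
    return cell, "UNASSIGNED"
```

Run against the lists as printed, `audit_bands()` reports 2C in two levels and 5D, 5E and 1A in none, so an organisation adopting this matrix has to assign those cells before using it for decisions.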

The RI can be reduced by one of these:

(a) Reducing the Probability (P)
(b) Reducing the Severity (S)
(c) Or by reducing both P and S

For example, in the case of the worker cycling to work, the probability of a fall on bad roads may not be in his control, so he is trying to control the severity of a fall by wearing a helmet and knee guards. While the helmet and knee guards may also reduce the severity of a panther attack, he is trying to reduce the probability of an attack by using a loud horn.

It is important to remember that risk management needs to be done for each department, including each process, and records thereof need to be kept for future reference. Also, each process may have to be revisited in terms of Risk Management at regular intervals, depending on any changes introduced.