What you can learn about Organisational Risk Culture from the CBA Prudential Inquiry

R2A was recently commissioned to complete a desktop risk documentation review in the context of the CBA Prudential Inquiry of 2018. The review has provided a framework for boards across all sectors to consider the strength of their risk culture. This has been bolstered by the revelations from The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.

Specifically, R2A was asked to provide commentary on the following:

  • Overall impressions of the risk culture based on the documentation.
  • To what extent the documents indicate that the organisation uses organisational culture as a risk tool.
  • Any obvious flaws, omissions or areas for improvement.
  • Other areas of focus (or questions) suggested for interviews with directors, executives and managers as part of an organisational survey.

What are the elements of good organisational risk culture?

Organisations with a mature risk culture have a good understanding of risk processes and interactions. In psychologist James Reason’s terms[1], these organisations tend towards a generative risk culture, as shown in James Reason’s table of safety risk culture below.

Pathological culture
  • Don’t want to know
  • Messengers are 'shot' on arrival
  • Responsibility is shirked
  • Failure is punished or concealed
  • New ideas actively discouraged

Bureaucratic culture
  • May not find out
  • Messengers are listened to if they arrive
  • Responsibility is compartmentalised
  • Failures lead to local repairs
  • New ideas often present new problems

Generative culture
  • Actively seek it
  • Messengers are trained and rewarded
  • Responsibility is shared
  • Failures lead to far reaching reforms
  • New ideas are welcomed

How different organisational cultures handle safety information

Key attributes include:

  • Risk management should be embedded into everyday activities and be everyone’s responsibility with the Board actively involved in setting the risk framework and approving all risk policy. Organisations with a good risk culture have a strong interaction throughout the entire organisation from the Board and Executive Management levels right through to the customer interface.
  • The organisation has a formal test of risk ‘completeness’ to ensure that no credible critical risk issue has been overlooked. To achieve this, R2A typically uses a military intelligence threat and vulnerability technique. The central concept is to define the organisation’s critical success outcomes (CSOs). Threats to those success outcomes are then identified and systematically matched against the outcomes to identify critical vulnerabilities. Only the assessed vulnerabilities then have control efforts directed at them. This prevents the misapplication of resources to something that was really only a threat and not a vulnerability.
  • Risk decision making is done using a due diligence approach. This means ensuring that all reasonably practicable precautions are in place to provide confidence that no critical organisational vulnerabilities remain. Due diligence is demonstrated on the balance of the significance of the risk vs the effort required to reduce it (the common law balance). This is consistent with the due diligence provisions of the Corporations, Safety (OHS/WHS) and environmental legislation.

Risk frameworks and characterisation systems such as the popular 5x5 risk matrix (heat map) approach are good reporting tools to present information and should be used to support the risk management feedback process. Organisations should specifically avoid using ‘heatmaps’ as a decision-making tool, as that is inconsistent with fiduciary, safety and environmental legislative requirements.

Risk Appetite Statements for commercial organisations have become very fashionable. The statement addresses the key risk areas for the business and usually considers both the possibility of risk and reward. However, for some elements such as compliance (zero tolerance) and safety (zero harm), risk appetite may be less appropriate as the consequences of failure are so high that there is simply no appetite for it. For this reason, R2A prefers the term risk position statements rather than risk appetite statements.

To get a feel for the risk culture within an organisation, R2A suggests conducting generative interviews with recognised organisational ‘good’ players rather than conducting an audit.

We consider generative interviews to be a top-down enquiry and judgement of unique organisations rather than a bottom-up audit for deficiencies and castigation of variations for like organisations. R2A believes that the objective is to delve sufficiently until evidence to sustain a judgement is transparently available to those who are concerned. (Enquiries should be positive and indicate future directions whereas audits are usually negative and suggest what ought not to be done).


Interview depth

Individuals have different levels of responsibility in any organisation. For example, some are firmly grounded with direct responsibility for service to members. Others work at the community interface surface with responsibilities that extend deep into the organisation as well as high into the community. We understand that the idea is that a team interviews recognised 'good players' at each level of the organisation. If a commonality of problems and, more particularly, solutions are identified consistently from individuals at all levels, then adopting such solutions would be fast, reliable and very, very desirable.

Other positive feedback loops may be created too. The process should be stimulating, educational and constructive. Good ideas from other parts of the organisation ought to be explained and views as to the desirability of implementation in other places sought.

If a health check on your organisational risk culture or a high level review of your enterprise risk management system is of interest, please give us a call to discuss further on 1300 772 333 or head to our contact page and fill in an enquiry.

[1] Reason, J., 1997. Managing the Risks of Organisational Accidents. Aldershot, Hants, England: Ashgate Publishing Limited. Page 38.


Implications of the model WHS legislation post the Royal Commission into the Home Insulation Program

The consequences of the WHS legislation for electrical safety are quite startling, but not yet realised. The legislation requires that risks to health and safety be eliminated, so far as is reasonably practicable.

For instance, a bane of electrical regulators is the home handyman working in a roof space and fiddling with the 240V conductors.  The deaths arising from the home insulation Royal Commission also spring to mind.

Many of us have been replacing our lights with energy efficient 12 V LEDs. And whilst it may be unreasonable to retrospectively replace the 240V wiring in the roof spaces with extra low voltage (ELV) conductors for existing structures, it is obviously quite achievable for a new dwelling. If all the wiring is 12 or 24 V, the possibility of being electrocuted in a roof space is pretty much eliminated, which is the whole point of the legislation.

So in the event of a death that would have been prevented with ELV wiring in a dwelling constructed after commencement of the model WHS act, the public prosecutor presumably has a duty to prosecute any officer of a PCBU (person conducting a business or undertaking) that facilitated the fatal 240V installation. This would include officers of firms of builders, engineers, electricians, architects and building surveyors at the very least.


WHS Disproportionality

The precautionary approach required by the model WHS act forbids, on pain of criminal imprisonment, the exclusive use of target levels of risk (tolerable or acceptable) as a method of establishing whether a situation or circumstance is safe.

Amongst other concerns, this is problematic for those involved in SIL allocation under IEC 61508. The usual comment is: how else can it be done? Actually, it’s quite straightforward.

Disproportionality in safety results from the economist’s law of diminishing returns (the pain is not worth the gain) for precautionary effort, based on the significance of the risk vs the effort required to reduce it.

For example, if an initial precaution reduces the risk by 99%, the next precaution can only address the remaining 1% of the risk, and so on. This means that in terms of the balance of the significance of the risk vs the effort required to reduce it, the scales thump to the ‘let’s not do any more’ side very quickly for effective precautions. It is always hard to define this point in advance because it depends on the actual circumstances of the issue of concern. But when considering the cost effectiveness of precautions in the context of all those available (as well as those already in place), it is generally quite obvious where to draw the line.

This has always been R2A’s understanding of the meaning of disproportionality as used in case law and now the model WHS act.
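The diminishing-returns argument above can be made concrete. The following is an added illustration, not code from R2A or from the article: each candidate precaution removes a fixed fraction of whatever risk is still present when it is applied, so a precaution applied after an effective one removes far less absolute risk for the same effort. It generalises the article's single "99% then 1%" case to a set of candidate precautions, adopting the most cost-effective remaining one at each step. The stopping rule (stop once the best remaining option costs more than DISPROPORTION_FACTOR times, per unit of risk removed, what the first adopted precaution cost) and all of the names, costs and reduction fractions are constructed assumptions for the example, not figures from the page or from case law.

```python
"""Disproportionality as diminishing returns on stacked precautions.

Added example, not R2A's code. Each candidate precaution removes a fixed
fraction of the risk remaining when it is applied. The greedy selection rule
and the gross-disproportion multiplier below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed multiplier for "grossly disproportionate"; not a figure from the article.
DISPROPORTION_FACTOR = 10.0


@dataclass(frozen=True)
class Precaution:
    name: str
    reduction: float  # fraction of the risk remaining at application time that it removes
    cost: float       # effort required, in arbitrary constructed units


def cost_per_unit_risk(p: Precaution, remaining_risk: float) -> float:
    """Effort spent per unit of absolute risk removed if p is applied now.

    The same precaution gets more expensive per unit removed as the remaining
    risk shrinks, which is the diminishing-returns effect the article describes.
    """
    removed = remaining_risk * p.reduction
    return float("inf") if removed <= 0 else p.cost / removed


def select_precautions(
    initial_risk: float,
    candidates: List[Precaution],
    factor: float = DISPROPORTION_FACTOR,
) -> Tuple[List[str], float, List[str]]:
    """Adopt precautions in order of cost-effectiveness until the balance tips.

    Returns (adopted names in adoption order, residual risk, rejected names).
    """
    remaining = list(candidates)
    adopted: List[str] = []
    risk = initial_risk
    benchmark: Optional[float] = None  # ratio of the first (most effective) adoption

    while remaining:
        best = min(remaining, key=lambda p: cost_per_unit_risk(p, risk))
        ratio = cost_per_unit_risk(best, risk)
        if benchmark is not None and ratio > factor * benchmark:
            break  # the pain is no longer worth the gain: draw the line here
        if benchmark is None:
            benchmark = ratio
        adopted.append(best.name)
        risk *= (1.0 - best.reduction)
        remaining.remove(best)

    return adopted, risk, [p.name for p in remaining]


# Constructed candidate set; the risk is normalised to 1.0 before any precaution.
CANDIDATES = [
    Precaution("Machine guard", reduction=0.99, cost=50.0),
    Precaution("Warning signage", reduction=0.50, cost=10.0),
    Precaution("Extra training", reduction=0.50, cost=40.0),
]

if __name__ == "__main__":
    adopted, residual, rejected = select_precautions(1.0, CANDIDATES)
    print("adopted :", adopted)
    print("residual:", residual)
    print("rejected:", rejected)
```

With the constructed figures, signage is adopted first (cheapest per unit of risk removed), the guard second (still well inside the assumed multiple), and the training precaution is left out: after the first two it would address only 0.5% of the original risk, so its cost per unit removed is hundreds of times the benchmark. Raising the factor far enough adopts everything, which shows that the line itself is a judgement about the circumstances, exactly as the article says.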


Project Due Diligence vs Project Management

Risk management is a key element required in large infrastructure development projects. Organisations want a robust and transparent system that can be utilised during current and future development phases of a project to inform decision-making and guide levels of investment in various project investigations.

In setting up a risk management framework for a project it is essential that it takes account of all risks to the project, including technical, environmental, economic, stakeholder, political, delivery and ongoing operational considerations. This must be done in the context of the current operations.

The risk management framework and system must be set up so that the Organisation has confidence in the process and results, ownership of the outcomes and can maintain and utilise the system going forward.  It must be set up to ensure that the project is right the first time.

To ensure the project is successful in terms of both delivery and ultimate project performance, R2A has developed a project due diligence methodology.

This differs from the traditional project risk management approach.

Traditional project risk management isn’t always as successful as desired, especially in the eyes of government when it comes to delivering large projects. This is because it does not view the project from finish to start. It typically only refers to the management of project uncertainty during the construction phase (tendering to commissioning), as shown in the diagram below. This short-sightedness is the cause of many delays and budget / cost blowouts, as well as of not achieving the ultimate goals of the project.

Project due diligence refers to the consideration of risk over the entire project life cycle.  The due diligence aspect arises from confirming that the ultimate objectives (critical success factors) of the fully functioning outcomes are achieved for all stakeholders rather than just the delivery portion to the contract specification.

Project due diligence uses a combination of top down and bottom up risk techniques and generally involves two main tasks: a high level functional vulnerability assessment and associated risk profiling supported by specific detailed bottom up reviews.  The overall concept can be described by the following figure.  Sometimes an intermediate assessment is also required to deal with issues on a geographic or zonal basis, especially for infrastructure projects.

The benefits of the project due diligence approach are:

    1. The project critical success factors in terms of performance are identified and articulated by the Organisation for the long term. This ensures all risk work (current and future) is completed in the decision maker’s context.
    2. The project is able to focus on the credible critical threats to both project performance (the owner’s concerns) and project delivery (the contractor’s concerns).
    3. The Organisation has confidence that all potential project show stoppers have been identified and are being effectively managed.
    4. Project scoping and sub-project planning is optimised before tendering / detailed design.
    5. Value adding opportunities are identified during the planning stages.
    6. The project does not experience unexpected issues.
    7. The potential for continual blowouts in terms of cost and time is minimised.
    8. A succinct and manageable risk register is developed.

This ensures the organisation has confidence in the risk management process and results and will help to ensure that the project is right the first time.

For further information on how we can help your organisation with your project's due diligence using engineering methodologies, contact us on 1300 772 333 or fill in our contact form and we'll be in touch.

Engineering Implications of the Harmonised Safety Legislation

Questions & Answers

Reader response regarding Richard's article - 'Engineering Implications of the Harmonised Safety Legislation'

This is a response that Richard received following the publication of an article in Engineering Media. Read the article here.

Hi Richard

Safety assurance is one of the 3 key elements of technical integrity (the other elements being fitness-for-service and environmental compliance), and as such risk assessments are a fundamental and important part of our engineering activities.

Your recent article in the January 2012 edition of the Engineers Australia magazine was a very interesting read, and has generated numerous discussions amongst my engineering colleagues. Thus, I am seeking some clarification on a number of statements made in your article, as follows:

Reader question –

Your article suggests that the 5 x 5 risk assessments matrix approach developed under the AS/NZS 4360 or AS/NZS ISO 31000 are fundamentally flawed under the due diligence requirements of the new harmonised safety legislation.

I have a difficulty in accepting this argument in the way that we currently conduct our risk assessments utilising the ISO 31000 standard and a tailored 5 x 5 risk matrix, as follows:

  1. Hazards/risks are identified.
  2. Qualitative (and sometimes quantitative) criteria for likelihood and consequences (for safety, performance and environment) are defined against which a risk level (untreated) is determined from a 5 x 5 matrix (i.e. low, medium, high, extreme). Qualified Objective Quality Evidence (OQE), rather than subjective opinion normally supports this assessment.
  3. Subsequently, a risk mitigation activity is conducted in order to determine credible and precautionary risk mitigation strategies. The mitigation strategies are normally based on a Hierarchy of Controls (safety) approach to ensure that the level of effort (e.g. cost, schedule, resources, redesign, etc) is balanced and commensurate with the level of identified risk.
  4. Thus, risk mitigation (or treatment) strategies are developed and proposed for implementation, and a subsequent residual (i.e. treated) level of risk is determined. Mitigations can include, for example; redesign, restrictions, additional training, warning/cautions in technical documentation/manuals, etc. In addition, these risk assessments are actively managed and reviewed.
  5. The residual risk is then presented to the 'customer' (or executive authorities) for consideration for acceptance. Noting that the risk assessments we conduct are technical risk assessments, which are conducted by competent technical staff in consultation with relevant stakeholders (e.g. equipment users/operators, maintainers, trainers, etc).
  6. Acceptance of the technical risks is then considered by the relevant authority while balancing all other risks (e.g. operational, schedule, budget, etc).

Not sure I understand your arguments in the referenced EA article, thus I seek your clarification as to how the above process, which uses the 5 x 5 risk matrix based on AS/NZS ISO 31000, is considered flawed? Please clarify.

Richard's response –

Originally the 5 x 5 matrix approach was derived from US and UK military standards in the 70s. At that time it appears to have been used as a reporting tool for military personnel to explain by exception the issues of concern in the value system of their decision makers. More recently, and especially by accounting and management firms, it has been used as a corporate risk decision criteria tool, especially in the sense that once the dot made it to the green area, no further risk reduction was required. This never satisfied the common law.

You sound like you are using it more in the original military sense. As a reporting tool, its use has always been fine.

Reader question –

By risk criteria, do you mean 'the acceptance of risk criteria'?

Richard's response –

Yes. The notion of tolerable or target levels of risk.

Reader question –

Does acceptable risk criteria under the new laws actually mean 'so far as is reasonably practicable (SFARP)'?

If we can achieve SFARP, regardless of whether the residual risk is medium, high, etc, (i.e. provided the level of effort required to reduce the risk to SFARP is balanced and commensurate with the significance of the risk) then is due diligence not demonstrated?

Richard's response –

SFARP may mean this. I'm not a lawyer. I avoid the term (and ALARP for that matter), as the final test will be in court, post event, judged to the common law duty of care. So I use the High Court's understanding of that duty and how this court expects it to be demonstrated.

Reader question –

Do you believe that the SFARP principle of common sense precautionary approach on risk reduction replaces the doctrine of risk tolerability (such as ALARP principle) or complements the efforts already accomplished in managing the risk of 'actual harm'?

Richard's response –

Yes. The common law precautionary approach replaces the doctrine of tolerable or acceptable risk.

FYI - I have briefed the senior counsel for Defence in this whole matter (the OHS partner in Blake Dawson in Sydney) and he volunteered that the approach I mentioned in that article would demonstrate due diligence under the model act.
