Risk management is a key element required in large infrastructure development projects. Organisations want a robust and transparent system that can be utilised during current and future development phases of a project to inform decision-making and guide levels of investment in various project investigations.

In setting up a risk management framework for a project it is essential that it take account of all risks to Project including technical, environmental, economic, stakeholder, political delivery and on-going operational considerations.  This must be done in the context of the current operations.

The risk management framework and system must be set up so that the Organisation has confidence in the process and results, ownership of the outcomes and can maintain and utilise the system going forward.  It must be set up to ensure that the project is right the first time.

To ensure the project is successful in terms of both delivery and ultimate project performance, R2A has developed a project due diligence methodology.

This differs from the traditional project risk management approach.

Traditional project risk management isn’t always as successful as desired especially in the eyes of the government when it comes to delivering large projects.  This is because it does not view the project from finish to start.  It typically only refers to the management of project uncertainty during the construction phase (tendering to commissioning) as shown in the diagram below.  This short sightedness is the cause of many delays and budget / cost blowouts as well as not achieving the ultimate goals of the project.

Project due diligence refers to the consideration of risk over the entire project life cycle.  The due diligence aspect arises from confirming that the ultimate objectives (critical success factors) of the fully functioning outcomes are achieved for all stakeholders rather than just the delivery portion to the contract specification.

Project due diligence uses a combination of top down and bottom up risk techniques and generally involves two main tasks: a high level functional vulnerability assessment and associated risk profiling supported by specific detailed bottom up reviews.  The overall concept can be described by the following figure.  Sometimes an intermediate assessment is also required to deal with issues on a geographic or zonal basis, especially for infrastructure projects.

The benefits of the project due diligence approach are:

1. 1. The project critical success factors in terms of performance are identified and articulated by the Organisation long term.  This ensures all risk work (current and future) is completed in the decision maker’s context.
   2. The project is able to focus on the credible critical threats to both project performance (the owner’s concerns) and project delivery (the contractor’s concerns).
   3. The Organisation has a confidence that all potential project show stoppers have been identified and are being effectively managed.
   4. Project scoping and sub-project planning is optimised before tendering / detailed design.
   5. Value adding opportunities are identified during the planning stages.
   6. The project does not experience unexpected issues.

1. The potential for continual blowouts in terms of cost and time in minimised.
2. A succinct and manageable risk register is developed.

This ensures the organisation has confidence in the risk management process and results and will help to ensure that the project is right the first time.

For further information on we can help your organisation with your project's due diligence using engineering methodologies, contact us on 1300 772 333 or fill in our contact form and we'll be in touch.

With the paradigm shift occurring to precautionary risk assessment from hazard-based risk assessment, R2A have heard a number of discussions suggesting that if an organisation demonstrates ALARP (as low as reasonably practicable) then can also demonstrate due diligence.

R2A’s opinion is that this may not necessarily be the case. The concept of ALARP is in fact hazard focused, comparing risk (likelihood and consequence) to acceptable or tolerable target levels of risk and safety.  The use of such quantified risk assessment processes to satisfy target (tolerable or acceptable) risk criteria has never been able to satisfy post event common law scrutiny in Australia, which requires a demonstration of due diligence.

However, many industries that use the ALARP principle currently appear to be redefining its meaning by adding a number of caveats in what appears to be an attempt to close the due diligence loop and satisfy the courts after an event.  The shift from hazard based risk assessment to due diligence is shown in the diagram below.

Common law vs. target risk approaches to risk management

The notes in blue in the diagram describe the several difficulties associated with the target risk approach.

Firstly, hazard analysis and risk calculations are inherently unrepeatable.  Two independent risk experts assessing the same circumstances or situation never come up the same numerical answer (unless they use deliberately identical assumptions and processes in which case the assessment is not independent).  QRA risk calculations are always imperfect especially with regard to human failings and management systems.  Quoting Mark Tweeddale (2003):

“In the case of the process industry, most of the major disasters in recent years have resulted primarily from failures of management systems, which would not have been included in the quantitative assessment of risk, and not from random equipment failures such as are statistically assessable using data from data banks.  This is a most serious limitation...”

Secondly, risk criteria are subjective.  The old adage should probably be extended to; there are lies, damned lies, statistics and then there are target risk criteria.  Most risk criteria are based on statistical analyses.  The traditional way to determine them is to consider mortality statistics.  But they are just that, statistics.  The numbers change according to the exposed group selected.  For example, the lightning strike death rate of around 1 in 10 million (for the whole population) is often selected as the lower limit to risk scrutiny.  However, if the mortality figures for the group of people who play golf during lightning storms are considered, it will be much higher.  Which number ought to be used?

Further, the inconsistency in individual and societal risk criteria between states, especially Victoria and NSW dating from the mid-nineties is problematic.  The flexible choice of societal risk criteria for the land use planning criteria by NSW Department of Planning (DoP) for the Kurnell Peninsula QRA in the 2007 study is seriously problematic.

Thirdly, if the risk associated with a hazard is below acceptable or tolerable threshold, there is a tendency to say that nothing further needs to be done, which is always problematic with low frequency, high severity events.  This leads to the fourth concern, which the temptation is to implement a precaution that reaches the target threshold without formally considering the hierarchy of controls.

Therefore, it is my opinion that to demonstrate that ALARP is the same as due diligence is indeed complex and is prone to a tortuous, error prone path.

Thoughts on AS/NZS ISO 31000

In Australia, we are currently undergoing a paradigm shift in the way safety risk management is conducted. The new Work Health & Safety Act is replacing the old approach typified by the standard, AS/NZS ISO 31000.

We have heard conversation in the Engineering community that the move away from AS/NZS ISO 31000 doesn’t necessarily it present a better way forward and the standard can in fact demonstrate safety due diligence.  R2A does not share this view.

The key issue arises from the use of the notion of target (tolerable or acceptable) levels of risk.  The standard is quite specific in the definitions and process explanations:

2.24 risk evaluationprocess of comparing the results of risk analysis (2.21) with risk criteria (2.22) to determine whether the risk (2.1) and/or its magnitude is acceptable or tolerable

5.4.4 risk evaluationRisk evaluation involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered. Based on this comparison, the need for treatment can be considered.

The section on the treatment options is more careful.

5.5.2 Selection of risk treatment optionsSelecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the natural environment. Decisions should also take into account risks, which can warrant risk treatment that is not justifiable on economic grounds, e.g. severe (high negative consequence) but rare (low likelihood) risks.

The point of the new due diligence approach is to deal with the severe safety (high negative consequence) but rare events.  The standard seems to suggest that this is a supplementary risk management concern, not a primary focus.

Unfortunately by following the standard for safety risk management, businesses may in fact be heading towards a ‘beyond reasonable doubt’ proof of recklessness in the event of a serious injury or death, which potentially creates criminal liabilities for responsible officers under the provisions of the new WHS Act.

R2A has described on a number of occasions how the standard fails.  In particular, RES 2010 regarding the use of iso-risk contours for Major Hazards land use safety planning after the Buncefield incident, CORE 2010 regarding rock falls in rail cuttings and the Tunnel Conference in Lyon.

At R2A, we are excited by the paradigm change and believe it is a better way forward.  Please drop us a line if you have any questions.

Questions & Answers

Reader response regarding Richard's article - 'Engineering Implications of the Harmonised Safety Legislation'

This is a response that Richard received following the publication of an article in Engineering Media. Read the article here.

Hi Richard

Safety assurance is one of the 3 key elements of technical integrity (the other elements being fitness-for-service and environmental compliance), and as such risk assessments are a fundamental and important part of our engineering activities.

Your recent article in the January 2012 edition of the Engineers Australia magazine was a very interesting read, and has generated numerous discussions amongst my engineering colleagues. Thus, I am seeking some clarification on a number of statements made in your article, as follows:

Reader question –

Your article suggests that the 5 x 5 risk assessments matrix approach developed under the AS/NZS 4360 or AS/NZS ISO 31000 are fundamentally flawed under the due diligence requirements of the new harmonised safety legislation.

I have a difficulty in accepting this argument in the way that we currently conduct our risk assessments utilising the ISO 31000 standard and a tailored 5 x 5 risk matrix, as follows:

1. Hazards/risks are identified.
2. Qualitative (and sometimes quantitative) criteria for likelihood and consequences (for safety, performance and environment) are defined against which a risk level (untreated) is determined from a 5 x 5 matrix (i.e. low, medium, high, extreme). Qualified Objective Quality Evidence (OQE), rather than subjective opinion normally supports this assessment.
3. Subsequently, a risk mitigation activity is conducted in order to determine credible and precautionary risk mitigation strategies. The mitigation strategies are normally based on a Hierarchy of Controls (safety) approach to ensure that the level of effort (e.g. cost, schedule, resources, redesign, etc) is balanced and commensurate with the level of identified risk.
4. Thus, risk mitigation (or treatment) strategies are developed and proposed for implementation, and a subsequent residual (i.e. treated) level of risk is determined. Mitigations can include, for example; redesign, restrictions, additional training, warning/cautions in technical documentation/manuals, etc. In addition, these risk assessments are actively managed and reviewed.
5. The residual risk is then presented to the 'customer' (or executive authorities) for consideration for acceptance. Noting that the risk assessments we conduct are technical risk assessments, which are conducted by competent technical staff in consultation with relevant stakeholders (e.g. equipment users/operators, maintainers, trainers, etc).
6. Acceptance of the technical risks are then considered for acceptance by the relevant authority while balancing all other risks (e.g. operational, schedule, budget, etc).

Not sure I understand your arguments in the reference EA article, thus, seek your clarification as to how the above process which uses the 5 x 5 risk matrix based on AS/NZS ISO 31000 is considered flawed? Please clarify.

Richard response –

Originally the 5 x 5 matrix approach was derived from US and UK military standards in the 70s. At that time it appears to have been used as a reporting tool for military personnel to explain by exception the issues of concern in the value system of their decision makers. More recently, and especially by accounting and management firms, it has been used as a corporate risk decision criteria tool, especially in the sense that once the dot made it to the green area, no further risk reduction was required. This never satisfied the common law.

You sound like you are using it more in the original military sense. As a reporting tool, its use has always been fine.

Reader question –

By risk criteria, do you mean 'the acceptance of risk criteria'?

Richard response –

Yes. The notion of tolerable or target levels of risk.

Reader question –

Does acceptable risk criteria under the new laws actually mean 'so far as is reasonably practicable (SFARP)'?

If we can achieve SFARP, regardless of whether the residual risk is medium, high, etc, (i.e. provided the level of effort required to reduce the risk to SFARP is balanced and commensurate with the significance of the risk) then is due diligence not demonstrated?

Richard response –

SFARP may mean this. I'm not a lawyer. I avoid the term (and ALARP for that matter), as the final test will be in court, post event, judged to the common law duty of care. So I use the High Court's understanding of that duty and how this court expects it to be demonstrated.

Reader question –

Do you believe that the SFARP principle of common sense precautionary approach on risk reduction replaces the doctrine of risk tolerability (such as ALARP principle) or complements the efforts already accomplished in managing the risk of 'actual harm'?

Richard response –

Yes. The common law precautionary approach replaces the doctrine of tolerable or acceptable risk.

FYI - I have briefed the senior counsel for Defence in this whole matter (the OHS partner in Blake Dawson in Sydney) and he volunteered that the approach I mentioned in that article would demonstrate due diligence under the model act.