Managing Critical Risk Issues: Synthesising Liability Management with the Risk Management Standard

Gaye Francis

Topics: ALARP & SFAIRP, Critical Risk Issues, Risk Management

The importance of organisations managing critical risk issues has been highlighted recently with the opening hearings of the coronial inquest into the 2016 Dreamworld Thunder River Rapids ride tragedy that killed four people.

In a volatile world, boards and management fret that some critical risk issues are neither identified nor managed effectively, creating organisational disharmony and personal liabilities for senior decision makers.

The obligations of precaution-based WHS/OHS legislation conflict with the hazard-based Risk Management Standard (ISO 31000) that most corporates and governments in Australia mandate. This is creating very serious confusion, particularly in the understanding of economic regulators.

The table below summarises the two approaches.

Precaution-based Due Diligence (SFAIRP) | Hazard-based Risk Management (ALARP)
--------------------------------------- | ------------------------------------
Precaution focussed by testing all practicable precautions for reasonableness. | Hazard focussed by comparison to acceptable or tolerable target levels of risk.
Establish the context | Establish the context
Risk assessment (precaution based): identify credible, critical issues; identify precautionary options; risk-effort balance evaluation | Risk assessment (hazard based): (hazard) risk identification; (hazard) risk analysis; (hazard) risk evaluation
Risk action (treatment) | Risk treatment
Criticality driven. Normal interpretation of WHS (OHS) legislation & common law | Risk (likelihood and consequence) driven. Usual interpretation of AS/NZS ISO 31000[1]

A paradigm shift from hazard to precaution based risk assessment

Decision making using the hazard-based approach has never satisfied common law judicial scrutiny. The diagram below shows the difference between the two approaches. The left-hand side of the loop describes the legal approach, which results in risk being eliminated or minimised so far as is reasonably practicable (SFAIRP), as described in the model WHS legislation.

Its purpose is to demonstrate that all reasonably practicable precautions are in place, by first identifying all possible practicable precautions and then testing which of them are reasonable in the circumstances using relevant case law.

The level of risk resulting from this process might be as low as reasonably practicable (ALARP) but that’s not the test that’s applied by the courts after the event. The courts test for the level of precautions, not the level of risk. The SFAIRP concept embodies this outcome.

The target risk approach, shown on the right-hand side, attempts to demonstrate that an acceptable risk level associated with the hazard has been achieved, often described as "as low as reasonably practicable" or ALARP. But there are major difficulties with each step of this approach, as noted in blue in the diagram.


[Diagram: Risk Management to Due Diligence]

However, there is a way forward that usefully synthesises the two approaches, thereby retaining the existing ISO 31000 reporting structure whilst ensuring a defensible decision making process.

[Diagram: Defensible Decision Making]

Essentially, high consequence, low likelihood risk decisions are based on due diligence (for example, SFAIRP, ROI, not trading whilst insolvent and the precautionary principle, consistent with the decisions of the High Court of Australia), whilst risk reporting is done via the Risk Management Standard using risk levels, heat maps and the like. This also resolves the tension between the concepts of 'risk appetite' (very useful for commercial decisions) and 'zero harm' (meaning no appetite for inadvertent deaths).

In practice, the approach threads the work completed (often in silos) by field and project staff into a consolidated framework for boards and executive management.

[1] From the definition in AS/NZS ISO 31000, 2.24 risk evaluation: "process of comparing the results of risk analysis (2.21) with risk criteria (2.22) to determine whether the risk (2.1) and/or its magnitude is acceptable or tolerable."