

3.2. Risk Management - A General Framework

The literature shows clear disagreement on definitions and scope of risk management.

Lindhe et al. (2009) define risk management in the context of decision making, starting with the question of whether the current risk is acceptable or not. As a next step, they compared several risk mitigation options within a decision analysis framework to find the best solution (Lindhe et al., 2011). Tartakovsky (2013) relates risk management to the task of finding the best decision, either through optimization or by decision analysis. Furthermore, the author includes aspects of communicating risk and uncertainty to all participants involved in the risk assessment. Risk communication and reporting are often unintentionally ignored, especially within the scientific environmental modeling community, although they are part of the risk management process. The objective of risk communication is to transparently convey information to all participants of the risk assessment process, such as local authorities, the public and others.

In order to resolve these disagreements, national and international standards should be considered. By definition of the ISO (2009), risk management is more than merely taking a decision and communicating risk. Risk management actually involves all steps starting from risk analysis and risk assessment to the mitigation of risk and monitoring the system to ensure that risk is controlled (see Fig. 3.2). Nevertheless, most authors (e.g., Lindhe et al., 2011; Tartakovsky, 2013) relate risk management only to the additional working steps directly following the risk assessment. This point of view seems to be established and accepted community-wide. There exist several standards, which explain in detail the concept of risk management, such as DVGW (2009); ISO (2009) and the Australian Management Standard (AS/NZS 4360:2004, 2004). All these concepts share basic principles, although using a different risk terminology.

Thus, it makes good sense to adopt an even more global view, taken from management in general. One management framework that features the basic idea of risk management or any other management and decision process is the PDCA (Plan - Do - Check - Act) cycle.

The PDCA cycle consists of four phases:

(1) In the "Plan" phase, one has to identify the target and objectives of the risk assessment study and identify all potential hazards that may alter the defined goals. Furthermore, acceptable outcome levels are determined.

(2) The "Do" phase includes the collection of all available information and data through monitoring or other means. With the available information, the outcome is estimated.

(3) The results are compared to the predefined acceptable outcome levels ("Check") to define whether they are acceptable or not.

(4) The last phase adjusts the results to the point of acceptance through means of risk reduction methods ("Act"), if necessary.

The PDCA management framework is continuous and helps to constantly improve the processes in a system, e.g., supply safety (DVGW, 2009). This is very close to risk management, which also aims to be a continuously developing process to improve the system state. Thus, risk management also incorporates the four presented phases, only naming and structuring the workflow differently.

A modified risk management framework according to ISO is illustrated in Fig. 3.2 and compared to the PDCA cycle. The ISO risk management framework is very detailed, thus being an excellent role model for this thesis. The individual steps are explained next.


[Figure labels: Risk Objectives (scope of risk analysis); Risk Identification (risk source description); Risk Estimation (pathways, severity unit); Risk Evaluation (risk acceptance, ranking); Risk Opportunities (alternatives, risk mitigation); Risk Treatment (decision on opportunities); Risk Reporting and Communication; Monitoring (risk control, surveillance); Risk Analysis; Risk Assessment; Risk Management.]

Figure 3.1.: Risk management framework modified after ISO (2009), compared to the PDCA cycle.

Risk Objective: The goal of this step is to define the objectives and targets of the risk assessment study. It includes the definition of the scenario to be analyzed. The following questions should be addressed: Which object is at risk? What is the unit to measure risk in, by which risk measure, and which risk level is acceptable and which one is not?

Also, the type of risk assessment study is defined. This is either human-health or environmental risk assessment, following European Commission (2003) or US EPA (1989) standards. Nevertheless, the risk assessment objective could also be of technical or economical nature, such as quantitative supply safety with a minimal water production down-time or supply with cost-minimal effort. Depending on the risk objective, the relevant risk estimation criteria and suitable risk models are chosen, respectively.

Risk identification: The risk identification phase includes, among others, the hazard identification, i.e., the collection of all potential risk sources in the system that might lead to a positive or negative effect on the target objective. In addition, all possible exposure routes from the risk source to the receptor are identified and reported. This challenges risk managers to know their system, including all relevant processes, in depth. There exist several hazard identification tools that help risk managers to identify all relevant hazards, such as using expert knowledge, performing a Delphi study or brainstorming of participants and experts. During the risk identification process, potential risk mitigation options may come up, which should be marked down as early as possible for later use. All information gathered to this point should be systematically documented. This documentation is often done with the help of hazard databases, e.g., using GIS systems.

Risk estimation: Risk has an upside and downside element because the impact at the target can be positive or negative. Although being aware of upside risk, research communities commonly consider only downside risk. The estimation of risk is either measured by a monitoring network or calculated by qualitative or quantitative risk estimation methodologies. Most scientific work in risk assessment has been done for improved risk estimation, developing new tools and concepts to represent reality best and thus render the decision basis closer to reality.

Risk evaluation: The resulting risk is denoted as acceptable, as low as reasonably practicable (ALARP), or as unacceptable. Assigning risk levels to the categorized impact and probability is by definition part of the risk evaluation process. This distinction is clear in qualitative risk assessment, as risk categories are assigned as a last step to the risk matrix (see explanation in Section 3.5.2). In quantitative risk estimation, risk evaluation is commonly only related to judging the risk estimate against pre-defined threshold levels, goals (see risk objective) or national standards, and evaluating whether the residual risk is acceptable or not. Risk acceptance depends on risk aversion (see risk treatment) and denotes the treatment of residual risk. In case risk is not acceptable, risk managers perform a hazard prioritization that depends on the hazard severity.

Risk opportunities: While risk evaluation focuses on the prioritization of risk sources according to their impact and probability at the receptor, the risk opportunities step focuses on the prioritization of mitigation measures in order to reduce the unacceptable risk the best way. The prioritization of risk mitigation options is based on the effectiveness of the reduction options to achieve the risk objectives defined in the first step. The decision by risk managers, which option to take (see risk treatment), can either be supported through optimization algorithms or by the concept of decision analysis.

According to the ISO (2009), the establishment of risk opportunities is part of the risk evaluation process. The two steps are separated in this thesis, as determining the best possible risk mitigation measures is an additional step to hazard prioritization, and the two can be performed independently of each other. Risk evaluation, risk opportunities and risk estimation are closely related, but each receives a precise work description in this thesis.

Please note that the individual step risk opportunity is not a separate working step in the ISO (2009) definition, but belongs to risk evaluation.

Risk treatment: According to the mitigation ranking and personal preferences, risk managers decide and implement one or more risk mitigation measures. Risk treatment is often denoted as the process of making and implementing a decision about the mitigation measure. As indicated before (see risk evaluation), the decision depends on the risk behavior or culture. There are three types of risk personalities or cultures:

Risk aversion leads to a decision, where the mitigation option is least uncertain but confident in its expected risk reduction, although it may be inferior to the other alternatives in the statistical average.

Risk neutrality leads to a decision based solely on the expected risk reduction, weighting the effectiveness in reducing risk and the uncertainty in the reduction potential the same.

Risk sympathy leads to a decision with highest risk reduction potential, although being uncertain.
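The three risk attitudes can be made concrete with a small ranking routine. The following is an added example, not part of the thesis: the option names, the sample values and the scoring rule (mean plus or minus one standard deviation) are assumptions chosen for illustration.

```python
from statistics import mean, pstdev

# Constructed sample data (not from the thesis): simulated risk reduction in
# percent for three hypothetical mitigation options, e.g. from model runs.
OPTIONS = {
    "A_barrier":    [28, 30, 31, 29, 32, 30, 29, 31],  # narrow spread
    "B_treatment":  [10, 55, 20, 60, 15, 50, 45, 25],  # best average
    "C_relocation": [0, 5, 90, 2, 95, 3, 1, 4],        # rare large gains
}

# Assumed weighting of uncertainty per risk attitude (illustrative choice):
# score = mean + weight * standard deviation.
ATTITUDE_WEIGHT = {"averse": -1.0, "neutral": 0.0, "sympathetic": +1.0}


def score(samples, attitude):
    """Score one option: expected reduction adjusted by its uncertainty."""
    return mean(samples) + ATTITUDE_WEIGHT[attitude] * pstdev(samples)


def rank_options(options, attitude):
    """Return option names ordered from most to least preferred."""
    if attitude not in ATTITUDE_WEIGHT:
        raise ValueError(f"unknown risk attitude: {attitude!r}")
    for name, samples in options.items():
        if len(samples) < 2:
            raise ValueError(f"{name}: need at least two samples")
    return sorted(options, key=lambda n: score(options[n], attitude),
                  reverse=True)


def choose(options, attitude):
    """Return the option the given risk attitude would implement."""
    return rank_options(options, attitude)[0]


if __name__ == "__main__":
    for attitude in ATTITUDE_WEIGHT:
        ranking = rank_options(OPTIONS, attitude)
        print(f"{attitude:12s} -> {ranking[0]}  (full ranking: {ranking})")
```

With this data the risk-averse choice has a lower average reduction than the risk-neutral one, which is the trade-off described above.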

Monitoring: In order to know that risk mitigation measures were successfully implemented or that risk is below the pre-defined acceptable risk level (see risk objective), the system and all relevant processes or parameters are monitored. This step is continuous, as stakeholders should always know and re-confirm that all hazards and their impact at the receptor are under control (e.g., Davison et al., 2005).

Risk communication: In order to transparently reflect decisions and increase public awareness and confidence, risk communication should not be regarded as a separate process, but as being an integral part of risk assessment and management. It involves all interest groups and needs constant documentation of all findings.

Kaplan and Garrick (1981) summarize these steps by defining risk management as achieving an appropriate balance between realizing opportunities for gains while minimizing losses.

Risk management is a continuous process, being constantly updated with new and most current information.

3.3. Risk Assessment and Management in the Field of