Risk communication

What is risk communication

Risk communication is a specialised branch within the communication framework. It stems from the conflict between experts and lay people. Unlike crisis communication, risk communication has a long-term preventive perspective and aims to make organisations more resilient to future risks/crises. This could involve some form of communication about unwanted events or future losses, internally as well as externally in the organisation.

Internal/external communication

Internal: 

A) Can be communicated vertically and horizontally.
B) Can be communicated from employees upwards and from management downwards.
C) Affects the culture in the organisation. In relation to the impact on the existing culture, consider the following: Suitable for the message “top-down” communication. Few and simple messages. Examine the effect of the message. Consider involving employees before the campaign runs. Clarify employees’ perception of the case before

External: 

1 – Reassure or warn.
2 – Dialogue is important – A risk should never stand alone.
3 – It’s not always enough to comply with the requirements of the law, especially not with the influence of the media, including social media.

Pros and cons of involving stakeholders:  

Pros 

  1. Larger and more nuanced basis for risk assessment.
  2. Increased confidence.
  3. Greater acceptance of the final result.

Cons

  1. Time consuming.
  2. Can be cumbersome  

Different types of risk communication

Care communication

Care Communication is about how your organisation should handle risks which are backed by scientific research and generally accepted by the public. This type of communication should be performed before an event occurs. 

Consensus communication

This is a type of risk communication where you inform and encourage groups to work together to reach a decision on how risk should be managed (usually whether to prevent or mitigate).

Here is an example of when internal communication should occur between departments in an organisation. 

  1. A crane accident at a construction site leads to management writing a recommendation to 3 different departments: Health and safety, HR and Operations.
  2. Management writes as follows: These crane accidents WILL have to be avoided in the future! Please find or make an action plan as to how we can eliminate these problems and have it ready by the end of the month!
  3. And it continues from here…  

Crisis communication

This is a communication method related to external events that occur suddenly. Typical events would be earthquakes, outbreaks/pandemics or other severe influences from nature.


Risk governance

What is risk governance

Risk governance is not so much a tool as it is a way of handling risk in general. It is a systematic process to identify, rate, control and economically assess risk in an organisation. By making a risk profile for the organisation it is possible to achieve effective risk governance. Risk profiling is the act of establishing what acceptable risk is to the organisation, whether risk is evaluated in terms of money, reputation or damage. A risk profile should be made in advance of risk governance. Like all other risk tools, it serves as a cost-saving as well as a time-saving mechanism if done correctly.

It involves five phases/elements: Risk identification, risk description, risk evaluation/assessment, risk strategy & risk reporting.

Risk identification

– What we know from previous encounters. This is where the organisation will look at what has happened to them before or try to identify risks that they have not encountered yet. It is usually performed either by being proactive or reactive. 

  1. The proactive method is where you try to imagine the risks you are vulnerable to, by analysing risk factors and performing a likelihood evaluation.
  2. The reactive method is where you analyse previously encountered risk scenarios and register them according to organisation-specific variables. By looking at previous events and evaluating them, you learn over time how to manage these risks so they are not as likely.

Using both these methods will probably yield the best result. But it can be hard to successfully imagine risk, so we recommend at least being reactive, and then, when there are enough registered events (hopefully not), trying to imagine what else can happen. It is also a good idea to hold brainstorming sessions at regular intervals with engineers, risk managers and financial managers to at least try and see if there are any future risk scenarios you should be aware of. This process can be done with the previously described risk tools: Brainstorming and Scenario risk analysis.

Risk description

– This is the phase where you establish a common view of risks. 

  1. Here you should establish what you, as an organisation, see as risks, to create common ground for how a risk is perceived and experienced.
  2. This is important to do, because if the organisation doesn’t have a common risk perception then it’s hard to learn from a previous event. There will always be someone who sees a risk that someone else doesn’t see.

Risk evaluation/assessment

– This is the phase where the risk is evaluated/assessed.

  1. Risk is evaluated and rated according to the organisation’s risk profile to determine which risks are acceptable and which are not.
  2. This is also the phase where the organisation would re-evaluate their risk profile if necessary. In the risk evaluation/assessment phase you evaluate risk according to: Likelihood & Consequence.
  3. This should result in a vulnerability analysis which is a ranking of one’s vulnerabilities.

Risk strategy

– How should the organisation handle risks? 

  1. In this phase a strategy for risk management is chosen based on the previous evaluation of the organisation’s vulnerabilities. This can be done with a Risk Matrix where you place risks in their respective “fields” in the matrix (green, yellow, red) according to their likelihood and consequence. Then you make a plan for handling those risks, starting with the red ones or the ones that are most likely and have the highest consequence.
  2. This is where some risks are either accepted or deemed unacceptable. If a risk is deemed unacceptable, then a plan should be implemented to remove that risk or at least lower its likelihood and/or consequence.
  3. Ideally every risk is removed, but that is not realistic. The goal here should be to lower every risk as much as possible while still being able to run your company. That is why evaluation is important. In some areas of operation some risks are acceptable even though they are rated as catastrophic, e.g. in nuclear power plants. The risk of a meltdown is accepted, but the risk is managed by safety procedures and other mitigative barriers.

Risk reporting

– documentation/evaluation. 

  1. The last phase in this risk governance “tool”. This is where you report your findings to the corporation, and an evaluation is made on the whole thing. 

Why is it a good idea to do risk governance? 

First of all, it is nice to know how likely your organisation is to be “hit” by a specific risk, because then you can manage it! Secondly, it saves the organisation a lot of money, both in terms of equipment and in terms of reputation. You gain branding opportunities by being able to say what a safe company you are. You lessen the fear of accidents among workers and therefore maintain a human gain, instead of having workers who are scared of coming to work.


Sources

  1. IRGC is a good place to start. Their explanation can be found here.
  2. Another IRGC article about the framework for risk governance can be found here.
  3. CIO Wiki is also a good place to get an overview. See it here.
  4. ScienceDirect is another great place to look. This is aimed at the IT sector. https://www.sciencedirect.com/topics/computer-science/risk-governance.

SWOT analysis

What is a SWOT analysis

Most, if not all, project managers know what a SWOT analysis is. If not, they are probably not doing their best job of being a PM. SWOT is an acronym for Strengths, Weaknesses, Opportunities and Threats. With a SWOT analysis you analyse your organisation both internally and externally. We usually set this up in a handy two-by-two table. One axis has the labels “Helpful” and “Harmful”, while the other has the labels “External Origin” and “Internal Origin”.

Example of a SWOT table

How to Conduct a SWOT Analysis

First, assemble your dream team. Then, take a look at the internal factors that affect your business or project. Do you have an exceptionally dedicated team? Do you lack the finances to achieve the success you’re looking for? These internal factors, positive and negative, will become your business’s strengths and weaknesses.

Next, examine the external factors that affect your business. Is there a need for your product in the market? Are there competing businesses that offer a better product? These positive factors are your opportunities while the negative ones are your threats. 

Examine every possible factor and don’t be afraid to poll your employees. They may see factors you don’t. 

As a risk tool

In order to determine risk factors with a SWOT analysis you kind of use it the same way. First figure out the internals: What strengths do you have? Is it a great safety policy or a great risk manager? What are your weaknesses? Does the company policy disappoint in the safety department? Are some employees not following SOPs or other safety regulations? What is helpful and what is harmful to your project and the workers?

The external factors are then not directly related to opportunities or threats. But you can still analyse external factors based on whether they are helpful or harmful.

As with the above examples: use your employees! They are the ones doing the bulk of the work, so listen to their expertise. They may surprise you with their knowledge.


Sources 

  1. Wikipedia is a great place to start: https://en.wikipedia.org/wiki/SWOT_analysis. 
  2. This page is also a great source: https://www.wordstream.com/blog/ws/2017/12/20/swot-analysis

Bow-Tie Diagram

What is a bow-tie analysis? 

A bow-tie diagram is a qualitative visual risk analysis tool that can be used to communicate and analyse risk scenarios. To use the bow-tie, you first start with visually analysing plausible incident scenarios that could exist around a certain hazard. Second, the bow-tie represents what an organisation does to control those scenarios by identifying safety barriers. Barriers are then divided into two groups: Prevention and Mitigation. Preventive barriers are placed on the left of the top event and Mitigation barriers on the right.

How do we use a Bow-Tie Diagram? 

In the bow-tie diagram you have a hazard, which creates the top event. On the left side of the diagram, the threats are placed. Threats are those events that “can” happen. How do we prevent them? The answer is barriers. Barriers have the function of preventing, controlling and mitigating threats or consequences. So far we have talked about what could happen and how to prevent it. But what if it happens, and the barriers do not prevent the threat? If you look at the diagram, you will see consequences on the right side. Consequences are those events that happen if the selected barriers are not durable.

All the different bow-tie specific elements are described in detail below, followed by a diagram as an example: 

Hazard – The ‘hazard’ is an operation, activity or material with the potential to cause harm. Hazards are part of normal business and are often unavoidable. Some may even be necessary to run an operation (e.g., flammable gas). Some examples of hazards are toxic materials (e.g. paints and solvents), high pressure gases (e.g. oxygen, propane, acetylene) and radioactive materials (e.g. NORM).

The “top event” – The top event is the moment when control over the hazard or its containment is lost, releasing its harmful potential. It represents the turning point in the risk analysis, separating prevention from mitigation. This is visually represented in the bow tie diagram by the central ‘knot’ — hence the bow tie analogy. Even though it is undesirable for the top event to occur, there may still be time for barriers to act to stop or limit the consequences. The term top event derives from another type of risk analysis called fault tree analysis, which has similarities with the left side of the bow tie model.

Consequences (bow-tie) – Consequences are unwanted outcomes that could result from the top event and lead to damage or harm. Consequences can be described in terms of safety, environment, asset / property damage, and reputational losses, although the scope of the analysis will determine this. A single top event usually has multiple consequences although typically only the most significant consequences (in terms of quantifiable loss) are included in the analysis.

Threats – Threats are potential reasons for loss of control of the hazard leading to the top event. For each top event there are normally multiple threats placed on the left side of the diagram. Threats have some of the same characteristics as both hazards and barrier failures (e.g. having the potential to cause harm) but they are defined separately in the context of bow tie analysis.

Barriers – Barriers are physical or non-physical measures to prevent or mitigate unwanted events. They are the ‘meat on the bones’ of the Bow Tie diagram. Barriers are so-called because each has the capability on its own to interrupt a sequence of events. 
A barrier is placed on the bow tie diagram where it delivers its function or effect; either prevention (threat side) or mitigation (consequence side). Prevention barriers prevent the top event from occurring. Mitigation barriers are employed after the top event has occurred to help prevent or reduce losses and to regain control once it has been lost. 

Degradation factors – The degradation factor is a condition that can reduce the effectiveness of the barrier to which it is attached. A degradation factor does not directly cause a top event or consequence, but since it degrades a barrier on a main pathway, the likelihood of reaching undesired consequences will be higher. A degradation factor can apply to barriers on either side of the bow tie diagram. Degradation factors are sometimes referred to as escalation factors. One example is lack of or poor training, which makes people unable to activate barriers correctly.

Degradation controls – Degradation controls do not directly prevent or mitigate the sequence of events, as that is the role of the main pathway barriers. Degradation controls provide greater confidence that the barrier will do its job effectively. Degradation controls are frequently human and organisational factors concerned with the management of risk and barrier assurance (e.g. competence, scheduled maintenance).

Below is an example of a simple bow-tie diagram. In the sources there is a link to the specific software used to make this bow-tie.

An example of a very simple bow-tie diagram.
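The bow-tie elements described above can also be kept as data and checked for gaps. The following is an added example, not part of the original page or of the bow-tie software it mentions; the class names, the `review` function and the sample diagram (loosely based on the ammonia scenario used elsewhere on this page) are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class DegradationFactor:
    name: str
    controls: list = field(default_factory=list)  # degradation controls


@dataclass
class Barrier:
    name: str
    degradation: list = field(default_factory=list)

    def weakened(self):
        """A barrier is weakened if any degradation factor lacks a control."""
        return any(not f.controls for f in self.degradation)


@dataclass
class Pathway:
    """A threat (left side) or a consequence (right side) and its barriers."""
    name: str
    barriers: list = field(default_factory=list)


@dataclass
class BowTie:
    hazard: str
    top_event: str
    threats: list       # prevention side, left of the top event
    consequences: list  # mitigation side, right of the top event


def review(bowtie):
    """Return (side, pathway, finding) tuples for gaps in the diagram."""
    findings = []
    sides = (("prevention", bowtie.threats), ("mitigation", bowtie.consequences))
    for side, pathways in sides:
        for path in pathways:
            if not path.barriers:
                findings.append((side, path.name, "no barrier on this pathway"))
                continue
            for barrier in path.barriers:
                for factor in barrier.degradation:
                    if not factor.controls:
                        findings.append((
                            side, path.name,
                            f"'{barrier.name}' degraded by '{factor.name}', no control"))
            if all(b.weakened() for b in path.barriers):
                findings.append((side, path.name, "every barrier is weakened"))
    return findings


# Constructed sample diagram (illustrative values, not from the page).
AMMONIA = BowTie(
    hazard="Liquefied ammonia in a storage container",
    top_event="Loss of containment (leak)",
    threats=[
        Pathway("Valve wears out", [
            Barrier("Valve inspection and replacement",
                    [DegradationFactor("Inspections skipped")])]),
        Pathway("Container overfilled", [
            Barrier("Level alarm",
                    [DegradationFactor("Sensor out of calibration",
                                       ["Scheduled maintenance"])])]),
        Pathway("Container struck by vehicle"),
    ],
    consequences=[
        Pathway("Employees inhale ammonia", [
            Barrier("PPE (masks, chemical suits)",
                    [DegradationFactor("Lack of/poor training",
                                       ["Competence training and drills"])]),
            Barrier("Evacuation of the area")]),
        Pathway("Ammonia reaches nearby homes", [
            Barrier("Emergency services close the leak")]),
    ],
)

if __name__ == "__main__":
    print(f"Hazard: {AMMONIA.hazard} / top event: {AMMONIA.top_event}")
    for side, pathway, finding in review(AMMONIA):
        print(f"[{side}] {pathway}: {finding}")
```
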

Sources

  1. CGE Risk, the wikipedia for risk management, has a great article explaining, in great detail, the bow-tie method. Check it out here.
  2. The software can be found here.

Capacity assessment

What is a capacity assessment

A capacity analysis is, as the name implies, an analysis of one’s capacities. Specifically, one’s capacity to handle risk and “disasters”. A capacity analysis is usually made up of two elements: before an accident and after an accident, or preventive and reactive. It is a holistic view of your company’s risk prevention and disaster reaction plans/policies.

Preventive: the measures one has to possibly prevent a disaster. These could be company policies, safety regulations, PPE for workers, etc.

Reactive: the measures one has to react to an accident. These could be fire extinguishers, contingency plans, local deals with other companies (an example will be given later), etc.

A capacity analysis should be based on the Scenario risk analysis and Risk Matrices your company has previously made. That makes it possible to decide more precisely where capacity is lacking and where there is a need for better risk management.

How to use it

There is no “right” way to make a capacity analysis. It is something you have to figure out in your organisation. Do you have the capacity to handle the risks you face during everyday operation? How do you get that? Sometimes just asking the right questions can have a huge impact! 

Some of those questions might be: 

What does the law say? – Are you required by law to have specific risk management procedures?

What does the company policy say? – Does the company have any policies on the area of risk management? If not, go back and look at the law where the company is located. Now, should they have policies on risk management?

Does your company offer education to workers on how to handle an accident? – First aid, fire training, SOPs etc.

Do you perform drills with your employees?

Are you equipped with tools to help you react faster to an accident? – Fire alarms, smoke alarms, sprinklers etc.

Tips and tricks: 

  1. If possible, make a deal with other companies to help out in case you face disaster/catastrophe. 
    • Say your crane falls over, then a predetermined deal might save you valuable time and a lot of money. An example of this (almost): the Danish highway police have a deal with different companies who do vehicle removal. So, in very little time they can have an accident on the road cleaned up. Where it used to sometimes take hours, now they can be on their way in 20-30 minutes (depending on the accident of course).
  2. Put everything in a chart/diagram and write down details.  
  3. Debrief your employees after an accident and make sure your employees have access to psychological help. 

Sources:  

  1. The Danish Emergency Management Agency (DEMA) has a rather long and detailed document describing capacity assessment. It is unfortunately only in Danish… See it here
  2. Working on international source… 

The wonderful risk matrix

What is a Risk Matrix, and how do we use it?

A Risk Matrix is a tool used to rate a risk according to likelihood and consequence/impact. Your organisation has to identify what the specific impact means to them and when a risk is likely to happen. This tool is used in association with a Scenario Analysis, and usually you make two different Risk Matrices: one before mitigative measures and one after mitigative measures.

A likelihood scale will most times look like this: 1) Highly unlikely, 2) Unlikely, 3) Possible, 4) Likely and 5) Very likely. With this likelihood scale your organisation must define, according to your operational standards, what each step means. It is often measured and defined by the frequency with which an accident or emergency occurs, but it can also be defined by chance or quantitatively by percentages, e.g. probability.

A Consequence/Impact scale is very similar to the likelihood scale, except it is measured in impact. Impact in this case, once again, has to be defined by the individual organisation. Some of the impact or consequence descriptors could be: People, Information, Reputation, Economic etc. Each descriptor then has 5 different levels of severity as given in the example below. But you can, and should, of course define your own according to the specific risk scenario.

An example will be given:

An example of a risk matrix created for travel safety – before any mitigative measures.

The risk matrix is divided into the colours RED, YELLOW and GREEN, which depict the level of seriousness the threat poses. A red risk is clearly bad and should never be allowed to remain. A yellow risk is a bit more nuanced; this can be divided into top yellow, middle yellow and bottom yellow.

— The top part of the yellow area (consequence 4) needs a more detailed assessment of other factors, such as people and their skills. Have they worked on this type of project before? Are there any new guys? Then conditions such as weather. Are there optimal conditions to perform these tasks? If not, then maybe you should wait. Try doing a more detailed Scenario Analysis at this point, maybe do multiple, with different factors turned up or down.

— The middle part of the yellow (consequence 3) is not as serious but still needs assessments. These are still serious threats to whatever descriptor you decide to put there, and therefore still need significant work in order to be reduced.

— The bottom part of the yellow (consequence 1 & 2) is somewhat safe to have further along in the project, but beware of the high likelihood! The consequence of these risks is rated as fairly low and therefore they don’t necessarily need significant work.

All of this is to say that: RED boxes are very bad and should be handled immediately! But YELLOW boxes are also bad and should in most cases be where the bulk of the mitigative measures are placed. But they can, with the right assessments, be acceptable. GREEN should be the main goal for every risk scenario, but that is often not a realistic accomplishment. And again, beware of top green.
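The rating and ordering described above can be written down as a small risk register that is rated twice, before and after mitigative measures. This is an added example, not part of the original page: the colour boundaries (a likelihood × consequence score), the treatment of consequence 5 as top yellow, the flag for green cells with consequence 4 or above, and every entry in the sample register are assumptions made for illustration.

```python
# Likelihood scale as listed on the page.
LIKELIHOOD = {1: "Highly unlikely", 2: "Unlikely", 3: "Possible",
              4: "Likely", 5: "Very likely"}

# ASSUMPTION: the page's matrix image is not available, so these colour
# boundaries on the score (likelihood x consequence) are illustrative only.
RED_FROM = 15     # score >= 15 is red
GREEN_UP_TO = 4   # score <= 4 is green

# Handling order: red first, then yellow from top to bottom, then green.
ORDER = [("red", None), ("yellow", "top"), ("yellow", "middle"),
         ("yellow", "bottom"), ("green", "top"), ("green", None)]


def classify(likelihood, consequence):
    """Return (colour, band) for one cell of the 5x5 matrix."""
    for name, value in (("likelihood", likelihood), ("consequence", consequence)):
        if value not in LIKELIHOOD:  # both scales run from 1 to 5
            raise ValueError(f"{name} must be 1..5, got {value!r}")
    score = likelihood * consequence
    if score >= RED_FROM:
        return ("red", None)
    if score <= GREEN_UP_TO:
        # "Beware of top green": ASSUMED to mean rare but severe cells.
        return ("green", "top" if consequence >= 4 else None)
    if consequence >= 4:   # page: top yellow is consequence 4 (5 is assumed)
        return ("yellow", "top")
    if consequence == 3:   # page: middle yellow is consequence 3
        return ("yellow", "middle")
    return ("yellow", "bottom")  # page: consequence 1 and 2


def prioritise(register):
    """Sort scenarios by their 'before' rating: worst colour and band first."""
    def key(entry):
        name, before, _after = entry
        return (ORDER.index(classify(*before)), -(before[0] * before[1]), name)
    return sorted(register, key=key)


def compare(register):
    """Rate every scenario before and after mitigative measures."""
    rows = []
    for name, before, after in prioritise(register):
        after_cell = classify(*after)
        rows.append({"scenario": name,
                     "before": classify(*before),
                     "after": after_cell,
                     "still_needs_work": after_cell[0] != "green"})
    return rows


# Constructed register: (scenario, (likelihood, consequence) before, after).
REGISTER = [
    ("Minor tool damage", (2, 2), (2, 1)),
    ("Ammonia container leak", (2, 4), (1, 4)),
    ("Slips and trips on site", (5, 1), (3, 1)),
    ("Crane falls over", (3, 5), (2, 5)),
    ("Vehicle collision on site", (3, 3), (2, 3)),
]

if __name__ == "__main__":
    for row in compare(REGISTER):
        print(row)
```
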


Sources

  1. Risk manager Julian Talbot has a great article about using a risk matrix.
  2. He also has an article stating what is right with Risk Matrices.
  3. The Danish Emergency Management Agency also did some great work on risk matrices in their Handbook for Risk Based Dimensioning in Danish municipalities (Danish only!).
  4. Furthermore CGE Risk has a great Wiki-like page on Risk Matrices.

Scenario risk analysis

What is a Scenario Analysis? 

A Scenario Analysis is a tool used to identify possible risks. Usually, this tool is used following a brainstorm where all possible risks are identified. After the most relevant or most commonly known risks are identified, a Scenario Analysis will be performed. A Scenario Analysis is then followed by or used in combination with a risk matrix so that the identified and analysed risk can be “rated” according to whatever the organization defines as their impact and likelihood descriptors.

How to use it 

There is no definitive way to use this tool. You can think of your own way to use it or you can follow some general practices which are as follows: 
— Define the Threat. 
— When does the threat occur?
— What are the meteorological conditions when the threat occurs? 
— What is the object of the threat (worker(s), tool(s), heavy equipment, etc…). 
— Describe the situation in as much detail as possible.
— Then make an educated guess as to what the likelihood and consequence/impact of this scenario is.

An example of a Scenario Analysis is given here: 
In this scenario an ammonia container is leaking due to poor maintenance and the immediate threat is to employees in the facility and people in homes around the facility.  

Scenario: Ammonia container leaks ammonia. 
Time of day: 09.47, Thursday October 10.
Meteorological conditions: Wind blowing 3 m/sec from SSW
Object of threat: People/workers in nearby facilities or homes
Situation: Due to poor maintenance the ammonia container has a broken or bad valve and is therefore leaking. Liquefied ammonia exits the container at 60 litres every minute or 1 litre a second (Imperial Units: 16 gallons a minute). Employees are instructed to leave the area or use PPE such as masks and chemical suits. The emergency services are to be contacted so they can come in and close the leak and clean up.
Scenario analysis: Likelihood and Consequence

Likelihood: Given the nature of the company, rules from the government and safe workplace installations, this scenario is rated as unlikely.

Consequence: Is high given the chemical properties of ammonia, which is very dangerous to breathe. Ammonia evaporates at –33 degrees Celsius and is deadly at a concentration of 5000 ppm in air.
ATT: This scenario is based on Danish geography, rules and regulations, and may therefore differ from other countries in terms of safety measures and rules regarding storage and handling of dangerous chemicals. 

All these factors are, of course, dependent on your organization’s main area of operations. The level of detail in these scenarios is essential to good threat/risk mitigation. The more you know about the operating procedures, the greater the detail in which you can describe the scenario, and then it is easier to define the risks and threats and therefore to mitigate them in some way.
With the example as it is right now, there are no definitions or descriptions of what unlikely is or what high consequence is. This is usually where a risk matrix would be implemented, at the end of the first scenario analysis, where no mitigation measures have been implemented yet.


Sources

  1. The Danish Emergency Management Agency has a great explanation of this method in their publication (Danish only): Håndbogen for risikobaseret dimensionering.
  2. We are working on an international source…

Brainstorming risk

What it is 

A brainstorm is just a “gathering of ideas” from everyone who participates in the brainstorming session. Usually a theme, or a direction, is chosen and from that theme/direction everyone generates ideas. A simple exercise to perform but difficult to be effective at. 

How it can be used as a risk tool 

How do we use Brainstorming as a risk identification tool then? Simply by gathering up different people from a project, preferably the same project, and then putting them in the same room. A spokesperson or similar (project manager, risk manager etc.) will set the theme or direction of the exercise. Then it is simply a matter of hearing each other’s ideas and then discussing them based on the different perspectives each person has from their specific field of expertise.

This exercise relies heavily on listening and not being a “no person”.