R2A was recently commissioned to complete a desktop risk documentation review in the context of the CBA Prudential Inquiry of 2018. The review has provided a framework for boards across all sectors to consider the strength of their risk culture. This has been bolstered by the revelations from The Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.
Specifically, R2A was asked to provide commentary on the following:
Organisations with a mature risk culture have a good understanding of risk processes and interactions. In psychologist James Reason's terms, these organisations tend towards a generative risk culture, as shown in James Reason's table of safety risk culture below.
| Pathological culture | Bureaucratic culture | Generative culture |
| --- | --- | --- |
Key attributes include:
Risk frameworks and characterisation systems such as the popular 5x5 risk matrix (heat map) approach are good reporting tools to present information and should be used to support the risk management feedback process. Organisations should specifically avoid using 'heat maps' as a decision-making tool, as that is inconsistent with fiduciary, safety and environmental legislative requirements.
Risk Appetite Statements for commercial organisations have become very fashionable. The statement addresses the key risk areas for the business and usually considers both the possibility of risk and reward. However, for some elements such as compliance (zero tolerance) and safety (zero harm), risk appetite may be less appropriate as the consequences of failure are so high that there is simply no appetite for it. For this reason, R2A prefers the term risk position statements rather than risk appetite statements.
To get a feel for the risk culture within an organisation, R2A suggests conducting generative interviews with recognised organisational 'good' players rather than conducting an audit.
We consider generative interviews to be a top-down enquiry and judgement of unique organisations rather than a bottom-up audit for deficiencies and castigation of variations for like organisations. R2A believes that the objective is to delve sufficiently until evidence to sustain a judgement is transparently available to those who are concerned. (Enquiries should be positive and indicate future directions whereas audits are usually negative and suggest what ought not to be done).
Individuals have different levels of responsibility in any organisation. For example, some are firmly grounded with direct responsibility for service to members. Others work at the community interface, with responsibilities that extend deep into the organisation as well as high into the community. We understand that the idea is that a team interviews recognised 'good players' at each level of the organisation. If a commonality of problems and, more particularly, of solutions is identified consistently from individuals at all levels, then adopting such solutions would be fast, reliable and very, very desirable.
Other positive feedback loops may be created too. The process should be stimulating, educational and constructive. Good ideas from other parts of the organisation ought to be explained and views as to the desirability of implementation in other places sought.
Reason, J., 1997. Managing the Risks of Organisational Accidents. Aldershot, Hants, England: Ashgate Publishing Limited. Page 38.
The importance of organisations managing critical risk issues has been highlighted recently with the opening hearings of the coronial inquest into the 2016 Dreamworld Thunder River Rapids ride tragedy that killed four people.
In a volatile world, boards and management fret that some critical risk issues are neither identified nor managed effectively, creating organisational disharmony and personal liabilities for senior decision makers.
The obligations of WHS/OHS precaution-based legislation conflict with the hazard-based Risk Management Standard (ISO 31000) that most corporates and governments in Australia mandate. This is creating very serious confusion, particularly in the understanding of economic regulators.
The table below summarises the two approaches.
| Precaution-based Due Diligence (SFAIRP) | ≠ | Hazard-based Risk Management (ALARP) |
| --- | --- | --- |
| Precaution focussed by testing all practicable precautions for reasonableness. | | Hazard focussed by comparison to acceptable or tolerable target levels of risk. |
| Establish the context. Risk assessment (precaution based): identify credible, critical issues; identify precautionary options; risk-effort balance evaluation. Risk action (treatment). | | Establish the context. Risk assessment (hazard based): (hazard) risk identification; (hazard) risk analysis; (hazard) risk evaluation. |
| Criticality driven. Normal interpretation of WHS (OHS) legislation and common law. | | Risk (likelihood and consequence) driven. Usual interpretation of AS/NZS ISO 31000. |
A paradigm shift from hazard to precaution based risk assessment
Decision making using the hazard-based approach has never satisfied common law judicial scrutiny. The diagram below shows the difference between the two approaches. The left-hand side of the loop describes the legal approach, which results in risk being eliminated or minimised so far as is reasonably practicable (SFAIRP), as described in the model WHS legislation.
Its purpose is to demonstrate that all reasonably practicable precautions are in place, by first identifying all possible practicable precautions and then testing which are reasonable in the circumstances using relevant case law.
The level of risk resulting from this process might be as low as reasonably practicable (ALARP), but that is not the test applied by the courts after the event. The courts test for the level of precautions, not the level of risk. The SFAIRP concept embodies this outcome.
The target risk approach, shown on the right-hand side, attempts to demonstrate that an acceptable risk level associated with the hazard has been achieved, often described as 'as low as reasonably practicable' or ALARP. But there are major difficulties with each step of this approach, as noted in blue.
SFAIRP v ALARP
However, there is a way forward that usefully synthesises the two approaches, thereby retaining the existing ISO 31000 reporting structure whilst ensuring a defensible decision making process.
Essentially, high consequence, low likelihood risk decisions are based on due diligence (for example, SFAIRP, ROI, not trading whilst insolvent and the precautionary principle, consistent with the decisions of the High Court of Australia), whilst risk reporting is done via the Risk Management Standard using risk levels, heat maps and the like. This also resolves the tension between the concepts of 'risk appetite' (very useful for commercial decisions) and 'zero harm' (meaning no appetite for inadvertent deaths).
In short, the approach threads the work completed (often in silos) by field and project staff into a consolidated framework for boards and executive management.
From the definition in AS/NZS ISO 31000, 2.24 risk evaluation: process of comparing the results of risk analysis (2.21) with risk criteria (2.22) to determine whether the risk (2.1) and/or its magnitude is acceptable or tolerable.