*Company Name*

Quality System Procedures

LOGO
Risk Assessment and Management
Doc No: ##-QSP-05 Issue No: 00 Rev No.: 00 Rev Date:

Risk Assessment and Management

Job Title Prepared By Reviewed By Approved By

Name

Signature

Date

Page | 1
 *Company Name*
Quality System Procedures
LOGO
Risk Assessment and Management
Doc No: ##-QSP-05 Issue No: 00 Rev No.: 00 Rev Date:

Revision History

Revision
Reason and description of the
No. / Issue Review Date Changed Clause
change
No.

Page | 2
 *Company Name*
Quality System Procedures
LOGO
Risk Assessment and Management
Doc No: ##-QSP-05 Issue No: 00 Rev No.: 00 Rev Date:

1. Purpose

This procedure defines the techniques, tools & their application that are used to manage
and control the events that could have a negative impact on delivery and quality of product.
It’s the document for managing and controlling all related risks. This procedure address:

1. Risk Identification
2. Risk Assessment
3. Risk Mitigation
4. Risk Contingency Planning

2. Scope

Risk Management is incorporated to the Quality management system of *Company Name*,

associated with conforming to service and service related product for the Petroleum and
Natural Gas Industry. This Procedure details the process to identify, evaluate and control
risk throughout the organization.

3. Responsibility

Management Representative

Concern Department Engineer/Manager

4. Abbreviation

MOC - Management of Change

RPN - Risk Priority Number

5. Process
5.1 Risk

Page | 3
 *Company Name*
Quality System Procedures
LOGO
Risk Assessment and Management
Doc No: ##-QSP-05 Issue No: 00 Rev No.: 00 Rev Date:

Risk has defined as combination of expected likelihood (occurrence) and consequence

(Impact / Severity) of specific types of events, threats and attacks on the company. It is in
terms of human capital (competent personnel), assets (Facility / equipment / machines /
plants), Supply chain (supplier performance / Material availability / delivery of non-
conforming product), and economic resources to cause a measurable degree of loss.

5.2 Focus

This document envisages identification of risks for each product segment and location,
together with the impact that these may have on the business objectives. It also provides a
mechanism for categorization of risks into Low, Medium and High based on severity of
risks. The procedure shall address risks which can have potential impact on the product
delivery and product Quality. Whilst all risks shall be identified, in the first instance, it is
proposed to address effectively, the evaluation and containment of only High-level risks
(significant risk) in the first phase.

5.3 Risk Strategy

Based on the risk appetite level determined and reviewed from time to time, *Company
Name* shall formulate its Risk Management Strategy. The strategy will broadly entail
choosing among the various options for risk mitigation for each identified risk. The risk
mitigation can be planned by using the following key strategies:

5.3.1 Tolerate

The exposure may be tolerable without any further action being taken. Even if it is not
tolerable, ability to do anything about some risks may be limited, or the cost of taking any
action may be disproportionate to the potential benefit gained.

5.3.2 Transfer

Page | 4
 *Company Name*
Quality System Procedures
LOGO
Risk Assessment and Management
Doc No: ##-QSP-05 Issue No: 00 Rev No.: 00 Rev Date:

For some risks the best response may be to transfer them. This might be done by
conventional insurance or by paying a third party to take the risk. This option is particularly
good for mitigating financial risks or risks to assets. The transfer of risks may be considered
to either reduce the exposure of the organization or because some other organization is
more capable of effectively managing the risk.

5.3.3 Treat

By far, many risks will be addressed in this way. The purpose of treatment is that whilst
continuing with the activity giving rise to the risk, action (internal control) is taken to
constrain the risk to an acceptable level.

5.3.4 Terminate

Some risks can only be treatable, or containable to acceptable levels, by terminating the
activity itself. This option can be particularly important in project management if it becomes
clear that the projected cost-benefit relationship is in risk, as the cost of treating the risk
does not make the activity viable. For example, land acquisition for a project whose
feasibility is based on that particular land may be risky and the cost of treating it in terms of
legal fees is so high, that it may be better to terminate the project.

6. Procedure & Methodology

The procedure shall have following four steps:

1. Risk Identification
2. Analysis, Categorization & Prioritization of identified risks using risk assessments
3. Develop contingency plans & Implement Solutions
4. Reporting

Page | 5
 *Company Name*
Quality System Procedures
LOGO
Risk Assessment and Management
Doc No: ##-QSP-05 Issue No: 00 Rev No.: 00 Rev Date:

6.1 Risk Identification:

This step involves identification of risk or comprehensive list of events that could have an
adverse impact on the product delivery and product Quality. *Company Name* identify and
quantify risks associated with product delivery and quality which includes:

6.1.1 Facility / equipment availability and maintenance

The facility has the complete manufacturing and testing facility to make the products as per
customer requirements. Each of the equipment is backed up by preventive maintenance
plan and pre planned set of spares to take care of any eventuality. Complete assessment
is done for equipment capability at the enquiry stage itself and full preventive plan is
prepared and executed before the execution of any critical order.

6.1.2 Supplier performance and material availability / supply

Documented procedures are implemented for the selection, evaluation, approval, and re-
evaluation of suppliers for various items. Critical spares are directly taken from original
equipment manufacturer. Some of the critical items are Steel plates, Welding consumables
and key spare of critical machinery / equipment’s.

All the critical items identified for the organization of respective departments shall be
identified. The list along with spares availability should be available in concern department.
If minimum number of required spares (critical items) is not available, it is the responsibility
of concern department engineer to communicate this to respective heads. After due
approval Purchase Request shall be done for the items and made readily available for use.

6.1.3 Delivery of non-conforming product

*Company Name* has implemented QMS as per various standards (API Q1 & ISO 9001)
which take care that pipes produced and dispatched are as per client’s requirements.

Page | 6
 *Company Name*
Quality System Procedures
LOGO
Risk Assessment and Management
Doc No: ##-QSP-05 Issue No: 00 Rev No.: 00 Rev Date:

Client’s requirements are well understood and transferred to quality document called
Inspection & Test Plan; which is prepared for every order and at the same time it is backed
by client so that all differences are resolved, and we are on the same page with client.

6.1.4 Availability of competent personnel

*Company Name* always put on the job people who are competent to carry out the job to
the client’s requirement. Necessary competency is imparted through on job training,
internal and external training and qualifying the personnel to client’s requirement. Role
specific Job descriptions are also prepared for competency evaluation and training need
identification.

6.2 Risk Analysis & Prioritization

6.2.1 Impact on Product Quality & Product Delivery (Severity)

The severity (impact on product quality & product delivery) shall be identified as follows:

Category Description score

Low Severity shall be low if the cause of risk has been eliminated 1
High Severity shall be High for all existing potential causes 5

Additional suggestive parameters may be used to categorize the risk on the above
scale and thereafter assess the consequence of the risk.

 Impact of fatality or irreversible disability / impairment to human life

 Impact on the Company’s reputation due to negative publicity in the media, local &
national communities, as well as litigation including public interest litigation
 Knowledge drain due to attrition of key employees.
 Impact on the environment
 Severe compliance issues

Page | 7
 *Company Name*
Quality System Procedures
LOGO
Risk Assessment and Management
Doc No: ##-QSP-05 Issue No: 00 Rev No.: 00 Rev Date:

 Damage to IT systems
 Security / Discipline issues.

6.2.2 Probability / Likelihood of Occurrence

In addition to the identification of the risk and prioritization, the likelihood of occurrence
shall be calculated. Assessment of the likelihood of occurrence is proposed along with
the following scales:

Category Description score

Almost Impossible Incident could happen rarely. 1
Very Unlikely Incident could happen once in a year. 2
Possible Incident could happen once in a month 3
Probable Incident could happen once in a week 4
Certain Incident could happen almost daily 5

6.2.3 Probability / Likelihood of Detection

To identify the risk priority number (RPN), the likelihood of detection shall be calculated.
Assessment of the likelihood of detection is proposed according to the following scales;

Category Description score

Very High No chance of failure, Failure can be detected at every instance 1
High Fully automated detection methods 2
Moderate Semi- Automatic detection methods 3
Low Manual controls 4
Very Low No detection controls are in place 5

Page | 8
 *Company Name*
Quality System Procedures
LOGO
Risk Assessment and Management
Doc No: ##-QSP-05 Issue No: 00 Rev No.: 00 Rev Date:

6.2.4 Risk Severity Level

The severity level of risk shall be ascertained as a multiple of the severity X Likelihood
of occurrence X Likelihood of Detection. This level shall be identified as a risk priority
number (RPN)

Risk Priority
Risk
Implication Number
Category
(Risk Rating)
Risks of this level shall be accepted with existing controls /
Non-
Mitigation plan and managed through normal Monitoring and
Significant ≤ 75
control. Actions shall be proposed and managed by the
Risk
respective functional Heads (Risk Owners) to minimize the risk.

Significant risks shall be identified, and contingency plan shall

be developed. Contingency plan shall consist of information
Significant such as action plan or mitigation plan against significant risk,
> 75
Risk authorized personnel including identification & assignment of
responsibilities and authorities, required external and internal
communication controls.

7. Techniques and tools and their application for risk identification, assessment, and
mitigation
7.1 Brainstorming
7.1.1 Overview

Brainstorming involves stimulating and encouraging free-flowing conversation amongst

a group of knowledgeable people to identify potential failure modes and associated
hazards, risks, criteria for decisions and/or options for treatment.

Page | 9
 *Company Name*
Quality System Procedures
LOGO
Risk Assessment and Management
Doc No: ##-QSP-05 Issue No: 00 Rev No.: 00 Rev Date:

7.1.2 Use

Brainstorming can be used in conjunction with other risk assessment methods

described below or may stand alone as a technique to encourage imaginative thinking
at any stage of the risk management process and any stage of the life cycle of a system.

7.1.3 Inputs

A team of people of each department.

Process

Brainstorming may be formal or informal. Formal brainstorming is more structured with

participants prepared in advance and the session has a defined purpose and outcome
with a means of evaluating ideas put forward. Informal brainstorming is less structured
and often more ad-hoc.

In a formal process:

 The facilitator prepares thinking prompts and triggers appropriate to the context
prior to the session;
 Objectives of the session are defined and rules explained;
The facilitator starts off a train of thought and everyone explores ideas identifying as
many risks as possible. There is no discussion at this point about whether things should
or should not be in a list or what is meant by particular statements because this tends
to inhibit free-flowing thought. All input is accepted and none is criticized and the group
moves on quickly to allow ideas to trigger lateral thinking;

Outputs

Outputs depend on the stage of the risk management process at which it is applied, for
example at the identification stage, outputs will be a list of risks and current controls.

Page | 10
 *Company Name*
Quality System Procedures
LOGO
Risk Assessment and Management
Doc No: ##-QSP-05 Issue No: 00 Rev No.: 00 Rev Date:

Strengths and limitations

Strengths of brainstorming include:

 it encourages imagination which helps identify new risks and novel solutions;
 it involves key stakeholders and hence aids communication overall;
 It is relatively quick and easy to set up.

Limitations include:

 Participants may lack the skill and knowledge to be effective contributors;

 Since it is relatively unstructured, it is difficult to demonstrate that the process
has been comprehensive, e.g. that all potential risks have been identified;

8. Document / Record Reference

Record Retention
S. No. Name of the Record Responsibility
Number Period

1
2
3
4
5

Page | 11