Contents of ISO Documents
ISO 31000:2009 Risk Management – International Standard
IEC 31010 Risk Management – Risk Assessment Techniques
ISO 31000:2009 - SCOPE
To provide principles and generic guidelines on risk management
It can be used by any public, private or community enterprise, association, group or individual
It can be applied throughout the life of an organisation, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets
It can be applied to any type of risk, whatever its nature, whether having positive or negative consequences
It is not intended to promote uniformity of risk management across organisations
To harmonize risk management processes in existing and future standards
ISO 31000 is not intended for the purpose of certification
ISO 31000:2009 - USERS
ISO 31000:2009 is intended to meet the needs of a wide range of stakeholders including:
[Figure: ISO 31000:2009 principles, framework and process]
Principles – risk management:
a) Creates value
b) Integral part of organizational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organization
Framework:
Mandate and Commitment (4.2)
Design of framework (4.3)
Implementing risk management (4.4)
Monitoring and review of the Framework (4.5)
Continual improvement of the Framework (4.6)
Process:
Communication and consultation (5.2)
Establishing the context (5.3)
Risk assessment (5.4): Risk identification (5.4.2), Risk analysis (5.4.3), Risk evaluation (5.4.4)
Risk treatment (5.5)
Monitoring and review (5.6)
ISO 31000:2009 Relationship between the Principles, Framework and Process
Principles (Clause 3)
Risk management should:
1. Create value
2. Be an integral part of organisational processes
3. Be part of decision making
4. Explicitly address uncertainty
5. Be systematic and structured
6. Be based on the best available information
7. Be tailored
8. Take into account human factors
9. Be transparent and inclusive
10. Be dynamic, iterative and responsive to change
11. Be capable of continual improvement and enhancement
[Figure: ISO 31000 Relationship between the components of the framework for managing risk – Mandate and commitment (4.2)]
ISO 31000: MANDATE and COMMITMENT
The Management Should:
Articulate and endorse the risk management policy
Ensure that the necessary resources are allocated to risk management
Communicate the benefits of risk management to all stakeholders
Define risk management performance indicators that align with organizational performance
Ensure legal and regulatory compliance
Ensure alignment of risk management objectives with the objectives and strategies of the organization
ISO 31000: FRAMEWORK DESIGN FOR MANAGING RISK
Risk Management Framework Elements:
1. Understand the organization and its environment
2. Risk Management policy
3. Integration into organizational processes
4. Accountability
5. Resources
6. Establishing internal communication and reporting mechanisms
7. Establishing external communication and reporting mechanisms
RISK FRAMEWORK ELEMENTS
[Figure: ISO 31000 Risk Management Process – Communication and Consultation (5.2), Risk analysis (5.4.3), Monitoring and Review (5.6)]
Risk Management Process (Clause 5)
Should be an integral part of management, be embedded in culture and practices and tailored to the business processes of the organization.
Includes five activities: communication and consultation; establishing the context; risk assessment; risk treatment; and monitoring and review.
Reporting
• Reporting is incidental to good Risk
Management, not the sole focus of it!
• If you only focus on reporting, you will not
motivate the required culture change
• Advanced Governance Codes (e.g. ASX, LSX)
require two sets of reports:
– The maturity and performance of the RM
framework
– The risk profile and how/why it has changed
IEC 31010 RISK ASSESSMENT TECHNIQUES
1. Brainstorming
2. Structured or Semi-structured Interviews
3. Delphi Technique
4. Check-lists
5. Preliminary Hazard Analysis
6. HAZOP
7. HACCP
8. Toxicological Risk Assessment
9. Structured What If (SWIFT)
10. Scenario Analysis
11. Business Impact Analysis (BIA)
12. Root Cause Analysis (RCA)
13. Failure Modes and Effects Analysis (FMEA)
14. Fault Tree Analysis (FTA)
15. Event Tree Analysis (ETA)
16. Cause-consequence Analysis
17. Cause-and-effect Analysis
18. Layers of Protection Analysis
19. Decision Tree Analysis
20. Human Reliability Assessment (HRA)
21. Bow Tie Analysis
22. Reliability Centred Maintenance
23. Sneak Analysis
24. Markov Analysis
25. Monte Carlo Simulation
26. Bayesian Statistics and Bayes Nets
27. FN Curves
28. Risk Indices
29. Consequence/Likelihood Matrix
30. Cost Benefit Analysis
31. Multi-Criteria Decision Analysis
ISO Guide 73 - Scope
Provides a basic vocabulary of the definitions of generic terms related to risk management
Terms included in Guide 73, in alphabetical order
• COMMUNICATION & CONSULTATION
• CONSEQUENCE
• CONTROL
• ESTABLISHING THE CONTEXT
• EVENT
• EXPOSURE
• EXTERNAL CONTEXT
• FREQUENCY
• HAZARD
• INTERNAL CONTEXT
• LEVEL OF RISK
• LIKELIHOOD
• MONITORING
• PROBABILITY
• RESIDUAL RISK
• RESILIENCE
• REVIEW
• RISK
• RISK ACCEPTANCE
• RISK AGGREGATION
• RISK ANALYSIS
• RISK APPETITE
• RISK ASSESSMENT
• RISK ATTITUDE
• RISK AVERSION
• RISK AVOIDANCE
• RISK CRITERIA
• RISK EVALUATION
• RISK FINANCING
• RISK IDENTIFICATION
• RISK MANAGEMENT
• RISK MANAGEMENT AUDIT
• RISK MANAGEMENT FRAMEWORK
• RISK MANAGEMENT PLAN
• RISK MANAGEMENT POLICY
• RISK MANAGEMENT PROCESS
• RISK MATRIX
• RISK OWNER
• RISK PERCEPTION
• RISK PROFILE
• RISK REGISTER
• RISK REPORTING
• RISK RETENTION
• RISK SHARING
• RISK SOURCE
• RISK TOLERANCE
• RISK TREATMENT
• STAKEHOLDER
• VULNERABILITY
ISO 31000
Reducing the Risk in Risk Management
Avoids organisations re-inventing the wheel
Allows all to benefit from proven best practice
Provides a universal benchmark
Reduces barriers to trade
Advises exactly what you need to do and how you need to do it – no wasted effort and no false starts
Scalable – works for all sizes of organisation
Risk management = Making optimal decisions in the face of uncertainty
ISO 31000:2009 compared with ERM (COSO II)
The Leading Edge
ISO 31000:2009
• ISO 31000 fully complies with COSO ERM
• ISO 31000 is more practical
• Easy to apply (less than 30 pages)
• Applicable to organisations in all industries, large or small
• More clearly written and terms are explicitly defined
• Wider acceptance as reference for risk management in existing and future standards
• No need to redesign existing management system to apply
• Applies to all levels of organisation for any type of risk, both positive and negative consequences
ERM (COSO II)
• COSO ERM does not comply with ISO 31000
• COSO is very theoretical
• Very complicated (over 200 pages)
• Better suited for large financial organisations
• COSO is not easy to understand
• Limited acceptance, mainly in the US within the financial industry
• Major system modification is required to comply with COSO
• Focus on negative risk at corporate level, often very confusing when applied at operational level
Why 31000?
ISO 31000:2009 is a natural successor to AS/NZS 4360:2004
Hopefully it will influence a revision of COSO
It fits ‘ERM’ requirements, but also allows silo/project risk management
Following ISO 31000 will provide a low cost, high chance of success approach to ERM
ISO 31000 adds value and reduces risk in risk management
ISO 31000 provides generic guidance on how to embed risk management, and reinforce the concept of “positive” risk
Managing risk is about creating value out of uncertainty
2. RISK AND RISK MANAGEMENT
What is Risk?
Minimum Records:
A source of risk (hazard) | An event (including when and where) | A cause (how and why) | An outcome (consequence)
Virus H1N1 | Pandemic | Employees contact virus | Operations Interruption
Describing Risk – Poor Example
Finance | Interest rate | Rate rise more than 2% in a year | Decrease in profit | Inflationary pressures | Extent of loans
DO NOT CONFUSE TYPES OF RISK
Distinguish between:
Direct Risk – Consequence of an event
Indirect Risk (Control Failure) – Likelihood of occurrence
Risk taking is positive, not implicitly negative.
We take risks not to avoid harm, but to achieve benefits and gains.
Taking controlled, informed risks is a sensible and everyday essential part of life.
The higher the risk the higher the reward.
Risk Management as defined by ISO 31000:2009
“COORDINATED ACTIVITIES TO DIRECT AND CONTROL AN ORGANISATION WITH REGARD TO RISK”
[Figure: risk management cycle – Communicate & Consult and Monitor & Review surround the steps 1. Strategic context, 2. Identify Threats, 3. Analyze, 4. Assess, 5. Assess/…, 7. Manage the Risk, applied to Activities, Processes, Opportunities and Risks]
Managing Risk
We all manage risk consciously or unconsciously – but rarely systematically.
Managing risk involves both threats and opportunities.
Managing risk requires rigorous thinking.
Managing risk means forward thinking.
Managing risk requires accountability and authority for decision making.
Managing risk requires communication.
Evolution of Risk Management
The Past – Risk Management as Compliance:
Identify problems
Rank them
Demonstrate every risk has a control (usually a standard procedure)
Monitor controls
The Present – Risk Management to Prioritise Problems:
Identify problems
Rank them
Check if level of risk above target level (qualitative)
Implement improved controls starting from highest risks
Monitor implementation
The Future – Risk Management as Business Optimisation:
Identify potential problems and opportunities
Understand causes and factors which affect likelihood and consequence
Optimise treatment considering: effectiveness of current and proposed controls; causal factors; costs and benefits of treating the risk; costs and benefits of taking the risk
Treat according to risk appetite
Monitor and feedback
THE THREE KEY PROCESSES
[Figure: Communication and Consultation – Risk assessment (Risk identification, Risk analysis, Risk evaluation) – Risk treatment – Monitoring and Review]
3.1 ESTABLISH THE CONTEXT
Define the objectives, scope and environment
THE SIX STEPS TO ESTABLISH THE CONTEXT
1. Identify the Organisation and/or Function Objectives
2. Identify the Internal and External Environment
3. Identify and Analyse Relevant Stakeholders
4. Specify the Main Scope of the Risk Management Activities
5. Identify Criteria for Risks (criteria for measuring risk and the acceptable level of risk)
6. Define Key Elements for Structuring the Risk Assessment Process
EXTERNAL CONTEXT - EXAMPLES OF SOURCES OF RISK
Economic: Market growth, economic cycle, shares & interest rates, capital movement, regional stability, credit availability & costs, exchange rates
WHAT NEEDS TO BE IDENTIFIED?
Generate a comprehensive list of risks, based on those events that may enhance, prevent, degrade or delay the achievement of the objectives (including risks associated with not pursuing an opportunity)
Disease | An outbreak of Bird Flu epidemic | People contact with affected chicken | Many people die
Top 10 Emerging Risks – The Heat Map
(January 2010 Survey Results by the Risk Integration Strategy Council, USA)
THE RISK IDENTIFICATION PROCESS
Establish Risk Identification Team – Knowledge, Commitment and Ownership; Brainstorm Workshop
Identify Key Business/Function Elements – Relevant Business Issues; Business/Function Life Cycle
Identify Events/Risks that might Impact the Objectives
Evaluate the Existing Controls that Mitigate the Risks – Controls that are Already in Place; Effectiveness of the Existing Controls
NEED TO SEPARATE RISK FROM CONTROL FAILURE
The level of risks cannot be compared against control failures
TRUE RISKS – HAZARD AND/OR SOURCE BASED:
Bird flu might enter country (event)
• People die
• Closing the chicken industry in the country
• Other businesses close due to staff absent
MANAGEMENT SYSTEM FAILURE:
• Insufficient research staff in labs doing analysis
STRATEGIC RISK IDENTIFICATION
Strategic risk is concerned with where the organisation wants to go, how it plans to get there, and how it can ensure survival. Strategic risks are generally identified through interviews with managers and other stakeholders. A structured brainstorming may be conducted to cover key issues as follows:
KEY ISSUES | CONSIDERATION
Objectives | How might they not be achieved?
Resources and assets to achieve objectives | How might they fail or be lost?
Critical functions | How might they be harmed?
RISK (EVALUATION) CRITERIA
ALARP (As Low as Reasonably Practicable)
Generally Intolerable Region – Risk reduction measures are essential whatever their cost
Tolerable Region (Risk is undertaken only if a benefit is desired) – Residual risk tolerable only if further risk reduction is impractical
Broadly Acceptable Region – Risk reduction not likely to be required (but the remaining risk must still be watched)
Negligible Risk
ISO 31000: RISK APPETITE
Risk Appetite: Amount and type of risk an organisation is prepared to pursue or take
Some level of risk is desirable
Risk appetite is not necessarily measured in financial terms
[Figure: asset exposure versus customer exposures chart]
Likelihood \ Consequences | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5)
A (5) Almost Certain | H | H | E | E | E
B (4) Likely | M | H | H | E | E
C (3) Moderate | L | M | H | E | E
D (2) Unlikely | L | L | M | H | E
E (1) Rare | L | L | M | H | H
3.6 RISK TREATMENT
1. Avoid the risk by deciding not to start or continue with the activity that gives rise to the risk
2. Take or increase the risk in order to pursue an opportunity
3. Remove the risk source
4. Change the likelihood
5. Change the consequences
6. Share the risk with another party or parties (including contracts and risk financing)
7. Retain the risk by informed decision
Risk treatment strategy plan
[Figure: treatment quadrant – Avoid Risks: High Likelihood, High Consequences]
RISK CHANGE/REDUCTION
ADVERSE RISKS CAN BE REDUCED EITHER BY REDUCING THE LIKELIHOOD OF LOSS OR BY REDUCING THE SEVERITY OF THE EFFECTS. CONTROLS TO REDUCE NEGATIVE RISKS INCLUDE PREVENTION, PROTECTION AND DETECTION
RETAINED RISK
RISK THAT REMAINS AFTER CONTROL OR TRANSFER/SHARE IS THE “RESIDUAL RISK”
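The likelihood/consequence matrix, the treatment options that change likelihood or consequences, and the residual-risk definition above fit together as a scoring procedure. The following is an added example, not code from the slides or from any standard: it encodes the matrix exactly as printed (likelihood codes A to E, consequence levels 1 to 5, ratings L/M/H/E, which this example reads as Low/Medium/High/Extreme), applies controls that step likelihood or consequence down, and reports inherent and residual ratings. The register entries and the effect attributed to each control are constructed sample values, not figures from the page.

```python
"""Added example: score a small risk register with the slide's likelihood/
consequence matrix, apply treatments, and report residual risk.
Sample risks and control effects are constructed for illustration."""

from dataclasses import dataclass, field

# Likelihood codes from the slide, ordered from Rare (E, 1) to Almost Certain (A, 5).
LIKELIHOOD_CODES = ["E", "D", "C", "B", "A"]
LIKELIHOOD_NAMES = {"A": "Almost Certain", "B": "Likely", "C": "Moderate",
                    "D": "Unlikely", "E": "Rare"}
# Consequence levels 1..5 as named on the slide.
CONSEQUENCE_NAMES = {1: "Insignificant", 2: "Minor", 3: "Moderate",
                     4: "Major", 5: "Catastrophic"}

# The matrix as printed: one row per likelihood code, one character per
# consequence level 1..5. L/M/H/E read here as Low/Medium/High/Extreme (assumption).
MATRIX = {
    "A": "HHEEE",
    "B": "MHHEE",
    "C": "LMHEE",
    "D": "LLMHE",
    "E": "LLMHH",
}
RATING_RANK = {"L": 0, "M": 1, "H": 2, "E": 3}


def rate(likelihood: str, consequence: int) -> str:
    """Return the L/M/H/E rating for a likelihood code and a consequence level."""
    if likelihood not in MATRIX:
        raise ValueError(f"unknown likelihood code {likelihood!r}")
    if consequence not in CONSEQUENCE_NAMES:
        raise ValueError(f"consequence must be 1..5, got {consequence}")
    return MATRIX[likelihood][consequence - 1]


@dataclass
class Control:
    """A treatment that steps likelihood down and/or lowers the consequence level."""
    name: str
    likelihood_steps: int = 0
    consequence_levels: int = 0


@dataclass
class Risk:
    name: str
    likelihood: str           # inherent likelihood code A..E
    consequence: int          # inherent consequence level 1..5
    controls: list = field(default_factory=list)


def residual_levels(risk: Risk) -> tuple:
    """Apply each control in turn; levels never drop below Rare (E) or Insignificant (1)."""
    li = LIKELIHOOD_CODES.index(risk.likelihood)
    ci = risk.consequence
    for c in risk.controls:
        li = max(0, li - c.likelihood_steps)
        ci = max(1, ci - c.consequence_levels)
    return LIKELIHOOD_CODES[li], ci


def score_register(register: list) -> list:
    """Inherent and residual ratings for every risk, highest residual rating first."""
    rows = []
    for r in register:
        res_l, res_c = residual_levels(r)
        rows.append({
            "name": r.name,
            "inherent": rate(r.likelihood, r.consequence),
            "residual": rate(res_l, res_c),
            "residual_likelihood": res_l,
            "residual_consequence": res_c,
        })
    # Residual rating first, inherent rating as tie-breaker: a treatment priority list.
    rows.sort(key=lambda x: (RATING_RANK[x["residual"]], RATING_RANK[x["inherent"]]),
              reverse=True)
    return rows


def sample_register() -> list:
    """Constructed sample risks; the control effects are illustrative assumptions."""
    return [
        Risk("Ransomware on the file server", "C", 5,
             [Control("Offline, tested backups", consequence_levels=2),
              Control("Endpoint detection and response", likelihood_steps=1)]),
        Risk("Phishing leads to credential theft", "B", 3,
             [Control("Multi-factor authentication", likelihood_steps=1, consequence_levels=1)]),
        Risk("Flooding of the office building", "E", 2),
    ]


if __name__ == "__main__":
    for row in score_register(sample_register()):
        print(f'{row["name"]:<40} inherent={row["inherent"]} residual={row["residual"]} '
              f'({LIKELIHOOD_NAMES[row["residual_likelihood"]]}, '
              f'{CONSEQUENCE_NAMES[row["residual_consequence"]]})')
```

The ordering of the output is the point of the exercise: the residual rating, not the inherent one, decides what still needs treatment, and the inherent rating only breaks ties. Clamping at Rare and Insignificant keeps a stack of controls from claiming a risk is lower than the matrix can express.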
BUSINESS CONTINUITY MANAGEMENT
Why do we need BCM?
SURVIVAL!
• Recovery from a major Incident/Disaster
• Responding to changing environment
3.7 MONITORING AND REVIEW
• Few risks remain static
• Factors affecting likelihood and consequences may change
• Factors affecting the suitability or cost of treatment options may also change
• Ongoing review of risks is essential
• Necessary to regularly repeat the risk management cycle
MONITORING PURPOSES
Ensuring that controls are effective and efficient in both design and operation.
Obtaining further information to improve risk assessment.
Analyzing and learning lessons from events (including near-misses), changes, trends, successes and failures.
Detecting changes in the external and internal context, including changes to risk criteria and the risk itself which can require revision of risk treatments and priorities.
Identifying emerging risks. Progress in implementing risk treatment plans provides a performance measure.
HIERARCHY OF ASSURANCE ACTIVITIES
(ordered by scope and frequency)
Day to day – Regular Checking and Continuous Monitoring: embedded into place and methods of work
Line Management Review – Control Self Assessment (CSA): driven by risk profile and Manager’s span of control
Third Party Auditing – Internal or External Audit
4. ENTERPRISE RISK MANAGEMENT
ENTERPRISE RISK MANAGEMENT (ERM)
Enterprise Risk Management as defined (by COSO:2004): a process, established by management, applied in strategy setting across the whole organization, designed to identify events that may …
FUNDAMENTAL CONCEPT OF ENTERPRISE RISK MANAGEMENT
The definition of ERM (COSO:2004) reflects certain fundamental concepts of Enterprise Risk Management as:
• A process, ongoing and flowing through an entity
• Effected by people at every level of organisation
• Applied in strategy setting
• Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
• Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
• Able to provide reasonable assurance to an entity’s management and Board of Directors
• Geared to achievement of objectives in one or more separate but overlapping categories
KEY ELEMENTS THAT CHARACTERISE ERM
• Takes note of the interrelationships and interdependencies among risks
• Improves ability to manage risks within and across business units
• Improves organisation’s capacity to identify and seize opportunities inherent in future events
• Considers risk in the formulation of strategy
• Applies risk management at every level and unit of an entity
• Takes a portfolio view of risks throughout the enterprise
ERM INTEGRATED FRAMEWORK – COSO (2004)
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information & Communication
Monitoring
Components of Risk Management: ERM (COSO II) vs ISO 31000:2009
[Figure: balanced scorecard perspectives – Financial: Profitability, Return on Investment, Revenue Growth; Customer: Market Share, Customer Retention, Customer Satisfaction, Customer Profitability; Internal Business Process: Process Time, Quality, Cost]
ERM – THE ATTRIBUTES FOR SUCCESS
Embedded and integrated, consistent process for all risks, holistic
Clearly defined accountability for risks and controls
Line management accountability for risk management performance and maturity – linked to KPIs
Risk Management is aligned with the achievement of the organisation’s objectives and the strategy development and management process
Emphasis on control assurance – providing “line of sight” down the organisation
Emphasis on root cause analysis, for successes and failures – leading to learning
Governance reporting is not just focussed on risk but on reporting on risk management performance and progress
Projects are viewed in the context of the organisation’s objectives, not just the project outcomes
[Figure: Overall Risk Management Maturity – Risk Governance, Change, Enterprise; Efficiency of Risk Management Process; Opportunities / Risks]
BUILDING AN EFFECTIVE ROBUST ERM FRAMEWORK
An effective ERM framework can provide a reasonable assurance that the organization’s strategic objectives can be achieved. Building an effective framework requires a number of interrelated components, including:
A strong risk governance structure
A clearly articulated risk appetite
A clear risk strategy aligned with strategic objectives and key value drivers
A strong risk management culture and capability
Ongoing review of the risk framework, tolerances, and settings
A common risk language and criteria
Clear risk prioritisation and coordination
Clear line of responsibility and accountability
A strong compliance focus
Continuous risk monitoring and review
Efficient and effective processes, with appropriate tools and technology
A commitment to continuous improvement, training and learning
THE MAIN RISK MANAGEMENT GAPS AND DEFICIENCIES – THE AUSTRALIAN EXPERIENCE
(Standard & Poor’s Survey November 2006)
WHAT IS CONTROL?
• Control is any action taken by management to enhance the likelihood that established objectives and goals will be achieved
In Real-Life Language
• Controls are things that help to meet an organisation’s
CONTROLS CLASSIFICATION
Things Done to Help Meet Business Objectives
SIX GENERAL CATEGORIES FOR CONTROL TECHNIQUES
OBJECTIVE | CONTROL
Accuracy and transparency of financial reports | Reconciliation checks are performed
ENSURE COMPLIANCE TO REGULATIONS | ENSURE REGULAR MANAGEMENT MONITORING
ENSURE STAFF SAFETY | ENSURE EMERGENCY EVACUATION IS CONDUCTED
OBJECTIVES, RISK OUTCOME, RISK CAUSES & CONTROLS?
Objective of the journey: arrive at the destination safely
Main Risk Causes:
• Bad road
• Bad car
• Bad driver
• Unsafe driving rules
• Bad rest area
• Hit by other cars
Key controls:
• Police monitoring
• Safe speed limit
• Effective driving Education & Test
• Regular car inspection
BALANCING RISKS AND INTERNAL CONTROLS
Control procedures need to be developed so that they decrease risk to a level where management can accept the exposure to that risk. To achieve a balance between risk and controls, internal controls should be proactive, value-added, cost-effective and address exposure to risk. Being out of balance can cause the following problems:
BRAINSTORMING
Brainstorming involves stimulating and encouraging free flowing conversation amongst a group of knowledgeable people to identify potential failure modes and associated hazards, risks, criteria for decisions and/or options for treatment. True brainstorming involves particular techniques to try to ensure that people's imagination is triggered by the thoughts and statements of others in the group. Brainstorming can be used in conjunction with other risk assessment methods or may stand alone as a technique to encourage imaginative thinking at any stage of the risk management process and any stage of the life cycle of a system. A normal facilitated process includes:
[Table residue (HAZOP-style guide words and parameters): NO or NOT, MORE, LESS, REVERSE, OTHER THAN, PART OF, AS WELL AS; TEMPERATURE, FLOW, PRESSURE, QUANTITY, SPEED, ETC]
FAILURE MODE AND EFFECT ANALYSIS (FMEA)
Process:
• Consider each component individually
• How it might fail
• What would be the result
• Would it matter
• How would you detect the failure mode
• Look at safety, performance & operability, and ask “What would happen if this component failed?”
Applicability: FMEA is traditionally used for equipment failure. FMEA is similar to Hazop; however, it considers the mechanisms whereby the component can fail, where Hazop considers how the intended result may not be achieved.
EXAMPLE OF FMEA APPLICATION
ITEM | COMPONENT | FAILURE MODES | FAILURE EFFECT | FAILURE DETECTION
HAZARD ANALYSIS AND CRITICAL CONTROL POINT (HACCP)
Process:
• Identify hazards – any biological, chemical or physical property that may cause a food to be unsafe for consumption
• Identify Critical Control Points – step, or procedure in a process at which control can be applied
• Identify Control Point Conditions
• Define monitoring, record keeping, corrective actions and verification procedures to remain in control
Applicability: Used by organisations operating anywhere within the food chain to control risks from physical, chemical or biological contaminants of food. Also extended for use in manufacture of pharmaceuticals and medical devices
EXAMPLE OF FAILURES OF REQUIRED OUTPUTS
REQUIRED OUTPUT | DEVIATION | CAUSE | OUTCOME | CONSEQUENCE | RECOMMENDATION
Trench 1 m deep 50 cm wide by 31 December 2008 | Trench too deep | Specification unclear | Extra time and money spent | Not significant | Pay for job not time
 | | Miscommunication | | | Explain job to people on duty
7. THE THONGSIRI RISK IDENTIFICATION METHODOLOGY (TRIM)
A Demonstration of Risk Identification for A Procurement Process
SIX STEPS IN THE TRIM PROCESS
1. Gain a Clear Understanding of the System
…
6. Develop a TRIM Risk Map from the Identified Risks
STEP 1: UNDERSTAND THE SYSTEM (WHAT IS INVOLVED IN THE SYSTEM OPERATIONS?)
What are the key activities?
What is the scope of this assessment?
How are activities being carried out?
What is the system trying to achieve?
Who are the key players within the system?
Who is responsible for what?
STEP 2: ESTABLISH CLEAR SYSTEM OBJECTIVES
The System Prime Objective for “Procurement” is to ‘Meet Organisation Requirements’
System Prime Objective = Good/services purchased meet the organization requirements in the most effective, efficient, and economical manner
Other Objectives are Success Criteria for the Key Process
Key processes and their prime objectives:
1.0 Determine users Requirements – Good/services meet the need of users
2.0 Develop Specification
3.0 Purchase goods and/or Services – Value for money is achieved
4.0 Receive and Distribution Goods & Services – Good/services are delivered as per the agreement
5.0 Payment for Goods & Services – Payment for Good/services is accurate
6.0 Management Monitoring
STEP 4: IDENTIFY KEY COMPONENTS FOR EACH KEY PROCESS (INPUTS, OUTPUTS, ACTIONS AND CONDITIONS)
CONDITIONS: Weather – rain, hot, cold; Regulations, Rules, Policy; Infrastructure
INPUTS: Resources; People; Equipment; Budget; Materials; IT System; Information
OUTPUTS: Objectives (Strategic, Operation, Financial, Compliance); Products; Profits; Reputation; Security; Etc
ACTIONS: Action of people; Functioning of equipment; Decisions; Authorization
EXAMPLE 4.1: KEY COMPONENTS FOR THE PROCESS “USERS REQUIREMENTS”
CONDITIONS: Time available; Market/technical availability; Compatible with existing systems; Government policy/intervention
INPUTS: Stakeholders; Buyer; Knowledge of the goods/services; Feedback from stakeholders; Technical experts; Approved budget; Business plan; Organization strategies
PROCESS: 1.0 Determine Users Requirements
OUTPUTS: Good/services meet the need of users (this is the Prime Objective for the Process 1.0); Align with Business Plan/Strategy (S); Meet operational requirements (O); Within budget (F); Comply with organizational policy (C)
ACTIONS: Survey of users requirements; Communication and coordination between buyers and users; Decision making to proceed
EXAMPLE 4.2: KEY COMPONENTS FOR THE PROCESS “DEVELOP SPECIFICATION”
CONDITIONS: Time available; Market/technical availability; Government policy/intervention
INPUTS: Users requirements; Professional standards; Organization standard; Knowledge of the goods/services; Technical experts in developing specification; Business plan; Organization strategies
PROCESS: 2.0 Develop Specification
OUTPUTS: Specification accurately reflecting the users needs (this is the Prime Objective for the Process 2.0); Open for competitive bidding (S); Reflects users requirements (O); Within budget (F); Comply with professional standards (C); Comply with organizational standard
ACTIONS: Writing of specification; Review and approval of specification; Decision making to proceed
EXAMPLE 4.3: KEY COMPONENTS FOR THE PROCESS “PURCHASE GOODS/SERVICES”
CONDITIONS: Time available; Market/technical availability; Government and/or organizational policy/intervention
INPUTS: Specification; Budget; Suppliers; Selection committee; Selection criteria; Industry standards; Organization procurement procedures; Knowledge of the goods/services; Technical product experts; Advertising media
PROCESS: 3.0 Purchase goods and/or Services
OUTPUTS: Value for money is achieved (this is the Prime Objective for the Process 3.0); Appropriate supply contract (S); Reflects specification (O); Within budget (F); Competitive price; Comply with industry standards (C); Comply with organizational procurement policy and procedures
ACTIONS: Advertise for quotations and/or tenders; Selection and approval of supplier; Develop supply contract
EXAMPLE 4.4: KEY COMPONENTS FOR THE PROCESS “RECEIVE & DISTRIBUTION OF GOODS/SERVICES”
CONDITIONS: Natural environment; Products availability; Contract terms and conditions; Synchronize with interrelated parties
INPUTS: Supplier; Goods/services; Store; Users; Logistic personnel; Technical product experts; Quality assurance personnel; Delivery dockets; Supply contract; Purchasing/delivery plan; Logistic MIS
PROCESS: 4.0 Receive and Distribution Goods & Services
OUTPUTS: Good/services are delivered as per the purchase agreement (this is the Prime Objective for the Process 4.0); Meet business plan/strategy (S); Meet operational/industry requirements (O); Appropriate security (F); Comply with purchase contract (C)
ACTIONS: Delivery of goods/services; Inspection and/or quality assurance action; Storage of delivered goods; Delivery of goods to users
EXAMPLE 4.5: KEY COMPONENTS FOR THE PROCESS "PAYMENT FOR GOODS/SERVICES"

Process 5.0: Payment for Goods & Services

CONDITIONS
• Funds availability
• Contract terms and conditions
• Organizational payment procedures

INPUTS
• Supplier
• Goods/services
• Budget
• Funds
• Bank
• Accounts personnel
• Store personnel
• Approval delegation
• Users
• Invoices
• Delivery dockets
• Supply contract
• Accounts MIS

OUTPUTS
• Payment for goods/services is accurate (this is the Prime Objective for the Process 5.0)
• Within budget (F)
• Comply with purchase contract (C)
• Comply with organizational payment procedures

ACTIONS
• Receive claims for payment
• Check claims against goods/services received and terms of payment
• Approval for payment
• Make payment
EXAMPLE 4.6: KEY COMPONENTS FOR THE PROCESS "MANAGEMENT MONITORING"

Process 6.0: Management Monitoring

CONDITIONS
• Political influence
• Budget availability
• Government/organizational policy and procedures
• Probity and transparency

OUTPUTS
• Meet business plan/strategy (S)
• Synchronize with interrelated parties

[Remaining inputs, outputs and actions of this slide are not present in the extracted text.]

Prime objectives carried forward from the process examples:
1. Goods/services meet the need of users
2. Specification accurately reflecting the users needs
STEP 5: IDENTIFY RISKS FOR THE KEY COMPONENTS

THE MOST SIGNIFICANT RISK IN EACH PROCESS IS A FAILURE TO ACHIEVE THE PRIME OBJECTIVE OF THE PROCESS (i.e. EACH OF WHICH WILL STOP THE BANKNOTE PRODUCTION)

Process 1.0: Determine Users Requirements
• Restriction by stakeholders leads to inappropriate goods/services procured
• Poor communication leads to incorrect goods/services procured
EXAMPLE 5.2: KEY RISKS FOR THE PROCESS "DEVELOP SPECIFICATION"

Process 2.0: Develop Specification
• Poor quality of specification due to unreasonable time pressure
• Poor quality of specification due to incompetent technical writer
EXAMPLE 5.3: KEY RISKS FOR THE PROCESS
“PURCHASE GOODS AND/OR SERVICES”
EXAMPLE 5.4: KEY RISKS FOR THE PROCESS "RECEIVE & DISTRIBUTION OF GOODS/SERVICES"

Process 4.0: Receive and Distribution of Goods & Services
• Goods & services (quality, quantity and timeliness) are not delivered as per the supply agreement, resulting in loss and/or disruption to business
• Goods/services are not delivered as per the purchase agreement
• Poor delivery planning to synchronize with interrelated parties, resulting in operations disruption
• Inappropriate and/or unclear supply contract leading to disputes and loss for the organization
• Improper inspection resulting in receiving inferior products
• Supplier in liquidation or operations disruption causing major loss and/or disruption to business
• Improper handling and/or security of goods delivered resulting in damage or loss of assets
EXAMPLE 5.5: KEY RISKS FOR THE PROCESS "PAYMENT FOR GOODS/SERVICES"

Process 5.0: Payment for Goods & Services
• Financial loss from unauthorized payment due to fraud or corruption
• Inefficient/ineffective budget administration leading to shortage of funds for payment
EXAMPLE 5.6: KEY RISKS FOR THE PROCESS "MANAGEMENT MONITORING"

Process 6.0: Management Monitoring
• Goods/services purchased DO NOT meet the organization requirements in the most effective, efficient and economical manner
• Goods/services become obsolete due to a lack of management planning and/or strategy
• Financial loss and/or business disruption due to lack of an appropriate procurement plan and coordination of interrelated activities
EXAMPLE 5.7: THE SHOW STOPPERS FOR THE "PROCUREMENT PROCESS"

Overall objective: Goods/services purchased meet the organization requirements in the most effective, efficient and economical manner.

Show stoppers:
• Mission Impossible
• Goods/services do not meet the need of users
STEP 6: DEVELOP THE TRIM RISK MAP
(COMPILE ALL THE IDENTIFIED RISKS FROM STEP 5 INTO A RISK MAP)
(Thai heading: Step 6: develop the ตงศิริ-style risk map)

The slide draws risks 1 to 44 around the six processes; listed by process they are:

Show stoppers (overall procurement process)
• Goods/services do not meet the need of users
• Goods/services do not meet operational requirements
• Goods/services purchased do not meet the organization requirements in the most effective, efficient and economical manner

Process 1.0: Determine Users Requirements
• Restriction by stakeholders leads to inappropriate goods/services procured
• Poor communication leads to incorrect goods/services procured
• Inappropriate goods/services due to inaccurate users' requirements information
• Inferior goods/services due to poor judgment by decision maker

Process 2.0: Develop Specification
• Specification does not accurately reflect the users' needs
• Goods/services are not aligned with business plan and/or strategy
• Specification does not comply with professional and/or organizational standards
• Poor quality of specification due to unreasonable time pressure
• Specification consists of inadequate and/or anti-competitive requirements
• Inaccurate specification due to unclear users' requirements and/or poor communication
• Poor quality of specification due to incompetent technical writer
• Poor quality of specification due to lack of appropriate supervision and/or approval

Process 3.0: Purchase Goods and/or Services
• Inappropriate supply contract resulting in loss for the organisation
• Value for money is not achieved
• Goods and/or services do not match specification and/or meet organisation and industry standards
• Non-compliance with proper procurement procedures leading to loss for the organisation
• Non-competitive bidding leading to inferior products and/or high price
• Ineffective selection process resulting in inferior products and/or high price
• Unreliable supply of critical materials in terms of availability and quality resulting in operations disruption
• Favouritism, corruption and/or fraud leading to loss for the organisation

Process 4.0: Receive and Distribution of Goods & Services
• Goods & services (quality, quantity and timeliness) are not delivered as per the supply agreement, resulting in loss and/or disruption to business
• Goods/services are not delivered as per the purchase agreement
• Poor delivery planning to synchronize with interrelated parties resulting in operations disruption
• Inappropriate and/or unclear supply contract leading to disputes and loss for the organization
• Improper inspection resulting in receiving inferior products
• Supplier in liquidation or operations disruption causing major loss and/or disruption to business
• Improper handling and/or security of goods delivered resulting in damage or loss of assets

Process 5.0: Payment for Goods & Services
• Inaccurate payment for goods/services
• Financial loss due to payment in excess of the agreed supply terms and conditions
• Financial loss due to payment for goods and/or services not received, of inferior quality or not properly completed
• Inefficient/ineffective budget administration leading to shortage of funds for payment
• Financial loss from unauthorized payment due to fraud or corruption
• Inaccurate MIS resulting in financial loss due to overpayment
• Valuable suppliers lost due to excessive delay in payment

Process 6.0: Management Monitoring
• Goods/services purchased do not meet the organization requirements in the most effective, efficient and economical manner
• Goods/services become obsolete due to a lack of management planning and/or strategy
• Financial loss and/or business disruption due to lack of an appropriate procurement plan and coordination of interrelated activities
• Litigation action and/or financial/reputation loss due to lack of transparency and probity in the procurement process
• Financial and/or reputation loss due to lack of appropriate procurement policy and procedures
• Fraud/corruption or inefficient/ineffective procurement due to lack of management monitoring
• Management decision making is not optimal due to lack of effective MIS
• Fraud or corruption due to non-compliance with mandatory procurement procedures
ANALYSE THE TRIM RISK MAP (USE CONSEQUENCE LIKELIHOOD MATRIX)

• Paint the risk map (Step 6): assess the level of each risk (likelihood x consequence) and colour-code it as per the risk matrix to show the level of residual risk.
• Treat the risks (risk treatment).
• Monitor, oversee and review periodically.
BOW TIE ANALYSIS EXAMPLE: PROCUREMENT PROCESS

Risk event: Inappropriate supply contract resulting in loss for the organization

Risk sources/causes, with the preventive controls shown against each:
• Incompetent contract administrator: Training; Recruitment process
• Impractical and/or unclear contract terms and conditions: Expert advice; Approval
• Disadvantageous contract terms and conditions: Legal advice; Approval
• No enforcement of compliance with contract terms and conditions: KPI monitoring; Job description
• Unclear accountability over contract administration: Procedures

Consequences, with the mitigating controls shown against each:
• Financial loss: Insurance; Penalty
• Business disruption: Contingency plan
• Reputation damage: Media control

Diagram legend (left to right): Risk source/Cause | Controls | Risk Event | Controls | Consequences
8. RISK ANALYSIS TECHNIQUES (IEC 31010)
METHODS OF RISK ANALYSIS

• Qualitative analysis: uses words to describe likelihood and consequences (judgement-based; descriptive).
• Semi-quantitative analysis: assigns values to likelihood and consequence on ranking scales; these are scale values, not realistic (actual) values.
• Quantitative analysis: uses numerical values for both likelihood and consequences, through mathematical methods (probability and statistics).
RISK ANALYSIS: WHAT TO MEASURE?
Risk analysis normally involves estimating the range of possible consequences and their associated likelihoods in order to measure the level of risk.
DETAILED ANALYSIS OF RISK: WHICH TECHNIQUE TO CHOOSE?

CONSEQUENCES
• Scenario analysis
• Event tree analysis
• Consequence modelling

CAUSES
• Statistical analysis
• Root cause analysis
• Fault tree analysis
• Ishikawa analysis

CAUSES AND CONSEQUENCES
• Cause consequence diagrams
• Bow tie analysis

CONSEQUENCE AND LIKELIHOOD
• Consequence and likelihood matrix

ANALYSIS OF CONTROLS
• LOPA
• Bow tie analysis
• CSA
CONSEQUENCE LIKELIHOOD MATRIX

The consequence likelihood matrix is a means of combining qualitative or semi-quantitative ratings of consequence and likelihood to produce a level of risk or risk rating. It is used to rank risks, sources of risk or risk treatments on the basis of the level of risk. It is commonly used as a screening tool to define which risks need further, more detailed analysis, which risks need treatment first, and which risks need not be considered further at this time.

Points to remember:
• Process: the key functions, across the life cycle, that help a system achieve its mission.
• Key components: the key success criteria for the process; they are the indicators of process failure.
• Risk/event: something we do not want to happen; an undesirable outcome.
• Likelihood: the chance of the event occurring; can be expressed qualitatively or quantitatively.
• Consequence: the outcome of an event; can be positive or negative, qualitative or quantitative.
• Level of risk: obtained by combining (multiplying) the likelihood level with the consequence level; it determines whether the risk is low, medium, high or very high.
LIKELIHOOD RATING SCALE

1 Rare (very low): may occur only in exceptional circumstances (e.g. once in 10 years)
2 Unlikely (low): could occur at some time (e.g. once in 5 years)
3 Possible (medium): might occur at some time (e.g. once a year)
4 Likely (high): will probably occur in most circumstances (e.g. monthly)
5 Almost Certain (very high): is expected to occur in most circumstances (e.g. daily)
SAMPLE RISK ANALYSIS MATRIX

Likelihood (rows) against consequences (columns):

                          Insignificant  Minor  Moderate  Major  Catastrophic
                               1           2       3        4         5
A (5) Almost Certain           H           H       E        E         E
B (4) Likely                   M           H       H        E         E
C (3) Moderate                 L           M       H        E         E
D (2) Unlikely                 L           L       M        H         E
E (1) Rare                     L           L       M        H         H

Key: L = Low, M = Medium, H = High, E = Extreme (very high) level of risk.
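The matrix above is a lookup, but its practical use is the screening the slide describes: rate every risk in the register, rank them, and split off the ones that need treatment first. The following is an added example, not code from the course material; the five register entries are constructed from the wording of the TRIM risk map and their likelihood and consequence ratings are assumptions.

```python
"""Consequence/likelihood matrix rating and screening of a risk register.

Added example (not from the original slides). MATRIX reproduces the
SAMPLE RISK ANALYSIS MATRIX above; SAMPLE_REGISTER is constructed and
its ratings are assumptions.
"""
from __future__ import annotations

# Rows: likelihood 5 (A, almost certain) down to 1 (E, rare).
# Columns: consequence 1 (insignificant) to 5 (catastrophic).
MATRIX = {
    5: "HHEEE",   # A: Almost certain
    4: "MHHEE",   # B: Likely
    3: "LMHEE",   # C: Moderate
    2: "LLMHE",   # D: Unlikely
    1: "LLMHH",   # E: Rare
}
LEVEL_ORDER = {"L": 0, "M": 1, "H": 2, "E": 3}
LEVEL_NAME = {"L": "Low", "M": "Medium", "H": "High", "E": "Extreme"}


def rate(likelihood: int, consequence: int) -> str:
    """Return the matrix cell (L, M, H or E) for 1..5 likelihood and consequence."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be integers 1..5")
    return MATRIX[likelihood][consequence - 1]


def rank_register(register: list[dict]) -> list[dict]:
    """Rate every risk and order the register from highest to lowest level.

    Ties within a level are broken by likelihood x consequence so that the
    ordering is explicit rather than dependent on input order.
    """
    rated = [{**risk, "level": rate(risk["likelihood"], risk["consequence"])}
             for risk in register]
    return sorted(
        rated,
        key=lambda r: (LEVEL_ORDER[r["level"]], r["likelihood"] * r["consequence"]),
        reverse=True,
    )


def screen(register: list[dict], threshold: str = "H") -> tuple[list[dict], list[dict]]:
    """Split the register into risks at or above `threshold` (treat / analyse in
    detail first) and the rest (need not be considered further at this time)."""
    ranked = rank_register(register)
    cut = LEVEL_ORDER[threshold]
    treat = [r for r in ranked if LEVEL_ORDER[r["level"]] >= cut]
    park = [r for r in ranked if LEVEL_ORDER[r["level"]] < cut]
    return treat, park


# Constructed sample register; wording from the risk map, ratings assumed.
SAMPLE_REGISTER = [
    {"process": "3.0", "risk": "Non-competitive bidding leading to inferior products and/or high price",
     "likelihood": 3, "consequence": 4},
    {"process": "5.0", "risk": "Financial loss from unauthorized payment due to fraud or corruption",
     "likelihood": 2, "consequence": 5},
    {"process": "2.0", "risk": "Poor quality of specification due to unreasonable time pressure",
     "likelihood": 4, "consequence": 2},
    {"process": "4.0", "risk": "Improper handling and/or security of goods delivered resulting in loss of assets",
     "likelihood": 2, "consequence": 2},
    {"process": "1.0", "risk": "Poor communication leading to incorrect goods/services procured",
     "likelihood": 3, "consequence": 2},
]

if __name__ == "__main__":
    treat, park = screen(SAMPLE_REGISTER)
    for r in treat:
        print(f"TREAT  {LEVEL_NAME[r['level']]:8} {r['process']}  {r['risk']}")
    for r in park:
        print(f"park   {LEVEL_NAME[r['level']]:8} {r['process']}  {r['risk']}")
```

The threshold is a parameter because the level at which a risk must be escalated is an organisational decision, not a property of the matrix.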
EVENT TREE EXAMPLE: SUPPLIER FAILS TO DELIVER

Initiating event: Supplier fails to deliver. Each node is a yes/no question (the question wording is not given on the slide); the probability of each outcome is the product of the branch probabilities along its path.

Yes 0.4
  Yes 0.7
    Yes 0.9  ->  No delay                0.4 x 0.7 x 0.9 = 0.252
    No  0.1  ->  Delay for modification  0.4 x 0.7 x 0.1 = 0.028
  No 0.3
    Yes 0.9  ->  Delay for supply        0.4 x 0.3 x 0.9 = 0.108
    No  0.1  ->  Very late               0.4 x 0.3 x 0.1 = 0.012
No 0.6       ->  Cannot complete                           0.600
                                                   Total   1.000

The slide prints 0.026 for "Delay for modification"; 0.4 x 0.7 x 0.1 is 0.028, which is also the value that makes the outcomes sum to 1.000.
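Working the tree by hand is where the 0.026/0.028 slip above comes from. The evaluator below is an added example, not from the slides: it walks any nested yes/no tree, multiplies the branch probabilities along each path, and refuses a node whose branches do not sum to 1. The supplier tree uses the slide's probabilities; the question labels Q1, Q2 and Q3 are placeholders because the slide does not name them.

```python
"""Event tree evaluation: outcome probabilities from branch probabilities.

Added example, not from the original slides. SUPPLIER_TREE carries the
slide's branch probabilities; the question labels are placeholders.
"""
from __future__ import annotations


def evaluate(node, path_prob: float = 1.0, path: tuple = ()):
    """Return [(outcome, probability, branch_path)] for every leaf of `node`.

    A node is either a string (terminal outcome) or a dict
    {"question": str, "branches": [(label, probability, child), ...]}.
    The branch probabilities at a node are checked to sum to 1.
    """
    if isinstance(node, str):
        return [(node, path_prob, path)]
    total = sum(p for _, p, _ in node["branches"])
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f'branches of "{node["question"]}" sum to {total}, not 1')
    results = []
    for label, prob, child in node["branches"]:
        results.extend(
            evaluate(child, path_prob * prob, path + (f"{node['question']}={label}",))
        )
    return results


def outcome_table(node) -> dict[str, float]:
    """Aggregate path probabilities per outcome name, rounded to 3 decimals
    (the same outcome can be reached by several paths in larger trees)."""
    table: dict[str, float] = {}
    for outcome, prob, _ in evaluate(node):
        table[outcome] = table.get(outcome, 0.0) + prob
    return {k: round(v, 3) for k, v in table.items()}


# Slide's probabilities; Q1..Q3 stand in for the unnamed yes/no questions.
SUPPLIER_TREE = {
    "question": "Q1",
    "branches": [
        ("yes", 0.4, {
            "question": "Q2",
            "branches": [
                ("yes", 0.7, {"question": "Q3", "branches": [
                    ("yes", 0.9, "No delay"),
                    ("no", 0.1, "Delay for modification"),
                ]}),
                ("no", 0.3, {"question": "Q3", "branches": [
                    ("yes", 0.9, "Delay for supply"),
                    ("no", 0.1, "Very late"),
                ]}),
            ],
        }),
        ("no", 0.6, "Cannot complete"),
    ],
}

if __name__ == "__main__":
    table = outcome_table(SUPPLIER_TREE)
    for outcome, prob in table.items():
        print(f"{outcome:24} {prob:.3f}")
    print(f"{'Total':24} {sum(table.values()):.3f}")
```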
MODELLING A NUCLEAR ACCIDENT SCENARIO (Sizewell Power Station)

The aim of the model was to find out how people would be affected and what the best emergency response strategy would be.

What do we want to know, and how would we find out:
• How much radiation would get out: design the accident scenario.
• How far and how fast would it spread: use bomb test data for the size and temperature of radioactive particles, and a standard plume dispersal model.
• What is the radiation dose to people at different distances from the plant: absorption over distance is known from penetration tests.
• How much protection is needed: how people absorb radiation (skin, soil, food etc).
• How would it affect them: dose response, using data from bombs and testing.
• Identify and assess the risk of evacuation: from past experience, develop an Emergency Evacuation Plan.

MODELLING DOSE CONTOURS FOR A RADIOACTIVE RELEASE FROM SIZEWELL
[Figure: dose contour map, not reproduced in the text.]
MONTE CARLO ANALYSIS

Monte Carlo simulation is a numerical sensitivity analysis used when there is a known relationship between the input parameters (variables) and an outcome, but the values of the parameters are uncertain. The inputs are sampled from their probability distributions and the outcome is recalculated many times by computer (using software such as Crystal Ball or @RISK), producing a distribution of outcomes from which the estimate and its spread are read.
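The simulation can be done with nothing more than a random number generator, which is the point worth seeing: the model is an ordinary function, and Monte Carlo is just calling it many times on sampled inputs. The following is an added example, not from the slides and not Crystal Ball or @RISK; the cost model, the triangular distributions and every figure in it are assumptions chosen for illustration.

```python
"""Monte Carlo estimate of a procurement cost with uncertain inputs.

Added example, not from the original slides. The cost model and all
distributions below are assumptions.
"""
import random
import statistics


def total_cost(price: float, quantity: float, delay_weeks: float, delay_cost_per_week: float) -> float:
    """The known relationship between inputs and outcome (the model being sampled)."""
    return price * quantity + delay_weeks * delay_cost_per_week


def simulate(n: int = 20000, seed: int = 1) -> list[float]:
    """Sample the uncertain inputs n times and return the n outcomes.

    Assumed distributions: unit price triangular (min 90, mode 100, max 130),
    quantity fixed at 1000, delivery delay triangular (0, mode 1, max 8) weeks,
    delay cost 5000 per week. A seeded generator makes the run reproducible.
    """
    rng = random.Random(seed)
    outcomes = []
    for _ in range(n):
        price = rng.triangular(90, 130, 100)   # (low, high, mode)
        delay = rng.triangular(0, 8, 1)
        outcomes.append(total_cost(price, 1000, delay, 5000))
    return outcomes


def percentile(values: list[float], p: float) -> float:
    """p-th percentile (0..100) by nearest sorted index, no interpolation."""
    s = sorted(values)
    idx = int(round(p / 100 * (len(s) - 1)))
    return s[min(len(s) - 1, max(0, idx))]


def summarize(outcomes: list[float]) -> dict[str, float]:
    """Mean, median (P50) and P90 of the outcome distribution."""
    return {
        "mean": statistics.fmean(outcomes),
        "p50": percentile(outcomes, 50),
        "p90": percentile(outcomes, 90),
    }


def prob_exceeds(outcomes: list[float], budget: float) -> float:
    """Fraction of simulated outcomes above `budget` (the chance of overrun)."""
    return sum(1 for x in outcomes if x > budget) / len(outcomes)


if __name__ == "__main__":
    out = simulate()
    s = summarize(out)
    print(f"mean {s['mean']:,.0f}   P50 {s['p50']:,.0f}   P90 {s['p90']:,.0f}")
    print(f"P(cost > 120,000) = {prob_exceeds(out, 120_000):.3f}")
```

The useful outputs are the percentiles and the exceedance probability, not a single "best" number: the analytic mean of this model is about 121,700, but P90 tells the budget holder what contingency is needed to be 90% sure of staying within budget.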
[Root cause diagram: root causes shown include No preventative maintenance policy; Workshop not available; Lack of knowledge of managers; Old equipment; Low staff level; Financial constraints.]
ROOT CAUSE ANALYSIS FOR POSITIVE RISK

Objective: Maximum profitability
Contributing causes:
• Speed of development and/or response
• High quality hardware and software
• High quality, secure, satisfied workforce
[Fault tree diagram: top event "Lecture cancelled"; base events shown include Lamp failure, No spare lamp, Trip and unplug, Operator error, Internal, External.]
CAUSE-AND-EFFECT ANALYSIS

Cause-and-effect analysis is a structured method for identifying the possible causes of an undesirable event or problem. It enables a team of experts to consider all possible scenarios and causes. The information is organized in either a fishbone diagram or sometimes a tree diagram (below).
ISHIKAWA (FISHBONE) DIAGRAMS

The problem to be solved is identified as the fish head; the main bones of the fish represent the main categories under which causes might fall. The team brainstorms each category to identify potential causes, sub-causes and the factors which affect the risk.
BOW TIE ANALYSIS

Bow tie analysis combines a fault tree and an event tree. The fault tree investigates the causes of the problem, the event tree its consequences, and the bow tie focuses on the barriers (controls) between threats and the event and between the event and its consequences.

[Bow tie diagram: risk event "Projector failure". Causes shown: Light failure, Setup error, Power cut, Ventilation failure, Globe failure; preventive controls: Preventative maintenance, Training. Consequences: Lecture proceeds (Lecturer fixes), Lecture delayed; mitigating controls: Back up projector, Hard copy.]
INDEPENDENT PROTECTIVE LAYER (IPL)

An IPL is a device, system or action that is capable of preventing a scenario from proceeding to its undesired consequence, independent of the initiating event and of any other layer of protection associated with the scenario.

[Diagram: initiating event "Fire occurs" passes through the layers Sprinkler, Alarm and Evacuation before reaching the consequence (e.g. casualties); a probability of failure on demand of 10^-3 is marked against the layers.]
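The arithmetic of layers of protection is simple (initiating frequency times the probability of failure on demand of each credited layer), so the part worth demonstrating is the word "independent": a layer that shares a resource with the initiating event, or with another layer already credited, must not be counted. The following is an added example, not from the slides; the fire scenario, frequencies, PFDs and the dependency on mains power are assumptions for illustration, and the 10^-3 per layer mirrors the figure on the IPL diagram.

```python
"""Layer of Protection Analysis (LOPA) with an independence check.

Added example, not from the original slides. The scenario, the initiating
frequency, the PFDs and the dependencies are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Layer:
    name: str
    pfd: float                                     # probability of failure on demand
    depends_on: set = field(default_factory=set)   # shared resources, e.g. "mains power"


def credited_layers(initiating_deps: set, layers: list[Layer]) -> tuple[list[Layer], list[Layer]]:
    """Credit a layer only if it shares no dependency with the initiating event
    or with any layer already credited; otherwise it is not independent."""
    used = set(initiating_deps)
    credited, rejected = [], []
    for layer in layers:
        if layer.depends_on & used:
            rejected.append(layer)
        else:
            credited.append(layer)
            used |= layer.depends_on
    return credited, rejected


def mitigated_frequency(initiating_freq: float, layers: list[Layer]) -> float:
    """Mitigated event frequency = initiating frequency x product of credited PFDs."""
    f = initiating_freq
    for layer in layers:
        f *= layer.pfd
    return f


def lopa(initiating_freq: float, initiating_deps: set, layers: list[Layer], target_freq: float) -> dict:
    """Evaluate the scenario against a tolerable frequency and report the
    additional risk reduction factor still needed if the target is missed."""
    credited, rejected = credited_layers(initiating_deps, layers)
    f = mitigated_frequency(initiating_freq, credited)
    return {
        "credited": [l.name for l in credited],
        "rejected": [l.name for l in rejected],
        "mitigated_per_year": f,
        "meets_target": f <= target_freq,
        "extra_rrf_needed": f / target_freq if f > target_freq else 1.0,
    }


# Constructed scenario: store-room fire initiated by an electrical fault,
# so the initiating event itself depends on "mains power".
FIRE_LAYERS = [
    Layer("sprinkler", 1e-3, {"water supply"}),
    Layer("alarm", 1e-3, {"mains power"}),       # shares power with the fault: not independent
    Layer("evacuation", 1e-3, {"trained staff"}),
]

if __name__ == "__main__":
    result = lopa(initiating_freq=1e-1, initiating_deps={"mains power"},
                  layers=FIRE_LAYERS, target_freq=1e-6)
    for k, v in result.items():
        print(f"{k:20} {v}")
```

Crediting all three layers would claim 10^-10 per year; refusing the alarm because it fails with the same power loss that starts the fire gives 10^-7, still within the assumed target of 10^-6, but the gap between the two figures is exactly the common-cause optimism the IPL definition is meant to prevent.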
9. RISK ANALYSIS AND DECISIONS

RISK MANAGEMENT vs DECISION MAKING

DIFFERENT DECISIONS NEED DIFFERENT TYPES OF ANALYSIS
Decisions involving risk are not necessarily made on the basis of the level of risk alone.
[Decision example figure: outcomes shown as $23m and -$2m.]
MULTI-ATTRIBUTE UTILITY THEORY (MAUT)

MAUT combines dissimilar measures of costs and benefits, along with individual stakeholder preferences, by calculating a value for each attribute on a common scale from 0 (worst) to 1 (best). The attributes are weighted subjectively, with the weights defined to add up to 1, and each option's score is the weighted sum of its attribute values. In the slide's worked example (figures not reproduced in this text) Option B is preferred.
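The slide's figures are not in the text, so the following added example (not the course's own calculation) reconstructs the method on constructed data: two supply contracts compared on cost, delivery time and a supplier risk score, each rescaled to 0..1 between an assumed worst and best value, then combined with assumed weights that sum to 1.

```python
"""Multi-attribute utility: score options on a common 0..1 scale.

Added example, not the slide's worked example. ATTRIBUTES (weights, worst
and best values) and OPTIONS are constructed for illustration.
"""
from __future__ import annotations


def utility(value: float, worst: float, best: float) -> float:
    """Linear single-attribute utility: worst -> 0, best -> 1, clamped outside
    that range. Works whether the best value is the high end (a benefit) or the
    low end (a cost), because the sign of (best - worst) handles it."""
    if best == worst:
        raise ValueError("best and worst must differ")
    return min(1.0, max(0.0, (value - worst) / (best - worst)))


def maut_score(option: dict[str, float], attributes: dict[str, tuple[float, float, float]]) -> float:
    """attributes: {name: (weight, worst, best)}; weights must sum to 1."""
    total_w = sum(w for w, _, _ in attributes.values())
    if abs(total_w - 1.0) > 1e-9:
        raise ValueError(f"weights sum to {total_w}, not 1")
    return sum(w * utility(option[name], worst, best)
               for name, (w, worst, best) in attributes.items())


def rank_options(options: dict[str, dict], attributes: dict) -> list[tuple[str, float]]:
    """Score every option and return (name, score) pairs, best first."""
    scored = {name: round(maut_score(vals, attributes), 4) for name, vals in options.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


# Constructed comparison of two supply contracts (weights and ranges assumed).
ATTRIBUTES = {
    "cost":        (0.5, 1_500_000, 1_000_000),   # worst 1.5m, best 1.0m (lower is better)
    "delivery_wk": (0.3, 12, 4),                  # weeks to deliver
    "risk_score":  (0.2, 5, 1),                   # supplier risk, 5 = highest
}
OPTIONS = {
    "A": {"cost": 1_050_000, "delivery_wk": 10, "risk_score": 4},
    "B": {"cost": 1_250_000, "delivery_wk": 5,  "risk_score": 2},
}

if __name__ == "__main__":
    for name, score in rank_options(OPTIONS, ATTRIBUTES):
        print(f"Option {name}: {score:.4f}")
```

Option A wins on cost alone (utility 0.9 against 0.5) but scores 0.575 overall; Option B's faster delivery and lower supplier risk lift it to 0.6625. Changing the cost weight to 0.7 reverses the ranking, which is why the subjective weights should be agreed with stakeholders before the scores are computed.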