
PRACTICAL RISK MANAGEMENT
AN APPLICATION OF ISO 31000 STANDARD AND RISK ASSESSMENT TECHNIQUES IEC 31010

RAJAMANGALA UNIVERSITY OF TECHNOLOGY THANYABURI
8-9 APRIL 2010
Siri Thongsiri & Winai Plueksawan
siri.thongsiri@railcorp.nsw.gov.au, winaiplus@yahoo.com
Office Tel 001 612 8922 1712, Mobile 081 407 7885
SESSION OBJECTIVES

• Understand the Principles and Application of Modern Risk Management & Internal Control
• Understand the Principles of Enterprise Risk Management and its Application
• Be Able to Apply International Risk Management Standard ISO 31000 at both Strategic and Operational Levels
• Gain Hands-on Experience in the Application of ISO/IEC 31010 Risk Management Risk Assessment Techniques
COURSE CONTENTS
1. The ISO 31000 Risk Management
2. Risk and Risk Management
3. Risk Management Process
4. Enterprise Risk Management
5. Internal Control
6. Risk Identification Tools
7. The Thongsiri Risk Identification Methodology (TRIM)
8. Risk and Analysis Techniques IEC 31010
9. Risk Analysis and Decisions
1. THE ISO 31000:2009 RISK MANAGEMENT
(The ISO risk management standard)
Contents of ISO Documents
RISK MANAGEMENT INTERNATIONAL STANDARD ISO 31000:2009

• ISO Guide 73: Risk Management - Vocabulary
• ISO 31000: Risk Management - Principles and guidelines
• IEC 31010: Risk Management - Risk Assessment Techniques
ISO 31000:2009 - SCOPE
• To provide principles and generic guidelines on risk management
• It can be used by any public, private or community enterprise, association, group or individual
• It can be applied throughout the life of an organisation, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets
• It can be applied to any type of risk, whatever its nature, whether having positive or negative consequences
• It is not intended to promote uniformity of risk management across organisations
• To harmonize risk management processes in existing and future standards
• ISO 31000 is not intended for the purpose of certification
ISO 31000:2009 - USERS
ISO 31000:2009 is intended to meet the needs of a wide range of stakeholders including:

• those responsible for developing risk management policy within their organisation;
• those accountable for ensuring that risk is effectively managed within the organisation as a whole or within a specific area, project or activity;
• those who need to evaluate an organisation's effectiveness in managing risk; and
• developers of standards, guides, procedures, and codes of practice that, in whole or in part, set out how risk is to be managed within the specific context of these documents.
ISO 31000:2009 Relationship between the Principles, Framework and Process

Principles (Clause 3)
a) Creates value
b) Integral part of organizational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organization

Framework (Clause 4)
• Mandate and Commitment (4.2)
• Design of framework (4.3)
• Implementing risk management (4.4)
• Monitoring and review of the Framework (4.5)
• Continual improvement of the Framework (4.6)

Process (Clause 5)
• Communication and consultation (5.2)
• Establishing the context (5.3)
• Risk assessment (5.4): Risk identification (5.4.2), Risk analysis (5.4.3), Risk evaluation (5.4.4)
• Risk treatment (5.5)
• Monitoring and review (5.6)
Principles (Clause 3)
Risk management should….

1. Create value
2. An integral part of organisational processes
3. Part of decision making
4. Explicitly address uncertainty
5. Be systematic and structured
6. Be based on the best available information
7. Be tailored
8. Take into account human factors
9. Be transparent and inclusive
10. Be dynamic, iterative and responsive to change
11. Be capable of continual improvement and enhancement

ISO 31000 Relationship between the components of the framework for managing risk

Mandate and commitment (4.2)
4.3 Design of framework
  5.3.1 Understanding the organization and its context
  5.3.2 Risk management policy
  5.3.3 Integration into organizational processes
  5.3.4 Accountability
  5.3.5 Resources
  5.3.6 Establishing internal communication and reporting mechanisms
  5.3.7 Establishing external communication and reporting mechanisms
4.4 Implementing risk management
  4.4.1 Implementing the framework
  4.4.2 Implementing the risk management process
4.5 Monitoring and review of the framework
4.6 Continual improvement of the framework
ISO 31000: MANDATE and COMMITMENT
The Management Should:
• Articulate and endorse the risk management policy
• Communicate the benefits of risk management to all stakeholders
• Ensure that the necessary resources are allocated to risk management
• Define risk management performance indicators that align with organizational performance
• Ensure legal and regulatory compliance
• Ensure alignment of risk management objectives with the objectives and strategies of the organization
ISO 31000: FRAMEWORK DESIGN FOR MANAGING RISK
Risk Management Framework Elements
1. Understand the organization and its environment
2. Risk Management policy (a clear risk management policy)
3. Integration into organizational processes
4. Accountability (clearly assigned, in writing)
5. Resources (adequate and appropriate for managing risk)
6. Establishing internal communication and reporting mechanisms
7. Establishing external communication and reporting mechanisms
RISK FRAMEWORK ELEMENTS
ISO 31000 Risk Management Process

Communication and Consultation (5.2) and Monitoring and Review (5.6) run alongside every step:
• Establishing the context (5.3)
• Risk assessment (5.4)
  - Risk identification (5.4.2)
  - Risk analysis (5.4.3)
  - Risk evaluation (5.4.4)
• Risk treatment (5.5)
Risk Management Process
(Clause 5)
Should be an integral part of management,
be embedded in culture and practices and
tailored to the business processes of the
organization.
Includes five activities: communication and
consultation; establishing the context; risk
assessment; risk treatment; and monitoring
and review.

Reporting
• Reporting is incidental to good Risk
Management, not the sole focus of it!
• If you only focus on reporting, you will not
motivate the required culture change
• Advanced Governance Codes (e.g. ASX, LSX)
require two sets of reports:
– The maturity and performance of the RM
framework
– The risk profile and how/why it has changed

IEC 31010 RISK ASSESSMENT TECHNIQUES
1. Brainstorming
2. Structured or Semi-structured Interviews
3. Delphi Technique
4. Check-lists
5. Preliminary Hazard Analysis
6. HAZOP
7. HACCP
8. Toxicological Risk Assessment
9. Structured What If (SWIFT)
10. Scenario Analysis
11. Business Impact Analysis (BIA)
12. Root Cause Analysis (RCA)
13. Failure Modes and Effects Analysis (FMEA)
14. Fault Tree Analysis (FTA)
15. Event Tree Analysis (ETA)
16. Cause-consequence Analysis
17. Cause-and-effect Analysis
18. Layers of Protection Analysis
19. Decision Tree Analysis
20. Human Reliability Assessment (HRA)
21. Bow Tie Analysis
22. Reliability Centred Maintenance
23. Sneak Analysis
24. Markov Analysis
25. Monte Carlo Simulation
26. Bayesian Statistics and Bayes Nets
27. FN Curves
28. Risk Indices
29. Consequence/Likelihood Matrix
30. Cost Benefit Analysis
31. Multi-Criteria Decision Analysis
ISO Guide 73 - Scope
• Provides a basic vocabulary of the definitions of generic terms related to risk management
• Aims to encourage a mutual and consistent understanding, a coherent approach to the description of activities relating to the management of risk, and use of risk management terminology in processes and frameworks dealing with the management of risk.
Terms included in Guide 73 (in alphabetical order)
• COMMUNICATION & CONSULTATION
• CONSEQUENCE
• CONTROL
• ESTABLISHING THE CONTEXT
• EVENT
• EXPOSURE
• EXTERNAL CONTEXT
• FREQUENCY
• HAZARD
• INTERNAL CONTEXT
• LEVEL OF RISK
• LIKELIHOOD
• MONITORING
• PROBABILITY
• RESIDUAL RISK
• RESILIENCE
• REVIEW
• RISK
• RISK ACCEPTANCE
• RISK AGGREGATION
• RISK ANALYSIS
• RISK APPETITE
• RISK ASSESSMENT
• RISK ATTITUDE
• RISK AVERSION
• RISK AVOIDANCE
• RISK CRITERIA
• RISK EVALUATION
• RISK FINANCING
• RISK IDENTIFICATION
• RISK MANAGEMENT
• RISK MANAGEMENT AUDIT
• RISK MANAGEMENT FRAMEWORK
• RISK MANAGEMENT PLAN
• RISK MANAGEMENT POLICY
• RISK MANAGEMENT PROCESS
• RISK MATRIX
• RISK OWNER
• RISK PERCEPTION
• RISK PROFILE
• RISK REGISTER
• RISK REPORTING
• RISK RETENTION
• RISK SHARING
• RISK SOURCE
• RISK TOLERANCE
• RISK TREATMENT
• STAKEHOLDER
• VULNERABILITY
ISO 31000
Reducing the Risk in Risk Management
• Avoids organisations re-inventing the wheel
• Allows all to benefit from proven best practice
• Provides a universal benchmark
• Reduces barriers to trade
• Advises exactly what you need to do and how you need to do it – no wasted effort and no false starts
• Scalable – works for all sizes of organisation
• Risk management = Making optimal decisions in the face of uncertainty
ISO 31000:2009 compared with ERM (COSO II)
The Leading Edge

ISO 31000:2009
• ISO 31000 fully complies with COSO ERM
• ISO 31000 is more practical
• Easy to apply (less than 30 pages)
• Applicable to organisations in all industries, large or small
• More clearly written and terms are explicitly defined
• Wider acceptance as reference for risk management in existing and future standards
• No need to redesign existing management system to apply
• Applies to all levels of organisation for any type of risk, both positive and negative consequences

ERM (COSO II)
• COSO ERM does not comply with ISO 31000
• COSO is very theoretical
• Very complicated (over 200 pages)
• Better suited for large financial organisations
• COSO is not easy to understand
• Limited acceptance, mainly in the US within financial industry
• Major system modification is required to comply with COSO
• Focus on negative risk at corporate level, often very confusing when applied at operational level
Why 31000?
• ISO 31000:2009 is a natural successor to AS/NZS 4360:2004
• Hopefully it will influence a revision of COSO
• It fits ‘ERM’ requirements, but also allows silo/project risk management
• Following ISO 31000 will provide a low cost, high chance of success approach to ERM
• ISO 31000 adds value and reduces risk in risk management
• ISO 31000 provides generic guidance on how to embed risk management, and reinforce the concept of “positive” risk
• Managing risk is about creating value out of uncertainty
2. RISK AND RISK MANAGEMENT

What is Risk?

ISO 31000:2009 defines risk as:

“The effect of uncertainty on objectives”

• Effect: a deviation from the expected – positive and/or negative
• Uncertainty: deficiency of information relating to an event, its consequence, or likelihood
• Objectives: can have different aspects (e.g. finance, safety, environment goal) and can apply at different levels (e.g. strategic, department, project)

What can go wrong? How likely is it? What are the consequences?
How to Describe a Risk? Risk Register

Minimum records: a source of risk (hazard); an event (including when and where); a cause (how and why); an outcome (consequence)

• Source: Fire. Event: Fire at head office. Cause: Short circuit. Outcome: Estimated cost 100 million Baht
• Source: Virus. Event: H1N1 Pandemic. Cause: Employees contact virus. Outcome: Operations interruption
Describing Risk – Poor Example

Poor example: “there is a risk that a fraud occurs”

It leaves too many questions:


– How might it occur?
– What parts of the organisation might be affected?
– Who in the organisation might be affected?
– What are the consequences?
– What clues are there for developing treatments?
Describing Risk – Good Example
A better description
“there is a risk that a researcher falsifies research findings resulting in cancelation of the program, loss of grant funds and reputational harm to the university”
• Allows better consideration of causal factors
• Allows us to better frame consequence and likelihood
• Allows us to consider what controls are in place and
how effective they are. For example:
- Staff codes and professional conduct
- Peer review and quality assurance mechanisms
- Relationship management
- Reputational management
UNDERSTANDING RISK
A RISK IS GENERALLY DESCRIBED AS AN EVENT WHICH LEADS TO A RANGE OF CONSEQUENCES. DO NOT CONFUSE A RISK WITH A RISK CAUSE, RISK FACTOR, AND CONTROL FAILURE.

RISK CAUSE: A risk cause is something that leads to the source of risk, to an exposure to it, or to a risk event. A cause can also be called a contributory factor, particularly when it does not necessarily result in the risk occurring but increases its likelihood.

RISK FACTOR: A risk factor is something that makes the magnitude of risk (likelihood or consequence) higher or lower without being specifically a cause. It may also be called a vulnerability.

CONTROL FAILURE: A control failure can be considered to be an uncertain event with an outcome that affects objectives. However, a control failure only becomes a problem if there is a source of risk and an event occurs, i.e. it is a conditional risk.
EXAMPLES FOR UNDERSTANDING RISK
(Risk type; risk source; event or exposure; consequence; risk cause; risk factor)
• Safety. Source: Working at height. Event: Fall. Consequence: Injury or death. Cause: Poor design. Factor: Height from ground
• Health. Source: Chemical. Event: Contact. Consequence: Cancer. Cause: Lack of chemical knowledge. Factor: Amount of chemical
• Finance. Source: Interest rate. Event: Rate rise more than 2% in a year. Consequence: Decrease in profit. Cause: Inflationary pressures. Factor: Extent of loans
• Project. Source: Supply chain. Event: Late delivery of component. Consequence: Delay in project. Cause: Fire at factory. Factor: Alternative supplier
DO NOT CONFUSE TYPES OF RISK
Distinguish between Direct Risk and Indirect Risk (Control Failure)

Direct Risk: an event by which a source of risk causes harm, e.g.
• A supplier goes out of business resulting in delay to the project
• A person gets his hand caught in a machine resulting in serious injury

Indirect Risk (Control Failure): an event which is described as control failure (but does not necessarily cause harm), e.g.
• Failure to organise back up suppliers may result in delay to a project
• A machine guard is missing which may result in hand being caught in a machine
Risk Management is Part of Our Daily Lives
Annual Risk of dying from….
• Heart disease 1 in 397
• Motor vehicle accident 1 in 6,745
• Homicide 1 in 15,440
• Drowning 1 in 64,031
• Fire 1 in 82,977
• Bicycle accident 1 in 376,175
• Lightning 1 in 4,478,159
• Bioterrorism 1 in 56,424,800

Don’t forget Risk Factor (Vulnerability) that may apply to you!
Understanding the meaning of risk, risk factor and impact
Distinguish between the Cause of a Risk (Risk Cause) and the Effect of a Risk (Risk Outcome)

Cause of a Risk (Risk Cause)
• The Reason why the Risk might be Realised
• Example: Staff Failed to Follow Regulations
• More Effective to Design Controls to Manage the “Causes” of the Risk

Effect of a Risk (Risk Outcome)
• The Ultimate Consequence, the Harm is Done when the Risk is Realised
• Example: Heavy Financial Penalties Incurred
• Often Too Late, Now that We are in Trouble, What do We Do?
How can Risk be Measured?
Level of Risk (Magnitude of a risk): a combination of the Consequence of an event and the Likelihood of occurrence

Risk is often expressed in terms of the consequences of an event or a change in circumstances and the associated likelihood of occurrence
RISK CLASSIFICATION (BY TYPE)
Risks may be classified in a variety of risk frameworks as follows:
• Strategic Risk – examples include risks related to strategy, political, economic, regulatory, and global market conditions; also include reputation risk, leadership risk, brand risk, and changing customer needs.
• Operational Risk – risks related to the organisation’s systems, processes, technology, and people.
• Financial Risk – includes risks from volatility in foreign currencies, interest rates, and commodities; also include credit risk, liquidity risk, and market risk.
RISK CLASSIFICATION (BY SOURCE OF RISK)
• Business Objectives: Missing, non-compliance
• Commercial: Decline in profit, commercial contract, business partners
• Competition: Increased competition, decrease market share, new competitor
• Corporate Governance: Low integrity, lack motivation, weak internal control
• Customers: Key customer left, increasing pressure/demand
• Diseases: Affecting humans, animals and plants
• Economic: Currency fluctuations, interest rates, recession
• Employees: Corrupt culture, lack motivation, knowledge gap
• Environmental: Noise, contamination, pollution
• Financial/Economic: Contractual risks, misappropriation of funds, fraud, fines
• Fraud/Corruption: Corrupted culture, weak control, frequent fraud
• Human: Riots, strikes, sabotage, error
• Information: Unreliable, irrelevant, untimely, insecure
• Legal/Regulatory: New unfavorable regulation, litigation action, non-compliance
• Natural Hazards: Climatic conditions, earthquakes, flood, bushfires
• Occupational Health & Safety: Inadequate safety measures, poor safety environment management
• Political Influences: Intervention by politician, new government policy/direction
• Product/Service Liability: Design error, substandard quality, inadequate testing
• Professional Liability: Wrong advice, negligence, design error
• Property Damage: Fire, water damage, earthquake, contamination, human error
• Public Liability: Public access, egress and safety
• Public Perception: Poor public image, bad reputation, brand name erosion
• Security: Cash handlings, vandalism, theft, misappropriation of information, illegal entry
• Suppliers: Out of business, poor quality/services, high price
• Technological/Equipment: Obsolescence, innovation, dependability
Taking a risk: isn’t all bad
• Risk taking is positive, not implicitly negative.
• We take risks not to avoid harm, but to achieve benefits and gains.
• Taking controlled, informed risks is a sensible and everyday essential part of life.
• The higher the risk the higher the reward.
Risk Management as defined by ISO 31000:2009

“COORDINATED ACTIVITIES TO DIRECT AND CONTROL AN ORGANISATION WITH REGARD TO RISK”

[Diagram: process steps 1. Strategic Ct, 2. Identify Threats, 3. Analyze, 4. Assess, 5. Assess/…, 7. Manage the Risk, applied across Activities, Processes, Opportunities and Risks, with Communicate & Consult and Monitor & Review running alongside]
Managing Risk
• We all manage risk consciously or unconsciously – but rarely systematically.
• Managing risk involves both threats and opportunities.
• Managing risk requires rigorous thinking.
• Managing risk means forward thinking.
• Managing risk requires accountability and authority for decision making.
• Managing risk requires communication.
Evolution of Risk Management

The Past: Risk Management as Compliance
• Identify problems
• Rank them
• Demonstrate every risk has a control (usually a standard procedure)
• Monitor controls

The Present: Risk Management to Prioritise Problems
• Identify problems
• Rank them
• Check if level of risk above target level (qualitative)
• Implement improved controls starting from highest risks
• Monitor implementation

The Future: Risk Management as Business Optimisation
• Identify potential problems and opportunities
• Understand causes and factors which affect likelihood and consequence
• Optimise treatment considering: effectiveness of current and proposed controls; causal factors; costs and benefits of treating the risk; costs and benefits of taking the risk
• Treat according to risk appetite
• Monitor and feedback
THE THREE KEY PROCESSES

The Future: Risk Assessment (“Foresight”)
• Threats and opportunities when changes occur
• What are the ramifications
• Cost effective risk treatment

The Present: Control Assurance (“Insight”)
• Are controls adequate?
• Are they effective?
• Can they be cost effectively improved?

The Past: Root Cause Analysis (“Hindsight”)
• Root cause analysis of successes and failures
• Dissemination of learnings
• Codification of learnings
3. Risk Management Process

Communication and Consultation and Monitoring and Review run alongside every step:
• Establishing the context
• Risk assessment
  - Risk identification
  - Risk analysis
  - Risk evaluation
• Risk treatment
3.1 ESTABLISH THE CONTEXT
(Define the objectives, scope and environment)

THE SIX STEPS TO ESTABLISH THE CONTEXT
1. Identify the Organisation and/or Function Objectives
2. Identify the Internal and External Environment
3. Identify and Analyse Relevant Stakeholders
4. Specify the Main Scope of the Risk Management Activities
5. Identify Criteria for Risks Measurement and Acceptable Level of Risks
6. Define Key Elements for Structuring the Risk Assessment Process
EXTERNAL CONTEXT - EXAMPLES OF SOURCES OF RISK
External sources of risk and risk issues:
• Economic: Market growth, economic cycle, shares & interest rates, capital movement, regional stability, credit availability & costs, exchange rates
• Political and Regulatory: Legislation, regulation, government policy, political involvement, investment, standards & protocols, acceptable practices, intellectual property, societal security
• Supply: Components, outsourcing, contractors, quality assurance, logistics, costs, availability
• Technology: Communications, transportation, hardware, software, security, availability
• Competition: Resources, skills, funding, market positioning, new entrants
• Community: Reputation, ethics, partners, practices, stakeholder expectations, activism, relationships, support
INTERNAL CONTEXT - EXAMPLES OF SOURCES OF RISK
Internal sources of risk and risk issues:
• People: Knowledge retention, skills, integrity, loyalty, industrial relations, competency, currency of expertise, employment costs, equity, workload management, ethics, demographics, health and safety
• Data/information: Integrity, currency, relevance, access, storage, quality, timeliness, security, communication
• Strategy: Robustness, flexibility, strategic fit, planning capability, implementation, involvement, ownership
• Stakeholder management: Stakeholder needs, segmentation, fulfilment, relationships, service proposition, knowledge & understanding
• Leadership: Vision, management capability, innovation, culture, ethics, effectiveness, communication, involvement
• Process/product/services: Robustness, capability, intellectual property, life cycle, innovation, management controls, currency and relevance, quality, efficiency and effectiveness
• Business results: Business objectives, growth, sustainable development, performance, resilience, sustainability
3.2 COMMUNICATION AND CONSULTATION
• Internal and External Stakeholders
• Two-Way Communication and Consultation at Each Stage of Risk Management
• Improve understanding of risks and the risk management process
• Ensure varied views of stakeholders are considered
• Ensure all participants are aware of their roles and responsibilities
3.3 RISK IDENTIFICATION
WHAT NEEDS TO BE IDENTIFIED?
Generate a comprehensive list of risks, based on those events that may enhance, prevent, degrade or delay the achievement of the objectives (including risks associated with not pursuing an opportunity)

Risk Identification is critical because what is not identified cannot be managed

Minimum records: a source of risk (hazard); an event (including when and where); a cause (how and why); an outcome (consequence)
• Source: Disease. Event: An outbreak of Bird Flu epidemic. Cause: People contact with affected chicken. Outcome: Many people die
Top 10 Emerging Risks – The Heat Map
(January 2010 Survey Results by the Risk Integration Strategy Council, USA)
THE RISK IDENTIFICATION PROCESS
1. Establish Risk Identification Team: Brainstorm Workshop; Knowledge, Commitment and Ownership
2. Identify Key Business/Function Elements: Relevant Business Issues; Business/Function Life Cycle
3. Identify/Clarify Business and Key Elements Objectives: Organisation Objectives; Elements/Activities Objectives
4. Identify Events/Risks that might Impact the Objectives: Threats; Opportunities
5. Determine the Cause/Effect of the Risks Identified: Root Cause of Risks; Effect of Risks on Objectives
6. Evaluate the Existing Controls that Mitigate the Risks: Controls that are Already in Place; Effectiveness of the Existing Controls
NEED TO SEPARATE RISK FROM CONTROL FAILURE
The level of risks cannot be compared against control failures

TRUE RISKS (HAZARD AND/OR SOURCE BASED): Bird flu might enter country (event)
• People die
• Closing the chicken industry in the country
• Other businesses close due to staff absent

CONTROL FAILURE
• Control restrictions fail (increased probability)
• Slow quarantine action (increased probability)
• Inadequate medicine (increased consequences)

MANAGEMENT SYSTEM FAILURE
• Insufficient research staff in labs doing analysis
STRATEGIC RISK IDENTIFICATION
Strategic risk is concerned with where the organisation wants to go, how it plans to get there, and how it can ensure survival. Strategic risks are generally identified through interviews with managers and other stakeholders. A structured brainstorming may be conducted to cover key issues as follows:

KEY ISSUES and CONSIDERATION
• Objectives: How might they not be achieved?
• Resources and assets to achieve objectives: How might they fail or be lost?
• Critical functions: How might they be harmed?
• Events that might affect organisations: What might be the outcome?
• Sources of risk: How might they cause harm?
Strategic Risk Classification
Strategic risk is the array of external events and trends that can devastate a
company's growth trajectory and shareholder value. Typical strategic risks are:
• Industry: Margin Squeeze, Rising R&D / capital expenditure costs, Overcapacity, Deregulation, Increased power among suppliers, Extreme business-cycle volatility
• Technology: Shift in technology, Patent expiration, Process becomes obsolete
• Brand: Erosion, Collapse
• Competitor: Emerging global rivals, Gradual market-share gainer, One-of-a-kind competitor
• Customer: Customer priority shift, Increasing customer power, Over-reliance on a few customers
• Project: R&D failure, IT failure, Business development failure, Merger or acquisition failure
• Stagnation: Flat or declining volume, Volume up-price down, Weak pipeline
• Others: Certain financial, operational, and hazardous risks can potentially also be of strategic significance
3.4 RISK ANALYSIS AND TYPE OF ANALYSIS
Risk analysis is a process to comprehend the nature of risk and to determine the level of risk. Risk analysis provides the basis for risk evaluation and decisions about risk treatment. There are three main types of analysis:

WEIGHTING: Which option?
• Outsource maintenance or not
• Which technology to choose
• Introducing new IT system

UNDERSTANDING: How do we deal with a situation?
• Move operations to new location
• Reduce safety risks
• Minimising project risk

SORTING: What shall we do first?
• Rating gives rough idea of relative importance
• Priorities for budget
• What needs detailed assessment
PURPOSE OF RISK ANALYSIS
• To provide more information about possible positive and negative outcomes to improve the quality of decisions in strategic planning.
• To gain a better understanding of the factors which will affect risks so that negative impacts can be reduced.
• To prioritise risks so that important risks are dealt with first.
• To find a level of risk which can be compared with criteria for acceptability.
• To define the best treatment.
• To see which of a number of options has the best balance of positive and negative risks.
• To meet regulatory requirements.
RISK ANALYSIS INVOLVES CONSIDERING
• Causes and sources of risk
• Positive and negative consequences
• The likelihood particular consequences will occur
• Factors affecting likelihood and consequence
• Existing controls
(ISO 31000 focuses more on understanding than on measuring, compared with AS4360)
3.5 RISK EVALUATION
RISK EVALUATION INVOLVES COMPARING ESTIMATED LEVELS OF RISK TO DETERMINE THE SIGNIFICANCE OF THE LEVEL AND TYPE OF RISK TO MAKE DECISIONS ABOUT FUTURE ACTIONS

• Whether a risk needs treatment
• Priorities for treatment
• Which option to choose
• Whether an activity should be undertaken
• Which of a number of paths should be followed
RISK (EVALUATION) CRITERIA
ALARP (As Low as Reasonably Practicable)

• Generally Intolerable Region: Risk reduction measures are essential whatever their cost
• Tolerable Region (Risk is undertaken only if a benefit is desired): Residual risk tolerable only if further risk reduction is impractical
• Broadly Acceptable Region: Risk reduction not likely to be required (little risk remains and further reduction is not worthwhile, but it must still be monitored)
• Negligible Risk
ISO 31000: RISK APPETITE

Risk Appetite
Amount and type of risk an organisation is prepared to pursue or take

• Some level of risk is desirable
• Risk appetite is not necessarily measured in financial terms
• Risk appetite is not necessarily uniform against different types of risk
• Risk appetite is directly related to an organisation's strategy
58
AN EXAMPLE OF RISK APPETITE LEVEL

[Chart: Expected and Unexpected Loss by Vulnerability (Euro '000). Logarithmic scale from 10 to 100,000 for All Risk Total. Vulnerability categories: Organisational strategy and stability; Product design; Security exposures; Time to market restrictions; Asset exposures; Customer exposure; Finished product or service quality expectation; Contract management; Installation and maintenance activity; Reliance on suppliers; Goods are stored and transported; Production activities. Series: Expected Loss, Unexpected Loss.]
59
Implementing Risk Appetite
through Risk Appetite Table
The risk appetite table helps an organisation to align real risk exposure with its management and escalation activities. An event or risk is assessed in the risk appetite table and assigned a risk score by multiplying the consequence and likelihood scores. Ranges of risk scores are then associated with different levels of management attention.

Likelihood              Consequences
                        Insignificant  Minor  Moderate  Major  Catastrophic
                        1              2      3         4      5
A (5) Almost Certain    H              H      E         E      E
B (4) Likely            M              H      H         E      E
C (3) Moderate          L              M      H         E      E
D (2) Unlikely          L              L      M         H      E
E (1) Rare              L              L      M         H      H
60
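The scoring and escalation mechanism described above, as an added worked example that is not part of the course material: the 5x5 rating grid is the one on the slide, while the level of management attention attached to each band, the sample register and the two sanity checks are assumptions added here. The checks show something the slide does not spell out: the grid is monotonic, but it is not a pure function of the likelihood x consequence product, so two risks with the same numeric score can land in different bands, and escalation has to be driven by the grid rather than by the bare score.

```python
"""Risk appetite table as a lookup, with consistency checks.

Added example, not part of the original course material. The 5x5 grid is
copied from the slide; the escalation text per band is an assumption.
"""
from dataclasses import dataclass

# Scales as shown on the slide (1 = lowest).
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Moderate": 3, "Likely": 4, "Almost Certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
BAND_ORDER = {"L": 0, "M": 1, "H": 2, "E": 3}  # low, medium, high, extreme

# Rating grid from the slide, MATRIX[likelihood - 1][consequence - 1].
MATRIX = [
    # Insig  Minor  Moder  Major  Catas
    ["L",   "L",   "M",   "H",   "H"],   # 1 Rare
    ["L",   "L",   "M",   "H",   "E"],   # 2 Unlikely
    ["L",   "M",   "H",   "E",   "E"],   # 3 Moderate
    ["M",   "H",   "H",   "E",   "E"],   # 4 Likely
    ["H",   "H",   "E",   "E",   "E"],   # 5 Almost Certain
]

# Assumed (hypothetical) level of management attention for each band.
ESCALATION = {
    "L": "manage by routine procedures",
    "M": "line management attention",
    "H": "senior management attention",
    "E": "executive / board escalation",
}


@dataclass(frozen=True)
class RiskRating:
    likelihood: int
    consequence: int
    score: int        # likelihood x consequence, as the slide describes
    band: str         # L / M / H / E read from the grid
    escalation: str


def rate_risk(likelihood: str, consequence: str) -> RiskRating:
    """Look a risk up in the appetite table and attach its escalation level."""
    lk = LIKELIHOOD[likelihood]
    cq = CONSEQUENCE[consequence]
    band = MATRIX[lk - 1][cq - 1]
    return RiskRating(lk, cq, lk * cq, band, ESCALATION[band])


def is_monotonic(matrix=MATRIX) -> bool:
    """A grid should never rate a risk lower when likelihood or consequence rises."""
    n = len(matrix)
    for i in range(n):
        for j in range(n):
            here = BAND_ORDER[matrix[i][j]]
            if j + 1 < n and BAND_ORDER[matrix[i][j + 1]] < here:
                return False
            if i + 1 < n and BAND_ORDER[matrix[i + 1][j]] < here:
                return False
    return True


def ambiguous_scores(matrix=MATRIX) -> list:
    """Scores (products) that the grid maps to more than one band. A non-empty
    result means the grid, not the bare product, must drive escalation."""
    bands_by_score = {}
    for i, row in enumerate(matrix, start=1):
        for j, band in enumerate(row, start=1):
            bands_by_score.setdefault(i * j, set()).add(band)
    return sorted(s for s, bands in bands_by_score.items() if len(bands) > 1)


def prioritise(risks):
    """Order (name, likelihood, consequence) triples worst first: by band, then score."""
    rated = [(name, rate_risk(lk, cq)) for name, lk, cq in risks]
    return sorted(rated, key=lambda r: (BAND_ORDER[r[1].band], r[1].score), reverse=True)


if __name__ == "__main__":
    # Constructed sample register for illustration.
    register = [
        ("Data centre flood", "Rare", "Catastrophic"),
        ("Typo in monthly report", "Almost Certain", "Insignificant"),
        ("Key supplier insolvency", "Unlikely", "Major"),
    ]
    for name, r in prioritise(register):
        print(f"{name:25} score={r.score:2} band={r.band} -> {r.escalation}")
    print("grid monotonic:", is_monotonic(), "ambiguous scores:", ambiguous_scores())
```

On this grid a score of 4 is reached by Rare x Major (band H), Unlikely x Minor (band L) and Likely x Insignificant (band M), which is why `prioritise` sorts by band first and uses the product only as a tie-breaker within a band.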
3.6 RISK TREATMENT
1. Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
2. Taking or increasing the risk in order to pursue an opportunity
3. Removing the risk source
4. Changing the likelihood
5. Changing the consequences
6. Sharing the risk with another party or parties (including contracts and risk financing)
7. Retaining the risk by informed decision
61
STRATEGY MAP FOR RISK TREATMENT
(Consequences against Likelihood)

Avoid Risks: High Likelihood, High Consequences
Share Risks: Medium Likelihood, High Consequences
Treat Risks with Controls: High Likelihood, Medium Consequences
Retain Risk: Low Likelihood, Low Consequences
62
RISK AVOIDANCE/ELIMINATION
• Reduce the probability of occurrence or the impact of the risk to zero
• Can avoid risk by not undertaking a specific activity or choosing an alternative path, but may:
  • Lose potential benefit
  • Often substitute one risk for another
• Impossible to eliminate risk completely
63
RISK CHANGE/REDUCTION
ADVERSE RISKS CAN BE REDUCED EITHER BY REDUCING THE LIKELIHOOD OF LOSS OR BY REDUCING THE SEVERITY OF THE EFFECTS. CONTROLS TO REDUCE NEGATIVE RISKS INCLUDE PREVENTION, PROTECTION AND DETECTION

Change Probability of Occurrence          Change Consequence
Fire – Separate combustion from           Fire – Automatic Sprinkler Systems
  ignition sources
Fraud – Perform background checks         Fraud – Audits
Key Staff – Offer attractive              Key Staff – Succession Planning
  retention package
64
RISK SHARING/TRANSFER
CANNOT COMPLETELY “TRANSFER RISK” OR RESPONSIBILITY.
RESIDUAL RISK OR ALTERNATIVE RISK WILL STILL EXIST.

Share the risk with someone else:
• The financial burden and/or consequences of the risk
• The level of uncertainty
• Some of the responsibility

Example of Risk Transfer/Share:
• Contracting
• Outsourcing
• Insurance
• Alternative Risk Transfer
65
RETAINED RISK
RISKS THAT REMAIN AFTER CONTROL OR TRANSFER/SHARE ARE THE “RESIDUAL RISK”
• Those risks that can be tolerated
• Those risks not identified
• Residual risks which are not transferred
• Develop recovery plans for residual risk
66
BUSINESS CONTINUITY MANAGEMENT
Why do we need BCM?

SURVIVAL!
• Recovery from a major Incident/Disaster
• Responding to changing environment

67
3.7 MONITORING AND REVIEW
• Few risks remain static
• Factors affecting likelihood and consequences may change
• Factors affecting the suitability or cost of treatment options may also change
• Ongoing review of risks is essential
• Necessary to regularly repeat the risk management cycle
68
MONITORING PURPOSES
 Ensuring that controls are effective and efficient in
both design and operation.
 Obtaining further information to improve risk
assessment.
 Analyzing and learning lessons from events
(including near-misses), changes, trends, successes
and failures.
 Detecting changes in the external and internal
context, including changes to risk criteria and the risk
itself which can require revision of risk treatments
and priorities.
 Identifying emerging risks. Progress in implementing
risk treatment plans provides a performance
measure.

69
HIERARCHY OF ASSURANCE ACTIVITIES
(Levels of assurance activity in monitoring)

Scope and Frequency

Day to day Regular Checking and Monitoring (done as routine work)
  Continuous - embedded into place and methods of work

Line Management Review
  Control Self Assessment (CSA) - driven by risk profile and Manager's span of control

Third Party Auditing
  Internal or External Audit
70
4. ENTERPRISE RISK MANAGEMENT

71
ENTERPRISE RISK MANAGEMENT
(ERM)
Enterprise Risk Management as defined (by COSO:2004):

“A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
72
FUNDAMENTAL CONCEPT OF
ENTERPRISE RISK MANAGEMENT
The definition of ERM (COSO:2004) reflects certain fundamental
concepts of Enterprise Risk Management as:
• A process, ongoing and flowing through an entity
• Effected by people at every level of the organisation
• Applied in strategy setting
• Applied across the enterprise, at every level and unit,
and includes taking an entity-level portfolio view of
risk
• Designed to identify potential events that, if they
occur, will affect the entity and to manage risk within
its risk appetite
• Able to provide reasonable assurance to an entity’s
management and Board of Directors
• Geared to achievement of objectives in one or more
separate but overlapping categories
73
KEY ELEMENTS THAT CHARACTERISE ERM
• Takes note of the interrelationships and interdependencies among risks
• Improves ability to manage risks within and across business units
• Improves organisation’s capacity to identify and seize opportunities inherent in future events
• Considers risk in the formulation of strategy
• Applies risk management at every level and unit of an entity
• Takes a portfolio view of risks throughout the enterprise
74
ERM INTEGRATED FRAMEWORK
COSO (2004)

Internal Environment
Objective Setting
Event Identification
Risk Assessment

Risk Response
Control Activities
Information & Communication
Monitoring
75
Components of Risk Management
ERM (COSO II) vs ISO 31000:2009

ERM (COSO II)
• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information and Communication
• Monitoring

ISO 31000
• Establish the Context
• Identify Risks
• Analyse Risks
• Evaluate Risks
• Treat Risks
• Communicate and Consult
• Monitor and Review
76
CORE PERFORMANCE MEASURES FOR ORGANISATION
BALANCED SCORE CARD APPROACH

Financial: Profitability, Return on Investment, Revenue Growth
Customer: Market Share, Customer Retention, Customer Satisfaction, Customer Profitability
Internal Business Process: Process Time, Quality, Cost
Innovation and Growth: Employee Capabilities, Motivation, Empowerment, Information Systems Capabilities
77
BALANCED SCORE CARD APPROACH FOR ERM
(AN EXAMPLE OF UNIVERSITY PERFORMANCE)

PERSPECTIVE          OBJECTIVES                          KPI                                  RISK OUTCOME
Financial            Revenue growth                      Market share in students %           Lose/gain market share
Customer             Improved student satisfaction       Better performance on rating scale   Better/worse rating
Internal operations  Top research university in Thailand Number of research grants            More/less grants
Learning and growth  Employee capabilities               % academics with a PhD               More/less academics with PhD
78
ERM – THE ATTRIBUTES FOR SUCCESS
 Embedded and integrated, consistent process for all risks, holistic
 Clearly defined accountability for risks and controls
 Line management accountability for risk management performance and maturity – linked to KPIs
 Risk Management is aligned with the achievement of the organisation’s objectives and the strategy development and management process
 Emphasis on control assurance – providing “line of sight” down the organisation
 Emphasis on root cause analysis, for successes and failures – leading to learning
 Governance reporting is not just focussed on risk but on reporting on risk management performance and progress
 Projects are viewed in the context of the organisation’s objectives, not just the project outcomes
79
Overall Risk Management Maturity
(vertical axis: Efficiency of Risk Management Process; horizontal axis: Degree of Integration of Risk Management)

Stage 1 - Risk Specific RM
• There are different types of processes for different types of risk
• Risk categorisation is largely consequence based
• There may be attempts at some form of “integrated” measurement
• Risk is seen as loss, harm and detriment
• RM is closely linked to insurance
• The terms ‘risk’, ‘hazards’ and ‘threats’ are used interchangeably

Stage 2 - Governance Driven RM
• RM is motivated by reporting
• High level risk assessment is stimulated by reporting requirements
• RM measures vary according to types of risk
• Risk is seen as events – mostly with negative consequences
• There are some inconsistent approaches to managing different types of risks

Stage 3 - Change Driven RM
• RM is associated with the management of change
• RM is driven by performance based Standards
• Risk is seen as uncertainty
• There is a uniform system for the analysis of all types of risk

Stage 4 - Enterprise Wide RM
• RM is implicit in all decisions
• RM processes are integrated in all processes
• RM is culturally driven
• Risk is seen as uncertainty
• RM is about gaining strategic advantage
80
ERM AT ITS MOST MATURE
ERM has the potential both to mitigate downside exposures and to optimise opportunities, adding the greatest value and using risk information to gain long-term competitive advantage.

Opportunities
• Facilitating the identification of strategic opportunity
• Realising opportunities for gain
• Driving long-term competitive advantage and value creation

Risks
• Compliance
• Hazard & adverse event management
• Minimising losses
• Protecting the entity’s key values
81
BUILDING AN EFFECTIVE ROBUST
ERM FRAMEWORK
An effective ERM framework can provide a reasonable assurance that the organization’s strategic objectives can be achieved. Building an effective framework requires a number of interrelated components, including:
• A strong risk governance structure
• A clearly articulated risk appetite
• A clear risk strategy aligned with strategic objectives and key value drivers
• A strong risk management culture and capability
• Ongoing review of the risk framework, tolerances, and settings
• A common risk language and criteria
• Clear risk prioritisation and coordination
• Clear line of responsibility and accountability
• A strong compliance focus
• Continuous risk monitoring and review
• Efficient and effective processes, with appropriate tools and technology
• A commitment to continuous improvement, training and learning
82
THE MAIN RISK MANAGEMENT GAPS AND
DEFICIENCIES – THE AUSTRALIAN EXPERIENCE
(Standard & Poor’s Survey November 2006)

The 4 Gaps where Risk Not Actively Managed
• New project risk
• Change Management
• People Risk
• Innovation Risk

Top 3 Issues that Keep Management “Awake at Night”
• Strategic risks
• People Risk
• Operating Risk

Key Areas Earmarked for More Investment
• Better aligning performance incentives with risk management objectives
• Using risk information to add greater value
• Increasing risk accountability
• Creating an enterprise-wide more integrated approach
• Balancing risk and reward
83
THE KEY CHALLENGES TO
IMPLEMENTING RISK MANAGEMENT
• Board/CEO support
• Responsibility/accountability
• Risk measurement
• Link to corporate strategy
• Link and impact to good corporate governance
• Adding value
• Common risk language
• Management buy-in
• Link to control self assessment
• Risk reporting
• Technology
84
Common Excuses for NOT Doing
Risk Management
 We have no risk
 The program is too small to do risk management
 Making risks public will kill the program
 The customer goes ballistic whenever he/she hears of a potential problem
 We deal with problems as they arise
 Identifying risks is bad for my career
 Risk management creates more work for me
 How can you predict what will happen from now?
 We plan to start implementing risk management next year
85
WHY ERM IMPLEMENTATION FAILS?

• Allowing too much complacency


• Failing to create a powerful coalition
• Underestimating power of vision
• Under-communicating vision
• Permitting obstacles to block vision
• Failing to create short term wins
• Declaring victory too soon
• Neglecting to anchor changes in culture
86
5. INTERNAL CONTROL

87
WHAT IS CONTROL?
• Control is any action taken by management to enhance the likelihood that established objectives and goals will be achieved

In Real-Life Language
(put simply, in everyday terms)
• Controls are things that help to meet an organisation’s
88
CONTROLS CLASSIFICATION
Things Done to Help Meet Business Objectives

Preventive: Stop a risk from occurring
  Example: Prior approvals of purchases

Detective: Determine if a risk has occurred
  Example: Exception reports, reconciliation

Directive: Avoid risks by providing specific ways to do things
  Example: Guidelines and training
89
CONTROL DESIGN CONCEPT
Controls Required to Mitigate the Risks Identified
• Design as few controls as possible (few, but effective)
• Design controls only for risks with material consequences to reaching objectives
• Excess controls are all negative
90
SIX GENERAL CATEGORIES FOR CONTROL
TECHNIQUES
• Competent, trustworthy personnel with clear lines of authority and responsibility
• Adequate segregation of duties
• Proper procedures for authorisation
• Adequate documents and records
• Physical control over assets and records (e.g. safes, keys, locks)
91
UNDERSTANDING CONTROLS
Distinguish Between

Hard Control
• Formal and/or tangible
• Easier to determine the existence
• Example: Written approvals, Reconciliations, Segregation of Duties (e.g. rules and regulations, division of duties)

Soft Control
• Informal and/or intangible
• Harder to evaluate
• Example: Ethics, Integrity, Commitment
92
CAN YOU TELL THE DIFFERENCE?
(Consider the difference between objectives and controls)

OBJECTIVES                              CONTROLS
ENSURE INTEGRITY OF FINANCIAL RECORDS   ENSURE RECONCILIATION IS REGULARLY CONDUCTED
ENSURE COMPLIANCE TO REGULATIONS        ENSURE REGULAR MANAGEMENT MONITORING
ENSURE STAFF SAFETY                     ENSURE EMERGENCY EVACUATION IS CONDUCTED
93
OBJECTIVES, RISK OUTCOME, RISK CAUSES & CONTROLS
(The relationship between objectives, risk, risk factors and controls)

The objective of a journey is “to arrive at the destination safely”.
The risk outcome is “not arriving at the destination due to accident, car breakdown etc.”

Main Risk Causes:
• Bad road
• Bad car
• Bad driver
• Unsafe driving rules
• Bad rest area
• Hit by other cars

Key controls:
• Police monitoring
• Safe speed limit
• Effective driving education & test
• Regular car inspection
94
BALANCING RISKS AND INTERNAL CONTROLS

Control procedures need to be developed so that they decrease risk to a level where management can accept the exposure to that risk. To achieve a balance between risk and controls, internal controls should be proactive, value-added, cost-effective and address exposure to risk. Being out of balance can cause the following problems:

Excessive Risks
• Loss of Assets
• Poor Business Decisions
• Noncompliance
• Increased Regulations
• Public Scandals

Excessive Controls
• Increased Bureaucracy
• Reduced Productivity
• Increased Complexity
• Increased Cycle Time
• Increase of No-Value Activities
95
6. RISK IDENTIFICATION TOOLS
An Organisation faces Three
Categories of Risks

The Known Risks
• Past Data
• Checklists
• Thinking Prompts
• Human Error Analysis

The Known Unknown Risks
• Work System Analysis
• Pathway Analysis
• HAZOPS
• FMEA
• HACCP

The Unknown Unknowns
• Analysis of the past combined with imaginative thinking
96
BRAINSTORMING
Brainstorming involves stimulating and encouraging free flowing conversation amongst a group of knowledgeable people to identify potential failure modes and associated hazards, risks, criteria for decisions and/or options for treatment. True brainstorming involves particular techniques to try to ensure that people's imagination is triggered by the thoughts and statements of others in the group. Brainstorming can be used in conjunction with other risk assessment methods or may stand alone as a technique to encourage imaginative thinking at any stage of the risk management process and any stage of the life cycle of a system. A normal facilitated process includes:

 Objectives of the session are defined and rules explained.
 The idea is to collect as many diverse ideas as possible for later analysis.
 There is no discussion at this point about whether things should or should not be in a list or what is meant by particular statements, because this tends to inhibit free flowing thought.
 All input is accepted and none is criticised, and the group moves on quickly to allow ideas to trigger lateral thinking.
97
PAST DATA
Process: Risk can be identified from past records such as:
• Financial statements
• Incident statistics
• Non-compliance or complaints
• Project debriefing reports

Applicability: Where a loss occurs relatively frequently within the organisation or industry wide

Strength: A good way of identifying known common failures

Weakness: Rare but severe events may be ignored because they have not happened before within the organisation
98
CHECKLISTS
Process: The technique provides a listing of typical uncertainties which need to be considered. Users refer to a previously developed list, codes or standards and review whether items on the checklist are present.

Applicability: When there is a large experience of risk which demonstrates that the same problems occur on many occasions. It is applied to check that everything has been covered.

Strength:
• May be used by non experts
• Combine wide ranging expertise into an easy to use form
• Help ensure common problems are not forgotten

Limitation:
• Tend to inhibit imagination
• Address only “known knowns” risks
• Encourage ‘tick the box’ behaviour
• Tend to miss problems not readily seen
99
THINKING PROMPTS
Process: List of topics or reminders which help establish a train of thought in identifying risks in an imaginative way, for example:
• Project/activity objectives and critical resources needed to achieve these objectives
• Risk categories such as financial, reputation, safety

Applicability: Thinking prompts encourage imagination more than most checklists so are appropriate when there is more variation in the things which occur than can be included in a checklist.

Strength:
• May be used by non experts, easy to use
• Help ensure key issues are not overlooked

Limitation:
• Address mainly “known knowns” risks
• Tend to miss problems not readily seen
100
HUMAN ERROR ANALYSIS
A human error is a cause of risk events but not a risk itself.
For each task (operation, maintenance, communication etc.) apply the error checklist below to identify “failure modes and effect”, e.g. a clerk enters incorrect data resulting in incorrect billing.

• Action omitted
• Action too early
• Action too late
• Action too much
• Action too little
• Action too long
• Action too short
• Action in wrong direction
• Right action, wrong object
• Wrong action, right object
• Wrong action, wrong object
• Information not obtained and/or transmitted
• Wrong information obtained/transmitted
101
WORK SYSTEM ANALYSIS
Work to be performed is separated into tasks and sub tasks to
form a structure for identifying risks, for each task think about:

• The environment in which it operates


• Objective of the step and what could go
wrong and what are opportunities
• Sources of risk
• Human errors
• Equipment failure
• Existing controls and how they could fail
102
PATHWAY ANALYSIS
(SOURCE – TARGET MODEL)

Source -> Pathway -> Target
• Undesirable Event = Risk (e.g. chemical spills into waterway)
• Barriers failed = Control Failure
• Barriers may be at source, pathway, target (e.g. chemical treatment, regulation over use of chemical)
• Target: e.g. local wildlife
103

MULTIPLE SOURCES AND PATHWAYS

Barriers placed in either pathway can prevent explosion. Barriers along each pathway can prevent escalation and the consequences.
104
HAZARD AND OPERABILITY (HAZOP)
Process:
• Separate process into components
• Define what the component is supposed to do
• Define operating conditions
• Use Hazop key words to see how performance or conditions could vary from design intent

Applicability: HAZOP was developed by the chemical and processing industry to identify safety and operational problems of new plant. It is applicable to any process.

Strength:
• Provides effective systematic means to examine a system, process or procedure
• It generates solutions and risk treatment action
• It involves a multidisciplinary team

Limitation:
• Very time consuming
• Hazop does not identify all risks (outside the process) or apply to all circumstances
• Focus on finding solutions rather than challenging “why are we doing this”
105
HAZOP SUMMARY
KEY WORDS: NO or NOT; MORE; LESS; REVERSE OF; OTHER THAN; PART OF; AS WELL AS
CONDITIONS: TEMPERATURE; FLOW; PRESSURE; QUANTITY; SPEED; ETC

For each deviation ask:
• WHAT CAUSES IT
• WHAT ARE THE CONSEQUENCES
• HOW WOULD WE KNOW
• HOW MUCH DOES IT MATTER
• WHAT SHOULD BE DONE
106
EXAMPLE OF HAZOP APPLICATION
(columns: OPERATING CONDITIONS | TYPE OF DEVIATION | CAUSE | CONSEQUENCES | DETECTION MECHANISM)

Chemical flow (in glue mixing process)
• None | Valve shut | Process stop | Flow meter in pipe
• Too slow | Valve partly blocked | Product outside spec | Flow meter in pipe

Information transfer (in project management)
• No | Do not talk to customer | Dissatisfied customer | No record of customer needs
• Too little | Insufficient time for discussion | Project delayed | Inadequate records
• Too much information | Over enthusiasm | Difficult to pick out key requirements | Large volume of records
107
FAILURE MODE AND EFFECT ANALYSIS (FMEA)
Process:
• Consider each component individually
• How it might fail
• What would be the result
• Would it matter
• How would you detect the failure mode
• Look at safety, performance & operability, and ask “What would happen if this component failed?”

Applicability: FMEA is traditionally used for equipment failure. FMEA is similar to Hazop, however it considers the mechanisms whereby the component can fail, where Hazop considers how the intended result may not be achieved.

Strength:
• Identify component fault modes, their causes and effects on the system, and present in an easily readable format
• It identifies problems early in the design process
• Identify single point failure modes

Limitation:
• Only identify single failure modes, not combinations of failure modes
• Can be time consuming and costly
• Can be difficult and tedious for complex multi-layered systems
108
EXAMPLE OF FMEA APPLICATION
Activity/component Enter name and address
from list
Function To link data to correct
person
Failure mode Wrong name entered
Failure mechanism Lost place on list
Failure effect Data for wrong person
Current controls Use ruler to keep aligned
How would you know Name checked before action
(before too late)

109
EXAMPLE OF FMEA APPLICATION
(columns: FAILURE MODES | FAILURE EFFECT | FAILURE DETECTION)

Item 1: Valve
• Valve mechanism jammed closed | Low flow of A | Flow meter line A
• Motor which operates valve fails to start | Low flow of A | Warning lights
• Motor operating valve fails to stop | High flow of A | Warning lights
• Valve gasket fails | Leak of A | Low flow meter reading
• Valve leaks when closed | Unwanted flow of A | Direct observation
110
HAZARD ANALYSIS AND CRITICAL CONTROL POINT (HACCP)
Process:
• Identify hazards – any biological, chemical or physical property that may cause a food to be unsafe for consumption
• Identify Critical Control Points – a step or procedure in a process at which control can be applied
• Identify Control Point Conditions
• Define monitoring, record keeping, corrective actions and verification procedures to remain in control

Applicability: Used by organisations operating anywhere within the food chain to control risks from physical, chemical or biological contaminants of food. Also extended for use in manufacture of pharmaceuticals and medical devices.

Strength:
• A structured process for quality control as well as identifying and reducing risks
• Focus on how and where hazards can be prevented
• Encourage risk control throughout the process

Limitation:
• HACCP requires identification of hazards, risks and controls as inputs to the process in order to specify critical control points and control parameters
• Taking action only when control parameters exceed defined limits may miss gradual changes
111
EXAMPLE OF HACCP APPLICATION
(Food Manufacturing; columns: CRITICAL CONTROL POINT | SOURCE OF RISK | CONTROL | CONTROL PARAMETER | MONITORING MECHANISM)

• Receipt of ingredients | Biological contamination | Correct refrigeration temperature | Temperature under 4 degrees Celsius | Alarm in refrigerator when temperature over 4 degrees
• Storage of ingredients | Biological contamination | Storage time prior to use | Less than 24 hours | Red flag for ingredients stored over 24 hours
• Mixing | Biological contamination | Temperature of mixing | Temperature under 4 degrees Celsius | Alarm in mixing room when temperature over 4 degrees
• Cooking | Biological contamination | Time and temperature of cooking | Cooking at 100 degrees for 5 minutes | System report for deviation from cooking time and temperature
• Packing | Biological contamination | Time between cooking and packaging | Packing within 5 minutes after cooked | Alarm when packing time exceeds 5 minutes
112
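A monitoring routine for two of the control parameters in the table, as an added example that is not part of the original course material: the 4 degree Celsius limit and the 24 hour storage limit come from the table, while the temperature readings, lot timestamps, window size and drift threshold are constructed for illustration. Alongside the alarm-on-exceedance mechanism the table describes, it adds a window-to-window drift check, which addresses the limitation noted on the previous slide that acting only when a parameter exceeds its limit can miss gradual change.

```python
"""Critical control point monitoring: limit alarms, storage-time flags and drift.

Added example, not part of the original course material. The 4 degree C
limit and the 24 hour storage limit come from the HACCP table; readings,
lot timestamps, window size and drift threshold are constructed here.
"""
from datetime import datetime, timedelta
from statistics import mean

TEMP_LIMIT_C = 4.0        # from the table: refrigeration / mixing temperature
STORAGE_LIMIT_H = 24      # from the table: storage time prior to use


def limit_alarms(readings, limit=TEMP_LIMIT_C, name="temperature"):
    """The monitoring mechanism in the table: alarm on every reading over the limit."""
    return [f"{name}[{i}] = {v:.1f} exceeds limit {limit}"
            for i, v in enumerate(readings) if v > limit]


def drift_alarms(readings, window=4, max_rise=0.5, name="temperature"):
    """Flag a sustained rise between consecutive windows of readings.

    This is the check the slide's limitation calls for: a fridge creeping from
    2 to 3.9 degrees never trips the 4 degree alarm, but the trend is visible.
    window and max_rise are constructed tuning values.
    """
    xs = list(readings)
    alarms = []
    for end in range(2 * window, len(xs) + 1):
        previous = mean(xs[end - 2 * window:end - window])
        current = mean(xs[end - window:end])
        if current - previous > max_rise:
            alarms.append(f"{name}[{end - window}:{end}] mean {current:.2f} "
                          f"rose {current - previous:.2f} on previous window")
    return alarms


def storage_flags(lots, now, max_hours=STORAGE_LIMIT_H):
    """Red-flag ingredient lots stored longer than the limit, as the table requires."""
    limit = timedelta(hours=max_hours)
    return [lot for lot, received in lots if now - received > limit]


def assess_ccp(readings, lots, now):
    """Combine all three checks into one monitoring report for a CCP."""
    return {
        "limit": limit_alarms(readings),
        "drift": drift_alarms(readings),
        "storage": storage_flags(lots, now),
    }


# Constructed sample data.
FRIDGE_LOG = [2.0, 2.1, 2.0, 2.2, 2.6, 2.8, 3.0, 3.2, 3.4, 3.6, 3.8, 3.9]  # steady creep, never over 4
SPIKE_LOG = [2.0, 2.1, 4.5, 2.0]                                          # one door-open spike
NOW = datetime(2010, 4, 8, 8, 0)
LOTS = [("lot-A", datetime(2010, 4, 8, 6, 0)),   # 2 h in store
        ("lot-B", datetime(2010, 4, 7, 5, 0))]   # 27 h in store

if __name__ == "__main__":
    report = assess_ccp(FRIDGE_LOG, LOTS, NOW)
    for kind, items in report.items():
        print(f"{kind}: {len(items)} alarm(s)")
        for item in items:
            print("  ", item)
```

On the constructed fridge log the limit alarm never fires, because no reading reaches 4 degrees, while the drift check raises an alarm as soon as a four-reading window averages more than half a degree above the one before it; the spike log shows the reverse, a single exceedance with no trend. Both checks belong in the monitoring mechanism column of a real HACCP plan.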
GENERAL MODEL FOR IDENTIFYING RISK

[Diagram: a step is described by its conditions, its actions (actions of people or equipment) and its decisions. For each, ask: What could go wrong? How would we know?]
113
METHODOLOGY FOR GENERIC RISK
IDENTIFICATION MODEL
THE GENERIC MODEL CAN BE APPLIED TO MOST PROCESSES OR PROJECTS. IT CAN ALSO BE USED IN A POSITIVE SENSE TO IDENTIFY OPPORTUNITIES
• Divide the process or project into steps
• For each step identify required inputs, actions and outputs, i.e. the things that should be there
• Seek things that can cause deviations to inputs, actions and outputs. List these as risks, i.e. an event or deviation and its consequences
• This will produce one set of risks. Continue as follows:
• List the required outputs of the step
• Consider how those outputs may not be achieved and list these as risks (i.e. events and the effect on outputs).
114
EXAMPLE OF FAILURES OF
REQUIRED INPUTS
Project step: Dig trenches for cable
(columns: INPUTS / REQUIRED CONDITIONS | EVENTS | OUTCOMES | RECOMMENDATION)

• Digger machine | Digger not available | Delay in completion | Choose reliable contractor with good maintenance process
• Digger machine | Digger machine fails | Cost of digger repairs | Choose reliable contractor with good maintenance process
• Fine weather | Rain | Delay | Exclude weather related delays from penalty clause
• Fine weather | Rain causes slippery surface – people fall | Injuries | Exclude weather related delays from penalty clause
• Fine weather | Trench collapse | Time cost | Exclude weather related delays from penalty clause
• Employ contractors | Choice of contractor not available | Delay or incompetent contractor | Recruit own staff
115
EXAMPLE OF FAILURES OF
REQUIRED OUTPUTS
Required output: Trench 1 m deep, 50 cm wide, by 31 December 2008
(columns: DEVIATION | CAUSE | OUTCOME | CONSEQUENCE | RECOMMENDATION)

• Trench too deep | Specification unclear; Miscommunication | Extra time and money spent | Not significant | Pay for job not time; Explain job to people on duty
• Trench not deep enough | Time pressure | Have to re-employ contractors and diggers | Significant financial cost; Delay | Inspect on completion before contractor leaves
• Trench completed late | Poor weather; Contractor has too many jobs; Soil harder than expected | Extra time required | Significant financial cost; Delay | Allow contingency time; Review contractor before appointing
116
7. THE THONGSIRI
RISK IDENTIFICATION METHODOLOGY (TRIM)
A Demonstration of Risk Identification for
A Procurement Process
117
SIX STEPS IN THE TRIM PROCESS
1. Gain a Clear Understanding of the System
2. Establish Clear System Objective
3. Identify the Key Processes and their Prime Objectives
4. Identify the Key Components (inputs, outputs, actions and conditions) for each Process
5. Identify Events and their Consequences (Risks) that can cause Deviations to Inputs, Outputs, Actions and Conditions
6. Develop a TRIM Risk Map from the Identified Risks
118
STEP 1: UNDERSTAND THE SYSTEM
(WHAT IS INVOLVED IN THE SYSTEM OPERATIONS?)
Questions to ask about the system:
• What is the scope of this assessment?
• What are the key activities?
• How are activities being carried out?
• What is the system trying to achieve?
• Who are the key players within the system?
• Who is responsible for what?
STEP 2: ESTABLISH CLEAR SYSTEM OBJECTIVES
• The System Prime Objective for "Procurement" is to 'Meet Organisation Requirements'
• The Prime Objective of a Key Process (processes 1 to 6) is a Success Criterion for the System
• The Other Objectives of a Key Process are Success Criteria for that Key Process
STEP 3: IDENTIFY THE KEY PROCESSES AND THEIR OBJECTIVES
Example: Procurement Process
System Prime Objective = Good/services purchased meet the organization requirements in the most effective, efficient, and economical manner

Key processes and their prime objectives:
1.0 Determine Users Requirements: Good/services meet the need of users
2.0 Develop Specification: Specification accurately reflecting the needs
3.0 Purchase Goods and/or Services: Value for money is achieved
4.0 Receive and Distribution of Goods & Services: Good/services are delivered as per the agreement
5.0 Payment for Goods & Services: Payment for Good/services is accurate
6.0 Management Monitoring: Good/services purchased meet the organization requirements in the most effective, efficient, and economical manner (the System Prime Objective)
STEP 4: IDENTIFY KEY COMPONENTS FOR EACH KEY PROCESS
(INPUTS, OUTPUTS, ACTIONS AND CONDITIONS)
CONDITIONS (the environment the process operates in):
• Weather: rain, hot, cold
• Regulations, Rules, Policy
• Infrastructure
INPUTS (into the Process):
• Resources
• People
• Equipment
• Budget
• Materials
• IT System
• Information
ACTIONS (within the Process):
• Action of people
• Functioning of equipment
• Decisions
• Authorization
OUTPUTS (classified as Strategic (S), Operational (O), Financial (F) and Compliance (C)):
• Objectives
• Products
• Profits
• Reputation
• Security
• Etc.
EXAMPLE 4.1: KEY COMPONENTS FOR THE PROCESS "USERS REQUIREMENTS"
Process 1.0 Determine Users Requirements
CONDITIONS:
• Time available
• Market/technical availability
• Compatible with existing systems
• Government policy/intervention
INPUTS:
• Stakeholders
• Buyer
• Knowledge of the goods/services
• Feedback from stakeholders
• Technical experts
• Approved budget
• Business plan
• Organization strategies
ACTIONS:
• Survey of users requirements
• Communication and coordination between buyers and users
• Decision making to proceed
OUTPUTS:
• Good/services meet the need of users (this is the Prime Objective for the Process 1.0)
• Align with Business Plan/Strategy (S)
• Meet operational requirements (O)
• Within budget (F)
• Comply with organizational policy (C)
EXAMPLE 4.2: KEY COMPONENTS FOR THE PROCESS "DEVELOP SPECIFICATION"
Process 2.0 Develop Specification
CONDITIONS:
• Time available
• Market/technical availability
• Government policy/intervention
INPUTS:
• Users requirements
• Professional standards
• Organization standard
• Knowledge of the goods/services
• Technical experts in developing specification
• Business plan
• Organization strategies
ACTIONS:
• Writing of specification
• Review and approval of specification
• Decision making to proceed
OUTPUTS:
• Specification accurately reflecting the users needs (this is the Prime Objective for the Process 2.0)
• Open for competitive bidding (S)
• Reflects users requirements (O)
• Within budget (F)
• Comply with professional standards (C)
• Comply with organizational standard (C)
EXAMPLE 4.3: KEY COMPONENTS FOR THE PROCESS "PURCHASE GOODS/SERVICES"
Process 3.0 Purchase Goods and/or Services
CONDITIONS:
• Time available
• Market/technical availability
• Government and/or organizational policy/intervention
INPUTS:
• Specification
• Budget
• Suppliers
• Selection committee
• Selection criteria
• Industry standards
• Organization procurement procedures
• Knowledge of the goods/services
• Technical product experts
• Advertising media
ACTIONS:
• Advertise for quotations and/or tenders
• Selection and approval of supplier
• Develop supply contract
OUTPUTS:
• Value for money is achieved (this is the Prime Objective for the Process 3.0)
• Appropriate supply contract (S)
• Reflects specification (O)
• Within budget (F)
• Competitive price (F)
• Comply with industry standards (C)
• Comply with organizational procurement policy and procedures (C)
EXAMPLE 4.4: KEY COMPONENTS FOR THE PROCESS "RECEIVE & DISTRIBUTION OF GOODS/SERVICES"
Process 4.0 Receive and Distribution of Goods & Services
CONDITIONS:
• Natural environment
• Products availability
• Contract terms and conditions
INPUTS:
• Supplier
• Goods/services
• Store
• Users
• Logistic personnel
• Technical product experts
• Quality assurance personnel
• Delivery dockets
• Supply contract
• Purchasing/delivery plan
• Logistic MIS
ACTIONS:
• Delivery of goods/services
• Inspection and/or quality assurance action
• Storage of delivered goods
• Delivery of goods to users
OUTPUTS:
• Good/services are delivered as per the purchase agreement (this is the Prime Objective for the Process 4.0)
• Meet business plan/strategy (S)
• Synchronize with interrelated parties (S)
• Meet operational/industry requirements (O)
• Appropriate security (F)
• Comply with purchase contract (C)
EXAMPLE 4.5: KEY COMPONENTS FOR THE PROCESS "PAYMENT FOR GOODS/SERVICES"
Process 5.0 Payment for Goods & Services
CONDITIONS:
• Funds availability
• Contract terms and conditions
• Organizational payment procedures
INPUTS:
• Supplier
• Goods/services
• Budget
• Funds
• Bank
• Accounts personnel
• Store personnel
• Approval delegation
• Users
• Invoices
• Delivery dockets
• Supply contract
• Accounts MIS
ACTIONS:
• Receive claims for payment
• Check claims against goods/services received and terms of payment
• Approval for payment
• Make payment
OUTPUTS:
• Payment for Good/services is accurate (this is the Prime Objective for the Process 5.0)
• Within budget (F)
• Comply with purchase contract (C)
• Comply with organizational payment procedures (C)
EXAMPLE 4.6: KEY COMPONENTS FOR THE PROCESS "MANAGEMENT MONITORING"
Process 6.0 Management Monitoring
CONDITIONS:
• Political influence
• Budget availability
• Government/organizational policy and procedures
• Probity and transparency
INPUTS:
• Managers
• Management information system
• Security system
• Budget
• Procurement staff
• Policy and procedures
• Strategy
• Risk Management
• Internal Controls
ACTIONS:
• Regular monitoring of the performance of the procurement process
• Plan and coordinate interrelated activities
• Communicate and provide report and/or feedback to relevant stakeholders
• Ensure compliance with organizational, regulatory and standards requirements
• Provide appropriate strategy, direction and resources
OUTPUTS:
• Good/services purchased meet the organization requirements in the most effective, efficient, and economical manner (this is the Prime Objective for the Process 6.0)
• Meet business plan/strategy (S)
• Synchronize with interrelated parties (S)
• Meet operational & OHS requirements (O)
• Value for money (F)
• Within budget (F)
• Meet all stakeholders requirements (C)
EXAMPLE 4.7: THE SUCCESS CRITERIA FOR THE "PROCUREMENT PROCESS"
1. Good/services meet the need of users
2. Specification accurately reflecting the users needs
3. Value for money is achieved
4. Good/services are delivered as per the purchase agreement
5. Payment for Good/services is accurate
6. Good/services purchased meet the organization requirements in the most effective, efficient, and economical manner
STEP 5: IDENTIFY RISKS FOR THE KEY COMPONENTS
• THE MOST SIGNIFICANT RISK IN EACH PROCESS IS A FAILURE TO ACHIEVE THE PRIME OBJECTIVE OF THE PROCESS (i.e. EACH OF WHICH WILL STOP THE BANKNOTE PRODUCTION)
• CONSIDER HOW THE OTHER OUTPUTS (SUCCESS CRITERIA) MAY NOT BE ACHIEVED. LIST THESE AS RISKS (EVENTS AND THE EFFECT ON OUTPUTS).
• SEEK THINGS THAT CAN CAUSE DEVIATIONS TO ACTIONS & INPUTS, AND ALSO ADVERSE CONDITIONS. LIST THESE AS RISKS (AN EVENT OR DEVIATION AND ITS CONSEQUENCE).
EXAMPLE 5.1: KEY RISKS FOR THE PROCESS "USERS REQUIREMENTS"
Process 1.0 Determine Users Requirements
• Goods/services do not meet the need of users (failure of the Prime Objective)
• Goods/services do not meet operational requirements
• Goods/services are not aligned with Business Plan and/or strategy
• Restriction by stakeholders leads to inappropriate goods/services procured
• Poor communication leads to incorrect goods/services procured
• Inappropriate goods/services due to inaccurate users requirements information
• Inferior goods/services due to poor judgment by decision maker
EXAMPLE 5.2: KEY RISKS FOR THE PROCESS "DEVELOP SPECIFICATION"
Process 2.0 Develop Specification
• Specification does not accurately reflect the users needs (failure of the Prime Objective)
• Specification does not comply with professional and/or organizational standards
• Specification consists of inadequate and/or anti-competitive requirements
• Poor quality of specification due to unreasonable time pressure
• Poor quality of specification due to incompetent technical writer
• Inaccurate specification due to unclear users' requirements and/or poor communication
• Poor quality of specification due to lack of appropriate supervision and/or approval
EXAMPLE 5.3: KEY RISKS FOR THE PROCESS "PURCHASE GOODS AND/OR SERVICES"
Process 3.0 Purchase Goods and/or Services
• Value for money is not achieved (failure of the Prime Objective)
• Inappropriate supply contract results in loss for the organisation
• Goods and/or Services do not match specification and/or meet organisation & industry standards
• Non compliance with proper procurement procedures leads to loss for the organisation
• Non competitive bidding leads to inferior products and/or high price
• Ineffective selection process results in inferior products and/or high price
• Unreliable supply of critical materials, in terms of availability & quality, results in operations disruption
• Favouritism, corruption and/or fraud lead to loss for the organisation
EXAMPLE 5.4: KEY RISKS FOR THE PROCESS "RECEIVE & DISTRIBUTION OF GOODS/SERVICES"
Process 4.0 Receive and Distribution of Goods & Services
• Good/services are not delivered as per the purchase agreement (failure of the Prime Objective)
• Goods & Services (quality, quantity and timeliness) are not delivered as per the supply agreement, resulting in loss and/or disruption to business
• Poor delivery planning to synchronize with interrelated parties results in operations disruption
• Inappropriate and/or unclear supply contract leads to disputes and loss for the organization
• Improper inspection results in receiving inferior products
• Supplier in liquidation or operations disruption causes major loss and/or disruption to business
• Improper handling and/or security of goods delivered results in damage or loss of assets
EXAMPLE 5.5: KEY RISKS FOR THE PROCESS "PAYMENT FOR GOODS/SERVICES"
Process 5.0 Payment for Goods & Services
• Inaccurate payment for Good/services (failure of the Prime Objective)
• Financial loss due to payment in excess of the agreed supply terms and conditions
• Financial loss due to payment for goods and/or services not received, of inferior quality or not properly completed
• Inefficient/ineffective budget administration leads to shortage of funds for payment
• Financial loss from unauthorized payment due to fraud or corruption
• Valuable suppliers leave due to excessive delay in payment
• Inaccurate MIS results in financial loss due to overpayment
EXAMPLE 5.6: KEY RISKS FOR THE PROCESS "MANAGEMENT MONITORING"
Process 6.0 Management Monitoring
• Good/services purchased DO NOT meet the organization requirements in the most effective, efficient, and economical manner (failure of the Prime Objective)
• Good/services become obsolete due to a lack of management planning and/or strategy
• Financial loss and/or business disruption due to lack of appropriate procurement plan and coordination of interrelated activities
• Litigation action and/or financial/reputation loss due to lack of transparency and probity in the procurement process
• Fraud/corruption or inefficient/ineffective procurement due to lack of management monitoring
• Financial and/or reputation loss due to lack of appropriate procurement policy and procedures
• Fraud or corruption due to non compliance with mandatory procurement procedures
• Management decision making is not optimal due to lack of effective MIS and Risk Management
EXAMPLE 5.7: THE SHOW STOPPERS FOR THE "PROCUREMENT PROCESS"
Each show stopper is the failure of one Key Process Prime Objective:
1. Goods/services do not meet the need of users
2. Specification does not accurately reflect the users needs
3. Value for money is not achieved
4. Good/services are not delivered as per the purchase agreement
5. Inaccurate payment for Good/services
6. System Prime Objective (Good/services purchased meet the organization requirements in the most effective, efficient, and economical manner): Mission Impossible
STEP 6: DEVELOP THE TRIM RISK MAP
(COMPILE ALL THE IDENTIFIED RISKS FROM STEP 5 INTO A RISK MAP)
The risk map places the risks identified in Examples 5.1 to 5.6, numbered 1 to 44, around the six key processes of the procurement process (1.0 Determine Users Requirements, 2.0 Develop Specification, 3.0 Purchase Goods and/or Services, 4.0 Receive and Distribution of Goods & Services, 5.0 Payment for Goods & Services, 6.0 Management Monitoring), each risk next to the process whose inputs, actions, conditions or outputs it affects. The risk statements on the map are those listed in Examples 5.1 to 5.6.
ANALYSE THE TRIM RISK MAP
(USE CONSEQUENCE LIKELIHOOD MATRIX)
1. Estimate the Level of Risk (likelihood x consequence) for each risk on the map
2. Paint the Risk Map (Step 6) with the appropriate colour code as per the Risk Matrix to show the level of Residual Risk
3. Produce a Prioritised List of Risks
4. Compare against the Organisation Risk Appetite and against the Organisation Risk Tolerance
5. Classify each risk as Low Risk, Acceptable Risk or Unacceptable Risk
6. Monitor and periodically review; apply Risk Treatment
BOW TIE ANALYSIS
EXAMPLE PROCUREMENT PROCESS
(Columns of the bow tie: Risk source/Cause | Controls | Risk Event | Controls | Consequences)

Risk sources/causes (left side of the bow tie):
• Incompetent contract administrator
• Impractical and/or unclear contract terms and conditions
• Disadvantageous contract terms and conditions
• No enforcement for compliance with contract terms and conditions
• Unclear accountability over contract administration
Preventive controls on the causes: Training, Recruitment process, Expert advice, Approval, Legal advice, Monitoring, Job description, Procedures

Risk event (the knot of the bow tie): Inappropriate supply contract resulting in loss for the organization

Consequences (right side of the bow tie):
• Financial loss
• Business disruption
• Reputation damage
Mitigating controls on the consequences: Insurance, Penalty, Contingency plan, KPI, Media control
8. RISK AND ANALYSIS TECHNIQUES IEC 31010
METHODS OF RISK ANALYSIS
• Qualitative Analysis: Use words to describe likelihood and consequences (a judgement-based description of likelihood and impact)
• Semi-quantitative Analysis: Give values for ranking scales but not the realistic values (likelihood and impact are scored on a scale; the scores are not real values)
• Quantitative Analysis: Use numerical values for both likelihood and consequences (mathematical methods, probability and statistics, are used to determine the values of likelihood and impact)
Risk Analysis – What to Measure?
• Normally involves estimation of a range of possible consequences and their associated likelihoods in order to measure risk
• Level of risk should be expressed in suitable terms for the type of risk and to aid evaluation. In some instances risk can be expressed as a probability distribution across a range of consequences
• Taking a single consequence and its likelihood, as required in the matrix, is an approximation to the level of risk
• One must either take maximum consequences and their likelihood or most likely consequences and their likelihood; really it is the sum of all consequences and their likelihoods
RISK AND ANALYSIS TECHNIQUES
The techniques map onto the time line of a risk, from preconditions through occurrence to consequence:

Preconditions
• Source of risk: individual and organisational motivators/drivers; hazards
• Techniques: Human error analysis; Organisational analysis
• Controls: Remove underlying causes; Reduce/eliminate sources of risk/hazards

Occurrence
• Cause of events → Risk Event
• Techniques: Fault trees; Causal analysis
• Controls: Prevent event; Detect event

Consequence
• Response and Recovery → Loss to people, assets, reputation etc.
• Techniques: Event trees and scenario analysis (detect events and reduce consequences); Consequence modelling (respond and recover)
• Controls: Protect targets; Insert barriers; Detect early; Limit consequences; Share risk; Contingency plans; Recovery plans; Rehabilitation; Return to normal
DETAILED ANALYSIS OF RISK
Which technique to choose?
CONSEQUENCES
• Scenario Analysis
• Event Tree Analysis
• Consequence Modelling
CAUSES
• Statistical Analysis
• Root Cause Analysis
• Fault Tree Analysis
• Ishikawa Analysis
CAUSES AND CONSEQUENCES
• Cause Consequence Diagrams
• Bow Tie Analysis
CONSEQUENCE AND LIKELIHOOD
• Consequence and Likelihood Matrix
ANALYSIS OF CONTROLS
• LOPA
• Bow Tie Analysis
• CSA
CONSEQUENCE LIKELIHOOD MATRIX
The consequence likelihood matrix is a means of combining qualitative or semi-quantitative ratings of consequence and likelihood to produce a level of risk or risk rating. A consequence likelihood matrix is used to rank risks, sources of risk or risk treatments on the basis of the level of risk. It is commonly used as a screening tool to define which risks need further, more detailed analysis, which risks need treatment first, or which risks need not be considered further at this time. Points to remember:
• The consequence scale should cover the range of different types of consequence to be considered (for example financial loss, safety, environment or other parameters depending on context).
• The lowest likelihood must be acceptable for the highest defined consequence, otherwise all activities with the highest consequence are defined as intolerable.
• Many risk events may have a range of outcomes with different associated likelihoods. It is appropriate to focus on the most serious outcome, or to rank both common problems and unlikely catastrophes as separate risks.
CONDUCT RISK ANALYSIS
Columns of the risk analysis worksheet:
• Key Process: the critical path for a system life cycle; the key functions that help a system achieve its mission
• Objectives: what does the process try to achieve? What are the key success criteria for the process?
• Risk Outcome: the outcomes of the process that we do not want to happen; they are risk indicators of a process failure
• Risk Cause: the event that causes or leads to the undesirable outcomes
• Likelihood (1-5): probability or frequency of an event occurring; can be expressed qualitatively or quantitatively
• Consequence (1-5): outcome or impact of an event; there can be more than one consequence from an event, and it can be positive or negative, qualitative or quantitative
• Risk Rating (1-25): the risk rating or risk score is the product of multiplying the likelihood level with the consequence level; it helps to determine whether the level of risk is low, medium, high or very high
SAMPLE CONSEQUENCES RANKING
Level | Descriptor | Description/Impact
1 | Insignificant | Low financial loss, no injuries
2 | Minor | Medium financial loss, first aid treatment, on-site release immediately contained
3 | Moderate | High financial loss, medical treatment required, on-site release contained with outside assistance
4 | Major | Major financial loss, extensive injuries, loss of production capability, off-site release with no detrimental effects
5 | Catastrophic | Huge financial loss, death, toxic release off-site with detrimental effect
SAMPLE LIKELIHOOD RANKING
Level | Probability | Description
1 | Rare | May occur only in exceptional circumstances (e.g. once in 10 years)
2 | Unlikely | Could occur at some time (e.g. once in 5 years)
3 | Possible | Might occur at some time (e.g. once a year)
4 | Likely | Will probably occur in most circumstances (e.g. monthly)
5 | Almost Certain | Is expected to occur in most circumstances (e.g. daily)
SAMPLE RISK ANALYSIS MATRIX
Likelihood (rows) against Consequences (columns):

                         Insignificant  Minor  Moderate  Major  Catastrophic
                               1          2       3        4         5
A (5) Almost Certain           H          H       E        E         E
B (4) Likely                   M          H       H        E         E
C (3) Moderate                 L          M       H        E         E
D (2) Unlikely                 L          L       M        H         E
E (1) Rare                     L          L       M        H         H

E: Extreme Risk, Immediate Action Required
H: High Risk, Senior Management Attention Needed
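A worked example added here (it is not from the original slides): the sample matrix encoded in Python, together with the 1-25 risk score described under "Conduct Risk Analysis", the two matrix sanity checks from the "Consequence Likelihood Matrix" slide, and a prioritised list over a few procurement risks whose 1-5 values are constructed for illustration. The L and M ratings are assumed to mean Low and Medium, which the slide's legend omits.

```python
"""Consequence-likelihood matrix from the sample slide, with the checks the deck asks for."""

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# Rows are likelihood levels; string positions are consequence levels 1..5.
SAMPLE_MATRIX = {
    5: "HHEEE",
    4: "MHHEE",
    3: "LMHEE",
    2: "LLMHE",
    1: "LLMHH",
}
# E and H follow the slide legend; L and M are assumed to mean Low and Medium.
LEGEND = {
    "L": "Low Risk",
    "M": "Medium Risk",
    "H": "High Risk, Senior Management Attention Needed",
    "E": "Extreme Risk, Immediate Action Required",
}
RANK = {"L": 0, "M": 1, "H": 2, "E": 3}


def rating(likelihood, consequence, matrix=SAMPLE_MATRIX):
    """Qualitative rating (L/M/H/E) read off the matrix."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must both be on the 1-5 scale")
    return matrix[likelihood][consequence - 1]


def score(likelihood, consequence):
    """Semi-quantitative risk score 1-25: likelihood level times consequence level."""
    rating(likelihood, consequence)  # reuse the range check
    return likelihood * consequence


def check_matrix(matrix):
    """Return a list of problems with a matrix, empty if it passes.

    Two checks: a rating must never drop when either likelihood or consequence
    rises, and the lowest likelihood must remain tolerable (not Extreme) at the
    highest consequence, otherwise every activity with that consequence is
    automatically intolerable.
    """
    problems = []
    for lik in range(1, 6):
        for con in range(1, 6):
            here = RANK[matrix[lik][con - 1]]
            if con < 5 and RANK[matrix[lik][con]] < here:
                problems.append(f"rating drops from C{con} to C{con + 1} at likelihood {lik}")
            if lik < 5 and RANK[matrix[lik + 1][con - 1]] < here:
                problems.append(f"rating drops from L{lik} to L{lik + 1} at consequence {con}")
    if matrix[1][4] == "E":
        problems.append("lowest likelihood is Extreme at the highest consequence")
    return problems


def prioritise(risks, matrix=SAMPLE_MATRIX):
    """Order (name, likelihood, consequence) tuples: matrix rating first, score as tie-break."""
    return sorted(
        risks,
        key=lambda r: (RANK[rating(r[1], r[2], matrix)], score(r[1], r[2])),
        reverse=True,
    )


# Constructed 1-5 values for some risks taken from Examples 5.3 and 5.5; illustrative only.
PROCUREMENT_RISKS = [
    ("Unreliable supply of critical materials disrupts operations", 3, 4),
    ("Non competitive bidding leads to inferior products and/or high price", 3, 3),
    ("Supplier in liquidation causes major loss and/or disruption", 1, 5),
    ("Inaccurate MIS results in overpayment", 4, 2),
    ("Valuable suppliers leave due to excessive delay in payment", 2, 1),
]

if __name__ == "__main__":
    print("matrix problems:", check_matrix(SAMPLE_MATRIX) or "none")
    for name, lik, con in prioritise(PROCUREMENT_RISKS):
        print(f"{rating(lik, con)} {score(lik, con):>2}  "
              f"{LIKELIHOOD[lik]:>14} x {CONSEQUENCE[con]:<13} {name}")
```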
SCENARIO ANALYSIS
Applicability: Scenario analysis can be used to assist in making policy decisions and planning future strategies as well as to consider existing activities.
Process: Scenario analysis consists of defining a simplified 'model' of a real system and using the model to consider what might happen given various possible future developments. Sets of scenarios reflecting best case, worst case and 'expected' case may be used to identify what might happen under particular circumstances and analyse potential consequences and their likelihood for each scenario.
Strength:
• It takes account of a range of possible futures rather than focusing on the use of historical data
Limitation:
• Where there is high uncertainty some of the scenarios may be unrealistic
• Data may not be available to develop realistic scenarios
EVENT TREE ANALYSIS (ETA)
ETA identifies possible pathways following an initiating event or failure and assesses the frequency of the various possible outcomes.
Applicability: ETA can be used at any stage in the lifecycle of a product or process. It may be used qualitatively or quantitatively to help brainstorm potential scenarios and sequences of events following an initiating event, and how outcomes are affected by various treatments, barriers or controls intended to mitigate unwanted outcomes.
Process:
• Select an initiating event.
• List as headings the functions or systems which are in place to mitigate outcomes, in sequence.
• For each function draw a line to represent its success or failure. There can be only 2 branches for each function (yes it will happen or no it won't).
• Estimate the probability of success or failure for each branch.
• The frequency of the outcome is the product of the individual probabilities and the frequency of the initiating event.
EXAMPLE OF AN EVENT TREE
Initiating event: Supplier fails to deliver
Mitigating functions, in sequence: Alternative supplier? | Immediate supply? | No modification needed?

Alternative supplier: Yes 0.4
  Immediate supply: Yes 0.7
    No modification needed: Yes 0.9 → Outcome: No delay                Probability 0.252
    No modification needed: No 0.1  → Outcome: Delay for modification  Probability 0.026
  Immediate supply: No 0.3
    No modification needed: Yes 0.9 → Outcome: Delay for supply        Probability 0.108
    No modification needed: No 0.1  → Outcome: Very late               Probability 0.012
Alternative supplier: No 0.6       → Outcome: Cannot complete         Probability 0.600
                                                                 Total 1.000
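The supplier tree above, recomputed as an added example (not part of the original slides): each outcome probability is the product of the branch probabilities on its path, and multiplying by the initiating-event frequency gives the outcome frequency, as the ETA process slide states. The branch probabilities are the slide's; the tree representation and the 2-per-year initiating frequency in the usage are constructed.

```python
"""Event tree for the 'Supplier fails to deliver' example: each outcome's probability is the
product of the branch probabilities along its path; multiplying by the frequency of the
initiating event gives the outcome frequency."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Node:
    """Either a mitigating function (a Yes/No question with p_yes) or an outcome leaf."""
    label: str
    p_yes: float = 0.0
    yes: Optional["Node"] = None
    no: Optional["Node"] = None

    def is_leaf(self):
        return self.yes is None and self.no is None


def outcome_paths(node, prob=1.0, path=()):
    """Depth-first walk; returns (outcome, path of (function, answer), probability) tuples."""
    if node.is_leaf():
        return [(node.label, path, prob)]
    if node.yes is None or node.no is None:
        raise ValueError(f"function '{node.label}' needs both a Yes and a No branch")
    if not 0.0 <= node.p_yes <= 1.0:
        raise ValueError(f"probability out of range for '{node.label}'")
    return (outcome_paths(node.yes, prob * node.p_yes, path + ((node.label, "Yes"),))
            + outcome_paths(node.no, prob * (1.0 - node.p_yes), path + ((node.label, "No"),)))


def outcome_frequencies(tree, initiating_frequency=1.0, digits=6):
    """Map outcome -> frequency. An outcome reached by several paths is summed."""
    freqs = {}
    for label, _, prob in outcome_paths(tree):
        freqs[label] = round(freqs.get(label, 0.0) + prob * initiating_frequency, digits)
    return freqs


def build_supplier_tree():
    """The slide's tree. The 'No modification needed' function appears on both supply
    branches but leads to different outcomes, so it is two nodes with the same label."""
    mod_if_immediate = Node("No modification needed", 0.9,
                            yes=Node("No delay"), no=Node("Delay for modification"))
    mod_if_late = Node("No modification needed", 0.9,
                       yes=Node("Delay for supply"), no=Node("Very late"))
    immediate = Node("Immediate supply", 0.7, yes=mod_if_immediate, no=mod_if_late)
    return Node("Alternative supplier", 0.4, yes=immediate, no=Node("Cannot complete"))


if __name__ == "__main__":
    tree = build_supplier_tree()
    for label, path, prob in outcome_paths(tree):
        steps = " > ".join(f"{fn}={ans}" for fn, ans in path)
        print(f"{prob:.3f}  {label:<22} via {steps}")
    # 0.4 * 0.7 * 0.1 = 0.028 on the modification branch; the five outcomes then sum to 1.000
    print("total probability:", round(sum(p for _, _, p in outcome_paths(tree)), 6))
    # Constructed initiating frequency: supplier fails to deliver twice a year
    print("outcomes per year:", outcome_frequencies(tree, initiating_frequency=2.0))
```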
MODELLING A NUCLEAR ACCIDENT SCENARIO (Sizewell Power Station)
The aim of the model was to find out how people would be affected and the best emergency response strategy.
WHAT DO WE WANT TO KNOW → HOW WOULD WE FIND OUT
• How much radiation would get out → Design accident
• How far and how fast would it spread → Use bomb tests for size and temperature of radioactive particles and use standard plume dispersal model
• What is the radiation dose to people at different distances from the plant → Absorption distance known from penetration tests
• How much protection is needed → How will people absorb radiation (skin, soil, food etc)
• How would it affect them → Dose response: data from bombs and testing
• Identify and assess risk of evacuation → From past experience, develop Emergency Evacuation Plan
MODELLING DOSE CONTOURS FOR A RADIOACTIVE RELEASE FROM SIZEWELL
It was estimated that:
• 400 face immediate death
• 2000 risk of cancer in the next 20 years
• Dust settled after 24 hrs
MONTE CARLO ANALYSIS
Monte Carlo is a complex mathematical sensitivity analysis used when there is a known relationship between input parameters (variables) and an outcome but the values of the parameters are uncertain. The effect of the variables on the result is calculated many times by computer (using software such as Crystal Ball or @RISK) to achieve the best estimated outcome.
• Monte Carlo analysis is a means of including uncertainty in models and equations
• It is a way of doing the calculation with distributions of values rather than single values
• An estimated range of outcomes can be obtained by repeating the calculation with the lowest estimates and the highest estimates
• It is very unlikely that all variables will be at the minimum at once, or all at the highest estimate
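An added illustration of the two points above (not from the original slides and not using Crystal Ball or @RISK): a procurement lead time is modelled as the sum of five uncertain stages, each carried as a triangular distribution, and the simulated spread is compared with the "all lowest" and "all highest" single-value cases. The stage names and their lowest/most likely/highest estimates are constructed.

```python
"""Monte Carlo illustration: carry distributions, not single values, through a calculation
and compare the simulated spread with the 'all lowest' and 'all highest' bounds."""
import math
import random

# Constructed example: procurement lead time as the sum of five uncertain stages, each
# given as (lowest, most likely, highest) working days and modelled as triangular.
LEAD_TIME_ESTIMATES = {
    "Develop specification": (5, 10, 20),
    "Tender period": (10, 15, 30),
    "Supplier selection": (3, 5, 12),
    "Contract negotiation": (2, 5, 15),
    "Delivery": (7, 14, 40),
}


def single_value_bounds(estimates):
    """The two 'repeat the calculation' cases from the slide: every input at its lowest
    estimate, and every input at its highest estimate."""
    lowest = sum(lo for lo, _, _ in estimates.values())
    highest = sum(hi for _, _, hi in estimates.values())
    return lowest, highest


def simulate(estimates, runs=20000, seed=31000):
    """Draw every stage from its triangular distribution and sum; returns the run totals."""
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    totals = []
    for _ in range(runs):
        total = 0.0
        for lo, mode, hi in estimates.values():
            total += rng.triangular(lo, hi, mode)
        totals.append(total)
    return totals


def percentile(values, pct):
    """Nearest-rank percentile for 0 < pct <= 100."""
    ordered = sorted(values)
    index = max(0, math.ceil(pct / 100 * len(ordered)) - 1)
    return ordered[index]


def summarise(totals, estimates):
    """Compare the simulated distribution with the single-value bounds."""
    lowest, highest = single_value_bounds(estimates)
    return {
        "all_lowest": lowest,
        "all_highest": highest,
        "min": min(totals),
        "p5": percentile(totals, 5),
        "p50": percentile(totals, 50),
        "p95": percentile(totals, 95),
        "max": max(totals),
        "mean": sum(totals) / len(totals),
        # share of runs within 10 % of the all-lowest case: how rarely every
        # variable sits near its minimum at the same time
        "share_near_all_lowest": sum(t <= lowest * 1.1 for t in totals) / len(totals),
    }


if __name__ == "__main__":
    summary = summarise(simulate(LEAD_TIME_ESTIMATES), LEAD_TIME_ESTIMATES)
    for key, value in summary.items():
        print(f"{key:>22}: {value:.2f}")
```

The printed p5/p95 band sits well inside the 27 to 117 day range that the all-lowest/all-highest calculation gives, which is the slide's point about why single-value extremes overstate the realistic range.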
ROOT CAUSE ANALYSIS
Overview: The analysis of a major loss to prevent its reoccurrence is commonly referred to as Root Cause Analysis (RCA), Root Cause Failure Analysis (RCFA) or Loss Analysis. RCA is focused on asset losses due to various types of failures, while Loss Analysis is mainly concerned with financial or economic losses due to external factors or catastrophes. It attempts to identify the root or original causes instead of dealing only with the immediately obvious symptoms.
Applicability:
• For accident investigations and occupational health & safety
• In technological systems related to reliability & maintenance
• Quality control for industrial manufacturing
• On business processes
• In change management, risk management and systems analysis
EXAMPLE OF ROOT CAUSE ANALYSIS
Problem: Leak from paint factory
Symptom: Yellow discharge in creek
First Level Cause: Pump leaked
Second Level Cause: Seal failed
Third Level Cause: Pump not maintained
Fourth Level Cause: No preventative maintenance
Root Causes:
• No preventative maintenance policy (lack of knowledge of managers)
• Workshop not available (old equipment; low staff level)
• Financial constraints
ROOT CAUSE ANALYSIS FOR POSITIVE RISK
The tree reads top-down, from the objective to the conditions that must hold for it:
Objective: Maximum profitability
Necessary Conditions (Success Criteria):
• Dominant market share
• Customer satisfaction
• Leading edge technology
• World class communication systems/products
• World class customer support
• Innovation
• Speed of development and/or response
• High quality hardware, software
• High quality, secure, satisfied workforce
• Highly competent associates
• Fulfillment of individual needs
EXAMPLE OF A FAULT TREE
The fault tree below demonstrates the causes of the problem of a projector failure during a lecture.
Head (Top) Event: Projector Lamp Outage
  OR gate (any one of the events below causes the one above):
  • Unresolved Lamp Failure
      AND gate (all of the events below needed to cause the event above):
      • Lamp Failure (base event)
      • No spare lamp (base event)
  • Accidental Shutdown
      OR gate:
      • Trip and unplug (base event)
      • Operator error (base event)
  • Wiring Failure (base event)
  • Power outage
      OR gate:
      • Internal (base event)
      • External (base event)
EXAMPLE OF AN EVENT TREE
The event tree below demonstrates the consequences of the problem of a projector failure during a lecture.
Initiating event: Projector Failure
• Lecturer fixes light? Y → Lecture proceeds
  N ↓
• Technician fixes? Y → Slight delay
  N ↓
• Back up projector available? Y → Lecture delayed
  N ↓
• Lecturer has to print out? Y → Lecture delayed
  N → Lecture cancelled
CAUSE-AND-EFFECT ANALYSIS
Cause-and-effect analysis is a structured method for identifying possible causes of an undesirable event or problem. It is used to enable consideration of all possible scenarios and causes generated by a team of experts. The information is organized in either a fishbone or sometimes a tree diagram (below).
ISHIKAWA – FISHBONE DIAGRAMS
Identify the problem to be solved as the fish head; the main bones of the fish represent the main categories under which problems might fall. The team brainstorms each category to identify potential causes, sub-causes and factors which affect the risk.
BOW TIE ANALYSIS
Bow tie analysis combines a fault tree and an event tree. The fault tree investigates the cause of the problem, the event tree the consequences, and the bow tie focuses on the barriers to threats.
Risk source/Cause → Controls → Risk Event → Controls → Consequences
Risk sources/causes and their preventative controls (left side of the bow tie):
• Light failure: Preventative maintenance
• Setup error: Training
• Power cut
• Ventilation failure, Globe failure: Preventative maintenance
• Accidentally unplug: Design, Tape down cable, Training
Risk event (knot of the bow tie): Projector failure
Mitigating controls (right side): Lecturer fixes; Back up projector; Hard copy
Consequences: Lecture proceeds; Lecture delayed; Lecture cancelled
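The fault tree, event tree and bow tie slides above all use the same projector-failure scenario, so one added example serves the three of them. It is not code from the deck; it is a small evaluator that computes the probability of the top event from base-event probabilities through AND/OR gates (and lists the minimal cut sets), then feeds that probability into the event tree to get the likelihood of each consequence. Every probability below is an assumed, illustrative value, and the gate placed under each intermediate event (AND for the lamp and shutdown branches, OR for wiring) is an assumption about how the slide's gates are drawn.

```python
"""Fault tree (causes) and event tree (consequences) for the projector-failure
bow tie. Added example; all probabilities are assumed, illustrative values."""
import math
from itertools import product
from typing import Dict, FrozenSet, List, Tuple, Union

# A tree node is either a base-event name or a (gate, [children]) pair.
Node = Union[str, Tuple[str, List["Node"]]]

# Assumed per-lecture probabilities for each base event (not from the deck).
BASE_PROB: Dict[str, float] = {
    "power outage": 0.01,
    "lamp failure": 0.05,
    "no spare lamp": 0.5,
    "trip and unplug": 0.02,
    "operator error": 0.1,
    "internal wiring fault": 0.005,
    "external wiring fault": 0.002,
}

# Gate assignments below the top-level OR are an assumption about the slide.
PROJECTOR_FAULT_TREE: Node = ("OR", [
    "power outage",
    ("AND", ["lamp failure", "no spare lamp"]),                  # unresolved lamp failure
    ("AND", ["trip and unplug", "operator error"]),              # accidental shutdown
    ("OR", ["internal wiring fault", "external wiring fault"]),  # wiring failure
])


def top_event_probability(node: Node, base: Dict[str, float] = BASE_PROB) -> float:
    """Probability of the event at `node`, treating base events as independent."""
    if isinstance(node, str):
        return base[node]
    gate, children = node
    probs = [top_event_probability(child, base) for child in children]
    if gate == "AND":            # all inputs needed
        return math.prod(probs)
    if gate == "OR":             # any input suffices: 1 - P(none occur)
        return 1.0 - math.prod(1.0 - p for p in probs)
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node: Node) -> List[FrozenSet[str]]:
    """Smallest combinations of base events that are sufficient for the top event."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [minimal_cut_sets(child) for child in children]
    if gate == "OR":             # any child's cut set is a cut set of the parent
        candidates = {cs for sets in child_sets for cs in sets}
    else:                        # AND: one cut set from every child, unioned
        candidates = {frozenset().union(*combo) for combo in product(*child_sets)}
    # keep only minimal sets (drop any that strictly contain another candidate)
    return sorted(
        (cs for cs in candidates if not any(other < cs for other in candidates)),
        key=lambda cs: (len(cs), sorted(cs)),
    )


# Event tree: (barrier question, P(barrier works), outcome if it works), in order.
# Barrier success probabilities are assumed; the outcomes are the deck's.
PROJECTOR_EVENT_TREE = [
    ("lecturer fixes light", 0.6, "lecture proceeds"),
    ("technician fixes", 0.5, "slight delay"),
    ("back up projector available", 0.5, "lecture delayed"),
    ("lecturer has to print out", 0.8, "lecture delayed"),
]
FINAL_OUTCOME = "lecture cancelled"   # reached only if every barrier fails


def outcome_probabilities(initiating_prob: float,
                          branches=PROJECTOR_EVENT_TREE,
                          final: str = FINAL_OUTCOME) -> Dict[str, float]:
    """Probability of each consequence, walking the tree left to right."""
    remaining = initiating_prob
    result: Dict[str, float] = {}
    for _question, p_works, outcome in branches:
        result[outcome] = result.get(outcome, 0.0) + remaining * p_works
        remaining *= 1.0 - p_works
    result[final] = result.get(final, 0.0) + remaining
    return result


def bow_tie(base: Dict[str, float] = BASE_PROB) -> Dict[str, float]:
    """Join both halves: P(risk event) from the fault tree feeds the event tree."""
    return outcome_probabilities(top_event_probability(PROJECTOR_FAULT_TREE, base))


if __name__ == "__main__":
    print("P(projector lamp outage) =", round(top_event_probability(PROJECTOR_FAULT_TREE), 4))
    for cs in minimal_cut_sets(PROJECTOR_FAULT_TREE):
        print("cut set:", sorted(cs))
    for outcome, p in bow_tie().items():
        print(f"{outcome:>18}: {p:.5f}")
```

The cut sets are the useful output for choosing left-side controls: a single-event cut set (such as "power outage") has no barrier in front of it, whereas a two-event cut set is already being held back by whichever control keeps the second event from occurring. The independence assumption in `top_event_probability` is the same one LOPA later relies on; a shared cause (one power supply behind two "independent" branches) breaks it.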
LAYER OF PROTECTION ANALYSIS (LOPA)
Layer of Protection Analysis (LOPA) is a semi-quantitative technique for analysing the effectiveness of controls. It considers the different layers of controls along the time line of risk, from the initiating event to response and recovery. An initiating event and consequence pair is selected. The possible controls which could be put in place for that particular cause-consequence pair, and the layer of protection each belongs to in the diagram below, are then identified.
INDEPENDENT PROTECTIVE LAYER (IPL)
An IPL is a device, system or action that is capable of preventing a scenario proceeding to its undesired consequence, independent of the initiating event or any other layer of protection associated with the scenario.

The IPL must be:
 Effective in preventing the consequence if it functions as designed
 Independent of the initiating event and of other IPLs already included
 Auditable: the effectiveness of an IPL must be verifiable

Safeguards which are not IPLs:
× Training
× Procedures
× Normal testing and inspection
× Maintenance
× Communications
× Signs
× Information
These are considered normal conditions, not preventative measures. They are also common mode failures, ie not independent.
COMPARISON BETWEEN LOPA AND EVENT TREE ANALYSIS
Initiating Event: Fire occurs
Independent protection layers: IPL1 Sprinkler, IPL2 Alarm, IPL3 Evacuation
Consequence: eg casualties
Event tree branches:
• IPL1 success → Safe outcome
• IPL1 failure, IPL2 success → Undesired but tolerable outcome
• IPL1 failure, IPL2 failure, IPL3 success → Undesired but tolerable outcome
• IPL1, IPL2 and IPL3 all fail → Consequence exceeding criteria
QUANTIFICATION OF LOPA
LOPA estimates the likelihood of the undesired consequence by multiplying the frequency of the initiating event by the product of the PFDs (Probability of Failure on Demand) for the applicable IPLs.

Frequency of consequences = Frequency of initiating event × the Probability of Failure on Demand of each IPL

$$f_i^C = f_i^I \times \prod_{j=1}^{J} PFD_{ij}$$

$$\left( f_i^C = f_i^I \times PFD_{i1} \times PFD_{i2} \times \dots \times PFD_{iJ} \right)$$

Where $f_i^C$ = frequency for consequence C for initiating event i
$f_i^I$ = initiating event frequency for initiating event i
$PFD_{ij}$ = probability of failure on demand of the jth IPL that protects against consequence C for initiating event i
EXAMPLE QUANTIFICATION OF LOPA
Initiating event: Fire occurs, frequency of occurrence $10^{-3}$
Protection barriers and their probability of failure: IPL1 Sprinkler $10^{-2}$, IPL2 Alarm $10^{-1}$, IPL3 Evacuation $10^{-1}$
Consequence: Fire with casualties

$$f_i^C = f_i^I \times PFD_{i1} \times PFD_{i2} \times \dots \times PFD_{iJ}$$

Frequency of Fire with Casualties $= 10^{-3} \times 10^{-2} \times 10^{-1} \times 10^{-1} = 10^{-7}$ (one in ten million chance)
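The IPL slide and the two LOPA quantification slides above are combined in one added example (not code from the deck). It applies the IPL tests (not one of the "normal condition" safeguard types, independent, auditable, effective) to a candidate list before crediting any layer, then computes $f^C = f^I \times \prod PFD$ with the deck's fire figures ($10^{-3}$, $10^{-2}$, $10^{-1}$, $10^{-1}$) and also reports the event-tree view of where the initiating-event frequency is stopped. The candidate list, including the training item and the second alarm that shares a power supply, is constructed for the example; the `Safeguard` fields and the helper names are the example's own.

```python
"""LOPA quantification: consequence frequency = initiating-event frequency x
product of the PFDs of the credited independent protection layers.
Added example using the deck's fire scenario figures; the candidate safeguard
list and its qualification flags are constructed."""
import math
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Safeguard:
    name: str
    kind: str            # e.g. "sprinkler", "training"
    pfd: float           # probability of failure on demand
    independent: bool    # independent of the initiating event and other IPLs
    auditable: bool      # effectiveness can be verified


# Safeguard kinds the deck lists as NOT independent protection layers
NOT_IPL_KINDS = {"training", "procedures", "normal testing and inspection",
                 "maintenance", "communications", "signs", "information"}


def qualifies_as_ipl(s: Safeguard) -> bool:
    """Apply the IPL tests: not a 'normal condition', independent, auditable,
    and effective (a PFD of 1 would mean it never works, 0 is not credible)."""
    if s.kind in NOT_IPL_KINDS:
        return False
    return s.independent and s.auditable and 0.0 < s.pfd < 1.0


def select_ipls(candidates: List[Safeguard]) -> List[Safeguard]:
    """Keep only the layers that may be credited, in the order they act."""
    return [s for s in candidates if qualifies_as_ipl(s)]


def consequence_frequency(f_initiating: float, ipls: List[Safeguard]) -> float:
    """f_i^C = f_i^I x PFD_i1 x PFD_i2 x ... x PFD_iJ"""
    return f_initiating * math.prod(s.pfd for s in ipls)


def outcome_frequencies(f_initiating: float, ipls: List[Safeguard]) -> Dict[str, float]:
    """Event-tree view of the same layers: frequency stopped at each IPL and the
    frequency that gets past all of them (equal to consequence_frequency)."""
    out: Dict[str, float] = {}
    remaining = f_initiating
    for s in ipls:
        out[f"stopped by {s.name}"] = remaining * (1.0 - s.pfd)
        remaining *= s.pfd
    out["all IPLs fail"] = remaining
    return out


# Deck figures: fire occurs at 1e-3; sprinkler PFD 1e-2, alarm 1e-1, evacuation 1e-1.
# The last two candidates are constructed to show the IPL filter rejecting them.
FIRE_INITIATING_FREQUENCY = 1e-3
FIRE_CANDIDATES = [
    Safeguard("Sprinkler", "sprinkler", 1e-2, independent=True, auditable=True),
    Safeguard("Alarm", "alarm", 1e-1, independent=True, auditable=True),
    Safeguard("Evacuation", "evacuation", 1e-1, independent=True, auditable=True),
    Safeguard("Fire-safety training", "training", 0.5, independent=False, auditable=False),
    Safeguard("Second alarm (shares sprinkler power supply)", "alarm", 1e-1,
              independent=False, auditable=True),
]


def fire_with_casualties_frequency() -> float:
    """The deck's worked result: 1e-3 x 1e-2 x 1e-1 x 1e-1 = 1e-7."""
    return consequence_frequency(FIRE_INITIATING_FREQUENCY, select_ipls(FIRE_CANDIDATES))


if __name__ == "__main__":
    ipls = select_ipls(FIRE_CANDIDATES)
    print("credited IPLs:", [s.name for s in ipls])
    print("frequency of fire with casualties: %.1e" % fire_with_casualties_frequency())
    for label, f in outcome_frequencies(FIRE_INITIATING_FREQUENCY, ipls).items():
        print(f"  {label}: {f:.2e}")
```

The filter is where LOPA results most often go wrong in practice: crediting a procedure, or two layers that share a power supply or a controller, multiplies in a PFD that is not independent and understates the consequence frequency by an order of magnitude or more.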
9. RISK ANALYSIS AND DECISIONS
RISK MANAGEMENT vs DECISION MAKING

Risk Management
• Establishing Context
• Identify Risks
• Analyse Risks
• Decide Acceptability
• Evaluate Alternatives
• Decide Treatment
• Implement Treatment
• Monitor

Decision Making
• Explore Backgrounds
• Define Problem
• Identify Issues
• Analyse Issues
• Evaluate Alternatives
• Make Decision
• Implement Decision
• Check It Works
DIFFERENT DECISIONS NEED DIFFERENT TYPES OF ANALYSIS
Decisions involving risk are not necessarily made on the basis of the level of a risk.

DECISION → ANALYSIS & EVALUATION METHOD
• Deciding whether treatment is required: Define criteria for when risk can be accepted and compare the level of risk with these criteria
• Deciding whether controls are good enough: Assess controls against a standard, or analyse the level of risk with existing controls and compare this risk with defined criteria
• Deciding how to treat a risk: Analyse risk causes (causal factors), the ways the event can be prevented or modified, and the ways consequences can be reduced
• Deciding priorities (which to treat first): Use rating tools
• Deciding between options: Weigh positive and negative risks and incorporate this into normal cost benefit analysis
DECISION TREE ANALYSIS
A decision tree is similar to an event tree but rather than considering only chance events, both events and decisions are included in the analysis. Decision nodes in a decision tree are indicated by rectangles and chance events by circles. Below is a decision tree for deciding whether to proceed with a development project.

Decision: proceed with the project, or not
• Proceed → chance node (value shown at the node: $23m) with three demand outcomes:
  - High demand: $55m, $43m
  - Medium demand (probability 0.55): $33m, $21m
  - Low demand: $15m, $3m
• Do not proceed: -$2m
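An added example of rolling a decision tree back to its expected monetary values (not code from the deck). It uses the slide's net payoffs ($43m, $21m, $3m for the three demand levels and -$2m for not proceeding) and the slide's 0.55 probability for Medium demand; the High and Low demand probabilities (0.25 and 0.20) are assumed because the slide does not show them, and with those values the proceed branch comes to $22.9m, close to the $23m drawn on the slide. The `Chance`/`Decision` node types and helper names are the example's own.

```python
"""Decision tree evaluation by expected monetary value. Added example built on
the deck's development-project figures; the High and Low demand probabilities
are assumed, only 0.55 for Medium appears on the slide."""
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass
class Chance:
    """Circle node: outcomes with probabilities that must sum to 1."""
    name: str
    branches: List[Tuple[str, float, "Node"]]   # (label, probability, subtree)


@dataclass
class Decision:
    """Rectangle node: the decision maker picks the option with the best value."""
    name: str
    options: List[Tuple[str, "Node"]]           # (label, subtree)


Node = Union[float, Chance, Decision]          # a float is a terminal payoff


def expected_value(node: Node) -> float:
    """Roll the tree back from the leaves: average at chance nodes, max at decisions."""
    if isinstance(node, (int, float)):
        return float(node)
    if isinstance(node, Chance):
        total = sum(p for _, p, _ in node.branches)
        if abs(total - 1.0) > 1e-9:
            raise ValueError(f"probabilities at {node.name!r} sum to {total}, not 1")
        return sum(p * expected_value(sub) for _, p, sub in node.branches)
    if isinstance(node, Decision):
        return max(expected_value(sub) for _, sub in node.options)
    raise TypeError(f"unsupported node {node!r}")


def best_option(node: Decision) -> str:
    """Label of the option with the highest expected value."""
    return max(node.options, key=lambda opt: expected_value(opt[1]))[0]


# Net payoffs in $m from the slide (43, 21, 3 for High/Medium/Low demand; -2 if
# the project is not pursued). Probabilities for High and Low are assumed.
PROJECT_TREE = Decision("proceed with development project?", [
    ("proceed", Chance("market demand", [
        ("high demand", 0.25, 43.0),    # assumed probability
        ("medium demand", 0.55, 21.0),  # probability from the slide
        ("low demand", 0.20, 3.0),      # assumed probability
    ])),
    ("do not proceed", -2.0),
])


def proceed_value() -> float:
    """Expected value of the 'proceed' branch (the slide shows $23m at this node)."""
    return expected_value(PROJECT_TREE.options[0][1])


if __name__ == "__main__":
    print(f"EV(proceed)  = ${proceed_value():.1f}m")
    print(f"EV(decision) = ${expected_value(PROJECT_TREE):.1f}m")
    print("best option  =", best_option(PROJECT_TREE))
```

Because chance nodes and decision nodes can be nested to any depth, the same two functions handle a tree with a later decision (say, whether to expand after observing demand) without change; the probability check at each chance node catches the most common modelling slip, branches that do not sum to 1.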
MULTI-ATTRIBUTE UTILITY THEORY (MAUT)
MAUT combines dissimilar measures of costs and benefits, along with individual stakeholder preferences, by calculating a value for each attribute on a common scale from 0 (worst) to 1 (best). All attributes are weighted subjectively, but the weights are defined to add up to 1. The example below shows that Option B is preferred.

Attribute    | Option A | Option B | Option C | Weight
Cost         | 0        | 0.3      | 1        | 0.25
Reliability  | 1        | 0.6      | 0        | 0.25
Safety       | 0.6      | 1        | 0        | 0.30
Performance  | 1        | 0        | 0.5      | 0.20
Total Score  | 2.25     | 2.45     | 0.45     | 1.0
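An added example of the MAUT calculation (not code from the deck): it checks that the weights sum to 1, computes each option's weighted utility from the slide's attribute table, ranks the options, and adds a `normalise` helper, which goes beyond the slide, for putting raw measurements such as cost in dollars or mean time between failures onto the 0 (worst) to 1 (best) scale before weighting. Run over the scores exactly as printed on the slide, the weighted sums come to 0.63 for A, 0.525 for B and 0.35 for C, which is not the slide's total row, so read the table as an illustration of the method rather than as a checked worked answer. The raw measurements in the `__main__` block are constructed.

```python
"""Multi-attribute utility scoring. Added example; the attribute table is the
slide's, the normalise() helper for raw measurements goes beyond the slide."""
from typing import Dict, List, Tuple

Scores = Dict[str, Dict[str, float]]   # option -> attribute -> value in [0, 1]

# Weights from the slide; they must add up to 1.
WEIGHTS: Dict[str, float] = {"Cost": 0.25, "Reliability": 0.25,
                             "Safety": 0.30, "Performance": 0.20}

# Attribute values from the slide, already on the 0 (worst) .. 1 (best) scale.
SLIDE_SCORES: Scores = {
    "A": {"Cost": 0.0, "Reliability": 1.0, "Safety": 0.6, "Performance": 1.0},
    "B": {"Cost": 0.3, "Reliability": 0.6, "Safety": 1.0, "Performance": 0.0},
    "C": {"Cost": 1.0, "Reliability": 0.0, "Safety": 0.0, "Performance": 0.5},
}


def check_weights(weights: Dict[str, float]) -> None:
    """Weights are subjective but must be non-negative and sum to 1."""
    if any(w < 0 for w in weights.values()) or abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must be non-negative and sum to 1")


def normalise(raw: Dict[str, float], higher_is_better: bool) -> Dict[str, float]:
    """Put raw measurements (cost in $, MTBF in hours, ...) on the 0..1 utility
    scale by linear interpolation between the worst and best observed values."""
    lo, hi = min(raw.values()), max(raw.values())
    if hi == lo:                       # all options equal: attribute cannot discriminate
        return {k: 1.0 for k in raw}
    scaled = {k: (v - lo) / (hi - lo) for k, v in raw.items()}
    return scaled if higher_is_better else {k: 1.0 - v for k, v in scaled.items()}


def utility(option_scores: Dict[str, float], weights: Dict[str, float]) -> float:
    """Weighted sum of an option's attribute utilities."""
    check_weights(weights)
    missing = set(weights) - set(option_scores)
    if missing:
        raise KeyError(f"option lacks attributes {sorted(missing)}")
    return sum(weights[a] * option_scores[a] for a in weights)


def rank_options(scores: Scores, weights: Dict[str, float] = WEIGHTS) -> List[Tuple[str, float]]:
    """Options ordered from most to least preferred by weighted utility."""
    return sorted(((opt, utility(vals, weights)) for opt, vals in scores.items()),
                  key=lambda item: item[1], reverse=True)


def scores_from_raw(raw_by_attribute: Dict[str, Dict[str, float]],
                    higher_is_better: Dict[str, bool]) -> Scores:
    """attribute -> option -> measurement  becomes  option -> attribute -> utility."""
    out: Scores = {}
    for attr, raw in raw_by_attribute.items():
        for opt, val in normalise(raw, higher_is_better[attr]).items():
            out.setdefault(opt, {})[attr] = val
    return out


if __name__ == "__main__":
    for opt, score in rank_options(SLIDE_SCORES):
        print(f"Option {opt}: {score:.3f}")
    # Constructed raw measurements (cost in $k, MTBF in hours) to show normalisation
    raw = {"Cost": {"A": 120.0, "B": 100.0, "C": 80.0},
           "MTBF": {"A": 900.0, "B": 600.0, "C": 300.0}}
    print(scores_from_raw(raw, {"Cost": False, "MTBF": True}))
```

Normalising against the observed minimum and maximum means adding or removing an option can change every other option's utilities; if stable scores matter, fix the worst and best values in advance (for example a budget ceiling and a target) instead of taking them from the candidate set.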
And Finally

The greatest risk of all is to take no risk at all!

The End
Questions?