2. Principles of Risk Management
Risk management can be defined as:
The eradication or minimisation of
the adverse affects of risks to which
an organisation is exposed.
3. Risk Management Process
• Establish the
context
• Identify risk
• Analyse risks
• Evaluate risks
• Treat risks
4. Establish The Context
Before risk can be clearly understood and dealt with, it
is important to understand the context in which it exists.
You should define the relationship between your club and
the environment that it operates in so that the
boundaries for dealing with risk are clear.
Establish the context by considering:
• The strategic context – the environment within which
the organisation operates
• The organisational context – the objectives, core
activities and operation’s of the club.
5. Identify The Risks
The purpose of this step is to identify what could go wrong
(likelihood) and what is the consequence (loss or damage) of it
occurring.
Key questions to ask include:
• What can happen? List risks, incidents or accidents that might
happen by systematically working through each competition,
activity or stage of your event to identify what might happen at
each stage.
• How and why it can happen? List the possible causes and
scenarios or description of the risk, incident or accident.
• What is the likelihood of them happening?
• What will be the consequences if they do happen?
6. Analyse the risks
• This involves analysing the likelihood and
consequences of each identified risk and deciding
which risk factors will potentially have the greatest
effect and should, therefore, receive priority with
regard to how they will be managed.
• The level of risk is analysed by combining estimates
of likelihood (table 1) and consequences (table 2), to
determine the priority level of the risk (table 3).
7. Table-1 Likelihood Scale
Rating
LIKELIHOOD
The potential for problems to occur in a year
5
ALMOST CERTAIN: will probably occur, could occur several times per
year
4 LIKELY: high probability, likely to arise once per year
3
POSSIBLE: reasonable likelihood that it may arise over a five-year
period
2 UNLIKELY: plausible, could occur over a five to ten year period
1
RARE: very unlikely but not impossible, unlikely over a ten year
period
8. Table-2 Loss or damage impact
scale
Rating
POTENTIAL IMPACT
In terms of the objectives of the club
5
CATASTROPHIC: most objectives may not be achieved, or several
severely affected
4 MAJOR: most objectives threatened, or one severely affected
3
MODERATE: some objectives affected, considerable effort to
rectify i.e. sport injury – requires medical attention and has
some impact on participation in sport and/or other activity
2
MINOR: easily remedied, with some effort the objectives can be
achieved i.e. sport injury requires first aid treatment and
prevents immediate participation in sport and/or other activity
1
NEGLIGIBLE: very small impact, rectified by normal processes
i.e. sport injury but does not prevent participation
10. Key of Risk Priority Scale
Extreme Extreme risks that are likely to arise and have potentially serious
consequences requiring urgent attention
Major Major risks that are likely to arise and have potentially serious consequences
requiring urgent attention or investigation
Medium Medium risks that are likely to arise or have serious consequences requiring
attention
Minor Minor risks and low consequences that may be managed by routine procedures
11. Treat the risks
• Risk treatment involves identifying the range of options
for treating the risk, evaluating those options, preparing
the risk treatment plans and implementing those plans.
It is about considering the options for treatment and
selecting the most appropriate method to achieve the
desired outcome.
12. Monitor and review
• As with communication and consultation, monitoring
and review is an ongoing part of risk management
that is integral to every step of the process.
• It is also the part of risk management that is most
often given inadequate focus, and as a result the risk
management programs of many organisations become
irrelevant and ineffective over time.
• Monitoring and review ensure that the important
information generated by the risk management
process is captured, used and maintained.
13. Example- Cricket Club
• Step 1 & 2: Establish Context & Identify risk
A risk identified under physical sporting environment -
“Does our cricket club take all reasonable steps to check
field for foreign objects which may result in injury to
players” would be considered as follows:
• Step 3 Analyse the risk
Is it likely that some of our club home field games may
not be checked properly or at all using the Cricket NSW
field check requirements [likelihood]?
Answer:
Maybe (probability Yes)
14. Example- Cricket Club
Question:
If yes, how likely?
Answer: Table 1
Likelihood rating would be a “3” (reasonable likelihood) over a
season.
Question: Table 2
If yes, what would be the consequences and/or the loss or damage
impact of those consequences [severity]?
Answer:
Impact rating would be a “3” (moderate, some objectives threatened
i.e. player injury may occur but can be easily remedied (prevented),
with some effort, objectives can be achieved).
15. Example- Cricket Club
• Question:
• What is the nature of the risk and the action
required?
• Answer: Table 3 rate the risk
• Given the likelihood rating is a “3” (possible) and the
impact rating is a “2” (minor), the risk rates as a
medium (level 3) risk on the risk rating scale.
• So it is a medium risk that is possible to arise over a
five year period but can be easily remedied.
16. Example- Cricket Club
• Question: Step 4 Treat the risk
• How should it be treated?
• Answer: Step 4 and 5.
• Ensure all volunteer cricket team coaches/managers
are aware of their game day obligations as required
by Cricket NSW and Cricket Australia under their risk
management program. Club office bearers should
ensure that volunteer cricket team coaches/managers
receive the appropriate training, information and
compliance checklists and provide feedback. They
should have first aid kits and medical plan.
17. The Risk Assessment Process
Define Hazards
Quantify Hazard Frequency
And Consequences
Compare Against Criteria
Document
18. The Risk Assessment Process
• What can go wrong? Initiating events
(scenario definition, e.g. small-break
LOCA) Event sequence logic
• How frequently does it happen?
Quantification
• What are the consequences? Consequence
modeling.
19. Human Reliability Assessment
• HRA has three parts:
1. Human error identification – to identify what errors can
occur
2. Human error quantification – to say how likely the
errors are
3. Human error reduction – to improve human reliability
• HRA integrates HF into RA through the concept of
Human Error
20. Human Reliability Assessment
(HRA) Techniques
In order to assess how likely it is that a process will fail based on the
potential of human error, a human reliability assessment (HRA) has
been undertaken.
HRA addresses the following questions:
• Which types of human error may occur (e.g. action error,
information retrieval error, communication error, violation)?
• What is estimated probability of such errors being made?
• What factors may influence this probability (e.g. time pressure,
stress, poor working environment, low morale)
• How can the identified human errors be prevented in the design or
how can their impacts be reduced by additional mitigating controls?
22. HEART Methodology
• The HEART technique was developed by Williams (1986)
and is based on human performance literature.
Step Task Output
1 Generic Task Unreliability: Classify the task
in terms of its generic human unreliability
into one of the 8 generic HEART task types
Nominal human
unreliability probability
2 Error Producing Condition & Multiplier:
Identify relevant error producing
conditions (EPCs) to the scenario/task
under analysis which may negatively
influence performance and obtain the
corresponding multiplier
Maximum predicted
nominal amount by
which unreliability may
increase (Multiplier)
23. Step Task Output
3 Assessed Proportion of Effect: Estimate
the impact of each EPC on the task
based on judgement
Proportion of effect
value between 0 and 1
4 Assessed Effect: Calculate the ‘assessed
impact’ for each EPC according to the
formula:
((Multiplier-1)Assessed proportion of
effect)+1
Assessed impact value
5 Human Error Probability: Calculate
overall probability of failure of task
based on the formula:
Nominal Human Unreliability×Assessed
impact 1×Assessed impact2 etc.
Overall probability of
failure
HEART Methodology
27. Incident
Five experienced individual operators with independent
tasks are involved in loading the drums onto the truck from
the barge and performing checks.
• One operator operates the crane.
• One operator is on the barge delivering the drums.
• One operator is on the truck receiving the drums by guiding
the drums from the crane into position on the truck and
fastening the lashing around the drums.
• One operator is on the ground fixing the clamps onto the
drums.
• The last operator performs the leak test by spraying
ammonia near the valve.
28. • The working environment is in an open space outdoors.
Since deliveries are not daily, it is assumed that weather
conditions are always favourable and loading of drums do
not occur under poor weather conditions;
• The overall failure probability for each scenario is
presented per truck trip.
Incident
29. Event- Insecure Load
• Once the operator on the truck lowers a drum into position,
the drum is secured in place with lashing belts to prevent
the drum from rolling or sliding off the truck during
transport.
• Since these lashing arrangements already exist, no further
credit has been taken.
• The drums are then further secured by custom-designed
clamps by an operator on the ground.
• It is recommended to have the operator on the truck
perform an independent check of the clamps to ensure that
the load is secured.
30. Insecure load which
could result in load
shedding during
transport
Failure to detect
insecure clamping by
self check and
independent check
Failure to detect
insecure clamping by
ground operator self
check
Failure of
independent check
to detect insecure
clamp
Failure to correct
insecure clamping
Event-
Insecure Load
31. Failure to Detect Insecure Clamping
By Ground Operator Self-Check
• Once the drum is in position on the truck, an operator
on the ground secures the drum with custom-designed
clamps to prevent load shedding during transport
• The Generic HEART Task Type : a complex task
involving the securing and checking of 12 clamps (2
clamps per drum) in a relatively short amount of time
• Nominal Unreliability= 0.16
32. Error Producing Conditions
• Error Producing Conditions (EPC) –Values are from Table
Shortage of time available for error detection &
correction
Multiplier=11
Little or no intrinsic meaning in a task
Multiplier=1.4
Low workforce morale
Multiplier=1.2
33. Assessed Proportion of Effect(APE)
• Assessed Proportion of Effect*(APE)
Shortage of time available for error detection &
correction
APE=0.3
Little or no intrinsic meaning in a task
APE=0.05
Low workforce morale
APE=0.3
* Proportions of effects lie in the range of 0 to 1 based on judgement.
34. Assessed Effect
Assessed Effect= {(multiplier-1)×APE}+1
• For Shortage of time available for error detection &
correction
Assessed Effect= {(11-1)×0.3}+1= 4
• Little or no intrinsic meaning in a task
Assessed Effect= {(1.4-1)×0.05}+1= 1.02
• Low workforce morale
Assessed Effect= {(1.2-1)×0.3}+1= 1.06
35. Human Error Probability
Human Error Probability (HEP)= Nominal Human Probability ×
Assessed Effect 1 × Assessed Effect 2 × … × Assessed Effect N
Human Error Probability (HEP)= 0.16 × 4 × 1.02 × 1.06 = 0.69
36. HEART Calculation
Task GTU EPCs Multiplier APE
Assessed
Effect
HEP
Failure to
detect
insecure
clamping
by ground
operator
self-check
0.16
Shortage of
time available
for error
detection &
correction
11 0.3 4
0.69Little or no
intrinsic
meaning in a
task
1.4 0.05 1.02
Low workforce
morale
1.2 0.3 1.06
37. Failure Of Independent Check To
Detect Insecure Clamp
After fastening the lashing around the load, the
operator on the truck will proceed to check the clamps
to ensure that the load is secured.
• The generic HEART task type :Routine, highly
practised, rapid task involving relatively low level of
skill
• Nominal Unreliability= 0.02
38. HEART Calculation
Task GTU EPCs Multiplier APE
Assessed
Effect
HEP
Failure of
independe
nt check
to detect
insecure
clamping
0.02
Low signal-to
noise ratio
10 0.1 1.9
Shortage of
time available
for error
detection &
correction
11 0.01 1.1
0.045Little or no
intrinsic
meaning in a
task
1.4 0.05 1.02
Low workforce
morale
1.2 0.3 1.06
39. Failure To Correct Insecure
Clamping
• Following the detection of insecure clamping of the
load, the operator would fix the clamping arrangement
such that the drum is properly secured. However, due to
time pressure or assumed low workforce morale, it is
possible that the insecure clamping may fail to be
corrected.
• The generic HEART task type :Completely familiar,
highly practised, routine task occurring several times
per hour, but without the benefit of significant job aids
• Nominal Unreliability = 0.0004.
40. HEART Calculation
Task GTU EPCs Multiplier APE
Assessed
Effect
HEP
Failure to
correct
insecure
clamping
0.0004
Shortage of
time available
for error
detection &
correction
11 0.01 1.1
4.76E-4Little or no
intrinsic
meaning in a
task
1.4 0.05 1.02
Low workforce
morale
1.2 0.3 1.06
41. Advantages
• Very quick and straightforward to use and also has a
small demand for resource usage.
• Provides the user with useful suggestions as to how to
reduce the occurrence of errors.
• It provides ready linkage between Ergonomics and
Process Design, with reliability improvement measures
being a direct conclusion which can be drawn from the
assessment procedure.
• It allows cost benefit analyses to be conducted.
• It is highly flexible and applicable in a wide range of
areas which contributes to the popularity of its use.
42. Disadvantages
• The EPC data has never been fully released and it is therefore not
possible to fully review the validity of Williams EPC data base.
Kirwan has done some empirical validation on HEART and found
that it had "a reasonable level of accuracy" but was not necessarily
better or worse than the other techniques in the study.
• It relies to a high extent on expert opinion, first in the point
probabilities of human error, and also in the assessed proportion of
EPC effect. The final HEPs are therefore sensitive to both
optimistic and pessimistic assessors
• The interdependence of EPCs is not modelled in this methodology,
with the HEPs being multiplied directly. This assumption of
independence does not necessarily hold in a real situation.
43. The HRA Methods Reviewed
Tool In full
FACE
Framework for Analysing Commission
Errors
HCR Human Cognitive Reliability
HEART
Human Error Assessment and
Reliability Technique
HORAAM
Human and Organizational Reliability
Analysis in Accident Management
HRMS Human Reliability Management System
JHEDI
Justified Human Error Data
Information
MAPPS
Maintenance Personnel Performance
Simulation
44. Tool In full
NARA Nuclear Action Reliability Assessment
OATS Operator Action Tree System
OHPRA Operational Human Performance
Reliability Analysis
PC Paired comparisons
PHRA Probabilistic Human Reliability
Assessment
SHARP Systematic Human Action Reliability
Procedure
SLIM-MAUD Success likelihood index methodology,
multi-attribute utility decomposition
SPAR-H Simplified Plant Analysis Risk Human
Reliability Assessment
STAHR Socio-Technical Assessment of Human
Reliability
TESEO Tecnica empirica stima errori operatori
(Empirical technique to estimate
operator errors)
45. HRA in Probabilistic Risk
Assessment
Project Planning
Work
Familiarization
Sequence
Identification
System Analysis
Data Analysis
Participating in Planning, Establish Reporting
Identify Human Actions
Identify Human Actions
Select key actions for detailed analysis
Add human Actions to module
PSA Activities HRA Activities
46. HRA in Probabilistic Risk
Assessment
Quantification
Results
Recovery Analysis
Report
Write Report
Peer Review
Identify PSFs and Evaluate
Identify PSFs and Evaluate, Determine impact
of human actions
Identify PSFs and Evaluate, Determine impact
of human actions
Determine impact of human actions, Evaluate
remedial Actions
Participate in report writing
Respond to comments and Revise
PSA Activities HRA Activities
47. Incidents Are An Indicator
To Improve Our Performance
Understanding what
happened and why
enables us to
improve our business
48. The “Conventional” View of
Accidents
• Once again there is a clear
recognition that defences
of some kind have been
breached, usually because
of an unsafe act carried
out in a specific situation
and in the presence of
hazards of some kind.
• That infers that the
hazards were not
controlled (otherwise
nothing or no one would
have been harmed). Thus
far nothing is new.
49. The “Tripodian” View of
Accidents
• It uses the Conventional”
diagram above but adds a
third component “General
Failure Types” (GFTs).
• What changed this long
established view was some
highly original research
sponsored by one of the oil
majors and carried out at
two major universities,
one in Holland and one in
the UK.
50. The “Tripodian” View of
Accidents
• The research originally set out to establish the
role of the human being in the accident
equation but very quickly established an
“alternative” theory of accident causation.
• Because of the triangular shape of the basic
model of the theory, it became known as the
“Tripodian” view of accident causation.
51. The Tripod Causation Model
• The research delved deep into the
causation theory in order to establish a
concrete link between breached defences
and controls and active and latent failures
thus the Tripod causation model was born
52. Tripod – Useable Tool
Tripod-BETA
• Useful in assisting
the investigation
process, is aimed
primarily at
providing a well-
structured and
highly disciplined
approach to
analysing
accidents.
Tripod-DELTA
• Is a proactive
safety health
check.
54. What Is Tripod-BETA ?
• A methodology for incident analysis during an
investigation
• Combine concepts of hazard management
and the Tripod theory of accident causation.
55. How Does Tripod-BETA Work ?
The incident facts are built into a tree diagram
showing ...
- What happened ?
- What hazard management elements failed ?
- Why each element failed ?
56. How Does The Tree Work ?
Let’s walk through a simple incident
introducing the terminology and logic that
underpins Tripod-BETA
57. Example
• Location: An offshore platform
• Incident: An operative coming off shift slips and
falls in the shower room
• Consequence: He hurts his back and is off work.
In the past three months there have been two
similar incidents
58. Initial Findings
• The incident occurred at 18:20 hours
• The operative slipped on the wet floor
• Cleaning staff are supposed to keep
the shower room floor dry
59. Starting A Tripod Tree
We start by identifying:
• An EVENT – Where a hazard and a target get together
• A TARGET - A person or an object that was harmed
• A HAZARD - The thing that did the harm
60. The Hazard, Event, Target
They are shown in a Tripod tree like this:
Hazard
Event
Target
61. Hazard, Event, Target
In this incident:
The HAZARD is : Wet floor (slipping hazard)
The EVENT is : Operative falls in shower
room
The TARGET is : Operative
62. Hazard, Event, Tree Diagram
The Hazard,
Wet floor
(slipping
hazard)
Event
Target
63. Hazard, Event, Tree Diagram
The Hazard, acting on the Target,
Wet floor
(slipping
hazard)
Event
Operative
64. HET Diagram
The Hazard, acting on the Target, resulted in the
Event
Wet floor
(slipping
hazard)
Operative falls
in shower room
Operative
65. Is The Investigation
Complete ?
• Does this show full understanding ?
Finding: The man must have been careless
Recommendation: He should take more care
on a wet floor
• Or is there something more ?
66. Was The Incident
Preventable ?
• We know that a hazard management
measure was in place
• Cleaning staff were assigned to keep the
floor dry
• That ‘barrier’ to the incident failed.
68. Incident Mechanism
The incident mechanism looks like this:
Wet floor
(slipping
hazard)
Operative falls
in shower room
Operative
Floor
drying
69. Further Investigation
What caused the barrier to fail ?
• The cleaner could not keep the floor dry .
• because the shower room was always
congested between 18:00 and 19:00 hours.
70. Active Failure
Wet floor
(slipping
hazard)
Operative falls
in shower room
Operative
Floor drying
Active
Failure
An Active
Failure
defeated the
barrier
Active failures can be viewed as ‘the straw that broke the
71. Active Failures: Unsafe Acts or
Conditions
Active failures are the failures close to the
accident event that defeat the controls and
defences on the hazard and target trajectories
Active Failure: Cleaner unable to keep floor dry
73. End of Investigation ?
• Is this the end of the investigation ?
Finding: The cleaner was incompetent
Recommendation: Cleaner should be
replaced or retrained
Or is there still something more ?
74. Further Investigation
• We know that congestion was a factor that
prompted the active failure.
• Telephones are only available for private
calls up till 19:00 hours.
• The congestion is caused by day shift crew
hurrying to call home.
75. The Full Picture
Now we have the full picture:
• The congestion is a ‘Precondition’ that
influenced the cleaner’s task
• Restriction on telephones is a ‘Latent Failure’
that created the precondition
77. Precondition
• Preconditions are the environmental,
situational or psychological “system states” or
even “states of mind” that promote, or directly
cause, active failures.
• Preconditions form the link between active and
latent failures and can be viewed as the sources
of human error.
Precondition: Congestion 18:00 – 19:00 hours
80. Latent Failure
• “A defining characteristic of latent
failures is that they have been
present within the operation before
the onset of a recognisable accident
sequence
82. The Eleven Latent Failures
• The eleven latent failures, which constitute
what are known as the General Failure Types
(GFTs).
• “The eleven latent failures represent the vital
organs of the safety equation – failure to ensure
their inherent good health will increase your
propensity to have accidents”.
Latent Failure: Restriction on private phone
calls
84. Recommendations
Action items should address:
• The failed barrier ...
to restore safe conditions on a temporary
basis
(provide extra cleaner between 18:00 and
19:00)
• The latent failure ...
to remove the underlying cause
(extend the availability of shore telephone)
85. The Tripod Incident Chain And
Feedback loop
The Tripod causation model can be further
expanded to show the various ways of learning
from
• Accidents themselves;
• From what are called observed unsafe acts
and:
• By proactively measuring or assessing the
state of health of the eleven GFTs.
86.
87. Summary Of Tripod-BETA
• Investigate
• Identify each event starting with the main one – do not
proceed until this is done
• For each event identity the hazard and target (object of
harm)
• For each hazard identify the breached or missing control(s)
• For each target identify the breached or missing defence(s)
• Confirm the changed status of each event i.e. each event
(except the final one) becomes either a target or a hazard
in its own right
• Confirm the totality of the sequence and that no events are
missing i.e. the whole tree should following a continuous
and verifiable sequence
88. • Make sure that you have not omitted any events in the
response/recovery stage of the incident
• Seek out missing information identified during the first phase
and repeat the process if necessary
• Graphically display the resultant event tree and recheck once
more
• For each breached or missing control on each hazard leg
identity the active failure
• For each breached or missing defence on each target leg
identity the active failure
• For each active failure identify the relevant precondition
Summary Of Tripod-BETA
89. • For each precondition identify the latent failure
and categorise into GFTs (up to three GFTs may
be involved per latent failure)
• Add up all the GFTs and graphically plot them in
the form of vertical bars–the highest bars are
indicators of greatest weakness and therefore
greatest concern
• Identify the (fallible) decision behind each GFT
where possible
• Seek out missing information identified during
phase 2 and repeat the process if necessary
Summary Of Tripod-BETA
91. Tripod-DELTA
• “Tripod-DELTA addresses the latent failures that
are behind the active failures, most of which are
caused by human error. It reveals the factors
that increase the likelihood of human errors so
that they can be proactively addressed
92. Tripod-DELTA
• Whereas Tripod-BETA is able to identify,
amongst other things, latent failures after
an incident, Tripod-DELTA is able to identify
and quantify (at least in relative terms) the
existence of latent failures before an
incident happens.
• It is a proactive safety health check in every
sense of the word.
93. How It Works?
• Use Indicator questions to measure and assess
organizational health.
• Input the questions to computer programme.
• Computer select 20 questions randomly from each bank of
indicator questions.
• The questions are then displayed randomly and issued as
a questionnaire.
• Teams of operatives are then invited to answer the
questionnaire.
• The results are fed into the computer which then
categorises them in terms of GFTs.
94. • Computer analyses them comparing the yes/no answers
with the preferred answers in the system.
• The resultant analysis is then displayed as a “DELTA
profile” based on the number of differences per GFT
between the preferred answers and the answers given.
• The greater the difference the greater the height of
the vertical bar and the greater the concern.
• Each vertical bar represents one GFT i.e. Hardware,
Housekeeping etc. In this case the greatest differences
involve Maintenance management, Communications and
Defences.
How It Works?
95. • After diagnosis delta gives the organisation time to
correct problems before they potentially develop into
incidents.
• Team involved with the profiling will be invited to
identify specific concerns and to apply (usually) three
remedial measures for each of the three worse GFT.
• This involves a two or three hour “brainstorming”
session based on a “what”, “when” and “who” format,
i.e. what the action is, when it is to be completed and
who is responsible for its implementation.
How It Works?
97. Benefits of DELTA
• Resource prioritisation
• Proactive approach
• Self diagnostic
• Profiling between audits
• Addresses hidden failures
• Good cost/benefit ratio
• Human-tolerant system
98. Conclusion
• Tripod-DELTA looks at safety in a new light, examining
the entire organisation at every level for latent failures
instead of “traditional” safety problems.
• It provides feedback on potential incident causes
before any incident has occurred.
• It identifies the strongest and weakest areas of an
operation, therefore allowing the accurate
prioritisation of resources.
• As a self-diagnostic tool it is run by the line efficiently
and is flexible enough to avoid peak work periods.