Enterprise risk assessment methodologies: conclusions and strategic recommendations
Risk management and assessment are not new concepts and have been evolving for decades. Many methodologies and techniques, such as FMEA and bow-tie analysis, originate from the military, aviation, shipping and petroleum industries. Today, they remain some of the major risk assessment tools in various industries, such as mining, manufacturing and construction.
Enterprise risk can be categorised by the consequence of an incident, and the research focuses on hazard, operational, and strategic risks. Many risk assessment methodologies and techniques are common to the management of these risks, including OHSEQ. Risk assessment is a systematic process that forms part of the iterative risk management feedback loop, as recommended by the ISO 31000 risk management principles and guidelines.
The revised ISO standard is expected to become less prescriptive and allow organisations more freedom to develop their own in-house risk assessment frameworks, processes and methods that fit their risk profiles. In line with this trend, organisations are expected to deploy a combination of qualitative, semi-quantitative and quantitative methods that are complementary to each other, as there is no single, perfect method for an organisation and its work activities.
Internal risks, such as OHS and operational risks, are more specific and controllable than external risks that are often systematic to the entire country where the organisation operates. High-impact incidents should use quantitative or semi-quantitative risk assessment methods, which typically require a large amount of data and more sophisticated approaches, such as Value-at-Risk and Monte Carlo simulation, to improve the reliability of risk assessment outcomes. Qualitative and semi-quantitative approaches, such as brainstorming and risk matrices, are simple and easy to use at a lower cost than quantitative methods, but they are to a large extent constrained by subjective assumptions and opinions.
Most qualitative and semi-quantitative risk assessment techniques are based on the risk matrix approach, which includes frequency (likelihood, or probability) and severity (impact, consequence) elements. Some quantitative methods extend the risk matrix approach by incorporating exposure and/or vulnerability elements for more technical risk assessment, such as health and cybersecurity risks. Moreover, some risk assessment techniques, such as HAZOP and fault tree, focus on only one element of the model, for example, frequency or severity, while others, such as the bow-tie analysis, are more comprehensive, covering identification, analysis and/or evaluation techniques. This research has focused on those risk analysis and evaluation techniques that provide a comprehensive assessment instead of only one element of the risk evaluation equation.
Quantitative techniques, such as mathematical modelling and simulation with analytics software, are most effective for assessing high-severity events such as natural disasters and terrorist attacks. However, the measurement of the probability of such rare events is less reliable due to the high level of uncertainty. The integration of qualitative knowledge and judgement with quantitative models is a current practice to alleviate the issues of uncertainties, knowledge dimension, time dynamics, and the other disadvantages of risk assessment techniques. Although it is a challenge, risk assessment or measurement should take into account the interrelationships among risk categories and risks in order to assess risk from a portfolio perspective, for example, through regression and root cause analyses. There is also a need for substantial research and development to obtain adequate modelling and analysis methods to handle different types of systems, such as electrical utility infrastructure.
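The contrast drawn above between the risk matrix and quantitative methods such as Monte Carlo simulation and Value-at-Risk can be made concrete with a short example, added here and not part of the original article. The two risks, their ratings, the Poisson event frequency and the lognormal loss size are all constructed assumptions chosen so that both risks get the same matrix score and a similar expected annual loss.

```python
import math
import random

def poisson(rng, lam):
    """Knuth's method: number of events in one year at mean rate lam."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_annual_losses(freq, median_loss, sigma, years=20000, seed=1):
    """Monte Carlo: Poisson event count per year, lognormal loss per event."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    mu = math.log(median_loss)
    return sorted(
        sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, freq)))
        for _ in range(years)
    )

def value_at_risk(sorted_losses, level):
    """Annual loss not exceeded in `level` of the simulated years."""
    idx = min(len(sorted_losses) - 1, int(level * len(sorted_losses)))
    return sorted_losses[idx]

# Constructed register (assumed values):
# name, likelihood rating 1-5, severity rating 1-5, events/year, median loss
RISKS = [
    ("frequent minor incident", 5, 1, 5.0, 20_000),
    ("rare major incident", 1, 5, 0.04, 2_500_000),
]

def compare(sigma=0.5):
    rows = []
    for name, lik, sev, freq, median in RISKS:
        losses = simulate_annual_losses(freq, median, sigma)
        rows.append(dict(
            name=name, matrix=lik * sev,  # semi-quantitative matrix score
            mean=sum(losses) / len(losses),
            var95=value_at_risk(losses, 0.95),
            var99=value_at_risk(losses, 0.99)))
    return rows

if __name__ == "__main__":
    for r in compare():
        print(f"{r['name']:<24} matrix={r['matrix']} mean={r['mean']:>10,.0f}"
              f" VaR95={r['var95']:>10,.0f} VaR99={r['var99']:>10,.0f}")
```

Both rows share one matrix score and a similar mean, yet the rare major incident shows no loss at the 95% level and a far larger loss at the 99% level, which is the tail behaviour a matrix cannot express.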
By adapting to the OHSE context, NOSA is expected to incorporate the commonly used methodologies and techniques deployed in different industries and to recommend incorporating into training courses a combination of qualitative and quantitative approaches that are currently most effective in industries such as mining, construction and manufacturing.