
A Novel Software Platform Based On Fuzzy Models For Risk Assessment And Decision-Making About Integrated Management System


Academic year: 2021


DIPARTIMENTO DI INGEGNERIA DELL’ENERGIA DEI SISTEMI, DEL TERRITORIO E DELLE COSTRUZIONI

Thesis for the Master's Degree (Laurea Magistrale) in Management Engineering

A Novel Software Platform Based On Fuzzy Models For Risk Assessment And Decision-Making About Integrated Management System

Supervisors (Relatori): Prof. Ing. Gionata Carmignani, Dipartimento di Ingegneria dell'Energia, dei Sistemi, del Territorio e delle Costruzioni

Candidate: Antonio Tartarisco, antonio.tartarisco@gmail.com

Graduation session of 24/09/2014, Academic Year 2013/2014


SUMMARY

CHAPTER 1 AN OVERVIEW OF INTEGRATED RISK MANAGEMENT

1.1 Getting Started – Planning and Designing the Approach and Process

1.1.1 General

1.1.2 Understanding the Organization and its Context

1.1.3 Establishing and Articulating Direction for Integrated Risk Management

1.1.4 Accountability

1.1.5 Resources

1.1.6 Defining the Risk Management Process

1.2 Putting It in Place – Implementing Integrated Risk Management

1.2.1 Implementing the Risk Management Approach and Process

1.2.2 Providing the Environment and Infrastructure

1.3 Doing It – Practicing Integrated Risk Management

1.3.1 Ongoing Integrated Risk Management

1.3.2 Ensuring Continuous Risk Management Learning

1.4 Improving it – Continuously Improving Integrated Risk Management

1.4.1 Monitoring and Review of the Approach and Process

1.5 References

CHAPTER 2 THE USE OF FUZZY MODELS FOR RISK ASSESSMENT AND DECISION-MAKING

2.1 Fuzzy Logic and Fuzzy Set Theory

2.1.1 Alternative models

2.2 Application of Fuzzy set theory and Fuzzy logic: a Literature Review

2.3 References

CHAPTER 3 DESIGN OF A FUZZY DECISION SUPPORT FRAMEWORK FOR THE IDENTIFICATION, ASSESSMENT AND QUANTIFICATION OF RISKS

3.1 Risk assessment and decision-making framework based on fuzzy logic models

3.2 Selection of Quality, Environment and Safety (QES) features

3.3 References

CHAPTER 4 QEST: A GRAPHICAL USER INTERFACE FOR RISK ASSESSMENT AND DECISION-MAKING

4.1 The graphical user interface development

4.2 Preliminary Results and Discussions

4.3 References

FINAL REMARKS


Summary

Abstract; Introduction; Method; Feature Selection; Application; Preliminary tests; Conclusions; References

Abstract

Despite the growing availability of computing resources and the use of complex models, we still suffer from a lack of formal and structured decision-making tools to reduce risk and to control and manage processes in the field of integrated management systems (IMS). The aim of this work is the development of a practical user interface based on fuzzy models for risk assessment and decision-making about IMS. The study encompasses quality, safety and environmental (QES) management systems and provides QES evaluation criteria to select the most important features to configure the fuzzy model. The first part of the work presents an overview of IMS and a comparison of the classical approach to risk assessment with the implemented fuzzy logic framework. The last part describes the tool developed in Matlab, QEST, with preliminary tests performed with simulated data.

Abstract (translated from the Italian)

Despite the growing availability of computing resources and the use of complex models, there is still an evident lack of formal and structured decision-making tools for reducing risk and for controlling and managing processes in the field of integrated management systems (IMS). The aim of this work is the development of a practical user interface based on fuzzy models for risk assessment and decision-making. The study covers Quality, Environment and Safety management systems and provides evaluation criteria for selecting the most important parameters with which to configure the fuzzy model. The first part of the work presents an overview of IMS and a comparison between the classical approach to risk assessment and the implemented fuzzy logic framework. The last part describes the QEST tool developed in Matlab, with preliminary tests performed on simulated data.


Introduction

The introduction in recent years of quality, safety, health and environmental programs, such as ISO 9000, ISO 14000 and OHSAS 18000, and of risk management is impacting the way industry will control processes, risks and the needs of the customer in the future. Process management within an organization typically “evolves” over time, as needs arise, and is most often based on informal or semi-formal practice. Because this informal or semi-formal evolution lacks structure, companies are often left thinking “We should have done this differently”. Clearly, a more formal, structured means of managing processes is needed to reduce risk, control processes, manage organizational/process.

To overcome this problem, probability models are most often used in risk quantification and assessment. They have become the fundamental basis for informed decision-making related to risk in many areas. However, a probability model built upon classic set theory may not be able to describe some risks in a meaningful and practical way. In this work, the choice of a fuzzy logic approach with respect to other probabilistic models of decision-making related to risk starts from a context of a lack of experience data and entangled cause-and-effect relationships, which make it difficult to assess the degree of exposure to certain risk types. The use of fuzzy logic architectures can provide valuable support for the analysis of risk exposure. It allows users to focus on the foundation of risk assessment, which involves the cause-and-effect relationship between key factors as well as the exposure for each individual risk. Rather than asking for a direct input of the likelihood and potential severity of a risk event, it encourages human reasoning from the facts and knowledge to the conclusion in a consistent and well-documented way.

The literature contains some interesting works on risk management. Lahsasna (2009) [1], Cheng et al. (2006) [2] and Matsatsinis et al. (2003) [3] used fuzzy rules to formulate the dependencies between the variables in the context of classification analysis for a business failures model. Li et al. (2011) [4] used a fuzzy linear programming classification method with soft constraints to analyze credit cardholders’ behavior. Cherubini and Lunga (2001) [5] observed that in pricing contingent claims, the probability measure used may not be precisely known, and therefore used a class of fuzzy measures to account for this uncertainty. Yu et al. (2009) [6] proposed a multi-criteria decision analysis tool for credit risk evaluation using fuzzy set theory. Reveiz and Leon (2009) [7] studied operational risk using the fuzzy logic inference system (FLIS) to account for the complex interaction as well as nonlinearity in these inputs.

To highlight this concept, this work describes in turn the classical method of risk assessment and the designed architecture based on fuzzy logic models. An overview of the framework is followed by a description of the input features selected for the model. Finally, the QEST tool developed in Matlab is presented with preliminary tests, using data simulating risks and processes over the years.


Method

The classical approach to risk assessment starts from the analysis of individual risk exposure, while the fuzzy decision support framework starts from the analysis of the process and the opinion provided by the experts. Both systems are based on a bottom-up structure. The classical approach to risk assessment for IMS implementation was developed as a response to major accidents risk assessment requirements and is systematic and fully applicable to any company. This methodology typically consists of the following steps:

1. Identification of sources of hazard and possible target systems

2. Scenarios—combination of sources and targets, identification of possible actions

3. Evaluation of risk—definition of risk, likelihood (probability) and consequences, setting-up the acceptable level of risk in various areas, likelihood of proposed scenarios and acceptability of their consequences in the form of a matrix, the so-called risk matrix (Figure 1). The scenarios found in point 2 are placed into the matrix according to assessed probability and possible consequences. The scales on the risk matrix axes are the result of a top management decision. The position of a scenario within the risk matrix shows the acceptability of the risk (combination of probability and consequences) caused by this scenario

Fig. 1 The risk matrix (probability vs. consequences) [8]

4. Setting-up the objectives—this is based on the position of scenarios in the risk matrix (acceptable, conditionally acceptable, unacceptable)—the objectives are agreed upon according to the legal, political, or social acceptability of scenarios, so as to move them to acceptable levels by decreasing either their likelihood or their consequences or both, primarily dealing with non-acceptable risks


5. Definition of means of prevention and protection — this point is devoted to the planning of programs for reaching the objectives. The risk can be decreased through prevention (cleaner production approach), or using protections

6. Management of risk—personal, technical and financial resources for programs. The main goal of risk management is to keep the risks at an acceptable level by maintaining the tolerable risks and following the programs for reaching the goals to move unacceptable risks to an acceptable level. Risk management must involve procedures, resources, timetables, etc., so as to be able to fulfil safety programs, leading to a reduction of the risk level. All this is designed to avoid accidents, incidents, injury, or occupational diseases. When an accident has already occurred, a necessary part of risk management is crisis management to minimize losses/impacts.

The fuzzy logic strategy is an alternative to the classical method where every proposition must either be “true” or “false”. Instead, fuzzy logic asserts that things can be simultaneously “true” and “not true”, with a certain membership degree to each class. Fuzzy logic techniques are used to deal with uncertainty and can be very powerful when parameters are poorly characterized. Moreover, risk assessment results expressed in linguistic terms (fuzzy logic uses linguistic parameters) lead to an approach that decision makers can understand.

In this study, a methodology to assess the QES risk using fuzzy logic has been developed. The main steps to feed the system are:

• The inputs and outputs must be defined and then converted from values to linguistic parameters by creating fuzzy sets for each of them (feature selection and fuzzification process)

• A set of rules must be established. These rules will allow going from the input to the output. But now the process has to be inverted: from the linguistic parameter it is necessary to attain a crisp numeric value by the defuzzification process

• Finally, an output is obtained which is directly related with a certain level of risk. All these steps were carried out developing a graphical user interface in Matlab

• Once each of these steps has been reached through fuzzy logic application, a categorization of the risk of the process can be obtained: No risk, Low risk, Medium risk, High risk.


After the identification of the top risks, the fuzzy logic approach incorporates steps 5 and 6 of the classical method. Figure 2 reports the flow chart, which provides a global overview of the implemented fuzzy decision support framework based on QES scores for risk assessment.

[Figure 2, flow chart. Stages: Process selection; Investigation of process parameters; Identification of QES parameters (Quality: Plan, Do, Check, Act; Environment: Valuation of environmental issues, Effects on human health, Ecological end effects, Effects on resources; Safety: Occurrence frequency, Gravity, Contact factor, Adequacy protective measures); Fuzzy Model Setting; QES Index Investigation; Risk assessment]

Fig. 2 Flow chart of the implemented fuzzy decision support framework for risk assessment

Feature Selection

In this study, the QES evaluation criteria used to select the features were defined through experts' ideas and the weight of each one. Moreover, a literature search combined with the study of ISO management standards was performed to identify the most important QES features and to build the membership functions and the inference rules. The QES features were identified and selected from a literature review and from ISO 9001, ISO 14001 and OHSAS 18001, considering the following important factors:

• Importance: Potential for Improvement

• Scientific Acceptability: Reliability and Validity

• Feasibility: Implementation and cost

• Usefulness: Comprehensive

In order to improve the process strategies, the features of Quality are represented by the PDCA (Plan-Do-Check-Act) cycle [9]. In particular, the “Plan” process has been simplified using the Five Ws (Who, What, When, Where, Why) and one H (How) [10] questions, whose answers are considered basic in information-gathering about the Plan. All the answers are then converted into numerical values for each process analyzed, using the following normalized empirical range: 0 if the process correctly satisfies all six questions, and 1 vice versa. The “Do” process has been represented by the “time to perform the planned activities”, using the following empirical range: 0 if the process time is << time planned (tp), and 1 vice versa. The “Check” process has been represented by the “trend of performance indicators”, using the following empirical range: 0 if all the indicators of the process are within a specific correct range, and 1 vice versa. The “Act” process has been represented by the “achieved positive results”, using the following empirical range: 0 if all the results of the process are outperforming, and 1 vice versa.

The features selected for Environment are 4 big macro variables, chosen in order to carry out a proper risk assessment. In particular, the “Valuation of environmental issues” was selected, which refers to a “change in an environmental parameter, over a specified period and within a defined area, resulting from a particular activity compared with the situation which would have occurred had the activity not been initiated” (Wathern 1988) [11]. It analyses all such changes likely to occur as a consequence of the construction, the presence and, whenever applicable, the dismantling of a process. First of all, impacts are identified, and secondly they are studied in more detail. Impact identification is typically carried out by resorting to tools such as checklists, matrices or networks. Checklists simply consist of lists of environmental parameters potentially subjected to impacts. They are usually subdivided into the different environmental components (e.g., water, soil, air, etc.). The second Environmental feature was the “Effects on human health”, which consists of the evaluation of the significance of the impacts that have been predicted on human health. The third feature was the assessment of the “Ecological end effects” as well as the judgment of scientists and other professionals. The assessment can rely on the use of existing quality standards (e.g., concentration of pollutants in the air or noise level) or on case-by-case evaluations. It is fundamental to make explicit the criteria upon which the evaluation is based. In Edwards-Jones et al. (2000) [12] the following criteria are proposed to assess the significance of an environmental impact:

• The frequency, duration and geographical extent;

• The reversibility or recoverability of the changes;

• The possibility of mitigation;

• The social and political acceptance;

• The existence of pre-defined legal limits (e.g., air quality standards).

The last Environmental feature selected was “Effects on resources” which encourages business to understand the full spectrum of their environmental costs and integrate these costs into decision making.

Finally, 4 features were also selected for Safety, extracted from a previous analysis proposed by INAIL [13,14]:

1. the frequency of occurrence of an event

2. the probable damage derived from it

3. the factor of contact

4. an appraisal of the adequacy of the existing systems of protection at the moment of the accident

Tables 1, 2 and 3 summarize all the selected QES features, identifying empirically the optimum range of target:

| PLAN (5W+H) | DO (Time to perform the activities planned) | CHECK (Trend performance indicators) | ACT (Achieved positive results) | QUALITY | Proposals for improvements |
|---|---|---|---|---|---|
| Complete planning (0-0.3) | << TP (0-0.3) | Under control (0-0.3) | Outstanding (0-0.3) | Outstanding (0-0.25) | Propose new areas for improvement |
| Incomplete planning (0.2-0.5) | <= TP (0.2-0.5) | Not under control (0.2-0.5) | Average (0.2-0.5) | Average (0.26-0.45) | Reproposing areas for improvement |
| Incorrect planning (0.4-0.7) | > TP (0.4-0.7) | Not out of control (0.4-0.7) | Poor (0.4-0.7) | Poor (0.46-0.75) | Optimize the process |
| Absent planning (0.6-1) | >> TP (0.6-1) | Out of control (0.6-1) | Not acceptable (0.6-1) | Not acceptable (0.76-1) | Remapping the process |

Table 1: Features extracted for Quality system

| Valuation of environmental issues | Effects on human health | Ecological end effects | Effects on resources | ENVIRONMENT | Proposals for improvements |
|---|---|---|---|---|---|
| Outstanding (0-0.3) | Outstanding (0-0.3) | Outstanding (0-0.3) | Outstanding (0-0.3) | Outstanding (0-0.25) | Propose new areas for improvement |
| Average (0.2-0.5) | Average (0.2-0.5) | Average (0.2-0.5) | Average (0.2-0.5) | Average (0.26-0.45) | Reproposing areas for improvement |
| Poor (0.4-0.7) | Poor (0.4-0.7) | Poor (0.4-0.7) | Poor (0.4-0.7) | Poor (0.46-0.75) | Optimize the process |
| Not acceptable (0.6-1) | Not acceptable (0.6-1) | Not acceptable (0.6-1) | Not acceptable (0.6-1) | Not acceptable (0.76-1) | Valuation of environmental issues |

| Occurrence frequency (events/month) | Gravity (days of recovery of the initial conditions) | Contact factor (time of exposure) | Adequacy protective measures | SAFETY | Proposals for improvements |
|---|---|---|---|---|---|
| Remote (0-0.3) | Very slight (0-0.3) | Low (0-0.3) | Outstanding (0-0.3) | Outstanding (0-0.25) | Tolerable risk: no actions |
| Low (0.2-0.5) | Slight (0.2-0.5) | Average (0.2-0.5) | Average (0.2-0.5) | Average (0.26-0.45) | Moderately intolerable risk: medium-scale actions |
| Average (0.4-0.7) | Average (0.4-0.7) | High (0.4-0.7) | Poor (0.4-0.7) | Poor (0.46-0.75) | Intolerable risk: important actions |
| High (0.6-1) | Severe (0.6-1) | Very High (0.6-1) | Not acceptable (0.6-1) | Not acceptable (0.76-1) | Decidedly intolerable risk: urgent and important actions |

Table 3: Features extracted for Safety system

Each feature is given a score between 0 and 1; the score signifies the relative importance of that category (fuzzy element) to the decision maker. Equal membership means equal importance. For each of the four categories, a qualitative judgment is employed to determine the degree of system performance for that category. These qualitative judgments could be: “not acceptable”, “poor”, “average”, and “outstanding”. The final step is to combine the scores of the Quality, Environment and Safety fuzzy models, obtaining an overall evaluation of the QES index calculated according to the following empirical equation:

QES Index = (Quality Index * 0.5 + Environment Index * 0.5 + Safety Index * 1) / 2
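The steps listed in the Method section (fuzzification, rule evaluation, defuzzification), the ranges of Tables 1-3 and the QES Index equation above, carried through in Python as an added example; this is not the thesis's QEST/MATLAB code. The shoulder-shaped end sets, the midpoint peaks, the rule base (mean antecedent level rounded half up, standing in for the thesis's 32 rules, which the page does not list) and the names `infer`, `qes_index` and `band` are assumptions.

```python
from itertools import product

LABELS = ["outstanding", "average", "poor", "not acceptable"]

# Input sets on the feature ranges of Tables 1-3 (0-0.3, 0.2-0.5, 0.4-0.7, 0.6-1).
# Assumption: inner triangles peak at the range midpoint; the two end sets are
# shoulders, so that scores of exactly 0 and 1 still belong to a set.
INPUT_SETS = [(0.0, 0.0, 0.3), (0.2, 0.35, 0.5), (0.4, 0.55, 0.7), (0.6, 1.0, 1.0)]

# Output sets on the index ranges of the tables (0-0.25, 0.26-0.45, 0.46-0.75,
# 0.76-1). Assumption: symmetric triangles peaking at the range midpoint.
OUTPUT_SETS = [(0.0, 0.125, 0.25), (0.26, 0.355, 0.45),
               (0.46, 0.605, 0.75), (0.76, 0.88, 1.0)]

STEPS = 1000  # sampling resolution of the centroid over [0, 1]


def tri(x, a, b, c):
    """Triangular membership with feet a, c and peak b (a == b or b == c gives a shoulder)."""
    if x < a or x > c:
        return 0.0
    if x <= b:
        return 1.0 if b == a else (x - a) / (b - a)
    return (c - x) / (c - b)


def rule_output(levels):
    """Constructed rule base: consequent level = mean antecedent level, rounded half up."""
    n = len(levels)
    return (2 * sum(levels) + n) // (2 * n)


def infer(scores):
    """Mamdani-style inference for one model: min for AND, max aggregation, centroid."""
    if not scores or any(not 0.0 <= s <= 1.0 for s in scores):
        raise ValueError("feature scores must lie in [0, 1]")
    # Fuzzification: degree of each input in each linguistic set.
    degrees = [[tri(s, *mf) for mf in INPUT_SETS] for s in scores]
    # Rule evaluation: one rule per combination of antecedent levels.
    strength = [0.0] * len(OUTPUT_SETS)
    for levels in product(range(len(INPUT_SETS)), repeat=len(scores)):
        w = min(degrees[i][lvl] for i, lvl in enumerate(levels))
        if w > 0.0:
            out = rule_output(levels)
            strength[out] = max(strength[out], w)
    # Defuzzification: centroid of the clipped, aggregated output sets.
    num = den = 0.0
    for k in range(STEPS + 1):
        y = k / STEPS
        mu = max(min(w, tri(y, *mf)) for w, mf in zip(strength, OUTPUT_SETS))
        num += y * mu
        den += mu
    return num / den


def qes_index(quality, environment, safety):
    """The page's empirical equation: Safety carries twice the weight of the others."""
    return (quality * 0.5 + environment * 0.5 + safety * 1) / 2


def band(index):
    """Linguistic band by the upper bounds of the tables' index ranges.
    Assumption: the gaps between ranges (e.g. 0.25-0.26) go to the higher band."""
    for label, (_, _, upper) in zip(LABELS, OUTPUT_SETS):
        if index <= upper:
            return label
    return LABELS[-1]


if __name__ == "__main__":
    # Constructed sample scores: good Quality and Environment, bad Safety.
    quality = infer([0.05, 0.05, 0.05, 0.05])      # Plan, Do, Check, Act
    environment = infer([0.05, 0.05, 0.05, 0.05])  # four Environment features
    safety = infer([0.9, 0.9, 0.9, 0.9])           # four Safety features
    total = qes_index(quality, environment, safety)
    print(f"Q={quality:.3f} E={environment:.3f} S={safety:.3f} "
          f"QES={total:.4f} ({band(total)})")
```

With these constructed inputs the Safety model alone pulls the overall index into the "poor" band, which is the effect of the double weight on the Safety Index in the equation.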

Application

After the design of the fuzzy decision support framework, a fuzzy-based Graphical User Interface (GUI) was developed in this thesis for modeling the QES risk parameters. The GUI for fuzzy-based modeling has been developed using GUIDE and the Fuzzy Toolbox in MATLAB [15]. The developed GUI has been programmed to interact with fuzzy variables in order to model three different fuzzy systems: quality, environment and safety.

In this work, the input membership functions were divided into four linguistic values adapted respectively for the quality, environment and safety models. The membership functions are determined using the FUZZY Toolbox in MATLAB. Figure 3 shows an example of the membership function plots of the environmental fuzzy model.

Fig.3 Example of membership function plot of environmental system with input variable “valuation of environmental issue”

This technique enabled excellent model development for non-linear processes, with the rules generated in the FUZZY environment.

After the membership functions were defined, a set of rules was written into the system to determine the response. Each rule in the system was extracted and is considered very important and critical for generating the predictions in numeric form. A snapshot of the fuzzy rules fed into the system is shown in Figure 4. Given the non-linear behavior of the QES risk parameters, 32 rules were set for each fuzzy model to ensure that the desired outputs obtained are reliable and satisfactory.


The GUI is divided into a main interface and several sub-GUIs. The main GUI, shown in Figure 5, predicts the risk scores of the system once the input parameters [0-1] are keyed in by the user into the respective Quality, Environment and Safety boxes. Moreover, for each system it is possible to open the sub-GUIs and: plot the corresponding fuzzy model structure, as shown in Figure 6, with the “Plot FIS” button; set up the membership functions, as shown in Figure 3, with the “MF editor” button; add or remove inference rules, as shown in Figure 4, with the “Rule Editor” button; and plot in 3D, as shown in Figure 7, to examine the output surface of the corresponding fuzzy model for any one or two inputs. After tuning the parameters of each model, it is possible to estimate the total QES index.

Fig. 5 Running main GUI after loading simulated data


Once the fuzzy model is set up, it is possible to simulate the output risk of each system using the fuzzy rule viewer of the established model. It indicates the behavior of the response as the values of all twelve significant QES features change. Finally, the developed GUI also makes it possible to load the historical data collected over months, analyze all the processes and provide reports about the top risks to the user. Once the fuzzy models are selected, the user can analyze the result of the selected system. The main aim of the developed GUI is to model the risk processing phenomenon and predict the QES Index of a process. Therefore, twelve significant QES variables (Plan, Do, Check, Act, Valuation of Environment Issues, Effects on Human Health, Ecological end effects, Effects on Resources, Occurrence Frequency, Gravity, Contact Factor and Adequacy Protective Measures) were used for fuzzy predictive modeling, with the best combination of fuzzy variables chosen to predict the QES Index. The best fuzzy model was selected based on the analysis of the QES Index values obtained via various combinations of fuzzy variables. Each combination setting differs depending on the type of membership functions and the defuzzification methods.

Preliminary tests

From the analysis, it was found that the best fuzzy variable combination is the one with triangular membership functions. The model’s results are then plotted in Figure 8 to provide better Macro Process visualization.

Fig. 8 Quality, Environment, Safety, QES scores simulated for each month of the year for each process

Each subplot is a specific month of the year; the x-axis reports each single process, while the y-axis reports the corresponding output of the implemented fuzzy model. The 4 overlapped graphs represent respectively the Quality, Environment, Safety and QES scores, as written in the legend. This plot is very useful for highlighting the most critical processes and areas to the user. The same information is provided from another point of view by the colored maps produced for each system, as shown in Figure 9.

Fig. 9 Colormap of the processes for each month. The colors range from blue to red proportionally to the gravity of risk for each system

On the x- and y-axes we have respectively Months and Processes, and each color represents the gravity of risk using a colormap ranging from blue (low risk) to red (high risk).

Conclusions

A Graphical User Interface (GUI) for fuzzy modeling has been successfully developed to predict the QES risk by optimizing the fuzzy variables in the Matlab environment. The potential impact of the developed fuzzy decision support framework for the assessment of quality, environment and safety risks is remarkable. While the main focus of the classical approach is to start from the analysis of individual risk exposure, the fuzzy decision support framework starts from the analysis of the process and the opinion provided by the experts. The fuzzy model is extremely flexible, allowing the decision maker to use a broad range of linguistic variables and modifiers for finer discrimination, or to make changes to membership values and/or QES performance categories. It is also a useful system when the decision maker is faced with a series of sub-decisions where the available data is based on vagueness, uncertainty, and opinion. These sub-decisions are then combined into an overall system for QES performance evaluation. In the near future, this pioneering solution may pave the way to a novel QES risk assessment and management tool. This envisaged concept was turned into reality through its exploitation at the Oxylane company, which agreed to test it.


References

[1] Lahsasna, Adel. “Evaluation of Credit Risk Using Evolutionary-Fuzzy Logic Scheme.” Master’s diss., Faculty of Computer Science and Information Technology, University of Malaya, 2009.

[2] Cheng, Wen-Ying, Ender Su and Sheng-Jung Li. “A Financial Distress Prewarning Study by Fuzzy Regression Model of TSE-Listed Companies.” Asian Academy of Management Journal of Accounting and Finance 2, no. 2 (2006): 75–93. http://web.usm.my/journal/aamjaf/vol%202-2/2-2-5.pdf

[3] Matsatsinis, M., K. Kosmidou, M. Doumpos and C. Zopounidis. “A Fuzzy Decision Aiding Method for the Assessment of Corporate Bankruptcy.” Fuzzy Economic Review 3, no. 1 (2003): 13–23.

[4] Li, Aihua, Yong Shi, Jing He and Yanchun Zhang. “A Fuzzy Linear Programming-Based Classification Method.” International Journal of Information Technology and Decision Making 10, no. 6 (2011): 1161–74.

[5] Cherubini, Umberto, and Giovanni Della Lunga. “Liquidity and Credit Risk.” Applied Mathematical Finance 8, no. 2 (2001): 79–95.

[6] Yu, Lean, Shouyang Wang and Kin Keung Lai. “An Intelligent-Agent-Based Fuzzy Group Decision-Making Model for Financial Multicriteria Decision Support: The Case of Credit Scoring.” European Journal of Operational Research 195, no. 3 (2009): 942–59.

[7] Reveiz, Alejandro, and Carlos Leon. “Operational Risk Management using a Fuzzy Logic Inference System.” Borradores de Economia 574 (2009): 9–24. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1473614.

[8] Labodová, A. (2004). Implementing integrated management systems using a risk analysis based approach. Journal of Cleaner Production, 12(6), 571-580.

[9] Quality Improvement Methodologies – PDCA Cycle, RADAR Matrix, DMAIC and DFSS. Journal of Achievements in Materials and Manufacturing Engineering, Volume 43, Issue 1, November 2010.

[10] Five Ws. From Wikipedia, the free encyclopedia. http://en.wikipedia.org/wiki/Five_Ws

[11] Wathern, P. (1988), An introductory guide to EIA. In: Wathern P., ed., Environmental impact assessment. Theory and practice. London: Unwin Hyman, pp. 3-30.

[12] Edwards-Jones, G., B. Davies, S. Hussain (2000), Ecological Economics. An introduction. Cornwall: Blackwell Science.

[13] Metodi di data mining associati all’approccio fuzzy: metodologia integrata per l’analisi degli infortuni sul lavoro. R. Luzzi, G. Fois, S. Murè, F. Palamara, N. Piccinini, INAIL.

[14] Environmental risk assessment of accidental releases in chemical plants through fuzzy logic R.M. Darbra and J. Casal Centre d’Estudis del Risc Tecnològic (CERTEC).

Chapter 1

An overview of Integrated Risk Management

The value of integrated management systems has been underlined in recent years by the development of a set of aligned ISO management standards for quality, environment and health and safety. The implementation process was found to have been strongly influenced by a number of factors, including: the background experience of the implementation team; communication between team members; input to the implementation process from quality and health and safety management; the contract nature of company business; the integrated nature of interfaces with clients; and the high level of influence exerted over relatively large numbers of subcontractors.

Risk management is recognized as a core element of effective organization. In a dynamic and complex environment, organizations require the capacity to recognize, understand, accommodate and capitalize on new challenges and opportunities. The effective management of risk contributes to improved decision-making, better allocation of resources and, ultimately, better results for Customers.

Risk

Risk is unavoidable and present in virtually every human situation. Public and private sector organizations face risks every day. The word risk generally connotes the notion of loss, injury or hazard. However, the commonly accepted modern definition of risk is "the effect of uncertainty on objectives". The Framework for the Management of Risk and this Guide explicitly adopt this neutral definition of risk, recognizing that risks involve both threats and opportunities.

Technically speaking, a risk is the expression of the likelihood and impact of an event with the potential to affect the achievement of an organization's objectives. The phrase "the expression of the likelihood and impact of an event" implies that, as a minimum, some form of quantitative and/or qualitative analysis is required for assessing risks. For each risk, two calculations are required: its likelihood or probability of occurring and the extent of the impact or consequences, should it occur. It should be emphasized that as risk is about the effect of uncertainty, and therefore future-oriented, risks are distinct from existing issues, problems, or business conditions, where likelihood of occurrence would not be an issue.

The risk level prior to taking into account existing controls and any existing risk responses is referred to as the "inherent" risk level. The remaining risk level after taking into account existing controls and any existing risk responses is referred to as the "residual" risk level.

Risk Management

Risk management, which involves a systematic approach to setting the best course of action under uncertainty by identifying, assessing, understanding, making decisions on, and communicating risk issues, is an integral component of good management. It does not necessarily mean risk avoidance in the case of potential threats. Rather, risk management equips organizations to make decisions that are informed by an understanding of their risks, and ultimately to respond proactively to change by mitigating the threats, and capitalizing on the opportunities, that uncertainty presents to an organization's objectives.

Integrated Risk Management

Risk management cannot be practiced effectively in silos. As a result, integrated risk management promotes a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective in a cohesive and consistent manner. It is about supporting strategic decision-making that contributes to the achievement of an organization's overall objectives. It requires an ongoing assessment of risks at every level and in every sector of the organization, aggregating these results at the corporate level, communicating them and ensuring adequate monitoring and review. Integrated risk management involves the use of these aggregated results to inform decision-making and business practices within the organization.

Integrated Risk Management – Overview

Risk management should be a fundamental underpinning of good management and decision-making at all levels of an organization. Risk management does not operate in isolation but needs to be built into existing decision-making structures and processes in order to support planning, priority setting, program management, financial reporting, audits and evaluations, the development of corporate business plans, business continuity, operations and performance assessment and other key functions throughout an organization at the departmental, branch and program levels. Embedding risk management into an organization's structures and programs using a consistent risk management process creates a cohesive integrated risk management environment.

Organizations that practice risk management in an integrated manner generate better information for decisions thereby improving on the achievement of their objectives. It is essential, therefore, to link risk management directly with the achievement of objectives at every level of the organization. If risk management does not appear to be helping decision-making, it might come to be seen as an additional administrative requirement that can be ignored.

The steps taken to implement integrated risk management in various organizations may differ greatly as will the resulting risk management approach and process. However, at a high level, there are a number of elements that could be considered when designing, implementing, conducting and improving integrated risk management in any organization. These elements are presented in the following sections and provide guidance to help organizations strengthen their overall integrated risk management practices. They are organized as follows:

• Getting Started – Planning and Designing the Approach and Process
• Putting It in Place – Implementing Integrated Risk Management
• Doing It – Practicing Integrated Risk Management
• Improving it – Continuously Improving Integrated Risk Management

Two key components of an organization's integrated risk management strategy are focused upon: the risk management approach[1], which provides the overall framework for the management of risk within an organization, and the risk management process, which provides the organization with a specific set of steps for managing risks in a consistent manner.

Risk Management Approach

The success of integrated risk management is dependent on the effectiveness of the risk management approach which provides the overall context for integrated risk management in the organization along with the various instruments required to design, implement, monitor, review and continually improve risk management throughout all levels of an organization in a cohesive and consistent manner. A risk management approach is not a particular management system or methodology and is dependent on the organization's specific needs. The risk management approach adopted by an organization will provide the framework for embedding the risk management process and effectively managing risks at all levels of an organization. The result is a risk-informed approach to management.

A risk management approach provides a picture of risk management within the overall policy, program, planning, and audit and evaluation processes for the organization. Depending on the size, needs and complexity of an organization, the instruments of a risk management approach may include such things as policies, objectives, plans, relationships, accountabilities, resources, processes and activities which are used for designing, implementing, conducting, monitoring, reviewing and continually improving risk management throughout the organization.

The risk management approach establishes the context of the risk management process by providing a framework and adequate resources.

Risk Management Process

Generically, the risk management process can be thought of as a series of inter-connected and inter-related steps that are repeatable and verifiable. It offers a systematic way to structure the identification, assessment, response, communication and monitoring of significant risks through an established governance structure. In addition to assisting individuals in their day-to-day decision-making, such a process can also bring a strategic and comprehensive focus to addressing the broader key risks that require sustained attention by senior management in any organization.

1.1 Getting Started – Planning and Designing the Approach and Process

1.1.1 General

The purpose of this section is to provide guidance to Organizations in designing:

1) a risk management approach which will develop, structure and strengthen risk management within their organizations by embedding risk management into their organizational structures and processes; and

2) a risk management process needed to operationalize risk management across the organization.

Not all elements will be applicable in the design of every risk management approach and process nor will the same level of detail be required for any particular element. As a result, the structure of risk management approaches and processes will vary considerably among organizations.

In general, the resulting risk management approach and process should be documented in some manner to facilitate their implementation (outlined in the next section) as well as provide a means to communicate the approach to all stakeholders, thereby ensuring a common and clear understanding.

To assist with the design process, staff should be provided with the training and other resources needed to ensure that they have the appropriate skills, competencies and experience to carry out their responsibilities. General competencies for staff involved in the design activities may include:

• knowledge of an organization's overall management framework including roles, responsibilities, accountabilities, reporting structures and escalation procedures;
• understanding of risk management and how to apply it to their area of responsibility; and
• ability to engage in discussions about risk.

Regardless of the process used to design a risk management approach and process, there are several activities which are likely to occur at some point in the design process. They include:

• developing an understanding of the organization and its context in order to identify factors that could significantly influence the design of the approach and process;
• developing an overall risk management policy statement that is organization specific and supported by senior management;
• specifying accountabilities for risk management within the organization;
• allocating resources for implementing and supporting risk management within the organization;
• outlining a standard risk management process including common terminology; and
• establishing communication and reporting mechanisms for risk management.

1.1.2 Understanding the Organization and its Context

When designing a risk management approach and process, it is important to examine the internal and external context of the organization. By establishing the context, the organization articulates its objectives, and defines the external and internal parameters to be taken into account when managing risk. These internal and external factors may be identified through a scan which can be used to shape the design of the risk management approach and process.

In conducting an internal and external scan, organizations may want to look at:

• results of audits, evaluations, reviews or other documentation that provide information regarding the organization's risk management, strategic leadership, values and ethics, integrated performance information, stewardship, and accountability;
• departmental strategic planning documents such as the corporate plan, departmental performance report (DPR), report on plans and priorities (RPP), capital assets, and functional plans;
• key external scanning factors (e.g., social, economic, etc.).

In addition to information collected during the scan, it is important to develop an understanding of the organization's willingness to accept the possibility of negative. An organization's tolerance for risk varies with its culture and with evolving conditions in its internal and external environments. Risk tolerance can be determined through consultation with affected parties, or by assessing stakeholders' response or reaction to varying levels of risk exposure.

1.1.3 Establishing and Articulating Direction for Integrated Risk Management

The establishment and articulation of the organization's overall direction for integrated risk management, including vision, objectives and operating principles, supports the successful integration of the risk management function into the organization. A clear articulation of the vision, objectives and operating principles could also help foster the creation and promotion of a supportive risk management culture. The organization should consider making a statement that clearly articulates the organization's objectives for integrated risk management activities, and demonstrates a commitment to implementing integrated risk management throughout the organization. This statement may be a specific risk management policy or similar document but, in support of risk management as an integral part of all the organization's structures and processes, it may best be included in existing corporate policies regarding the organization's objectives and commitments. Establishing and articulating the organization's direction for integrated risk management provides the high-level framework for further design activities.

When establishing and articulating the overall direction for integrated risk management, an organization may wish to consider:

• the rationale for managing risk, including internal and external contexts;
• links between the organization's mandate and objectives and the risk management objectives;
• the necessary and appropriate accountabilities and responsibilities for managing risks;
• the way in which conflicting interests are managed;
• the commitment to adequately resource risk management activities;
• the manner in which risk management will be integrated into the organization;
• the methodology in which risk management performance will be measured and the avenues for reporting risk management performance; and
• the commitment to review and update the risk management approach as appropriate, whether in response to an event or based on an appropriate periodic cycle.

Aligning the risk management vision and objectives with corporate objectives and strategic direction helps make risk management meaningful and relevant to all employees.

1.1.4 Accountability

Accountabilities throughout the governance structure can ensure that key risks have been appropriately managed (identified, assessed, responded to, communicated, monitored, adjusted as required, and reported on). In the design of an approach and process, clear risk management roles, responsibilities and networks should be defined at appropriate levels within the organization, relative to its size and complexity. In determining and documenting the appropriate accountabilities, organizations should consider:

• specifying appropriate risk owners that have the accountability and authority to manage risks;
• communicating that all staff have a role to play in identifying and managing risks;
• establishing performance measurement and internal and/or external reporting and escalation processes; and
• ensuring appropriate levels of recognition, reward, approval and sanction.

1.1.5 Resources

Appropriate resources (people, tools, etc.) need to be allocated for the design, implementation and maintenance of the risk management approach and process as well as for the ongoing conducting of risk management activities. Start-up costs (time, attention, training, systems, and communications) may be incurred until the practice becomes an integral part of organizational structures and processes. It may take time and effort to gain momentum, train managers and specialists, and establish good tools and processes. Once fully implemented, initial start-up investments may be re-allocated as appropriate.

There is no standard size or allocation of resources for integrated risk management activities. Organizations are encouraged to determine their own specific needs based on their current situation and make adjustments accordingly. In order to assess resource requirements for establishing and maintaining a risk management approach and process, it is important to identify the nature, adequacy, and usefulness of existing organizational tools, techniques, human resources skills, and expertise for managing risk to determine incremental requirements.

In the ongoing management of risks, specific attention should be given to the allocation of resources for risk response activities. While the identification and analyzing of risks is much easier to embed into day-to-day decision-making activities, specific resources may need to be assigned to risk response action items. These resources should be at the appropriate level given the severity of the risk and should take into account any necessary trade-offs due to resource constraints. It is important to note that resource allocations should be aligned with the level of risk to be managed with resources being focused on the main risks – not necessarily every risk.

1.1.6 Defining the Risk Management Process

A risk management process is needed to operationalize integrated risk management across the organization in a consistent manner. The development of a cohesive and integrated set of mechanisms for identifying, assessing, responding to, communicating and monitoring risk in the form of a "risk management process", informed by the organization's risk management approach, can enable organizations to better understand the nature of the risks that affect their mandate and to manage these risks more systematically.

The risk management process, once defined, would be used to conduct formal risk assessments and would also be embedded into existing structures and processes (as described in the next section) in order to support risk-informed decision-making.

As with the risk management approach, the risk management process should be reflective of the organizational culture, corporate processes and stakeholder base of a given department or agency. Consideration of these factors in the development of the overall approach will facilitate the development and implementation of the risk management process by setting the tone at the top of the organization and building engagement and consensus at the strategic, operational and business/project levels.

The risk management process provides common language and allows organizations to tailor their activities at the local level. The risk management process should be flexible enough to be applied at different levels in an organization and to programs, sub-activities or projects. The process should also endeavor to incorporate the concept of opportunity, where possible. While the process allows tailoring for different uses, having a consistent framework for managing risks throughout the organization assists in aggregating information to deal with risk issues at the corporate level.

The following sections outline a generic risk management process and provide an overview of elements an organization may consider when defining its risk management process. Organizations are encouraged to select or develop a process, including terminology, best suited to their environment.

1.1.6.1 Risk Identification

During risk identification, risks are identified and a solid understanding of the risk is developed. This includes any risks with the potential to significantly affect the achievement of objectives at various levels of the organization (corporate, program, project, etc.) depending on the context of the risk identification activity.

Organizations should provide staff with clear direction regarding expectations with respect to identifying risks and provide the necessary tools to support this activity. There are numerous tools and techniques for identifying risks (e.g. workshops, checklists, etc.) and organizations may have a range available so that an appropriate method can be selected depending on the particular context in which risks are being identified. In some cases, risks may be identified using a structured approach as part of a formal risk assessment exercise while in other cases they may be identified on an ongoing basis as part of regular meetings.

In defining risk identification activities within the risk management process, organizations may wish to provide direction regarding:

• who should be involved in the identification of risks;
• how much rigour is required for particular risk identification exercises;
• what type of information needs to be collected and what level of detail is required; and
• how identified risks should be documented for assessment purposes.

1.1.6.2 Risk Assessment

During the assessment of risk, risks are analyzed and prioritized. At a minimum, analyzing the risks typically involves assessing the likelihood of the risk occurring and the impact on objectives should the risk occur. The likelihood and impact can be quantified as appropriate based on risk criteria[2].

The analysis of risks helps to prioritize them, which typically involves ranking risks that need responses in order to focus effort and resources on the most appropriate risks. The prioritizing of risks should take into consideration the organization's risk tolerance as, for each risk, the organization's risk tolerance will indicate whether there is a gap between the assessed risk level and what the organization would consider to be an acceptable risk level, and the extent of this gap.

Generally, there are numerous tools and techniques for analyzing (e.g. workshops, surveys) and prioritizing (e.g. risk maps) risks. Organizations are encouraged to design a process that is appropriate for their own operating environment.

In defining risk assessment activities within the risk management process, organizations may wish to provide direction regarding:

• who should be involved in the assessment of risks;
• how much rigour is required for a particular risk assessment exercise;
• what type of information needs to be collected and what level of detail is required; and
• how assessed risks should be documented for response purposes.

1.1.6.3 Risk Response

Risk response is the process of selecting and implementing measures to respond to a risk. Typically, a general response strategy is selected (accept risk, monitor risk, transfer risk, avoid threat, reduce likelihood and/or impact of threat or increase likelihood and/or impact of opportunity, etc.). The organization's tolerance for the risk should determine the type and extent of the response.

If it is decided that action will be taken (i.e., the risk is not accepted), a plan is put in place outlining specific actions, responsibilities and timelines. The strategy should include all the activities that would accompany the response, including communications, outreach, etc.

1.1.6.4 Risk Communication

Risk communication is an integral part of the decision-making process and refers to the communication and reporting of risk information[3] to the appropriate levels of the organization at the right times to support decision-making. Risk communication occurs throughout the risk management process and is important to ensure that those responsible for managing risks and those who may be affected by the risks or associated risk responses understand the basis on which decisions are made and why particular actions are required. This includes communicating risk information internally, in a useful and meaningful way, with staff across different operational areas of the organization, as well as externally with clients and stakeholders who may be involved in, or affected by, an organization's decisions and actions. An important aspect of effective risk communication is providing individuals with enough information to allow them to contribute to the decision-making process in an informed way, where possible.

Risk communication also allows for the re-use of risk information for other processes thereby avoiding the need to conduct multiple risk assessments on the same area for different purposes (e.g. for planning, for auditing, for resource allocations, etc.).

As is the case for risk identification and assessment, there are numerous tools and techniques for communicating risk information and an organization should consider implementing a standardized mechanism to communicate risks. For example, corporate, sector and division level risk registers, dashboards or profiles can provide an opportunity to effectively communicate important risks across the department in a routine manner, thereby making the connections between and among risks with respect to the sectors, programs, projects, processes, regions and stakeholders.

In defining risk communication activities within the risk management process, organizations may wish to provide direction regarding:

• what type of information needs to be communicated at various stages (i.e. what type of information do interested and affected parties need and want);
• who is the audience for the various types of information (internal staff, management, external stakeholders, including the public and Parliament, etc.); and
• what means should be used to communicate the information to the intended audience.

1.1.6.5 Risk Monitoring

The ongoing monitoring of risks is essential to ensuring that risk information remains relevant. It involves the regular review of risk information to ensure that the impact of changing circumstances on existing risk responses is considered. It also involves the review of the risk responses to ensure that they are effectively implemented and achieve their planned results.

The monitoring of risks also provides an opportunity to identify potential improvements to the risk management process.

In defining risk monitoring activities within the risk management process, organizations may wish to provide direction regarding:

• who should be involved in the monitoring of risks;
• how changes to the nature and level of risks due to evolving circumstances should be monitored, and how the continuing relevance of risk responses should be monitored;
• how progress on implementing risk responses should be monitored;
• how the effectiveness of risk responses in terms of moving risks toward tolerable levels should be monitored;
• what indicators are required for monitoring and how they can be integrated with other performance measurement indicators;
• how often risk information should be reviewed; and
• who is responsible for making changes or taking corrective action if required.

1.2 Putting It in Place – Implementing Integrated Risk Management

1.2.1 Implementing the Risk Management Approach and Process

Once the risk management approach and process have been designed they will need to be implemented.

1.2.1.1 Implementing the Risk Management Approach

Implementing the risk management approach involves ensuring that the overall risk management strategy (i.e., approach and process) is applied throughout the organization within the guiding approach the organization has established. When implementing the risk management approach in an organization, consideration could be given to conducting the following activities:

• defining an implementation strategy and plan that responds to compliance requirements (e.g., policy, program, legislative), addresses organizational capacity and capability priorities, and is proportionate to an organization's risks;
• tracking and reporting on the progress being made in the implementation of the risk management approach;
• establishing a performance measurement strategy for measuring the success of the integrated risk management strategy and practices within the organization including indicators for determining whether or not risk responses have been successful;
• demonstrating that planning, decision-making, and performance management are informed by risk management principles and practices in a tangible, cohesive and consistent manner;
• educating and enabling staff to raise awareness and improve their understanding of the organization's risk management approach and their roles and responsibilities; and
• communicating to, and consulting with, internal and external stakeholders in a timely and relevant manner.

1.2.1.2 Embedding the Risk Management Process

In order to take a risk-informed approach to management, risk management activities should be embedded into existing organizational structures and processes at both the operational and strategic levels. Integrating the risk management function into existing strategic management and operational processes will ensure that risk management is a key component of decision-making, business planning, resource allocation, and operational management. It also allows organizations to capitalize on existing capacity and capabilities (e.g., communications, committee structures, existing roles and responsibilities, etc.).

Organizations would consider during the embedding process:

• how will risks, including threats and opportunities, be identified?
• how will risks, including threats and opportunities, be assessed using the defined criteria?
• how will risk tolerance be determined?
• how will risk responses be determined and managed?
• how will risk information be communicated?
• how will risks be monitored?

A successful implementation will be characterized by individuals making risk-informed decisions as part of their daily work and not seeing risk management as something superimposed on their usual activities.

1.2.2 Providing the Environment and Infrastructure

The organization may wish to determine the environment and infrastructure needed to support the successful implementation of the approach and process and their ongoing execution and improvement.

In ensuring that an appropriate environment and infrastructure are in place, the organization may wish to consider its culture and capacity.

1.2.2.1 Creating the Culture

In some organizations, making risk management an integral part of decision-making may involve a cultural change. How ready an organization is, and its ability to adapt, may affect how fast and far it will progress in its implementation of integrated risk management. Assessing readiness is essential if integrated risk management is to be aligned with management initiatives already underway and built on existing systems and processes. It will also contribute to better management of the discomfort inherent in change and will help people move beyond simple compliance and embrace the underlying purpose.

When implementing the risk management approach and process, organizations may want to look at the current organizational culture for risk management and determine how the culture may need to change. In doing so, organizations may wish to consider:

how are employees going to react to the changes being made (readiness)? This will depend, in part, on:

• the extent to which risk management is already incorporated into strategic or business planning and operations;
• staff awareness of and/or capacity to manage the risks; and
• the existence of systems and protocols to respond to potential threats or opportunities.

how can the organization help employees practice integrated risk management despite any potential discomfort for change? This may involve:

• borrowing and using the lessons and practices of change management to foster the will and capacity for change; and
• ensuring regular interaction between those overseeing the implementation and ongoing maintenance of the risk management approach and process, and those involved in overseeing departmental processes (i.e. planning, etc.).

Management should visibly encourage the practice of risk management and information sharing across all business lines and functional units. The extent to which senior leaders model the principles of integrated risk management sets the tone for a sustained integrated risk management culture throughout the organization.

1.2.2.2 Building Capacity

Organizations will need to develop their own capacity strategies based on their specific situation and risk exposure. Just as risk management must be integrated with existing processes, organizational capacity for practicing integrated risk management should be built on what already exists. Assessing and building on existing capacity helps tailor the approach to deal with the organization's specific needs.

To build the necessary capacity, organizations may want to: determine what already exists, identify where changes, enhancement or improvements are required and make the required changes. To build sustainable capacity for integrated risk management within an organization, consideration may be given to two key areas: human resources, and tools and processes.

1.2.2.3 Human Resources

Some considerations in building human resources capacity include:

• determining the existing understanding of risk or risk management;
• building awareness of risk management initiatives and culture;
• broadening the skills base through formal training (including guidance on the application of tools and techniques) taking into consideration staff turnover;
• increasing the knowledge base by sharing best practices and experiences; and

In general, an organization should consider ensuring that all staff members have adequate training, access to proven tools for risk management, and a clear understanding of the common risk management language in order to facilitate communication.

1.2.2.4 Tools and Techniques

There are numerous tools and techniques available that can be used for managing risk. Some examples include:

• risk heat maps, risk registers/dashboards and action plans: summary charts and diagrams that help organizations identify, discuss, understand and address risks by portraying sources and types of risks and disciplines involved/needed;
• modelling tools: such as scenario analysis and forecasting models to show the range of possibilities and to build scenarios into contingency plans;
• frameworks on the precautionary approach, including the use of scientific information: a principle-based framework that provides guidance on the precautionary approach in order to improve the predictability, credibility and consistency of its application across the federal government;
• qualitative techniques such as workshops, questionnaires, and self-assessment to identify and assess risks; and
• internet and organizational intranets: promote risk awareness and management by sharing information internally and externally.

Some considerations in building capacity to use tools and techniques include:

• the use of existing committees, systems, and processes (executive and operational committees, planning and reporting processes);

• the use of common risk management language and a framework or parts of it;

• allowing for the development and/or the use of alternative tools and techniques that may be better suited to managing risk in specialized applications.

Building risk management capacity is an ongoing challenge even after integrated risk management has become firmly entrenched. Activities conducted as part of monitoring and review can continue to identify new areas and activities that require attention, as well as the risk management skills, processes, and practices that need to be developed and strengthened.

1.3 Doing It – Practicing Integrated Risk Management

1.3.1 Ongoing Integrated Risk Management

With the risk management approach and process defined and implemented, organizations would begin to practice integrated risk management as they use those organizational structures and processes that now have the risk management process embedded in them. The defined departmental risk management process would now be applied to all relevant levels and functions of an organization through these organizational structures and processes. Applying the risk management process would ensure that risks are understood, managed, communicated and integrated into informed decision making and priority setting (strategic, operational, management, and performance reporting) in a consistent and cohesive manner. Organizational acceptance of integrated risk management will depend on the extent to which an organization has been successful in using the risk management approach and risk management process to achieve results.

In practicing integrated risk management on an ongoing basis as part of organizational structures and processes, organizations may want to consider:

• documenting the decision-making process and the outcome of key decision points as this demonstrates accountability, transparency and due diligence (reasonable efforts should be made without generating excessive administrative burden);

• ensuring the effort applied to risk management is commensurate with the nature, scope and scale of the risk being addressed;

• involving all interested and affected parties (including partners, the public, and other stakeholders) throughout the process so that all key risks are identified including risks shared with other departments, organizations and stakeholders;

• ensuring that risk information is not only used in decision-making related specifically to the area where risks are identified and assessed but that
