3.2.2 The Risk Management Context



3.2.2 The Risk Management Context

The Organisational Framework

A consistent risk framework should be applied within organisations across corporate, activity and operational levels to enable comparison of risks.

Risk assessments at the corporate level focus on risks affecting the organisation as an entity, such as:

civil defence emergencies;

business continuity risks;

organisational health and safety risks;

political and legal risks;

financial and cashflow risk; and

risks relating to strategic direction options.

Risk assessments at the activity level focus on risks associated with management of the activity and the enabling infrastructure. Activity risk assessment considers risks identified at both the corporate and the operational level as indicated in Figure 3.2.3. Risk assessment at this level is the principal focus of this section.

Guides Polley

Influences key activities

Guides strategies

Key Input Into works


Guides specific actions

Key Input Into procedures and


Figure 3.2.3: Risk Application Across Organisation




Asset Managers

Operations and



Operational level or specialist risk assessments are undertaken to meet specific, sometimes project, product or process-specific needs. There may be legislative or

regulatory requirements specifying the risk approach to adopt. Examples of these assessments include:

public health and safety risk assessments;

dam safety assessments;

slope stability analysis;

seismic screening of bridges;

community impact risk assessments; and

project risk analysis.

3136 IIMM International Infrastructure Management Manual 2015

Developing the Risk Policy and Objectives

The first step in risk management (in fact, with any management system) is to establish the objectives and scope of the risk management process with clear consideration of its business context.

Risk objectives are generally presented in a corporate risk policy document. This document should demonstrate the organisation’s commitment to risk management and be able to be understood and applied at all levels within the organisation.

Deciding the Scope of Risk Process

In deciding the scope and level of advancement of the risk management process (core-advanced), an organisation needs to consider:

The nature of the service provided. Organisations providing essential community services, such as water supply or power, typically have minimisation of risk as a core business driver. Other organisations, with lower consequences of service failure, may have other drivers such as community recreational or cultural enhancement.

Legislation. Risk management processes may be mandated, typically to protect public health and safety or the environment.

Costs. The effort put into assessing and managing the risk needs to be proportional to the risk exposure, to avoid implementing risk processes where the benefits gained are likely to be lower than costs incurred. Take into account that insurance premiums may reduce where there is a strong risk management programme in place, and also that insurance policies may limit liability when there is a failure to act to address a known risk.

Context. Some organisations focus on risk relating to the business success, but organisations managing public infrastructure commonly broaden their risk context to include “community risk”.

Organisations adopting core risk management should have

a clear picture of:

the services to be delivered;

which assets are critical to the continued delivery of those services;

what could happen to compromise the continued service delivery or which may have an adverse social, environmental or economic effect;

level of risk that is acceptable to the organisation; and

options to mitigate all those risks deemed unacceptable.

Organisations adopting more advanced risk management practices:

apply the risk management process to all significant/ critical assets at an individual level, and to less critical assets at a ‘group’ or ‘facility’ level;

adopt a uniform approach to risk reduction across all business units. This allows corporate management to clearly compare different risks within different service areas of the organisation, which, in turn enables organisation-wide prioritisation of risk reduction activities;


integrate risk processes into all key decision-making processes;

quantify failure for different failure modes (condition, hazard etc), likelihood of hazard and likelihood of asset failure resulting from that hazard; and

quantify the rehabilitation or replacement required to meet the minimum acceptable level of service without compromising the acceptable level of risk.

Examples of risk policy statements are shown in the case studies following.

Asset managers wishing to progress risk management

without a corporate policy should clearly state risk objectives and scope for their specific activity.

Case Study 3.10: Water Supply Risk

Management Policy

Risk Management is about responsibility and taking care. It is the policy of the Hong Kong Water Supplies Department (WSD) to adopt a consistent approach to the management of risk across the organisation. This approach involves defining and managing the risks that WSD is to take in order to achieve its corporate objectives and deliver the required level of service, and those that it is not. WSD’s risk management processes and practices are to be consistently applied, effective and evidential to identify and respond to the range of risks that WSD, and the community WSD works with, face.

WSD is implementing an integrated risk management programme to assist in meeting this objective. Comprehensive Risk Management Plans enable WSD to play its part in managing risks and to promote a wide awareness of risk issues.

Critical to WSD’s success is the sustainable delivery of water supply services to Hong Kong and the protection of community assets and environment.

Policy Statement:

WSD will take considered risks within defined parameters. However at all times WSD will take due regard for the protection and well being of the community, its employees and contractors, the environment and the assets used to deliver services.

WSD has adopted a risk management process to ensure that:

All significant operational and organisational opportunities and risks are understood and identified.

The highest risks that should be addressed in the short to medium term are identified.

Risk reduction treatments which best meet business needs are applied.

Responsibilities for managing risk are allocated to specific staff.

Emphasis is placed on the identification, assessment and management of significant business risks (whether hazard or opportunities) that may exist within a ten year planning horizon.

To monitor the activity in areas of significant risk, arrangements have been set up which provide for regular monitoring and review of the key risk components and assessments, and reporting.

Courtesy of Water Supplies Department, Hong Kong and AECOM


Case Study 3.11: State Government Risk

Management Polley

The government of South Australia embraces the following policy which makes chief executives accountable to a State Minister for the implementation of risk management standards and practices.

“The Government’s total resources provide the basis on which its continuity, viability and services to its constituents is built. These resources cover employees, production and technology capability, assets and the

provision of efficient and effective services. Government also has a responsibility to protect the environment in which it operates.

It is Government policy to protect and enhance these resources to enable its corporate objectives to be achieved.

Risk management is the systematic, positive identification of threats to resources and the development of appropriate strategies which minimise risk.

It is the responsibility of chief executives to develop risk management standards and practices in the areas for which they are accountable, and to ensure that these standards and practices are fully communicated to, and have the active support of, all employees.

The South Australian Government Captive Insurance Corporation has the responsibility for developing a Government risk management policy and assisting management to fulfil their responsibilities under the policy”.

Courtesy of South Australian Government

Case Study 3.12: Water Risk Management Policy

The Lower Murray River urban water authority risk management policy states:

“Through risk management, Lower Murray Water aims to:

Protect the quality and continuity of its service delivery

Protect customer and employee well-being

Protect assets, including property and customer goodwill

Reduce the Authority’s legal exposure

Promote due diligence and responsibility.

This will be achieved through:

Identifying, decreasing the likelihood, and mitigating the consequences of risks, within the constraints of sensible commercial objectives and practices

Working in a risk management culture, where identification, consideration and management of risk is built into decision-making processes

Maintaining safe and reliable plant, equipment, facilities and practices

Preparing and maintaining appropriate contingencies

Reviewing the risk profile at appropriate intervals and when circumstances dictate.”

Courtesy of Lower Murray Water, Australia

IIMM International Infrastructure Management Manual 2015 3137



Risk Management Framework

An organisation needs to be able to define what an ‘acceptable’ level of risk is. The risk management framework enables risks to be systematically assessed in a

consistent manner.

The framework should include guidance on how to evaluate probabilities and consequences and rank the risks, specifically for each organisation. The framework should clearly identify the risks considered unacceptable, generally done by considering risk severities as further discussed in Section 3.2.5. A $50,000 failure may be an extreme event

for some organisations but a day-to-day activity for others. Several examples of risk management frameworks are illustrated later in this section.

3.2.3 Identifying Risks

Risk Types

Some examples of activity level risk types are shown in Figure 3.2.4.

Risks can be assessed at different levels of detail. For example, a risk event defined as “structural failure of a bridge due to deterioration” may be an acceptable level of detail for some organisations, while others may wish to

individually assess this risk for each bridge. Others may wish to undertake a specialist assessment of each failure mode for each component of each bridge.

In deciding the level of detail to be captured by the framework, consider those aspects discussed in 3.2.2 relating to the scope of the risk process.

A common approach is to progressively and systematically “drill down” as required. For example, a broad risk assessment can be quickly undertaken to identify where the largest risks lie (for example earthquake risk) and to get a feeling for the level of overall risk exposure.

Public unhappy with OSH prosecution

Scattered Risks


Risks Spectrum


Specific Risk



Figure 3.2.S: The Risk Spectrum

CBD upgrade


e.g. Non-compliance

with legislation

Risks by each item of legislation

3138 IIMM International Infrastructure Management Manual 2015

Planning Risks

Management Risks

Delivery Risks

Physical Asset Risks

Figure 3.2.4: Risk Types

· Strategic planning nsks

· Asset management planning risks

· Service level risks

· Natural event and environmental risks

….. . .

· Procurement risks

· Project management risks

· Contract management risks

· Communication risks

· Risks common to all assets

· Risks associated with specific asset types

Critical or high risk assets, failure modes and risk event types can then be defined and analysed in greater detail. This “Risks Spectrum” to “Specific Risk Analysis” approach is illustrated in Figure 3.2.5.

Processes for Identifying Risks

Risks can be identified through a range of processes. Workshops can be a useful way of getting a wide range of input and knowledge into the process.

Some organisations choose to combine risk identification and assessment within a single workshop, although many

prefer to separate the activities. Dedicated risk identification workshop(s) can be facilitated to be more of a free flowing brain-storming session to maximise the capture of risks within the allocated time.

Identification and briefing of suitable workshop participants

is a key part of preparing for the risk identification workshop. Participants need to understand the risk management policy and framework, strategic level at which the risk is being applied and scope of the risk process.

I 111

Footpath renewal

programme not met


e.g. Failure of

critical assets

Lifelines risks and


risks by each critical asset or asset type



Identification of a risk grouping framework will give the workshop more structure and will help identify which

participants should attend. For example, risk events can be separately identified by supply chain or asset function and by broad risk type. In the case of water supply, this may involve separate breakout groups, or workshops for source, treatment, storage, pipes and pumping stations.

The following questions can be considered as part of the risk identification process:

1. What are the risks to achieving the organisations objectives, particularly relating to sustainable delivery to the agreed levels of service?

2. What is the source of each risk?

3. What might happen?

4. What would the effect be?

5. When, where, why and how are these risks likely to occur?

6. Who might be involved or impacted?

7. What controls presently exist?

8. What could cause the control to not have the desired effect on the risk?

A risk event can be defined as an occurrence with a cause and a chain of possible impacts. The cause itself can often be defined as an impact of a precursor event. Case study

0 0 c5l� � Q) u


i1: ::J Description


3.18 (later in this Section) demonstrates a framework developed to recognise the range of impacts a risk event

may have and allow for scenario analysis to identify the critical risk case.

Once risks are identified, they are generally recorded in a risk register. There would normally be rationalisation, moderation and grouping of risks identified in the workshop to enable the structured formation of an asset register and a structured approach to the risk assessment as the next phase.

Usually there will be formal monthly or annual review of the

risk register. There should also be processes for recording other risks as they are identified.

Two risk register extract examples are presented in figures 3.2.6 and 3.2.7. The first is the risk register for aquatic facilities considering risk with no controls in place (“gross risk”) as well as risk with the current controls active. The second represents a more advanced approach at the detailed level for a water supply network. Further explanation on this framework is presented in Case Study 3.18 at the conclusion of this Section.

Public Health Issues Public Health 4 16 Operations procedures manual Excellent 2 6 Monitor contractor, – Pool users sick due covers steps for prevention and operations report to poor water quality. procedures for dealing with audits (Cryptosporidium or problem. similar) Water testing cai:_ci� o�t

Public Health and Safety Public Health 5 3 15 Training of staff Excellent 5 5 Review processes – Drowning at one of the Number lifeguards specified in the with contractor facilities contract Review sight lines

Signage provided Develop safety

Safety is taken into account in procedures for adding

design any new assets in the

Behaviour controls are enforced pools

and no access to pools that are not in use

Public Health and Safety Public Health 4 4 16 Standard procedures Good 3 2 6 Safety inspections – accidents causing Reputation/ Sign age Ongoing review of injury to Kapiti residents/ Image

Compliance with legislation and Council’s liability and visitors resulting in claims Financial H & S Policy. and or negative publicity standards

( e.g., falls and trips over Proactive maintenance protruding assets)

� Environmental Public Health 4 4 16 Chemical handling procedures Good 3 2 6 Ongoing approved contamination – from Reputation/ I documented and in place. training chemicals spillage Image Plant rooms are secured from Review of chemical

Environmental public storage and signage Legislative

Electronic dosing use where

_L appropriate

Operations manuals/emergency procedures

– Dangerous goods registering

Figure 3.2.6: High Level Risk Register Example

IIMM International Infrastructure Management Manual 2015 3139

w � 0

Risk Identifier:

Service Asset Group Risk No. Region Supply Chain Type of Risk Major Zone Reservoir Zone Affected Asset Sub-Group Location Key Corporate Objective Affected

Lion Rock High To provide a reliable and adequate supply of S-NTW-0-1-PD New Territories Distribution Operational Sha tin Level FW Prtmar, Pipes – Distribution Critical 1 pipes Pink route wholesome potable water and sea water to our -00001 West SR customers in the most cost-effective way.

Lion Rock High Lion Rock High Level FW Lion Rock Higt To maintain and motivate an effective. efficient and S-NTW-ST-2-RS New Territories Storage Work practices Sha tin Level FW Primar, Reservoirs – Service Level FW -00002 West SR

Primary SR Primary SR committed workforce to serve the community.

Lion Rock High Intakes/Treatment Shatin treatment works

Risk Description and Assessment

Cause Initiating Event Primary Impact Se condary Impact Tertiary Impact

tl tl tl tl 0 0 0 0 0 0 0 0 � � � � -.; ]i -.; ]i

Description -“‘

Description Description -“‘

Description Description :::; :::; ::::; :::;

3rd party contractor c Pipe burst A

Temporary localised B Traffic disruption A damage outage

Unsafe work practices D Crushed by machlner) B Single worker fatallty c

during maintenance

Controls, Timeframes and Responsibilities



(‘, <!) to :5 0

<!) u VJ :::J 0 <Ou

Existing Controls

Other Controls in Place

Yes Gu idelines. markout service. penalties

No Contractual requirements construction observation. hazard Identification

<O Residual Likelihood D ·v;

.._, <!) 0 Cl::

� rn <ll D <O Cl. �800 � c >, .._, D ,-, >, ._, +:i +-‘ � u c u :u u 8.£ <O c -� � 0 <O ·- <O cii E a3 +:i a., u Cl. t Cl. .c·- > o::� Ji � w E 0 o�.s w I- – u -‘

<!) (‘, (‘, <il <!) <!) 0 :0 0 :0 c �� � .Q <!) <!) <!) .._, O U) 0 <!)

ru a. I- 0 I- .:,,;: .._, .:,,;: Controls to oo E .� ::> VJ Develop �8 Cl:: <{ �


No Develop contingency 1-Aug-10 plan

Residual Risk Assessment

Residual Consequences

D c <O :5 0 “‘ffi� <!) <O I U1

Figure 3.2.7: Detailed Level Risk Register Example

<iic 3 0 .:,,;: VJ �


tl 0 0 � -.; -“‘ ::::;

0 .._, VJ c

.E D <{ .:,,;: VJ �


Other Impact


� 3 0 c 0 :;:; 0 <{



tl 0 0 � -.; -“‘ ::::;

D Q.)

Q) -� …, > <O <!) O Cl::

Consequences t, 0 QJ u ill � !’l (J QJ 2l c -“‘ ±,U tl O C c

i� c QJ <I)

“‘ 0 c ….JO � QJ � ‘1ij ·v; :, er 0 0 QJ:;::; i :ll’ e u

o cr ‘1ij a .c :5 a (J (J a a, c � c:

E � :,

E = – QJ

-� “@ c: E gi, 81’ “‘ c:

o� “‘� ·5 QJ “‘ 88 0 .s c:

c: 0 0 c: u:::; I Vl V) 0: UJ u:: uu <(

0.0243 2 3 3 4 I 2 61.020.000 1,482.786

0.0006 4 I 1 4 1 1 90.080.000 54,048



1′ -� > QJ



High –

Low –

�1 QJ�

�� :§ � 0: a..


(/) m 0 -I 0 z !’-‘ “” � l> z

e; z

G) 32 (f) ;:,;:



the consequences of “failure” for the identified risk events (noting that “failure” refers to failure to achieve objectives and is not necessarily limited to structural failure); and

the probability of failure.

At a simple level, the risk can be assessed using a qualitative matrix approach illustrated in Figure 3.2.8.

A more mature organisation may quantify its risk in terms of risk dollars, where

Risk $ = Activity Risk Exposure

= Cost of Consequences x Probability of Failure

Data underpinning this analysis can include:

subjective assessment based on experience and professional judgement;

asset attribute data, location and operating context. This information is commonly held in AM information systems, GIS and, in the case of linear assets, network models;

data sets capturing and analysing natural events, such as rainfall, tides, temperature, earthquakes, tsunamis, cyclones, electrical storms, etc;

specific studies into asset or service issues such as analysis of past failure events to identify causes, consequences and likelihoods; and

outcomes from user or community consultation into expectations and perceptions.

The progression from basic to advanced risk management would typically see decreasing reliance on subjective experience and increasing reference to data.

Case Study 3.18 demonstrates an approach taken where risk is expressed in terms of annual risk cost exposure and risk severity thresholds are set with reference to the costs.

Probability of Failure

Probability can be assessed in a qualitative way (e.g.: A to F scale) or a quantitative way (e.g.: probability of 0.02) as illustrated in Table 3.2.1. The qualitative assessments feed into the risk matrix approach, whereas the statistical probability is required for those quantifying risk in monetary terms.

The probability of physical failure of an asset is related directly to the current condition of the asset, hence the importance of realistic and accurate condition assessment. Factors such as redundancy of systems should be accounted for when developing probabilities of failure of assets or systems.

The probability of natural and external events is determined less easily but scientific studies are usually available. Similarly, the probability of other events, such as poor work practices or planning issues can be difficult to ascertain. These probabilities can be determined from fault tree and event tree analyses, expert opinion and computer modelling.

A risk event can be described as a core initiating event, which may lead to a number of different consequences, each with its own probability. This recognises that the likelihood of an initiating event occurring (e.g. a severe rainfall event) would be expected to be less than the

3142 IIMM International Infrastructure Management Manual 2015

likelihood of “failure” (e.g. insufficient capacity leading to flooding of houses).

Probability tree analysis can be used to assess the composite likelihoods of these events.

Case study 3.18 demonstrates a framework developed to recognise the range of impacts a risk event may have and allow for scenario analysis to identify the critical risk case.

Case Study 3.13: Asset Criticality Analysis

North Shore City Council in Auckland, New Zealand, ranked each of its assets on a 1-5 basis as to how critical they are in a range of categories such as service availability, health and safety. The 1-5 scores were weighted to an overall 1-5 score that can then be used for asset management processes such as maintenance planning and renewal prioritisation.

Community Category

Outcome Areas

Social Service Availabil1ty Public Health and Safety

Environmental 1 Pollution I Contamination Economic Financial Loss to council

Economic loss to Public Cultural Treaty of Waitangi

Places with cultural significance For each category there are a number of measures used to rate the criticality. For example, the criticality with respect to ‘service availability’ for water supply assets is dependent on both: 1 . The number of water supply connections on length of

local main where: Criticality 1 = 1 connection, Criticality 2 = 2 to 10 connections Criticality 3 = 11 to 50 connections Criticality 4 = 51 to 500 connections Criticality 5 = < more than 500 connections

2. The type of customers connected (dialysis patients, industrial areas, etc).

The measures have been selected with consideration of what data is available on the GIS, and include (some measures are only applicable to water, wastewater or stormwater assets):

volume of discharge (usually applied through rules such as diameter of pipe) location (soil, beach, stream) proximity to road and type of road pollutant potential (e.g.: industrial areas assume higher pollutant) serving special custome_rs characteristics of asset (size, depth) number of customers without service if asset fails cost of repair (based on diameter and depth).

Many of these measures are used across multiple categories. For example, the volume of discharge will impact on the level of contamination (environmental outcome) and the repair costs to Council (economic outcome). Courtesy of North Shore City Council ( now Auckland Council)



Case Study 3.15: Australian Road Authorities

Are No Longer Immune From Liability

The law of negligence is a fault-based system in that a person who carelessly causes injury or loss to another person should compensate that person. The Australian High Court has ruled that this principle should apply to roads and highway authorities that do not maintain a road to the appropriate standard. Traditionally, the common law was that a road authority had a duty of care to design and construct roads safely, but was not liable for failing to maintain a road. This was known as the “nonfeasance rule”. In May 2001, the High Court gave its judgement in the case of Brodie v Singleton Shire Council and decided that the nonfeasance rule was no longer part of the common law of Australia.


This decision has enormous economic ramifications for authorities from all tiers of government. The abolition of the nonfeasance immunity reflects laws in other countries such as England and Canada, where highway immunity has also been revoked for road authorities. The changes mean that Australian road authorities now owe a ‘duty of care’ to road users by exercising their maintenance powers to protect them from foreseeable risks. The decision leaves roads authorities and local councils open to claims for alleged failure to maintain roads to an appropriate standard. The wide variety of circumstances under which they are maintained makes it difficult to define ‘appropriate standard’.

Key Issues

The issues are complex because they straddle the spheres of responsibility. When a municipality decides to allocate its money it is a political, managerial and engineering decision. If a person is injured who might not have been had the council given another job the higher priority, a court may decide that a Council “should have done more” and may require it to compensate the injured party. This highlights the need for a process to define the appropriate maintenance standard, which involves:

establishing road condition standards that are appropriate and affordable identifying and assessing needs and priorities allocating limited public money to the above making decisions through political, legislative and administrative processes about needs and priorities making judgments through legal proceedings about how well decisions and actions have satisfied the legal duty to take reasonable care.

Role of Asset Management Planning

A possible defence for road authorities and local councils will be to ensure that robust AM policies, strategies and plans are in place which demonstrate a ‘duty of care’ in the allocation of scarce resources. Linking the inspection history relevant to each asset item using the AM System can assist in providing a defence against public liability claims.

3146 IIMM International Infrastructure Management Manual 2015

Option l Close facilities

l 6 00pm 7.00am Option 2 Increase lighting in and around fac�ty Option 3 Install CCTV/ signage and implement monitoring programme Option 4 Option 2+3 Option 5 Increase security patrol presence Option 6 Option 4+5 Option 7 Manned facilities



30% 10%

50% 10%

25% 15%

60% 20%

80% 30%

Table 3.2.3: Example of Risk Mitigation Options Analysis

Risk Action Plan


– —


$10,000 + $20,000 pa

$15,000 + $20,000 pa $5,000 pa

$15,000 +

t $25,000 pa $40.000 pa

This is a key document which consolidates the risk assessments, actions to be undertaken, timeframes and responsibilities. Information from this plan should be routinely reported to the organisation’s executive management team and the Board or political decision makers. Further, this information can be summarised into an organisation’s AM plan and should be one of the key inputs into AM and asset lifecycle improvement programmes.

An example of a water supply Risk Action Plan structure is provided below: 1. Summary

2. Introduction/Purpose/Structure

3. An overview of the activity, objectives relationships, responsibilities (may reference to the Strategic AM Plan)

4. Approach to managing risk

5. Risk management policy

6. Risk management framework

7. Risk management responsibilities

8. Risk assessments

9. Risk action plans

10. Monitoring and review plan

Appendix A – Risk Register

Appendix B – Risk Treatment Options Analyses



Consequences of Failure Consequences to the community:

Consequences of a risk event occurring leading to “failure” extend beyond the immediate financial implications.

social consequences, such as loss of life, injury or health impacts, loss of service;

Organisations managing community infrastructure should recognise effects on the community as well as implications to the organisation itself.

environmental consequences, such as damage to aquatic receiving waters, atmospheric pollution or land contamination;

Consequences to the organisation:

economic consequences, such as repair costs, fines or litigation costs and loss of income, or income potential; and

economic consequences, such as the community costs associated with damage to property or other third party losses, which may include business impacts, traffic delays, etc.

For organisations using a qualitative ranking system for consequences, a table such as that shown in Table 3.2.2 may be used.

social consequences, such as loss of life, or injury and reputation/organisational integrity damage.

The legal liability for nuisance, negligence and third party damage also needs to be recognised (refer Case Study 3.15). Code Likelihood of Current Equivalent

occurrence probability of statistical condition based probability occurrence

y B Unlikely Within 10- 20 years–1 __ 0 _.0_5 __ __. C Possible Within 6- 10 years 0.1

,_D ____ M_ o _d_e_ra_t_e __ –<–W_it_hin 3- 5 years 0.3 � Likely _w_it_hi_n __ 2�y_e_a _rs __ –+_0.7 l£.._______, Almost Certain Within 1 year 0.9 Table 3.2.1: Probability of Failure

Consequence Impact (Risk)

TBL Description Weight 1 Insignificant 2 Minor

Overall Risk Ranking

The following types of risk can be assessed:

“Gross” or inherent risk. This is the risk assessed assuming that there are no systems, processes or resources to manage the event. Comparison of gross risk with current risk assesses the effectiveness of existing risk management practices. This may reinforce the need to maintain these practices, or may indicate where practices could be improved. Further, including an assessment of gross risk reduces the temptation to not consider a risk simply because it is currently well managed.

3Severe 4Major 5 Catastrophic Aspect (<$2,000) ($2,000- ($20,000- ($0.2M-$2M) (>$2M)

$20,000) $100,000)

Safety & 5 Negligible injury Minor injury Serious Injury Loss of life Multiple loss Health Medical attention Hospitalisation ($0.2M- $2M) of life or city-


CJ 0 Vl

0 c 0 CJ w

3rd Party Losses

‘Loss of Service- Extent/ Duration

Corporate Image


Business Costs (Total Recovery)






I Minimal liability for consequential

j loss

_ Small number of customers experiencing minor service disruption

Event only of interest to individuals Nil effect or community concern


Liability for consequential loss

Significant service disruption affecting small number of customers

I required.

Liability for consequential loss -($20,000-

.J._$100,000_) _ Significant localised disruption over extended period ($20,000- $100,000)

Minor community Public interest Local community media report discussion Broad

adverse media coverage

Liability for consequential loss

I Major localised disruption over extended period ($0.2M-$2M)

Loss of confidence in Council National publicity. Public agitation for action

wide epidemic (>$2M) Liability for consequential loss- (>$2M)


Major long term city wide service disruption

Public investigation International coverage. Management changes demanded

Negligible impact Material damage Reversible within of local l week importance.

Serious Serious damage Serious damage damage of local of national of national importance importance importance

Total direct revenue loss &

J cost_ to restoreservice

Prosecution possible. Impact fully reversible within 3 months Total direct revenue loss & cost to restore service

Prosecution I Prosecution Prosecution. probable. Impact expected. Impact Long term study. fully reversible reversible within Impact not fully within 1 yr 5 yrs reversible Total direct Total direct Total direct revenue loss & revenue loss & revenue loss & cost to restore cost to restore cost to restore service service service

Table 3. 2.2: Example of a Risk Consequence Rating System

3144 IIMM International Infrastructure Management Manual 2015



Consequences of Failure Consequences to the community:

Consequences of a risk event occurring leading to “failure” extend beyond the immediate financial implications.

social consequences, such as loss of life, injury or health impacts, loss of service;

Organisations managing community infrastructure should recognise effects on the community as well as implications to the organisation itself.

environmental consequences, such as damage to aquatic receiving waters, atmospheric pollution or land contamination;

Consequences to the organisation:

economic consequences, such as the community costs associated with damage to property or other third party losses, which may include business impacts, traffic delays, etc. economic consequences, such as repair costs, fines or litigation costs and loss of income, or income potential;

and social consequences, such as loss of life, or injury and reputation/organisational integrity damage.

For organisations using a qualitative ranking system for consequences, a table such as that shown in Table 3.2.2 may be used.

The legal liability for nuisance, negligence and third party damage also needs to be recognised (refer Case Study 3.15).

Overall Risk Ranking

The following types of risk can be assessed: Code Llkellhood of Current Equivalent

“Gross” or inherent risk. This is the risk assessed assuming that there are no systems, processes or resources to manage the event. Comparison of gross risk with current risk assesses the effectiveness of existing risk management practices. This may reinforce the need to maintain these practices, or may indicate where practices could be improved. Further, including an assessment of gross risk reduces the temptation to not consider a risk simply because it is currently well managed.

A B c D E F

occurrence probabillty of statlstical

Rare Unlikely Possible Moderate Likely Almost Certain

condition based probability occurrence

> 20 years 0.02 Within 10- 20 years 0.05 Within 6- 10 years 0.1 Within 3- 5 years 0.3 Within 2 years 0.7 _J Within 1 year 0.9

Table 3.2.1: Probability of Failure

Safety & 5 Negligible injury Health


13rd Party 3 Minimal liability Losses for consequential loss

14 Loss of Small number I Service- of customers Extent/ experiencing Duration I minor service


Corporate 3 Event only Image of interest to

individuals Nil effect or

iii community “ij 0 concern


Minor injury Serious Injury Medical attention Hospitalisation required. required.

Liability for Liability for consequential consequential loss loss -($20.000-

Significant I $100.000) Significant

service localised disruption disruption over affecting small extended period number of ($20.000- customers $100.000) Minor communit


Public interest Local community media report discussion Broad

adverse media coverage

iii I Environment 5 Negligible impact Material damage Serious Reversible within of local damage of local c 1 week importance. importance E Prosecution

c Prosecution possible. Impact probable. Impact



fully reversible fully reversible c within 1 yr w within 3 months u Business Total direct Total direct Total direct ·e Costs (Total revenue loss & revenue loss & I revenue loss & 0 Recovery) cost to restore cost to restore cost to restore 0 service service service u w

Table 3.2.2: Example of a Risk consequence Rating System

3144 IIMM International Infrastructure Management Manual 2015

Loss of life Multiple loss ($0.2M- $2M) of life or city-

wide epidemic (>$2M)

Liability for Liability for consequential consequential loss loss- (>$2M)

– Major localised Major long term disruption over city wide service extended period disruption ($0.2M- $2M)

Loss of Public confidence in investigation Council National International publicity. Public coverage. agitation for Management action changes

demanded Serious damage Serious damage of national of national importance importance Prosecution Prosecution. expected. Impact Long term study. reversible within Impact not fully 5 yrs reversible Total direct Total direct revenue loss & revenue loss & cost to restore cost to restore service service

Current risk. This is the risk assessed assuming the current systems, processes or resources are in place to manage the event. Comparison of current risk against maximum acceptable risk, as defined in the risk management policy, identifies improvement actions required to reduce current risk levels.

Residual risk. This is the risk assessed assuming the

additional systems, processes or resources associated with the selected treatment option to reduce current risk are in place.

Comparison of residual risk with current risk assesses the effectiveness of the risk management practices proposed by the selected treatment option.

For qualitative analysis, a matrix of consequences against likelihood can be used to combine consequence and probability into an overall risk score. An example is

illustrated in Figure 3.2.8.

A L L L M s

B L L M s s –

c L M s s H

D M M s H

E M s H

F s H H

Figure 3.2.8: Example of a Risk Rating Matrix

The organisation’s risk management policy should define

its “risk appetite”, or the amount of risk an organisation is

willing to accept in pursuit of its objectives. In so doing, the risks requiring further consideration for action can be defined by these risk severity ratings. Further ranking of these “unacceptable” risks is possible through use of risk scores, or collective judgement. Risk ranking is readily achieved if the risk management framework quantifies risks in monetary terms.

3.2.6 Managing the Risks

Treatment Options

Treatment options should be identified for all risks assessed

to be unacceptable to the organisation, as defined in the risk management policy. These may include:

high risks, where the product of likelihood and consequence exceeds the nominated threshold, e.g. all

risks assessed as “high” or “extreme”;

Gap Indicates


actions required

to decrease


Figure 3.2.9: Gross and Residual Risk


high consequence events, even where the likelihood may be very small, e.g. tsunami risk;

risks with legal or compliance requirements; and

risks which may be readily reduced for little cost.

A comprehensive range of options can be identified within workshop “brainstorming” sessions. This can include discussion and assessment of the effectiveness of current risk treatments to enable a thorough assessment and identification of the best management options.

Several strategies to manage the total activity risk are


reduce the risk by capital or maintenance expenditure, i.e. reduce the probability of asset failure;

reduce the risk by implementing operational and management initiatives;

reduce the impact of failure by actions such as

preparing emergency response plans, a common approach for high consequence, low probability events;

accept some risk and carry the consequential costs;

insure against the consequential costs; and

a combination of the above.

Implementation of these strategies will require an evaluation of:

the cause of failure and the failure mode;

the impact and probability of failure and its criticality;

the current strategies implemented to manage risk;

what treatment options are available to:

a. reduce the probability of failure

b. reduce the impact of failure; and

the suitability and economics of those treatments to reduce activity risk.

There will be many options to reduce probability and/ or consequence of failure which may range from minor

reductions to almost total reductions. Some risks can be addressed more easily (and cost effectively) than others, as illustrated in Table 3.2.3. The treatment costs may range

significantly and it is the analysis of this risk reduction (benefit) against the cost that assists the identification of the optimal solution. The analysis of treatment options is critical in advanced AM processes and is discussed further in Section 3.1.

Gap indicates

Current practices and strategies effectiveness

of exist! ng practices

Gap Indicates

Additional practices and strategies effectiveness of

proposed practices

IIMM International Infrastructure Management Manual 2015 3145



Case Study 3.16: Risk Management Process for a Sewer Business

Barwon Water’s sewer business has developed a quantifiable risk consequence methodology used in their strategic AM planning decisions. Each asset is assigned a criticality rating based on five major factors. Each factor is

assigned a score based on the system shown below.

Criticality Factor Scoring

1. Public health & Multiple illness or injury 15 safety Single illness or injury 5

No effect 0

2. Environmental Major 10

Minor 5

No effect 0 –

3. Cost of Repair More than $20,000 6

Between $5 K & $20 K 4

Less than $5 K 2

4. Effect on Major or repeat occurrence 8 Customers Minor 4

No effect 0

5. Difficulty of Repair More than 3 days 6

Between 1 and 3 days 4

Less than 1 day 2

T he scores are added and assigned a criticality rating: AAA, A, B, or C. Each asset is assessed on the following

factors and assigned a structural rating as a measure of the likelihood of failure, based on:


installed date;

air valves;

nature of soil;

excessive vibrations; and

date of last failure.

Based on the assigned criticality and likelihood ratings the asset risk is classified as Extreme, High, Medium, Low or

None, which drives treatment options such as:

1. Replacement: Decision for replacement is based on the service life and hydraulic capacity of the main.

2. Undergo further investigation: Testing required for all mains with a structural rating of 1 or 2.

3. Develop a Contingency plan: A contingency plan is required for all mains rated as extreme, high or medium. A specific plan is required for assets with a criticality rating of AAA and A.

4. No action required.

Criticality Calculation Likelihood Calculation Classification ,.

Structural Afr Aggressive Excessive Date of last Sort

,,.. Asset No 1 2 3 4 5 Sum Criticality

Rating Material Installed

Valves Soil vibrations failure E H M L N

134 15 10 8 4 4 41 AAA 2 DICL 1998 N N y E 1 y 2001102 128 15 5 8 4 4 36 A 2 RC 1961 N N N 31105/2001 E 1 v 200210

88 5 10 8 6 6 35 A 1 MSCL 1969 N y N 4/07/2002 E 1 y 2001102 3 5 10 8 6 6 35 A 2 AC 1975 y N N 24/03/200 E 1 y 2001/02

106 5 10 8 6 6 35 A 2 RC 1955 N N N 6/06/2001 E 1 y 2002/0 94 5 10 8 6 6 35 A 2 Cl 1971 y y N 19/01/1999 E 1 y 200010 78 15 10 8 6 6 45 AAA 4 Cl 1973 N N N H 2 y 2003/0 73 15 10 4 4 4 37 A 3 RC 1970 y N N H 2 Done

127 15 5 8 2 4 34 8 2 RC 1958 y N y H 2 y 200010 87 15 5 4 2 4 30 8 2 Ci 1971 N N N 4/06/2001 H 2 y 200010 22 5 10 8 2 4 29 8 1 Cl 1922 N N N 26/10/1999 H 2 y 2002/0

109 5 10 8 2 2 27 8 2 VC 1986 N N N H 2 Required 60 5 10 4 2 4 25 B 2 AC 1986 y N N H 2 ReQuired

133 15 10 8 4 4 41 AAA 5 DICL 1998 y N N M 3 36 15 5 8 6 6 40 AAA 5 PE 1996 N N N M 3

Courtesy of Barwon Water, Victoria, Australia

3148 IIMM International Infrastructure Management Manual 2015

Case Study 3.17: Risk Management Framework for Roads

Moira Shire Council began the journey of changing its organisational culture by utilising a risk solution for the inspection, collection, prioritising and works programming of defects. Unsealed roads were used as the pilot project.

The overall objective of the risk methodology is to provide a consistent approach to prioritising asset maintenance and capital works to minimise human and financial risk by setting realistic and meaningful service levels within Council’s available budget and resources.

The first step was to classify and identify the infrastructure. The road network was then divided into individual road assets to provide unique identifiers.

The road assets were created from intersection to intersection; this assisted in making the road network more manageable and narrowed down the location of the defects.

All defects detected during field inspections are recorded into a database. Defects that have been identified from the field inspection will automatically be assigned the relevant work codes, associated risk and average cost of repair. All defects have a measurement relating to quantity of material required to repair or the distance required to be graded.

Definition of risk


Criteria have been established for both the likelihood of an incident occurring due to the location of the defect, and the consequence of any such incident (severity), taking into account the surrounding environment rather than a perceived risk based on dimensions.

The criteria are based on factors that are relevant to the geographic makeup of the Moira Shire and have been extensively tested and refined using knowledge from experienced staff.

Results from the likelihood and consequence ratings are combined to determine the risk score .


Consequence of Deprival (Financial Risk)

Criteria have also been established for the consequence of deprival (financial risk) rating. This criterion enables Council to determine the financial effect on the asset lifecycle by not attending to the defect within a specified timeframe. Some of these factors include:

Increased cost

Rapid deterioration of asset

Increased traffic hazard

Effect on other assets

Once all the defect information from the field inspection has been loaded into the corporate system a series of criteria previously established by the Asset Management Team rates each defect in order of priority.

Utilisation Criteria

E – Extreme Priority Usage

H – High Priority Usage

M – Medium Priority Usage

L – Low Priority Usage

N/A- Not Applicable

Dealing with immediate risks

The parameters developed to manage the risk have been set to make extreme and high risks safe within a specified period of time.

The strategies for dealing with all other risks are evaluated and the appropriate action is determined taking into consideration costs and benefits.

The process ensures that the limited resources available are utilised in the areas that will give the most benefit to the community by minimising the exposure to risk.

The process is now being fully utilised for unsealed road

defects, sealed road defects, rural tree canopy defects, signage defects and footpath defects.

The following figure is a screen display of the software developed by Moira Shire Council.

Likelihood Rating 1Ji6″ fo.1t � run F<.:f””‘t 8_(,,,))’.:k I@� l:?’4)

An incident may occur due to the following contributing factors:

Deviation from travelling alignment and/or braking

Sight distance of defect

Lack of traction

Hazard to other road users

Consequence Rating

The severity of the incident may be contributed to by the following factors.

Width of road

Road speed limit

Depth of table drains

Structures or trees that may be impacted

Courtesy of Moira Shire Council

• M55.J’l$S(rl • 8 � B I 1l II: 9′ � � .. .Q”” ,d •

I Gravel On Road lnspeciions J @111#,le,U”.p(lcl1111 I� !Procedural Steps

@e.1.ictA.s�etboi119ln5poctad )� Fernt,fa;anlCMl\ttuetu �u.ne.Plal .. r.larllAi>M·S•.l!<ret,� “‘ �=� .. ��,a�D,H11il1A9ei>os1″5n1 i u).O•til6ndi,.9Do1ec1t

joutllhll’!dinsOelccu;Recorded I L•·KM � N�QfG,.,tdepo11a001Ac;i.�S•i1.,..,,. r—- R,,.,..rdNdwDttfoct•U…:le,11.pp,opunlu� .. b ;’,.\$Qt ADDI\ MOR� DMit h:Jlon��”d Celftl Lugti OliMli/t Rtsll Lilw.Jlood Cbr!Mt�(II Ollpn,N NcltM

fsiif””li(i&Ffu·G.r:i:t;119ZSI0′){20 1 nros1roosr-ror�f1=i.:fl6·Vi,’tl,;1tf(O!i1·Mod1101e P·IAffl•�· �–­

fsfifi»iop:icki·S?OIFr,uhn•w; 11�{!1).’lOO� r-roftoo� �to·�Y:�(ool3•Mod..-6111 P·t.t�•ld• ��Fs-u-�-….stt 11�,��r.oosr-rore��l6-�•1t1ool1·�” 11·1.tll’IQI( ….. �—

�N-Oefecu to b11 n11cord11d


� 6di”$-n!S I Cb>S<•MOo� I ROt!t.Odi!MWo<1,;� 11!Pd”1,iA&s,:,ts I G,•di�g j follloting 1 SpolBo•h.,•h11g I .:l_11HJ<:1!.og..,�11t !

IIMM International Infrastructure Management Manual 2015 3149


Case Study 3.18: Implementing an Organisational

Risk Framework for Water Supply

The Water Supplies Department (WSD) of Hong Kong is in the process of establishing a consistent risk framework to be implemented throughout the organisation. Key aspects to this framework are:

Ability to rapidly screen worst risks and progressively “drill down”. Definitions have been established to enable

Overall Corporate Objectives • To provide a reliable and ad�le suppfy of wholesome potable M\et and sea wat� to our

cu�omers in the most cost·elfectr.1e way • To adopt a customer-o:1emed ap proach 1nou1 sel\’Jces. • To ma1nta1n and mo11vate an effKtN’t. efficient and committed wOfkfom· to stlVe 1he community • to rema1nconsoM of our l!�n�bt�ties towards the enviroMJeril. • To make the besl use of 1esoo,ces and technology in ou1 strMn.g for co nunuous 1mprovemen1 in


Key —> Elements


HongKCMlg ar,d1slarx:h �owloon

New Tem1ones East emtorttsY,e


Risk —> Prompts

Supply Chain Component

Source Treatment

Type of Risi<


Different scenarios are assessed using a simplified probability tree approach. To enable this, each risk event scenario is described by an initiating event with a ’cause’ and up to 4 consequential events, each with associated likelihoods. The composite risk event is then quantified in

critical assets to be systematically identified using tools such as GIS, and risk events to be rapidly assessed. All events with risk severities exceeding defined acceptability thresholds are identified for more detailed investigation.

Risk event definition. WSD developed a structured record of risk events to be considered. Each of these risk events may result in a number of consequential outcomes with differing consequence severities and overall likelihoods.

Context for …_ considering risk

Key Service Standards Applicable to each Component

E.g. Storage: • Wate1qualiry • Water slO’age volumM •Saltty •Etc

Risi< Sub-type

E.g.Operationalrislc: • Con1amnat1:in • sset,a1ure

Risk Cause

t9.�tla1lu” • De terioration • atural event

• Climate change • Thrrd pany damage • �er-Joa<f;ng • C.1pao1y1upabtl1ty

Risk Sub-cause

E.g. Na1ural �nl •hrt ua\:e •Flood1 • Storm •landslide

• ligh!l’llng • Fr,uing • (>,:erhrnmg •Wexposure • Volcarncer1.1pt,on • Tsunami

terms of the sum of the risk assessed for each scenario. The risk for each scenario is assessed as the product of the individual scenario likelihoods and the scenario consequence.

Likelihood P (a)= PO x Pl x P2a

Traffic accident fatality

Mid-term traffic Disruption

Significant costs to WSD to _.. restore service and address

reputation Issues

Scenario A Risk A= P(a) x ((a)

Contractor damage

® Pl

Pipe failure

Significant road damage and

short-term outage

Minor road damage and temporary

localised outage

I· (P2 + Pl)




likelihood P (b) = PO x Pl x Pl x P2b

No traffic accident

Mid·tcrm traffic Disruption

likelihood P (cl= PO x P 1 x P3

3150 IIMM International Infrastructure Management Manual 2015

Some costs toWSD to __,.. restore service and address

reputation Issues

Negligible consequence

Minor costs to WSD to

restore service and address reputation issues

Negligible consequence

Negligible consequence

Scenario B Risk 8 = P(b) x C(b)

Scenario C Risk C = P(c) x C(c)

Likelihood definitions. Likelihoods are defined in bands of increasing size. The model allows for input of specific probabilities should this information be available, and would be expected for all risk events which have been identified as unacceptable in the initial analysis.

Consequence definitions. Consequences are assessed across multiple areas of impact representing the triple bottom line considerations. Consequence severities are consistent within the framework across the different impact areas, so that, for example, the description of a “moderate” health and safety consequence is of equal severity as a “moderate” environmental consequence, noting that there is a level of subjectiveness associated with this assessment. Consequences are then expressed in dollar terms for the purposes of calculation and prioritisation.

Criticality definition. Asset attributes, operating context and locational factors are identified and linked directly

Asset Attributes

Size/capacity Material

Component type

Operating Context

function No/type of consumers serviced


Locational Factors

Proximity to slopes Proximity to major uansponation

routes/facilities Proximity to business/tourist areas

Proximity to watercourses


Social/Cultural Health And Safety

Impacts Service Impacts Consequential

Damage Organisational

Integrity Impacts

Environmental Environmental Impacts

Financial financial Impacts

to the consequence tables within the overarching risk framework. A geo-spatially enabled model will quickly and effectively assign a criticality rating from 1 (highly critical) to 5 (non-critical)

Total Consequence of Failure Cost Criticality Risk severity. Risk severity is calculated as the product of the composite consequence (in dollar terms) and the composite likelihood (in statistical probability terms) to calculate an annual risk cost exposure. WSD’s risk framework reports actions for managing risks of different severities, including those events which may be extremely unlikely to occur, but which would have catastrophic consequences if they did. Any risk event assessed as High or Extreme is treated as unacceptable unless further, more detailed analysis indicates otherwise.

Risk Event Identified Core event in itiator and cause

Primary consequence Secondary consequence Tertiary consequence Other consequence

Assess composite likelihood

$50 million+

$10 million – $50 million

$2 million – $10 million

$200,000 – $2 million


Assess composite consequence

Product Of likelihoods Of Each Defined Event From Almost Certain (90%) To Rare (1%)

Core Event

Cause P (cause)

Primary Consequence

Primary Consequence

Secondary Consequence

Secondary Consequence

Tertiary Consequence

Tertiary Consequence

-t Other


Other Consequence

Note: all cost values are for assessment and prioritisation purposes and are subject to further review by WSD.




5 –

Sum of Consequences of Defined Event Across Multiple Areas

of Impact From Insignificant (<=$20,000) To Catastrophic (>$30 Million)

Health and Safety Loss of Service

Consequential Damage Organisational Integrity

Environmental financial

Risk Severity Rating From Low (<$200,000)

To Extreme (>$5 Million) Risk assessed as the product of likelihood (annual

probability) and consequence($)

Options Analysis for High and Extreme Risks

Identify best option to reduce risk using benefit cost analysis:

Benefit= reduction in risk cost Cost = cost of implementing mitigation option

IIMM International Infrastructure Management Manual 2015 3151


$5 million+ Extreme

$1 million – $5 million High

$200.000 – $1 million Moderate

<$200,000 Low


Treatment Strategy

Immediate action required to reduce risk. Treatment options must be investigated and action plans developed at the earliest opportunity, with clear assignment of individual responsibilities and timeframes. Executive Management Team must be briefed following identification of the risk. and following any significant change in risk status. Senior management attention needed. Treatment options must be investigated and action plans must be developed. with clear assignment of individual responsibilities and timeframes. __ _ Management responsibility must be specified. Risk requires specific ongoing monitoring and review. Risk can be accepted or ignored. Manage by routine procedures. however unlikely to need specific application of resources.

Treatment Strategy

$50 million+ $10 million – $50 million $2 million – $10 million $200,000 – $2 million <$200.000

Catastrophic_ Assess contingency planning options and develop action plans Major ——-1-A_ s_s _e _ss_co_ n_ t _in-=gency planning options and develop action plans

Moderate Refer risk severity strategy for this event Minor Refer risk severity strategy for this even!_

Insignificant Refer risk severity strategy for this event

Responsibilities. The risk register clearly allocates

responsibilities. The Risk Owner holds ultimate accountability for a specific risk item, the Risk Administrator is assigned by Risk Owner to assess and

register risk and propose action items, and the Action

Owner is responsible for implementing improvement action/ treatment measures

Options analysis. The risk framework includes a risk

reduction options analysis to identify the best approach to managing the risk. Option benefits, calculated as the present value of the reduction in risk cost exposure, are evaluated against the present value of the option costs,

which may include initial capital outlay, as well as ongoing operation and maintenance costs.

Courtesy of Water Supplies Department, Hong Kong and AECOM

3152 IIMM International Infrastructure Management Manual 2015


Admimistrator Action Owner