With growing automation and more complex assets comes growing risk, where risk is defined as the probability and impact of a negative consequence. In the world of asset management, negative consequences can take many forms, such as premature failure, a more catastrophic failure than anticipated, or an incident or near miss involving an asset. This is why regulatory bodies have increased their vigilance and reporting requirements in almost every industry. It is also why accurate risk scoring using your CMMS has risen in importance.
This column provides guidelines and considerations in establishing a risk score. Whatever method you use to generate a risk score must be simple to learn and use, but sufficiently comprehensive to be effective in managing total risk.
Objective of a risk score
An effective risk scoring model helps you find the right balance when trying to
- Minimize risk
- Maximize asset performance and reliability
- Minimize the total cost of ownership for your physical assets
Risk scoring ensures you focus on the right work on the right assets at the right time, in order to manage the tradeoffs above. Too much attention spent on mitigating every risk is very expensive, but so is ignoring a risk that is highly probable and carries catastrophic consequences. These extremes are obvious, but risk scoring helps manage the more nebulous middle ground.
When to risk score
The risk score is derived from three components, namely the criticality of things, the priority of work, and change factors that affect criticality and priority over time. These three components are described below and are depicted graphically in Exhibit 1 – A Model for Risk Scoring. Modern CMMS packages can be used to capture all of these components, but have varying degrees of sophistication for generating and changing a risk score over time.
Exhibit 1 - A Model for Risk Scoring
The work program within the CMMS can be used to record a risk score on job plans for all expected or planned work, including job plans triggered by asset failure, condition, or usage (i.e., time, meter, or event). For all unexpected or unplanned work generated from compliance audit deficiencies, vendor recalls, events, incidents, an unanticipated condition assessment, and other anomalies, a case is initiated and a risk score is associated with the overall case. As well, all work resulting from that case will be risk scored, such as corrective work to immediately address the issue (e.g., clean a spill and temporarily fix the leak), or work to permanently prevent recurrence (e.g., replace all old piping).
Components of a risk score
The risk score is derived from three components, namely the criticality of things, the priority of work, and change factors that affect criticality and priority over time. These three components are described below and are depicted graphically in Exhibit 1 – A Model for Risk Scoring. Modern CMMS packages can be used to capture all of these components, but have varying degrees of sophistication for generating and changing a risk score over time. Some companies never combine any of the components to formulate an overall risk score, while others use complex algorithms, especially for critical assets and high priority work.
Work Priority – Job plans should be created on your CMMS for all expected work, including at least a single field for “priority”. Priorities can be alphanumeric values ranging from high (e.g., regulatory work, safety inspections) to low (e.g., no safety or production consequence if work not done). For unexpected work, a case or equivalent is opened, and all related work requests will be assigned a priority when initiated (e.g., to repair a safety system that has tripped).
Criticality of Things – When acquiring a new asset, component, or part, almost all CMMS packages allow users to define its criticality. As with work priority, criticality can be an alphanumeric value ranging from high (e.g., safety equipment, equipment required to prevent catastrophic failure, essential part with enormous lead time) to low (e.g., redundant equipment exists, part is cheap and accessible).
Change Factors – This is the most complex component of the risk score and by far the most underutilized. There are change factors that affect the work priority, such as work orders that are past due. There are also ones that affect criticality, such as the age of the equipment. Change factors might affect both these components through the combined risk score, such as environmental conditions, how hard the equipment has been running, and end of life issues.
Change factors can be represented by a comprehensive formula that considers multiple variables. However, sometimes a simple algorithm will suffice: for example, adding 20% to the risk score each day that high priority work on a critical asset is overdue. Additionally, most modern CMMS packages can link escalation of the risk score with their notifications feature. In the example above, suppose the first day the work is overdue an email is sent to the manager, the second day to the VP, and the third day to the President.
Risk categories to consider when scoring
When quantifying criticality, priority, and ultimately a risk score subject to possible change factors, it is imperative to build a model that considers all of the following risk categories:
- Health and safety risk –incident or near miss
- Environmental risk – spill of hazardous material
- Security risk – hack into key equipment
- Asset reliability risk – key asset fails often or is replaced early
- Operational risk – delay in production
- Financial risk – lost profit if customer takes business elsewhere
- Legal/regulatory risk – non-compliance with local bylaw
- Reputational risk – poor quality product goes viral
- Latent risk – competitor with same equipment has explosion
The difficulty, of course, is keeping the model simple yet effective, by making it easy for users to assess the risk across all relevant risk categories each time a risk score is calculated. In some cases, this can be pre-determined such as asset criticality and job plan priorities built into the work program, or automated such as an algorithm for generating a risk score combining the asset criticality and job plan priority. The CMMS can help in this regard with a few simple algorithms.
Risk scoring guidelines
When you design a risk scoring model, bear in mind that some users tasked with determining the risk score will be highly cognizant of the time and effort required to calculate a score, versus the perceived value in doing so. Some may find the whole process unnecessary, or at the very least inaccurate. They may consider the exercise as a public relations gesture imposed upon them by relevant regulatory bodies, auditors, lawyers, and/or top management. As a result, it is important to build a model that:
- Is perceived as value added in the eyes of those creating and working with the risk score.
- Is easy to understand and takes users little time to create a score.
- Is difficult to bypass or manipulate results without having to actually think about how to respond.
- Is designed with a simple user interface, but built on a sophisticated framework supporting comprehensive calculations, as well as error and reasonableness checking, with immediate feedback to the user during data entry.
- Analyzes scoring to ensure that the model satisfies management objectives, and that users are entering scores accurately, consistently, and in a timely manner.
- Offers sufficient online Help (e.g., a wizard feature), to ensure that users enter data efficiently and effectively.
- Has a "zero out" capability at any time in the scoring process, in order to contact a knowledgeable person directly (e.g., by phone or using an online chat) if the user is genuinely struggling and requires assistance.
- Includes false questions to help determine whether users are responding properly.
- Contains optional fields or questions that allow users to provide greater explanation (e.g., a text field or additional coded fields).