Risk management and well-managed companies

John Moubray's article speaking out against streamlined RCM approaches was a watershed article. For the first time, Moubray spoke about the coming age of accountability for those charged with managing assets, and the need for defensibility in decision-making.

He was slammed by many at the time as a scaremonger; however, the reality has proved to be far more frightening than anything any of us could have imagined.

The Hatfield rail disaster, the BP refinery explosion in Houston, the Buncefield explosion and the passing of the C-45 bill in Canada have proved, beyond a shadow of a doubt, that defensibility in decision-making should be firmly on the mind of any asset manager, or any company charged with managing physical assets.

That's the frightening angle, but there is another angle to this, one that is far more frightening for corporate executives, particularly in light of the recent financial meltdowns in the UK and USA.

For example, in Australia (and the environment in the USA and UK is similar) the Australian Stock Exchange has released guidance for companies called Principle 7. The thrust of this guidance note is that well-governed and well-managed companies need to have a functioning process in place for managing risk.

The guidance note specifically states that:

"Recommendation 7.1: ‘Companies should establish policies for the oversight and management of material business risks and disclose a summary of those policies’."

and...

"Recommendation 7.2: ‘The board should require management to design and implement the risk management and internal control system to manage the company’s material business risks and report to it on whether those risks are being managed effectively. The board should disclose that management has reported to it as to the effectiveness of the company’s management of its material business risks’."

The implications of this are dramatic, and drive home two points related to risk management. First, the often tactical approaches that we generally adopt are probably not enough to fulfill these requirements. Second, there is probably a need for a larger registration and management process for defining, reporting on and monitoring the material risks of a business.

In fact, their guidance notes point out that compliance with this area of corporate governance must be provable.

If you haven't already done so I strongly recommend that you check out Australian Standard AS/NZ4260. This is, as far as I understand it, the only existing globally recognized standard on how to create and implement a corporate process for the management of risk.

As Moubray pointed out, it is wise to be able to make decisions in an environment that can be defended if required. And it will be far easier to defend decisions made according to a recognised global standard than to explain the company's reasons for choosing not to use such a standard.

I am working with a range of organizations today to try to implement corporate risk-management processes and systems. And it is challenging, to say the least.

One of the things that is proving significantly challenging is moving away from the child-like dependence on risk matrices that many in our industry seem to have, and moving organizations toward quantifiable risk profiles.

I don't think now is the time for dumbing down the discipline; now is the time for driving understanding deeper and higher into the corporate hierarchy.

Your thoughts are welcomed.
