| |
What is Risk?
4 April 2014 • Ype Wijnia
risk management
Within asset management, risk management is a very important element. That was already the case in the first formalisations of asset management ( like the International Infrastructure Management manual and its predecessors), and it became evident in the definition of asset management in PAS55:
Systematic and coordinated activities and practices through which an organization optimally manages its physical assets, and their associated performances, risks and expenditures over their lifecycle for the purpose of achieving its organizational strategic plan.
Furthermore, the specification included many requirements with regard to risk management, like the existence of a risk management process, methodology, alignment with corporate risk management policies and many more. There was only one gap: it was not specified what was meant by risk, as risk was not one of the terms in the glossary. Apparently, it was assumed that everybody understood what risk was.
In the new norm about asset management, ISO55000[1], risk management is perhaps even more important. It has become such an integral part of asset management that it does not have a separate set of requirements, it isincluded everywhere. For a change, it has been defined what is meant with risk. Unfortunately, the fact that a definition of risk is included is the only positive thing that can be said about it. ISO55000 uses the definition of risk that is in ISO 31000 which states the following:
Risk is the effect of uncertainty on objectives
Few people will recognize this as a definition of risk. If you search for risk in a dictionary, it is usually defined as bad luck, the possibility that something bad will happen. Sometimes risk is regarded as the expected amount of misery (risk equals probality times consequence). In more advanced approaches, risk is regarded as an event with multiple scenarios for the consequences. To judge a risk, it has become clear that it is not good enough only to regard the expected outcome, the distribution of outcomes and extremes should be taken into account as well, alongside with perception and acceptance of risk. Certainly, uncertainty is important (both about the occurrence of the event as in the consequences of the event, but in all of these concepts of risks there somewhere is a notion of an undesirable event. That seems to have disappeared in the ISO definition. Have they lost their mind at ISO, or did they really discover the grand unifying definition of risk?
In a certain perspective, ISO has a point. The assets exist to realize some objectives of the owner, and anything that makes them deviate can be regarded as a risk. However, acting as a Homo Linguisticus, that is not what the definition states. It is not about the realization of objectives, but about the objectives themselves. And why is it a risk if uncertainty influences the objectives? If there is uncertainty whether the objectives are realistic, it can be wise to relax the objectives a little bit. But the effect of uncertainty on objectives then is a mitigation, not a risk. So, what do they mean? We have to take into account that we, being Dutch, did not understand all the nuances hidden in the definition, but we regard that risk as negligible[2].
Let us assume that our first interpretation wat the correct one, that is, ISO means the effect of uncertainty on the realization of objectives. That makes much more sense, it is even reasonable to state that without objectives, risk cannot exist, as it is impossible to have undesired events. However, that is a philosophical approach to risk, which is of little value in practice. Many objectives are not formulated explicitly, simply because they are extremely obvious. Everybody understands that crossing a busy highway by foot is risky, but what is the associated objective? Is it to cross the road within a certain time? Or would it simply be to stay alive? And what is the uncertainty? The probability you would not get across? The normal definition of risk is much clearer: The risk is that you will be hit by a car and die.
This objection against the ISO definition applies as well to assets as it does to your own life. Certainly, some assets are used to produce something, and it has meaning to speak about production targets. But many assets just have to function, and the risk is that they will fail or their functionality deteriorates. Furthermore, targets are hardly ever formulated for individual assets, they tend to be formulated at the system level (factory, infrastructure, portfolio). We visualized this in the diagram below.
The basis is formed by issues or bottlenecks, problems occurring in a specific asset on a specific location, e.g. bearing x is noisy or pump y leaks. With these acute issues, there is little uncertainty. Issues can be potential: cable z could be overloaded in case of a emergency situation. The uncertainty is complete, this happens or it does not happen for the specific cable. When such an issue is generalized, it becomes a risk: overloading cables in emergency situations. This could happen on many locations. With such generalized issues, the uncertainty changes: from a management perspective it is much smaller. The number will be reasonably certain, though there is uncertainty about the locations where the risk will materialize. Summing all risks will result in the total impact on the whole system performance, for which often a maximum allowed level is agreed. The uncertainty in this combined effect is smaller than that of the individual risks. Some risk may produce more impact, but others will impact less, and uncertainties cancel each other out. Issues and risks can be detected without knowledge about the objectives, but whether the targets have been met can only be determined given knowledge of the agreed target. It is for this reason that we refer to problems on this level as violations. The augmented ISO definition of risk only has meaning on the system level.
Is this all that could be commented on the ISO definition of risk? Fortunately not. For passive assets like infrastructures, but also your own life, objectives tend to be formulated in terms of absence of risks. The ISO definition then becomes: risk is the effect of uncertainty on the absence of risk. To me it seems quite certain that ISO, for a full 100%, certified itself against the norm for circular reasoning.
Ype Wijnia is partner at AssetResolutions BV, a company he co-founded with John de Croon. In turn, they give their vision on an aspect of asset management in a biweekly column. The columns are published on the website of AssetResolutions, http://www.assetresolutions.nl/en/column
[1] The norm consists of 3 parts: 55000, terminology, 55001, requirements and 55002, guidelines. When we mention ISO55000, we mean this series., and requirements refer to 55001.
[2] Actually, we checked by some native speakers and they did not understand the definition either.
<< back to overview
|
