830 likes | 1.34k Vues
SHE & the Risk Management Standards. LEIGHTON BENNETT (BSc, MDP dip, ROSProf, FIoSM, AIRMSA) SHE & RISK MANAGEMENT CONSULTANT BENRISK CONSULTING 083 325 4182 benrisk@mweb.co.za. BENRISK. Overview. Early OHS in RSA OHS “MBO” grading systems
E N D
SHE & the Risk Management Standards LEIGHTON BENNETT (BSc, MDP dip, ROSProf, FIoSM, AIRMSA) SHE & RISK MANAGEMENT CONSULTANT BENRISK CONSULTING 083 325 4182 benrisk@mweb.co.za BENRISK
Overview • Early OHS in RSA • OHS “MBO” grading systems • Introducing the SANS OHSAS 18000 & SANS ISO 14000 Management Systems … (SHE) Business’s new compliance focus: • New Company Act & King III requirements • SANS ISO 31000 Risk Management Standards • Introducing the Principles, Framework & Process • Moving to risk-based SHE management? BENRISK BENRISK
RSA’s Early OHS History • 1941 Factories, Machinery & Building Work Act • 1941 Workman’s Compensation Act • 1956 Mines & Works Act • 1983 Machinery & Occupational Safety Act • 1993 Occupational Health & Safety Act • 1993 Compensation for Occup. Injuries & Diseases Act • 1996 Mines Health & Safety Act • 11/4/1951 National Occupational Safety Association established • 1968 Regional manager Wyn Burger’s first grading system introduced in KZN (A, B, C, D, +ve & -ve, across 4 categories) • 1970 NOSA’s Star Grading “MBO” management system • 1972 Introduction of Loss Control BENRISK
NOSA’s “MBO” OHS programme OHS Objectives were originally set by establishing a checklist of certain basic elements, against which compliance could be measured: • Under 5 main headings (ie. Housekeeping, Mechanical Guarding, Fire Prevention, Accident/Incident Recording & Safety Organisation) • With some 73 sub-items that need to be managed to achieve & maintain OHS compliance This was the only real local OHS management system available for many years BENRISK
RSA’s Adopted OSHE Systems South Africa has adopted the OHSAS Occupational Health and Safety Standards as • SANS OHSAS 18001:2011 OHS MANAGEMENT SYSTEM - REQUIREMENTS • SANS OHSAS 18002:2011 OHS MANAGEMENT SYSTEM - IMPLEMENTATION GUIDELINES And for environmental • SANS ISO 14001:2005ENVIRONMENTAL MANAGEMENT SYSTEMS - REQUIREMENTS WITH GUIDANCE FOR USE BENRISK
What does this mean? These OHSAS Requirements have been developed : • in response to customer demand for a recognizable occupational health and safety management system standard • To have an OHS management standard against which their management system can be assessed and certified .... for benchmarking! BENRISK
Why Adopt this OHS System? Organizations of all kinds are increasingly concerned with achieving & demonstrating sound occupational health & safety (OH&S) performance by controlling their OH&S risks, consistent with their OH&S policy & objectives. They do so in the context of increasingly stringent legislation, the development of economic policies and other measures that foster good OH&S practices, and of increased concern expressed by interested parties (customers) about OH&S issues BENRISK
ISO/OHSAS Management Standards • ISO/OHSAS Standards Certificates, like ISO 9000 , ISO 14000 or OHSAS 18000, only attest to compliance with minimal requirements for documentation and administrative procedures. • So the relationship between the certification and the actual product quality, environmental or safety/health performance of a particular organisation, for example, is very debatable. • Often certification is obtain to satisfy suppliers or customers, but not because of it giving added value to an organisation Alan Waring & AIan Glendon – Managing Risks 2001 NOTE: The SANS 31000 Risk Management standard was designed as a general guide BENRISK
Increasing SHEQ Pressure With endeavours to improve competitiveness companies are adopting the SHEQ management systems: • ISO 9000s Quality management systems • ISO 14000s Environmental management systems and now the • SANS OHSAS 18000s Health & Safety management systems BENRISK
SHEQ by MBO All the SHEQ ISO/OHSAS systems are “MBO” based systems, where a standard is set against audit elements against which your management system is measured & can be certified. There is little compliance latitude given if aspects of the your management system does not conform to the required “MBO” audit standard. Non-conformances are readily issued BENRISK
General OHS System Requirements The organization shall: • establish, • document, • implement, • maintain & • continually improve an OH&S management system in accordance with the requirements of this SANS OHSAS Standard & determine how it will fulfil these requirements BENRISK
The OHS Management System Model > Continual improvement Management review OH&S policy Checking & corrective action Planning Implementation & operation BENRISK
4.2. OH&S Policy Top management shall: • define & • authorize the organization’s OH&S policy & • ensure that there is a defined scope for its OH&S management system BENRISK
4.3. Planning The organization shall establish, implement and maintain procedures for: • the ongoing hazard identification, risk assessment, & the determination of necessary controls. • identifying & accessing the legal & other OH&S requirements that are applicable to it • Documented & measurable OH&S objectives, at relevant functions & levels within the organization. BENRISK
4.4. Implementation & Operation • Top management shall take ultimate responsibility for OH&S & the OH&S management system. • The organization shall ensure that any person under its control performing tasks that can impact on OH&S is competent on the basis of appropriate education, training or experience, & shall retain associated records. BENRISK
4.4. Implementation & Operation With regard to its OH&S hazards & OH&S management system, the organization shall establish, implement & maintain procedures for: • Adequate communication, participation & consultation on OHS matters • The establishment & control of documentation for or required by the OH&S management system & by this SANS/ OHSAS Standard • The organization shall determine those operations & activities that are • Managing the implementation of the OHS risk control measures associated with the identified hazard(s). • The establishment, implementation and maintenance of emergency preparedness & response measures. BENRISK
4.5. Checking & Corrective Action The organization shall establish, implement and maintain procedures to: • Monitor & measure OH&S performance on a regular basis • Monitoring the OHS objectives being met & the effectiveness of the OHS control measures • Periodically evaluating compliance with applicable legal & other relevant requirements • Monitoring the recording, investigation and analyse of incidents & the corrective actions applied • Deal with the actual & potential nonconformities & the taking of corrective action & preventive action. • Establish & maintain records to demonstrate conformity to the requirements of its OH&S management system & of this SANS/OHSAS Standard BENRISK
4.6. Management Review • Top management shall review the organization’s OH&S management system, at planned intervals, to ensure its continuing suitability, adequacy & effectiveness. • Reviews shall include assessing opportunities for improvement & the need for changes to the OH&S management system, including the OH&S policy & OH&S objectives. • Records of the management reviews shall be retained • The outputs from management reviews shall be consistent with the organization’s commitment to continual improvement & shall include any decisions & actions related to possible OHS system improvements BENRISK
ISO Integration of the Management Silos The management disciplines: Risk Integration Safety & Health Environmental Quality Finance, Legal, etc Administration Marketing Finance, Legal, etc Engineering Production Procurement INTEGRATING RISKS ACROSS THE “SHERQ” SILOS BENRISK
Risk Integration: RM vs ISO RM can be applied to all the business management disciplines/silos & this is called Enterprise-wide RM when all the silos are being risk managed. The ISO approach is usually focused on specific business areas, like quality, safety & the environment, so the other business areas are often not adequately risk managed BENRISK
Business’s New Compliance Focus The business compliance focus of the SA’s companies has been changed because of : • 2008: The new Companies Act No 71 – wef May 2011 • 2009: King III Code on Corporate Governance • SANS/ISO 31000:2009 – Risk Management: Principles & Guidelines Standard • SANS/ISO 31010:2010 – Risk Management: Risk Assessment Techniques Standard New: • SANS/ISO 19011:2012 - Guidelines for Auditing Management Systems Standard This now requires business to adopt a risk based approach when assessing their operations BENRISK
Companies Act No 71 of 2008 – w.e.f. May 2011 Act’s Purpose: 7.b.iii: To encourage transparency and high standards of corporate governance as appropriate …. within the social & economic life of the nation 7.j: To encourage the efficient and responsible management of companies This involves managing the risks … & OHS? BENRISK
King III - Code on Corporate Governance2009 – w.e.f. March 2010 • Details a code of principles & practices to be applied on an ‘apply or explain’ basis. • Applies to all entities regardless of the manner & form of their incorporation or company establishment. • Good governance is not something that exists separately from the law. • Directors & management must discharge their legal duties, that are grouped into two categories, namely duty of care, skill & diligence, & fiduciary duties. BENRISK
King III - Code on Corporate Governance2009 – w.e.f. March 2010 • Corporate governance mainly involves the establishment of structures & processes, with appropriate checks & balances that enable directors to discharge their legal responsibilities • Risk involves operational, strategic, financial and sustainability issues • A risk-based approach is more effective as it allows internal audit to find out whether controls are adequate for the risks which arise BENRISK
KING III: Chapter 4 Risk Management 4.1: Risk management is inseparable from the company’s strategic & business processes 4.2: The management should be responsible for the implementation of the RM process 4.3: Risk management should be practiced by all staff in their day-to- day activities 4.4: The board should be responsible for the process of risk management 4.5: The board should approve the company’s chosen risk philosophy 4.6: The board should adopt a risk management plan 4.7: The board may delegate the responsibility of risk management to a risk committee 4.8: Risk assessments should be performed on an ongoing basis 4.9: The board should approve key risk indicators & tolerance levels Do these principles also apply to managing OHS? BENRISK
KING III: Chapter 4 Risk Management 4.10: Risk identification should be directed in the context of the company’s purpose 4.11: The board should ensure that key risks are quantified & are responded to appropriately 4.12: Internal audit should provide independent assurance on the risk management process 4.13: The board should report on the effectiveness of risk management 4.14: The board should ensure that the company’s reputational risk is protected 4.15: The board should determine the extent to which risks relating to sustainability are addressed & reported on 4.16: The board should ensure that IT is aligned with business objectives & sustainability 4.17: The board should consider the risk of the unknown as part of the qualitative & quantitative risk assessment process Do these principles also apply to managing OHS? BENRISK
KING III: Chapter 7 Compliance with laws, regulations, rules & standards 7.1: Companies must comply with applicable laws & regulations 7.2: Companies should consider adherence to applicable rules & standards 7.3: The board & each individual director should be aware of the laws, regulations, rules & standards applicable to the company 7.4: The board is responsible for the company’s compliance with laws & regulations, & should ensure that the company implements an effective compliance framework & processes 7.5: Compliance should form part of the risk management process BENRISK
The need for risk management If something can go wrong, it will go wrong! (One of Murphy's laws!) Risk Management is about trying to prevent 'things‘ from going wrong, or to reduce the impact if something does go wrong BENRISK
So what risk/s went wrong? • System/s failures: • Titanic 1921 • Three Mile Island 1970 • Flixborough 1974 • Bhopal 1984 • Challenger 1986 • Chernobyl 1986 • Piper Alpha 1988 • Toulouse Fertilizer 2001 • World Trade Centre 2002 • Deepwater Horizon 2010 • Natural disasters: • Indonesia’s earthquake & tsunami 2004 • Hurricane Katrina 2005 • Iceland’s volcano ash 2010 • Japan’s earthquake & tsunami 2011 BENRISK
SANS/ISO 31000:2009 – Risk Management: Principles & Guidelines Standard The standard describes three aspects: • 3. Principles for Risk Management (11 off) • 4. The Framework (5 steps) • 5. The Risk Management Process (5 stages) BENRISK
The Risk Management Principles, Framework & Process Relationships: (SANS 31000) PRINCIPLES FRAMEWORK PROCESS BENRISK
3. Principles for Risk Management(SANS /ISO 31000) 3a. Creates & protects value – (objectives & improving performance) 3b. RM is an integral part of all organisational processes 3c. RM is part of decision making 3d. RM explicitly addresses uncertainty 3e. RM is systematic, structured & timely 3f. RM is based on the best available information 3g. Risk Management is tailored 3h. Risk Management takes human & cultural factors into account 3i. Risk Management is transparent & inclusive 3j. Risk Management is dynamic, interactive & responsive to change 3k. Risk Management facilitates continual improvement of the organisation Can “Risk Management” above be replaced by OSHE? BENRISK
4. The relationship between the RM framework components PLAN DO ACT RM Process CHECK 4.2. Mandate & Commitment Principles 4.3. Design a framework for managing risk 4.4. Implementing risk management 4.6. Continual improvement of the framework 4.5. Monitoring & review of the framework BENRISK
4.2. Mandate and commitment The introduction of RM & ensuring its ongoing effectiveness require strong & sustained commitment by management of the organization, as well as strategic & rigorous planning to achieve commitment at all levels. Is the mandate & commitment required for OHS compliance any less than that for risk management ? BENRISK
4.3. Design a framework for managing risk • Understand the organisation & its contexts • Establish a risk management policy • Set accountability • Integrate into the organisation RM processes • Provide resources • Establish internal communications & reporting mechanisms • Establish external communications & reporting mechanisms Establishing a OHS programme is no different from establishing this framework for managing OHS BENRISK
4.4. Implementing risk management • Implementing the framework for managing risk: ⎯ Define the appropriate timing & strategy for implementing the framework; ⎯ Apply the RM policy and process to the organizational processes; ⎯ Comply with legal & regulatory requirements; ⎯ Ensure that decision making, including the development and setting of objectives, is aligned with the outcomes of risk management processes; ⎯ Hold information and training sessions; and ⎯ Communicate and consult with stakeholders to ensure that its risk management framework remains appropriate. • Implementing the risk management process : ⎯ Ensuring that the risk management process is applied through a risk management plan at all relevant levels & functions of the organization as part of its practices & processes. Implementing any system is a process irrespective of it being for RM or OHS BENRISK
4.5. Monitoring & review of the framework To ensure that RM is effective & continues to support organizational performance, the organization should: • Measure RM performance against indicators, which are periodically reviewed for appropriateness; • Periodically measure progress against, & deviation from, the RM plan; • Periodically review whether the RM framework, policy & plan are still appropriate, given the organizations' external & internal context; • Report on risk, progress with the RM plan & how well the RM policy is being followed; & • Review the effectiveness of the RM framework. To ensure system effectiveness all management systems need to be reviewed BENRISK
4.6. Continual improvement of the framework • Based on results of monitoring & reviews, decisions should be made on how the RM framework, policy & plan can be improved. • These decisions should lead to improvements in the organization's management of risk & its risk management culture. For continual improvement to occur the RM process must have a closed loop to restart the process The overall aim of a management system is to eliminate issues & continually improve BENRISK
5. SANS / ISO 31000 RM Process . Establish the Context Communicate & Consult Monitor & Review Risk Assessment Identify risks Analyse risks Evaluate risks Treat risks BENRISK
5.2. Communication & Consultation • Communication and consultation with external and internal stakeholders should take place duringall stages of the RM process • A plan for communication & consultation should be developed at an early stage. • This plan should address issues relating to: • risk itself, • its causes, • its consequences (if known), & the measures being taken to treat it. BENRISK
5.3. Establishing the context By establishing the context, the organization: • articulates its objectives, • defines the external & internal parameters to be taken into account when managing risk, & • sets the scope & risk criteria for the remaining process What context is to be considered concerning SHE ? What are the desired SHE targets & the achievement criteria set? BENRISK
5.3. Establishing the context of the risk management process • The objectives, strategies, scope & parameters of the activities of the organization, or those parts of the organization where the RM process is being applied, should be established. • The management of risk should be undertaken with full consideration of the need to justify the resources used in carrying out RM. • The resources required, responsibilities & authorities, & the records to be kept should also be specified. BENRISK
5.4. The Process to Manage Risk • Before managing any risk/s, one has to identify, analyse & evaluate “all” the actual & potential risks • This process is the Risk Assessment stage of the RM process SHE legislation requires risk assessments to be performed to not only identify risks, but to also develop risk mitigation measures to reduce risks to an acceptable level BENRISK
WHAT IS A RISK? The term ‘risk’ is an abstract term which has different meanings depending on the context of use: • ONE: A SITUATION ELEMENTS meaning: • Hazard = A condition or practice with the potential for causing harm &/or • Exposure = An unprotected situation against potential harm BENRISK
WHAT IS A RISK? • TWO: The EVALUATION PARAMETERS meaning: • Likelihood or Frequency (3x /year) or Probability(1 in 50) & • Consequence or Severity(in R/$/£/€) • THREE: An INSURANCE RISK meaning: The Insured or the Insured’s property BENRISK
Risk Defined (SANS 31000) Risk is the effect of uncertainty on objectives Where the effect is a deviation from the expected – positive &/or negative … &… Objectives can have different aspects (such as financial, H&S, environmental goals) & can apply at different levels (such as strategic, organization-wide, project, product or process) Alternative risk definitions: Are like those previously described BENRISK
King III – Risk Assessments 1.7: The Board should be responsible for the process of risk management 4.4: The Board is responsible for the process of risk management 4.8: The Board should ensure that risk assessments are performed on an ongoing/ continual basis 7.5: The Board should ensure that the company implements an effective compliance framework & process BENRISK
5.4. RISK ASSESSMENT THE IDENTIFICATION OF UNDESIRED EVENTS, THEIR CAUSES & ANALYSINGTHEIR LIKELIHOOD & POTENTIAL CONSEQUENCES - CONSIDERING EXISTING CONTROL MEASURES- IN ORDER TO MAKE AN EVALUATION AS TO THEIR ACCEPTABILITY BENRISK
5.4.1. RISK IDENTIFICATION Risk identification a process of finding, recognising and describing risks • Involving the identification of risk sources, events, their causes & their potential consequences • A risk source is an element which alone or in combination has the intrinsic potential to give rise to a tangible or intangible risk Every business requires some 7 critical resources to exist BENRISK
WHAT RESOURCES ARE “AT RISK”? P = People E = Equipment P = Process/ Procedures M = Materials E = Environment L = Legal & Liability F = Finances BENRISK