Risk governance –
improved accountability in
the environmental goods
and services sector
Prof. Simon Pollard
Professor of Environmental Risk Management
Head, Sustainable Systems Department, SAS
Director, ‘The Risk Centre’
Welcome to my world!
Reality, thesis
“Risk analysis tools, risk management
frameworks, risk champions, risk matrices and
risk committees are important organisational
commitments …
… but alone, they are not enough to secure a
risk management culture within an
organisation”.
Beyond insurance and
loss prevention
(after Hartford, 2007)
Carried by society
Probability
of loss
Carried by organisation
Risk appetite
Government
Typical limits of
insurance
premium
106 £ Consequences
(loss)
109 £
Long journey –
offshore oil sector
(Piper Alpha, 1988-)
Towards preventative risk
management
Safety culture: factor of 5-10
improvement demonstrated
Loss (€)
operating staff had no commitment to
€ € €The
€
the written procedure; and that the
procedure was knowingly and flagrantly
disregarded (Official report into Piper Alpha
Disaster, The Cullen Inquiry, 1990)
Risk management culture:
additional factor of 3-5 believed
€
Risk mature, self learning organisations
0
(after DNV, 1999)
5
Implementation (years)
10
Structure
•
•
•
•
•
•
Axioms
Environmental goods and services sector
We lost our way (for a while)
Rebuilding confidence
Risk governance – 8 things to do
Implications for leadership – vigilance, an
antedote to complacency
Axioms
(a risk primer)
•
•
•
•
•
•
•
•
•
Human progress is bound with taking risk
Hazard and risk
Risk = probability x consequence
Multidimensional concept (financial, social,
reputational, environmental, safety, insurance)
Perceived risk = hazard + outrage
Risks and values (consequences and bias)
Risk analysis only as good as the evidence
Risk acceptability and risk appetite
Cultures of measured risk-taking - competencies
Environmental goods and
services sector (2005)
•
•
•
•
•
£25 bn turnover in 2004 (UK), and growing
employs ca. 400,000 people in the UK
>17,000 companies in the sector
on a par with aerospace and defence
delivers clean water, waste management,
power, flood defence, support services
• as such, major contributor to public health and
environmental protection/conservation
• routine discharges necessary, strictly controlled
• risk management and confidence of citizens is
critical to delivery
(after BERR, 2005)
Corporate and
environmental risk
The probability that an event or action will adversely affect
the delivery of organisational objectives
All risks
financial, reputation
health & safety, operational,
legal, political, market etc.
Environmental
risks
Key business
risks
The probability that an event or action
will adversely affect the achievement
of strategic corporate objectives.
(after Environment Agency, 2001)
Preventative risk
management
probability
High risk event
L
H
Low risk event
consequence
Risk and the statute
s.13 Radioactive Substances Act 1993
(authorisation of disposal facilities)
COMAH Regulations 1999
(safety report structure)
s.78C of Part IIA Environmental Protection Act 1990
(identification of special contaminated land sites)
Water Supply (Water Quality) Amendment Regulations 1999
(Cryptosporidium risk assessments)
s.11 Pollution Prevention and Control (England and Wales)
Regulations 2000
(preventing accidents and their consequences)
PR04 (AMP4) (2002-3)
(risk-based asset management planning)
Sewage sludge regs. and possible biosolids directive (2003/4?)
(HACCP methodologies for critical control points)
WHO Drinking water quality guidelines, 3rd Revision (2003)
(Water safety plans)
Tools and techniques
Increasing Resolution,
sophistication and cost
A, B and C represent risks requiring assessment
Quantitative
B
Line representing
acceptability level of
risk
Semi-quantitative
B
C
B
C
Qualitative
A
Increasing Risk (log scale)
(after Pollard et al., 1995)
Regulating the sector
Business
performance
Potential to
cause harm
Cost to regulator
and business
Regulatory
impact
Regulatory
mechanisms
No action
Inform
Good
Low
Low Deregulatory
Educate
Advise
Influence
Instruct
Poor
High
High
Regulatory
Warn
Enforce
Prosecute
(after Leinster, 2001)
Modern regulation –
the regulator as
facilitator and
enforcer
• Organisations take full responsibility for their activities
(business risk management)
• Look to organisations to go beyond compliance
(EMS / continuous improvement / TQM/ ISO14001)
• Focus on environmental benefits and outcomes
- goal-orientated (target processes and operators
presenting the greatest environmental risks)
• Prevention at source, upstream, through waste
minimisation, prevention and better design (source control)
• Incentives for better performers (economic instruments)
• Match regulatory approach to the operator’s performance
and attitude (‘risk = hazard x management’)
• Retain firm and proportionate prosecution and enforcement
Overall risk
Whither regulation, and
the Hampton agenda
Strategy:
reduce resource,
maintain constant
risk
Conventional
resource planning
Strategy:
reduce risk,
maintain constant
resource
Combination of
reducing risk
resource and risk
residual risk
Risk-informed
resource planning
Overall resource
Risk-informed regulation
Operator performance
appraisal score
High
In
Low
(after HMIP, 1995)
cr
e
as
i
ng
re
so
ur
ce
High
Pollution hazard appraisal score
Risk dynamics:
waste management
Risk
Zero management
Operational incident
Progressively
deteriorating
facility
Residual risk
Episodic risks with
management change
Effective waste management
Post-operational risks
Operational
(Pollard, 2004)
Post-operational
Annual individual risk
of a radiological detriment
Probability of an incremental
radiological detriment to a
maximally exposed individual (yr-1)
10-2
10-3
10-4
Regulatory pressure
As low as is
reasonably achievable
10-5
10-6
deemed
negligible
t0
time
Optimisation
Radioactive waste disposal
t10 000
Strategic landscape:
Risk ‘futures’?
[…] and the strategic choices that follow:
are a partworld
of the world
•• AWe
borderless
•• The
transition
to a knowledge
Establishing
priorities
and focussociety
•• Individualization,
new groupsand
andprojects
changing
Concentrating on investments
forvalues
the
• IT
and biotechnology are transforming society and
future
production
• Modernizing public sector commitments
• Increased technological and social complexity and
• vulnerability
Making full use of human resources
•• Climate
change
finite
natural resources
Taking firm
stepsand
toward
a sustainable
(low carbon)
society
(after Swedish Technology Foresight, 2004)
Strategic risk appraisal
Probability of occurrence
Communicate,
participate
• Issues – ‘apples’ and ‘oranges’, accounting for
Group risks, so we can prioritise and
harm,
Risk 1 prioritising risk management
implement appropriate strategies
together
act now,
firmly
• Comparative risk analysis – tools for the
Risk 2
Environment Agency, informing ‘state of the
environment’
reporting; business
risk (AwwaRF)
Higher Priority
monitor,
Risk 3
educate
Risk 5
• Measuring the effectiveness of risk-based
decisions – responding to the ‘Hampton
Implementation
Review’ (EA)
Risk 6
precaution
Medium Priority
Risk 4
• Lower
Portfolio
in risk governance – informing
Priority
investment (YW) & resource planning (EA OPRA)
Consequences
Coastal flooding
(Chiswell, 1979)
Assumed Flood Risk Profile
(EconomicEstimated
Damage f rom
Fluvial & Coastal
Flooding
in England,
exposure
to flooding:
£400m
to £600m
Probabilitybased on adjusted NaFRA model calibrated to historic data)
30%
Typical
damages
25%
Mean = £0.5bn
95%ile = £1.6bn
99%ile = £3.3bn
Annual spend
(£550m)
20%
15%
1953
floods
Easter 1998
Autumn 2000
10%
5%
-5
5+
2
-1
8
1.
Economic Damages (£bn)
(after Defra, 2006)
.9
.7
6
1.
-1
.5
4
1.
-1
2
1.
-1
.3
.1
-1
1
.9
8
0.
-0
6
0.
-0
.7
.5
4
0.
-0
.3
-0
2
0.
0
-0
.1
0%
Managing risk:
flood defence
‘raw’ risk
impacts following
flood event
H
New capital works
improved flood
warnings
development
control
development
in flood plain
climate change, asset deterioration
increase in impervious ground
probability of flooding
(after Meadowcroft, 2002)
H
Selected events in the risk agenda, 1992 Strategy unit
work on risk
ILGRA sat
OGC ‘management
of risk’
HMT orange book
Modernising government
Royal
Society
‘Risk’
BSE
‘Phillips’
Hampton
HoL ‘Risk in Govt’
BRC ‘Whose risk?’
‘Turnbull’
1995
1992
Better regulation
Strategy Unit
FMD
2001
2007
2004
1998
Policy/regulatory approach
Broader risk landscape
Risk & Reg Advisory
Council
2010
‘SAC’ on risk
Defra risk
management
strategy
‘Green Leaves I’
Departmental
guidance on ERA
(DoE)
Risk advice in Govt.
‘Green Leaves II’
(DETR, EA, IEH) First cut
‘strategic
risk appraisal’
Departmental
Risk coordinator
2013
2018
2021
Defra performance
programme
Top 200 consider ‘Risk’
Defra/Research
Councils’ Risk Centre
Defra initiatives
Incertitude, risk,
uncertainty and ignorance
The Unknown
As we know,
there are known knowns.
There are things we know we know.
We also know there are known unknowns.
That is to say, we know there are some things
we do not know.
But there are also unknown unknowns,
the ones we don't know we don't know.
—Feb. 12, 2002, US Department of Defense
news briefing
(after Stirling, 1999)
We lost our way
(for a while)
• The precautionary principle (hazard or risk)
• Quantified risk analysis – a focus on the end result
rather than in generating insight
• ‘Announce and defend’ instead of engage
• John Gummer and that hamburger (promise no
more risk than you can deliver!)
• BSE, risk, science, trust, FMDv 2001
• FMDv (reprise, 2007)
We forgot how risks occur and propagate in
organisations and sectors, and the true value of
risk analysis
Incidental ingestion of
contaminated fill for adult
worker
‘Superfund’ risk assessments
Mean
Intake
(mg/kg-d)
Upper Bound
Intake (mg/kg-d)
Slope
Factor
(mg/kg-d)-1
Specific
Risk
(mean)
Specific
Risk
(upper)
As
3.1 x 10-6
4.5 x 10-6
1.8
5.6 x 10-6 8.1 x 10-6
B[a]P
2.1 x 10-7
6.4 x 10-7
11.5
2.4 x 10-6 7.6 x 10-6
Chemical
Potential
Carcinogens
Total
8.0 x 10-6 1.6 x 10-5
Proportion of avoidable
human cancer deaths for
both sexes of the US
population
Factor
Tobacco
Alcohol
Diet
Reproductive and sexual
Occupation
Food additives
Pollution
Industrial products
Sunlight, UV light, other
Medicines, medical
Total
% of total cancer deaths
Best
Range
30
25-40
3
2-4
35
10-70
7
1-13
4
2-8
less than 1
minus 5-2
2
less than 1-5
less than 1 less than 1-2
3
2-4
1
0.5-3
85-87
The remaining 13-15% are due to infectious agents (certain viruses and parasites)
and certain genetic factors that predispose certain individuals
(after Doll and Peto, 1980)
Rebuilding confidence in
risk governance
• Confidence: trust, impartiality, knowledge and
evidence
• Capability: competence, legal power and
technical feasibility (practicability)
• Communication: of risk, actions taken and
results (engagement)
(after Worthington, 1997)
Communication and
deliberation
Community involvement good value?
What about the ...
cost
Risks
delay and
prevarication
volatile
unstable
have own
agendas
Box above their
weight
alliances outside
community
Community and social organizations are dynamic and evolving
“difficult to manage ”
Strategic focus, 2002(Turnbull, Strategy
Unit)
•
•
•
•
•
strategic decisions
strategic
decisions
transferring strategy
into action
decisions
required for
implementation
(after Strategy Unit, 2002)
programme
project and
operational
prioritising corporate plans
multidimensional issues
‘incommensurate’ risks
data availability
limited resources
Enterprise risk
management
11%
14%
8%
7%
32%
5%
4%
13%
Other
19%
18%
External service provider/
advisor
55%
45%
42%
Senior management intuition
and experience
55%
23%
19%
7%
All
(after AON, 2007)
5%
The Americas
Business Unit registers or key
risk indicator worksheets
12%
Europe
3%
Asia/Pacific
Board workshops or scenario
planning
Risk governance as
strategic competitive
advantage
Capabilities
are
characteristic
of individuals,
not of the
organization
Initial
Process
established
and
repeating:
reliance on
people is
reduced
Established
Policies,
processes
and practices
defined and
formalized
across the
organization
Uniform
Risks
measured,
managed and
aggregated
on an
enterprisewide basis
Organization
focused
on RM as a
source of
competitive
advantage
and
continuous
improvement
Managed
Optimizing
RISK
OPPORTUNITY
Systematically Build and Improve Risk Management Capabilities
(after Franklin, 2007)
1. Agree your risk appetite,
and tell your people
(after Strutt, 2001)
2. Find pockets of good
practice and spread the
word
(courtesy of BAE Systems)
3. Use risk knowledge to
drive organisational
learning
Data
Evidence
observation,
reflection,
and analysis
Information
‘Lessons
learnt’
knowledge
base
Knowledge
Organisational learning
(after Strutt, 2001)
decisions with authority
simulations/ analyses
experiments
tests & observations
monitoring operations
benchmarking
Decision making
4. Root out latent flaws
operational procedures absent
inadequate training
rapid deterioration in
raw water quality
poor communication of importance
of chlorine residual
INCIDENT OCCURS
absence of near
miss reporting
loss of chlorine residual
Latent and active flaws lie dormant - “if you don’t
actively manage risk, it doesn’t go away, it just builds
up”.
(after Reason, 2000)
5. Ensure hard and soft
cultural items in place –
for power structures
Hard, measurable existence of:
• Risk actively reviewed &
reported to CEO
• Audit Committee governance
of risk – actions by Audit Chair
• Used in decision making
processes
• Visible ownership of Risks and
actions
(after Johnson, 1992; Content, 2005)
Soft, observable evidence of:
• Are reports lip service, or
part of decision making
process?
• CEO views of the value of
risk management
• Are “rising stars” on board
• Just compliance with
requirements, or beyond
compliance?
• Deference to expert
judgement
• Challenge is welcomed
6. Benchmark against
others and ‘best in class’
Risk capability maturity level
Risk management process
1
Strategic risk planning
Establishing risk acceptance criteria
Risk analysis
Risk based decision making and review
Risk response
Risk monitoring and feedback
Integrating risk management
Supply chain risk management
Change management
Education and training
Risk knowledge management
(after MacGillivray et al., 2007)
2
3
4
5
Processes
Core
Strategic risk planning (SRP)
Establishing risk acceptance
criteria (ERAC)
Improving
Risk analysis (RA)
Risk based decision making
and review (RBDM)
Risk response (RR)
Risk monitoring (RM)
RKM
Integrating risk management
(IRM)
Supporting
Supply chain risk
management (SCRM)
Education and training in risk
management (E&T)
Risk knowledge management
(RKM)
3
E&T
RA
2
1
CRM
RBDM
RR
SCRM
IRM
(MacGillivray et al., 2007a, b)
ERAC
4
Change risk management
(CRM)
Long-term
SRP
5
RM
7. Retain organisational
slack (high reliability
organisations)
Reduce costs, more efficient
Before you go here, have you
assessed and shared your
appetite for risk?
marginal
Healthy (assets, organisations,
teams, individuals)
The danger is one of
becoming failure
tolerant. This not only
increases failures, but
makes them acceptable.
failed
8. Raise the bar on
accountability
ACTIONS
NO.
KEY INDICATORS
Risk of what to
whom
1
Possibility of poor
access to key
Agency staff
MEASURES AND
CONTROLS
Risk management
actions
PERFORMANCE
INDICATORS
Risk monitored
through:
Early discussion of
needs with Agency;
support to Project
Board on likely key
individuals; sound
preparation thus
minimising interview
time; feedback postdiscussion
Level of
engagement
with project;
uptake of interim
and final
documents
REVIEW
of risk
RESPONSIBILITY
Risk
owner
Monthly
Contractor
and Project
Board
Organisational risk
management maturity
New strategic tools
Link risk analyses and evidence
• Strategic
risk tools
work, and getting
beyond the
Improved
riskthat
management
maturity
analysis – managing risk, defensibly with confidence
• Risk and evidence
• Capacity building – competencies, leadership and
behaviours (vigilance)
Implications for leaders
• Set the tone – risk governance is not a cottage
industry
for head
office for
types,
it’s central
to your
‘XXXX’
fined
£100,000
hazwaste
incident
strategic
competitive
advantagehas been made to
The
UK’s largest
waste company
• Good
= confidence
= business
value
pay
overgovernance
£160,000 following
an incident
which
sent
Preventative
or incident
a• plume
of toxicrisk
gasmanagement
across Merseyside
and
management?
resulted
in four members of staff being taken to
• Measured risk taking (opportunity) or risk aversion
hospital.
(cost)
• Protecting your licence to operate
• Rediscovering your ‘basic assumption’
Summary
• Protecting public health and the environment, is
inherently bound up with sound risk governance
• Strategic capability and operational vigilance
should be risk-informed
• Regulation is changing – expect more of this
• Citizens are central – without confidence and
legitimacy none of the utility infrastructure can be
built
• Governments play a central role - one increasingly
engaged in promoting risk-sharing
References
Pollard, S.J.T., Yearsley, R., Reynard, N., Meadowcroft, I.C., Duarte-Davidson, R. and Duerden,
S. (2002) Current directions in the practice of environmental risk assessment in the United
Kingdom, Environ. Sci. Technol. 36(4): 530-538
Pollard, S.J.T., Kemp R.V., Crawford, M., Duarte-Davidson, R., Irwin, J.G. and Yearsley R.
(2004) Characterising environmental harm: developments in an approach to strategic risk
assessment and risk management, Risk Anal., 24(6): 1551-1560
B.H. MacGillivray, J.V. Sharp, J.E. Strutt, P.D. Hamilton and S.J.T Pollard (2007) Benchmarking
risk management within the international water utility sector. Part II: a survey of eight
water utilities, J. Risk Research 10(1): 105-123
MacGillivray, B.H. and Pollard, S.J.T. (2008) What can water utilities do to improve risk
management within their business functions? An improved tool and application of process
benchmarking, Environ. Intl. 34: 1120-1131
Pollard, S.J.T., Bradshaw, R., Tranfield, D., Charrois, J.W.A., Cromar, N., Jalba, D., Hrudey,
S.E., Abell, P. and Lloyd, R. (2009) Developing a risk management culture – ‘mindfulness’
in the international water utility sector, Awwa Research Foundation Research Report 91242
(TC3184), Awwa Research Foundation, American Water Works Association and IWA
Publishing, Denver, CO, ISBN 978-1-60573-045-5.