Any organisation implementing a risk framework should have as a minimum a:
- Risk Policy
- Risk Strategy
- Risk Procedures
- Risk Register
- Internal audit process to support the framework
The overall objectives of a formal risk management approach are to:
- Outline the process by which an organisation will manage risk associated with its assets, so that all risks can be identified and evaluated in a consistent manner
- Identify operational and organisational risks at a broad level
- Allocate responsibility for managing risks to specific staff to improve accountability
- Prioritise the risks to identify the highest risks that should be addressed in the short to medium term.
Infrastructure risk can be driven by:
- The asset (e.g. structural failure or failure to deliver required level of service)
- The service the asset is expected to support (e.g. raw water quality), or
- Events (e.g. power outage, flooding)
Event-based risks require separate consideration, because assets that are a low risk when considered individually may be part of a much higher risk if an event causes multiple failures. A common example occurs with multiple pumping facilities: the failure of each pump or station on its own may have an insignificant effect (due to duplication), but an event like a power outage could result in total system failure.
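The pumping example above can be made concrete with a small risk-register calculation. The following Python block is an added illustration, not part of the original text: it scores three duplicated pump stations as independent assets and then adds a single event-level entry for a power outage that fails all of them at once. The per-station failure probability, the event probability, the consequence ratings and the owner names are all assumed values chosen for the example.

```python
"""Constructed example (not from the original text): why event-based risks
need a separate entry in the risk register.

Three duplicated pump stations are first assessed as independent assets, then
together with a common-cause event (a power outage) that fails every station in
the same period. All probabilities, consequence ratings and owners below are
assumed values for illustration only.
"""
from dataclasses import dataclass
from typing import List

# Qualitative consequence scale, assumed here for the example (1 = least severe).
CONSEQUENCE = {
    "insignificant": 1,
    "minor": 2,
    "moderate": 3,
    "major": 4,
    "catastrophic": 5,
}


@dataclass
class RiskEntry:
    asset_or_event: str
    likelihood: float   # probability of the failure within the assessment period
    consequence: int    # rating on the CONSEQUENCE scale against an agreed criterion
    owner: str          # staff member accountable for managing the risk

    @property
    def score(self) -> float:
        """Likelihood x consequence, the usual register score used for ranking."""
        return self.likelihood * self.consequence


def independent_system_failure(p_unit: float, n_units: int) -> float:
    """Probability that every one of n duplicated units fails in the same
    period when their failures are independent of each other (duplication
    makes total loss very unlikely)."""
    return p_unit ** n_units


def system_failure_with_event(p_unit: float, n_units: int, p_event: float) -> float:
    """Probability of total loss once a common-cause event is included: the
    event fails all units at once, and if it does not occur the units can still
    fail independently."""
    return p_event + (1.0 - p_event) * independent_system_failure(p_unit, n_units)


def build_register(p_unit: float, n_units: int, p_event: float) -> List[RiskEntry]:
    """Asset-level entries for each station plus one event-level entry for the
    outage, sorted with the highest score first so the top risks are obvious."""
    entries = [
        # Each station on its own: duplication means its loss is insignificant.
        RiskEntry(f"pump station {i}", p_unit, CONSEQUENCE["insignificant"], "ops engineer")
        for i in range(1, n_units + 1)
    ]
    # The event entry captures the correlated failure the asset entries hide.
    entries.append(
        RiskEntry(
            "power outage -> total loss of pumping",
            system_failure_with_event(p_unit, n_units, p_event),
            CONSEQUENCE["catastrophic"],
            "network manager",
        )
    )
    return sorted(entries, key=lambda e: e.score, reverse=True)


def top_risk(register: List[RiskEntry]) -> str:
    """Name of the highest-scoring entry, i.e. what to address first."""
    return register[0].asset_or_event


if __name__ == "__main__":
    # Assumed inputs: 10% per-station failure, 3 stations, 5% outage probability.
    register = build_register(p_unit=0.1, n_units=3, p_event=0.05)
    print(f"independent total loss: {independent_system_failure(0.1, 3):.4f}")
    print(f"total loss incl. outage: {system_failure_with_event(0.1, 3, 0.05):.4f}")
    for entry in register:
        print(f"{entry.score:6.3f}  {entry.asset_or_event:40s}  owner: {entry.owner}")
```

With the assumed inputs, the chance of losing all three stations through independent failures is 0.001, which would rank as a low risk, while the outage entry scores far above any individual station and rises to the top of the register. Assigning that entry its own owner is what turns the event-based risk into something a named person is accountable for.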
Risk management criteria relating to assets include:
- Financial risk – direct costs
- Public health and safety
- Economic impact on users and businesses
- Environmental and legal compliance
- Network, asset and project performance
- Image and reputation
The establishment of risk management criteria is one of the most important steps in the risk management process, as it sets the framework for consistent risk decision-making.