Risk Management, as all aspects of an Enterprise, may be divided into three main components:
- People (Human and Organizaitonal aspects of the Enterprise),
- Facilities (Physical process equipment, buildings, etc.), and
- Systems (Control and Information Systems from regulatory control devices to Corporate IT).
Supply Chain may be considered a fourth component, but it is unique in that does not operate within the Enterprise facilities, but may still have an impact on the Enterprise.
PERA also divides Enterprise Risks into General Risks, Industry-specific Risks and Facility-specific Risks.
- General Risks are those that may apply to any Enterprise. Examples may include cybersecurity risks to Corporate IT Systems. Such IT systems tend to be similar across all Enterprises, so risk assessment can be done without considering Industry-specifc factors.
- Industry-specific Risks might include risk that a company that operates oil pipelines could experience a cyber attack on its SCADA systems.
- Facility-specific Risks are unique to a particular production facility. For example, a facility in a 100-year flood area may face risks specific to that location.
The ability to assess risks varies widely by industry and facility, and mitigation measures often involve standards and regulations that are specific to that industry or regulatory jurisdiction.
PERA has therefore established a PERA Enterprise Classification System which may be used to identify User Guides in similar industries. Here is the current list of PERA Industry Classes
In addition, a Risk Summary Report is recommended for each industry class.
It should be noted that in the Risk Summary Report, the Professional Role (or Roles) responsible for managing that Risk, are indicated on the right.
These may, of course, be changed in the Enterprise, Program or Project Master Plan, however, consistency in an Enterprise or an Industry is probably advisable.
Secondary Professional Roles (such as Procurement or H/R) may be engaged as considered appropriate by the responsible role.
Risk Management Standards
PEOPLE
- OSHA 29 CFR Most often cited Human safety standards.
- HACCP (Hazard Analysis, Critical Control Point).
Used in Food and Beverage Industries to control risk of producing dangerous products.
- 40 CFR Part 68 EPARMP provides a systematic method for the analysis of risks associated with potential equipment and piping failures.
FACILITIES
- HAZOP (HAZard and OPerability Study). Used in chemical, petrochemical and other large scale continuous process industries to systematically evaluate and mitigate risk.
- SIS/SIL Safety Instrumented Systems for the process industry sector - Part 1: Framework, definitions, system, hardware and application programming requirements
- ISO 14000 defines the environmental risk
mitigation required for all operating facilities.
- US Coast Guard Standards are used to assess and mitigate Offshore Platform Hazards (link to follow later).
- 40 CFR Part 63 Outlines key Emissions Standards established by the US Government which will require many refining and petrochemical facilities to reassess their flare systems. Pay special attention to National Emission Standards for Hazardous Air Pollutants for Source Categories.
- 40 CFR Part 68 EPARMP provides a systematic method for the analysis of risks associated with potential equipment and piping failures.
- ISO Risk Management vocabulary document is ISO 73:2009
- ISO Risk Management Standard are ISO 31000 and ISO/IEC 31010
SYSTEMS
SUPPLY CHAIN
- HACCP (Hazard Analysis, Critical Control Point). Used in Food and Beverage Industries to control risk of consumers receiving dangerous products.
- Material Safety Data Sheets describing the hazards associated with a large number of chemicals, provided by 3E Company.
In most cases, the first step in risk management involves finding all applicable standards for that particular industry and geographic (political) jurisdiction.
If these standards are met, at least the legal requirements have been addressed.
We welcome your Comments and Suggestions
Back to PERA Home Page
