Every organisation naturally likes to tell people about the projects it’s doing. However, it’s what’s not being done, and what’s not being communicated, that can quite literally be a matter of life or death.
intouch spoke to asset management guru Jeff Roorda, General Manager Strategic Asset Management with TechnologyOne, about the vital role risk analysis plays in protecting communities and organisations from foreseeable failures. Importantly, Roorda explains that there are different kinds of risk.

“If someone died or there was a major failure, that is called operational risk. It’s not the only kind of risk – it’s the most visible and most public – but there are other kinds of risk that may be as important,” he says.
“For example, economic risk; if we spend money in the wrong place and don’t even know it and are creating a major problem for future generations, that’s really important. Environment – if we destroy something we can never get back, that’s pretty important. Then, there’s reputational risk.”
Here, Roorda lists three of the most critical mistakes organisations commonly make in their risk analysis, and the processes that should be put in place to avoid them.
1. Not clearly communicating the projects you’re not doing and the consequences of that
“Organisations like to communicate what they are doing and the projects they are constructing, but are less interested in talking about what they’re not doing,” Roorda explains.
Projects that are funded manage risk, such as environmental risk, or reputational risk. The things we’re not doing contain the hidden risk.
“When we have a project that we’ve decided not to do because something else is more important, and that project has risk in it, we need to very clearly communicate what that risk is. Often organisations don’t do that and the consequences of the decision are hidden,” Roorda says.
2. Not clearly communicating the underlying maturity of evidence that’s attached to projects you’ve decided to do and not do
Roorda says it’s vital that operational staff communicate the limits of evidence and business processes to the executive. In other words, they should be free to communicate what they don’t know, without fear of reprisal.
Roorda calls this ‘giving risk a voice’, and says there are a range of processes that should be put in place to achieve this, including a robust and independent audit committee.
“There needs to be a process and a culture where anyone can report a risk to the audit committee. The role of an audit committee is to be independent of the political and hierarchy process,” Roorda says.
3. Assuming that the level of risk management is connected to a resources limitation
Roorda is blunt on this point. “There’s no resource limitation on risk management,” he states. Once the risk of not going ahead with a project is understood, any perceived resource limitation becomes artificial.
“Resource limitations are based on a set of assumptions, which include the assumptions that everyone clearly communicates within their risk framework both what we are doing and especially what we’re not doing, the risk of what we’re not doing, and the limits of our knowledge,” Roorda says.
“Once any political process realises that budget decisions are about accepting risk, the resource limitation conversation is changed to a risk acceptance conversation.”
When it all goes wrong
To drive home these points, Roorda references (with permission) a tragic case from NSW that resulted in the deaths of five people, including three children, when a major culvert failed during heavy rain. The coronial inquiry that followed found gaping holes in the council’s risk analysis and reporting processes.
“The coronial inquiry uncovered that some people in both the state and local government organisations had identified that there was the potential for that asset to fail,” Roorda explains.
“There were documents and estimates to repair the fault, but it never actually made it into a final project. Nobody actually communicated that there was a known risk that needed a project and it wasn’t being done.”
In addition, the council knew very little about the asset, but failed to communicate to anybody that they had a high-risk asset they knew almost nothing about. Most asset-intensive organisations have these unknown risks, where insufficient resources have been allocated to the systems, processes and technology to manage them.
“The second thing that happened is there were gaps in information about that particular culvert. The asset/liability was transferred from the State Government to local government, who didn’t want the asset/liability and didn’t allocate enough resources to manage it,” Roorda says.
“When there was a failure, the coronial inquiry then said, ‘Where is this detail, where is this business process, where did you communicate to your council that a) you weren’t going to do it and b) you knew almost nothing about it?’”
“What do you think the council’s defence was as to why they didn’t do it? They said ‘We don’t have the resources’. Whilst this is a common reason for inaction, it is something you as an asset manager must not ever say, because a risk process says, ‘So tell me, what is your budget?’ At this point, it doesn’t matter whether your budget is $1 million, or a $100 million, or $10 billion, or a $100 billion. The coroner's judgement was that you are in control of the asset and you are in control of community wealth and you are responsible. The council decided to spend money on other projects instead of managing this risk, because there was no system in place to clearly communicate the risk.”
Roorda says the council in question then took steps to improve its processes.
“In all these things, the underlying cause takes many years and many administrations to create and whoever happens to be sitting in the chair when the music stops, happens to face the full fury of the consequences. It's grossly unfair, but it’s how our system works,” he says.
“The people in that position then immediately took steps to make a series of changes to improve and that included an independent asset and risk management review, improving the evidence, putting in place asset and risk management plans, and putting in place improved processes.”
Giving risk a voice: The importance of audit committees
During the inquest, the coroner found both RTA and council staff had identified potential risk, but there was no way for that voice to go into the risk management framework, and the memos and reports had fallen through the cracks. “Except, the coroner found it,” Roorda points out.
To avoid this, Roorda says organisations need a clear channel of communication to wherever the decision-making rests for the allocation of resources.
“What should have been in place was a framework and system that allowed clear communication to the political level. It’s one of the reasons that audit committees are so important – but there’s a lot of room for improvement in audit committees,” he says.
“Audit committees are independent entities, that are able to, and statutorily required to, report to an executive on risks the organisation faces. But in lots of cases audit committees don’t have people with skill sets that understand infrastructure risk.”
Roorda recognises that an organisational culture focused on serving political priorities can create roadblocks for reporting risks.
“To address this, there are two things that should be put in place. The first is an independent risk and governance framework. There needs to be a process and a culture where anyone can report a risk to the audit committee. The role of an audit committee is to be independent of the political and hierarchy process. It’s to give risk a voice,” he says.
“If there’s someone in the organisation that sees something, which is exactly what happened in the culvert example, they need to be able to report it and ensure it is in the risk management plan. When that’s not in place, the operations people further down the organisation end up wearing the risk.
“The second is a formal risk maturity audit. That is a process that’s done by someone expert, who looks at an organisation and says, ‘Here is a structure for reporting what you do know and what you don’t know in an established framework’.”
IPWEA’s International Infrastructure Management Manual (IIMM) is an example of an established framework for the proper management of infrastructure risk, Roorda says.
About Jeff Roorda
Jeff Roorda is General Manager Strategic Asset Management for TechnologyOne. As a civil engineer with more than 35 years’ experience in asset management, his role is to provide collaborative guidance and leadership as our technology, society and environment change. Our current old infrastructure and supporting systems were built when the world was very different; this is a time of great change and opportunity to learn from our past and provide the knowledge to guide our leaders to make wise decisions about what infrastructure is needed for future generations.