This paper describes the benefits of applying a risk pathway method as an evidence-based whole of supply chain risk assessment approach in the delivery of efficient and effective quality management frameworks for water. It presents a new approach for assessing water service provision risk that considers the chronology of the series of causes, impacts and consequences to business outcomes including reputational, public health and supply continuity. The approach allows assessment of the relationship between causes and impacts, the potential for threat convergence, and the appropriateness, effectiveness, interdependence and criticality of controls. The provision of whole-of-system risk visibility allows better targeting of controls along the supply chain in preventive, detective or corrective timeframes, and at local site to corporate business levels. The approach allows enabling functions of the business such as information technology, human resources and safety to be assessed within the context of supply quality and continuity. An example of the application of this method to provision of water services shows the benefits of the method. Application of the methodology to the assessment of the whole-of-business risk is discussed.
In an urban context, the uncertainties facing the water industry are becoming increasingly difficult to manage. For example, water scarcity driven by climate change and population growth, a greater frequency and intensity of extreme weather events, and increased rates of urbanisation have resulted in new and constantly evolving challenges to managing water supply. Similar factors affect the adequacy of wastewater services and the protection of the environment. Furthermore, the supply of water, wastewater and recycled water services in an urban context is complex. It involves a range of enterprise-level considerations including safety, skills and capability, information technology, and planning. In addition, there are a variety of external regulatory and reputational pressures, as well as potential public health and environmental risks.
A robust risk management framework that accounts for this identified evolving complexity and uncertainty should be considered a fundamental management tool to ensure the successful delivery of water industry business objectives. Effective risk management identifies risks, assesses their tolerability, and implements control measures to prevent or mitigate negative impacts on products and services. Importantly, risk assessment identifies any improvement actions that minimise risk and are required to ensure the continuing provision of services. In this context, it is necessary to take an evidence-based approach to assessing risk informed by data and based on effective risk management frameworks. An evidence-based approach ensures that water service providers focus resources on realistic threats and allocate resources to appropriate, effective control mechanisms.
Various frameworks have been developed that provide key concepts, principles and guidelines for risk management. For example, the water quality management framework set out in the Guidelines for Drinking-Water Quality (WHO 2011) was a significant step forward in risk-based management of drinking water quality and supply. The development of the water safety plan framework was heavily influenced by the risk management principles in the Australian national drinking water guidelines (NHMRC & NRMMC 2011), which in turn is based on the Australian and New Zealand standard AS/NZS 4360 (1999), the international standard ISO 9001 (2000) and the Hazard Analysis and Critical Control Point management system (CAC 1997). Each of these risk management frameworks focused on understanding the potential hazards across the supply chain.
In 2009, a new international standard was introduced, ISO 31000:2009, with the intention of clarifying risk management principles, expanding the risk management framework from AS/NZS 4360 and broadening the applicability across all industries. ISO 31000:2009 shifted the concept of risk in AS/NZS 4360 from ‘the chance of something happening that could impact on business objectives’ to defining risk as ‘the effect of uncertainty on objectives’ (AS/NZS ISO 31000 2009). In this way, the emphasis moved from the event to the effects and the focus was on using the most appropriate controls to increase the likelihood of achieving the stated objectives (Purdy 2010). ISO 31000:2009 outlines the key elements of risk management as involving an iterative process of establishing the context, conducting a risk assessment and treating the risk. Risk assessment, consisting of identifying, analysing and evaluating risk forms the core component of this risk management framework and can be executed in various ways.
Water utilities generally use frameworks that highlight a preventive, risk-based approach centred on understanding and assessing the supply system (NHMRC & NRMMC 2011; WHO 2011). The assessment consists of identifying hazards, estimating the likelihood and consequences and focussing on a multiple-barrier approach to controls (Miller et al. 2005). While hazard identification is qualitative, risk evaluation can be either qualitative or quantitative.
Among the methods used by the industry to assess drinking water supply risks, the ‘hazard identification and risk assessment’ (HIDRA) method is common. This method first involves identification of hazards through various techniques such as brainstorming, experience from the past, and inspection of data and reports. This is typically followed by a qualitative assessment of likelihood and consequence of risk, based on the judgement of subject matter experts. The output of the process is a tabular summary of risks, known as a ‘risk register’. Hokstad et al. (2009) describe hazard identification and subsequent assessment as a coarse risk analysis method. Coarse risk analysis provides a useful overview of the key risks to a water utility's activities and allows a level of risk treatment prioritisation.
It is arguable whether the HIDRA approach, being based on identifying and managing individual risks, is adequate to accommodate the multiple-barrier approach used by the water industry for controlling identified hazards or to address the complexity of supply. A more comprehensible approach is to adapt a bow-tie diagram to couple a fault tree and an event tree linked to a hazardous event (e.g. water treatment failure) to illustrate the complete chain of causes that can lead to an event and the possible resulting consequences (Chevreau et al. 2006; Ferdous et al. 2013). This depiction is then useful to identify appropriate locations for controls, or ‘barriers’ (Hokstad et al. 2009). Furthermore, the diagram is an effective communication tool, shown to have improved HIDRA (Contos & Crawford 2016). The bow-tie method can also include a quantitative analysis of the risk (Ferdous et al. 2013).
Fault tree and event tree analyses, as referred to above, are means of qualitative identification of potential scenarios and sequences of events and their related causal factors. Fault tree analysis involves a structured logic diagram detailing causes that lead to a specified event, known as the ‘top event’ (Lee et al. 1985). The event tree details the sequence of events (i.e. the consequences) that can occur after a hazardous event has occurred (Andrews & Dunnett 2000). These tools were intended as methods to be applied across a system and so can be time-consuming to construct when applied in detail. However, as discussed, there is also precedence in applying these tools in a simplified way to develop a bow-tie diagram to improve risk assessment, treatment and communication. As for bow-tie diagrams, fault tree and event tree analyses can be both qualitative and quantitative (Hokstad et al. 2009; Gnavi et al. 2015).
Methods assessing quantifiable aspects of drinking water quality risk, such as quantitative microbial risk assessment (WHO 2016), are relatively newer than qualitative techniques. Such methods allow for the association of catchment condition and treatment performance to health outcomes (WSAA 2015), contributing to effective drinking water safety planning and practices (Smeets et al. 2010; Petterson & Ashbolt 2016). Quantitative methods can also be leveraged in more complex analyses involving Bayesian modelling (Beaudequin et al. 2015).
Risk assessment at Sydney Water
Sydney Water provides water, wastewater and some stormwater products and services to over 4.6 million people. These services are governed by quality management frameworks, which have risk management at the core. Currently, Sydney Water applies ISO31000:2009 by conducting risk assessments using HIDRA. This results in individual risks being defined as a line item described by the hazardous event and the expected effect, or outcome, of that event. The risk is rated according to the consequence and likelihood of that event. For each line item described, relevant controls and risk ownership is allocated to the risk. When applying this risk assessment method to a product or service supply-chain, a number of limitations have been identified:
Resultant risk registers are complex and contain an impracticable number of risks for assessment and regular review.
The relationships between risks are difficult to derive.
Focus is placed on product or service delivery inputs and outputs without considering relationships with and the implications of wider corporate risks.
It is difficult and time consuming to conduct scenario analysis.
Long lists of controls are defined for each risk and are not differentiated based on chronology or hierarchy of application, and as such it is difficult to assess the appropriateness, effectiveness, and criticality of controls.
A consensus of expert opinion is relied upon, which can limit how comprehensive the assessment is and can cause confusion with differences in risk evaluation based on language and opinion.
These limitations can lead to risk management decisions that overlook how risks are experienced at local site, system or corporate levels of the business. The limitations also prevent an assessment of the adequacy of controls or their priority in the context of the whole supply chain. These limitations highlight the need for an understanding of risk and control that cannot be described simply by a single hazard and effect approach. They also identify the need for a method that investigates all possible causes and consequences and efficiently prioritises risk controls. In response to these challenges, the risk pathway method was developed based on an adapted event tree/fault tree approach, so that risks could be better understood and controls better allocated to manage causes, impacts or consequences within the context of a complex water supply chain and business operating system.
This paper outlines the methodology of the risk pathway method and the supporting tool that has been developed to address the above requirements and improve risk management for the water industry. An example of implementation of the risk pathway method that illustrates the benefits of the method is presented.
MATERIAL AND METHODS
Risk pathway method
The risk pathway method was based on identifying and depicting risks as a map of possible causes, impacts and consequences. In the risk pathway method, ‘impacts’ refer to changes to the business's operational performance (e.g. water treatment process failure). The ‘impacts’ are created by upstream internal and external ‘causes’ (e.g. inadequate operational procedures, bushfire). The ‘impacts’ create downstream ‘consequences’ for the customer and community (e.g. failure to meet regulation, sickness).
Risk pathways were established by linking points (or ‘nodes’) on the map using a combination of fault tree and event tree methods. For any given impact on business function the cascade of causes, impacts and consequences were mapped in the pathway, as conceptualised in Figure 1.
In this way, a comprehensive risk pathway map was incrementally developed that identified how the various risk pathways were interconnected through shared causes, events and consequences based on the consideration of all possible causes and outcomes for every node.
Each node of the risk pathway map was characterised by identifying a risk owner and identifying the relevant controls used to manage that node. In the risk pathway method, the ‘risk owner’ is responsible for ensuring that the controls for that node are appropriate for managing the linked upstream nodes and that the controls are effective for decreasing the risk of the linked downstream nodes.
Controls were also classified for the whole risk pathway both temporally as being preventive (controls applied to prevent a consequence from occurring), detective (controls applied to detect a consequence when it occurs and initiate a response) or corrective (controls applied to remediate a consequence after it has occurred), and spatially as being applied at either a local site, at a system level or at the corporate level (Figure 2). Each node in the map was characterised by a unique set of controls (Figure 3), with each control assigned to a position in the overall risk pathway control analysis matrix (Figure 2). The nodes, node links and controls were reviewed by subject matter experts relevant to each area.
To evaluate the risks on a risk pathway map (Figure 1), each risk pathway was evaluated individually for its current risk rating, using a typical risk matrix approach. Both the likelihood and consequence of any given node occurring were considered relative to the ‘upstream’ causes on the left hand side of the pathway, the ‘downstream’ consequences on the right hand side of the pathway, and the effectiveness of the controls at managing each node along the pathway.
The evaluations were quantified or qualified depending on the subject matter. Pathways presenting the greatest risk were identified, as well as the controls that are critical to the management of multiple high-risk pathways.
Risk pathway mapping tool
The risk pathway mapping methodology was supported by a modelling tool established in Microsoft Excel 2013 using Visual Basic for Applications coding.
The tool's user interface was developed to display all possible causes, impacts, consequences, node links, controls, risk ratings and risk ownership. Given the complexity of entire risk pathway maps, the model was developed with a filter capability. The filter provided the user with the ability to isolate and view risk pathways for individual nodes or by risk rating. The tool was also developed to allow the user to display controls by status or effectiveness.
To assist the end user, the tool incorporated a simple, single user interface for developing and reviewing risk pathway maps. The tool also incorporated a number of risk pathway templates and libraries so users could learn from previous risk assessments. The risk pathways map could be readily exported to a traditional risk register format, if required.
RESULTS AND DISCUSSION
The advantages of the developed risk pathway method were many-fold. The method allowed the complexity of supply chains, including corporate and operational inputs, to be visualised in entirety (not shown) while still providing the ability to visualise individual pathways (Figure 3) in isolation to facilitate assessment. In this example of risks impacting drinking water quality, there are multiple causal events leading to multiple consequences. The highest risk pathway is shown in bold (Figure 3). This pathway shows an upstream causal scenario of a contaminated catchment, occurring at the same time as a storm causing power loss and treatment plant failure. Treatment plant failure leads to an impact of abnormal quality in the drinking water supply network. The abnormal water quality leads to downstream consequences of adverse public health outcomes and reputation damage (Figure 3).
Although the simplified example in Figure 3 shows only one central impact node (‘abnormal quality’), the risk pathway method is able to represent the linkages between multiple impacts in a supply chain, taking into consideration a range of causes and consequences from the operational to corporate levels. The developed risk pathway method addressed the risk assessment requirements described in ISO 31000:2009. It fulfilled the requirements of risk identification, risk analysis, risk evaluation, and risk treatment. It also enhanced the processes of communication and consultation and facilitated monitoring and review.
In comparison, the HIDRA approach using a risk register does not readily allow for a comprehensible assessment of complex supply chains. As can be seen in the example from an existing risk register (Figure 4; three risks shown out of more than 200), each risk was identified, analysed, evaluated and treated in individual risk register line items. This approach fails to show the linkages that exist between the three example risks, potentially leading to poor evaluation and risk treatment. In comparison to the risk pathway method, the HIDRA method shows tendency for poor risk evaluation due to the following:
Multiple line items (risk descriptions) for one risk pathway. The HIDRA risk register does not visualise the interaction between the risk descriptions and so it is possible to miss issues of risk convergence and control interdependence.
The HIDRA risk consequences focus on the ultimate impacts at an enterprise level (e.g. reputational impacts) and so can miss the causal impacts along the risk pathway where controls can be applied.
It is difficult to effectively prioritise and allocate controls for each risk description and across the risk register.
A novel aspect of the developed method is the ability to identify the application of controls for each node along the pathway. Under the HIDRA method, risks may be assigned a common risk owner (i.e. a person within the organisation responsible for oversight of that risk), since each risk is assessed individually (Figure 4). This prevents a comprehensive assessment of control prioritisation or effectiveness due to the ownership of controls generally being different to the ownership of risk. Instead, the effectiveness of the management of individual risks is generally assessed based on the presence of controls rather than their effectiveness. The risk pathway method addressed the need for better assessing control effectiveness by allowing a greater level of control characterisation (Figure 2). The characterisation and visualisation of controls across the entire risk pathway (Figure 3) provided a greater ability to prioritise and apply controls more effectively through better placement either temporally (preventive, detective or corrective), or spatially (local site, system or corporate) to better manage risk.
The risk pathway method was used for the risk review process required under Sydney Water's water quality management systems. It was found that once the risk pathway map was completed, it became a reference point requiring minimal upkeep. This shifted the discussion during risk reviews away from individual risks and toward the adequacy of controls and their management. In practice, this reflects key business activities (e.g. the management of critical control points), enabling a clearer assignment of accountability for business processes. Uncertainties were better defined through analysing the likelihood and consequence at each node, which facilitated the identification of areas where improvement to controls or the assessment of their effectiveness could be made. Notwithstanding, it was accepted that the first iteration of the risk pathway map would not cover all possible risks. The structure of the tool easily allowed additional risks to be included when identified, with appropriate nodal links, changes to risk ratings and inclusion of controls.
Additional benefits from application of the risk pathway method were identified. The establishment of a comprehensive and interconnected risk pathway map will be a valuable planning tool by better facilitating scenario analysis. The risk pathway map provided the ability to assess the impact on the risk rating of an entire risk pathway with changing conditions (data not shown). For example, changes to the intensity or likelihood of causes, additional causes or changes to the effectiveness of controls were reflected in changes to consequence.
The most economical and effective measures for risk treatment opportunities become evident in the evaluation and prioritisation of the risk pathway and through the analysis of controls. Improvement opportunities also take into account scenario analysis and the opportunity to standardise controls across portfolios of projects.
The primary objective for developing the risk pathway approach was to provide the ability to view risk in the full context of a complex supply chain and to be able to better characterise the adequacy of controls. A secondary objective was to provide a meaningful and efficient way to undertake risk reviews that focussed on assessing control management rather than reviewing the risks themselves. The developed risk pathway method addressed these issues.
The method was found to greatly enhance the value of the risk assessment process for water service provision by offering a more robust risk identification and management process than is typically used, while still addressing the requirements of risk management standards. The benefit of the process is demonstrably the ability to visualise the connectivity of causes, impacts and consequences at an enterprise level and therefore provide clarity of risk ownership, as well as control adequacy and ownership. The approach is highly adaptable; it is being applied by Sydney Water to all aspects of the water cycle including drinking water, wastewater, recycled water and stormwater in a whole of water cycle context. It is also being applied at the business management level in terms of safety, finance, urban growth, assets and people capability. It is planned in the near future to join all individual risk pathway maps to create a complete water cycle risk pathway map, describing all business risk. Further work is also progressing on translating the risk pathway approach to a Bayesian belief network to better quantify nodes and control effectiveness and to assist in scenario testing.