
Here is a cheat sheet for new risk engineers that provides the framework for making risk management decisions in a refinery:
- Risk management is the process of identifying, assessing, and controlling risks that may affect the safety, performance, and sustainability of a refinery.
- Risk management involves three main steps: risk identification, risk analysis, and risk treatment.
- Risk identification is the process of finding and describing the sources and causes of potential hazards, threats, and opportunities that may affect the refinery’s objectives and operations.
- Risk analysis is the process of estimating the likelihood and consequences of risk events, and evaluating the level of risk based on the criteria of acceptability and tolerability.
- Risk treatment is the process of selecting and implementing the appropriate measures to modify the risk level, such as avoiding, reducing, transferring, or retaining the risk.
- Risk management should be integrated into the system development life cycle, and follow the principles of the Risk Management Framework (RMF)², which consists of six steps:
  - Categorize the system and its information
  - Select the applicable security and privacy controls
  - Implement the controls and document how they are deployed
  - Assess the effectiveness of the controls
  - Authorize the system to operate based on the risk assessment
  - Monitor the system and the controls continuously
- Risk management should also follow the guidelines of the Oil and Gas Industry Management System Standards (OMS)¹, which provide a holistic approach to risk in the context of oil and gas asset operational lifecycles. The OMS framework is based on the Three Lines Model, which defines the roles and responsibilities of the different functions in the organization:
  - The first line is the business assets and facilities functions, which identify and manage the risks at the operational level
  - The second line is the risk and control functions, which monitor and report the risks, and provide guidance on the effectiveness of the internal control systems
  - The third line is the internal audit function, which provides independent assurance on the adequacy and compliance of the risk management processes
- Risk management should also consider the best practices and lessons learned from the industry, such as the case studies of the Aramco³ and BP⁵ refineries, which demonstrate the importance of having a robust and proactive risk management system to prevent and mitigate major accidents and incidents.
Source: Conversation with Bing, 12/4/2023
(1) NIST Risk Management Framework | CSRC. https://csrc.nist.gov/Projects/risk-management/about-rmf.
(2) Management system standards for oil and gas industry – ISO. https://committee.iso.org/files/live/sites/tc67/files/Workgroup2/Management%20system%20standards%20for%20oil%20and%20gas%20industry%20v2019-08.pdf.
(3) 4. Risk – Aramco. https://www.aramco.com/-/media/images/investors/annual-report/ara-2022-risk-english.pdf.
(4) Risk Management in the Oil and Gas Industry. https://energy.mit.edu/news/risk-management-in-the-oil-and-gas-industry/.
(5) ADVANCED SAFETY METHODOLOGY FOR RISK MANAGEMENT OF PETROLEUM REFINERY …. https://researchonline.ljmu.ac.uk/7984/1/2017Isholaphd.pdf.