Failure Mode and Effects Analysis (FMEA) and Program evaluation and Review Technique (PERT): The Most

Commonly Used Technique for Analysing Risk

Abstract A failure modes and effects analysis (FMEA) is a procedure in product development, systems engineering and operations management for analysis of potential failure modes within a system for classification by the severity and likelihood of the failures. A successful FMEA activity helps a team to identify potential failure modes based on past experience with similar products or processes, enabling the team to design those failures out of the system with the minimum of effort and resource expenditure, thereby reducing development time and costs. Because it forces a review of functions and functional requirements, it also serves as a form of design review. It is widely used in manufacturing industries in various phases of the product life cycle and is now increasingly finding use in the service industry. Failure modes are any errors or defects in a process, design, or item, especially those that affect the intended function of the product and or process, and can be potential or actual. Effects analysis refers to studying the consequences of those failures. The Program (or Project) Evaluation and Review Technique, commonly abbreviated PERT, is a statistical tool, used in project management, that is designed to analyze and represent the tasks involved in completing a given project. First developed by the United States Navy in the 1950s, it is commonly used in conjunction with the critical path method or CPM. Keywords: Failure Modes and Effects Analysis, Reliability, Functional, Risk Priority Number

ORIGINS OF FAILURE MODES AND EFFECTS ANALYSIS (FMEA) Procedures for conducting FMEA were described in US Armed Forces Military Procedures document MIL-P-1629 (1949; revised in 1980 as MILSTD-1629A).By the early 1960s, contractors for the U.S. National Aeronautics and Space Administration (NASA) were using variations of FMECA or FMEA under a variety of names. NASA programs using FMEA variants included Apollo, Viking, Voyager, Magellan, Galileo, and Skylab. The civil aviation industry was an early adopter of FMEA, with the Society for Automotive Engineers publishing ARP926 in 1967. During the 1970s, use of FMEA and related techniques spread to other industries. In 1971 NASA prepared a report for the U.S. Geological Survey recommending the use of FMEA in assessment of offshore petroleum exploration. FMEA as application for HACCP on the Apollo Space Program moved into the food industry in general. In the late 1970s the Ford Motor Company introduced FMEA to the automotive industry for safety and regulatory consideration after the Pinto affair. They applied the same approach to processes (PFMEA) to consider potential process induced failures prior to launching production. Although initially developed by the military, FMEA methodology is now extensively used in a variety of industries including semiconductor processing, food service, plastics, software, and healthcare. It is integrated into the Automotive Industry Action Group's (AIAG) Advanced Product Quality Planning (APQP) process to provide risk mitigation, in both product and process development phases. Each potential cause must be considered for its effect on the product or process and, based on the risk, actions are determined and risks revisited after actions are complete. Toyota has taken this one step further with its Design Review Based on Failure Mode (DRBFM) approach. The method is now supported by the American Society for Quality which provides detailed guides on applying the method. Implementation Failure Mode and Effects Analysis (FMEA) In FMEA, failures are prioritized according to how serious their consequences are, how frequently they occur and how easily they can be detected. An FMEA also documents current knowledge and actions about the risks of failures for use in continuous improvement. FMEA is used during the design stage with an aim to avoid future failures (sometimes called DFMEA in that case). Later it is used for process control, before and during

ongoing operation of the process. Ideally, FMEA begins during the earliest conceptual stages of design and continues throughout the life of the product or service. The outcomes of an FMEA development are actions to prevent or reduce the severity or likelihood of failures, starting with the highest-priority ones. It may be used to evaluate risk management priorities for mitigating known threat vulnerabilities. FMEA helps select remedial actions that reduce cumulative impacts of life-cycle consequences (risks) from a systems failure (fault). It is used in many formal quality systems such as QS-9000 or ISO/TS 16949, and AS9100. FMEA is intended to provide an analytical approach to reviewing potential failure modes and their associated causes. FMEA is a recognised tool to help to assess which risks have the greatest concern, and therefore which risks to address in order to prevent problems before they arise. The development of these specifications helps to ensure the product will meet the defined requirements and customer needs. The pre-work The process for conducting an FMEA is typically developed in three main phases, in which appropriate actions need to be defined. Before starting with an FMEA, several other techniques are frequently employed to ensure that robustness and history are included in the analysis. A robustness analysis can be obtained from interface matrices, boundary diagrams, and parameter diagrams. Failures are often found from external 'noise factors' and from shared interfaces with other parts and/or systems. Typically, a description of the system and its function is developed, considering both intentional and unintentional uses. A block diagram of the system is often created for inclusion with the FMEA, giving an overview of the major components or process steps and how they are related. These are called logical relations around which the FMEA can be developed. Step of FMEA Step 1: Occurrence In this step it is necessary to look at the cause of a failure mode and the number of times it occurs. This can be done by looking at similar products or processes and the failure modes that have been documented for them in the past. A failure cause is looked upon as a design weakness. All the potential causes for a failure mode should be identified and documented. Again this should be in technical terms.

Rating 1 2/3 4/5/6 7/8 9/10

Meaning No known occurrences on similar products or processes Low (relatively few failures) Moderate (occasional failures) High (repeated failures) Very high (failure is almost inevitable)

Step 2: Severity Determine all failure modes based on the functional requirements and their effects. Examples of failure modes are: Electrical short-circuiting, corrosion or deformation. A failure mode in one component can lead to a failure mode in another component, therefore each failure mode should be

listed in technical terms and for function. Hereafter the ultimate effect of each failure mode needs to be considered. A failure effect is defined as the result of a failure mode on the function of the system as perceived by the user. In this way it is convenient to write these effects down in terms of what the user might see or experience. Examples of failure effects are: degraded performance, noise or even injury to a user. Each effect is given a severity number (S) from 1 (no danger) to 10 (critical). These numbers help an engineer to prioritize the failure modes and their effects. If the sensitivity of an effect has a number 9 or 10, actions are considered to change the design by eliminating the failure mode, if possible, or protecting the user from the effect. A severity rating of 9 or 10 is generally reserved for those effects which would cause injury to a user or otherwise result in litigation. Rating 1 2 3 4/5/6 7/8 9/10 Very high and hazardous (product becomes inoperative; customers angered; the failure may result unsafe operation and possible injury) Step 3: Detection When appropriate actions are determined, it is necessary to test their efficiency. In addition, design verification is needed. The proper inspection methods need to be chosen. First, an engineer should look at the current controls of the system, that prevent failure modes from occurring or which detect the failure before it reaches the customer. Hereafter one should identify testing, analysis, monitoring and other techniques that can be or have been used on similar systems to detect failures. From these controls an engineer can learn how likely it is for a failure to be identified or detected. Each combination from the previous 2 steps receives a detection number (D). This ranks the ability of planned tests and inspections to remove defects or detect failure modes in time. The assigned detection number measures the risk that the failure will escape detection. A high detection number indicates that the chances are high that the failure will escape detection, or in other words, that the chances of detection are low. Rating 1 2 3 4/5/6 7/8 9/10 Meaning Certain - fault will be caught on test Almost Certain High Moderate Low Fault will be passed to customer undetected Meaning No effect Very minor (only noticed by discriminating customers) Minor (affects very little of the system, noticed by average customer) Moderate (most customers are annoyed) 7/8 High (causes a loss of primary function; customers are dissatisfied) High (causes a loss of primary function; customers are dissatisfied)

After these three basic steps, risk priority numbers (RPN) are calculated Risk priority number (RPN) RPN play an important part in the choice of an action against failure modes. They are threshold values in the evaluation of these actions. After ranking the severity, occurrence and detectability the RPN can be easily calculated by multiplying these three numbers: RPN = S O D This has to be done for the entire process and/or design. Once this is done it is easy to determine the areas of greatest concern. The failure modes that have the highest RPN should be given the highest priority for corrective action. This means it is not always the failure modes with the highest severity numbers that should be treated first. There could be less severe failures, but which occur more often and are less detectable. After these values are allocated, recommended actions with targets, responsibility and dates of implementation are noted. These actions can include specific inspection, testing or quality procedures, redesign (such as selection of new components), adding more redundancy and limiting

environmental stresses or operating range. Once the actions have been implemented in the design/process, the new RPN should be checked, to confirm the improvements. These tests are often put in graphs, for easy visualization. Whenever a design or a process changes, an FMEA should be updated. Timing of FMEA The FMEA should be updated whenever:

A new cycle begins (new product/process) Changes are made to the operating conditions A change is made in the design New regulations are instituted Customer feedback indicates a problem

Uses of FMEA

Development of system requirements that minimize the likelihood of failures. Development of methods to design and test systems to ensure that the failures have been eliminated. Evaluation of the requirements of the customer to ensure that those do not give rise to potential failures. Identification of certain design characteristics that contribute to failures, and minimize or eliminate those effects. Tracking and managing potential risks in the design. This helps avoid the same failures in future projects. Ensuring that any failure that could occur will not injure the customer or seriously impact a system. To produce world class quality products

Advantages

Improve the quality, reliability and safety of a product/process Improve company image and competitiveness Increase user satisfaction Reduce system development timing and cost Collect information to reduce future failures, capture engineering knowledge Reduce the potential for warranty concerns Early identification and elimination of potential failure modes Emphasize problem prevention Minimize late changes and associated cost Catalyst for teamwork and idea exchange between functions Reduce the possibility of same kind of failure in future Reduce impact of profit margin company Reduce possible scrap in production

Limitations Since FMEA is effectively dependent on the members of the committee which examines product failures, it is limited by their experience of previous failures. If a failure mode cannot be identified, then external help is needed from consultants who are aware of the many different types of product failure. FMEA is thus part of a larger system of quality control, where documentation is vital to implementation. General texts and detailed publications are available in forensic engineering and failure analysis. It is a general requirement of many specific national and international standards that FMEA is used in evaluating product integrity. If used as a top-down tool, FMEA may only identify major failure modes in a system. Fault tree analysis (FTA) is better suited for "top-down" analysis. When used as a "bottom-up" tool FMEA can augment or complement FTA and identify many more causes and failure modes resulting in top-level symptoms. It is not able to discover complex failure modes involving multiple failures within a subsystem, or to report expected failure intervals of particular failure modes up to the upper level subsystem or system.

Additionally, the multiplication of the severity, occurrence and detection rankings may result in rank reversals, where a less serious failure mode receives a higher RPN than a more serious failure mode.[16] The reason for this is that the rankings are ordinal scale numbers, and multiplication is not defined for ordinal numbers. The ordinal rankings only say that one ranking is better or worse than another, but not by how much. For instance, a ranking of "2" may not be twice as severe as a ranking of "1," or an "8" may not be twice as severe as a "4," but multiplication treats them as though they are. See Level of measurement for further discussion. Types of FMEA

Process: analysis of manufacturing and assembly processes Design: analysis of products prior to production Concept: analysis of systems or subsystems in the early design concept stages Equipment: analysis of machinery and equipment design before purchase Service: analysis of service industry processes before they are released to impact the customer System: analysis of the global system functions Software: analysis of the software functions

INTRODUCTION The Risk Environment In todays competitive business environment, business entities are faced with greater uncertainties (risks and opportunities) as they strive to create value. And in the quake of the current global economic crisis, businesses in a bid to stay competitive have taken several crucial measures. Some businesses have cut-down on the number of staff tremendously to save cost in a bid to survive (one of such businesses is British Telecom; a Telecom giant which cut 15,000 jobs after making a 1.3bn loss1), some shut-down offices, branches, divisions, or plants within their business enterprise due to drastic reduction in the demand for their products/services (such is the case of Honda motors which shut-down its plant at Swindon for four months from February to May 20092), and the going burst of several businesses due to the inability to repay their debt (an example is Woolworths which closeddown, closing its 807 British outlets and leaving over 27,000 people unemployed3). These have led managers and investors in recent times to pay more attention to managing the risks inherent and emerging in their businesses. It is therefore of great importance for businesses to take advantage of making appropriate strategicdecisions on uncertain outcomes, as at worse it would cut-down losses due to disaster and at best,
5

improve profitability in cases of opportunities. Uncertainties present both risks and opportunities, with potential to erode or enhance value.4 The sources of uncertainties with adverse effects/outcomes (the probability of which is defined as risk) are described as due to the volatility/complexity/heterogeneity of risk; the impact of external events (such as customer preferences, competitors strategies, and so on), the response to external events /developments (such as compliance to policies/regulations/standards, development of strategies, and so on), and the behaviour of employees is as well crucial. Some of the risks covered in this research include capacity expansion risk, diversification, vertical integration, financial, marketing, and human resources. The 2009 Risk Management survey5 carried-out by the Aon Corporation presents its findings in four key components; Top ten risks, Overall risk preparedness, Business losses related to risk, and key business topics/functions. And the top ten risks are published as follows: 1. Economic slowdown 2. Regulatory/legislative changes 3. Business interruption 4. Increasing competition (new addition to top ten since 2007 report) 5. Commodity price risk (new addition to top ten since 2007 report) 6. Damage to reputation 7. Cash flow/liquidity risk 8. Distribution or supply chain failure (new addition to top ten since 2007 report) 9. Third party liability

Failure to attract or retain top talent The Relevance: A Need for Enterprise Risk Management The recession has forced businesses to place more focus on the management of risks relating to all aspects of their businesses. Such management is broadly defined as Enterprise Risk Management ERM, which describes the set of activities that businesses undertake to deal with all the diverse risks that face it in a holistic/strategic/integrated method. These risks include financial, strategic,
6

operational, hazardous, and compliance risks, spanning through the organization. Many of such risks have significant impact on the profitability, effectiveness, and reputation of business enterprises. In the 21st century, there are several checkpoints that have considerably driven the need for enterprise risk management, which today is referred to as drivers of ERM, this includes increase in the following6: Greater transparency (Corporate Governance) Financial disclosures with more strict reporting and control requirement Security and technology issues Business continuity and disaster preparedness Focus from rating agencies Regulatory compliance (laws and regulations) Globalization in a continuously competitive environment The what ERM provides for Businesses (the benefits) has been highlighted in many publications, but as any critic (manger) would say, this is not enough; anyone could lay claims that lofty. The how this is achieved is what these critics are interested in knowing now that it has caught their attention. They need very good reasons, why they should apply such a process looking at its associated cost and effect on the bottom-line of their businesses. The how is what links the process of ERM to the benefits it is said to give. This explanation may very well be the incentive that businesses (management) need to implement the ERM process towards realizing, with reasonable assurance, their strategic objects. UNDERSTANDING ENTERPRISE RISK MANAGEMENT The Concept of Risk Management Lets start by understanding the simple concept of risk and progress gradually towards managing enterprise risks. The renowned father of modern management, Peter Drucker is quoted to have said, and I quote, a decision that does not involve risk, probably is not a decision7. Thomas Stewart says; Risk lets get this straight up front is good. The point of risk management isnt to eliminate it; that would eliminate reward. The point is to manage it that is, to choose where to place bets, and
7

where to avoid betting altogether8. We see the same school of thought in the words of Dan Borge, former director of Bankers Trust; Many people think that the goal of risk management is to eliminate risk to be as cautious as possible, not so. The goal of risk management is to achieve the best possible balance of opportunity and risk. Sometimes, achieving this balance means exposing yourself to new risks in order to take advantage of attractive opportunities.9. Again, Peter Drucker makes it clear what an attempt to eliminate risk completely would lead to; A business has to minimize risk. But if its behaviour is governed by the attempt to escape risk, it will end up taking the greatest and least rational risk of all: the risk of doing nothing.10. Dr Vedpuriswar adds that risk can neither be avoided nor eliminated completely11. The theme of risk management is clearly highlighted as the minimization of risk in a bid to keep it within controllable limits, as well as the acceptance of risk in other to gain reward the definition of a risk appetite. Uncertainty in business and life in general is said to exist due to the futuristic nature of outcomes. The outcomes of business operations are to be reached at sometime in the future after the tasks have been performed. G. Monahan agrees to this in his work stating that businesses face risk due to the uncertainty of possible outcomes of the actions taken in the course of doing their business12. And even in situation where a high level of certainty exists towards the achievement of positive outcomes, a sudden disastrous event may occur to change this fate. Barton T. L. et. al. sheds light on the risk debacles which the business community has witnessed that have resulted in considerable decrease in shareholder value, financial loss, damage of company reputation, so on13. They point out that such events may include environmental disaster, mergers destroying shareholder value, organisations trading in complex derivative instruments without the understanding of the risks involved, traders lacking oversight and have inadequate controls for the enormous risks they assume, etcetera, while placing emphasis on the attention and handling of such risks. G. Monahan argues on the notion that risk is the same as uncertainty, by defining risk as anything
8

that produces a distribution of various probabilities for various outcomes14. COSO on the other hand, defines uncertainty as that which presents both risk and opportunities, with potentials to erode or enhance value. Risk is the possibility that the occurrence of an event will adversely affect the achievement of objectives, and opportunity is the possibility that an event will occur and positively affect the achievement of objective. The author has adopted the COSO definitions in this paper.15 What is Enterprise Risk? Currently, the need for corporate governance, internal control (as well as the compliance to rules and regulations) and risk management have been of critical concern to businesses as experts call for the integration of all three with a single management approach referred to as the integrated GRC.16 However, the solution came as Enterprise Risk Management, as it emphasizes on all three aspects within its process of application. Experts point at the recent financial crisis and the related economic downturn, and the failure of risk management to help the situation as further backing for the reevaluation of the discipline for a change to a more co-ordinated (wider scoped) risk management approach that recognizes the interdependencies of risks17. Again, Enterprise Risk Management is described as the solution to this challenge. Enterprise risk is the aggregate of all functional and process risks a business entity faces in the course of carrying out its business activities. Such risks would include the types described by Casualty Actuarial Society18 listed below: 1. Hazard risk 2. Financial risk 3. Operational risk 4. Strategic risk Enterprise Risk Management (ERM) approach is a first attempt to recognize the interdependencies among risks and the treatment of risks across all business operations. 16 About Enterprise Risk Management (ERM) The holistic approach that characterizes the present trend of risk management, referred to in some
9

text as enterprise-wide risk management, enterprise risk management (ERM), strategic risk management, or integrated risk management, is aimed at dealing with uncertainty for the organisation.19 The rationale behind this approach is that value is maximized when the decision-makers sets strategy and objectives to strike an optimal balance between growth and return goals, and the related risks, and efficiently and effectively allocate resources in pursuit of the entitys objectives.20 Barton et. al. stated that the goal of this new approach is to create, protect, and enhance shareholder value by managing uncertainties that could influence the achievement of organisational objectives.21 Enterprise Risk Management is clearly distinguished from risk management and financial risk management in the RIMS Executive Report, 2009. While risk management is described as a broad term for the business discipline that is concerned with the protection of the assets and profits of an organisation by either reducing the potential before it occurs, mitigating the impact of a loss if it occurs, and the execution of a swift recovery after a loss occurs; Financial risk management is the term often used by non-financial institution to describe the mitigation process for their financial exposure; Enterprise Risk Management on the other hand, is said to represent a revolutionary change in the risk management discipline that broadens the scope of risk management behaviours.22 By definition and contrast, ERM is seen as the new paradigm in risk management; while the old paradigm in characterized by avoiding losses within a limited scope, separated by function, and terminates at the end of the task (or project), this new approach covers all risks, both internal and external, integrates and views all risks from a board, creating awareness organisation-wide, with the goal of creating, protecting, and enhancing shareholder value by mitigating risks and seizing opportunities in a continuous process.
10

The authorities and expert of this emerging discipline have defined ERM in a number of ways that depicts their perception and the way they practice it. The CAS committee definition is stated below: ERM is the discipline, by which an organisation in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organisations short and long term value to its stakeholders23. The committee places emphasis on the following five parts of the definition: 1. ERM is a discipline 2. ERM applies to all industry 3. ERM exploits (value creating) as well as mitigate (manage) risk. 4. ERM consider all sources of risks 5. ERM consider all stakeholders of the enterprise The COSO committee describes ERM as one that deals with risk and opportunities, and defines ERM as follows: Enterprise risk management is a process, affected by an entitys board of directors and other personal, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.24 As before, the COSO committee also breaks the definition in to simple bits, it seems to be the most elaborate definition of the concept; 1. ERM is a process; it is ongoing and following through an entity. 2. ERM is affected by people at every level of an organization. 3. ERM is applied in strategy setting. ERM is applied across the enterprise, at every level and every unit, and includes entity-level portfolio view of risk. 5. ERM is designed to identify potential events that, in the event of their occurrence, will affect the entity and to manage the risk within its risk appetite. 6. ERM is able to provide reasonable assurance to the management and board of directors of an entity. 7. ERM is general towards the achievement of objectives in one or more separate but overlapping categories. Managing Enterprise Risks
11

According to Lexicon Systems, LLC, this new, strategic imperative has grown momentum, and in a single paragraph summarizes the activities of ERM which will take organisations years and years to accomplish, stating that: organisation can support ERM solutions when they reach a certain level of business and information maturity. When this occurs, they establish a risk culture and then gather risk intelligence. The adoption of a process focused on GRC as against the siloed issue-by-issue style follow. In addition to these, they suggest that the organisations establish a risk and compliance architecture that considers the business processes, the people and the information technology. And finally, the organisation commits and trains the members consistently on corporate policies and procedures.25 The CAS committee states that this involves continual scanning of the risk environment and evaluating the performance of the risk management strategies, and the feedback into the contextsetting step of the process and the cycle repeats again and again, continuously.26 The ERM process in a generic sense is a reiterative process in which certain sequential activities are carried out starting with establishing a context, and then identifying events, analyzing and quantifying risks, integrating risks, assessing and prioritizing risks, and finally treating risks/exploiting opportunities. The monitoring and reviewing activities are continuous and concurrent with these other activities. What is a Framework? By definition a framework serves as a guide, an outline or overview of interlinked items (activities) to facilitate an approach towards achieving a specific goal. In this context, a framework would aid the implementation of ERM. It does so by aiding to organize and structure an approach that can both be measured and repeated. A risk management framework is described as an organisational specific set of functional activities and the associated definitions that define the risk management system in an organisation and also the relationship to the risk management organisational system.
12

The Enterprise Risk Management Framework The 2008 ERM Benchmarking Survey conducted by the Institute of Internal Auditors (IIAs) and IIA Research Foundations Global Audit Information Network revealed in 2009 that the COSOs Enterprise Risk Management Integrated Framework is the most commonly used framework to guide risk management efforts. In the perspective of experts, the only rival to this is the revised ISO 31000 standards published in late 2009. In managing risks, these ERM frameworks must identify and analyze it, and then take one of the following actions28: Avoidance of risk by aborting actions that contributes to risk Reduction of risk by reducing the likelihood or impact of risk Share or insure risk by transferring or sharing a portion of the risk (impact) And Acceptance of risk by taking no action as a result of a cost/benefit decision Some other ERM frameworks/standards include: Association (FERMA) ISO 31000 British Standard AIRMIC Risk and Insurance Management Society (RIMS) Risk Maturity Model FAA Safety Risk Management and so on. In this paper, the COSOs ERM integrated framework will be examined, as it deals with ERM applicable to all industries and encompassing all types of risks. The Enterprise Risk Management Integrated Framework is a framework developed by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) to meet the requirements of a robust framework that would effectively identify, assess and manage risk due to heightened concerns and focus on risk management. The aim was the development of a framework that would be readily usable by managements to evaluate and improve the Enterprise Risk Management of their organisations.29 The effectiveness and efficiency of the implementation of the COSO frameworks concepts and principles will mostly be affected by an entitys size, complexity, industry, culture, management style, and other attributes.30 The Committee discusses that because of the availability of an array of
13

approaches and choices, even similar organisations implement ERM differently. On pre-implementation, however, Jerry Micolism emphasizes on the need to develop a company-specific operation before diving in for a company-specific ERM program.31 In todays business world, the ultimate purpose of an ERM framework would be seen as the facilitation of the process to be described, automated, monitored and improved as part of the cycle of continuous innovation and responsiveness to the business dynamics. The Business Case for Implementing Enterprise Risk Management The society of architecture describes the drivers32 for this change and the development of the discipline of ERM to be due to: 1. Regulatory developments 2. Rating agency views 3. The COSO report 4. Basel 5. Economic capital 6. Conglomerates 7. Convergence of financial products, markets, globalization 8. Board attention due to publics demand for certain assurances The challenges/issues of the traditional risk management approach The major issue is the persistent contextual myopia in risk management, concentrated solely on hazard risk; risk management has been a disconnected function, risks do not always fit into categories quite neatly. An example would be business interruption at a plant, this has finance, marketing, and reputational implications beyond the effects on production and also, the applicability of the property insurance policy. The growing recognition that co-ordinating and financing all facets of organisational risk effectively, is critical for the maximization of success.33 Scholars have observed that it cost much more to manage risk individually. The challenge of having a focus on narrow concerns, a fragmented approach toward risk management has its solution in the understanding of the wider scope of risks being faced.34 Establishing, maintaining, and implementing a new approach35 having: An organisation-wide awareness of risk management The channels for communication of risks The methods, tools and practices for managing risk The ways to measure operational and financial risk The organisational risk map
14

The risk financing mechanisms The measurements of risk management effectiveness

15