TABLE OF CONTENT
1.2.1 Risk Management
1.4 Principles Of Risk Management
1.6 Establishing The Context
1.9.1 Composite Risk Index = Impact Of Risk Event X Probability Of Occurrence
1.9.2 Risk Options
1.9.3 Potential Risk Treatments
1.9.4 Risk Avoidance
1.9.5 Hazard Prevention
1.9.6 Risk Reduction
1.9.7 Risk Sharing
1.9.8 Risk Retention
1.10 Create A Risk Management Plan
1.10.2 Review And Evaluation Of The Plan
1.11 Areas Of Risk Management
1.11.1 Enterprise Risk Management
1.11.2 Risk Management Activities As Applied To Project Management
1.11.2 Risk Management For Megaprojects
1.11.3 Risk Management Regarding Natural Disasters
1.11.4 Risk Management Of Information Technology
1.11.5 Risk Management Techniques In Petroleum And Natural Gas
1.11.6 Positive Risk Management
1.11 7 Risk Management And Business Continuity
1.12 Risk Communication
1.12.1 Seven Cardinal Rules For The Practice Of Risk Communication
Chapter Two Environmental Risk Assessment
2.1 Environmental Risk
2.2 The Need For Risk Assessment
2.3 How To Make Risk Assessment Tractable And Feasible
2.4 Judgment, Normative Values, And Policy Choices Are Unavoidable
2.5 Limits Of Risk Assessment
3.1 Environmental Law
3.2 Laws And Regulations On The Environment In Nigeria
3.3 Constitution Of The Federal Republic Of Nigeria (1999) “Not Amended”
Chapter Four Environmental Regulations in Nigeria
4.1 National Environmental Standards And Regulation Enforcement Agency (NESRA) Act 2007
4.2 Environmental Impact Assessment (EIA) Act. CAP E12, LFN2004.
4.3 The Nigerian Urban And Regional Planning Act CAP N138, LFN 2004
4.4 Land Use Act CAP 202, LFN 2004
4.5 Harmful Waste (Special Criminal Provisions) Act CAP H1, LFN 2004
4.6 The Endangered Species Act, CAPE9, LFN 2004.
4.7 Sea Fisheries Act, CAP S4, LFN2004.
4.8 Inland Fisheries Act, CAP I10, LFN 2004.
4.9 Territorial Waters Act, CAP T5, LFN 2004
4.10 Nuclear Safety And Radiation Protection Act, CAP N142, LFN 2004
Chapter Five Service And Production Regulations
5.1 Petroleum Drilling And Production Regulations
5.2 Oil Pipelines Act, CAP07, LFN 2004
5.3 Oil Pipelines Regulations
5.4 Petroleum Act, CAPP10, LFN 2004
5.5 Petroleum Refining Regulation
5.6 Mineral Oil Safety Regulations And Crude Oil Transportation And Shipment Regulations.
5.7 Petroleum Products And Distribution Act CAP P12, LFN 2004
5.8 Hydrocarbon Oil Refineries Act, Cap H5, LFN 2004
5.9 Oil In Navigable Waters Act, CAP 06, LFN 2004
5.10 Associated Gas ReInjection Act, CAP 20, And LFN 2004
5.11 Civil Aviation Act. CAP C13, LLN 2004
5.12 Factories Act, CAP F1, LFN 2004
5.13 Hides And Skins Act, CAP H3, And LFN 2004
5.14 Water Resources Act, CAP W2, LFN 2004
5.15 River Basins Development Authority Act, CAP R9, LFN 2004
5.16 Pest Control Production (Special Powers) Act, CAP P9, LFN 2004
5.17 Agriculture (Control Of Importation) Act, CAP A93, LFN 2004
5.18 Animal Diseases (Control) Act, CAP A17, LFN 2004
5.19 Bees (Import Control And Management) Act, CAP B6, LFN 2004
5.21 Environmental Pollution Control Law
5.22 Quarantine Act, Cap Q2, LFN 2004
5.23 The Federal National Parks Act, CAP N65, LFN 2004
5.24 NigerDelta Development Commission (NDDC) Act, CAP N68, LFN 2004
5.25 Criminal Code
In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss (or impact) and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process of assessing overall risk can be difficult, and balancing resources used to mitigate between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled. Intangible risk management identifies a new type of a risk that has a 100% probability of occurring but is ignored by Government or organization due to a lack of identification ability. In Nigeria, some time, this is what is obtainable in the social and physical environment. In view of the above fact, environmental laws have been put in place to regulate every activity on the environment to manage the risk involved in these process and stage of development in other to avoid an impending or a looming catastrophe. According to the International Network for Environmental Compliance and Enforcement (INECE), the major environmental issues in Nigeria are “drought and flooding, air pollution, deforestation, loss of biodiversity, freshwater availability, degradation of soil and vegetation, and widespread poverty.” Government and other organizations hope to provide protection and mitigation regarding pollution and other disasters before their impacts contaminate the African environment as well as the global environment. Therefore chronicled in this write up, is the appraisal of the role of Environmental Law in risk management.
The mission of Federal Ministry of Environment and NESRA as its parestetal is to protect human health and to safeguard the natural environment.viz: air, water, and land-upon which life depends. EPA fulfills this mission by, among other things, developing and enforcing regulations that implement environmental laws enacted by law-making bodies. Inferred is the fact that successful environmental problem-solving must encompass not only "what must be done" (setting a standard or risk management objective), but equally "how it shall be accomplished" (implementation and enforcement). Determining environmental standards, policies, guidelines, regulations, and actions requires making decisions considering this full spectrum. The quality of any decision and resulting action "determines how well environmental programs actually work and the extent to which they achieve health and environmental goals. There are numerous factors which impact the quality and success of any decision or action, and many of these are competing or contradictory forces, such as: Determining environmental standards, policies, guidelines, regulations, and actions requires making decisions which are often contentious. Setting an environmental standard that is too lax may threaten public health or the environment, while a standard that is unnecessarily stringent may impose a significant marginal economic cost for small marginal gain. Environmental decisions are often time-sensitive, for example when public health is known or suspected to be at risk. The decisions must frequently be made with incomplete or imperfect information and many times under the additional pressure of heightened public scrutiny and concern. And, once made, the decisions are often challenged in court and subject to high levels of public and scientific scrutiny.
As a result, such contentious decisions must be based on the current state of knowledge-certainty is not required, and appropriate means must be used. Rational support for answers to key questions and an estimate of confidence in the decision must be provided.
There are often conflicting interests bearing on environmental decisions, and as a result, it is well recognized that it is important (and in some cases even mandated) to consider a broad range of factors when making decisions about risk management.
Risk is an inherent consequence of life that is not possible to altogether avoid or eliminate. Risk is a very elusive and often contentious concept, but in general, it is a concept that denotes a potential negative impact or outcome that may arise from some present or future process. The definitions of risk depend on specific contexts or applications, and there are multiple dimensions to risk, ranging from the tangible and quantitative to the psychological and emotional. 1) Outcome, 2) likelihood, and 3) severity. Most importantly, risk is the complete range of possible outcomes, their severity, and their likelihood, and not just the actual outcomes which have occurred or will actually occur.
Another critical dimension of risk is uncertainty-the fact that outcomes are uncertain makes them risk, and unavoidable. These concepts are illustrated in the following quote:
‘Reports that say that something hasn't happened are always interesting to me, because as we know, there are known; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns-the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult ones.’
1.2.1 RISK MANAGEMENT
This is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities. Risks can come from uncertainty in financial markets, project failures (at any phase in design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attack from an adversary, or events of uncertain or unpredictable root-cause. Several risk management standards have been developed including the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO standards. Methods, definitions and goals vary widely according to whether the risk management method is in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.
The strategies to manage risk typically include transferring the risk to another party, avoiding the risk, reducing the negative effect or probability of the risk, or even accepting some or all of the potential or actual consequences of a particular risk. Certain aspects of many of the risk management standards have come under criticism for having no measurable improvement on risk, whether the confidence in estimates and decisions seem to increase.
A widely used vocabulary for risk management is defined by ISO Guide 73, "Risk management. Vocabulary." In ideal risk management, a prioritization process is followed whereby the risks with the greatest loss (or impact) and the greatest probability of occurring are handled first, and risks with lower probability of occurrence and lower loss are handled in descending order. In practice the process of assessing overall risk can be difficult, and balancing resources used to mitigate between risks with a high probability of occurrence but lower loss versus a risk with high loss but lower probability of occurrence can often be mishandled.
Intangible risk management identifies a new type of a risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability. For example, when deficient knowledge is applied to a situation, a knowledge risk materializes. Relationship risk appears when ineffective collaboration occurs. Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers, decrease cost effectiveness, profitability, service, quality, reputation, brand value, and earnings quality. Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity.
Risk management also faces difficulties in allocating resources. This is the idea of opportunity cost. Resources spent on risk management could have been spent on more profitable activities. Again, ideal risk management minimizes spending (or manpower or other resources) and also minimizes the negative effects of risks.
For the most part, these methods consist of the following elements, performed, more or less, in the following order.
1. Identify, characterize threats
2. Assess the vulnerability of critical assets to specific threats
3. Determine the risk (i.e. the expected likelihood and consequences of specific types of attacks on specific assets)
4. Identify ways to reduce those risks
5. Prioritize risk reduction measures based on a strategy
1.4 PRINCIPLES OF RISK MANAGEMENT
The International Organization for Standardization (ISO) identifies the following principles of risk management:
Risk management should:
- Create value – resources expended to mitigate risk should be less than the consequence of inaction, or (as in value engineering), the gain should exceed the pain
- Be an integral part of organizational processes
- Be part of decision making process
- Explicitly address uncertainty and assumptions
- Be systematic and structured
- Be based on the best available information
- Be tailor able
- Take human factors into account
- Te transparent and inclusive
- Be dynamic, iterative and responsive to change
- Be capable of continual improvement and enhancement
- Be continually or periodically re-assessed
According to the standard ISO 31000 "Risk management – Principles and guidelines on implementation," the process of risk management consists of several steps as follows:
1.6 ESTABLISHING THE CONTEXT
1. Identification of risk in a selected domain of interest.
2. Planning the remainder of the process.
3. Mapping out the following:
- The social scope of risk management.
- The identity and objectives of stakeholders.
- The basis upon which risks will be evaluated, constraints.
4. Defining a framework for the activity and an agenda for identification.
5. Developing an analysis of risks involved in the process.
6. Mitigation or solution of risks using available technological, human and organizational resources.
After establishing the context, the next step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, cause problems. Hence, risk identification can start with the source of problems, or with the problem itself.
- Source analysis. Risk sources may be internal or external to the system that is the target of risk management.
Examples of risk sources are: stakeholders of a project, employees of a company or the weather over an airport.
- Problem analysis. Risks are related to identified threats. For example: the threat of losing money, the threat of abuse of confidential information or the threat of human errors, accidents and casualties. The threats may exist with various entities, most important with shareholders, customers and legislative bodies such as the government.
When either source or problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated. For example: stakeholders withdrawing during a project may endanger funding of the project; confidential information may be stolen by employees even within a closed network; lightning striking an aircraft during takeoff may make all people on board immediate casualties.
The chosen method of identifying risks may depend on culture, industry practice and compliance. The identification methods are formed by templates or the development of templates for identifying source, problem or event. Common risk identification methods are:
- Objectives-based risk identification Organizations and project teams have objectives. Any event that may endanger achieving an objective partly or completely is identified as risk.
- Scenario-based risk identification - In scenario analysis different scenarios are created. The scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for example, a market or battle. Any event that triggers an undesired scenario alternative is identified as risk – see Futures Studies for methodology used by Futurists.
- Taxonomy-based risk identification - The taxonomy in taxonomy-based risk identification is a breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a questionnaire is compiled. The answers to the questions reveal risks.
- Common-risk checking Empty citation (help) - In several industries, lists with known risks are available. Each risk in the list can be checked for application to a particular situation.
- Risk charting method combines the above approaches by listing resources at risk, threats to those resources, modifying factors which may increase or decrease the risk and consequences it is wished to avoid. Creating a matrix under these headings enables a variety of approaches. One can begin with resources and consider the threats they are exposed to and the consequences of each. Alternatively one can start with the threats and examine which resources they would affect, or one can begin with the consequences and determine which combination of threats and resources would be involved to bring them about.
Once risks have been identified, they must then be assessed as to their potential severity of impact (generally a negative impact, such as damage or loss) and to the probability of occurrence. These quantities can be either simple to measure, in the case of the value of a lost building, or impossible to know for sure in the case of the probability of an unlikely event occurring. Therefore, in the assessment process it is critical to make the best educated decisions in order to properly prioritize the implementation of the risk management plan.
Even a short-term positive improvement can have long-term negative impacts. Take the "turnpike" example. A highway is widened to allow more traffic. More traffic capacity leads to greater development in the areas surrounding the improved traffic capacity. Over time, traffic thereby increases to fill available capacity. Turnpikes thereby need to be expanded in a seemingly endless cycles. There are many other engineering examples where expanded capacity (to do any function) is soon filled by increased demand. Since expansion comes at a cost, the resulting growth could become unsustainable without forecasting and management.
The fundamental difficulty in risk assessment is determining the rate of occurrence since statistical information is not available on all kinds of past incidents. Furthermore, evaluating the severity of the consequences (impact) is often quite difficult for intangible assets. Asset valuation is another question that needs to be addressed. Thus, best educated opinions and available statistics are the primary sources of information. Nevertheless, risk assessment should produce such information for the management of the organization that the primary risks are easy to understand and that the risk management decisions may be prioritized. Thus, there have been several theories and attempts to quantify risks. Numerous different risk formulae exist, but perhaps the most widely accepted formula for risk quantification is.
Rate (or probability) of occurrence multiplied by the impact of the event equals risk magnitude
1.9 COMPOSITE RISK INDEX
The above formula can also be re-written in terms of a Composite Risk Index, as follows:
1.9.1 COMPOSITE RISK INDEX = IMPACT OF RISK EVENT X PROBABILITY OF OCCURRENCE
The impact of the risk event is commonly assessed on a scale of 1 to 5, where 1 and 5 represent the minimum and maximum possible impact of an occurrence of a risk (usually in terms of financial losses). However, the 1 to 5 scale can be arbitrary and need not be on a linear scale.
The probability of occurrence is likewise commonly assessed on a scale from 1 to 5, where 1 represents a very low probability of the risk event actually occurring while 5 represents a very high probability of occurrence. This axis may be expressed in either mathematical terms (event occurs once a year, once in ten years, once in 100 years etc.) or may be expressed in "Plain English" – event has occurred here very often; event has been known to occur here; event has been known to occur in the industry etc.). Again, the 1 to 5 scale can be arbitrary or non-linear depending on decisions by subject-matter experts.
The Composite Index thus can take values ranging (typically) from 1 through 25, and this range is usually arbitrarily divided into three sub-ranges. The overall risk assessment is then Low, Medium or High, depending on the sub-range containing the calculated value of the Composite Index. For instance, the three sub-ranges could be defined as 1 to 8, 9 to 16 and 17 to 25.
Note that the probability of risk occurrence is difficult to estimate, since the past data on frequencies are not readily available, as mentioned above. After all, probability does not imply certainty.
Likewise, the impact of the risk is not easy to estimate since it is often difficult to estimate the potential loss in the event of risk occurrence.
Further, both the above factors can change in magnitude depending on the adequacy of risk avoidance and prevention measures taken and due to changes in the external business environment. Hence it is absolutely necessary to periodically re-assess risks and intensify/relax mitigation measures, or as necessary. Changes in procedures, technology, schedules, budgets, market conditions, political environment, or other factors typically require re-assessment of risks.
1.9.2 RISK OPTIONS
Risk mitigation measures are usually formulated according to one or more of the following major risk options, which are:
1. Design a new business process with adequate built-in risk control and containment measures from the start.
2. Periodically re-assess risks that are accepted in ongoing processes as a normal feature of business operations and modify mitigation measures.
3. Transfer risks to an external agency (e.g. an insurance company)
4. Avoid risks altogether (e.g. by closing down a particular high-risk business area)
Later researches shown that the financial benefits of risk management are less dependent on the formula used but are more dependent on the frequency and how risk assessment is performed.
In business it is imperative to be able to present the findings of risk assessments in financial, market, or schedule terms. Robert Courtney Jr. (IBM, 1970) proposed a formula for presenting risks in financial terms. The Courtney formula was accepted as the official risk analysis method for the US governmental agencies. The formula proposes calculation of ALE (annualised loss expectancy) and compares the expected loss value to the security control implementation costs (cost-benefit analysis).
1.9.3 POTENTIAL RISK TREATMENTS
Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories:
- Avoidance (eliminate, withdraw from or not become involved)
- Reduction (optimize – mitigate)
- Sharing (transfer – outsource or insure)
- Retention (accept and budget)
Ideal use of these strategies may not be possible. Some of them may involve trade-offs that are not acceptable to the organization or person making the risk management decisions. Another source, from the US Department of Defense, Defense Acquisition University, calls these categories ACAT, for Avoid, Control, Accept, or Transfer. This use of the ACAT acronym is reminiscent of another ACAT (for Acquisition Category) used in US Defense industry procurements, in which Risk Management figures prominently in decision making and planning.
1.9.4 RISK AVOIDANCE
This includes not performing an activity that could carry risk. An example would be not buying a property or business in order to not take on the legal liability that comes with it. Another would be not flying in order not to take the risk that the airplane were to be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits. Increasing risk regulation in hospitals has led to avoidance of treating higher risk conditions, in favour of patients presenting with lower risk.
1.9.5 HAZARD PREVENTION
Hazard prevention refers to the prevention of risks in an emergency. The first and most effective stage of hazard prevention is the elimination of hazards. If this takes too long, is too costly, or is otherwise impractical, the second stage is mitigation.
1.9.6 RISK REDUCTION
Risk reduction or "optimization" involves reducing the severity of the loss or the likelihood of the loss from occurring. For example, sprinklers are designed to put out a fire to reduce the risk of loss by fire. This method may cause a greater loss by water damage and therefore may not be suitable. Halon fire suppression systems may mitigate that risk, but the cost may be prohibitive as a strategy.
Acknowledging that risks can be positive or negative, optimizing risks means finding a balance between negative risk and the benefit of the operation or activity; and between risk reduction and effort applied. By an offshore drilling contractor effectively applying HSE Management in its organization, it can optimize risk to achieve levels of residual risk that are tolerable.
Modern software development methodologies reduce risk by developing and delivering software incrementally. Early methodologies suffered from the fact that they only delivered software in the final phase of development; any problems encountered in earlier phases meant costly rework and often jeopardized the whole project. By developing in iterations, software projects can limit effort wasted to a single iteration.
Outsourcing could be an example of risk reduction if the outsourcer can demonstrate higher capability at managing or reducing risks. For example, a company may outsource only its software development, the manufacturing of hard goods, or customer support needs to another company, while handling the business management itself. This way, the company can concentrate more on business development without having to worry as much about the manufacturing process, managing the development team, or finding a physical location for a call center.
 ISO/IEC Guide 73:2009. Risk management — Vocabulary . International Organization for Standardization. (2009) p.21
 David. H, Understanding and Managing Risk Attitude. (Gower Publishing: London, 30 March 2007). P67
 ISO Risk management Principles and guidelines on implementation , ISO Press, London: 2003; p8.
 H. Douglas, The Failure of Risk Management, John Wiley & Sons, London: 2009; p. 46.
 Crockford, N. An Introduction to Risk Management, 2 ed.( Cambridge, UK: Woodhead-Faulkner. 1986). p. 18.
 Dorfman, S. Introduction to Risk Management and Insurance, 9 ed.( Englewood Cliffs, N.J: Prentice Hall. 2007).p5