APPROVE

Director

"___" __________ 2011

Put into action:

Order No. ______ dated _______

Organization Standard

Environmental management system

STO OHSAS 23-2011

HAZARD IDENTIFICATION,

RISK ASSESSMENT AND DETERMINATION OF MANAGEMENT MEASURES

1. Appointment
2. Scope
4. Terms and definitions
5. Abbreviations
6. Responsibility
7. Description of the procedure
7.1 General
7.2 Procedure for hazard identification and risk assessment
8. Documentation
Annex 1 Form for accounting for hazardous and harmful production factors
Annex 2 Risk assessment methodology
Annex 3 Hazard Identification and Risk Assessment Form
Appendix 4 Significant Risk Register Form
Approval sheet …………………………………………………………..
Change registration sheet …………………………………………………

1 PURPOSE

This Organizational Standard establishes procedures for identifying health and safety hazards associated with the activities of the organization, assessing and analyzing risks, and managing them.

2 APPLICATION

The requirements of this Organizational Standard apply to all types of labor activity employees of the organization, as well as the activities of contractors, visitors and suppliers.

This organization standard is mandatory for use by all officials and structural divisions of the organization.

3 REGULATORY REFERENCES

This Organizational Standard uses references to the following documents:

(Give documents to which references are given in the text of your standard)

4 TERMS AND DEFINITIONS

This Organizational Standard uses terms with appropriate definitions:

Tolerable Risk - risk mitigated to a level that the organization can support, given its legal obligations and those of its own health and safety policy.

Significant risk is the risk that the organization is committed to managing.

Hazard identification The process of recognizing that a hazard exists and identifying its characteristics.

Danger - source or situation with potential harm in the form of injury or illness, property damage, damage to the environment surrounding the workplace, or a combination of both.

Risk assessment– general process determining the magnitude of the risk and deciding whether the risk is tolerable or not.

Risk– a combination of the likelihood and consequence(s) of the occurrence of a particular hazardous event.

risk management– reduction (maintenance at a certain level) of the risk value through various measures.

5 ABBREVIATIONS

The following abbreviations apply in this standard:

OHSS - Occupational Health and Safety Management System.

6 RESPONSIBILITY

6.1. Management representative (chief engineer):

Ensures the organization of work on the identification of hazards in the field of OSH of the enterprise, the assessment of risks associated with them and their management;

Approves the register of significant risks of the organization.

Provides methodological assistance to structural units for the identification of hazards and risk assessment;

Develops and updates the register of significant risks of the organization.

6.3. Leaders structural divisions:

Ensure the organization of work on the identification of hazards, risk assessment and management in their structural divisions;

Develop and update hazard identification and risk assessment maps.

7 DESCRIPTION OF THE PROCEDURE

7.1 General

7.1.1 Hazard identification A risk assessment is carried out to determine significant impacts. production activities organizations on the health of workers and safety at work.

7.1.2 Hazard identification, risk assessment and subsequent risk management activities are carried out in the organization as an ongoing process that determines the past, Current state and the potential impact of the organization's activities on worker health and safety.

7.1.3 Hazards are initially identified based on the results of a preliminary health and safety review.

The preliminary analysis considers:

Legislative and other requirements;

Results of the investigation of accidents, accidents and incidents.

7.1.4 When identifying hazards, direct and indirect hazards are identified.

Direct dangers are associated with:

the staff of the organization;

production equipment;

Materials and substances used in the production process;

Technological features of production processes;

The state of the production environment;

Unreliable means of protecting the worker;

A decrease in the level of safety of means of production due to their wear and tear during operation.

Indirect hazards are associated with:

Activities of contractors, suppliers;

Visitors.

7.2 PHazard Identification and Risk Assessment Procedure

7.2.1. In structural subdivisions, all work on hazard identification and risk assessment is organized by the heads of structural subdivisions.

7.2.2. Heads of structural divisions determine dangerous and harmful factors of production at the workplaces of the structural unit in accordance with annex 1 and submit the completed forms to the OSH manager for the organization to compile a list of hazards. The list of hazards is approved by a management representative.

Heads of structural divisions carry out:

Identification of hazards associated with the selected activity or process;

Assessing risks from identified hazards using a risk assessment methodology.

The risks are considered in the following situations:

Normal working conditions;

A normal conditions work (starting and stopping equipment, unintentional and possible (foreseeable) misuse of equipment, material, process, potentially emergency or emergency situations, etc.)

The risk assessment methodology is given in annex 2. Moderate and significant risks are categorized as significant.

Development of risk management measures, if the risk is significant, and re-assessment of it in order to determine the value of the residual risk.

If there are residual risks that are significant, special measures are required to manage such risks (inclusion of an activity or process in list of works with increased risk; performance of work on the side-admission; passing special training; strengthening control over the execution of work, etc.)

Significant risks are given special attention, since measures to manage (maintain at a certain level) such risks are taken into account when setting goals in the field of occupational health and safety and are included in the OH&S program.

Completion of hazard identification and risk assessment cards. The form of the hazard identification and risk assessment card is given in annex 3.

Hazard identification and risk assessment maps drawn up in structural units are transferred to the labor protection manager.

7.2.3. The labor protection manager, after analyzing the hazard identification maps and risk assessment, draws up a register of significant risks for the organization, which is approved by the management representative.

The form of the register of significant risks of the organization is given in Annex 4.

7.2.4. Based on the register of significant risks, the labor protection manager determines the activities that need to be included in the OH&S program.

7.2.5. Hazard identification and risk assessment cards are updated by the heads of structural units once at the end of the calendar year or as needed. Copies of updated hazard identification and risk assessment cards are transferred to the labor protection manager to update the register of significant risks of the organization.

7.2.6. The basis for the revision of hazard identification and risk assessment maps are:

Change in the composition of the organization's personnel;

Changes in legislation in the field of health and safety at work;

Acquisition of new materials, including hazardous ones;

Changing the technological process;

Results of the analysis of accidents, occupational diseases, incidents, inconsistencies;

The occurrence of emergencies;

Analysis of the results of internal audits;

Management analysis.

8 DOCUMENTATION

Name document	Executor (job title, structural subdivision)	storage control copy	Shelf life
List of organization hazards	Heads of structural divisions, labor protection manager	Labor protection manager	Before replacement with new
Hazard identification and risk assessment cards for structural units	Heads of structural divisions	Structural units
Register of significant risks of the organization	Labor protection manager	Labor protection manager

APPLICATION1

Form for accounting for hazardous and harmful production factors in the workplace

Structural subdivision _______________________________

	Dangerous and harmful production factors in accordance with the classification according to GOST 12.0.003-74	Workplace or profession
	Physical dangerous and harmful production factors
	moving machines and mechanisms;
	moving parts of production equipment;
	moving products, blanks, materials;
	increased dust and gas content in the air of the working area;
	increased or decreased temperature of surfaces of equipment, materials;
	increased or decreased air temperature of the working area;
	increased noise level in the workplace;
	increased level of vibration;
	increased level of infrasonic vibrations;
	increased level of ultrasound;
	increased or decreased air mobility;
	increased voltage in the electrical circuit, the closure of which can occur through the human body;
	lack or lack of natural light;
	insufficient illumination of the working area;
	sharp edges, burrs and roughness on the surfaces of workpieces, tools and equipment;
	the location of the workplace at a considerable height relative to the surface of the earth (floor);
	Chemical hazardous and harmful production factors
	Psychophysiological dangerous and harmful production factors
physical overload;
neuropsychic overload.
others (please specify)

Head of department ____________ _______ _______

The identification of hazards in the workplace is carried out in order to identify and clearly describe all hazards in all types of activities of the organization, including planned and unplanned activities, for further risk assessment and management, and should take into account:

situations, events, combinations of circumstances that led or could potentially lead to an injury or occupational illness of an employee;

the causes of potential injury or illness associated with the work performed, product or service;

information about the injuries that have taken place, occupational diseases.

It is necessary to evaluate both normal working conditions and cases of deviations in work associated with incidents, possible emergency situations.

When identifying hazards depending on the type of activity being carried out, it is necessary to determine the list of works included in the type of activity being carried out, and also consider not only the hazards and risks from the activities performed by its personnel, but also the hazards and risks arising from the activities of contractors and visitors, from the use products and services provided by other organizations.

This procedure includes consideration of:

organization of work, including the safety of their performance;

designing safe workplaces, technological processes, equipment;

installation, operation, Maintenance, repair of equipment (buildings and premises);

characteristics of goods and services acquired by the organization.

Responsibility and authority.

The functions performed and responsibility for determining the risks associated with the activities of the enterprise, assessing their significance are given in the responsibility distribution matrix (Appendix 1).

Description of activity.

General provisions.

In order to effectively manage the activities of the enterprise and individual departments in the field of occupational safety, the enterprise has defined procedures for identifying hazards and assessing risks.

Hazard identification

In the course of hazard identification, Required documents on labor protection:

Records of all types of condition monitoring labor protection(logs of daily, monthly monitoring of the state of labor protection, inspection reports);

The results of the examination and inspections of labor protection by state supervision and control bodies, OSH;

Statistics of microtraumas, accidents, accidents and incidents at the enterprise;

List of works with increased danger;

Records on training, instructing and testing the knowledge of employees;

Labor protection instructions, etc.

Hazards that create risks of potential harm to the life or health of an employee, damage to the property of the enterprise, disturbance of the environment at the workplace, or a combination of them when performing work are indicated in the classifier (Appendix 7).

Risk classification.

The OSMS of the enterprise establishes the following classification of risks according to the level of significance:

Acceptable Risks	low
	medium
Unacceptable Risks	high
	very high

TO low risk(R<6) относятся потенциальные риски при ежедневной работе на рабочем месте. Риски с таким уровнем рассматриваются как приемлемые при наличии мер по управлению ими (инструктаж по ОТ).

TO medium risks(P = 6-12) include risks in which there is a potential threat to the health of personnel and / or damage to the property of the organization. Risks with this level are considered acceptable if there are sufficient measures to manage them and require constant monitoring and analysis.

TO high risk(P = 14-25) include risks in which there is a potential threat to the life and health of personnel and / or causing significant damage to the property of the organization. Risks with this level are considered unacceptable and require further mandatory management.

TO Very high risk(Р=27-45) include risks in which there is a real threat to the life and health of personnel and / or causing significant damage to the property of the organization. Risks with this level are considered unacceptable and require mandatory management.

Risk assessment.

Risk assessment in the organization is carried out by the calculation method in accordance with the methodology given in Appendix 3 for professions and positions specified in Appendix 4.

Risk assessment cards (Appendix 5) are filled in by the heads of structural divisions for each division of the organization and agreed with the head of the OT bureau, with the obligatory reflection in them:

professions;

descriptions of the hazard;

residual risk assessment ( P);

The card is used in departments for:

assessment of the state of OT in the unit for the year;

preparation of input data for the analysis of the OSMS by the management of the enterprise;

evaluating the effectiveness of the corrective and preventive actions taken to reduce the level of risks for this profession.

The assessment of risks in the completed cards is carried out in relation to the hazards identified in the practice of performing work.

Heads of structural subdivisions enter unacceptable risks into the register of unacceptable risks of the structural subdivision (Appendix 5) and transfer a copy of the register to the CBO.

Based on the registers of unacceptable risks of structural divisions, the head of the OT bureau draws up a register of unacceptable risks for the organization (Appendix 7) and submits it to the chief engineer for consideration and approval.

For low risks, the development of corrective actions (measures) is not required.

For unacceptable risks, the heads of structural divisions of the enterprise develop measures for their management, which are agreed with the chief engineer and approved by the director of the enterprise.

These activities may be related to:

production equipment;

Staff awareness and training;

Procedures for ensuring the safe operation of equipment, emergency response, accident prevention, etc.

After the implementation of the developed measures, a re-assessment of the risks and analysis of the effectiveness of risk management measures are carried out with the subsequent introduction of the expected risk reduction into the risk assessment card (residual risk assessment ( P, S, R), filled in by the heads of structural divisions.

Analysis of the process of hazard identification and risk assessment and management.

Every year, before the meeting on the analysis of the OSH by the management, the heads of structural divisions, in order to assess the effectiveness of the measures taken to manage risks and set new goals in the field of occupational health and safety, identify hazards and assess risks for their structural division by filling out Risk Assessment Cards, Registers of unacceptable risks.

Heads of structural subdivisions also ensure unscheduled identification of hazards and risk assessment within a month in the following cases:

Introduction of new regulatory legal acts and technical regulatory legal acts in the field of labor protection;

Expansions, reductions, changes in the structure of the unit;

Redistribution of responsibility;

Changes in methods and modes of operation;

Introduction of new technologies, equipment.

Information on the use and storage of documents containing registered data (records) based on the results of the work established by this standard is given in Table 1.

Table 1

Name document	Storage location of the original (copy) document	Term storage document
Occupational risk assessment charts
Register of unacceptable risks of structural divisions	Structural unit (BOT)
Register of unacceptable enterprise risks
Hazard classifier	BOT (structural division)

The OT specialist is responsible for updating and making changes. The director of the enterprise approves the changes.

Accounted and registered copies of this standard or changes to it after the issuance of a director's order to put it into effect, are distributed.

This mini guide provides a practical example of the steps involved in identifying hazards and assessing risks in a manufacturing plant in accordance with the requirements GOST 12.0.230-2007 (OHSAS 18001:2007) . The presented practical guide reveals the main idea of ​​the standards of the occupational safety and health management system GOST 12.0.230-2007 (OHSAS 18001:2007), aimed at improving the labor protection management system at the enterprise, reducing unforeseen expenses (for the elimination of accidents, incidents, insurance payments, etc. .d.), increasing labor productivity, as well as increasing the loyalty of staff and society.

Introduction

1. The concept of danger and risk

2. Stages of work on hazard identification and risk assessment

3 Risk management in emergency situations

4 Development of measures to improve the occupational safety and health management system

Conclusion

Introduction

According to the Federal Labor Inspectorate of the Russian Federation, at present in Russia more than 600 people die on the job every month, 1000 people become disabled, about 20% of people work in conditions that do not meet sanitary and hygienic standards. The proportion of jobs with harmful and dangerous working conditions has increased by more than 5% since 1995 and has averaged about 23% in recent years, reaching a third or even a half in some industries. Initial disability exit has increased by about 50% since 1995.

Taking into account the real volume of production, injury rates in Russia are constantly increasing (with some numerical reduction in the number of injuries at work in recent years). Economic losses at the same time increase by 10-30% annually.

From foreign experience, we note the following.

According to international standards, the employer is obliged to insure each employee not only against accidents at work, but also against damage associated with treatment.

The International Labor Organization recommends a minimum amount of such insurance in the amount of a salary for 7,500 working days.

In countries with a strong trade union movement, collective agreements include the obligation of the employer to insure his employees also against the consequences of domestic injuries and general morbidity, sometimes together with family members.

In connection with the accession to the WTO, Russian organizations will need to be guided by similar international standards in the field of labor safety, and in order to avoid the above problems in the future, domestic companies will need to modernize their labor protection management system.

Something is already being done now - for example, since January 01, 2010, changes have been made to the Labor Code of the Russian Federation regarding labor protection requirements. In the new version of the Labor Code of the Russian Federation, the requirements of labor safety system standards are equated to labor protection requirements, which includes more than 120 labor safety system standards (SSBT) now equated to state and mandatory for use.

The presented manual discloses the main idea of ​​one of the standards of the SSBT system - GOST 12.0.230-2007 (OHSAS 18001) - carrying out hazard identification and risk assessment occurrence of accidents and incidents. This work is very time-consuming and costly, but for a Company that really cares about the health and safety of its employees, such events are simply necessary.

1. The concept of danger and risk

First, let's define what "hazard" is and what "risk" is in the interpretation of the OHSAS 18001 standard (it is recommended to rely on it, since GOST 12.0.230 does not yet fully comply with it).

Hazard is a source, situation, or activity with the potential for harm in the form of injury or ill health, or a combination of both.

Risk is the combination of the likelihood of a hazardous event or exposure(s) occurring and the severity of injury or ill health that could be caused by that event or exposure(s).

In order to understand these terms, we can give an example from everyday life. We meet with dangers every day - we travel in transport, cross the roadway, railway tracks and use electrical appliances - all this is a source of risk of ill health. Those. in other words, DANGER is the source from which the risks of an accident come. For example, even a car is regarded as a "means of increased danger" - i.e. a moving car is a danger, and a risk is already a potential dangerous event - i.e. An accident with a deterioration in human health (injuries, fractures, or God forbid death).

The biggest mistake of companies that start this kind of work is the confusion in terms. If initially the terms are misinterpreted, then it will be "Sisyphean labor", because. without a common understanding of the terminology of the OHSAS 18001 standard, this system cannot be built. For example, the concept of "danger" is very often confused with the concept of "risk". For example, the interpretation of the danger associated with a slippery floor - someone means as a source - i.e. the source of the risk is “slippery floor”, someone like the situation “walking on a slippery floor”, someone like an action - let's say “washing floors”. As a result, the risk of injury from falling on a slippery floor in practice can be from several sources (hazards), for example:

Because the floor was slippery;

Because they walked on a slippery floor;

Because someone washed the floor.

Practice shows that it is more expedient to regard "danger" as a source of risk, and regard the situation and action as a technological operation, therefore, the following scheme can be distinguished:

Thus, a common understanding of the terminology OHSAS 18001 by all employees involved in the development of the occupational safety and health management system is one of the key points in the effective implementation of the SMPS.

2 Stages of work on hazard identification and risk assessment

The work on hazard identification and risk assessment can be divided into several stages (given in a logical sequence, but some stages can and should be combined):

- Stage 1. Identification of the activities of the organization

- Stage 2. Isolation of individual technological operations

- Stage 3. Hazard identification in process operations

- Stage 4. Risk identification

- Stage 5. Determination of the level of risks and their ranking

- Stage 6. Development of risk management measures

- Stage 7. Allocation of responsibility for risk management measures

- Stage 8. Identification of legal and regulatory requirements in relation to significant risks

Practice shows that for the effective implementation of this work, it is necessary to involve not only experts in the field of labor protection (OT) (at the enterprise these can be specialists and heads of labor protection), but also heads of departments, since no one knows better than, say, the head of a shop about all potential risks in his unit.

Stage 1. Identification of the activities of the organization.

At this stage, they are considered as standard activities of the organization, for example, such as production, warehousing, repair work, transportation of products, etc. (if the enterprise is large, then it can be divided into separate production processes), and non-standard activities that should also be taken into account when identifying hazards - design, contractor activities, activities of nearby organizations, modernization, administrative and economic activities, etc.

For example, take a small factory for the production of plastic products. There is production with various technological processes, warehousing, transportation, repair work of production equipment, etc. (see Figure 1). If the company has implemented a quality management system (QMS) according to the standard ISO 9001 , then the implementation of this stage is greatly simplified, since when introducing ISO 9001 the business processes of the company are distinguished in relation to the types of activity: the main business processes (production, procurement, logistics, etc.), auxiliary processes (repair, maintenance, service, etc.) and management processes. Thus, the types of activities have already been identified in some form and you can continue to work with them. If there is no implemented QMS, then types of activities can be distinguished according to the principle: main and auxiliary, standard and non-standard (for example, design or modernization).

At the output of the stage, we get a list of standard and non-standard activities, possibly broken down into more detailed areas (for example, at a furniture factory, the global furniture production process can be divided into the production of upholstered furniture and the production of cabinet furniture, and if the technological chain is fundamentally different, then according to types of production).

Stage 2 Selection of individual operations

Let's take the main type of activity, where the main dangers and risks are usually concentrated - production. In our case, the production of plastic products. In order to proceed to this stage, it is necessary to analyze the entire technological chain of manufacturing plastic products from the production of parts from raw materials to obtaining the finished product and break it down into separate technological operations (unless, of course, there is no technological documentation where everything is described). Suppose, in our case, the production of plastic products consists in casting parts in an oven from granules, drying them, preparing them for assembly into a finished product (grinding, polishing), assembling the finished product by hot pressing, painting the product, varnishing, etc.

At the output of this stage, we obtain a list of technological operations (processes) for a specific type of activity (preferably in a logical sequence) linked to a specific activity. Such a list can be arranged in the form of a table for clarity (table 1).

This work must necessarily include technologists and heads of departments. After identifying technological operations in various types of enterprise activities, you can proceed to the main 3 stage.

Stage 3 Identification of hazards in technological operations

This is one of the most labor intensive steps. For the qualitative identification of hazards, it is necessary to analyze a huge amount of information, namely to carry out:

- Analysis of the documentation of the existing organization management system

- Analysis of legislative and regulatory documentation in the field of labor protection applicable to a given organization and, in particular, to individual technological processes and operations.

- Analysis of the current technical documentation of the enterprise (technological and work instructions, equipment operation instructions, situational plans, etc.)

- Analysis of hazardous substances and materials records (if any)

- Analysis of records on the investigation of accidents, incidents and accidents (including at similar enterprises);

- Analysis of monitoring and measurement records in the field of labor protection (physical factors);

- Monitoring the implementation of "material" processes (production, logistics, etc.);

- Interviews with employees implementing processes;

- Analysis of messages of interested parties (Society, state), etc.

At the output of this stage, we obtain a list of hazards (sources of risk) for each specific technological process (operation). For more efficient work at this stage, it is necessary to involve experts in the field of labor protection (including third-party ones) and heads of departments. The work of identifying hazards can also be divided into separate stages depending on the size of the enterprise.

In the presented example, hazards from the technological operation "Assembly of parts" were identified (in the example, not all possible hazards in this case are presented, but only some of them). In our case, the assembly is carried out by hot pressing, i.e. the operator works on a press, the surface of which, for example, has a high temperature. Based on the analysis of the above documentation by the working group and the observation of the technological process, we determine those hazards that we will consider as a source of risk for a person, in this case, an operator working on a press. Standard OHSAS 18001 also provides for the identification of hazards for equipment, and the risks of its breakdown and failure, but in this article we will talk about the dangers associated only with human health. The results of the work are also entered in the table (table 2)

After the implementation of this stage, the first elements of the occupational safety and health management system are already visible - there is a traceability of hazards to the types of activities of the enterprise.

4 Stage of identifying risks for each operation

At this stage, it is necessary to determine the potential deterioration in the health status of personnel from the identified hazards. Those. for example, we have a danger - a high surface temperature of a press for assembling plastic parts - the risks from such a danger can be, for example, the operator getting burned, thermal shock or fatigue from high temperatures.

Information on risks can be obtained from normative documentation on labor protection (labor safety system standards (OSSS), work instructions, technological documentation, workplace certification records, accident and incident analysis records, etc.), as well as through expert evaluation of employees' activities (for example, monitoring of technological processes, inspections of workplaces, personal protective equipment, etc.). At this stage, it is necessary to involve not only internal OT specialists, but also third-party expert organizations in this area, if possible.

We also enter the data on the identified risks for each hazard in the table (Table 3) and proceed to assess the level of each risk.

Stage 5 Determination of the level of risk and their ranking

After the titanic work of identifying hazards and risks has been done, we proceed to ranking the risks according to their significance. To do this, it is necessary to develop a methodology for determining the "significance" of risks. There is no single methodology for risk assessment and it is developed individually, being the "know-how" of each enterprise. This can be an expert risk assessment - where the risk level is determined by an expert (by a group of specialists) for each risk, and the introduction of a risk scoring system. Expert assessment of the level of risk is the most informative and reliable, but it is difficult to apply to large enterprises, as it is associated with large labor costs. Therefore, we will focus on a more universal scoring. The most common risk assessment formula is:

where R is the level of risk,

С t is the degree of severity of the risk (the severity of the consequences of the occurrence of a dangerous event),

H is the frequency of occurrence of risk.

In order to obtain a quantitative assessment of the level of risk, it is necessary to rank the severity and frequency of occurrence by levels (Table 4). For each level of severity (eg low impact) it is necessary to define a specific set of characteristics (eg minor injury, contusion, etc.) and similarly define the risk frequency characteristics (eg rare - 1 per year). In order for the level of risk to have a quantitative value, we assign a certain number of points to each level and get a certain number of points characterizing the level of risk.

Now that we have received a quantitative value of the level of each risk, it is necessary to rank them according to the levels highlighted in Table 4, for example:

- Minor risk (highlighted in white);

- Acceptable risk (highlighted in pink);

- Unacceptable risk (highlighted in red).

Each enterprise chooses the number of risk levels itself, depending on the scale and number of jobs with difficult (dangerous) working conditions. A certain number of points is assigned to each level and, based on this, a register of significant (unacceptable) risks of the enterprise is formed (Table 5).

Since the OHSAS 18001 standard requires the management of significant (unacceptable) risks, it is first necessary to create a separate register of significant (unacceptable) risks and develop management measures for them.

Stage 6. Development of risk management measures

to be continued...

A risk map can become not just a list of possible problems for a company to monitor and control, but a tool for implementing a strategy. Management can predict a possible map projection in a few years. Let's give a specific example of a risk map.

The company in question included several subsidiaries, as well as a sub-holding in which I held the position of financial director. Controlled firms conducted a variety of activities, including production, services under agency contracts. The total revenue of the holding amounted to several billion rubles a year.

In a sub-holding process was fairly formalized. For all subsidiaries, the shareholders have put into effect a general regulation on drawing up a risk map. It spelled out the methodology for its creation, deadlines and responsible persons. Special services for did not have. Primary responsibility for risk mapping in the sub-holding was entrusted to the Department of Finance, in subsidiaries - to the heads of financial services. On the part of the managing organization, this work was performed by one person - the director of the financial department.

Every year, the companies of the group filled out a special table that dealt with all the risks they face, not only . For confidentiality reasons, I cannot indicate specific business risks, so I will give a conditional example in the table.

Drawing up a risk map

Table. Information for the preparation of the risk map

№	Name of risk	risk owner	Probability of risk realization (from 0 to 100%)	The degree of exposure to the risk, expressed in monetary terms	Description of the risk	Risk Management Measures
1	The risk of falling sales due to the high level of competition and the limited number of customers in the market	CEO	60	100 million rubles (loss of revenue)	Non-renewal of the contract with one of the customers	Accepted. Status monitoring is carried out through the operations committee
2	Risk covenant violations and declaration of default on the loan	CFO	50	400 million rubles (early repayment of the loan, additional cash)	In view of the irregularity of revenue receipts and gaps in liquidity, a number of banking covenants may be violated. According to the loan agreement, if they are violated, the bank may declare a default	Tougher sanctions for late payment in contracts with customers Regular reminders of upcoming payments Monthly forecast for banking covenants at the end of the quarter Preparation of refusal (Waiver) in advance, coordination with the bank
3	Additional charge of income tax in the event of a tax audit on a controversial issue	Financial director, chief accountant	40	10 million rubles (including penalties and fines, profit reduction)	There is conflicting case law on this issue.	Accepted. Deferred tax assets can be used in case of additional taxes
4	The emergence of bad debts	Commercial department (you need to specify the name of a specific employee)	30	10 million rubles (debt write-off, profit reduction)	Eat arrears from two clients, there is a possibility of non-payment of the debt	Regular holding of a bad debts committee, preventing the growth of overdue debts Search for a factoring agency, discussing the possibility of selling part of the debt Assign a responsible person to each item and prescribe a deadline

Suppose one of the "daughters" with a turnover of 1 billion rubles has four main risks. The probability of their occurrence is a subjective factor, the value of which is determined by an expert. The “Risk Impact Degree” column indicates which financial indicator is directly affected by the risk. This is important, since the degree of impact on different indicators (revenue, profit, cash balance) cannot be compared with each other.

The risks are then ranked by cost, which, based on the data in the table, is calculated as follows: probability of occurrence × degree of impact. The result obtained is transferred to the risk map (see below for an example of a risk map). The most significant risks with a high probability of occurrence are marked in red in it.

The difference between the zones in the holding was determined by the materiality of the risk (from revenue), which was calculated by experts from the financial service of the management company. For example, risks exceeding 50 million rubles in value could fall into the red zone, less than 3 million rubles into the green zone, and the rest into the yellow zone.

Picture 1

Risk Management Scheme

To control the activities of our subsidiaries, we held operational committees once every two months. Their composition necessarily included the financial and operational directors of the group. Positions from the red zone of the map were necessarily spelled out during each such meeting. In addition, the board of directors also met every two months in the sub-holding for subsidiaries. Before each meeting, a meeting of the operating committee was necessarily organized, where all the issues on the agenda of the upcoming board of directors were worked out in detail. It was necessary for me, as the financial director of the sub-holding, to participate in all these events. Thanks to this, when compiling a consolidated risk map, I understood their essence and knew what was really being done to prevent them. On the one hand, this practice took a huge amount of time, on the other hand, it was “invested” in a detailed acquaintance with the business of each company.

At the end of the year, all information received on risks was discussed at a meeting of the audit committee, considered by the holding's board, and submitted to the board of directors. To do this, the specialists of the financial block prepared a detailed presentation in which they showed the dynamics of the risk map for the year, spoke about the largest risks and possible ways to minimize them. Let's say risks 1 and 2 from our table could be included in their number. In addition, we noted the number of unrealized risks and their cost compared to those that caused damage.

For example, if, as a result of a tax audit, no additional income tax was accrued, then this risk was considered unrealized. If we saw that some risk was unavoidable, then we accepted it and left it on the map as inherent in our business. This category would include the risk “Declining sales due to high levels of competition and a limited number of customers in the market”, shown in the table in question.

This is how the risk management process was built. But, as it turned out, this was not enough to achieve the goals. The shareholders set the subholding a certain level of annual profit, and at the end of the first quarter we realized that due to new factors and changed market conditions, we are not fulfilling the set task. We also saw that when working on a strategy, the relevant department itself analyzes business risks. It turned out that this process is duplicated - in reporting to shareholders and in drawing up a strategy. We decided to improve the efficiency of using the collected risk data within the sub-holding and identified two areas: strategic and operational. The shareholders approved our proposal.

Risk map and SWOT analysis

In the process of discussing an already existing strategy, we conducted a study of the main risks and made SWOT analysis of the project . True, it was not fully combined with the compilation of a risk map, in fact, these activities were implemented in parallel. In our case, this happened due to the peculiarities of the strategy itself. The fact is that it was mostly aimed at buying new companies, since all existing businesses worked stably and explosive growth was unattainable for them.

Then, on the basis of the existing risk map and audited financial statements, the management drew up a Risk-Return schedule for the sub-holding. The figure below shows its conditional example. Let's figure out how to use it.

Figure 2.

Possible current state of the company (marked with a red star in Fig. 2). We use the margin EBITDA for the last reporting year (or forecast for the current one) along the vertical axis, and along the horizontal axis - we conduct a general assessment of all the risks of the company according to the map drawn up. For example, possible locations on the chart are shown. Let's say an organization can operate with high business risks and have relatively small margins. Or to have an insufficient but stable margin with a low degree of risk. This analysis seems simple, but in my 20-year career in finance, I haven't seen it often.

The position of the company in a few years (marked with a green star in Fig. 2) is estimated based on a development strategy for three or five years. An assessment of the degree of risk in the future can be obtained through stress tests of the financial model. It is also advisable to use the subjective opinion of management, since understanding the business may be more important than mechanical checks. The shareholder needs the company to move on the schedule to the left and up. If this happens, then at the final stage, an action plan should be developed that will ensure this movement.

Thus, the risk map becomes not just a list of probable problems for their monitoring and control, but a tool for implementing the strategy. Management can predict a possible map projection in a few years. In this context, it is worth using not the entire risk map, but only those positions that, in the example above, are marked in red on the risk map. They most of all influence the result and the success of the strategy implementation.

Risk map and operational planning

Even at the beginning of the second quarter of the reporting year, we predicted a high risk of non-fulfillment of the budget target in terms of net profit. In order to develop a plan for the measures necessary to prevent it, we took the existing risk map as a basis. In fact, by the middle of the year, a detailed additional analysis of all risks that affect profits for all companies of the group was carried out. If we recall our conditional example in the first part of the article, then during the additional analysis, the subsidiary once again studied all the factors that could lead to a drop in profits, and identified, for example, six more risks. Each of them individually was not significant enough in value to fall into the red zone. However, when all risks materialized, the most pessimistic forecast of net profit at the end of the year was obtained. So, if in the first case we worked with macro-risks in order to “combine” their management with the current strategy, then here we analyzed micro-risks that affect the result of a given year. Moreover, unlike the standard annual or quarterly manipulations with the risk map that were carried out before, we had to monitor the situation for each organization every month until the end of the year. For such an analysis, we used Table 1. At the same time, it was actively adjusted for the next meeting of the operational committee - the risks that were closed as a result of the measures taken disappeared, others appeared. The degree of probability of their implementation also changed due to the changed assessment of management and, as a result, the profit forecast for the year.

Thus, if earlier the companies of the group simply reported on the already existing risk map and discussed the list of measures with us, now the work with it was carried out continuously and actively. Declared measures to minimize risks began to be implemented immediately, and all attention was focused only on those that affect the profit of the organization. As a result, already by the end of the third quarter of the year under review, the forecast for profit reached the budget level and at the end of the period it was possible to fulfill the planned indicator.

In the course of identifying and assessing financial risks, various graphical methods are used that give a visual representation of the distribution of risks in time, by type of activity, by business process stages, in space (for example, by premises), by the size of the identified damage, etc. But the most versatile information visualization tool widely used in risk management is the so-called risk map. It is built on the basis of the register of risks and their qualitative and quantitative characteristics obtained during the measurement process. A risk map can be built either for the entire organization or for a specific department. In addition, risk maps can be drawn up for the direction of the organization's activities or for a separate project, program.

The simplest risk maps are usually presented in tabular form. In cases where qualitative-quantitative scales of probabilities and consequences are used to measure risks, matrix risk maps are used. Matrix risk map - a graphical and textual description of a limited number of risks of the organization, located in a rectangular table, on one "axis" of which the strength of the impact or significance of the risk is indicated, and on the other - the probability or frequency of its occurrence. In cases where qualitative and quantitative scales of probabilities and consequences are used to measure risks, the entire spectrum of risks is divided into cells. Because of the superficial similarity, such a risk map is sometimes referred to as a "matrix".

Generally speaking, risk mapping methodologies are as different as the risks of companies. The construction of a risk map can be carried out both as part of the implementation of a risk management system at the level of the entire organization, and for solving a separate range of risk management tasks. The methods used by consultants (experts) when compiling a risk map include interview , formalized And non-formalized survey questionnaires And industry research , analysis of the documentation set of the company and numerical methods of evaluation and so on.

The composition of the team of consultants (experts) is very important for the success of the risk mapping process. When the work is carried out by professional consultants, the team (working group) usually includes those specialists who have experience and expertise. Experience shows that a team works effectively if it consists of six to ten people. Only by defining the boundaries of the analysis can one determine who is included in the team. When compiling a map of the company's financial risks, the team must include the head of the financial department, the head of the legal, control, GG departments, etc. The degree of detail required in the analysis is specific to each risk and varies from one risk to another, but depends mainly from the goals pursued by the organization.

Mapping is a complex process that includes many specific operations, but in a generalized way it consists in visualizing the identified risks. Risk identification includes an analysis of financial risks aimed at identification and assessment of risks.

Recall that identification is the first and one of the main stages of risk analysis. The results of risk identification make it possible to describe and compile a register of risks. Risk assessment involves the determination (calculations) of the main qualitative and quantitative parameters (value) of the risk.

The results of risk identification and assessment are recorded in financial risk cards. To build a financial risk map (hereinafter referred to as the Map), you must perform the following sequential steps and fill in all the columns of the following table (Table 2.6).

At the initial stage, identification involves choice of risk owner (risk subject). In our Map, this is the line - job title.

The so-called risk owners riskowners) - these are employees, specialists, who are assigned by the manager to observe the triggers of some specific risk, and also to manage response procedures in case of occurrence of this risk. Employees become risk owners by virtue of specific expertise on a particular issue or because they have some control over a specific risk.

Here the choice of the position of the employee and the identification of the types of activities performed by him and the objects of management related to these types of activities are carried out. The selected type of activity will be entered in column 2 of the Map.

The group of subjects with increased financial risk includes those who are characterized by:

• availability of powers related to the distribution of significant financial resources;
• a high degree of freedom of action, caused by the specifics of their work;
• high intensity of contacts with organizations and their representatives.

The next step is to define a list of job responsibilities with high financial risk. Identification and assessment of risks is carried out according to a specific list of job responsibilities with a high probability of financial risks.

Column 3 Maps involves consideration and analysis of the conditions at work. Usually the following conditions are distinguished:

FINANCIAL RISK MAP №________________

Department: _________________________________________________

Job title: ____________________________________________________

filled out

(Head of department) (signature) (Last name, first and last name) (date) AGREED

Head of the organization (subdivision) _____________________________________________________________

______________________________________________________________________

• (EXPERT/CONSULTANT)
• normal (scheduled activities) - denoted by the letter "H";
• emergency (incidents and other emergencies) - denoted by the letter "A".

Identification of specific types of financial risks associated with selected activities is recorded in column 4 of the Map.

The identified risks are described and documented in the form of the Register of Financial Risks (Table 2.7).

Table 2.7

Register of financial risks

	Object of risk	Name of the risk	Description of the risk	risk factor
P

Count 5 Cards involves the identification of existing measures against the impact of hazards (regulations, measures) for the selected type of activity (work). Hazard measures include:

• training and advanced training in the field of minimizing financial risks;
• certification of workplaces;
• certification of workplaces according to working conditions;
• testing of implemented standards, norms, regulations;
• identifying areas of business processes that are not covered by controls;
• identification of ineffective controls;
• introduction of new indicators of financial risks;
• other similar measures.

Identification by incidents (commercial bribery, forgery, trading in insider information, abuse of office, etc.) in the organization is filled in column 6 of the Map. Information on incidents is accumulated in the presented table (Table 2.8).

Table 2.8

Incident Information

Description of the severity of the hazardous event (assumed - in the absence of statistics) from the possible impact of the hazard (column 7 of the Map) taking into account the implementation of existing measures against this impact (standards for minimizing financial risks).

The most difficult step is the risk assessment. The risk assessment associated with the identified hazard is recorded in columns 7–10 of the Map.

The risk assessment associated with the identified hazard is carried out according to the following formula:

where Р is the risk; T - severity of harm; - the likelihood of a hazard; - Exposure to hazard.

The severity of harm (T) is assessed in a point system (for example, in a ten-point system) and is filled in in the form of a table (Table 2.9).

Table 2.9

Severity of harm T

	Characteristic
	Bankruptcy
	Loss of primary financial document

The severity of harm is determined by an expert assessment of the working group that conducts mapping. They determine the severity and put down points based on the specifics of the economic entity. Therefore, for example, the harm from the revocation of a license to conduct operations in foreign currency for some organizations will be 9 points, and for others, non-core organizations, much less.

The probability of harm (B) is considered by experts in terms of the likelihood of a hazard and exposure to the hazard and is filled in in the following tabular form (Table 2.10).

Table 2.10

Probability of harm B

	Probability of hazard manifestation, B1	Exposure to hazard, В2
	1 event per day	From 90% working time
	1 event per month or less	80 to 90% working time
	1 event per quarter	70 to 80% working time
	1 event per semester	60 to 70% working time
	1 event in 9 months	50 to 60% working time
	1 event in 1 year	40 to 50% working time
	1 event in 2 years	30 to 40% of working time
	1 event in 3 years	20 to 30% of working time
	1 event in 4 years	10 to 20% of working time
	1 event in 5 years	Up to 10% of working time

The identified risks are further sort. Let's analyze the real technique of sorting a large number of risks, which has proven itself on the example of more than one hundred companies. It is actively used and promoted by the Risk Management Special Interest Group ( RMSIG ) from the Project Management Institute. The essence of the method is to distribute risks according to a special map (its other name is PI- matrix). The map should look like the one shown in the table. 2.11. Typically, all identified risks are shared among the members of the risk management team. The person who identified the risk is usually responsible for the risk (source is indicated on RMC- map). The risks identified by those who are not present at this procedure are divided equally among all other participants. Then the participants distribute their risks according to certain squares, i.e. the probabilities and degrees of influence of these risks are ranked.

Table 2.11

Risk Sorting Map

Probability
	Degree of impact

It may be necessary to improve the quality of individual decisions about the likelihood and impact of risks. It is a good idea to hand out colored pens to team members and, after reviewing all the risks, to mark those with which they disagree and which, in their opinion, need to be discussed separately. After that, the marked risks are discussed and appropriate changes are made. At the end of this step, the probability and degree of impact of each risk on the project is considered to be established, and in RMC- The cards include the probability of a given risk and the degree of impact.

In addition to the risk sorting procedure, they must be rarify, those. define RR (from English - risk ranking) for each risk. Formula to determine RR is:

RR = Probability of risk (IN) × Degree of risk exposure ( Y ).

This step repeats the sorting of risks on the map, however, experts advise doing it, as it will be needed in the future. Then it is already possible to determine which risks will be launched into the risk management process. List of risks according to value RR allows you to sort them. Thus, risks that are very unlikely to occur or will have very little impact on the project can be removed from further analysis.

The most important thing at this step is to decide on the risk thresholds that will be involved in further consideration. This is a complex issue on which it is difficult to make specific recommendations. A huge role here is played by the experience of the project manager, as well as the levels of risks that are accepted as threshold in the company. If the company has adopted a maximum project risk level of 70, then all risks that have RR above 45–50 should be considered significant. All risks that RR below 45–50 are documented, but not put into risk management work. The identified risks are ranked, their written description is compiled, which is entered in a special table (Table 2.12). A similar table is filled in by each expert.

Table 2.12

Risk ranking map

	Object of risk	Name of the risk	risk factor	Probability of occurrence	Risk Damage	Risk Index (I r = B × Y)
P

The results of risk identification and assessment are recorded in the Maps for presentation to management. The identified, sorted and ranked risks are entered in the first version of the final Corruption Risk Map. In fact, we have already done part of this work by filling in Table. 2.6.

For a more visual presentation, the identified and sorted risks are entered in the matrix Risk Map. Depending on the degree of danger, several categories of risks are distinguished. The number of categories corresponds to the needs of the study. Table 1 can be used as a starting point. 2.13. It will help determine High , Average or Low Risk depending on its likelihood and consequences. For example, a combination High probability + high influence would obviously mean High level of risk.

Table 2.13

Level of risk

Severity of Consequences / Likelihood of Occurrence	General level of risk
High Loss/High Probability
High Loss/Medium Probability
High Loss/Low Probability	Medium/Low
Medium Loss/High Probability
Average Loss/Average Probability	Medium/Low
Medium Loss/Low Probability
Low Loss/High Probability
Low Loss/Medium Probability
Low Loss/Low Probability

These nine simple combinations of risk characteristics can also be tabulated as follows (Table 2.14).

Table 2.14

Level of risk and measures for their management

Probability / Impact

The boxes represent combinations of probability and consequences that are safe to ignore. Cells represent combinations that require urgent risk management action. Cells represent combinations that require close attention and regular reassessment in the future.

The risk assessment is valid for a certain period. In order to have grounds for applying the apparatus of probability theory, this period must be sufficiently long (three to five years). If the probability of an event (for example, theft) is low, the period under consideration should be further increased. But during this time the situation will change significantly and the old estimates will lose their meaning. Therefore, when assessing risks, events with a probability less than a certain threshold value can be neglected, despite the fact that the potential damage from them may be large. Note that this is contrary to traditional practice, where managers tend to over-emphasize risks with high damage and low probability. In fact, the foreground should be risks with moderate damage but high probability (for example, malware attacks) that are repeatedly realized during the period under consideration. At the same time, it must be borne in mind that it is very difficult to estimate the probability of a negative event with any accuracy. Therefore, it is recommended to consider risks not as numerical values, but as points on a plane, where the coordinate axes are probabilities and losses (Fig. 2.4). Level lines for the risk function are hyperbolas.

Event Risk U1 is among those usually overestimated by managers; in practice, due to the low probability, most of these risks should be neglected.

A very important step in risk analysis is the determination of the risk tolerance boundary. Risk tolerance limit critical limit of risk tolerance. The choice of the tolerance line is carried out by a strong-willed decision of the company's management. Financial risks above and to the right of the boundary are considered "unacceptable" and require immediate management attention. Those threats below and to the left of the border are currently considered tolerable.

Rice. 2.4.

mymi. The risk tolerance boundary changes depending on the risk appetite of the organization. When classifying risks by significance/probability, even without a numerical assessment, it is possible to roughly estimate the amount of financial losses from a particular risk, which makes it possible to determine to some extent the organization’s appetite for risk and determine the risk tolerance limit on the map. In order to visualize the boundaries of tolerance (tolerance, acceptability) for risk, the financial risk map is presented in the following form (Fig. 2.5).

Rice. 2.5.

Risk acceptance boundaries allow you to immediately visually determine the division of risks into categories in terms of the danger they represent. The risk map can be slightly complicated and presented in color. For example, a matrix Risk Map may look like this (Fig. 2.6).

Rice. 2.6.

This risk map shows probability or frequency on the vertical axis and impact strength or significance on the horizontal axis. In this case, the probability of occurrence of risk increases from bottom to top as you move along the vertical axis, and the impact of risk increases from left to right on the horizontal axis. The Arabic numerals on the map represent risks that have been classified so that each probability/significance combination is assigned one type of risk.

This classification, which places each risk in a specific individual "box", is not mandatory, but simplifies the process of prioritization by showing the position of each risk relative to others (increases the resolution of this method). The bold broken line is the critical limit of risk tolerance; cells are combinations of probability and significance (consequences) that can be safely ignored. When critical risks are identified, scenarios leading to risks above this threshold are considered unacceptable.

On the map they are marked with and . Cells represent combinations that require close attention and regular reassessment in the future. For identified unacceptable (untolerable) risks, it is required to understand how to reduce or transfer such risks, while risks below the boundary are manageable in the working order. Risk management corresponds to the movement of points along the plane. Usually, one tends to approach the origin of coordinates along one axis without changing the value of the other coordinate. However, if you can reduce both coordinates at once, it will be even better. In fact, depending on the purpose of construction, many different types of risk maps or variations of a given risk map can be built.

The register and the risk maps compiled on its basis are the main information base for making decisions on further risk treatment. For the most accurate risk assessment possible, it is essential to take into account the full group of factors that determine the risk. The totality of risk factors should reflect all the conditions of the external and internal environment of the organization that give rise to possible corruption risks.

The risk map has been drawn up, now it is necessary to develop measures to neutralize those risks that turned out to be above the tolerance limit. On the basis of the Maps of subdivisions, experts (consultants), together with interested subdivisions and specialists of the organization, draw up a "Register of unacceptable risks of the organization (subdivision)" within 10 working days. The working group should determine whether to leave things as they are and not apply any additional actions or develop a new risk management action plan if they are not satisfied with their consequences. As a result of the activities carried out, reduce the likelihood of risk , reduce the chance of loss , or change the consequences of the risk.

The purpose of the action plan is to figure out how to move each intolerable risk to the left, down into the tolerable zone. It should be noted that it is necessary to balance the costs of such a move with the benefits of it. Proposed measures to manage unacceptable risks should first be analyzed for the presence of new hazards and their associated risks. The degree of acceptability of risk depends on the importance for each risk subject, as well as their goals and expectations. The method of influencing the risk is chosen. For example, if a risk has been determined to be unacceptable, then a mitigation option is developed. If it does not reduce the level of risk to an acceptable level, then the avoidance option is used. If it is impossible to transfer the risk, it is subject to acceptance with the mandatory reservation of funds in case of unforeseen circumstances.

From the point of view of risk management technology with the construction of a risk map, the management process does not end, but only begins. Moreover, a risk map is a "living organism" that reacts to decisions made and operations performed. It lives and develops with the development of the organization, along with new opportunities, new risks appear, some of the old risks lose their relevance and become insignificant, insignificant for the organization. Therefore, it is important that the process of risk mapping, map refinement, be built into the activities of the organization. This will allow the organization's risks to be updated as often as necessary. Usually the period of "planned updating" is a year, sometimes it is tied to certain cycles (seasonal, calendar) if they take place in the organization's activities. However, when even weak signals appear about events that can greatly affect the organization's risk objects, their impact on the organization's risk map should be assessed without any periodicity. It is important to understand that the value of a risk map lies not in determining the exact size of the probability or damage from risks, but in the relative position of one threat relative to another and in their position relative to the acceptability margin.

Thus, risk mapping is a universal analytical tool in order to understand the financial risks of business entities, arrange them in order of importance, and prepare measures to minimize them.

• URL: iemag.ru/master-class/detail.php?ID=15716