Risks when organizing events. Problems. Insurance and legal issues

17.02.2011

The next conference on risk management will be held in July 2013.

More and more energy companies are developing risk management systems. They are driven not only by the requirements of regulatory authorities, the consequences of the crisis, energy accidents, but also by the desire to lay the foundation for business development. Therefore, it is so important to build a system for detecting risks and seizing opportunities, as well as early response to threats.

DTEK Group has been operating in the Ukrainian energy market since 2002. It includes 15 enterprises that form an efficient production chain from coal mining and processing to the production and supply of electricity. Until 2009, risk management in the company was a system in which risks were tied only to functional areas - business areas. In order to make the system more understandable, transparent at all levels and effective, its concept was revised in 2009. At that time, the risk management department was subordinate to the CFO for some time - during the crisis it was removed from the subordination of the CEO for a more precise concentration of efforts. When the management saw that the company was at the pre-crisis level of stability, it was decided to carry out structural changes again. So the risk management function was transferred to the executive director. In addition, a group risk committee was established, which included the CEO, CFO, security director, and heads of three departments: risk management, audit and compliance. The task of the committee was to turn the existing risk management into an effective tool for managing risks and increasing the reliability, transparency and efficiency of company management.

First of all, the purpose of the system was reformulated. We have identified six areas for ourselves:

  • checking tasks and strategic initiatives for relevance;
  • checking goals for achievability in the short and long term;
  • providing reasonable confidence in achieving goals (answers to questions: what can help us or, conversely, hinder us; how can we reduce possible obstacles and potential problems and turn them into opportunities);
  • work on mistakes; monitoring events, drawing conclusions and changing the line of behavior in the future to a more effective one; maximum flexibility;
  • development of a culture of risk management in everyday activities - that is, a kind of foundation for the functioning of the system, not only of risk management, but also of effective management as such, where responsibility and rationality are present in every area of the enterprise.

The most important thing in a risk management system is to ask key employees the right questions on time, and then collect and analyze the answers and communicate them to everyone else.

The next step was to clearly structure the risks by groups, including two large groups of risks: internal and external. There was no such division before. And only external risks fell into the category of the most significant risks for the company. Internal ones were not scrutinized, which made it sometimes difficult to unleash the company's potential and improve internal processes. In order to balance our efforts to deal with external and internal risks, we have implemented such a division.

Risk groups are tied to groups of goals, and each specific risk is linked to a specific goal and target measurable indicator: short-term (operational), long-term (strategic) and always existing (systemic). Based on this, DTEK's risk structure today looks like this:

Systemic risks include:

  • risks associated with personnel management;
  • legal risks;
  • political risks;
  • risks associated with information technology;
  • asset security risks;
  • other risks that threaten the existence of the company.

Risks attributed to strategic areas of activity:

  • reputation risks;
  • investment and liquidity risks in the long term;
  • environmental risks;
  • compliance risks;
  • risks of strategic projects (including M&A);
  • market risks (risks of competition and market environment);
  • other risks directly related to the execution of the strategy.

Among the operational risks are the following:

  • risks that may interfere with the implementation of budget targets;
  • risks of investment projects within the current period;
  • tax risks;
  • risks of current business plan projects.

I would like to note that risks from other groups - strategic and systemic - can also fall into the operational category during the year. We identify them during the annual assessment stage for inclusion in the annual action plan.

The structure described is quite flexible and is in a constant process of improvement and updating.

Why was it decided to tie risks to goals? In the company, each line of activity, function, employee has a list of goals for the year. In addition, there are goals for a longer period (say, strategic ones) in the case of long-term projects. Thanks to this transparent communication, everyone understands what should be achieved, by what date and how the result can be reflected in the work of the whole group. This not only improves the clarity of setting goals and keeping records, but also motivates and promotes greater employee involvement in the process.

Process, indicators and appetites

The company has adopted a cycle of management and risk assessment, which is repeated from year to year. In addition, the strategy and strategic risks are updated annually. We are aware that the market does not stand still, many external factors affecting the business are changing. This entails the need to revise the goals and objectives, as well as the associated risks.

The main steps in the risk management process are always the same. They include identification and definition of the types and kinds of risk, the causes (factors) of its occurrence, assessment of inherent risk, establishment of appetite, development of management measures, assessment of residual risk, and monitoring.

To obtain a quantitative statistical assessment, our company uses risk exposure meters, the so-called key risk indicators (KRI - key risk indicator). This is a quantitative indicator that allows you to judge the level of the actual exposure of the company to this risk at one time or another. KRI dynamics are monitored periodically on a mandatory basis. Let me give you an example: equipment accident rate (as an operational risk) has indicators in the form of the number of breakdowns, losses from work process downtime and restoration of normal operation, restoration costs, etc.

Of course, not all risks can be quantified. Some of them, such as reputational or environmental risks, are often assessed qualitatively as well. In this case, we add letter codes to the numerical value (for example, the possible occurrence or non-occurrence of various kinds of responsibility, etc.).

Appetites are set for all risks. These are quantitative indicators - boundaries that determine the maximum acceptable level of risk that the company is ready to accept (before the need for corrective measures). At DTEK they are two-tier.

The first level is those appetites that are formed from indicators. For example, if the employee turnover indicator is less than 10%, then the situation is within the normal range, and no special measures in the form of an analysis of what is happening and the introduction of additional incentive measures are required.

The second level of appetite is set for aggregated indicators, that is, those indicators that are affected by risk. In our company it is EBITDA. In the process of approving the risk appetite for this indicator, the members of the DTEK board expressed their proposals: they named the amount, the loss of which would be acceptable for the company and discussed it, and following the voting, the risk appetite for EBITDA for the entire group in 2010 was set at 5%. After that, for each enterprise, its appetites in monetary terms were calculated and communicated to it, proportional to its contribution to this indicator. What does this mean? If the deviation of the actual EBITDA of a particular enterprise from the planned business plan within a month is less than the established figure - a special analysis of the reasons for the deviation may not be carried out, or carried out only upon request. In the event that the deviation turns out to be higher than the permissible, our enterprises, together with the submission of reports on the implementation of the plan, give us a description of the reasons for the deviation, the risks and factors that caused them, as well as a list of measures taken and proposals to prevent similar problems in the future. This is a streamlined process that we call budget control. At the same time, in essence, this is an elementary risk appetite management at the level of the parent company and their standard tracking.

In addition, once a month all our enterprises provide reports on the realization of risks. If the corresponding indicator goes beyond the appetite, then they simultaneously send us an analysis of the reasons why this happened, and a list of measures that will be taken to prevent a similar situation in the future. The reports are periodically reviewed by the risk committee and continuously monitored by our department. However, if we see that such and such a risk is constantly at the limit of appetite, but has not yet gone beyond it, we promptly take control of it and develop measures that will prevent this risk, which will be discussed later.

Transformation into opportunities

In general, the picture of risks by the company and its areas of activity is reviewed once a quarter at a meeting of the risk committee. In addition to the management staff of the corporate center, top managers of enterprises belonging to the DTEK group, as well as their key employees, take part in it. We divide risks into significant (group A) and non-material (group B). A group of the most significant risks that can greatly affect our business is always brought up for discussion at the highest level. They are identified on the basis of interviews with experts, including from specialized directorates, our group's strategy directorate, analytical data provided by enterprises, the strategic block and prepared by risk managers, publications in the media, as well as internal statistical information. The materiality of the risk can be determined relative to the monetary threshold, and such materiality limits have been established for the enterprises of our group. In addition to the materiality threshold, the expert opinion of a member of the risk committee is taken into account. For example, if some risk does not fall into the group of significant monetary value, but we are aware that it is important for the company, the risk committee takes it under control and works with it.

As an example, for DTEK one of the biggest risks today is legislative changes. The energy sector in Ukraine is subject to strict regulation, and each new law, regulation or order can entail serious negative consequences for the company.

Each of these high-level risks is analyzed and monitored quarterly at the committee level and monthly at the level of our department - we track the trend, the level of appetite for it at the moment, etc.

It is the constant monitoring that serves as a powerful risk warning tool. For each function of our company, all data are consolidated, a slice of the company is compiled: statistics in different sections, graphs, forms and analysis. The analysis includes, in particular, comparison with previous periods, with the established risk appetites for each indicator, with the achievement or failure of goals. For example, we have estimated the current "operational" level of accidents, and we annually put in the business plan the amount for recovery based on the results of accidents - we know from statistics that they will still occur in some, albeit minimal amount. Throughout the year, we collect information on breakdowns, look at the dynamics in comparison with previous periods, and compare them with the figure set in the business plan. We monitor that their volume does not go beyond the established appetites. The most important part is to analyze the causes of accidents and the measures taken. We look at why certain developed measures do not give a result, and if they were not implemented at all, then what were the reasons, and we insist on their development, etc. After that, all the data received and processed by us is presented in the most convenient form to interested leaders in the form of charts, trends and analysis. We are currently automating the work with such reports.

In general, during the meetings of the risk committee, we try to present our problems as our opportunities. The group's management initially views risk as an uncertainty that can give the company a positive potential, and not as a problem to be shielded from. An example is situations with changes in regulatory requirements: suppose a specific regulation may negatively affect our generating unit. Before its approval, we are already considering all the available possibilities and trying to understand whether, say, distribution or mining can win, how to balance the work, etc. As a result, we try to use any change wisely anyway.

Of course, our company is not limited to identifying and assessing just a few significant risks, which are mentioned above. We also identify and track dozens of less significant risks. All of them are considered at the level of enterprise management - the corporate center has delegated both the opportunity and responsibility to manage risks within the framework of those appetites that exist within the entire group.

It's all about the reaction

In general, we do not prepare overly detailed scenarios for responding to risks. At the same time, we have formulated a standard list of our actions in the event of a risk event. When the KRI values go beyond the limits established by the risk appetite, the risk owner initiates one or more actions from the following list:

  • taking emergency measures to reduce / close the risk;
  • revision of the action plan aimed at reducing exposure to risk with mandatory notification of the risk committee;
  • revision of the business plan / targets;
  • revising the risk appetite and informing the risk committee (when revising for significant risks).

Some of the response options described above are often already contained in a worst-case scenario (and a global example of this is the disaster recovery plan the company is developing today).

Measures can be developed by the risk owner when the appetite is exceeded in a clearly limited period, if, for example, the realization of the risk is temporary in nature and is associated with a momentary market situation, a temporary regulation of the regulatory body or a specific accident. This happens most often, and such an action is mandatory, since it means that the previously provided measures are not sufficient to prevent losses from realizing the risk. In other, rare cases, if the realized risks are of a protracted, systemic or catastrophic nature, we can revise the appetites for them or even the company's business plan (that is, new targets will be developed). The financial crisis was an example of such a risk being realized.

If the risks that have exceeded the threshold and have been realized repeatedly do not entail significant consequences, a review of the value of the risk appetite may also be initiated. In this case, we understand that, perhaps, we have set too strict a figure.

Reasonableness and responsibility

What exactly is the risk management department responsible for? Taking DTEK as an example, I can say that we are responsible for the risk management process (and not for specific areas of the company's activities and risks in them). Our task is to make it as efficient as possible. Our division is responsible for the functions of methodological support, consolidation of all information on risk management and its analysis (in addition to additional related areas of insurance and internal control).

As for me, as the head of the function, I am not responsible for the risks themselves, their realization or prevention. Moreover, quite often they are associated with the production process, finance, etc. My task is to conduct appropriate training for key specialists, collect the necessary information, structure and analyze it, submit it to managers on time, build a system of indicators, etc. But as the head of internal control and insurance, I am responsible for the reasonable and optimal insurance in the group. Here I am also the owner of the process, so not only the development of methods, insurance requirements, determination of the list of counterparties and other related tasks, but also the efficiency and results of such work are directly within my competence.

In general, the purpose of our function is to ensure awareness for reasonable and responsible decision-making, that is, timely provision of a complete picture of risks, opportunities, history and assumptions to responsible persons - managers. This includes early warning of problems, analysis of how they have been solved in the past, and much more, the mechanics of which were discussed above.

At the same time, the Risk Management Department does not independently revise internal processes. Initially, I insisted not to make our division a department to improve operational efficiency, to optimize business processes. This is done in the group by profile directorates, responsible working groups and managers. We participate in the relevant events as methodologists, moderators and, of course, as risk management specialists. We find out what the reason for the realization of the risk was in the past, whether the factors that caused it remain today and where there are uncovered areas, and we try, together with our colleagues, to figure out how to prevent problems in the future. This is precisely the competence of our internal control function.

Today risk management in DTEK Group is a function fully integrated into key business processes. It employs 14 people. We have developed and approved at the level of the board and other authorized bodies a risk management policy, relevant methods and regulations in areas, report forms and plans. We review and agree on a list of risks, their assessment and an action plan to prevent and respond to risks before it is discussed by the risk committee and other relevant committees and authorized persons. All relevant final reports prepared by the group's enterprise managers for senior management go through our department.

Summing up the above, I can say that over the year and a half of its existence, the updated risk management system at DTEK has made the decision-making process more transparent and simpler for managers. I hope this has helped to improve their quality. Thanks in part to the effectiveness of our management decisions, we maintain a strong position in the fuel and energy market of Ukraine. I have no doubt about that.

Irina Andropova, Head of the Internal Control and Risk Management Department, DTEK

The psychological aspect of the study of risk opens up new possibilities for studying the reasons for the existence of bad habits, explaining some of the characteristics of human behavior.

The mechanism, the desire for risky actions are traits characteristic of a significant part of the youth, and often the introduction to alcohol, drugs or toxic substances is a kind of bravado, etc.

A successfully completed risky act usually evokes feelings of satisfaction from a certain danger. However, for one, such a danger can be the storming of a difficult peak in inclement weather, and for another, in the absence of sufficiently developed moral, psychological so-called "insurance mechanisms", - burglary, for the third - entrepreneurial activity carried out by him in order to obtain more benefits and, accordingly, accompanied by an increased degree of risk. In order to taste the pleasure, enjoy the joy of victory, the results of one's labor, a new and stronger danger is needed. So a person's propensity to take risks can increase, and risk becomes an end in itself for him.

This implies a natural requirement: the system of measures to influence people should take into account that their behavior is determined, along with many other circumstances, by motivated or unmotivated risk. Yu.V. Chufarovsky expresses the judgment that it is extremely difficult for a person with a weak will to resist the urge to imitate, especially if it is intensified by danger.

Russian civil law does not subdivide risk into reasonable or unreasonable (excessive, unacceptable), thereby allowing risk in any act and in any legal relationship that is governed by civil law. Moreover, civil law does not provide for liability for unreasonable (excessive, unacceptable) risk. There is not a single norm in civil law that would directly speak of civil liability for unjustified risk. Based on this, it is possible to assume that in civil law any risk is reasonable.

Criminal legislation takes a slightly different position, believing that the risk must be justified, otherwise criminal prosecution may ensue.

The general part of the criminal law has now expanded the number of circumstances precluding the criminality of an act. Particularly noteworthy is the provision that was first introduced into the Criminal Code of the Russian Federation (hereinafter - the Criminal Code of the Russian Federation), dedicated to reasonable risk. According to some estimates, at least 30-40% of the actions of the tax police, firefighters, rescuers, pilots, and vehicle drivers are carried out at risk. And the undeveloped mechanism of action of the corresponding norm creates a threat of unfair prosecution of them.

From the point of view of criminal law, negligence can manifest itself in criminal arrogance or negligence. Here, the actions of the culprit characterize the determination to commit the deed that he needs (and it is natural that other people's interests in this case are sacrificed out of frivolity, although quite deliberately). And it is not so much a matter of counting on overcoming circumstances, but of confidence in a successful outcome. And guilt is expressed not only in the mental attitude to the result, but, above all, to the unlawful action.

As for civil law, it usually does not apply the division of negligence into arrogance and negligence. Negligence here is characterized by the fact that the subject either does not admit or does not foresee the possibility of his behavior causing a harmful result, although he should and could have admitted or foreseen it.

Including the norms on justified risk in the Criminal Code, the legislator outlined a tendency to develop initiative and independence, scientific and technical, economic, professional courage, to make new, non-standard decisions in any area where this or that citizen works.

Reasonable risk, consisting in the legitimate creation of a possible danger to law-protected interests in order to achieve a socially useful result that could not be obtained by ordinary, non-risky means, is a circumstance that excludes the criminality of an act.

Any citizen has the right to take risks, regardless of the extreme situations in which he risks (when carrying out professional activities or when overcoming difficulties arising in the field of everyday life, leisure, business, etc.). With a legitimate risk, the goal cannot be achieved by ordinary, non-risky means, not related to risk actions. If such an opportunity existed, and the person did not take advantage of it, but chose to take risks and, as a result, caused harm to the interests protected, it is subject to liability on a general basis.

The risk should not translate into knowingly causing harm. The possibility of causing harmful consequences at risk is recognized by the riskier only as a side and only possible (and not inevitable) variant of his actions (inaction). Thus, the actions performed by professionals in conditions of legitimate risk must comply with modern scientific and technical knowledge and experience, etc.

However, it is necessary to start from the position of the so-called average person, who, in conditions of risk, often proceeds from objectively developed specific conditions and the possibilities at his disposal, relies on the experience and knowledge that he himself possesses. In this case, the person who took the risk must take, in his opinion, sufficient measures to prevent harm to law-protected interests (foresee the size of possible harmful consequences and, taking into account the available opportunities, correctly choose those measures that can, if not eliminate them, then at least minimize their size).

In such cases, when the person made a mistake and, despite the measures taken and contrary to his calculations, the harm that occurred turned out to be much larger than it could have been if other measures were taken that were not related to risk, the limits of the justified risk were exceeded and criminal liability could arise. Exceeding the limits of reasonable risk is considered by criminal law as a circumstance mitigating liability.

A person has the right to choose various options for his behavior, and if he chooses an option that is harmful to society and the state, responsibility, the application of sanctions, condemnation of this particular behavior as illegal behavior will follow.

There is another point of view in the literature, linking wrongfulness with an action that violates a legal obligation - to refrain from committing this action. So, V.P. Shakhmatov argues that since the duty cannot be assigned to incapacitated persons, their behavior should not be considered illegal. The first part of this point of view does not raise any objections if we take into account that there is no fundamental difference between understanding wrongfulness as a violation of a legal norm and as a violation of an obligation. However, one cannot agree that the legal norm applies only to capable persons. A legal norm is a general rule of conduct for everyone, but an incapacitated person is not capable by his actions to create rights for himself and acquire responsibilities. But this does not mean at all that the prohibition of certain behavior applies only to persons who have reached the age of 18. Based on various points of view, it can be concluded that actions that violate the norms of law are recognized as illegal.

In the Civil Code of the Russian Federation, the legislator avoided listing the cases that would exempt from liability. So, Art. 416 "Impossibility of performance of an obligation" indicates that "The obligation is terminated by the impossibility of performance if it is caused by a circumstance for which none of the parties is responsible." Part 1 of Art. 401 of the Civil Code of the Russian Federation "Grounds for liability for violation of an obligation" reads: "A person who has not fulfilled an obligation, or who has performed it improperly, is liable in the presence of guilt (intent or negligence)" and further: "the person is recognized innocent if, with such a degree of care and discretion, which was required of him by the nature of the obligation and the terms of the turnover, it took all measures for the proper performance of the obligation." Part 3 of the same article reads: "Unless otherwise provided by law or contract, a person who has not fulfilled or improperly fulfilled an obligation in the course of entrepreneurial activity is liable if he does not prove that proper performance was impossible due to force majeure, that is, extraordinary and unavoidable circumstances under the given conditions. Such circumstances do not include, in particular, a breach of obligations by the debtor's counterparties, the absence of the goods necessary for execution on the market, the absence of the necessary funds from the debtor."

Thus, the legislator transfers to the discretion of the parties or the court the possibility of determining a specific list of extraordinary and unavoidable circumstances that entailed non-fulfillment or improper fulfillment of obligations.

In the practice of civil circulation, the question of what obstacles to the execution of the contract the parties took into account when concluding it is usually decided directly or indirectly by the parties themselves. Of course, such an expression as "force majeure" appears to a greater extent in contracts. But in professionally drawn up contracts there are specific conditions that provide for the grounds and consequences of release from liability when certain circumstances occur. Such conditions are recognized as valid, although in their content they may differ from those provided by the law.

The general formula for exemption from liability can be illustrated by examples from practice, which points to such traditional events as natural disasters (earthquakes, floods, hurricanes, etc.), as well as circumstances especially characteristic of the sphere of international trade and consisting in an increasingly expanding government interference in this area, blockades, military actions, etc. Events such as a strike, an accident, etc. can become similar in consequences. However, it should be remembered that always the legal consequences of an event must be qualified in each specific case in terms of the applicable criteria. And therefore, it may turn out that the same circumstances in different situations will affect the responsibility for default in different ways.

Thus, on the basis of the above reasoning, the impossibility of performance can be defined as an objectively existing situation in which the parties (party) find themselves due to circumstances precluding the actual performance of actions in relation to the subject(s) of the obligation. The impossibility of performance can be divided primarily into culpable impossibility and innocent impossibility, as the legislator does. The culpable impossibility entails liability in the form of sanctions and damages. Conversely, an innocent impossibility terminates the obligation.

All of the above allows us to conclude that when the impossibility of performance arises both objectively by accident and subjectively by accident, we are faced with the issue of risk as a basis for responsibility.

Organization of events is difficult and sometimes unpredictable. At almost all events, situations arise when something goes wrong and gets out of control. There are many risks associated with organizing events, and we will talk about them in this article.

  1. Staff

People are always a source of risk. Even if you work with professionals, you shouldn't rule out the human factor. The presenter may get sick, the speakers at the event may not come, the waiters may not be able to cope with the work. You should always have the phone numbers of people who can quickly come and save the situation. Hosting, emergency services and food delivery numbers will never be redundant, and in some cases will help save the whole event from failure.

  2. Equipment may break

Please be aware that your camera may run out of battery, your computer or projector may stop working, or power may go out altogether. Such situations should always be foreseen. Carefully monitor the work of your contractors, check all equipment in advance, always have a few cables and extension cords in stock. You never know at what moment they may be needed, but in the event of force majeure, they will help you a lot.

Before the event itself, check with the site owners if there is a spare generator on it. If not, then you need to find out about the availability of people who can quickly fix the problem.

  3. Speakers at conferences

Check in advance whether invited speakers have public speaking experience; otherwise you may find yourself in a situation where the speech becomes a failure due to the speaker's lack of experience. In this case, rehearsals before the event will help: they prepare an inexperienced speaker for the stage and save you from unforeseen situations.

  4. Abrupt weather changes

There is always the possibility that at the most unexpected moment it will rain or a thunderstorm will start. And you must be ready for this. Think in advance about what you will do in this case and where the guests of the event will have to go. If the start of the event depends on the weather, then you need to think about how long the start can be postponed and how to keep occupied the people who have gathered for the beginning of the holiday.

  5. Guests may not behave as planned

In the event manager's plan, everything that should happen at the event is clearly spelled out: when the next speaker comes out at the conference or when the time comes for a “surprise” for the guests of the holiday. Sometimes guests may not pay attention to the request to go somewhere because they are too absorbed in conversation, or they may accidentally spoil a key decoration, and so on. Therefore, you need to remember that only you have this plan in front of you; the guests do not think about the timing or about how complex the event is.


Last week Minsk hosted an air sports festival "70 years of peaceful sky". The show turned out to be bright. But the organizers made several serious mistakes, which spoiled the impression for many spectators. This case was analyzed by our project management expert Maxim Yakubovich.



Having once failed to meet the expectations of a client who came to an event, the organizers, the next time they try to invite him to a similar event, are likely to hear something like: “Last year we waited an hour and never got any spectacle. We will not do this anymore.” It will be too expensive and difficult to regain customer interest.


For any event project, you can learn a lesson from this mistake and formulate the risk:

“The owners of the place where the event is planned to be held may refuse to let the organizers hold the event. This will lead to the need to quickly find and prepare a new place that meets certain requirements.”

I wrote earlier about what strategies for dealing with risks exist:

Let's run the risk through the 4 possible strategies:

1. Evasion of this risk is hardly possible.

2. Transfer of this risk would have been possible if it had been decided to hand the entire organization of the event over on a turnkey basis to an agency specializing in such events.

3. Reduction of the risk has several options:

To reduce the likelihood of the condition under which the risk materializes, you can conclude an agreement with the organizers, which from a financial point of view will be unprofitable for the owner of the place (for example, to prescribe a large fine).

It is possible to reduce the impact of the consequences. You must find a spare place for the event beforehand and agree on the possibility of holding the holiday there on the scheduled dates.

4. Active risk acceptance would consist in creating a reserve of money to prepare a spare place in a short time, and a plan for quickly preparing this place for the event in case the main place refuses to host it.

Of the four strategies for dealing with this risk, the most appropriate, in my opinion, are reduction and active acceptance.

Error 2

Quoting from the article: “We decided that only the first balloon launch would take place in Minsk-1. According to the organizers, it was supposed to happen at 18.00 on Friday, but that evening it started to rain in the capital”.

This slip-up surprised me a little. It is necessary to know that it often rains in Belarus in summer, and forecasts for a month have no more than 70% probability.


Let's formulate the risk:

"In case of rain at the start of the holiday, the start will have to be postponed."

Evasion: you can only evade this risk by hiring planes that will disperse the clouds. But it is obviously expensive and not every event organizer can afford it.

Transfer: there is, in fact, no one to transfer this risk to, unless we return to the idea of handing the entire event over on a turnkey basis to a specialized event agency.

Reduction: we cannot influence the probability of rain, but is it possible to reduce the consequences? Obviously, dissatisfaction with the postponement of the start of the event can be reduced by thinking in advance about how many hours the start can be delayed at all, how to occupy the people who have gathered before the start of the holiday, and how to organize their entry if a lot of people want to attend.

Acceptance: this, again, is the creation of a reserve of money for entertainment that must be launched in order to keep the audience occupied until the rain passes.

Interestingly, rain caused a third risk:

“When the rain ended, law enforcement officers began to let the assembled people into the airport. But by that time there were so many people wishing to admire the balloons that the police simply could not cope with their flow.”

The strategy for avoiding this risk is described in the article itself: organize a sufficient number of checkpoints. I would also use a mitigation strategy for this risk: inform viewers in advance (even in advertisements or articles) that checkpoints will be organized to enter the event and that they will have to wait a little in line. And so that standing in line is not boring, I would come up with some kind of entertainment or activity.

Error 3

Quoting from the article: "Because of the strong wind, they decided to postpone the start."

Let's formulate the risk: “Strong wind at the time of the planned start of the event will not allow balloons to be launched into the sky”.

It is impossible to evade this risk and there is no one to pass it on to, which means it is necessary to reduce its consequences. In the article, the organizers of the event themselves proposed a way to reduce the risk: to have a backup version of entertainment for spectators who came to the holiday. For example, to hire a presenter, to arrange some kind of contests on a topic related to the event, and a prize drawing - you need to make amends to those whose expectations were not met.


As you can see, the same thing appears in the risk mitigation activities for all three risks: the preparation of an entertainment program that must be launched in order to keep the audience occupied until the rain passes, the wind weakens, and while they stand in line. Of course, such a program needs to be carefully thought out, because if it does not rain, it will be short, and if it does, it will be long.

Error 4

Quote from the article: "One of the tasks was for the city to see the balloons, and if we launched them all from Borovaya, then with that wind they would fly towards Minsk-2. At about five in the evening, we decided to launch most of them from the airport, so that the balloons would fly over Minsk and land just in Borovaya. The flaw, says Anton, was that the audience was not immediately informed about it."

We formulate the risk as follows: “On the day of the holiday, the wind will change its direction and the balloons will fly to another side, not planned by the organizers”.

Again, the risk cannot be avoided and there is no one to pass it on to. We think about how we can reduce the consequences. For example: we have a spare site, we move the start there and, 2 hours before the start, inform all spectators that the start has been moved to another site.

Error 5

Quoting from the article: “Much in this sport also depends on the time of day. For example, few people know that it is forbidden to fly in a balloon over the city at night. Therefore, the audience was disappointed when at the show "Night glow of balloons" not a single balloon took off.”


We formulate the risk: “Viewers may not be aware that it is forbidden to fly in a balloon over the city at night and they will not understand why the balloons do not take off at night.”

For other event projects, this risk can be generalized:

"Viewers are not always aware of the technical limitations for some acts of the show and will not understand why those acts were missing at some events."

Obviously, for this risk, the consequences can be reduced by stating in advertising articles about the event that balloons will fly only during the day, so spectators should hurry to see them at that time, and that at night there will be other acts and shows.

I hope this case will spur the organizers of such major events to take project risk management more seriously.

I wish you success in your event projects!

Project management expert, consultant and business coach of the Here and Now Consulting Group.

Over 10 years of experience in project management.
20 completed projects as Project Manager and Project Program Manager.
Teaching experience - 10 years. About 2,200 students trained in his seminars.

Lecturer at the Project Management module at the Russian School of Management.
Visiting Lecturer in Project Management at the British Higher School of Art and Design.

YOU WILL LEARN:

  • why you need to manage risks;
  • what five steps are needed to manage risk;
  • how to learn to manage risks.

Risk management is needed when we have to make complex decisions: at the stages of product development, when studying the feasibility of making changes, investigating deviations, organizing a workspace, or deciding whether the production of different drugs can be combined, and so on - in fact, wherever there is a problem of choosing from several options and there are no clear, unambiguous requirements. Risk management technology is necessary in a situation of uncertainty.

In no case should risk management be opposed to current regulatory requirements. A risk assessment cannot be used to justify treating legislative norms as non-binding. The risk management process is the source of requirements. History knows many examples when dangerous situations could have been avoided if they had been managed better. There are also many developments in pharmaceutical practice from which lessons have been learned.

This is how GMP 1 rules came into being. These rules are just a program to minimize the known risks associated with drug manufacturing. Preventing cross-contamination, confusion or substitution, hygiene and self-employment, choosing a quality control strategy and maintaining a quality system are just a few of the classic examples of risk management.

Many managers believe that they can see the full picture of their processes even without additional technologies and intuitively feel the risks to the quality of their products. Indeed, professional, talented managers have tremendous intuition. Only it is hardly congenital. It can be developed using a risk management methodology. After all, intuition is a subconscious analysis of various options for the development of certain events, including dangerous ones. It is the answer to three key questions: what can happen; if this happens, what will be the consequences; and because of what can this happen? Good intuition is a “spontaneous” assessment of risks by an individual person. The conscious application of the risk management process, by contrast, is an objective corporate culture that depends only weakly on subjective factors. Moreover, it is a replicable and easily distributed technology.

Identifying and assessing quality risks does not work by itself. The result of risk management is the selection and implementation of a strategy for controlling significant risks. The task is not to endlessly play different scenarios, not to avoid responsibility, but to make correct, balanced, sometimes even risky, but consciously risky decisions.

Risks to product quality are risks to the consumer. The manufacturer of a medicinal product, the holder of the marketing authorization and government agencies regulating the circulation of medicinal products are responsible to the patient for the efficacy and safety of products placed on the market.

Security is based on modern approaches to risk management. Risk management is the line of defense. It turns out that the only way to ensure patient safety is to implement an effective quality risk management system. This is an element of our responsibility to society. The patient needs guarantees of the effectiveness and safety of the products he takes.

Security does not mean there is no danger. A safe state is when we know what, from our point of view, dangerous events can occur and what impact they will have on the quality of our work and products and, as a result, on our consumer. Safety should be ensured without resorting to prohibitions, but by developing effective procedures. Even if we do not have the opportunity to prevent the occurrence of a dangerous situation, we, at least, will be able to prepare for it, we will think over measures to prevent and overcome the consequences in advance, we will warn everyone about the presence of a serious danger, for example, by describing it in the instructions.

Hazard is measured by risks, which vary in importance. In order to understand what risks require our special attention, we need to adequately assess them. If you do not study the nature of possible risks and hide behind the slogan: "NO risk is acceptable!" - we will not be able to understand why this or that risk can be realized, and, accordingly, we are unlikely to be able to reduce the likelihood of its occurrence. It remains only to say: "Sorry, it happened!" Risks need to be managed systematically and professionally. This is an integral and necessary competence of any manager of any level in any enterprise.

Sometimes you can hear the opinion that risk management is just a catchy name and incredibly harmful technology, applicable only to armchair people. It's not like that at all. The personnel of any department can be conditionally divided into two categories: managers and performers.

Performers carry out work based on the established requirements. Managers, however, establish requirements for the performance of such work, taking into account legislative norms, prescribe algorithms and create conditions, and then control the quality of the performance. In most cases, the performer does not need a risk assessment. Leaders need it. It is needed when they are forced to make important and difficult decisions in conditions of uncertainty. For example, there are no legal requirements, or these requirements are stated without specific algorithms for their implementation, or there are several implementation options but no certainty about which option to choose. Leaders are responsible for the results not only of their own work, but also of the work of the performer. And the higher the uncertainty, the greater the responsibility for the consequences of the implementation of the decision. From how a manager manages risks, one can judge his professionalism. If a leader skillfully applies this methodology, he comes across as an insightful person with clear logic and remarkable intuition.

These are the qualities that risk management technology develops. In addition, such a leader understands that the executor's mistake is often caused by the negligence of his leader, which manifests itself in the fact that he did not fully assess all possible threats. And those who believe that all risks are equally dangerous or unacceptable, that is, impossible, are simply not able to make decisions.

As a result, they do it at random, using their favorite "poke" method, or shift the responsibility for the decision onto another, for example, the same performer. It's easier. The practice of doing only what is required and only as understood is inherently flawed. You must admit that we often find ourselves in situations where it is difficult and sometimes scary to make a decision and there is a feeling of uncertainty and unpredictability as to how it will affect the quality of the product, and hence the safety of the patient. And then it may seem that risks are something that does not depend on us. Or, conversely, we become presumptuous, believing that we have completely eliminated risk.

However, in reality this is not the case. Any deviation, failure in the operation of the engineering system or equipment, a claim received or a signal of a side effect of the drug is a realized risk. Of course, you can simply not register deviations and emerging problems, thereby confirming the reliability of your processes. This is a bluff! There are risks and will always be. The main thing is to see the threats in time and calculate the "unforeseen circumstances" in which these threats can be realized, to understand what we can do to prevent this from happening and how to act if it does happen. To do everything that depends on us and to be prepared for any development of events.

Is it worth spending a lot of effort where you can get by with little money? If your decision is based on a regulatory requirement and you are confident in it - no, you should not. No risk assessment is needed here. However, if you are in a difficult situation, you need to understand the possible threats and their consequences, calculate in advance how to act in this or that course of events, and be prepared for anything.

Risk management improves predictability and certainty, which gives us a sense of confidence. Of course, this is an approach that provides sufficient consumer protection, which, in turn, does not interfere with profit and does not slow down the development of the enterprise.

The basic principles of quality risk management in the pharmaceutical industry are set out in the ICH Q9 guidelines, the text of which has been included in the European GMP framework since 2008: first in Annex 20 and then in part 3 of GMP. The need for risk management is documented in various guidelines issued by regulatory agencies, professional communities (e.g. ISPE, PDA, IEST) and healthcare organizations around the world. This methodology is based on knowledge and experience accumulated in different countries. However, in Russia there are still disputes about how correct this methodology is. Its erroneous perception has already led to the exclusion of the text of ICH Q9 from GOST R 52249-2009 with a “criminal” wording: “This text is stated vaguely and is not suitable for practical application”. Why is it not suitable? The Risk Management Process Model presented in ICH Q9 (Figure 1) is simple and, most importantly, implementation-oriented (Figure 2).

Figure 1. Traditional quality risk management process (in accordance with ICH Q10 guidelines) of the model presented in ICH Q9

Of course, in risk management, as in any technology, there are enough nuances and details. In order to use this technology correctly, it is necessary to create internal standards and procedures, to train the leaders and experts involved, and to exercise constant supervision over the quality of the assessment.

Attempts to exclude risk management technology from the effective decision-making process are absurd. It is unacceptable to simply remove the risk management process from the standards just because the author of the national standard does not understand its methodology. You cannot go to extremes and blame the technology of risk management for redundancy, incorrectness or subjectivity.

The decision of any person is subjective in nature. You need to fight not with subjectivity, but with carelessness when making decisions. Risk assessment should not be based on guesswork, but on modern scientific achievements, known facts, while taking into account the experimental base, etc. All gaps in knowledge and data should also be attributed to a separate risk category, the so-called missing information.

Likewise, risk management methodology cannot be elevated to the status of a “regulatory requirement”. Decision-making techniques, by definition, cannot be so. This is the same as forcing everyone to think and act according to the same template, which is simply unacceptable and, moreover, dangerous! Risk management is not aimed at circumventing regulatory requirements and is not a direct regulatory requirement (see section 1 part 1 of GMP). The GMP rules declare the need for risk management only in order to emphasize its paramount importance and its relationship with the quality system and the rules of proper production and quality control of medicines.

Scheme 2. Algorithm for risk management for quality. Based on ICH Q9 model

GMP regulations require a risk assessment when there is uncertainty. Analysis of the European version of GMP confirms that the need for risk assessment is prescribed only in the following situations:

  • if during the investigation of the deviation it is impossible to establish the true cause of its occurrence (part 1, paragraph 1.4 (XIV)). Then it is necessary to select the most probable cause using deductive or inductive risk management methods;
  • at the stage of making a decision on the possibility of combining the production of different drugs at a single production facility (part 1, clause 5.9);
  • to create a program to prevent cross-contamination (part 1, clauses 5.18, 5.19);
  • when organizing packaging processes (part 1, clause 5.44);
  • when making decisions on the possibility of processing or re-processing substandard products (part 1, clauses 5.62, 5.63);
  • when deciding on the possibility of resuming the turnover of all or part of the returned products (part 1, clause 5.65);
  • when justifying the scope of validation work (Appendix 15).

In other words, when there is a need to make difficult decisions. And, mind you, solutions that do not conflict with regulatory requirements.

Both the successful functioning and the survival of the enterprise depend on the effectiveness of the managerial decisions taken by the manager. It is also necessary to take into account the fact that, in addition to the obvious advantages, the risk management process has serious disadvantages (Table 1).

Table 1

Advantages and Disadvantages of a Quality Risk Management Process

The statement of the task is also incorrect in its essence - to exclude only the risks that are indicated in the regulatory documents. I repeat: regulatory documents are a kind of average perception of known risks. Each production has its own specifics, and regulatory requirements do not take it into account.

You also do not need to strive for total control. It is important for us to be able to identify the most dangerous risks and develop adequate and timely measures to manage them. Even a not very large-scale assessment can reveal dozens, even hundreds of different risks. This can be confusing for any specialist, since it is not clear what to do with them and what to tackle in the first place. Of course, it would be nice to eliminate all the risks, but most often it is impossible to do this. Our resources, like money, are always limited, so we have to choose priorities.

It is intuitively clear that some risks require priority solutions, and some are generally not interesting to us. To determine priority actions, it is just necessary to establish the elements of risk - the level of its impact and the likelihood of implementation. If a hazard is realized, it can have a different effect, which largely determines the severity of the risk, just as an assessment of the likelihood of a particular negative event can tell us a lot and predetermine our perception of security.

By definition, risk is a combination of the probability of a particular hazard and the severity of the harm it causes. There is no methodological error here. Indeed, values that are different in meaning are multiplied and a conclusion is drawn from the result. When using two criteria for assessing risk, we are not talking about its averaging.

The probability is taken into account in order to cut off incredible, unreal events. Another question is that we still prioritize based on the level of their impact.

The methodological error lies in the fact that some domestic critics do not take into account the main axiom of risk management: the severity of harm has a higher priority over probability.

Therefore, if we take, for example, the well-worn example of an airplane, an incorrect gradation of risk when using a quantitative assessment can be considered an error. Consider two events using a five-point scale (1 to 5).

First. A non-hazardous event - late arrival of the aircraft (severity of harm equal to 1), but often repeated (probability equal to 5).

Second. A dangerous event - a plane crash (severity of harm equal to 5), but extremely rare (probability equal to 1).

Indeed, multiplying the weight coefficients gives the same figure 5, but it does not equalize their significance.

The first event is an insignificant risk, but the second event can be ranked as a significant risk (due to the fact that the severity of harm coefficient exceeds a certain predetermined threshold, for example, 2), which means it will require our close attention and the development of a program for controlling such risk, ensuring constant monitoring of its effectiveness. The risk control program can be different - from one action to a separate comprehensive plan.

Embedding the risk management process into the daily life of the enterprise does not require investment and does not imply the introduction of any complex systems and models. It is enough to take just five steps.

The first step is to learn to see and clearly identify hazards (threats). We often do this empirically, dare I say, unconsciously. This is not enough. To fully identify risks means taking into account all their parameters.

The second step is to learn how to create risk profiles, that is, to systematically determine all the risks inherent in the object of our assessment (draw up a risk assessment protocol). This is important, because managing risks “on the spot” is useful, but not enough.

The task of the third step is to learn how to determine which risks should be dealt with first. To do this, you need to be able to analyze risks and prioritize them.

For successful implementation of the fourth step, it is necessary to select and implement strategies for managing significant risks. It is important here to understand what specific actions we need to take in order to gain more and / or lose less.

And finally, the fifth step is to learn how to create an optimal "safety cushion", that is, to develop an action plan in case one or another risk is realized. The goal of this step is to prepare for any development of events and always have a plan "B".

These are basic steps that apply in any situation, in any business, and at any level of the enterprise hierarchy. The model shown in ICH Q9 is used in most countries around the world. A similar model is presented in the basic ISO 31000 standard. Today, there is a serious methodological base for the implementation of the risk management process in the practice of pharmaceutical companies, which has been actively developing since the 60s of the last century.

More than 100 risk assessment methods are known. The ICH Q9 guidelines list only six of the most common tools (Table 2), ISO 31000 describes 31 methods, and there are even more in practice. However, this does not mean that all of them should be used. You need to select for yourself those risk assessment tools that you can work with and which you will trust. The main thing is that they are clear to you.

Table 2

Summary of ICH Q9 Risk Assessment Methods

Columns: Risk Assessment Tool; Specialization; Detail of the assessment; Complexity; Disadvantages

  • PHA - Preliminary Hazard Analysis. Disadvantages: You need to be able to predict threats. Prevents relationships between different threats.
  • HAZOP - Hazard and Operability Analysis. Disadvantages: Requires a lot of information about the subject of assessment. Evaluates threats by components / elements without linking to other components / elements.
  • HACCP - Hazard Analysis and Critical Control Points. Various. Disadvantages: Not suitable for assessing the relationship between failures and their causes. Does not allow assessing the risks associated with objects / systems.
  • FMEA - Failure Modes and Effects Analysis. Disadvantages: Not very useful for retrospective risk assessment. Does not establish a relationship between failures / threats and their causes.
  • FTA - Fault Tree Analysis. Disadvantages: May be monotonous and lengthy.
  • RRF - Risk Ranking and Filtering. Disadvantages: Not suitable for retrospective risk assessment. Of little use with a small number of identified threats.

Thus, learning to manage risk professionally requires practice and experience. Naturally, this takes effort and time. First to a greater extent, then to a lesser extent. The main thing is to start gradually introducing risk management technology into your work. To do this, you do not need to allocate any special day, wait for some event or mood. By managing risks, we ensure the quality of our work and, conversely, by ensuring quality, we manage risks. The result of risk management is a guarantee of the quality of your products, compliance with regulatory requirements, a stable profit, and therefore a guarantee of our stability. Modern life insists on this!

Translated from English by VIALEK group of companies

1 GMP (Good Manufacturing Practice) - good manufacturing practice (standard for a production management system). - Editor's note.

 
