Achieving Unified Risk Management Through A Formal Acceptable Risk Policy

3/27/2026

Tags: Asset Performance Management Data Analysis Data Management Data Validation HSE Human Factors Mechanical Integrity Process Safety Management Regulation Risk Risk Analysis Risk Management System Implementation Value Work Process


This document outlines a unified approach to risk management through a formal acceptable risk policy. It defines risk tolerance, assigns decision authority by risk level, and requires escalating approvals for higher-risk decisions. The framework improves consistency, transparency, auditability, and resource prioritization across operations, engineering, and safety functions.

Last week’s blog, “Unified Risk Framework Across MI, RCM, PHA, and SIL/SIS,” proposed managing all risks for all asset types within a single framework and previewed this week’s topic. When acceptable risk is undefined or left to one person’s discretion, organizations unintentionally create inconsistency, bias, and unmanaged exposure. That also weakens defensibility during audits or post-incident reviews.

An Acceptable Risk Policy is the foundation of a risk governance model, not merely a policy statement. Allowing acceptable risk thresholds to be set through the undocumented, individual discretion of, say, a plant manager neither optimizes resource allocation nor promotes consistent decision-making.

An effective organization establishes a formal acceptable risk policy that:

  • Defines risk tolerance thresholds,
  • Assigns decision authority by risk category,
  • Requires escalating levels of review and approval as risk increases.

High-risk decisions should require multi-disciplinary, documented approval to ensure alignment among operations, engineering, safety, and leadership. The policy can be a standalone document or incorporated into the Management of Change (MOC) process. This approach enhances consistency, transparency, and defensibility, while also helping to prioritize limited resources. A recommended conceptual framework for implementing it follows.

Practical Implementation Framework

Unified Risk Management assesses the risk of operating assets through a prioritization process that considers two factors: the likelihood and the consequence of failure. The first step is to set the comparison criteria, which can be in the form of a risk matrix or an isometric risk plot.

1) Define Risk Categories (Standardized)

AOC recommends using a consistent risk matrix, such as Consequence of Failure (COF) combined with Likelihood of Failure (LOF/POF), as illustrated below. Each asset or component will be assigned coordinates on this matrix, which correspond to Risk Priorities (ranging from 1 to 25). Each priority represents a unique combination of COF and LOF established during the risk assessment.

Example Risk Matrix

  • Low Risk (Green) – Acceptable within routine operations
  • Medium Risk (Yellow) – Requires review and mitigation
  • Medium High Risk (Purple) – Requires formal approval and documented justification
  • High Risk (Red) – Requires executive-level approval or is intolerable

Each level in every matrix is calibrated to order-of-magnitude steps. This approach has proven to be relatively easy to implement while still offering sufficient discrimination between the asset types being evaluated.

2) Assign Decision Authority and Responsibility by Risk Level

The risk analysis used to develop mitigation plans must be approved by the individuals listed in the table below, and every risk classified as a non-conformance must likewise be accepted at the level the table specifies.

Risk Level   | Decision Authority         | Required Sign-Off
-------------|----------------------------|----------------------------------------------------------------------------------------
Low          | Supervisor / Planner       | Single approval (Maintenance / Reliability or Operations)
Medium       | Area Manager / Engineer    | Operations + Engineering + Maintenance / Reliability
Medium High  | Plant Manager / SME Panel  | Operations + Engineering + Health Safety Environmental (HSE) + Maintenance / Reliability
High         | Business Unit / Executive  | Senior leadership + risk acceptance justification

3) Define “Who Must Be in the Room”

Higher-risk decisions require cross-functional input, typically from:

  • Operations → Practical impact
  • Engineering → Technical integrity
  • HSE / Risk → Compliance & hazard evaluation
  • Maintenance / Reliability → Failure implications
  • Management → Business risk acceptance

4) Document Risk Acceptance Criteria

Every risk acceptance above a defined threshold should include:

  • Basis for risk ranking
  • Safeguards and controls in place
  • Compensatory measures (temporary or permanent)
  • Time-bound validity (no indefinite acceptance)
  • Named accountable owner

5) Escalation Triggers (Critical)

Non-negotiable escalation conditions must be defined and documented, such as:

  • Degraded safety barriers
  • Operation outside design envelope
  • Temporary repairs exceeding the specified duration
  • Repeated deferrals of corrective action
  • Regulatory or code non-compliance

6) Tie to Existing Systems

This policy should integrate directly with:

  • MOC (Management of Change)
  • MI / RBI programs
  • PHA / LOPA risk rankings
  • Work Deferral and Backlog Management
  • SIL / SIS impairment processes

7) Auditability & Governance

To make this real (not just policy on paper):

  • Require documented approvals (digital workflow preferred)
  • Track risk acceptance duration and renewals
  • The following must be periodically reviewed:
    • “What risks are we carrying?”
    • “Who accepted them?”
    • “Are they still valid?”
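As an added illustration (not the post’s or AOC’s own code), the Python model below encodes steps 1 through 7 end to end: it maps a matrix cell to a colour band, applies the sign-off table and the escalation triggers, and audits a recorded acceptance for the named owner, time-bound validity and justification requirements. The 1-to-5 COF/LOF scales, the band cut-offs and the rule that a trigger escalates to at least Medium High are assumptions; the authority table and trigger list are taken from the post.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed: COF and LOF on 1..5 scales in order-of-magnitude steps; band cut-offs are assumed too.
def risk_band(cof: int, lof: int) -> str:
    """Map one matrix cell to its colour band."""
    if not (1 <= cof <= 5 and 1 <= lof <= 5):
        raise ValueError("COF and LOF must be 1..5")
    s = cof + lof
    if s >= 9 or (cof == 5 and lof >= 3):
        return "High"
    return "Medium High" if s >= 7 else "Medium" if s >= 5 else "Low"
# Decision authority per band as tabulated in the post:
# (authority, signing functions, whether one signature from the set suffices)
AUTHORITY = {
    "Low": ("Supervisor / Planner", {"Operations", "Maintenance / Reliability"}, True),
    "Medium": ("Area Manager / Engineer", {"Operations", "Engineering", "Maintenance / Reliability"}, False),
    "Medium High": ("Plant Manager / SME Panel",
                    {"Operations", "Engineering", "HSE", "Maintenance / Reliability"}, False),
    "High": ("Business Unit / Executive", {"Senior leadership"}, False),
}
# Non-negotiable escalation conditions listed in the post.
TRIGGERS = {"degraded safety barrier", "outside design envelope", "temporary repair overdue",
            "repeated deferral", "regulatory non-compliance"}
def required_level(cof: int, lof: int, triggers=()) -> str:
    """Matrix band, raised to at least Medium High (assumed target) when a trigger applies."""
    if set(triggers) - TRIGGERS:
        raise ValueError(f"undefined trigger(s): {sorted(set(triggers) - TRIGGERS)}")
    band = risk_band(cof, lof)
    return "Medium High" if triggers and band in ("Low", "Medium") else band
@dataclass
class Acceptance:
    cof: int; lof: int; owner: str
    approvals: set = field(default_factory=set)
    triggers: tuple = ()
    expires: "date | None" = None   # None = indefinite, which the policy forbids
    justification: str = ""

def audit(rec: Acceptance, today: date) -> list:
    """Findings that make an acceptance invalid under the policy (empty list = valid)."""
    level = required_level(rec.cof, rec.lof, rec.triggers)
    authority, needed, any_one = AUTHORITY[level]
    ok = bool(rec.approvals & needed) if any_one else needed <= rec.approvals
    findings = [] if ok else [f"{level}: {authority} sign-off incomplete, needs {sorted(needed)}"]
    if not rec.owner: findings.append("no named accountable owner")
    if rec.expires is None: findings.append("indefinite acceptance is not allowed")
    elif rec.expires < today: findings.append(f"expired {rec.expires}; renewal required")
    if level == "High" and not rec.justification: findings.append("High risk needs a documented justification")
    return findings
```

Running audit over every open acceptance on a fixed review date answers the three periodic review questions above directly: the register lists what is carried, each record names who accepted it, and a non-empty findings list marks one that is no longer valid.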

Key Insight (What Most Companies Miss)

The goal isn’t to eliminate risk; it’s to establish a standard way of accepting risk.

Without this:

  • Two similar risks get treated differently
  • Decisions drift toward production pressure
  • Organizations unknowingly accumulate systemic risk debt

With this:

  • Risk acceptance becomes intentional, visible, and managed
  • Resources get deployed where they matter most
  • Leadership is responsible for risk, not just operations

