ANCOLD 2006 Conference Page 1 of 19
FROM PORTFOLIO RISK ASSESSMENT TO PORTFOLIO RISK MANAGEMENT
David S. Bowles*
ABSTRACT
Portfolio Risk Management is a risk-informed approach for improved management of dam safety for a portfolio of dams in the context of the owner’s business. It can be used to identify ways to strengthen technical and organisational aspects of a dam safety program, and to provide valuable inputs to various business processes. Portfolio Risk Assessment is a decision-support tool, which is incorporated in Portfolio Risk Management. It can combine engineering standards and risk assessment approaches to provide a systematic means for identifying, estimating and evaluating dam safety risks, including comparisons with other industries. It should be periodically updated to provide a basis for managing prioritised queues of investigations and risk-reduction measures to achieve more rapid and cost-effective reduction of both knowledge uncertainty and risk.
Portfolio Risk Assessment is a standard of practice in Australia and is being applied by the US Army Corps of Engineers and others. When properly conducted and used within its limitations, the Portfolio Risk Assessment process is generally considered to be robust, adaptive, defensible for corporate governance, and to justify its cost through such benefits as increased dam safety funding, identification of failure modes that were not previously recognised, identification of opportunities for improved risk management, and more rapid “knowledge uncertainty” and risk reduction.
1 INTRODUCTION
Need for Portfolio Risk Management
Portfolio Risk Management (PRM) is a risk-informed approach for improved management of dam safety for a portfolio of dams in the context of the owner’s business¹. As such, it is not an additional activity to be added to an existing dam safety management program, but rather it is an improved approach to the owner’s entire dam safety management program². Portfolio Risk Assessment (PFRA³) is a decision-support tool for assisting owners with PRM. In the USSD Emerging Issues White Paper on Risk Assessment (USSD 2003), PFRA was judged to be
“a valuable and increasingly accepted approach for cost-effectively prioritizing dam safety remedial measures and further investigations for a group of dams. It provides insights that can better inform owners about the business and liability implications of dam ownership. PRA (PFRA) outcomes must be used with regard for the limitations of the approach and should be periodically updated.”
*Professor of Civil and Environmental Engineering and Director, Institute for Dam Safety Risk Management, Utah State University, Logan, Utah 84322-8200; and Principal, RAC Engineers & Economists; B.Sc. (Hons), Ph.D., P.E., P.H., F.ASCE; Phone 435.797.4010; Fax 435.797.3663; Email David.Bowles@usu.edu.
1 The term “business” is used in this paper to apply to both private and government dam owners.
2 For a regulator’s perspective on PFRA and PRM see Watson (1998).
3 The acronym “PFRA” is generally used in this paper for “portfolio risk assessment”. This is consistent with a convention proposed in ICOLD [2005] and ANCOLD [2003] to avoid confusion with the acronym “PRA”, which is used for “probabilistic risk assessment” or “probabilistic risk analysis”; although the use of the words “probabilistic” and “risk” in these terms is arguably redundant. In addition, it is noted that these terms are less commonly used now than in the past and perhaps for this reason the acronym “PFRA” has not been widely adopted outside Australia. Quotations in this paper from sources that used “PRA” for “portfolio risk assessment” have not been changed to be faithful to these sources.
While the technical evaluation of dam safety must be approached on a dam-by-dam basis, many organisations have responsibility for a group of dams. The likelihood that an owner of many dams will experience a dam failure is determined by the number of dams and their probabilities of failure, with the organisation’s least-safe dams dominating the result. The owners of groups of dams face all the challenges of individual dam ownership, but they also face the additional challenges of managing dam safety risks⁴ across their portfolio.
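The dependence on the number of dams and on the least-safe dams can be made explicit with a short calculation. It is added here as an illustration and is not taken from the paper; it assumes that the dams fail independently of one another, and the symbols N, p_i and P_portfolio and the numerical values are constructed for the example. For N dams with probabilities of failure p_1, ..., p_N over the same period, the probability that the owner experiences at least one failure is

$$
P_{\text{portfolio}} = 1 - \prod_{i=1}^{N} (1 - p_i) \;\approx\; \sum_{i=1}^{N} p_i \qquad \text{for small } p_i .
$$

For a constructed portfolio of ten dams, nine with p_i = 10^{-5} and one with p_i = 10^{-3}:

$$
P_{\text{portfolio}} = 1 - (1 - 10^{-5})^{9}\,(1 - 10^{-3}) \approx 1.09 \times 10^{-3},
\qquad
\frac{10^{-3}}{1.09 \times 10^{-3}} \approx 0.92 .
$$

The single least-safe dam accounts for about 92% of the portfolio probability, and adding further dams at the 10^{-5} level changes the total only slightly.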
A risk-informed approach combines insights from traditional⁵ engineering standards⁶ and risk assessment (RA) approaches. The traditional approach is familiar to dam safety professionals, but it cannot relate dam safety levels to public safety levels in other fields, and its outcomes can be difficult for lay decision makers to understand, which can hinder the justification of dam safety funding. RA helps to compensate for these weaknesses in the traditional approach, although it is relatively new in dam safety practice. Both the traditional and risk assessment approaches have limitations in characterising the safety or risk associated with dams; and it is important that these limitations be properly communicated and considered at all times.
4 The use of the term “risk” in this paper is consistent with the ICOLD (2005) definition: “Measure of the probability and severity of an adverse effect to life, health, property, or the environment. In the general case, risk is estimated by the combined impact of all triplets of scenario, probability of occurrence and the associated consequence. In the special case, average risk is estimated by the mathematical expectation of the consequences of an adverse event occurring (that is, the product of the probability of occurrence and the consequence, combined over all scenarios).”
5 The use of the term “traditional approach” in this paper is consistent with the USSD (2003) definition: “The commonly-practiced approach to dam safety, which focuses on safety factors and standards of performance while not including the explicit computation of risk. The assessment of risk in these approaches tends to focus on the degree of conservatism used in selecting parameters for the analyses” and the ICOLD (2005) definition of the “standards-based approach” as “The traditional approach to dams engineering, in which risks are controlled by following established rules as to design events and loads, structural capacity, safety coefficients and defensive design measures.”
6 The term “engineering standards” is used in this paper to include aspects of current good practice that are normally required under the traditional approach, but which are not codified as standards per se.
While the traditional engineering standards approach, which is followed by most US regulators, for example, in a relatively prescriptive manner, is designed to protect public safety, dam owners have to address additional considerations that can determine their overall effectiveness in achieving dam safety, especially for portfolios of dams.
These considerations vary between owners, but include the following needs:
· An auditable, logical and defensible approach for relating low-probability high-consequence dam safety risks to corporate governance;
· Optimising the priority and urgency⁷ of risk reduction programs;
· Justifying dam safety capital and operating expenditures;
· Meeting duty of care obligations;
· Meeting contractual obligations;
· Maintaining a license to operate; and
· Protecting the business from the liability associated with a dam failure or a dam safety incident, which might be widely publicised.
7 “ANCOLD (2003) has made a distinction between priority (the order in which things should be done) and urgency (how soon things should be done). The word priority strictly refers to a rank order, coming from ancient Latin pri meaning before. But the word is being corrupted in contemporary English usage to embrace a concept of urgency. However, the ANCOLD distinction avoids confusion by having two (correct) words for the two concepts.” The two concepts are related in that more urgent risk-reduction measures should always be given higher priority. In that sense, priority is expressed on an ordinal scale and urgency on a cardinal scale; and thus, in principle, the order of addressing risk-reduction measures should be the same on both scales. In practice it is often harder to decide on urgency than on priority of risk-reduction measures. To address the programmatic obstacles to implementing urgent risk-reduction measures, the author is working with the US Army Corps of Engineers to develop a classification procedure, which first divides their dams into “Dam Safety Action Classes” according to urgency, with dams in active failure in the most urgent class. Dams in the most urgent classes are given the highest organisational and programmatic commitment to urgency of addressing their dam safety issues and deficiencies, and prioritisation takes place within each class.
For owners to effectively relate these considerations to dam safety management requires more than just meeting traditional engineering standards or regulatory requirements; and this has been a major driver for the development of PFRA and PRM.
This paper is divided into three major parts. The first part provides some background on “deficiencies” vs. “dam safety issues”, the traditional and risk assessment approaches, and dam safety management programs. The second and third parts describe PRM and PFRA, respectively. The paper closes with a summary and some conclusions about the benefits, limitations, and keys to successful implementation of PFRA and PRM.
2 BACKGROUND TOPICS
Deficiencies vs. Dam Safety Issues
The dam safety profession has used the term “deficiency” or “(spillway) inadequacy” to describe the situation in which an existing dam does not meet an engineering standard. However, in some cases, these terms may pre-judge the outcome of a safety decision before the justification for risk-reduction has been evaluated. Such decisions are traditionally based primarily on engineering standards, but under a risk-informed approach they could be based on engineering standards, tolerability of risk considerations, or a combination of both.
As an alternative, the term “dam safety issue” was proposed by Achterberg (1995) because it does not imply that a risk reduction is justified before an evaluation has been conducted and a decision has been made. This distinction is especially important for communicating dam safety risks to the public; and because under a risk-informed approach, the organisational location at which safety is ultimately decided shifts from a technical level to a senior management or executive level with technical input as one of several inputs to those decisions.
In some cases a potential dam safety issue may be identified at a particular dam and then investigations⁸ may demonstrate that it cannot lead to a plausible failure mode. In such a case, it is even more undesirable to use the term “deficiency” prematurely. It is therefore recommended that the term “deficiency” should be reserved for the situation in which an adequate justification to proceed with a risk-reduction has been demonstrated, and that the term “dam safety issue” should be used in all other cases. Thus, a dam safety issue is a potential deficiency, which if it is realised, could result in failure of the dam.
Traditional and Risk Assessment Approaches
Traditionally, dam safety has been viewed as mainly a technical matter, which has been judged and regulated using engineering standards. These standards have tended to evolve somewhat independently in sub-disciplinary areas, rather than through a comprehensive and integrated consideration of the overall safety of reservoir projects. This evolution has generally taken place in isolation from other engineering fields and industries in which public safety for low probability – high consequences risks are managed and regulated.
As a result, the levels of risk or safety associated with dam safety standards vary significantly across different failure modes, and they can differ significantly from other areas in which public safety is managed and regulated. In addition, it is only recently that systematic procedures for identifying potential failure modes have been introduced to the dam safety field (e.g. FERC 2005), with the result that some previously-overlooked failure modes are now being identified. Without the benefit of RA, some relatively high probability failure modes have received less attention than their contribution to overall dam safety risk would justify, and in some cases they have been ignored altogether. At the same time, significant investments have been made to reduce the risks associated with some low probability or low consequences failure modes; thus achieving a slower rate of risk reduction than could have been accomplished with the same funding. In addition, the commonly adopted safety management processes of other industries have not yet been introduced to most dam-owning organisations.
8 The term “investigations” is used broadly in this paper to include fieldwork, materials testing and engineering analyses to provide inputs to the technical evaluation of dam safety issues.
Some are concerned about using quantitative RA in dam safety for reasons such as limitations in approaches to estimating probabilities of failure. However, it is important to recognise that the traditional approach also has significant limitations in the way that it indirectly characterises dam-failure risks and the manner in which uncertainties are addressed. Other industries, such as the nuclear industry (Jackson 1997), face similar concerns about quantitative RA, and as a result they have adopted a “risk-informed” approach to their use by combining traditional and RA approaches. When PFRA and PRM are adopted, it is still an option to retain engineering standards definitions of the ultimate safety targets; although the use of RA in PRM will sometimes expose a poor justification for these targets, and in other cases it will show justification for more stringent risk reduction measures than would normally be considered using the traditional approach alone.
Dam Safety Management Programs
There are both physical and management aspects to a dam safety management program. These have been categorised by Hartford (2004) as follows: 1) dam, 2) physical monitoring systems, and 3) management systems. In this paper, dam safety management is considered to comprise two programs with the following purposes:
1) Recurrent Dam Safety Management Program (“Recurrent Program”):
a) To maintain and operate a dam to its design level of safety;
b) To verify that performance meets design expectations and identify any apparent deviations as dam safety issues through monitoring and surveillance⁹;
c) To periodically inspect the dam and review its design and performance to identify dam safety issues, including potential failure modes analysis, and to prepare a Baseline PFRA and Updated PFRAs;
d) To plan for and manage dam safety incidents, including emergency action plans and exercises, and the identification of additional dam safety issues; and
e) To decide if new dam safety issues, or existing issues for which new information becomes available, justify immediate or accelerated actions, or if they can be handled under the normal Dam Safety Improvement Program timetable.
2) Dam Safety Improvement Program (“Improvement Program”):
a) To conduct staged investigations to evaluate dam safety issues, including updating PFRAs;
b) To evaluate and recommend the need for staged structural and non-structural risk-reduction measures to address dam safety issues, including detailed individual dam RAs, the development of safety and business case justifications, and the formulation of risk-reduction implementation projects; and
c) To implement risk-reduction measures that improve dam safety to achieve tolerable risks or better.
Two key requirements for effective dam safety management are therefore as follows: 1) the systematic identification of dam safety issues; and 2) the systematic management of the uncertainties¹⁰ and risks associated with dam safety issues through investigations, decision-making, and implementation of risk-reduction measures, as justified.
9 The term “surveillance” is used to include routine inspections conducted by dam tenders.
10 The term “uncertainty” is used in this paper to describe knowledge uncertainties about dam safety issues, which can, to at least some degree, be reduced through investigations.
3 PORTFOLIO RISK MANAGEMENT
Purposes and Scope
a) Purposes: Although the specific purposes for PRM vary from one owner to another, and should be carefully identified by each owner, they can generally be grouped as follows:
1) To provide a Baseline Risk Profile and Updates, including potential failure modes identification, and to track knowledge uncertainties and risk reduction for dam safety issues;
2) To provide a basis for evaluation, strengthening, and better integration of Recurrent Dam Safety Management Program activities;
3) To identify the need to consider urgent Short-term Risk-reduction Measures;
4) To provide a basis for developing and managing a Dam Safety Improvement Program comprising: queues of investigations and risk-reduction measures, business and safety case justifications, and formulation of risk-reduction projects; and
5) To provide information inputs to the owner’s Business Processes and to other stakeholders to achieve better integration of dam safety considerations.
b) Owner’s decision and business context: Comprehensive PRM should encompass all the purposes listed in the Dam Safety Management Programs subsection of Section 2, for all dams in a portfolio. To obtain good value from PRM and PFRA, it is essential that they be designed to fit the owner’s decision and business context. This should include consideration of applicable external factors, such as the following:
· Safety and business regulatory requirements, and tolerable risk guidelines;
· Stakeholders, public consultation, and public perception; and
· National cultural, political and legal systems and trends, and the degree of economic development.
In addition, consideration should be given to applicable internal factors, such as the following:
· Organisational mission, goals and values;
· Corporate risk management philosophy and position;
· Capital and operations funding processes and degree of competition;
· Dam safety decision-making process;
· Corporate loss financing and insurance;
· Business criticality and contractual obligations;
· Financial position of the owner;
· Duty of care, legal liability, and due diligence associated with dam safety;
· In-house technical capability and knowledge about the dams;
· Age and condition of the dams, operational purpose(s), and backlog of investigations and risk reduction measures;
· The safety position of specific dams relative to other dams in the portfolio;
· Maturity of the owner’s Dam Safety Management Program, including safety management practices, and management information systems; and
· Awareness and support for dam safety by organisational leadership.
c) Dam safety decision categories: The following general categories of dam safety decisions or key questions have been identified (Bowles and Anderson 2003 and ICOLD 2005):
1) Setting safety or tolerable risk goals: How safe is safe enough?
2) Managing knowledge uncertainty-reduction and risk-reduction pathways: How to justify and reach safety goals for individual dams and a portfolio of dams?
3) Managing residual risk: How to maintain and assure adequate safety and tolerable risk throughout the uncertainty and risk-reduction pathways and for the entire life cycle of each dam?
While the first decision type is an essential part of PRM, it is not a focus of this paper¹¹. Although most dam safety programs have relatively well-defined safety goals, often expressed as engineering standards, many programs have poorly-defined approaches to the second decision type (i.e. determining pathways for achieving safety goals). In relation to the third decision type, it is common that poor integration exists amongst different aspects of a dam safety program, or between that program and other aspects of the owner’s business.
The term “risk-reduction pathway” is used to describe a proposed sequence of risk-reduction measures formulated to reduce the failure risk for an individual dam or for a portfolio of dams (Bowles and Anderson 2003). The term “uncertainty-reduction pathway” is used to describe a proposed sequence of investigations formulated to reduce knowledge uncertainties about dam safety issues and thus to provide information for engineering and risk analyses in support of decisions about the need, urgency, and justification of risk-reduction measures. The management of risk- and uncertainty-reduction pathways should be a key focus of PRM, with the goal of achieving significantly more rapid risk reduction than traditional management approaches, especially for portfolios of dams.
d) Business options for risk management: From a business perspective risk management options can be grouped into the following categories (USSD 2003), although these are “not necessarily mutually exclusive or appropriate in all circumstances” (AS/NZS 1995):
1) “Avoid the risk”: this is a choice that can be made before a dam is built, or perhaps through decommissioning an existing dam;
2) “Reduce (prevent and control¹²) the probability of occurrence”: typically through structural measures, or dam safety management activities such as monitoring and surveillance, periodic inspections, or an operating restriction;
3) “Reduce (mitigate) the consequences”: for example, by non-structural approaches such as early-warning and evacuation systems or by relocating exposed populations at risk;
4) “Transfer the risk”: for example, by contractual arrangements or sale of the dam; and
5) “Retain (accept or tolerate¹¹) the risk”: “after risks have been reduced or transferred, … residual risks … are retained and … may require risk financing (e.g. insurance).”
While the first three options reduce the risk to which third parties are exposed, the fourth and fifth options only affect the risk that the owner is responsible for and leave unchanged the risk to which third parties are exposed. However, all five options should be considered as PRM options.
11 See Bowles et al (2003a) for discussion of combining traditional engineering standards and RA approaches to the decision, “How safe is safe enough?”
The remainder of this section is divided into subsections on the role of the following in PRM: a Management Information System, the Recurrent Dam Safety Program, the Dam Safety Improvement Program, and Organisational Integration.
Management Information System
An important requirement for successful PRM is an organised means of managing dam safety information. A well-designed Management Information System (MIS) is therefore an important tool for PRM. It can include the following capabilities, which are represented schematically in Figure 1:
· To provide a Data Base of Record for archiving all types of dam safety information for the portfolio, including design documents, inspection reports, monitoring data, maintenance records, operational records, and incident reports;
· To capture new information, including the outcomes of investigations, inspections, and design reviews, and the completion of risk-reduction measures;
· To perform PFRA Update and Baseline calculations;
· To generate Portfolio Risk Profile Update Reports documenting changes in estimated risk and uncertainty levels for various management levels;
· To provide Dam Safety Issue Tracking Reports for individual dams and the entire portfolio for management of the Recurrent and Improvement Programs, including tracking the queues of investigations and risk-reduction measures;
· To model alternative prioritisations or urgencies of investigations and risk-reduction measures (i.e. uncertainty-reduction and risk-reduction pathways) and thus explore the effects of such factors as changes in levels and timing of funding, staging, risk trading, and grouping of dam safety issues for investigation and risk reduction; and
· To generate Specialised Reports containing technical and business-related information that is relevant to specific business processes and stakeholders.
Figure 1. Schematic Representation of a Management Information System for PRM. (Figure not reproduced; labelled components: Data Base, Input, Updating, Tracking, RA/PRA Reports, RA/PRA Calculations, Other Analyses, Modelling.)
12 Words in italics were added by the author.
An MIS can provide the following types of information for each dam and for the portfolio:
· Potential failure modes;
· Engineering assessment¹³ ratings against engineering standards;
· Existing dam estimated probabilities of failure and consequences;
· Existing dam risk evaluation against tolerable risk guidelines;
· A list of needed investigations, their prioritisation, urgency, schedule, and status; and
· A list of potential structural and non-structural risk-reduction measures with their strengths of justification for implementation, estimated residual probabilities of failure and consequences, residual risk evaluations against engineering standards and tolerable risk guidelines, prioritisation, urgency, schedule, and status.
Recurrent Dam Safety Program
The purposes of the Recurrent Program are summarised in the Dam Safety Management Programs subsection of Section 2. A major challenge for managing a Recurrent Program is that different people in different departments are often responsible for different aspects of the safety of a single dam. The dam, however, is no respecter of these organisational boundaries and unsympathetic to difficulties in sharing information or coordinating activities between departments. Similar to the experience with potential failure modes analysis (PFMA) for FERC-regulated dams, the Baseline PFRA and PFRA Updating processes provide valuable opportunities for better integration across these departments through the sharing of insights and information. In addition, a well-designed MIS can provide pertinent information of value to each department. However, it is ultimately people and the commitment of senior management that determines successful integration in a Recurrent Program. Some examples of ways that PRM can help to achieve better Recurrent Program integration are listed below (ICOLD 2005):
· Improved risk management through monitoring and surveillance procedures that target identified failure modes for early detection of poor performance;
· Improved risk management and incident detection through field staff that is informed about dam-specific potential failure modes and such procedures as prioritising post-earthquake inspection locations based on likelihood of failure, including considerations of urgency;
· Strengthened operations and maintenance procedures that benefit dam safety, such as those important for maintaining and improving the reliability of spillway gate systems;
· Improved emergency-action planning based on dam-specific potential failure modes, including consideration of the locations and the effects of detectability on the timeliness of the notification of the authorities and the issuance of public warnings; and
· A technology watch to identify new and cost-effective risk-reduction measures.
13 See Engineering Assessment subsection in Section 4.
Dam Safety Improvement Program
The purposes of the Improvement Program are listed in the Dam Safety Management Programs subsection in Section 2. Prioritised queues of investigations and risk-reduction measures should be managed in a coordinated manner and reprioritised as the PFRA is updated with the results of completed investigations, including a revaluation of the urgency of investigations and risk-reduction measures. The next four subsections discuss the role of the following in PRM: the formulation and prioritisation of investigations and risk-reduction measures, and the justification of risk-reduction measures.
a) Formulation and prioritisation of investigations: The engineering assessment (EA) and PFMA steps¹⁴ of a Baseline PFRA or PFRA Update include the identification of needed investigations for each dam. Additional investigations may be needed to address dam safety issues that are identified as a result of abnormal conditions detected through monitoring and surveillance or dam safety incidents.
Investigations should be staged, where practicable, and subsequent stages of investigations can be separately prioritised using the outcomes of earlier stages of investigations. This approach can also increase the opportunity for rapid and cost-effective uncertainty and risk reduction.
Investigations can be prioritised based on the sensitivity of the prioritisation of their associated risk-reduction measures or estimated dam failure risks to an estimated range of investigation outcomes.
Where there is a need to better understand a dam safety issue that affects several dams, it may be more efficient to group investigations that can benefit several dams; such as for some aspects of spillway gate reliability or spillway blockage.
14 See Section 4 for discussions of the roles of EA and PFMA in PFRA.
b) Formulation of risk-reduction measures: In a Baseline PFRA, risk-reduction measures are typically formulated at a reconnaissance level of detail by selecting a reasonably-likely risk-reduction option. It should be selected to provide a representative estimate of the risk reduction and the cost of risk reduction. Structural fixes (risk-reduction measures), which are identified in the EA step of a PFRA, are typically formulated to meet engineering standards requirements or currently accepted good practice where traditional practice has not been codified in standards. Extra-practice fixes may be identified in the RA step of the PFRA; and they are typically formulated to satisfy tolerable risk guidelines or factors such as business criticality considerations, which may not be achieved by meeting engineering standards.
Non-structural measures, such as operating restrictions (see Bowles et al 2005), or improved early detection or warning and evacuation systems, can be considered. However, in general, long-term risk reduction should not rely on mitigation (i.e. reduction in consequences), where reasonably practicable options exist for preventing or controlling the likelihood of a failure mode, at least to the point of meeting minimum safety levels defined by accepted good practice or tolerable risk guidelines.
To increase the opportunity for rapid and cost-effective risk reduction, structural and non-structural fixes should be considered in a staged manner, wherever practicable. Several Australian dam safety regulators are in the process of formalising guidelines for staged structural fixes. For example, a proposal by the New South Wales Dams Safety Committee (2004), if approved by Government, would require that risk be reduced to below the ANCOLD limit of tolerability within a relatively short timeframe and to tolerable risk (including satisfying the ALARP principle) within a somewhat longer timeframe¹⁵.
For a portfolio of dams, options might exist for risk trading. Examples include dams that are located in series on the same river, or in parallel on more than one river, above the same community. In addition, some types of fixes, such as for debris barriers to prevent spillway plugging, might be implemented at a group of dams at the same time because this is a more cost-effective approach to implementation.
The formulation of effective structural and non-structural risk-reduction measures is often an iterative process as information from staged investigations and increasingly more-detailed RAs help to improve understanding and justify pursuing or not pursuing more detailed investigations and analyses. In detailed RAs to support decisions on long-term risk levels, alternative risk-reduction measures can be considered at a sufficient level of detail to provide an appropriate level of confidence for the level of decision making in the context of the owner’s business.
15 In some cases a standards-level fix may be insufficient to satisfy tolerable risk guidelines, or a thorough PFMA may identify a failure mode that the traditional approach may not normally consider.
c) Justification of risk-reduction measures:
The justification for a dam safety risk-reduction measure can be based on the existence of a “deficiency” against a traditional engineering standard 16 or on the outcome of a risk evaluation. A risk evaluation typically includes a comparison against individual and societal tolerable risk guidelines, and this should include an ALARP (as-low-as-reasonably-practicable) evaluation in countries with a common law legal system 17 , such as the UK, Australia and the USA. This approach includes cost-effectiveness considerations to evaluate the sufficiency of risk reduction. A significant advantage of the risk-based justification approach is that it provides a way to relate the justification for a dam safety fix to justifications used in other fields where public safety is threatened by a technological system. Experience has shown that this approach can improve the chance of justifying funding for dam safety.
In some cases there may be practical limits to reducing knowledge uncertainties about dam safety issues through investigations. In these cases the prudent approach is usually to convert these “irreducible uncertainties” into “relative certainties” through design of works that will provide a high level of confidence that the dam will perform satisfactorily, even if the evidence that the works are needed is less conclusive than desired, because if the risk is real, it would be too great to ignore. This is referred to as the “precautionary principle” 18 and could also constitute a justification for proceeding with risk reduction.
Benchmarking is another approach for providing justification of risk-reduction measures through using information about decisions by comparable dam owners.
16 Some limitations of the traditional approach are discussed in the Traditional and Risk Assessment Approaches subsection in Section 2.
17 Bowles (2004) provides a description of how ALARP and associated disproportionality concepts can be used to indicate a strength of justification for risk reduction referenced to US Federal government practice (OMB, U.S. Department of Transportation, CPSC, EPA, FAA, OMB, OSHA and NRC), US industry practice, and UK HSE regulatory guidance (see also Bowles et al 2005 and Hinks et al 2004).
18 See Bowles and Anderson (2003) and ICOLD (2005) for discussion of the precautionary principle.
d) Prioritisation of risk-reduction measures: The first question to address in prioritisation is, “What to prioritise?” For example, is it desired to rank dams, dam safety issues, investigations, or risk-reduction measures? The next question is, “Which prioritisation criterion to use?” If a prioritisation is to be based on the magnitude of existing risk, then what measure of risk should be used: probability of failure, annualised life loss, risk cost or another measure? This approach would give greatest priority to the highest existing risks; but, it does not consider what practical risk-reduction options exist and their cost effectiveness. Ranking risk-reduction measures based on their cost effectiveness of estimated risk reduction maximises the rate of risk reduction for the funds expended (Bowles et al 1998).
In practice, risk-reduction measures are often prioritised using a combination of criteria. Figure 2 shows the estimated annualised life-loss risk reduction projected for a program of structural fixes developed for the SA (South Australian) Water Corporation’s 17 large dams (Bowles et al 1999) in which two prioritisation criteria were applied. The fixes were prioritised by decreasing magnitude of the cost effectiveness of reducing annualised life loss, estimated from a Baseline PFRA, until a point of diminishing returns was reached. From that point, the remaining fixes were prioritised by decreasing magnitude of the cost effectiveness of reducing economic risk costs to the community. Figure 2 includes a comparison of the more rapid rate of risk reduction based on the PFRA with the slower rate estimated for a traditional standards-based prioritisation approach, which was being followed prior to conducting the Baseline PFRA. This dramatically illustrates the advantage of using PFRA, rather than a traditional approach, to formulate the risk-reduction pathway for the same set of fixes. The traditional approach simply does not provide the information needed to identify the most rapid risk-reduction pathway. It is important to recognise that using PFRA to manage the uncertainty-reduction and risk-reduction pathways still leaves open the option of adopting standards-based safety goals, which is what SA Water did.
Figure 2. Risk Reduction for the PFRA Approach and Traditional Approaches for SA Water’s Large Dams (Bowles et al 1999).
Cost-effectiveness prioritisations, such as that shown in Figure 2, can serve as a starting point for developing risk-reduction pathways. However, if reducing high existing risks is judged to be more important, fixes that address these can be prioritised first, using both short-term and long-term risk-reduction measures, and then cost effectiveness can be used after high existing risks have been reduced.
Sometimes this is done for all existing risks that exceed a “limit of unacceptability” 19 for life safety risks.
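The two-criterion prioritisation described above, worked through as an added example (not code or data from the paper or from SA Water's PFRA). The fix names, costs, risk reductions, existing portfolio risk, diminishing-returns threshold and the comparison schedule are all constructed assumptions; the output is the kind of pathway plotted in Figure 2.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fix:
    name: str
    cost: float      # capital cost, $M (constructed)
    life_red: float  # reduction in annualised life loss, lives/year (constructed)
    econ_red: float  # reduction in economic risk cost, $M/year (constructed)

    def __post_init__(self):
        if self.cost <= 0:
            raise ValueError(f"{self.name}: cost must be positive")

    @property
    def life_ce(self) -> float:
        """Cost effectiveness of reducing annualised life loss."""
        return self.life_red / self.cost

    @property
    def econ_ce(self) -> float:
        """Cost effectiveness of reducing economic risk cost."""
        return self.econ_red / self.cost


def prioritise(fixes, min_life_ce):
    """Rank by life-loss cost effectiveness down to min_life_ce (the assumed
    point of diminishing returns), then rank the rest by economic cost effectiveness."""
    head = sorted((f for f in fixes if f.life_ce >= min_life_ce),
                  key=lambda f: f.life_ce, reverse=True)
    tail = sorted((f for f in fixes if f.life_ce < min_life_ce),
                  key=lambda f: f.econ_ce, reverse=True)
    return head + tail


def pathway(order, existing_life_loss):
    """(capital spent as % of total, remaining life-loss risk as % of existing)
    after each fix in the given order."""
    total_cost = sum(f.cost for f in order)
    spent = reduced = 0.0
    points = []
    for f in order:
        spent += f.cost
        reduced += f.life_red
        remaining = existing_life_loss - reduced
        points.append((round(100 * spent / total_cost, 1),
                       round(100 * remaining / existing_life_loss, 1)))
    return points


def cost_to_reach(points, target_pct):
    """Share of capital spent when remaining risk first falls to target_pct."""
    return next((c for c, r in points if r <= target_pct), None)


# Constructed portfolio: six fixes, existing risk 0.125 lives/year.
FIXES = {f.name: f for f in [
    Fix("A", 2, 0.020, 0.10), Fix("B", 10, 0.030, 0.40), Fix("C", 5, 0.040, 0.05),
    Fix("D", 8, 0.002, 0.80), Fix("E", 15, 0.003, 0.30), Fix("F", 10, 0.005, 0.10)]}
EXISTING = 0.125
THRESHOLD = 0.001                            # lives/year per $M (assumed)
SCHEDULE = [FIXES[n] for n in "EBFDCA"]      # hypothetical pre-PFRA programme order

if __name__ == "__main__":
    ranked = prioritise(FIXES.values(), THRESHOLD)
    print([f.name for f in ranked])
    print("PFRA order:", pathway(ranked, EXISTING))
    print("Schedule  :", pathway(SCHEDULE, EXISTING))
```

With these constructed figures the same set of fixes brings remaining life-loss risk below 30% of existing after 34% of the capital in the prioritised order, but only after all of it in the comparison schedule.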
Prioritisations have sometimes been adjusted to account for the timing of capacity upgrades, which may be determined by considerations other than dam safety, but which provide an opportunity to combine the design and construction of dam safety works with other works. It is sometimes useful to display risk-reduction pathways against projected timing of project completion or timing of expenditures, instead of cost, as shown in Figure 2.
19 The term “limit of unacceptability” refers to the “limit of tolerability” in the ANCOLD (2003) tolerable risk guidelines. This alternative terminology is suggested by the author as more precise because, in general, for a particular dam, the risk that meets all conditions for tolerable risk, including ALARP, would not begin until a lower level of risk than this limit.
[Figure 2 plot: Portfolio Life Safety Risk. Axes: Capital Cost of Structural Measures (% of total); Annualized Incremental Life Loss (lives/year as % of existing). Series: PRA Prioritization; Standards-based Prioritization.]
A problem that must be faced when developing risk-reduction pathways is how to manage the transition from an existing program (pathway) of investigations, design and construction to a new program that is based on a prioritisation using PFRA. This can be a particularly difficult decision when investigations or design work are in an advanced stage, or if construction is about to commence, on measures that the PFRA shows to have a much lower strength of justification than others, and where a shift to other measures would provide much greater and more immediate risk reduction at other dams in the portfolio. It is important to involve the regulator in such decisions.
In some cases it is useful to group prioritised fixes into risk-reduction phases and to describe them according to their urgency, risk reduction character, type or strength of justification, or differences in their funding or approvals processes. This approach can enhance the understanding of lay decision makers, facilitate effective management, and improve the chances of funding. For example, the following phases were developed for SA Water’s Baseline PFRA (Bowles et al 1999):
· Phase 1: Seven measures estimated to be the most cost-effective, and therefore the most rapid, for reducing annualised life-loss risk, but which also reduced all the high existing risks;
· Phase 2: Six remaining measures estimated to be needed to meet the ANCOLD societal tolerable risk limit guideline, and which have high estimated rates of economic risk cost reduction for the community;
· Phase 3: Seven remaining measures estimated to have risk-based justifications for proceeding; and
· Phase 4: Three remaining measures needed to meet engineering standards, although they only have small estimated risk reductions and poor cost effectiveness of risk reduction.
An inevitable effect of grouping fixes with the highest levels of justification into earlier phases is that the later phases will have lower justifications, with the result that it may be harder to obtain funding for them.
An MIS developed to support PFRA and PRM can be used to model different prioritisation scenarios and to explore their implications for various aspects of the owner’s risk profile over time, including probability of failure, life safety, economic, financial, environmental, and other types of risks. The effects of different rates or phases of funding, or different allocations of resources to dams that have life-loss potential compared with dams that do not have identified life-loss potential, can be explored. Changes in schedule resulting from the need to complete additional investigations or due to construction delays can also be explored and tracked. Options can be explored for lumping some types of fixes for a group of dams, such as adding spillway debris barriers, instead of implementing them individually. Risk trading can be explored as mentioned above in this Section under b) in the subsection on the Dam Safety Improvement Program. Uncertainty-reduction and risk-reduction pathways should be reprioritised using updated information as it becomes available from completed investigations, and RA supporting studies 20 .
The urgency of risk reduction is sometimes related to the degree of departure from traditional standards or tolerable risk guidelines (e.g., ANCOLD 2003). Benchmarking can be used to evaluate and justify the urgency for action, in terms of the rate, extent, and basis for risk-reduction pathways, through obtaining information on these from comparable dam owners, although such an approach should not be used to justify moving to the “lowest common denominator” 21 .
20 The term “RA supporting studies” is used to refer to all studies to develop probability and consequences inputs for RA. They may include flood estimation, seismic hazard characterisation, dam break studies, consequences estimation, stability analyses, cost estimates for fixes, etc.
Organisational Integration
Improved organisational integration of dam safety considerations can be an important benefit of PRM. It can be achieved through properly utilising information from PFRA in different parts of a dam owner’s organisation where its benefits can be realised. Well-designed MIS reports containing only the information relevant to a particular department can help to facilitate this process. The effectiveness can be improved through establishment of a high-level Dam Safety Coordination Group to oversee PRM from its inception, with membership from all departments in the owner’s organisation that relate to dam safety. However, accountability to the CEO or government agency head is essential and will demonstrate that organisational leadership assigns high importance to this process.
Some examples of business uses of PFRA outcomes are listed below (ICOLD 2005), although the degree to which each can be achieved will depend on the scope and level of detail of the PFRA process for a particular organisation:
· Corporate risk management prioritisation schemes that address all risks faced by the owner and not just dam safety risks;
· Business contingency planning for dam failure and non-dam failure risks;
· Community emergency evacuation planning through an improved understanding of dam failure modes, their detectability, consequences, available warning time and any seasonal occurrence or initiating event-related factors;
· Loss financing, including insurance, to assess the adequacy of the existing insurance provisions and to better inform the owner’s finance officer or risk manager and its underwriters about dam safety risk exposure;
· Legal considerations, due diligence, internal control, corporate governance, and legal defensibility of dam safety decisions;
· Business criticality through relating dam safety issues to meeting contractual obligations, licensing requirements, and key business results indicators;
· Community consultation with the affected public(s), including risk communication of dam failure modes, the likely consequences, and steps being taken to manage and reduce the risks; and
· Benchmarking through obtaining information on risk-reduction decisions and pathways from comparable dam owners to provide an input to due diligence, corporate governance, and legal liability evaluation processes.
21 This caution is based on a comment made by the reviewer in his review of this paper.
4 PORTFOLIO RISK ASSESSMENT
Overall Process
PFRA is an essential tool for effective PRM. It should be implemented through a close partnership between experienced dam engineers, a PFRA facilitator, the owner’s dam safety manager and high-level decision-makers, and other stakeholders, including the regulator, although perhaps only as an observer. PFRA involves an initial Baseline implementation and Updates, which may be coordinated with periodic design reviews for efficiency. The PFRA process comprises the following major parts, which are represented by the major blocks in Figure 3:
1) Identification of the owner’s decision and business context;
2) Engineering assessment (EA);
3) Risk assessment (RA);
4) Prioritisation of investigations and risk-reduction measures to develop uncertainty-reduction and risk-reduction pathways; and
5) PFRA Outcomes.
A key to deriving value from PFRA is an understanding of the owner’s decision and business context so that the PFRA process can be tailored to meet the specific information needs that will benefit the owner’s PRM program and related business processes, and other stakeholders (right side of Figure 4). We refer to this process as “outcome targeting” (see Figure 4). Some factors that should be considered in this process are discussed in the Purposes and Scope subsection of Section 3.
Engineering and risk assessments for Baseline PFRAs are often based primarily on available information and engineering judgement. RA supporting studies are usually performed at a reconnaissance level and based on consistent best estimate procedures. By utilising available information (left side of Figure 4), Baseline PFRAs can be efficiently conducted with a minimum of RA supporting studies (center part of Figure 4) and then they can be used as a basis for prioritising future investigations. As these investigations are completed, PFRA updates should incorporate their findings. The level of RA and supporting studies should be kept under review and increased as the nature of decisions changes, such that the level of detail is “decision-driven” (NRC 1996).
The following subsections summarise the EA and RA parts of PFRA. Some trends and variations in applications of PFRA are also discussed. The prioritisation part of PFRA for investigations and risk-reduction measures is discussed in parts a) and d) of the Dam Safety Improvement Program subsection of Section 3, respectively. PFRA outcomes can be grouped in various ways, such as shown in the “Outcomes” box in Figure 3, or by using the categorisation of PRM purposes, listed at the beginning of Section 3 and discussed throughout Section 3.
Engineering Assessment
Engineering assessments yield an inventory of the status of individual existing dams with respect to meeting a list of the prevailing engineering standards that pertain to the owner 22 . EA utilises a rating system, which is designed to minimise conservative biases in cases where limited information is available. “Pass” and “No Pass” ratings are assigned when sufficient information is available to make these assessments with the normal high level of confidence. When insufficient information is available, “Apparent Pass” and “Apparent No Pass” ratings are assigned, based on engineering judgment, to indicate the expected rating after sufficient investigations are completed to the normal level of confidence in making such assessments. A list of potential risk-reduction measures to meet engineering standards is identified for all factors with “No Pass” or “Apparent No Pass” ratings. Another list of needed investigations associated with all factors with “Apparent No Pass” or “Apparent Pass” ratings is developed.
22 See Bowles et al (2003a) for an example of a list of EA factors for the US Army Corps of Engineers.
Risk Assessment
Risk assessment includes the following steps for each dam:
a) Potential failure modes identification [i.e. PFMA or Failure Modes and Effects Analysis (FMEA)];
b) Risk analysis of existing dam to estimate probabilities and consequences for each potential failure mode;
c) Risk evaluation of existing dam leading to identification of investigations and potential risk-reduction measures in addition to those indicated by the EA;
d) Risk analysis of potential risk-reduction measures identified through EA and RA; and
e) Risk evaluation of risk-reduction measures.
PFMA in Step a) provides the foundation upon which RA is built. Therefore, PFMA should be systematically and thoroughly conducted by experienced dam engineers. In addition to identifying those failure modes for which sufficient evidence already exists, it is important to identify investigations for those potential failure modes for which insufficient information is available to rule them out.
The level of detail for estimating life loss and other types of consequences should be appropriate for the type and level of decisions for which information from the PFRA is to be used and the level of confidence that the owner and stakeholders require (USSD 2003). A common shortcoming in RAs is to spend much less effort estimating the consequences than the probabilities of failure, but this should be avoided because the consequences can affect
Figure 3. Portfolio Risk Assessment Process and Outcomes (Bowles 2001).
[Figure 3 flowchart. Blocks: Decision Framework; Engineering Assessment (Engineering Standards & Current Practice); Risk Assessment (Failure Modes and Effects Identification; Risk Analysis, Existing Dam; Risk Analysis, Remedial works; Risk Criteria); Prioritization (Ranking of Remedial works; Ranking of Investigations; Phasing; Other Considerations); Outcomes. Outcomes: 1. Current Risk Profile; 2. Basis for Improving Recurrent Activities; 3. Basis for Short-term Risk Reduction Measures; 4. Dam Safety Improvement Program; 5. Business Processes. Routing labels: AP, ANP > Investigations; ANP, NP > Remedial works. Legend: P = Pass; AP = Apparent Pass; ANP = Apparent No Pass; NP = No Pass.]