To accept that a risk mitigation really does significantly lower your operating risk, it must guarantee “substantial” risk reduction

The ‘rule’ for claiming a risk reduction is it must deliver a ‘substantial’ fall in risk. To be a ‘substantial’ fall, the real-world effects from using a risk mitigation proposal must bring obvious and unquestionably lower operating risk.



Hi Mike,

One thing I want to know is, for a given operational risk is there any rule to set the consequences (low, medium, critical, catastrophic,…) or is it set by company specification?

Regards, David



Dear David,

Identifying the risk level is what a risk matrix is used for. Each company has to set its own value for their grades of consequence (this is called ‘calibrating’ the matrix). The risk matrix then becomes the ‘rule’ that determines the risk level. Use ISO 31000 risk management guidelines to help you develop your risk matrix.

The other issue that needs to be addressed is, ‘when can you claim a risk reduction?’ People will propose ideas to reduce a risk, but how can you be sure that an idea will actually be effective? You can only claim risk reduction from a proposal if it will really reduce risk when the proposal is put to use.

The ‘rule’ for claiming a risk reduction is that it must deliver a ‘substantial’ fall in risk. To be a ‘substantial’ fall, the real-world effects from using a mitigation proposal must bring obvious and unquestionably lower risk. The reason it is necessary to be totally sure a risk reduction proposal will be truly effective is that it is easy to come up with ideas in response to a risk that do not change the risk. Ask a hundred people how to reduce a risk and you may get one hundred different answers. Some might make a positive difference, but which answers are the highly effective ones? We need a way of grading risk reduction ideas and finding those that will surely work. By requiring a risk to be ‘substantially’ reduced by a mitigation, the risk reduction ideas worth considering will clearly ‘stand-out’ as being absolutely certain to work.

If we have a risk of $100,000 per year, what reduction in risk would be ‘substantial’? Getting the risk down to $90,000/year is not ‘substantial’. There is no certainty that you will really get $10,000/yr savings from ideas that make such little difference to a $100,000/yr risk. Would a $20,000/yr risk reduction be ‘substantial’? Now your risk is supposedly down to $80,000/yr. But a 20% reduction in risk is not ‘substantial’. What about ideas that bring $30,000/yr reduction, or $40,000/yr, or $50,000/yr, when does the reduction become ‘substantial’?

I would call a 50% reduction in risk ‘substantial’. Any lesser fall in risk would not be a ‘obvious and unquestionably’ positive improvement. You must be absolutely certain the mitigations you use will substantially reduce risk. Otherwise you cannot claim a risk reduction is worthwhile. That is why in my response to your assignment I said that the maintenance activities selected were useless in removing the risk from a valve failure—they would not work in real life to save the company substantial money.

Recall that you were given the table below, which is an extract from a RCM analysis showing the new maintenance activities recommended by the RCM Team. These new maintenance tasks are meant to reduce the risk of valve failure. The team selected the five activities listed to care for the valve and maximize its uptime. The top three require performing a valve integrity test where the valve is removed, stroked and repaired as necessary. The last two are external inspections of the valve while in operation.



The additional maintenance work will cost $20,000 per valve. It is a total waste of time unless doing those activities actually makes the valve more reliable by a worth of $20,000 per valve each year. If each of the activities are useful in preventing failure their effect should be observable in a risk matrix as a lowering of the risk compared to them not being done. If the risk substantially reduces on the matrix then you are sure that the activity will lower the risk and hence prevent losses and downtime.

The question you must answer is, ‘Would the chosen maintenance activities stop the valve from failing?’ Will there be a substantial reduction in the operating risk by doing these new risk mitigations?

Notice that the new tasks require people to do a test or a check. Will a test or a check stop the valve seat and seals from failing? Will a test stop the valve stem from corroding? The additional work created by the RCM will need to decrease the failures to fewer than one per five years. If the new work does not do that then it is a waste of time and should not be done.

We can plot the current location of risk by determining the current business-wide impact of a valve failure. I call these the DAFT Costs (Defect and Failure Total Costs) because it is silly to live with them when they can easily be reduced. When a valve fails it costs the company $200,000 in losses and rectification. From the maintenance records there is an average 5-year frequency of valve failure. The point is plotted on the risk matrix below. The question is whether the new maintenance work will reduce the risk by significantly more than it costs to do the work.



A valve integrity test means removing the valve from the pipeline and placing it on a test bench and operated under controlled test conditions so the valve internals can be checked for problems and wear. Once the valve is in the test position it is stroked and its stem movement and seating / sealing behavior checked for compliance to an acceptable standard.

An integrity test proves the valve works properly or not. A valve will either pass or fail the test. Performing the test does not make the valve more reliable, it only spots a problem after it has happened. When a problem is found it is fixed or failed parts are renewed. The valve is then put back into the same service situation as it was found to undergo the same conditions that caused its current reliability and performance.

The visual inspections look at the valve condition. The valve will either be fine or it will not. Again the inspection does not make the valve reliable, it only spots a problem after it has happened.

The additional $20,000 spent on every valve annually because of the RCM analysis will not stop a single valve from failing. The best that can happen is old parts that no longer behave properly are replaced with pristine parts and they will start their life from new. Parts not replaced will continue to age further and fail. These new RCM-specified tasks are useless for preventing the valve from failing. They will add more maintenance costs for absolutely no worth.

To stop the seat from failing you must stop the moisture in the product that causes corrosion; you must stop the contamination in the product that fails the valve seat and seals; you must stop the operators running the valve above design differential pressure. Only doing those things will stop the valve failing. Doing a test or a check to see if the valve has failed will never make the valve more reliable. They are money wasters—what a joke such maintenance tasks are!

A better strategy is to replace all valves every 5 years with new valves and do no other maintenance. The best strategy would be to fix the problems that make the valves fail: stop contamination, moisture, and over-pressure operation—remove the cause of the cause of valve failure.

You must prove there is substantial risk reduction from the risk mitigation tasks selected in a risk analysis. Otherwise you will spend a lot of money for nothing!

I hope that the above comments are useful to you.


All the best to you,

Mike Sondalini
Managing Director
Lifetime Reliability Solutions HQ