How to Build a Risk-Based Asset Management Strategy for Large Portfolios

Vianney AIRAUD vianney.airaud

Managing large portfolios is tough. Deciding which assets to prioritize, how to allocate budgets, and minimizing risks can feel overwhelming. A Risk-Based Asset Management (RBAM) strategy simplifies this by focusing on risk to guide decisions. Here’s how:

  • Key Principle: RBAM uses the formula Criticality = Consequence × Likelihood to prioritize assets based on their risk scores.
  • Core Benefits: Focus resources on high-risk assets, reduce costly failures, and align decisions with organizational goals like safety, compliance, and sustainability.
  • Steps to Build It:
    1. Set Objectives: Define clear goals linked to safety, cost control, and carbon reduction targets.
    2. Determine Risk Appetite: Establish acceptable risk levels and thresholds for action.
    3. Centralize Data: Build a detailed asset register with condition, risk, and performance data.
    4. Standardize Assessments: Use consistent grading systems (e.g., 1–5 scales) for condition and risk.
    5. Prioritize Investments: Use risk-cost ratios to allocate budgets effectively.
    6. Leverage Tools: Platforms like Oxand Simeo™ streamline data, risk evaluation, and investment planning.

This strategy ensures smarter, data-driven decisions while balancing budgets and long-term goals like carbon reduction. Keep reading to learn how to implement and refine this approach effectively.

Risk-Based Asset Management Strategy: 6-Step Framework

Risk-Based Asset Management Implementation Model

Setting Objectives and Governance for Asset Management

A risk-based strategy thrives on clear objectives and strong governance, ensuring risk data leads to consistent and defensible decisions.

Defining Asset Management Objectives

Asset management goals should align directly with organizational priorities like safety, compliance, cost control, and sustainability. A Strategic Asset Management Plan (SAMP) serves as the link between these overarching priorities and day-to-day asset management. As Anitha Rajmohan, Director of Cyber Assurance at Glocert, explains:

"The SAMP is the critical bridge between organisational objectives and day-to-day asset management activities – without it, alignment cannot be demonstrated." [2]

To be effective, every objective in the SAMP needs to follow the SMART framework: Specific, Measurable, Achievable, Relevant, and Time-bound [2]. The table below illustrates how high-level organizational goals can be translated into actionable asset management objectives with measurable KPIs:

| Organizational Objective | Asset Management Objective | KPI |
|---|---|---|
| Achieve 99.5% service availability | Maintain critical asset availability above 99.7% | Critical asset uptime % |
| Reduce operational costs by 10% over 5 years | Optimize maintenance costs while maintaining performance | Maintenance cost per asset unit; TCO |
| Achieve net‑zero by 2040 | Reduce portfolio carbon footprint by 30% by 2030 | Tonnes CO₂e per year |
| Comply with all regulatory requirements | Zero regulatory non‑compliances related to asset condition | Number of regulatory findings |

Source: Glocert ISO 55001 Guide [2]

After setting these objectives, the next step is to define measurable risk thresholds that align with them.

Setting Risk Appetite and Tolerance Levels

With objectives in place, you need to determine how much risk your organization is willing to accept and where the boundaries lie. Risk appetite reflects high-level, board-approved statements, such as zero tolerance for safety-related fatalities or a low appetite for environmental damage. On the other hand, risk tolerance translates these broader appetites into specific, measurable thresholds for individual assets or groups [1].

For instance, you might set a residual risk score limit of 15 out of 25, requiring executive approval for any score above this threshold. Criticality scores – calculated as the product of Consequence and Likelihood on a 1–25 scale – help apply these thresholds consistently across your portfolio.

In real-world terms, this means defining trigger points. For example, an asset at Condition Grade 5 (the worst grade on the 1–5 scale) would automatically require a risk acceptance plan before continued operation [1]. Without such thresholds, risk management can become inconsistent and overly subjective.

Aligning Governance with ISO 55001

ISO 55001 provides a clear framework for governance through a three-tier documentation system [2]:

  • Asset Management Policy (ISO 55001 Clause 5.2): A concise, 1–3 page document signed by the CEO or equivalent, outlining top-level intentions and principles for asset management.
  • Strategic Asset Management Plan (SAMP) (Clause 6.2.1): A more detailed document, typically 15–50 pages, reviewed annually to translate organizational objectives into strategic direction.
  • Operational Asset Management Plans (Clause 6.2.2): These are detailed plans – ranging from 20 to over 100 pages – outlining specific activities, resources, and timelines for asset teams.

Governance also includes appointing Risk Owners who are responsible for monitoring specific risks and implementing treatment actions [1]. A formal escalation process should ensure that any risk score exceeding tolerance levels triggers an executive review. Regular management reviews, as required under Clause 9.3, keep the system up-to-date and ensure that risk data continues to drive high-level decision-making [3].

Building a Reliable Asset and Risk Data Foundation

Once you’ve established your governance structure and defined risk thresholds, the next step is ensuring the data driving your decisions is dependable. Even the most well-designed frameworks can falter if the underlying data is flawed. A strong data foundation transforms good intentions into decisions that are repeatable and defensible. Here’s how to make sure your data is up to the task.

Creating a Centralized Asset Register

A centralized asset register is the backbone of risk-based decision-making. It serves as the single source of truth for all asset-related details, capturing everything decision-makers need: what assets you own, where they are, their condition, and their importance to operations. Without such a register, management often defaults to reactive approaches.

For large portfolios, the register should include these four key data categories:

| Information Category | Key Data Points |
|---|---|
| Core Asset Data | Asset ID, type, location (linked to GIS), age, replacement value, remaining useful life |
| Condition Data | Inspection results, defect records, condition grade (1–5 scale) |
| Risk & Criticality | Consequence scores (Safety, Environment, Operations, Finance, Reputation), likelihood, risk owner |
| Performance Data | Failure history, downtime, maintenance history, reliability data |

Integrating GIS technology from the start is crucial. Use GPS devices and georeferencing to validate asset locations and link physical records to digital platforms. This approach minimizes data gaps during audits and ensures critical knowledge is preserved when experienced staff retire or leave the organization.

As Sakthi Thangavelu, Senior Manager of Cyber Assurance at Glocert, explains:

"Asset criticality assessment is foundational to ISO 55001 – it determines how resources, maintenance strategies, and investment are allocated across the asset portfolio."

Standardizing Condition and Risk Assessments

The value of an asset register hinges on the quality and consistency of its data. If one site labels an asset as "Fair" while another rates the same condition as "Poor", portfolio-wide analysis becomes unreliable. Standardizing assessments ensures data comparability across sites, teams, and asset types.

One effective method is implementing a universal 1–5 condition grading scale across all asset classes – whether it’s HVAC systems, water mains, or electrical infrastructure. In this system:

  • Grade 1: Near-new condition
  • Grade 5: Imminent failure requiring immediate intervention

Pair this grading system with a consequence framework that evaluates potential failure impacts across five dimensions: Safety, Environment, Operations, Financial, and Reputation. This combination creates a solid foundation for assessing risk.

Criticality scores can then be calculated as the product of the Consequence of Failure and the Likelihood of Failure, typically on a scale of 1 to 25. To maintain consistency over time, conduct calibration workshops with representatives from various sites. These sessions help teams align their interpretations of the framework and catch inconsistencies before they become issues.

For assets with the highest criticality, consider using Failure Mode and Effects Analysis (FMEA). This method digs deeper into not just the likelihood of failure but also the specific ways an asset could fail. This level of detail enables more targeted maintenance strategies and strengthens audit documentation.

To manage these processes across large portfolios efficiently, automation becomes a game-changer.

Using Oxand Simeo™ for Asset Data Management

Managing data quality for a geographically dispersed portfolio is no small feat, and relying on spreadsheets or manual processes often falls short. Oxand’s Simeo Inventory offers a streamlined, centralized solution for asset management. It provides a clear, structured register that spans sites, buildings, and infrastructure, with a standardized hierarchy and attributes that feed directly into investment planning models.

Field teams can use the Simeo GO mobile app for guided offline inspections. The app allows inspectors to capture photos, comments, and standardized condition scores on-site, reducing errors from manual transcription. Built-in validation tools and standard forms flag duplicates, gaps, or inconsistencies before data reaches the planning stage. This ensures a reliable, consistent, and shareable knowledge base across the organization.

Building a Risk and Criticality Assessment Framework

Once you have a clean, centralized asset register, you can start making better-informed decisions. The next step is transforming that data into a structured way to evaluate which assets pose the greatest risk and where investments will make the most impact. This framework connects the initial data collection phase to a detailed risk evaluation process, laying the groundwork for targeted asset management.

Defining Risk for Infrastructure and Buildings

With the asset register in place, risk in asset management is defined as the effect of uncertainty on achieving objectives [4]. This includes not just asset failure but also issues like over-investment, under-investment, regulatory non-compliance, and gaps in sustainability.

Criticality is calculated as: Consequence of Failure × Likelihood of Failure. Likelihood is often based on a 1–5 condition grade, while consequences span categories like safety, environmental impact, operations, financial implications, and reputation [4].

For buildings, two additional factors come into play: Compliance Impact (whether failure leads to regulatory or permit challenges) and Substitutability (whether a backup system can take over if the asset fails) [5]. These dimensions matter because even a failure with minimal financial damage can create serious regulatory or operational problems.

To ensure safety-critical aspects aren’t overlooked, always use the highest score across multiple consequence categories when determining the overall rating [4]. This approach ensures a comprehensive and balanced evaluation of each asset.

Running Multi-Criteria Criticality Assessments

The reliability of a criticality assessment depends on the process behind it. A common mistake is allowing a single department to handle scoring, which can lead to blind spots. Instead, involve cross-functional teams that include operations, maintenance, engineering, safety, and finance experts to achieve a more balanced and accurate result [4].

Here’s how to approach the assessment:

  • Define the scope (e.g., system, class, or component level).
  • Use consistent severity scales.
  • Identify potential failure modes.
  • Calculate criticality scores.
  • Validate the results with management before aggregating them into a portfolio [4].

Assets are then categorized into tiers that guide their management strategies:

| Criticality Level | Score Range | Management Approach | Typical Investment Action |
|---|---|---|---|
| Critical | 16–25 | Intensive management | Capital renewal priority; continuous monitoring |
| High | 10–15 | Active management | Prioritized resources; regular condition monitoring |
| Medium | 5–9 | Planned management | Scheduled preventive maintenance; routine monitoring |
| Low | 1–4 | Minimal management | Run-to-failure acceptable; reactive maintenance |

(Data source: [4])

For large portfolios, focus detailed analysis on the top 10% to 20% of critical assets [6]. Concentrating resources on these high-criticality assets can reduce emergency maintenance costs by 40–60% [5]. Additionally, preventive maintenance delivers a return on investment (ROI) that’s 3–5 times higher when applied to high-criticality assets rather than distributed evenly [5].

"The most common mistake I see in facility maintenance budgeting is treating every asset as equally important when allocating resources. A facility manager will cut PM frequency uniformly by 20% during a budget squeeze… the consequence is predictable: within 18 months, the asset that should have received more attention fails." – Dr. Samuel Okafor, CMRP, CRE [5]

Using Oxand’s Predictive Models for Risk Estimation

Moving from static to dynamic models ensures your risk assessments stay aligned with changing asset conditions. Static scores can quickly become outdated. For instance, an asset rated "Medium" today could shift to "Critical" due to harsh weather, unexpected failures, or natural aging.

Oxand’s predictive models offer a solution. With over 20 years of experience and a library of more than 10,000 proprietary aging and performance models, Oxand uses probabilistic simulations to predict how assets will deteriorate, when failures might occur, and the resulting consequences across various asset types.

These models integrate new data – such as work order histories, inspection results, age milestones, or recent failures – to automatically update criticality scores [5]. This creates a "living" risk register [4] that reflects the actual state of your portfolio rather than a static, once-a-year snapshot. For ISO 55001 auditors, this provides a clear and traceable link between asset conditions, risk scores, and capital renewal priorities [4].

Prioritizing Investments Within Budget and Sustainability Constraints

Once a dynamic risk register is established, the next step is to transform those risk scores into a practical spending plan. The challenge lies in balancing tight budgets with sustainability goals while ensuring investments are both effective and justifiable.

Turning Risk Assessments into Investment Plans

Using the established risk framework, the goal is to create investment strategies that enhance asset reliability and align with sustainability objectives. One effective method is ranking proposals by their risk-cost ratio – essentially the amount of risk reduced per dollar spent. This approach ensures that spending decisions are guided by data rather than tradition or internal politics.

For capital renewal funds, focus on assets classified as Critical (scores of 16–25) and High (scores of 10–15). If an asset is at Condition Grade 5, an emergency replacement plan should be triggered unless senior management explicitly accepts the associated residual risks [4].

Investment planning should also consider the Total Cost of Ownership (TCO), which includes not just the upfront cost but also long-term expenses like maintenance, disposal, and failure risks. As Sakthi Thangavelu, Senior Manager of Cyber Assurance at Glocert International, puts it:

"A low-cost asset with high failure risk may have a higher TCO than a more expensive but reliable alternative." [4]

To prioritize effectively, calculate the Residual Risk Score for each proposed investment. This method ensures that sustainability considerations are seamlessly integrated into financial decision-making.
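The scoring and ranking rules described so far can be combined in a short script. This is an added example, not code from Oxand or Glocert: it takes the highest consequence dimension, multiplies it by the condition grade used as likelihood, applies the tier bands and the 15/25 tolerance example, and ranks Critical and High proposals by risk reduced per dollar. The sample assets, costs, the `grade_after` field, the greedy selection, and the choice to fund Grade 5 replacements first even at a budget shortfall are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Tier floors from the page's criticality table (score range 1-25).
TIERS = [(16, "Critical"), (10, "High"), (5, "Medium"), (1, "Low")]
TOLERANCE = 15  # page's example limit: scores above 15/25 go to executive review

@dataclass
class Asset:
    asset_id: str
    consequences: dict    # dimension name -> 1..5 consequence score
    condition_grade: int  # 1 = near-new .. 5 = imminent failure (used as likelihood)

def criticality(consequences, grade):
    """Consequence x Likelihood, taking the highest consequence dimension."""
    scores = list(consequences.values()) + [grade]
    if not consequences or any(not 1 <= s <= 5 for s in scores):
        raise ValueError("scores and grades must be on the 1-5 scale")
    return max(consequences.values()) * grade

def tier(score):
    return next(name for floor, name in TIERS if score >= floor)

def assess(asset):
    score = criticality(asset.consequences, asset.condition_grade)
    return {"score": score, "tier": tier(score),
            "executive_review": score > TOLERANCE,
            "risk_acceptance_plan": asset.condition_grade == 5}

@dataclass
class Proposal:
    asset: Asset
    cost: float
    grade_after: int  # assumed condition grade once the work is done

def risk_reduction(p):
    before = criticality(p.asset.consequences, p.asset.condition_grade)
    return before - criticality(p.asset.consequences, p.grade_after)

def build_plan(proposals, budget, accepted=frozenset()):
    """Return (funded asset ids, remaining budget)."""
    # Capital renewal focuses on Critical and High assets.
    eligible = [p for p in proposals if assess(p.asset)["tier"] in ("Critical", "High")]
    # Grade 5 assets are replaced first unless management accepted the residual risk.
    forced = [p for p in eligible
              if p.asset.condition_grade == 5 and p.asset.asset_id not in accepted]
    funded = [p.asset.asset_id for p in forced]
    remaining = budget - sum(p.cost for p in forced)  # negative = shortfall to escalate
    rest = [p for p in eligible if p not in forced]
    # Greedy pass (a heuristic, not an optimal allocation): best risk-cost ratio first.
    for p in sorted(rest, key=lambda p: risk_reduction(p) / p.cost, reverse=True):
        if risk_reduction(p) > 0 and p.cost <= remaining:
            funded.append(p.asset.asset_id)
            remaining -= p.cost
    return funded, remaining

# Constructed sample portfolio (not real data).
CHILLER = Asset("CHILLER-01", {"safety": 2, "environment": 4, "operations": 5,
                               "financial": 3, "reputation": 2}, 4)
MAIN = Asset("MAIN-07", {"safety": 5, "environment": 3, "operations": 4,
                         "financial": 4, "reputation": 4}, 5)
SWBD = Asset("SWBD-03", {"safety": 4, "environment": 1, "operations": 3,
                         "financial": 2, "reputation": 2}, 3)
LIGHT = Asset("LIGHT-12", {"safety": 2, "environment": 1, "operations": 1,
                           "financial": 1, "reputation": 1}, 2)
PROPOSALS = [Proposal(CHILLER, 120_000, 1), Proposal(MAIN, 300_000, 1),
             Proposal(SWBD, 40_000, 1), Proposal(LIGHT, 20_000, 1)]

if __name__ == "__main__":
    for a in (CHILLER, MAIN, SWBD, LIGHT):
        print(a.asset_id, assess(a))
    print(build_plan(PROPOSALS, 450_000))
    print(build_plan(PROPOSALS, 450_000, accepted={"MAIN-07"}))
```

In the sample data the Grade 5 water main has the weakest risk-cost ratio, so a pure ratio ranking would fund it last; the Grade 5 trigger is what moves it to the front of the plan.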

Adding Sustainability and Energy Metrics to Investment Decisions

Sustainability can be incorporated into the risk matrix by evaluating environmental impact on a scale from "none" to "catastrophic" [4]. For example, an aging HVAC system leaking refrigerant or outdated electrical infrastructure wasting energy might score as High or Critical, even if the immediate financial implications appear minor.

When presenting a case for upgrades, include carbon costs and projected energy savings over the asset’s lifespan in the TCO. This broader perspective often supports investing in higher-efficiency alternatives, which may cost more upfront but reduce long-term risks and expenses. A formal risk appetite statement, such as "We accept short-term financial risk where it supports long-term asset sustainability", can help bridge the gap between immediate budget pressures and future sustainability priorities [4].

Once sustainability metrics are defined, tools like Oxand Simeo™ can simulate long-term investment scenarios to guide decision-making.

Optimizing Investment Plans with Oxand Simeo™

Manually balancing risk scores, budgets, and carbon goals is a daunting task. This is where Oxand Simeo™ simplifies the process. By running multi-year simulations – spanning anywhere from 5 to 30 years – teams can evaluate various budget scenarios, service outcomes, and sustainability pathways before finalizing their plans, all in alignment with ISO 55001 standards.

Oxand Simeo™ evaluates multiple factors simultaneously, including risk, lifecycle costs, compliance, energy performance, and CO₂ impact. This transparency allows teams to clearly understand trade-offs. For instance, they can test scenarios like delaying a medium-criticality refurbishment to fund a critical energy upgrade and immediately see how it affects portfolio risk and carbon goals. The result is an investment plan that balances costs, regulatory demands, and long-term sustainability targets effectively.

Rolling Out and Continuously Improving the Strategy

With a well-structured investment plan in place, the next step is to implement and refine your strategy for maximum effectiveness.

Building an Implementation Roadmap

Implementation should follow a clear and logical sequence: asset inventory, project prioritization, capital budgeting, stakeholder engagement, and execution. At each phase, decision gates ensure progress only continues when key KPIs are met [7]. This approach prevents costly missteps. For example, projects with poor planning in San Diego, California, ended up consuming 264% more funding than originally estimated [7].

To avoid similar pitfalls, checkpoints supported by KPI dashboards – tracking metrics like design completion, permit statuses, and risk score validation – are critical. These tools help mitigate scope creep, which impacts 52% of projects when requirements aren’t clearly defined during execution [7].

Once the rollout begins, maintaining the strategy’s relevance requires ongoing performance tracking and adjustments.

Tracking Performance and Refining the Plan

Using a dynamic risk register, schedule regular reviews to incorporate new data and adjust actions as needed [4]. A structured review schedule ensures no aspect of performance is overlooked:

| Review Frequency | Focus Area | Actions |
|---|---|---|
| Monthly | Operational Performance | Monitor KPI dashboards, assess critical risks, review incidents |
| Quarterly | Tactical Progress | Update risk register, track treatment plan completion rates |
| Annually | Strategic Alignment | Revise the Asset Management Plan, align budgets |
| Every 5 Years | Comprehensive Reassessment | Conduct full portfolio audits and overhaul strategies |

The risk register should be updated after significant events like major maintenance, unexpected failures, or condition changes [4]. As Sakthi Thangavelu, Senior Manager of Cyber Assurance at Glocert International, explains:

"A risk register for assets must be a living document – regularly updated with condition data, incident records, and changing risk profiles." [4]

Each risk exceeding the tolerance threshold must have an assigned owner and a detailed treatment plan with specific deadlines. Tracking the completion rate of these treatment actions is a straightforward way to measure the strategy’s effectiveness [4].

Consistent performance reviews not only improve operations but also simplify the audit process.

Producing Audit-Ready Reports with Oxand Simeo™

ISO 55001 auditors require a clear and traceable record – from initial criticality assessments to risk registers, maintenance strategies, and investment decisions [4]. Oxand Simeo™ simplifies this process by generating ISO 55001-compliant, audit-ready documentation directly from the platform. Since the platform captures every decision – risk scores, budget trade-offs, and sustainability goals – teams can easily demonstrate compliance without scrambling to piece together past actions. This creates a transparent and defensible record that supports both internal governance and external audits.

Conclusion: Key Steps for Building a Risk-Based Asset Management Strategy

Risk-based asset management works as a continuous cycle. Criticality assessments feed into maintenance planning, which then updates risk scores to inform how capital is allocated [4].

The process starts with a strong foundation: a centralized asset register combined with standardized assessments. This ensures that decisions are both well-supported and adaptable. Using a multi-criteria criticality framework – evaluating safety, environmental, operational, financial, and reputational factors – helps identify which assets need the most attention, even if their failure likelihood is minimal.

From this framework, investment decisions take shape. The risk-cost ratio is applied to prioritize projects that provide the most risk reduction per dollar spent. This approach ensures resources are directed where they’ll have the greatest impact. At the same time, sustainability factors like carbon footprint and energy performance are integrated into the decision-making process. The result? Investments that not only reduce risk but also support sustainability goals.

Sakthi Thangavelu, Senior Manager – Cyber Assurance at Glocert, emphasizes this point:

"The risk register should directly inform investment prioritization, maintenance planning, and resource allocation. If the register exists independently of decision-making, it adds no value." [4]

Tools like Oxand Simeo™ simplify this process by bringing data, risk, and investment decisions together in one platform. For organizations managing large portfolios, having a unified system makes the entire strategy easier to execute and audit.

FAQs

How do I choose consequence and likelihood scores?

To determine consequence scores, consider how an asset’s failure could affect key areas such as safety, environmental impact, operational performance, financial loss, and reputation. Use predefined severity levels that align with your organization’s tolerance for risk.

For likelihood scores, assess the probability of failure by looking at factors like the asset’s age, current condition, and maintenance history. Apply a rating scale (e.g., Rare to Almost Certain) and combine these scores to effectively prioritize risks.

What data do I need before using RBAM?

To get started with a risk-based asset management (RBAM) approach, you’ll need to gather detailed information about your assets. This includes specifics like the type of asset, age, location, replacement value, and remaining useful life. Beyond that, collect condition data such as inspection results and defect records, as well as performance data like failure history and downtime.

Don’t forget consequence data – things like impact assessments and safety reports – to understand the potential effects of asset failure. Lastly, include external factors, such as operating conditions, to evaluate environmental risks. Having this comprehensive dataset ensures you have a solid foundation for assessing risks and making informed decisions.

How often should I update the risk register?

Establishing formal review cycles for your risk register is a smart move. For instance, you could schedule monthly updates for critical risks and quarterly reviews for less urgent ones. These regular check-ins help keep the register "alive" by capturing changes in asset conditions and identifying new risks as they emerge. This way, it remains a dependable resource for making well-informed decisions.
