Featured Product
This Week in Quality Digest Live
Management Features
Constance Noonan Hadley
The time has come to check whether the benefits of teamwork still outweigh the costs
Naresh Pandit
Enter the custom recovery plan
Anton Ovchinnikov
In competitive environments, operational innovation could well be the answer to inventory risk
Julie Winkle Giulioni
The old playbook probably won't work
Sarah Schiffling
But supply chains will get worse before they get better

More Features

Management News
Program inspires leaders to consider systems perspective for continuous improvement and innovation
Recent research finds organizations unprepared to manage more complex workforce
Attendees will learn how three top manufacturing companies use quality data to predict and prevent problems, improve efficiency, and reduce costs
More than 40% of directors surveyed cite the ability of companies to execute as one of the biggest threats to improving ESG performance
MIT Sloan study shows that target-independent compensation systems can be superior
Steps that will help you improve and enhance your employee recruitment, retention, and engagement
300 Talent acquisition leaders and HR executives from companies gather in Kansas City
FedEx demonstrates commitment to customer-focused continuous improvement

More News

Peter Bussey

Management

Three Essential Capabilities for Operational Risk Management

And some considerations for implementing them

Published: Thursday, October 13, 2016 - 14:48

Operational risk management (ORM) centers on environmental, health, and safety (EHS) risks that can cause accidents or incidents anywhere that work takes place, whether it’s a manufacturing plant, an offshore drilling platform, a mine, or a marine terminal. This article will discuss why and how operational risks need to be managed effectively, the three essential ORM process capabilities, and considerations for implementation.

Operational risks are defined by their ability to lead to adverse events anywhere in an organization’s sphere of operations. The term ORM was first used widely in the financial services sector and then popularized starting about 2009 to describe the set of risks in industrial operations that could harm people, production, or the environment.

The high cost of poorly managed operational risks

Operational risks are tough to identify and even harder to control. Evidence of this is exposed in the decades-long string of high-profile industrial process-safety accidents, as well as the massive ongoing cost of occupational injuries and illnesses. How big is the problem? U.S. manufacturing employees alone experience nearly half a million significant injuries annually that require reporting to the Occupational Safety and Health Administration (OSHA), and direct employer costs for worker’s compensation were $88.5 billion in 2013, not to mention indirect costs much more than that.

Where do operational risks come from?

Management system standards used in industry prescribe in general terms that organizations must use a systematic approach to identify, control, and monitor risks. This applies across areas like quality management system (ISO 9001:2015), environmental management system (ISO 14001:2015), and the Occupational Health and Safety Assessment Specification, (OHSAS 18001), which will become ISO 45001 in December 2017. ISO 31000 provides requirements for an organization’s overall risk management processes.

Although the standards adequately define what should be done overall to manage risks proactively, it’s up to each organization to work out the details. A useful framework for ORM programs and processes is to think about the sources or types of activities that create risk or that identify it. Three of the most common are:
Event-driven: Risks that are recognizable as a result of adverse incidents such as injuries, property damage, and environmental pollution. Near-misses, safety observations, and audit findings also fall into this category. An example would be if a worker strains his back during a material handling task. What caused this?
Change-driven: Changes to production processes, equipment, personnel, procedures, and organization can be a main source of operational risk, and can introduce or change risks associated with a process or work area. An example would be if a process engineer wants to raise the temperature of a production process step. Will this introduce any new risks into the operation?
Performance-driven: Risks identified while conducting routine hazard assessments as part of a proactive risk-reduction program. An example would be during a routine job-hazard analysis in a machine shop, when potentially high noise exposures are identified near a grinding operation, and noise-exposure assessments are scheduled to see if any controls are needed.

Three must-have capabilities for effective operational risk management

Effective management of each of the sources of operational risks requires different process capabilities, and in some cases a combination. These three abilities should be in place and function effectively as part of any EHS management system in asset-intensive and high-risk industries:

1. Incident management: Enables a closed-loop process for recording EHS incidents of any type, including injuries, property damage, near-misses, and safety observations; investigating the incident and defining root causes; managing corrective and follow-up actions; and analysis and reporting.

Although incident management seems to be a reactive process, its greatest strength is to help organizations learn from conflicts, and take action to prevent them in the future. Incident management is a foundational capability for ORM and is often the first item on an EHS improvement road map, i.e., incident management applied to event-driven risks.

2. Management of change: When changes of any type occur in any aspect of operations, new risks are often introduced and are a frequent cause of incidents, including major process safety accidents such as the Deepwater Horizon accident. A management of change process enables staff to systematically identify, assess, and approve all relevant changes before they implement the modification. The management of change process may branch to further risk assessment and corrective processes before approval, and is applied to change-driven risks.

3. Risk assessment: A closed-loop process for identifying hazards in operations, analyzing and prioritizing the risks from these hazards (often by ranking them based on probability and consequences), implementing controls, and monitoring the ongoing effectiveness of those controls. The risk assessment process is usually part of proactive, continuous improvement efforts during which facilities, production systems, and work areas are systematically reviewed to mitigate operational risks. Risk assessment applies to performance-driven risks, as well as those driven by events and change.

Considerations for implementing ORM capabilities

Typically, these ORM processes have been managed with paper- and spreadsheet-based manual processes and homegrown solutions even in large organizations. During the past decade, there has been a widespread adoption of off-the-shelf software to streamline and automate them. Regrettably, many of these efforts have resulted in point solutions for incident management, management of change, and risk assessment siloed inside organizations and business functions.

The best approach is to integrate these processes as part of an overall EHS management platform because they mostly share the same data and are intertwined—for example, when a management of change assessment or incident investigation triggers a risk assessment process. Taking such an integrated approach to ORM also enables consistent analysis and reporting enterprisewide, which fosters better organizational learning and proactive risk control efforts.

Innovative technologies can make the integrated application platform even more powerful. Mobile apps can help capture (and deliver) more data and information to improve and speed up ORM processes. The industrial internet of things can help capture large volumes of operational data, which can be leveraged by big data analytics to provide sharper insights, and help organizations move to a more predictive mode in reducing operational risks.

The scope of ORM also must be considered. Does it go beyond EHS risks to include other domains, such as quality, asset performance management, or the supply chain? Does your organization need separate incident management, management of change, and risk assessment systems for the various domains, or does an integrated management systems approach make more sense?

ORM is a complex undertaking, but one that is essential to safeguarding people, productivity, and reputation. How does your organization stack up?

First published Sept. 6, 2016, on the LNS Research blog.

Discuss

About The Author

Peter Bussey’s picture

Peter Bussey

Peter Bussey is lead research analyst for environment, health, and safety (EHS) and sustainability at LNS Research. Bussey conducts research on industry trends and best practices, and he advises EHS business leaders and technology providers in applying those insights in their organizations. His point of view is based on more than 30 years of experience in manufacturing, consulting, and information technology organizations, all focused on EHS management and related operation areas such as R&D, asset management, manufacturing, and supply chain.