Peter Bussey


Three Essential Capabilities for Operational Risk Management

And some considerations for implementing them

Published: Thursday, October 13, 2016 - 14:48

Operational risk management (ORM) centers on environmental, health, and safety (EHS) risks that can cause accidents or incidents anywhere that work takes place, whether it’s a manufacturing plant, an offshore drilling platform, a mine, or a marine terminal. This article will discuss why and how operational risks need to be managed effectively, the three essential ORM process capabilities, and considerations for implementation.

Operational risks are defined by their ability to lead to adverse events anywhere in an organization’s sphere of operations. The term ORM was first used widely in the financial services sector and then popularized starting about 2009 to describe the set of risks in industrial operations that could harm people, production, or the environment.

The high cost of poorly managed operational risks

Operational risks are tough to identify and even harder to control. Evidence of this is exposed in the decades-long string of high-profile industrial process-safety accidents, as well as the massive ongoing cost of occupational injuries and illnesses. How big is the problem? U.S. manufacturing employees alone experience nearly half a million significant injuries annually that require reporting to the Occupational Safety and Health Administration (OSHA), and direct employer costs for workers’ compensation were $88.5 billion in 2013, not to mention indirect costs that are much higher than that.

Where do operational risks come from?

Management system standards used in industry prescribe in general terms that organizations must use a systematic approach to identify, control, and monitor risks. This applies across areas like quality management systems (ISO 9001:2015), environmental management systems (ISO 14001:2015), and the Occupational Health and Safety Assessment Specification (OHSAS 18001), which will become ISO 45001 in December 2017. ISO 31000 provides requirements for an organization’s overall risk management processes.

Although the standards adequately define what should be done overall to manage risks proactively, it’s up to each organization to work out the details. A useful framework for ORM programs and processes is to think about the sources or types of activities that create risk or that identify it. Three of the most common are:
Event-driven: Risks that are recognizable as a result of adverse incidents such as injuries, property damage, and environmental pollution. Near-misses, safety observations, and audit findings also fall into this category. An example would be if a worker strains his back during a material handling task. What caused this?
Change-driven: Changes to production processes, equipment, personnel, procedures, and organization can be a main source of operational risk, and can introduce or change risks associated with a process or work area. An example would be if a process engineer wants to raise the temperature of a production process step. Will this introduce any new risks into the operation?
Performance-driven: Risks identified while conducting routine hazard assessments as part of a proactive risk-reduction program. An example would be during a routine job-hazard analysis in a machine shop, when potentially high noise exposures are identified near a grinding operation, and noise-exposure assessments are scheduled to see if any controls are needed.

Three must-have capabilities for effective operational risk management

Effective management of each of the sources of operational risks requires different process capabilities, and in some cases a combination. These three abilities should be in place and function effectively as part of any EHS management system in asset-intensive and high-risk industries:

1. Incident management: Enables a closed-loop process for recording EHS incidents of any type, including injuries, property damage, near-misses, and safety observations; investigating the incident and defining root causes; managing corrective and follow-up actions; and analysis and reporting.

Although incident management seems to be a reactive process, its greatest strength is to help organizations learn from conflicts, and take action to prevent them in the future. Incident management is a foundational capability for ORM and is often the first item on an EHS improvement road map, i.e., incident management applied to event-driven risks.

2. Management of change: When changes of any type occur in any aspect of operations, new risks are often introduced and are a frequent cause of incidents, including major process safety accidents such as the Deepwater Horizon accident. A management of change process enables staff to systematically identify, assess, and approve all relevant changes before they implement the modification. The management of change process may branch to further risk assessment and corrective processes before approval, and is applied to change-driven risks.

3. Risk assessment: A closed-loop process for identifying hazards in operations, analyzing and prioritizing the risks from these hazards (often by ranking them based on probability and consequences), implementing controls, and monitoring the ongoing effectiveness of those controls. The risk assessment process is usually part of proactive, continuous improvement efforts during which facilities, production systems, and work areas are systematically reviewed to mitigate operational risks. Risk assessment applies to performance-driven risks, as well as those driven by events and change.

Considerations for implementing ORM capabilities

Typically, these ORM processes have been managed with paper- and spreadsheet-based manual processes and homegrown solutions even in large organizations. During the past decade, there has been a widespread adoption of off-the-shelf software to streamline and automate them. Regrettably, many of these efforts have resulted in point solutions for incident management, management of change, and risk assessment siloed inside organizations and business functions.

The best approach is to integrate these processes as part of an overall EHS management platform because they mostly share the same data and are intertwined—for example, when a management of change assessment or incident investigation triggers a risk assessment process. Taking such an integrated approach to ORM also enables consistent analysis and reporting enterprisewide, which fosters better organizational learning and proactive risk control efforts.

Innovative technologies can make the integrated application platform even more powerful. Mobile apps can help capture (and deliver) more data and information to improve and speed up ORM processes. The industrial internet of things can help capture large volumes of operational data, which can be leveraged by big data analytics to provide sharper insights, and help organizations move to a more predictive mode in reducing operational risks.

The scope of ORM also must be considered. Does it go beyond EHS risks to include other domains, such as quality, asset performance management, or the supply chain? Does your organization need separate incident management, management of change, and risk assessment systems for the various domains, or does an integrated management systems approach make more sense?

ORM is a complex undertaking, but one that is essential to safeguarding people, productivity, and reputation. How does your organization stack up?

First published Sept. 6, 2016, on the LNS Research blog.


About The Author

Peter Bussey

Peter Bussey is lead research analyst for environment, health, and safety (EHS) and sustainability at LNS Research. Bussey conducts research on industry trends and best practices, and he advises EHS business leaders and technology providers in applying those insights in their organizations. His point of view is based on more than 30 years of experience in manufacturing, consulting, and information technology organizations, all focused on EHS management and related operation areas such as R&D, asset management, manufacturing, and supply chain.