Three Essential Capabilities for Operational Risk Management
And some considerations for implementing them

Peter Bussey
Published: Thursday, October 13, 2016 - 14:48

Operational risk management (ORM) centers on environmental, health, and safety (EHS) risks that can cause accidents or incidents anywhere that work takes place, whether it’s a manufacturing plant, an offshore drilling platform, a mine, or a marine terminal. This article will discuss why and how operational risks need to be managed effectively, the three essential ORM process capabilities, and considerations for implementation.

The high cost of poorly managed operational risks

Operational risks are defined by their ability to lead to adverse events anywhere in an organization’s sphere of operations. The term ORM was first used widely in the financial services sector and then popularized starting about 2009 to describe the set of risks in industrial operations that could harm people, production, or the environment. Operational risks are tough to identify and even harder to control. Evidence of this is exposed in the decades-long string of high-profile industrial process-safety accidents, as well as the massive ongoing cost of occupational injuries and illnesses.

How big is the problem? U.S. manufacturing employees alone experience nearly half a million significant injuries annually that require reporting to the Occupational Safety and Health Administration (OSHA), and direct employer costs for workers’ compensation were $88.5 billion in 2013, not to mention indirect costs much more than that.

Management system standards used in industry prescribe in general terms that organizations must use a systematic approach to identify, control, and monitor risks. This applies across areas like quality management system (ISO 9001:2015), environmental management system (ISO 14001:2015), and the Occupational Health and Safety Assessment Specification (OHSAS 18001), which will become ISO 45001 in December 2017. ISO 31000 provides requirements for an organization’s overall risk management processes. Although the standards adequately define what should be done overall to manage risks proactively, it’s up to each organization to work out the details.

Where do operational risks come from?

A useful framework for ORM programs and processes is to think about the sources or types of activities that create risk or that identify it. Three of the most common are:

• Event-driven: Risks that are recognizable as a result of adverse incidents such as injuries, property damage, and environmental pollution. Near-misses, safety observations, and audit findings also fall into this category. An example would be if a worker strains his back during a material handling task. What caused this?
• Change-driven: Changes to production processes, equipment, personnel, procedures, and organization can be a main source of operational risk, and can introduce or change risks associated with a process or work area. An example would be if a process engineer wants to raise the temperature of a production process step. Will this introduce any new risks into the operation?
• Performance-driven: Risks identified while conducting routine hazard assessments as part of a proactive risk-reduction program. An example would be during a routine job-hazard analysis in a machine shop, when potentially high noise exposures are identified near a grinding operation, and noise-exposure assessments are scheduled to see if any controls are needed.

Effective management of each of the sources of operational risks requires different process capabilities, and in some cases a combination.

Three must-have capabilities for effective operational risk management

These three abilities should be in place and function effectively as part of any EHS management system in asset-intensive and high-risk industries:

1. Incident management: Enables a closed-loop process for recording EHS incidents of any type, including injuries, property damage, near-misses, and safety observations; investigating the incident and defining root causes; managing corrective and follow-up actions; and analysis and reporting. Although incident management seems to be a reactive process, its greatest strength is to help organizations learn from conflicts, and take action to prevent them in the future. Incident management is a foundational capability for ORM and is often the first item on an EHS improvement road map, i.e., incident management applied to event-driven risks.

2. Management of change: When changes of any type occur in any aspect of operations, new risks are often introduced and are a frequent cause of incidents, including major process safety accidents such as the Deepwater Horizon accident. A management of change process enables staff to systematically identify, assess, and approve all relevant changes before they implement the modification. The management of change process may branch to further risk assessment and corrective processes before approval, and is applied to change-driven risks.

3. Risk assessment: A closed-loop process for identifying hazards in operations, analyzing and prioritizing the risks from these hazards (often by ranking them based on probability and consequences), implementing controls, and monitoring the ongoing effectiveness of those controls. The risk assessment process is usually part of proactive, continuous improvement efforts during which facilities, production systems, and work areas are systematically reviewed to mitigate operational risks. Risk assessment applies to performance-driven risks, as well as those driven by events and change.

Considerations for implementing ORM capabilities

Typically, these ORM processes have been managed with paper- and spreadsheet-based manual processes and homegrown solutions even in large organizations. During the past decade, there has been a widespread adoption of off-the-shelf software to streamline and automate them. Regrettably, many of these efforts have resulted in point solutions for incident management, management of change, and risk assessment siloed inside organizations and business functions.

The best approach is to integrate these processes as part of an overall EHS management platform because they mostly share the same data and are intertwined—for example, when a management of change assessment or incident investigation triggers a risk assessment process. Taking such an integrated approach to ORM also enables consistent analysis and reporting enterprisewide, which fosters better organizational learning and proactive risk control efforts.

Innovative technologies can make the integrated application platform even more powerful. Mobile apps can help capture (and deliver) more data and information to improve and speed up ORM processes. The industrial internet of things can help capture large volumes of operational data, which can be leveraged by big data analytics to provide sharper insights, and help organizations move to a more predictive mode in reducing operational risks.

The scope of ORM also must be considered. Does it go beyond EHS risks to include other domains, such as quality, asset performance management, or the supply chain? Does your organization need separate incident management, management of change, and risk assessment systems for the various domains, or does an integrated management systems approach make more sense?

ORM is a complex undertaking, but one that is essential to safeguarding people, productivity, and reputation. How does your organization stack up?

First published Sept. 6, 2016, on the LNS Research blog.

About The Author

Peter Bussey

Peter Bussey is lead research analyst for environment, health, and safety (EHS) and sustainability at LNS Research. Bussey conducts research on industry trends and best practices, and he advises EHS business leaders and technology providers in applying those insights in their organizations. His point of view is based on more than 30 years of experience in manufacturing, consulting, and information technology organizations, all focused on EHS management and related operation areas such as R&D, asset management, manufacturing, and supply chain.