On Wednesday, April 25, LNS Research hosted the webcast, “Integrated Risk Management: Five Strategies to Drive Operational Excellence.” The presentation examined why integrated risk management is the best way to reduce the likelihood and impact of negative outcomes to people, products, operations, the environment, and profitability plus deliver strategic value to the enterprise.
Q1: What’s new and different with the 2018 update of ISO 31000?
A1: The ISO 31000 risk management guidelines were first released in 2009 and revised in early 2018. These guidelines provide a framework for managing all risk types in any organization. The 2018 revision is shorter, simpler, and more concise, making it easier to understand and use. Aside from the style changes, the principles have been revised with an emphasis on the role of risk management in value creation and protection. Integration of risk management into all parts of the business is further emphasized, as are leadership and commitment. The definition of risk now centers on managing uncertainty. Overall, the guidelines are more flexible and focused on ensuring risk is incorporated into business planning, strategy, and execution.
Q2: What are some factors to consider if we’re trying to decide whether and how to integrate risk management processes and frameworks?
A2: This is a great question because one of the core principles of risk management is to align and integrate it with the fabric of the business. Another principle is that risk management should be tailored to the organization and proportionate to the risks the company faces. So yes, integration is a key objective, but how it’s implemented in each organization is going to look different. Some key factors to consider are the organization’s risk profile (which is largely dependent on industry sector), the maturity of current risk programs and systems, the scale and complexity of operations, and readiness for change. One aspect that is mandatory in all organizations is integration into business planning and strategy, which involves top management.
Q3: What are some other examples of using Industry 4.0 digital technologies to better manage risk?
A3: Proactive ergonomic risk mitigation and developing leading indicators to manage environment, health, and safety (EHS) performance are good examples of use cases that leverage the Industrial Internet of Things (IIoT), information technology (IT)/operational technology (OT) convergence, and Big Data analytics. With ergonomic risk mitigation, workers wear sensor-equipped vests that generate large volumes of data on biomechanical parameters. This data can be analyzed to identify risk patterns and trends for control and prevention. The leading indicator use case involves applying advanced analytics to diverse sets of data from operational and business systems to identify factors associated with positive and negative outcomes, and then using those findings to control risk. This is a move toward predictive and prescriptive risk management and performance improvement.
Q4: What are the major stumbling blocks to integrated risk management?
A4: Our research shows that silos of data, information, process, and organization are the main challenges to EHS performance improvement and Operational Excellence. Siloed data results in disconnected processes and a lack of visibility and control over performance. The polls taken during the webcast provide an interesting perspective. We asked participants to indicate which risk management core principles were implemented in their organization. The ones that came up most short had to do with organizational alignment, integration of risk into all parts of the business, and incorporation of cultural and human factors. These are evidence of organizational, process, and technology silos undermining the risk management program.
Q5: How do the ISO management systems standards like 9001, 14001, and 45001 influence integrated risk management?
A5: Most industrial organizations have implemented one or more domain-specific management systems in areas like quality, health and safety, asset, and environmental management. Even if an organization doesn’t adopt and implement risk management-specific guidelines like ISO 31000 or the COSO Enterprise Risk Management guidance, the management system standards themselves provide a great vehicle for bringing order and standardization to risk management and integrating it with the business. These standards are well on the way to being harmonized. ISO 9001, 14001, and 45001 now share the same high-level structure and common language, including risk management requirements. Together with the recent update of ISO 31000, these standards provide an excellent opportunity to consider standardizing and integrating risk management across business domains.