Operational Risk Management (ORM) centers on Environmental, Health, and Safety (EHS) risks that can cause accidents or incidents anywhere work takes place, whether it's a manufacturing plant, an off-shore drilling platform, a mine, a marine terminal, and so forth. This post will discuss why and how operational risks need to be managed effectively, the three essential ORM process capabilities, and considerations for implementation.
Operational risks are defined by their ability to lead to adverse events anywhere in an organization’s sphere of operations. The term ORM was first used widely in the financial services sector, and then popularized starting about 2009 to describe the set of risks in industrial operations that could harm people, production, or the environment.
The High Cost of Poorly Managed Operational Risks
Operational risks are tough to identify, and even harder to control. Evidence of this is exposed in the decades-long string of high-profile industrial process safety accidents, as well as the massive ongoing cost of occupational injuries and illnesses. How big is the problem? U.S. manufacturing employees alone experience nearly half a million significant injuries annually that require reporting to OSHA, and employer direct costs for Worker’s Compensation were $88.5 billion in 2013, not to mention indirect costs much more than that.
Where Do Operational Risks Come From?
Management system standards used in industry prescribe in general terms that organizations need to use a systematic approach to identify, control, and monitor risks. This applies across areas like quality (ISO 9001), environmental management (ISO 14001), and occupational health and safety (OHSAS 18001, and someday ISO 45001). ISO 31000 provides requirements for an organization’s overall risk management processes.
Although the standards adequately define what should be done overall to manage risks proactively, it's up to each organization to work out the details. A useful framework for ORM programs and processes is to think about the sources or types of activities that create risk or identify it.
- Event-driven: Risks that are recognizable as a result of adverse incidents such as injuries, property damage, environmental releases, etc. Near-misses, safety observations, and audit findings also fall into this category. An example would be a worker straining his back during a material handling task. What caused this?
- Change-driven: Changes to production processes, equipment, personnel, procedures, organization, etc. can be a main source of operational risk, and can introduce or change risks associated with a process or work area. An example would be a process engineer who wants to raise the temperature of a production process step. Will this introduce any new risks into the operation?
- Performance-driven: Risks identified while conducting routine hazard assessments as part of a proactive risk reduction program. For example, during a routine job hazard analysis in a machine shop, potentially high noise exposures are identified near a grinding operation, and noise exposure assessments are scheduled to see if any controls are needed.
3 Must-Have Capabilities for Effective Operational Risk Management
Effective management of each of the sources of operational risks requires different process capabilities, and in some cases a combination. These three abilities should be in place and function effectively as part of any EHS management system in asset-intensive and high-risk industries:
1. Incident Management (IM) - Enables a closed-loop process for recording EHS incidents of any type (including injuries, property damage, near-misses, and safety observations), investigating the incident and defining root causes, managing corrective and follow-up actions, and analysis and reporting.
Although incident management seems to be a reactive process, its greatest strength is to help organizations to learn from conflicts, and take action to prevent them in the future. IM is a foundational capability for ORM and is often the first item on an EHS improvement roadmap. IM is applied to event-driven risks.
2. Management of Change (MOC) - When changes of any type occur in any aspect of operations, new risks are often introduced and are a frequent cause of incidents, including major process safety accidents such as the Deepwater Horizon accident. An MOC process enables staff to systematically identify, assess, and approve all relevant changes before they implement the modification. The MOC process may branch to further risk assessment and corrective processes before approval, and is applied to change-driven risks.
3. Risk Assessment (RA) - A closed-loop process for identifying hazards in operations, analyzing and prioritizing the risks from these hazards (often by ranking them based on probability and consequences), implementing controls, and monitoring the ongoing effectiveness of those controls. The risk assessment process is usually part of proactive continuous improvement efforts in which facilities, production systems, and work areas are systematically reviewed to mitigate operational risks. RA applies to performance-driven risks, as well as those driven by events and change.
Considerations for Implementing ORM Capabilities
Historically, these ORM processes have typically been managed with paper- and spreadsheet-based manual processes and home-grown solutions, even in large organizations. Over the past decade, there has been widespread adoption of off-the-shelf software to streamline and automate them. Regrettably, many of these efforts have resulted in point solutions for IM, MOC, and RA siloed inside organizations and business functions.
The best approach is to integrate these processes as part of an overall EHS management platform, as they mostly share the same data and are intertwined; for example, when an MOC assessment or incident investigation triggers a risk assessment process. Taking such an integrated approach to ORM also enables consistent analysis and reporting enterprise-wide, which fosters better organizational learning and proactive risk control efforts.
Innovative technologies can make the integrated application platform even more powerful. Mobile apps can help capture (and deliver) more data and information to improve and speed up ORM processes. The Industrial Internet of Things (IIoT) can help capture large volumes of operational data, which can be leveraged by Big Data Analytics to provide sharper insights, and help organizations move to a more predictive mode in reducing operational risks.
The scope of ORM also needs to be considered. Does it go beyond EHS risks to include other domains such as quality, Asset Performance Management (APM), or supply chain? Does your organization need separate IM, MOC, and RA systems for the various domains, or does an integrated management systems approach make more sense?
ORM is a complex undertaking, but one that is essential to safeguarding people, productivity, and reputation. How does your organization stack up?