What can asset intensive industries gain by better managing operational risks?
At a glance
The physical safety of employees and the wider community affected by an organisation’s products, services and operations is paramount. The United States Bureau of Labor Statistics reported that private industry employers indicated 2.8 million nonfatal injuries and illnesses occurred in 2022, up from 7.5 percent from 2021. This data suggests that despite tighter regulations to ensure safe and healthy working conditions, incidents continue to rise. And while many factors can influence these injury and illness rates, including changes in industry practices, advancements in safety equipment and variations in reporting standards, more can be done to prevent harm from being done.
The energy, resources, mining, power generation, heavy industrial, and transport sectors, known as asset intensive industries, experience inherent hazards and threats to their operations, often referred to as operational risks. These operational risks can wreak havoc through incidents and accidents resulting in extensive property and environmental damage, loss of license to operate, tarnish reputations, and most concerningly, serious injuries as well as the loss of lives.
Workplace safety rules and environmental stewardship continue to be under the microscope, even more so for asset intensive industries. While organisations are intently looking to prevent incidents and protect assets, a lack of proper information mining hampers the recognition of the most significant operational risks. The most common response to risks occurs after the threat becomes an event. Investigations identify root causes, usually leading to additional controls, sometimes resulting in increased regulations. In some instances, lawsuits, fines, and reputation damage ensue.
What if leaders could identify and rank risks to then address what’s inside their control? Then using analysis indicators, leaders could continuously monitor controls and information management. This article gives organisations a framework to reposition operational risk as a strategic lever, with emphasis on being proactive and drawing on external learnings to prevent the unexpected from happening in the first place.
A framework for managing operational risk management in asset intensive industries
A successful operational risk program captures a holistic approach and aligned vision of risk. Integrating an approach that includes technology, processes, policies and whole-of-company business is critical. Approaching risk from a high-level perspective, while drilling down to the asset and function level, yields a prioritised plan that builds on the current state of capabilities for managing risks within the asset and functions. The end goal? Minimise unplanned downtime and avoid disruption from accidents, unplanned events, and asset failure. The framework below outlines how gathering risk-related information across the organisation leads to thoroughly distilled observations and recommendations that leaders can better leverage and inform decisions.
As a next step, leaders must consider risk management decisions and actions that include proactive, reactive and learning characteristics. This balanced approach provides multiple entry and feedback points that allows the organisation to apply the three-pronged model throughout the entire business lifecycle.
- Reactive: motivated where internal data is analysed, and learnings are shared.
- Learning: analysis of data and information from outside the company, including industry organisations. External analysis and benchmarking help identify potential best/leading practices for achieving a specific goal.
- Proactive: identify potential barriers and opportunities for success. The development of a balance of leading/lagging indicators flows from the controls put in place to measure courses of action.
The convergence of health, safety, environmental and operational risk
Organisations are evolving beyond the traditional "check-the box" compliance mentality to manage their risks and reduce financial and legal exposure. An industry leading practice called Operational Risk Management (ORM) has been established as a leading practice. ORM is the process that covers assessing risk, decision making, implementation of controls that feed into the acceptance, mitigation or avoidance of risk. It includes the process of risk analysis, strategy, and risk control to identify and lower risks across daily operations.
ORM focuses on the entire asset lifecycle model from design, commissioning and operation through retirement. Typically, capital projects and turnarounds tend to decrease the focus on health, safety and environmental (HSE) compliance activities. ORM brings holistic business process transformation and information management solutions to the table, moving toward managing project scheduling, compliance and over run costs. A holistic, integrated approach cuts the HSE and asset compliance challenge down.
Initiatives fail because they address only one or two of HSE elements. Challenges are compounded when HSE is viewed as a compliance task, so holistic solutions are difficult to achieve, versus something like a maintenance budget which is more robust given its ROI is typically more tangible.
However, forward-thinking organisations realise there is a direct correlation between reliability and overall safety performance. Identifying inter-related complex (technical) risk issues and solving the related problems with practical, value-based solutions is critical in the overall process. Tactical controls assessment developed as part of the risk register that identifies fundamental controls for the business or asset and applies a robust controls assessment framework segmenting core, key, and critical controls. For reference, core controls refer to the maintenance spend and allocation or segregation of duties. Key controls focus on competency assurance and standard operating procedures. And, critical controls cover the hazard and operability study, management of change, commission procedures and pre-start up safety reviews.
Routine asset maintenance requires the integration of numerous business processes and information systems to enable risk informed decision making. Notices of violations, loss of containment and downtime due to equipment failure are costly. Organisations are shifting toward continuous improvement and transparent business processes to sustain compliance. Leaders must be able to make timely HSE compliance and equipment availability decisions based on risk to avoid complex and costly outcomes. How do you begin to tackle this challenge?
Traditionally, HSE business processes are vetted in isolation. This leads to fractured management systems and typically Information Technology (IT) point solutions. Leaders can use the questions listed in this table to determine where they are on their risk journey and what areas they need to strengthen.
Putting operational risk into practice
The risks, illustrated as the holes in the diagram below, can be identified through incident analysis or an operational risk assessment that focuses on potentially high impact events and not outcome-based incidents. This will successfully lead to the identification of failures in a series of controls which can result in a top event and eventually consequences.
The risk view of high potential disruptive events needs to replace causal factor efforts spent on outcome-oriented event investigation.
Consider the potential of the event not the outcome, this will allow the functional business and asset to make better more informed decisions regarding their risk and their risk profile moving forward not looking back.
Mitigating operational risk involves a combination of risk, control and value creation strategies to reduce the impact of negative outcomes to keep your organisation focused on the task at hand rather than handling a constant stream of emergencies. Below are GHD’s sequential steps to establish and strengthen your risk management operating model.
1. Embed risk awareness across the organisation: develop a corporate-wide risk language, and standardised risk taxonomy. Instill a risk process that reflects the most appropriate level of risk appetite, and risk aversion for your organisation. Create a strong risk culture with direction, visibility, and tone set by leadership at the corporate, functional business, and asset levels.
2. Reinforce ownership and responsibility: identify key operational risk process owners and solicit their support, input, direction and guidance in the process. Get their buy-in for directional changes and course corrections involving the risk management process at the functional business and asset levels. Leverage these relationships to collectively assess the quality of the risk management process and protocols against industry practices.
3. Risks assessments and reviews: conduct risk assessments (enterprise, function, division) with the functional business or asset, and design and integrate risk frameworks, governance processes, metrics and tools to enable risk organisation at all levels. Targeted reviews on risks associated with special initiatives are also critical. Focus on assessment and investigation of potentially high impact events and only consider the outcome of an incident associated with compliance obligations and not causal factor analysis or garnering the attention of resources to conduct in depth incident investigations.
4. Identify tactical controls: an assessment should be developed as part of the risk register that identifies fundamental/foundational controls for the business/asset and applies a robust controls assessment framework segmenting core, key, and critical controls.
5. Understand and incorporate value framework approaches: including various models, risk-based cost benefit analysis, value driven-focused on key risks driving disproportionate gains/losses, risk optimisation, core strategic and operational decisions, line-function, facilitated by highly skilled staff. Create a robust control management framework, and leverage value across the risk and controls environment.
6. Identify and implement KPIs: prepare goals that incorporate a maturity level of balanced leading and lagging indicators, and then identify KPIs to achieve full risk transparency.
Operational risk management is a critical component of an organisation’s risk management strategy. While profitability is not the motivation for better managing operational risk, the bottom-line benefits to a decrease in reputational risk, lost days to injury and regulatory fines, as well as less budget allocation to rebuild and repair, can be quantified, and recognised. Contact us for more information on how you can strengthen your operational risk program.