
The 3 Essential Capabilities Needed for Operational Risk Management https://blog.lnsresearch.com/the-3-essential-capabilities-needed-for-ope...

Peter Bussey

Operational Risk Management (ORM) centers on Environmental, Health, and
Safety (EHS) risks that can cause accidents or incidents anywhere work takes
place, whether it's a manufacturing plant, an off-shore drilling platform, a mine, a
marine terminal, and so forth. This post will discuss why and how operational
risks need to be managed effectively, the three essential ORM process capabilities,
and considerations for implementation.

Operational risks are defined by their ability to lead to adverse events anywhere in
an organization’s sphere of operations. The term ORM was first used widely in the
financial services sector, and then popularized starting about 2009 to describe the
set of risks in industrial operations that could harm people, production, or the
environment.

The High Cost of Poorly Managed Operational Risks

Operational risks are tough to identify, and even harder to control. Evidence of
this is exposed in the decades-long string of high-profile industrial process safety
accidents, as well as the massive ongoing cost of occupational injuries and
illnesses. How big is the problem? U.S. manufacturing employees alone
experience nearly half a million significant injuries annually that require reporting
to OSHA, and employer direct costs for Worker's Compensation were $88.5
billion in 2013, not to mention indirect costs much more than that.

Where Do Operational Risks Come From?

Management system standards used in industry prescribe in general terms that
organizations need to use a systematic approach to identify, control, and
monitor risks. This applies across areas like quality (ISO 9001), environmental
management (ISO 14001), and occupational health and safety (OHSAS 18001, and
someday ISO 45001). ISO 31000 provides requirements for an organization's
overall risk management processes.

Although the standards adequately define what should be done overall to manage
risks proactively, it's up to each organization to work out the details. A useful
framework for ORM programs and processes is to think about the sources or types
of activities that create risk or identify it.

Event-driven: Risks that are recognizable as a result of adverse incidents such as
injuries, property damage, environmental releases, etc. Near-misses, safety
observations, and audit findings also fall into this category. An example would be
a worker straining his back during a material handling task. What caused this?

Change-driven: Changes to production processes, equipment, personnel,
procedures, organization, etc. can be a main source of operational risk, and can
introduce or change risks associated with a process or work area. An example
would be a process engineer who wants to raise the temperature of a production
process step. Will this introduce any new risks into the operation?

Performance-driven: Risks identified while conducting routine hazard
assessments as part of a proactive risk reduction program. An example would be
a routine job hazard analysis in a machine shop during which potentially high noise
exposures are identified near a grinding operation, and noise exposure
assessments are scheduled to see if any controls are needed.

3 Must-Have Capabilities for Effective Operational Risk Management

Effective management of each of the sources of operational risks requires different
process capabilities, and in some cases a combination. These three abilities should
be in place and function effectively as part of any EHS management system in
asset-intensive and high-risk industries:


1. Incident Management (IM) - Enables a closed-loop process for recording
EHS incidents of any type (including injuries, property damage, near-misses, and
safety observations), investigating the incident and defining root causes,
managing corrective and follow-up actions, and analysis and reporting.

Although incident management seems to be a reactive process, its greatest
strength is to help organizations to learn from conflicts, and take action to prevent
them in the future. IM is a foundational capability for ORM and is often the first
item on an EHS improvement roadmap. IM applies to event-driven risks.

2. Management of Change (MOC) - When changes of any type occur in any
aspect of operations, new risks are often introduced and are a frequent cause of
incidents, including major process safety accidents such as the Deepwater Horizon
accident. An MOC process enables staff to systematically identify, assess, and
approve all relevant changes before they implement the modification. The MOC
process may branch to further risk assessment and corrective processes before
approval, and is applied to change-driven risks.

3. Risk Assessment (RA) - A closed-loop process for identifying hazards in
operations, analyzing and prioritizing the risks from these hazards (often by
ranking them based on probability and consequences), implementing controls,
and monitoring the on-going effectiveness of those controls. The risk assessment
process is usually part of proactive continuous improvement efforts in which
facilities, production systems, and work areas are systematically reviewed to
mitigate operational risks. RA applies to performance-driven risks, as well as
those driven by events and change.

Considerations for Implementing ORM Capabilities

Historically these ORM processes have typically been managed with paper- and
spreadsheet-based manual processes and home-grown solutions even in large
organizations. Over the past decade, there has been widespread adoption of
off-the-shelf software to streamline and automate them. Regrettably, many of these
efforts have resulted in point solutions for IM, MOC, and RA siloed inside
organizations and business functions.

The best approach is to integrate these processes as part of an overall EHS
management platform, as they mostly share the same data and are intertwined;
for example when a MOC assessment or incident investigation triggers a risk
assessment process. Taking such an integrated approach to ORM also enables
consistent analysis and reporting enterprise-wide, which fosters better
organizational learning and proactive risk control efforts.


Innovative technologies can make the integrated application platform even more
powerful. Mobile apps can help capture (and deliver) more data and information
to improve and speed up ORM processes. The Industrial Internet of Things (IIoT)
can help capture large volumes of operational data, which can be leveraged by Big
Data Analytics to provide sharper insights, and help organizations move to a more
predictive mode in reducing operational risks.

The scope of ORM also needs to be considered. Does it go beyond EHS risks to
include other domains such as quality, Asset Performance Management (APM), or
supply chain? Does your organization need separate IM, MOC, and RA systems for
the various domains; or does an integrated management systems approach make
more sense?

ORM is a complex undertaking, but one that is essential to safeguarding people,
productivity, and reputation. How does your organization stack up?
