Inconvenient Truth of Risk Management

By Mark Donnelly

This article will examine the gap I believe exists in the risk management

In many organisations today, even the big ones like BP, NASA and Transocean, I don’t think risk management, or more to the point the application of risk management, was being well applied, maybe not even taken that seriously; prior to their major incidents, that is. Sure, anyone can do a basic risk assessment if the one doing the assessment has any knowledge of safety (or common sense) and has their proactive safety glasses on. But there is more to mature risk management in complex organisations (organisations with many risks at all levels) than just looking for hazards and saying: this is dangerous for this reason, so we cannot do it; that is basic risk management.

“If safety management is the means of protection, then risk management would have to be the means to challenge”

History and many hindsight papers have surely proved bad risk management principles over and over again. The problem seems to be with human intuition at every level, which seems to forget prior learnings and moves on because too much effort is required to maintain the learnings. Many events throughout history (war, erosion, pollution, workplace incidents) that have resulted in a major catastrophe also back up this claim. Yes... I can say with pretty good evidence that we humans seem to enjoy making the same mistakes over and over again. Hence, I have come up with a better term to explain this dilemma: regression to the stupid (derived from the fact that humans collectively call themselves smart).

Risk Management within any organisation should be one of the most fundamental and proactive event mitigation systems within safety that, if done well, will take any organisation above and beyond just statutory compliance and general industry expectations, and contribute to sustainable development, growth and success (success being the key word here).

The management of risk in any medium to large size organisation should be managed by a specific specialised role, just like a lead auditor, investigator, project manager, quality role etc. All facets of risk throughout the operation should be synergised and directed through a central means so that it can then act in unison with the other key roles. Like any system, there has to be a central control point/hub to collect, direct and control information.

The consequence of not managing risk in its full capacity can be detrimental, both in cost and reputation. A good risk management system maintained by a risk officer can far outweigh the negative consequences of not proactively managing risk. I have often said; “workers should get paid on what they reduce in potential outcomes” meaning; if they have reduced a possible event that could have happened, where the outcome would have cost profit loss either by injury or damage, then this is the saving the company has made and therefore a percent of this saving should then belong to that person as a form of recognition for a job well done. Now wouldn’t that prevent a lot of accidents and be a very proactive measure if ever I did see one! And guess what, everyone wins.

What I find interesting in my observations in businesses is that a company will spend big dollars conducting a single incident investigation (and big dollars on outcomes and implementing change) and they accept this as something that had to be done to find the reason behind the unfortunate event; yet they won’t spend the money on a proactive complete risk mitigation system that could possibly save the organisation from losses.

Risk management, or more to the point, mature risk management goes above just standard compliance, risk assessments and safety management systems. Whilst in some organisations there seems to be a huge amount of time and investment put towards developing a safety culture and implementing a robust and comprehensive safety management framework in a holistic approach, such as training, drafting policies and procedures, commissioning plant and implementing various other safety systems and initiatives, the monitoring, auditing, analysing, evaluating, and treatment of risk is being mostly forgotten or left out. There seems to be a gap somewhere in-between identifying and monitoring. I feel this gap is the overarching “application” of all these steps, which in picture 1 would be the two arrows I have added on the two sides of the risk management process. The reason for this shortfall is, as with any maintenance program, that it costs time and money.

Picture 1 – The risk assessment process with the application arrows added. By application I mean it as the dictionary explains it; the act of applying to a particular use or purpose; thus the application of applying the risk process in an exacting exercise (the exercise of risk management).

Each step of the risk management process as shown in picture 1 has its own process of varying applications and levels of complexity, which are dependent on the size and operation of an organisation. You are not going to conduct a formal risk assessment to bang a nail in (unless, for the sake of this argument, you were banging the nail into a nuclear reactor high pressure hose for whatever reason). If you look at the “analyse risk” step for example, other than the learning about the risk, there are many tools that can be used to establish an appropriate result. It may take anything from a few hours to a few weeks to analyse one risk depending on the complexity level. If there are a few complex risks, then each risk may have to be analysed separately due to many variations and conditions, thus increasing the time to complete just this one step in the whole risk process.

Many organisations from small to large seem to get to a point of compliance in safety/risk management, and then they do not know what to do after that, or feel as though they have done enough; all the boxes are ticked, so to speak. Some of the audits I have been involved in to gain some safety certification have been given a pass on the basis that the organisation had everything in place; therefore, the system must be working or, worse still, good enough.

An analogy question I thought of at this point was; if you were going to determine whether a chef was a great chef or an ordinary chef, would you just look at his recipes? No, of course you wouldn’t; because the taste is in the pudding.

One audit I was once involved in was headed by an extremely pedantic senior auditor who had obviously been around and knew what auditing was all about. He was not interested in what was in the system; he wanted to see the working system. A completed dirty form was far better than the blank template. After this encounter of a third kind, I came up with 3 levels of auditing/auditor: (1) A; just show me what you got, (2) K; give me an example, (3) Z; let me see it in action. Obviously the best auditing/auditor level for the testing of the true application of a system is a type Z. This type of auditing/auditor, whether you are an internal or external auditor, truly tests the safety system in its entirety and ensures that what has been created is being used, hence ensures that the level of process meets the level of its leading application. In between these levels is, obviously, anything in-between, which is why I used AKZ.

If risks are not being managed appropriately, such as not allowing adequate time to be devoted to the risk management process, then risk is not being addressed at a level one should expect; it is simply not being managed and people are just going through the typical basic systems and motions. People, for the most part, in any organisation are at the mercy of a system. Risk management is the system that is there to control risks, and it should not be treated in a casual way, or casual incidents will occur from these casual factors.

I use the term casual in my safety philosophy as a way to describe the high percentage of accidents that occur in many workplaces every day. They are careless in nature; either through human factors (managers or workers) or other system failures that are not operating at full application.

If risk is not fully managed and controlled from an unwanted occurrence or observed hazard, then the same sort of event or release of the hazard will occur sometime down the track. There is a term for this called Regression to the Mean, for which I have great respect in its true meaning. Everything returns back to a constant if no up-keeping is maintained. You cut a forest down and leave it for a few hundred years and it will grow back to be a forest again. If you don’t maintain the management and education of the workforce, then risk (and the management of) will return back to the average. My saying here is “People are not robots, and many will do just enough to do what needs to be done, as nature has innately instilled into us”; this is how I use the regression to the mean for this point.

There would be many “Risks in Waiting” throughout many organisations; some not known, some known but not fully understood, some not shared, some not treated correctly, many ignored, many not challenged, some that senior management don’t even know about but should, or worse still, some that management do know about but don’t care. The function of hazard management is to find the things that can cause harm and damage, the function of risk management is to find the solutions, provide answers for those concerned and give an owner to that risk.

I feel it is a big jump up between the two steps, a step that is often too big to take for many organisations. I often use this analogy when describing this point; it’s easy to think up an idea (in a second), but to turn that idea into something tangible is a whole new ball game (it can take years to develop). This simply means that finding hazards is easy; managing them is the complex part.

No organisation today can afford to sit back and wait for incidents to happen before it acts: “the next big accident could be tomorrow...or today”. No-one knows for sure, just as described in the laws of probability, where it is impossible to know the outcome of any one event for sure.

Take the tragic Deepwater Horizon accident that killed 11 people and injured many more. On the day of the disaster, senior managers were on-site happily celebrating seven years of operation with zero lost time from incidents. As Mr Balot explains;

“The Gulf of Mexico disaster is a tragic example of celebrating the good but ignoring what could be going wrong,” says Origin Energy’s chief risk officer, Ben Balot.

“Transocean, the company which operated the site on behalf of BP, appear to have been very focused on managing personal safety risks, such as stairs and other trip hazards,” says Balot. “But they missed perhaps the most important one.”

All I can say here after understanding the failures related to this incident and many like it is; this is a typical scenario of how many organisations from around the world use incident trending, hazard counting, audit programs and lost time counts to determine their safety compliance and or maturity level. In my mind, these are by no means a proactive way to manage risk! How can they be? If an organisation is using the same inspections, and the same processes year in and year out, without challenging any process, without challenging people’s complacencies and perceptions, without checking what one would do in any given situation, then, in this case, I would say that it is no surprise that the big one happens.

Having missing controls, lax procedures, badly designed or maintained equipment, lack of management, and complacent workers - create high-risk “circumstance factors” that are likely to lead to a major event, even if the workplace is not high risk. Thus identifying and acting on these high-risk causal situations, or “precursors,” is the best means to prevent major events from occurring in the first place. A precursor is any practice that has not been recognised and or corrected in any checking system (audits/inspections). It could for example, be a safety control in a procedure that is routinely ignored. In such a case, the company could go for years with very low lost-time injury rates. Then suddenly out of the blue...a worker is killed.

I have worked in a few organisations over the years now, which has been great in terms of analysing different companies and seeing the common issues and failures I feel they have. I have seen the same shortfalls in nearly every organisation; they are compliant on safety systems, but not compliant on proactive system application, such as the important risk management process (accident investigations are not proactive in the first instance). Many of these organisations think that having a safety officer, a list of procedures and a zero harm policy is all they need, then wonder why they still have accidents.

Many incident investigations are quick to point towards worker human performance as a causal factor, as this is much easier and more cost effective to manage than, say, if it was a systems error. If risk assessment processes and supporting tools were actively facilitated, then there is a better than average chance that the accident would not have happened in the first place. This is the difference between being proactive in assessment principles or reactive.

In many companies, so much effort has been put into the development of the safety management system so as to have everything there for auditing (some companies paying a lot of money for a complete ready to go system), but no time was really given to manage and maintain the risk management process (application of) as described in risk management guidelines, codes of practice, ISOs and many other relevant documents where specific risk processes are described in more detail, hence why I am not going to delve into the tools and processes that can be used in this article.

I have heard the typical common phrases over the years such as “we have not had a serious incident for a while, so we are doing a great job in risk management”, “we passed our safe systems audit, so we are now a safe company, we even have a certificate to prove it which is hanging on the wall”...then “Deepwater” happens, and then everyone runs around spending profit and overreacting to a system that clearly had many shortfalls. In these cases, the causal factor evidence or in some cases as mentioned earlier, the casual factors mostly trended towards the fact that it was the lack of managing the risks both at the coalface and senior levels that failed in all its practical and proactive application.

Some organisations say that they don’t want to over-complicate risk management, more like they don’t want to give too much time to it because if done right, risk management does take a lot of time and effort from many people, time that people don’t either have or want to give. But look at the positive results; effort equals reward.

The message coming from a lot of recent major accidents such as the Deepwater Horizon and Piper Alpha incidents is this; “we simply overlooked the complex issues”.

Risk management is a complex issue because of the consequences, and because of the many contributing factors that can play a part in an unfortunate failure. Risk is also complex due to the many, what I call, “divergent pathways” any event may take for any particular scenario. Risk management is complex because it involves many levels of input. It is complex because controls need to be appropriately addressed and implemented. It is complex because it has to be made simple/non-complex by safety/risk professionals for the average worker to understand and use, and in some cases for senior management to understand.

There are many organisations that may not have had any serious incidents to date, but I would have it an objective guess that there would have been many near misses (dangerous events) that, if occurred, could have been catastrophic in nature. I have often asked this question to various employees and managers over the years; do you think the company is managing risk well? The majority of the feedback leans towards no. In the cases where people said yes or don’t know, it was further analysed that these people were either naive or just did not really understand the true application of risk management. This general consensus result should be treated as a sign that risk is not being well managed across the board, as shown in many statistics. As I have alluded to earlier in this paper, it most likely backs up with some accuracy the reason behind some of the major incidents of late; that risk is not being managed as it should.

There is something called a risk maturity chart/model which shows where a company might be sitting in relation to safety management. Again, out of the companies I have worked in, not many leaders or managers have ever seen this chart, let alone understand its value, which is kind of disappointing and leans towards the reason why so many safety systems fail. Sure, an organisation may have successfully passed an audit with flying colours, but the inner workings are not at the same level. An organisation has to be honest with itself to improve! There has to be at least a “Fred” from Our Iceberg is Melting, who is prepared to ask the hard questions and challenge the commonplace thinking, regardless of who it may offend.

I believe most organisations would probably sit somewhere between Managed/Reactive and Defined/Compliant. This would be based on their hazard registers, incident data, quality of procedures and any internal audit outcomes. There are 2 levels above defined; Measured/Proactive and Optimised/Resilient. I think if more organisations could move up to these levels, above the average region (mean), the cost in consequences would drop dramatically. Then the return on the risk management investment will be proven and granted a success.

Picture 2 – what a maturity chart looks like. Hudson and MIRM have developed some good papers on this topic.

The problem I have come to understand over time with this theory is that to move up a level, the balancing of the cost of implementation and maintenance of the system increases exponentially, in what I call “the weighing of the factual” as shown in picture 4. This is where each level or new height requires more commitment and control. This is a balance between protection and production.

Picture 3 - The biggest issue with risk management is of the weighing of the factual.

If you look at Heinrich’s work (I will use Heinrich as many people believe in his theories even though not all are proven in practice); he professes that among the direct and proximate causes of industrial accidents:

• 88% are unsafe acts of persons;

• 10% are unsafe mechanical or physical conditions;

• 2% are unpreventable.

According to Heinrich, with which I agree to some degree on some topics, human failure is the problem and psychology (behaviour) is an important element in correcting it, which is why many companies are going toward BBS programs. In this discussion of risk management, I won’t go into incident investigation and causal factors, but the interesting thing that we could probably use is the ratio (of sorts). Without any data to back up my claim, I think that reducing risks through the proper application would reduce accidents by at least 80%. I am not just talking about using procedures and training to manage risk either; I am talking about the risk of senior managers not being proactive in the whole system, not leading by example, allowing unsafe workers to stay because production needs them. This is a big risk and if anyone did a risk assessment just on this topic alone, I am sure some interesting facts may come to light. If a worker has an accident from a bad attitude, could the risk have been averted if management were more proactive? Risk management is mitigating risk and a worker with a bad attitude is a risk; they are a “human Risk” and human risks need to be eliminated or controlled also.

It must be noted here that my concern with BBS and human factor programs is that this thinking tries to put the onus onto the worker 88% of the time, thinking that psychology is the best way to manage it. If a lax attitude (from any level) or lax system caused the accident, then why was this failure not picked up? Why was this attitude allowed to continue to the point of creating the event in the first place? It may show that 88% of worker error was due to some other negligence. Also, looking at Heinrich’s domino effect in picture 4, I observed that in the taking out of a domino (worker) which caused the accident, the two dominos (systems or management) before the accident are neglected as a fault, therefore the underlying issue remains. An interesting topic to further discuss that I will leave for another paper, as many people hear of a theory and accept it as true without question.

Picture 4.

Many larger companies, from gaining better awareness and maturity, are now starting to focus more on risk management instead of just using the umbrella term “safety”. As a result, incidents are declining and profits are rising. This is because risks are being questioned and therefore better controlled. The more specialised role is proving to be a very valuable asset and long term investment. If organisations are expecting safety professionals to multitask (to cut costs), such as looking after training, safety advising, auditing, inspecting, environmental care, hazard management, risk management, behaviour and incident investigation, then this is going down the path of professionals knowing a little about everything, but not enough to be a subject expert or competent in their role.

This is when things are going to be missed, risks not noted; this is when accidents are going to happen. These missed things are going to be the “Deepwaters”, and as we all know, they can cost a lot of time and money to rectify. A risk assessment done on multitasking would have interesting results and again possibly show why accidents keep occurring. If a safety professional/safety champion is out doing their job; observing, questioning, doubting, educating, analysing etc, then I see no reason for a majority of accidents to occur in the first place.

Organisations of many kinds face many internal and external factors and influences that make risk uncertain; the extent to which they will achieve or exceed their risk management objectives is up to how much time, detail or commitment is given to the application of Risk Management by senior executives and managers.

The effect uncertainty has on any organisation’s objectives is “Ri$k”. I use the $ in the word as a leading indicator to add “value” to the term!

All activities within an organisation involve some level of risk. I feel that risk should be proactively managed by Foreseeing, Understanding and Deciding whether to modify anything (what I call the FUD process) that has an influence on an outcome. This can only really be done if there are people who are nominated as risk champions. If people are not allocated to a task, then most people won’t take on the ownership of it; this is human nature. Through this FUD process, all stakeholders should communicate and consult, monitor and review the risks and controls that are there mitigating the risk. Standard risk management philosophy that is well documented, I know, but ask; how well do you think your organisation is doing this?

Safety in many organisations is still very much a satellite chore of varying degrees. I find it confusing why people treat safety as a chore, when the whole purpose of safety is managing the welfare of workers. People hate being pulled up and told they are on a pathway to injury...I cannot even explain my confusion with this.

While all organisations manage risk to some degree (mostly at a basic level), there needs to be established a number of principles that ensure risk management will be effective and implemented. I believe many organisations should have a framework that further integrates the process for managing risk into the organisation's overall governance; strategy and planning, management commitment, reporting processes, policies, values and culture. The term Enterprise Risk Management (ERM) is growing in popularity and is something many senior managers should be investigating, especially if the organisation has many divisions.

Although the practice of risk management has been developed over time by many experts and across many sectors to meet the many assorted needs, the adoption of consistent processes within a comprehensive framework helps ensure that risk is managed effectively, professionally and logically across the whole organisation. When the risk management process is implemented and maintained, the management of risk enables organisations to:

• increase the likelihood of achieving safety objectives;

• encourage proactive risk management across the board;

• make aware of the need to identify and treat risk thoroughly throughout the organisation;

• improve the identification of opportunities and threats;

• achieve compatible risk management practices between management and workers;

• improve governance;

• improve stakeholder confidence and trust;

• establish a reliable basis for decision making and planning;

• improve controls;

• improve operational effectiveness and efficiency;

• enhance health and safety key performance;

• improve organisational resilience to unwanted events.

Below are some truths about risk I have based on observations;

Inconvenient Truth number 1- Risk management is easy.

Risk management is easy, if done by a committed and professional manager/officer of risk who knows the true application of risk management. Risk management done by anyone else is simply not done well enough. To manage risk, to really understand the complexity of the risk process, you need to allocate resources. When this occurs, things may not be missed.

Inconvenient Truth number 2- Anyone knows how to manage risk.

Yes, everyone, even a 2 year old knows how to manage risk to some degree. Risk is an innate function that is there to protect the self and or others. The real truth is; to manage risk to its full application; one must devote appropriate time and capture appropriate time from others to achieve positive outcomes. It is only through this process that risk will be managed properly.

Inconvenient Truth number 3 – It’s up to the workers to ensure risk is managed.

No, risk must be managed by officers, managers or professionals. This phrase has been made up by officers and managers of big organisations who have lost control over their workplace safety. It has been promoted so as to push their obligations back onto the workers, so that the blame always sits at the worker level. No officer or manager wants to take ownership of something that might show their failures, misunderstandings or laziness.

Inconvenient Truth number 4 – Managing risk is about changing one’s safety psychology.

Unless safety professionals are also now required to be fully qualified psychiatrists, I doubt there will be any means to proficiently apply psychology in any safety programme. We can influence a change in behaviour, but we cannot make workers robots.

So, risk management is growing in popularity. This is because it is more protective in nature (if done at a mature level) than any other safety program or system. Training is great as it teaches how to do something; Incident investigation is great to learn how something went wrong; Auditing is great because it checks how or if things are being done. Risk management though is the pinnacle system, because out of all the other systems, risk management is used in some way in all other systems.

Look, risk management is easy...to the risk specialist that is.