industrial firms must embed risk based thinking into their operations

INDU

Copyright © 2015 E.I. du Pont de Nemours and Company. All rights reserved. The DuPont Oval Logo, DuPont™, and The miracles of science™ are registered trademarks or trademarks of

DuPont or its affiliates.

1

INDUSTRIAL FIRMS MUST EMBED RISK BASED

THINKING INTO THEIR OPERATIONS

Risk-based thinking is not a new concept for firms. The consideration of business risks has

always formed a core component of executive team discussions and the approach and

framework for understanding and analyzing these risks has changed little over many years,

reflecting a relatively stable operational landscape. In recent years however, rapid and

profound shifts in the operational landscape of firms, particularly those operating in the

industrial sector, has seen the breakdown of these frameworks. Firms are now more global

than ever with larger and more complex supply chains. Firms need to manage an ever

expanding list of legislative requirements and the explosion in social media means their

activities are scrutinized more closely than ever before. This combination of factors demands

firms overhaul their operational risk management (ORM) strategies and make them relevant for

today’s unique and evolving business challenges.

While firms increasingly accept the need to transform their ORM strategies, many are struggling

with how to design a strategy which is appropriate for today’s more complex operational

landscape. In tackling this issue, firms are seeking answers to a core set of questions. What

does ORM mean to my business? Where are the issues with my firm’s approach to ORM? What

is the business value in enhancing the ORM strategy and approach at my firm? What is the

relationship between ORM and Operational Excellence (OE)?

To answer these questions, DuPont Sustainable Solutions (DSS) commissioned independent

analyst firm Verdantix to undertake an independent research study involving interviews with 75

senior leaders. A total of 66 interviews were conducted with firms from the following eight

industries: Chemicals/Fertilizer/Petrochemicals, Food & Beverage Manufacturing, Healthcare,

Mining & Metals, Oil & Gas Downstream, Oil & Gas Upstream, Transport, Utilities. A further

nine interviews were conducted with affiliated trade associations. The senior leaders from the

66 industrial firms were almost all in risk or operational roles (59 interviews) with the remaining

seven interviews conducted with individuals in environment, health and safety (EH&S) and

project management roles. The interviewees were located across the following ten countries:

Australia, Canada, France, Germany, UK, USA, China, India, Saudi Arabia and the United Arab

Emirates. All firms (excluding the trade associations) have annual revenues in excess of $1

billion.

INDU



2



Firms Demand Comprehensive Upgrades to Established ORM Programs

Effective risk management has never been more critical for large businesses. Today, these

businesses are forced to wrestle with increasingly complex supply chains, a growing roster of

legislative requirements and unprecedented social-media fueled scrutiny of their operations.

With risk management growing in significance, to what extent do firms have suitable

operational risk management (ORM) programs in place?

ORM programs are widely deployed. Across the 66 interviews with industrial sector

firms, 91% stated that ORM had been adopted in some way across their organization

(see figure 1). Only 3% of firms had no ORM program in place.

Figure 1, n=66

INDU



3



ORM programs vary by sector. At the highest possible level, ORM programs are

concerned with assessing, prioritizing, mitigating and monitoring risks across the entire

operational footprint of an organization. While this overarching definition carries broad

agreement, applying this to different sectors creates divergence in terms of the focus of

the programs.

“I think the definition of operational risk management varies. Mining & Metals, Oil &Gas and heavy manufacturing are deeply focused on employee and public safety” (Finance Industry Association) “I always look at ORM in terms of license to operate. You need to make sure you are complying with all regulations and rules related to environment, energy, emissions, safety and health. You need to ensure the product is at the right quality, is safe to use, can be transported safely and securely and that through all this, your business remains competitive” (Steel Association)

Firms favor health and safety metrics for assessing operational risk. Interviewees were

asked to provide examples of metrics they used to assess operational risk. While there

was significant variation in the responses received, health and safety related metrics

emerged strongly including injury rate, incident rate and lost time with injuries

“Assessment of work-related Injuries is how we assess performance.” (Transport)

Firms target widespread improvements to ORM programs. The interviewees from the

industrial firms were asked how important it is for their firm to improve performance

across five major areas of ORM over the next 12 months (see figure 2). Across each area,

at least 75% of firms said it was important or very important to improve performance

over the next year. “Risk control processes and governance” was the area that recorded

the highest number of responses in the very important category (45%) and “Setting risk

targets” was the area with the highest number of very important and important

responses (86%).

INDU



4



Figure 2, n=66

Safety, Compliance, and Reputation Drive Investment in ORM

Large industrial firms have established a shared understanding of ORM and most have some

sort of ORM program in place. What are the drivers behind this widespread adoption? In which

parts of the business is ORM most important? This research reveals some distinctive trends:

Safety is the most critical driver for ORM. When asked to rate the importance of eight

separate drivers for investing in ORM, 85% of firms rated safety as “very important” –

higher than any other driver (see figure 3). This trend emerges again when interviewees

are asked to identify the operational areas in which ORM is most important. In this

question, employee safety emerges as the most important area with 82% of interviews

rating this as “very important” (see figure 4).

“Employee safety and health is our major operational risk” (Oil & Gas, Upstream)

INDU



5



Figure 3, n=66

INDU



6



Figure 4, n=66

Compliance continues to drive spending on ORM. Compliance has traditionally been

seen as the most prominent driver in risk management and ORM. This research still

shows it as a key driver (with 74% of interviewees rating it as “very important”) but

secondary to safety. Compliance-focused ORM can vary in maturity level, spanning from

Excel based audits to the integration of comprehensive regulatory databases.

“We need to keep on top of changes to environmental regulations as it impacts every

part of our business, from manufacturing through to distribution. We have realized that

we may have to spend more on complying with regulations than planned” (Food &

Beverage)

INDU



7



Firms invest in ORM to steer clear of reputational issues. Reputation is the third

highest rated driver for investment into ORM with nearly 90% of respondents describing

it as ‘important’ or ‘very important’. It is also worth noting that reputation is often a

highly significant secondary driver of ORM. Some interviewees stated that safety and

compliance risks have to be effectively managed in order to protect business reputation.

“Firms in high hazard industries are very aware that if a serious event occurs the

ultimate price could be the future of the firm. Firms have been known to disappear as a

result of serious incidents” (Chemicals Industry Association)

Avoiding unplanned shutdowns is an important ORM driver for 96% of firms.

Unplanned shutdowns can be highly damaging to the cash flow positions of

organizations. They typically carry with them a level of urgency which forces

management attention to be diverted from executing on broader strategic plans. While

a greater number of respondents classified ‘maintain license to operate’ as a very

important driver, unplanned shutdowns are considered significant due to the near

unanimous view that it was either an important or very important driver.

“The fact is that if you do proper maintenance of your assets, you will not have

operational problems, unplanned shutdowns, or unplanned costs.”

(Food and Beverage Manufacturing)

ORM drives improved Operational Excellence performance. While not included as a

specific option within figure 3, a number of the interviewees commented on how ORM

was being used as a tool to drive better performance in their operational excellence

(OE) programs. The trade association interviews revealed that rather than treating ORM

as a “check the box” exercise, leading firms are looking at the long- term benefits of

ORM by focusing not only on significant operational risks, but also changing customer

requirements and even opportunities to develop new offerings.

“Operational risk management is the critical review of operations that feed into your

operational excellence program. (Mining & Metals Industry Association)

INDU



8



Firms Face Headwinds in Deploying Effective ORM Programs

There are a number of powerful factors driving investment in ORM including safety, compliance

and reputational concern. Most firms have responded to these drivers by developing an ORM

strategy but this alone is not sufficient for an effective ORM program. In order to be successful,

it is imperative the ORM strategy focuses on the relevant areas of the business. With a suitable

strategy in place, funding then needs to be made available to convert the strategy into an

ongoing program. This research reveals a number of prominent hurdles (see figure 5) firms

face in securing sufficient funding for ORM programs:

Senior executives fail to distinguish ORM from financial risk management. This study

asked interviewees to rate the significance of five different barriers to investing in ORM.

Lack of understanding of ORM among senior executives emerged as the barrier most

frequently rated as “very significant” (35% of respondents). Further insights from the

interviews indicate that for some senior executives, moving away from their traditional

financial risk mindset is a major challenge.

“Investors who are not industry players create challenges in implementing effective

operational risk management strategies. They want to maximize the return on their

investment and see investment in safety, environment and communities as denting their

returns” (Finance Industry Association)

ORM is not recognized as a discrete program which requires dedicated funding. Where

risk management practices are considered to be fully embedded within a firm’s

operations, it can be challenging to secure funding for a dedicated ORM program. For

26% of the firms interviewed, managing risk as part of current day-to-day operations is

identified as a very significant barrier to investing in ORM.

“ORM should not be seen as a corporate initiative - it should be embedded in day to day

business.” (Mining & Metals)

INDU



9



ORM programs lose out to other internal investment initiatives. Investing in risk

management can be seen as similar to investing in insurance, where the return on

investment is not a useful measure of the value of the investment. This means the

business case for ORM needs to be defined differently than other internal initiatives

competing for funding. As a result, it can be difficult to secure funding for ORM

programs. In this study, 35% of respondents told us that the lack of a proper business

case is a ‘very significant’ or ‘significant’ barrier to ORM investment and another 65%

said the lack of available budget was a significant or very significant barrier.

Unfortunately, the true value of an effective ORM program often only becomes

apparent when the impacts of a deficient ORM program are exposed.

“It is quite hard for people to see the return on an investment. If you have a BP Gulf of

Mexico event, everyone can see the cost of having failed to deploy an effective ORM

strategy”. (Finance Industry Association)

Figure 5, n=66

INDU



10



Seven Steps for Developing a Successful ORM Strategy

Major shifts in the operational landscape of large global industrial firms have exposed them to a

much deeper and more complex network of risks. Driven largely by concerns around safety,

compliance and reputational integrity, firms are looking to overhaul long-standing ORM

strategies to make them relevant for today’s operating environment. Beyond the core objective

of mitigating business risks, leading firms are using ORM to help drive OE programs and

increase the resiliency of the business.

Despite the strong set of drivers, ORM programs can be starved of funding. Misunderstanding

of ORM by senior executives, lack of recognition of ORM as a discrete program, and

competition with other initiatives all create investment challenges for ORM programs.

Seven steps should be taken to develop and activate a successful ORM strategy:

1. Secure approval/consensus and leadership at the corporate level. An ORM program

will only be truly effective if it is championed at the very top of the organization. Senior

leaders in the corporate function need to be accountable for risk management and drive

this approach down across the organization. Many firms have already been successful in

taking this step with 79% of interviewed firms stating that risk ownership and

accountability for risk management is assigned centrally at the corporate level (see

figure 6).

“It is essentially a top down delivery program. Our board has set up direct input from

the functional teams who carry out country controls. We have quarterly meetings where

we discuss updates from employees on how we can achieve operational success.”

(Utilities)

INDU



11



Figure 6, n=66

2. Introduce risk accountability across the organization. Without buy-in at the corporate

level, firms are unlikely to be effective in rolling out an enterprise wide ORM program.

At the same time, this senior level support is only one ingredient for success. Employees

across every level of the organization need to be trained to incorporate risk-based

thinking into their day-to-day jobs. They need to be accountable for the risks within

their immediate area of control. The results from this study show that 38% of shop-floor

employees are not held accountable for risks management (see figure 6)

“Enhanced risk prevention / control at every level ensures operational excellence.

Continuous examination and inspection of risks is also part of this.” (Transport)

INDU



12



3. Agree to timely risks assessments. Ensuring operational risk assessments are completed

on a timely basis is a key component in any ORM strategy. These risk assessments help

ensure firms stay on top of new compliance requirements and prevent risk management

from slipping off the agenda. The required frequency of the audit will be determined by

the precise characteristics of each firm and its operational footprint. Among the

interviewees for this study, 92% of firms were conducting risk assessments on at least

an annual basis (see figure 7).

“Self-assessments and routine audits by third party verification firms are in place to

control risks.” (Oil & Gas Downstream)

Figure 7, n=66

INDU



13



4. Quantify and prioritize risks. An effective ORM program is able to quantify and

prioritize the identified risks, enabling mitigation efforts to be targeted in the most

effective way. Managing an optimized ORM program requires that risks are quantified in

terms of probability and severity, as well as the calculation of costs and benefits of

mitigating a risk versus allowing the risk to remain as is. It is this multi-faceted

calculation which helps determine the mitigation action (if any) that needs to be taken.

“Based on the risk metrics, we improve the risk management system. We have 5x5

metrics which comes to 25, which we then use to evaluate day to day operations. If a risk

score goes above 12, then it will be considered as moderate or high risk. We will apply

the highest priority based on the metrics calculated.” (Food & Beverage)

5. Establish appropriate metrics and KPI’s to monitor and assess performance.

Establishing the correct risk monitoring metrics and KPIs is one of the most important

steps in the ORM program. By establishing metrics, firms can ensure that the

appropriate effort and resources are expended based on the risk profile of the business.

A number of firms are already aware of the criticality of this step and therefore

supplement the development of their own metrics with advice and guidance from other

sources (see figure 8).

“For every improvement we make, we tend to establish a set of KPIs to make a

measurement of the success of the improvement. Generally, one of those KPIs will be

related to risk management. (Mining & Metals)

INDU



14



Figure 8, n=66

6. Implement consistent, well-documented and cost effective controls. Once the priority

risks are quantified and identified and the monitoring metrics and KPIs established, it is

necessary to implement control measures to actively mitigate these risks. From the

firms interviewed, 98% felt they already had at least adequate controls already in place

(see figure 9). In contrast, only 27% described these controls as cost-effective,

suggesting an opportunity to find better options for managing and controlling the

identified risks.

“Having standardized processes and procedures in place for risk mitigation is an

essential attribute of a successful risk management strategy.” (Food & Beverage)

INDU



15



Figure 9, n=66

7. Reinforce the importance of risk management through regular communications.

Establishing a regular timetable of communication on ORM performance is an effective

way of maintaining engagement on the subject. Tailor communications to specific levels

and functions of the organizations to address different priorities and focus areas. Linking

the impact of ORM to broader programs, such as operational excellence, will boost

engagement by making the benefits of ORM more tangible.

“We have monthly reports & information on operational risk management that is sent to

everybody stating what is being done & what went wrong and what went right.”

(Transport)

industrial firms must embed risk based thinking into their operations

Leadership & Management