resilience as a means to analyze business processes on the ... · resilience as a means to analyze...
TRANSCRIPT
Resilience as a means to analyze business processes on thestructure of vulnerabilityCitation for published version (APA):Gifun, J. (2010). Resilience as a means to analyze business processes on the structure of vulnerability.Eindhoven: Technische Universiteit Eindhoven. https://doi.org/10.6100/IR675415
DOI:10.6100/IR675415
Document status and date:Published: 01/01/2010
Document Version:Publisher’s PDF, also known as Version of Record (includes final page, issue and volume numbers)
Please check the document version of this publication:
• A submitted manuscript is the version of the article upon submission and before peer-review. There can beimportant differences between the submitted version and the official published version of record. Peopleinterested in the research are advised to contact the author for the final version of the publication, or visit theDOI to the publisher's website.• The final author version and the galley proof are versions of the publication after peer review.• The final published version features the final layout of the paper including the volume, issue and pagenumbers.Link to publication
General rightsCopyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright ownersand it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.
• Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain • You may freely distribute the URL identifying the publication in the public portal.
If the publication is distributed under the terms of Article 25fa of the Dutch Copyright Act, indicated by the “Taverne” license above, pleasefollow below link for the End User Agreement:www.tue.nl/taverne
Take down policyIf you believe that this document breaches copyright please contact us at:[email protected] details and we will investigate your claim.
Download date: 24. May. 2020
Resilience as a Means to Analyze Business Processes on the Structure of Vulnerability
PROEFSCHRIFT ter verkrijging van de graad van doctor aan de Technische Universiteit Eindhoven, op gezag van de rector magnificus, prof.dr.ir. C.J. van Duijn, voor een commissie aangewezen door het College voor Promoties in het openbaar te verdedigen op woensdag 30 juni 2010 om 16.00 uur door Joseph Frederick Gifun geboren te Chelsea, Verenigde Staten van Amerika
Dit proefschrift is goedgekeurd door de promotoren: prof.dr.ir. A.C. Brombacher en prof.dr. D.M. Karydas Copromotor: dr.ir. J.L. Rouvroye Copyright © 2010 by Joseph F. Gifun All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the copyright owner. A catalogue record is available from the Eindhoven University of Technology Library ISBN: 978-90-386-2268-2 Printed by: University Printing Office, Eindhoven Cover design by: Paul Verspaget
iii
Acknowledgements So many people have contributed to this body of work that I harbor the fear that I might miss
thanking everyone. If the reader finds that my fear is founded in truth I apologize, the failure
is mine alone to bear.
I am humbled and eternally grateful to Jane, my wife, for enduring much during the past few
years and for doing so with love, considerable poise, understanding, and a resolute positive
attitude.
I am indebted to the members of my dissertation committee; Professor Dimitrios Karydas for
sharing his knowledge in many things, his dedication to my doctoral learning and research
experience, his faith in my ability, but most of all his friendship; Professor Aarnout
Brombacher for his direct and kind critique of my work and his steadfast support during the
entire process; Dr. Jan Rouvroye for his attention to detail, his knowledge of and ability to
navigate confusing and complex processes, and for his language translation assistance;
Professor George Apostolakis for demonstrating his confidence in me by granting me the
opportunity to participate in his graduate students’ research and to engage his students in
mine, their tough questions caused me to think much harder and learn more; and Professor
Jan de Jonge and Professor Hans Pasman for their thought provoking questions and detailed
comments on this dissertation.
I send many thanks to the anonymous workshop participants for their generosity and candor.
Your participation made all the difference.
Thank you, thank you, thank you to Aunt Mary for her generosity, encouragement, and
whose remedy for writer’s block, setbacks, and frustration is a batch of freshly baked hermits.
During the years of work behind this dissertation I ate many.
It is my pleasure to thank Vicky Sirianni, an extraordinary person and leader who has helped
so many people see the untapped possibilities they had within. I am honored that she took the
time to convince me that there were a few within me too.
iv
My gratitude extends to the MIT DRU project team, Bill VanSchalkwyk, Susan Leite, Dave
Barber, Bill McShea, and Jerry Isaacson with special thanks to Hua Li a great thinking
partner from whom I learned so much.
Thanks to Jim Wallace for his support and for sharing his personal experiences regarding
balancing the daily obligations of family and work with the demands of doctoral study.
I value all that I learned about organizational leadership, process, behavior, and internal
politics from Professor Jim Bruce. I am grateful to have learned by his example that a clever
technical solution is incomplete if people affected by the solution have not participated in its
development.
I am grateful to Dr. Barbara Ash for convincing an old buck like me that I should become a
student once again. While I expected that the younger students might benefit from my
experience I did not expect that I would learn much more than I contributed.
Special thanks to Dr. Carol Zulauf whose enthusiasm in organizational learning and systems
thinking is infectious. I learned that systems can be difficult to understand completely but
they are knowable if one is willing to put aside preconceptions and focus on uncovering the
truth.
Thank you to Dottie Winn for her unflagging support and considerable knowledge of the state
and national political landscape.
I am grateful to Walt Henry for the example of excellence that he demonstrates daily and his
words of encouragement.
And thanks to Dick Amster, William Elliot, Joe Pinciaro, my colleagues, my friends at
Perfecto’s Caffe, and so many others for their support and at times, words of comfort.
This dissertation is dedicated to Dr. Charles “Chuck” Devoe whose words of wisdom, humor,
and encouragement always came when I needed them most.
v
Resilience as a Means to Analyze Business Processes on the Structure of Vulnerability
Summary
The impact of global societal trends regarding product reliability provides society with great
benefits and yet comes with the consequence of increased organizational vulnerability. The
goal of this research was to examine these issues and develop the means for organizations to
mitigate the potential negative effects of disturbances from within and external to the
organization for the purpose of sustaining organizational resilience. As a result of this
research the Highly Reliable Resilient Organization (HRRO) methodology was developed to
provide a consistent and customizable methodology to assess organizational vulnerability.
The purpose of this methodology is to determine current and potential levels of vulnerability
and to select and prioritize vulnerability elimination and mitigation initiatives and projects
using pre-established monetary and non-monetary factors. Moreover, the HRRO
methodology provides the means to identify, define, and assess the prerequisite criteria of an
organization that enable it to be resilient. These prerequisite criteria are the foundation for the
organization’s core function; its culture, its ability to manage risk, and its governing
processes, i.e. its ability to be resilient, or at the very least available to fulfill monetary and
non-monetary goals and enjoy a better chance for sustained viability. The HRRO
methodology is a generalizable analytic-deliberative process that was validated by
stakeholders, nine well known organizational models, a prioritization methodology that has
been in use for several years, independent case studies, and an independent and widely used
location risk quality benchmarking algorithm. To foster sustained use, the HRRO
methodology strikes a balance between complexity and simplicity, i.e. the model is
sufficiently comprehensive to reflect reality and sufficiently simple to be manageable.
The methodology used in this dissertation is based upon transformative-reflective design
processes. The first step in this process was, in this case, the creation of a construct that was
analyzed, validated and adapted during subsequent steps.
vi
vii
Preface
This dissertation is directed to organizational resilience by the assessment of the vulnerability
of complex technical operational systems, the relative comparison of vulnerabilities, and the
prioritization of vulnerability elimination and mitigation efforts. A practical objective of this
research was to identify, analyze, and incorporate as many existing organizational models and
methods as was needed. Although the models analyzed within were suitable for their intended
purposes they were deficient in terms of the organizational prerequisites needed to enable
resiliency. These deficiencies were the motivation for the development of the Highly Reliable
Resilient Organization (HRRO) methodology. However, two of the criteria within the HRRO
methodology are rated by acquired existing methods. Because of the requirement to
customize the HRRO methodology for specific organizations one may find and incorporate
different and more suitable methods for other applications. The HRRO methodology was
designed with the flexibility for customization.
This dissertation is presented as follows.
Chapter 1 establishes the context for the research described herein by providing an example
of the pervasiveness and magnitude of organizational vulnerability and the overall negative
effect thereon by societal trends for reliability. This chapter also provides the reader with
definitions of primary terms and concepts, a brief historic overview, and several success
stories.
Chapter 2 focuses on the reason organizational vulnerability is a problem and identifies and
explains the sources of vulnerability including inherent vulnerabilities, the multi-domain
nature of the problem of vulnerability, and the deleterious effects that can be caused by
cognitive bias. The research questions answered by this dissertation are included.
Chapter 3 describes the process used to accomplish the research within this dissertation.
Chapter 4 describes the development of the Highly Reliable Resilient Organization (HRRO)
methodology by examining existing organizational models and extracting relevant criteria.
This chapter also describes the stakeholder workshop process and aspects of the HRRO
viii
methodology such as its constructed scales and survey forms. Supporting examples from
results achieved by stakeholder workshops are provided wherever applicable.
Chapter 5 describes the use of the HRRO methodology by way of flowcharts showing several
applications of the methodology as means to assess and prioritize; including the use of
benefit-to-cost concepts.
Chapter 6 is devoted to discussions validating the methodology by way of relevant literature,
the author’s experiences, case studies, a comparison made using a complex and independent
risk quality benchmarking algorithm, and user feedback.
Chapter 7 presents the conclusion of this research by way of the answers to the research
questions, commentary regarding generalizability of the HRRO methodology, and
recommendations for related future research.
Appendices provide information that is necessary to this dissertation yet so voluminous that
the reader could find the dissertation difficult to follow. These appendices show the results of
the mapping exercise to determine the effect of societal trends on vulnerability, descriptions
of organizational models used to create the HRRO methodology, workshop results, various
worksheets used to develop the HRRO methodology, constructed scales, the complete set of
stakeholder survey forms, stakeholder feedback, and several case studies used to support the
validity of this research.
ix
Table of contents
Acknowledgements iii
Summary v
Preface vii
Table of contents ix
List of figures xii
List of tables xiii
External publications related to the dissertation xv
Acronyms xvi
Glossary xvii
1 Context 1
1.1 Trends and consequences 1
1.2 Primary terms and concepts 2
1.3 Targeted historic overview 3
1.4 Success stories 4
1.5 Chapter summary 6
2 Why is organizational vulnerability a problem? 9
2.1 Sources of vulnerability 9
2.2 Research questions 16
2.3 Chapter summary 17
3 Research methodology 19
3.1 Methodology 19
3.2 Chapter summary 31
4 Development of the Highly Reliable Resilient Organization
methodology 33
4.1 Introduction 33
4.2 Criteria found in existing models 34
4.3 Initial workshop and stakeholder feedback 39
4.4 Post initial workshop 41
x
4.5 Second workshop 47
4.6 Chapter summary 48
5 Application of the Highly Reliable Resilient Organization
methodology 49
5.1 Application of processes 49
5.2 Prioritization: benefit-to-cost 57
5.3 Chapter summary 57
6 Analysis and reflection 59
6.1 Validity 59
6.2 Reflection 71
6.3 Chapter summary 73
7 Conclusions and recommendations 75
7.1 Conclusions 75
7.2 Recommendations for future research 78
References 79
Appendix A Mapping of vulnerabilities, General Motors, to
reliability trends 87
Appendix B Existing models 99
B.1 The High Reliability Organization 101
B.2 Disaster Resistant University 110
B.3 DRU at MIT 114
B.4 Resilient Enterprise 121
B.5 Enterprise Risk Management 123
B.6 Risk-Based Process Safety 127
B.7 Reactor Oversight Process 130
B.8 Hearts and Minds 133
B.9 Business Continuity Planning 138
B.10 Rejected models 140
Appendix C Analysis of model decomposition and criteria themes 145
xi
Appendix D Materials distributed to stakeholders to prepare for
Workshop No.1 179
Appendix E Assessor responses and priority 193
Appendix F Constructed scales 195
Appendix G Survey forms 203
Appendix H Prioritizing infrastructure renewal projects in MIT
Department of Facilities 229
H.1 Intent 229
H.2 Process design and management 229
H.3 Stakeholder engagement 230
H.4 Lessons learned 231
Appendix I Compilation of assessor feedback 233
Appendix J Comparison of recommendations from Baker Panel
report and HRRO 237
Appendix K Comparison of recommendations from COT
Institute for Security and Crisis Management report
and HRRO 243
Appendix L Comparison of recommendations from Ernst and
Young report and HRRO 245
Curriculum vitae 247
xii
List of figures
Figure 1 HRRO hierarchical tree 38
Figure 2 Example: constructed scale for safety culture based on Hearts
and Minds 43
Figure 3 Example: safety culture survey form based on Hearts and Minds 45
Figure 4 HRRO process flowchart for baseline assessment purposes 50
Figure 5 HRRO process flowchart for estimating effect of potential
disturbance of prerequisite organizational criteria 50
Figure 6 HRRO process flowchart for organizational improvement
prioritization purposes 52
Figure 7 Disturbance elimination and mitigation project prioritization
Process 55
Figure 8 Implied HRO hierarchical tree 108
Figure 9 Implied DRU hierarchical tree 113
Figure 10 DRU at MIT framework 116
Figure 11 ERM objectives, components, and units 126
Figure 12 Hierarchical tree, (partially shown), Risk-based Process
Safety 129
Figure 13 Reactor Oversight Process 130
Figure 14 The health, safety, and environment culture ladder 135
Figure 15 Hearts and Minds hierarchical tree 136
Figure 16 HRDRO hierarchical tree (max score = 1.00) 183
Figure 17 HRDRO hierarchical tree (max score = 100) 184
Figure 18 HRRO constructed scales 195
Figure 19 HRRO survey forms 203
xiii
List of tables
Table 1 Mapping of vulnerabilities, General Motors, to reliability trends
(sample) 11
Table 2 Example: biased assessment of covariation 15
Table 3 Mapping of decision-making styles to requirements 23
Table 4 Mapping of decision-making models to requirements 25
Table 5 Analysis by model decomposition for Risk-based Process
Safety 28
Table 6 Example of themes derived from criteria by category and
application 29
Table 7 Summary criteria numbers by themes 30
Table 8 Categories and applications 40
Table 9 Stakeholder summary sheet – Assessor A 47
Table 10 Prioritized criteria improvement opportunities from second
workshop (without deliberation) 61
Table 11 Comparison of recommendations from Baker Panel report and
HRRO 66
Table 12 Comparison of recommendations from COT Institute for
Security and Crisis Management and HRRO 68
Table 13 Comparison of recommendations from Ernst and Young and
HRRO 69
Table 14 Mapping of vulnerabilities, General Motors, to reliability trends 87
Table 15 Impact on People 109
Table 16 Corrective example based on Li et al 120
Table 17 Performance indicator, initiating events 131
Table 18 High Reliability Organization, analysis of model decomposition
and criteria 145
Table 19 Disaster Resistant University, analysis of model decomposition
and criteria 149
Table 20 Disaster Resistant University @ MIT, analysis of model decomposition
and criteria 150
xiv
Table 21 Resilient Enterprise, analysis of model decomposition
and criteria 151
Table 22 Enterprise Risk Management, analysis of model decomposition
and criteria 155
Table 23 Risk-Based Process Safety, analysis of model decomposition
and criteria 160
Table 24 Reactor Oversight Process, analysis of model decomposition
and criteria 162
Table 25 Hearts and Minds, analysis of model decomposition
and criteria 163
Table 26 Business Continuity Planning, analysis of model decomposition
and criteria 166
Table 27 Decomposition of models to extract themes 168
Table 28 Summary: Criteria Number by Theme 176
Table 29 Assessor responses and priority 193
Table 30 Chronology 230
Table 31 Compilation of stakeholder feedback 233
Table 32 Comparison of recommendations from Baker Panel report and
HRRO 237
Table 33 Comparison of recommendations from COT Institute for
Security and Crisis Management and HRRO 243
Table 34 Comparison of recommendations from Ernst and Young
and HRRO 245
xv
External publications related to the dissertation
The following publications refer to prior research in which the author had participated.
References to these works are made in this dissertation wherever each publication specifically
applies. Moreover, as these works represent the author’s journey in the subjects of
organizational vulnerability and risk-informed decision-making they are considered to be
overarching influences.
Gifun, J. F., & Karydas, D. M. (2010). Organizational attributes of highly reliable complex
systems. Quality Reliability Engineering International, 26(1), 53-62.
Karydas, D. M., & Gifun, J. F. (2006). A method for the efficient prioritization of
infrastructure renewal projects. Reliability Engineering & System Safety, 91(1), 84-99.
Gifun, J. F., Karydas, D. M., Brombacher, A. C., & Rouvroye, J. L. (Submitted for
publication). Resilience as a means to analyze business processes on the structure of
vulnerability.
Li, H., Apostolakis, G. E., Gifun, J. F., VanSchalkwyk, W., Leite, S., & Barber, D. (2009).
Ranking the risks from multiple hazards in a small community. Risk Analysis, 29(3), 438-
456.
xvi
Acronyms
AHP Analytic Hierarchy Process
BCP Business Continuity Planning
BCR
DRU
Benefit-to-cost ratio
Disaster Resistant University
ERM Enterprise Risk Management
FEMA Federal Emergency Management Administration
FY Fiscal Year
H&M Hearts and Minds
HRRO Highly Reliable Resilient Organization
HRO High Reliability Organization
MAUT Multi-Attribute Utility Theory
MIT Massachusetts Institute of Technology
RBPS Risk-Based Process Safety
RE Resilient Enterprise
ROP Reactor Oversight Process
xvii
Glossary
Analytic hierarchy Process: AHP is a method where the criteria of a decision are
arranged in a hierarchy and weighted according to a 1 to 9 scale. This scale provides the
means for decision maker to assign a degree of preference of the criteria relatively by way
of pairwise comparisons. The numerals 1 to 9 indicate the extremes of the scale where 1
represents equal preference and 9 represents absolute preference of one criterion to
another. Numerals between 1 and 9 represent intermediate levels of preference. The result
of each pairwise comparison is placed in a square matrix and squared until the difference
of normalized row sums of sequential iterations equals or closely approximates zero.
Once achieved, the values in the normalized row sums represent the matrix’s eigenvector
and the weight of each attribute relative to each other (Saaty, 1980).
Cognitive bias: A distorted perception of reality caused by beliefs of the likelihood of
uncertain events. Occasionally such beliefs are expressed numerically as subjective
probabilities and to reduce the complex tasks associated with assessing probabilities and
predicting values to simpler judgmental operations, heuristics are employed. While
economical in the decision-making process the reliance on heuristics can result in poor
decisions when situations are overly simplified and important data is not considered
(Tversky & Kahneman, 1974).
Complex system: To explain the difference between simple and complex systems, the
terms interconnected or interwoven are somehow essential. Qualitatively, to understand
the behavior of a complex system we must understand not only the behavior of the parts
but how they act together to form the behavior of the whole. It is because we cannot
describe the whole without describing each part, and because each part must be described
in relation to other parts, that complex systems are difficult to understand. This is relevant
to another definition of complex: not easy to understand or analyze (Bar-Yam, 1997). A
system is complex if it consists of diverse agents who are connected whose behaviors and
actions are interdependent and who adapt (Page, 2009).
xviii
Disturbance: A generic term used to denote an unintended interruption or variation in
regular process or system state. Disturbance refers to the result caused by any credible agent
that could upset or adversely influence the core business of an organization or actual does so.
Hazard: A generic term used to denote natural or human induced threats including but not
limited to flood, earthquake, influenza, fire, and terrorism.
Impact: According to the Commission of the European Communities’ Green Paper on the
European Programme for Critical Infrastructure Protection (Commission of the European
Communities, 2005):
Impacts are the total sum of the different effects of an incident that take into account at least
the following qualitative and quantitative effects:
• Scope: The loss of a critical infrastructure element is rated by the extent of the
geographic area which could be affected by its loss or unavailability - international,
national, regional or local.
• Severity: The degree of the loss. Among the criteria which can be used to assess
impact are:
o Public (number of population affected, loss of life, medical illness, serious
injury, evacuation);
o Economic (effect on gross domestic product, significance of economic loss
and/or degradation of products or services, interruption of transport or energy
services, water or food shortages);
o Environment (effect on the public and surrounding location);
o Interdependency (between other critical infrastructure elements).
o Political effects (confidence in the ability of government);
o Psychological effects (may escalate otherwise minor events) both during and
after the incident and at different spatial levels (e.g. local, regional, national
and international).
• Effects of time: This criterion ascertains at what point the loss of an element could
have a serious impact (i.e. immediate, 24-48 hours, one week, other).
xix
Model: A representation of a system that allows for investigation of the properties of the
system and, in some cases, prediction of future outcomes (Investorwords, n.d.).
Organization: An organization, a group of people intentionally organized to accomplish
an overall common goal or set of goals, is a system of systems, an organized collection of
parts that are highly integrated in order to accomplish said overall goal. Feedback among
the various parts ensures that they are and remain aligned. The system has various inputs
which are processed to produce certain outputs that together, accomplish the overall goal
desired by the organization. Inputs include resources, i.e. raw materials; money,
technologies, and people. Outputs are 1) tangible results produced by the system’s
processes, i.e. products or services for consumers and 2) benefits for consumers, e.g. jobs
for workers and enhanced quality of life for customers.
An organization operates according to an overall purpose or mission and culture.
Organizations consist of numerous subsystems, e.g. departments, programs, projects,
teams, and processes, each with its own boundaries, inputs, processes, outputs, and
outcomes. The organization is defined by its legal documents (e.g. articles of
incorporation and bylaws), mission, goals and strategies, policies and procedures, and
operating manuals and is depicted by its organizational charts, job descriptions, and
marketing materials. Furthermore, the organizational system is maintained or controlled
by policies and procedures, budgets, information management systems, quality
management systems, and performance review systems (McNamara, n.d.).
Reliability: The ability of a [system] to perform a required function, under given
environmental and operational conditions and for a stated time (Murthy, Rausand, & Osteras,
2008).
Resilience: The ability of a system to withstand a major disruption within acceptable
degradation parameters and to recover within an acceptable time and composite costs and
risks (Haimes, 2009).
Stakeholder: The individuals and organizations that could benefit from a decision and the
individuals and organizations that could be affected by a decision (Accorsi, Zio, &
Apostolakis, 1999). The term stakeholder consists of entities that could be categorized as
xx
investors, society, customers and suppliers, employees and subcontractors, and local
communities (Solvay S.A., n.d.). In this dissertation the term stakeholder is used in the
generic case as well as when referring to the participants in the first workshop. Assessor is a
synonymous term and is used to differentiate stakeholders who participated in the second
workshop.
Technical Operational System: an organizational system that uses technology in its day-to-
day activities.
Threat: The intent and capability to adversely affect (cause harm or damage to) the system
by adversely changing its states (National Research Council, 1996).
Vulnerability: Vulnerability is a characteristic of a critical infrastructure’s design,
implementation, or operation that renders it susceptible to destruction or incapacitation by a
threat (International Risk Governance Council, 2006; President's Commission on Critical
Infrastructure Protection, 1997).
1
Chapter 1 Context This chapter provides the reader with a glimpse of the current state of organizational
resilience and vulnerability knowledge and introduces the effect of technology trends thereon
as the motivation for this research. Several terms and concepts are defined in the manner that
they are used throughout this dissertation. Also several cases describing the benefit of
mitigating the potential impact of risk are provided as successful examples where
organizations addressed threats to resilience and vulnerability in a preemptive manner. The
intent of this chapter is to provide the reader with a sense of the author’s motivation for this
dissertation.
1.1 Trends and consequences
Our global society is faced with four trends regarding product reliability (Brombacher, de
Graef, den Ouden, Minderhoud, & Lu, 2001):
1) The increasing integration of (increasingly complex) technology in our society and
the increasing expectation of users that these systems will function at all times
2) The increasing dynamics of business processes where stability (due to ever changing
economic demands) and overview (due to globalization and outsourcing) are hard to
establish
3) The increasing role of information and communications technology and the increasing
dependence on computer systems by society
4) The increasing withdrawal of government from the social infrastructure in favor of
private business. For example, non-government control of the internet
Society has gained many benefits from technology and the inclusion of thoughts and actions
from people throughout the world; however, such benefits come with consequences;
increasing complexity, unpredictability, vulnerability, and the ease by which a disturbance
can propagate through a system. While both trends and consequences apply to individuals
and organizations this dissertation focuses on vulnerability within organizations and leaves
the several combinations of trends and consequences to future research. The potential effect
of these trends on organizational vulnerabilities is discussed in detail in §2.1.
2
1.2 Primary terms and concepts
To align reader with the author’s intent a few definitions of terms and concepts used in this
dissertation are in order: These terms are shown directly below and supplement those
provided in the glossary.
• Complexity: an inherent state of an organization that is a group of diverse, interacting,
interrelated, interdependent, and adaptive agents [that include components and criteria
or attributes, physical and intangible, to form a unified whole] (Page, 2009).
• Unpredictability: a state of difficulty foreseeing, declaring or indicating in
advance, a specific outcome on the basis of observation, experience, or scientific
reason (Merriam-Webster, 2010). Organizations that do not even attempt to
predict the risk of a disturbance by way of identifying and analyzing the potential
for the disturbance to occur and the potential consequences that could result, and
then take measures to eliminate or mitigate the impact of the disturbance
preemptively will most likely suffer therefrom (ASIS International, 2009; British
Standards Institute, 2006).
• Vulnerability: a characteristic of a critical infrastructure’s design, implementation,
or operation that renders it susceptible to destruction or incapacitation by a threat
(International Risk Governance Council, 2006; President's Commission on
Critical Infrastructure Protection, 1997). Thus, organizations with high levels of
vulnerability recover less quickly, or not at all, and spend more money to do so
when compared to organizations with low levels of vulnerability [resilience]
(Sheffi, 2005). Organizations are at risk for spending money inappropriately or
making ineffective funding choices when such actions or inactions drain monetary
resources from core business needs and reserves for contingencies and the
recovery from disturbances.
• Propagation: the measure of the depth a disturbance passes into an organizational
system. The safety and risk management literature contains many examples of
relatively small and in some instances unpredictable or difficult to predict
3
disturbances that have resulted in catastrophic results because the disturbance had
the ability to pass unchecked deep into the system. A classic example tells of a
March 2000 lightning strike that caused a fire in a Philips’ semiconductor
fabrication plant in New Mexico that was extinguished in 10 minutes and yet
caused a shift in the balance of corporate power between Ericsson, Philips’s radio
frequency chip customer, and Nokia, Ericsson’s competitor. The impact of the
shutdown of the Philips plant took more than nine months to resolve and at the
end of 2000 Ericsson announced a $2.34 billion loss in its mobile phone division
where at least $400 million is due to loss of potential revenue directly attributed to
the cascading results of the fire while Nokia took over a major part of the
market.(Latour, 2001).
1.3 Targeted historic overview
The following represents a short targeted portion of the history of risk management as the
first of two examples of the reason organizations are subject to vulnerability and the need for
its elimination or mitigation. The second example is introduced and explained in §2.1.
In 2002 a McKinsey & Company survey found that due to nonexistent or ineffective risk
management processes, extra-financial risks received only anecdotal treatment in the board
room (Felton & Watson, 2002) as cited in (Tonello & Brancato, 2007). In 2004 The
Conference Board conducted research on 271 companies and found that despite a positive
disposition toward Enterprise Risk Management (ERM) most firms were in the early stages
of designing a comprehensive risk management structure where only 18% had the most basic
elements in place, 16% had integrated advanced ERM thinking into business practices, and
4% of responders had addressed performance metrics or compensation policies (Gates &
Hexter, 2005) as cited in (Brancato, Tonello, Hexter, & Newman, 2006). In 2004
PricewaterhouseCoopers found that 20% of 1,400 chief executives surveyed reported that
they understood their accountability with respect to managing business risk
(PricewaterhouseCoopers, 2004). In June 2006 The Conference Board and McKinsey &
Company and KPMG’s Audit Committee Institute showed that few executives can point to
the use of robust ERM techniques by their companies (Brancato et al., 2006). From these
results, while one can conclude that corporate executives understand the need to mitigate or
eliminate vulnerability they give little attention to implementing vulnerability elimination and
4
mitigation efforts. Thus, while most likely not the intent of these corporate executives, the
little attention given to identifying, analyzing, eliminating and mitigating vulnerabilities
makes their organizations vulnerable.
1.4 Success stories
While the safety and risk management literature is rich with failures and dreadful accidents
resulting in deaths, injuries, large monetary losses, and protracted legal proceedings all is not
hopeless as there are organizations that have dealt well with the potential for vulnerability;
several examples are provided below.
Mount Pinatubo
On the morning of June 15, 1991, Mount Pinatubo on the island of Luzon in the Philippines
erupted. In anticipation of such a possibility due to a series of small steam-blast explosions,
monitoring equipment was put in place in April 1991 by the Philippine Institute of
Volcanology and Seismology and the U.S. Geological Survey. The purpose of monitoring
volcanic activity was to mitigate vulnerability by providing advance knowledge of an
eruption so that evacuations could be undertaken and protective measures put in place before
the eruption commenced. The advanced notice and preemptive implementation of protective
measures saved the lives of 5,000 to 20,000 people and avoided property losses estimated to
be between $350 million and $475 million. The cost to monitor the volcano, protect property,
and evacuate people amounted to $56 million (United States Geological Survey, 2005).
Flood Hazard Mitigation in North Carolina
The state of North Carolina has a long history of destruction by hurricanes because its
protruding coastline falls in line with the track for tropical cyclones that curve northward in
the western Atlantic Ocean. A hurricane or tropical storm makes landfall in North Carolina
on the average of once every 4 years and a tropical cyclone affects the state every 1.3 years
(State Climate Office of North Carolina, n.d.).The federally funded Hazard Mitigation Grant
Program provided matching funds to the State of North Carolina to elevate structures above
flood water levels and prior to Hurricane Isabel (category 2) in 2003 182 structures had been
elevated. In Belhaven, North Carolina the cost to mitigate the damage from flooding caused
5
by hurricanes was $7.1 million and the losses avoided by Hurricane Isabel alone were $2.6
million (Flood Insurance and Mitigation Division, n.d.). If one assumes that the life-cycle of
the construction required to raise the structures above flood waters is 20 years, a hurricane
similar to Isabella occurs every 4 years of the life-cycle, losses due to each storm occurrence
are $2.6 million, and the discount rate is 2% then the present value of the avoided risk is
$12.91 million. A similar case can be made for efforts undertaken in Kinston, North Carolina
where 100 homes were acquired and demolished prior to Hurricane Floyd in September 22,
1999 saving $6.4 million in avoided losses for a cost of $2.1 million (Division of Emergency
Management, 2002).
Nokia
The shift in market share described in §1.2 highlights Nokia’s ability to manage risk
particularly its ability to identify and analyze potential disturbances and develop and
implement solutions. That is once the extent and potential effect of the disturbance on
Nokia’s production capability became known Nokia focused efforts aggressively on
acquiring radio frequency chips from Philips and other suppliers with whom Nokia had
relationships. The result being that Nokia’s share in the world handset market increased
from 27% to 30% while Ericsson’s fell from 12% to 9% (Latour, 2001).
United States Coast Guard and Hurricane Katrina
Success regarding diminishing the vulnerability for others was exemplified by the preparation
for and execution of emergency response activities by the United States Coast Guard for
Hurricane Katrina in 2005. The Coast Guard’s ability to be flexible and decentralized and
take measured risks set it apart from the sluggish centralized bureaucracy of the Department
of Homeland Security of which it is part thereof. Prior to the strike of Hurricane Katrina and
before the mandatory evacuation order given by the mayor of New Orleans the Coast Guard,
mitigating vulnerability to its assets, moved personnel and equipment out of the area so that it
could be moved back in behind the storm no matter which direction it took. The Coast Guard
gives extraordinary responsibility to enlisted personnel so decisions can be made quickly by
the person closest to the situation. Despite the fact that almost half of Coast Guard personnel
lost their own homes due to the hurricane they rescued or evacuated 33,500 people (Ripley,
2005).
6
Incident Command System
The incident command system (ICS) is an emergence response and management structure
currently used in the United States by federal and state public safety agencies; municipal
police, fire, and public works departments; and many other organizations, including
universities. ICS enables the control the temporary systems deployed to manage personnel
and equipment at a wide range of emergencies that could require expansion, contraction, or
modification of response assets. ICS was the result of knowledge gained from the harmful
disorder that occurred among various organizations during the suppression of extensive
wildland fires in California during the 1970s. The ICS is a formal hierarchical structure that
consists of five major functions: command, planning, operations, logistics, and finance and
administration and is modifiable and scalable to any type of emergency. It represented a
significant departure from previous large-scale emergency management methods and since its
inception in the 1970s it has been tested broadly by way of actual events, modified
accordingly, and because of its demonstrated success it is now required by the Federal
government for state, local, or tribal entities as a condition for Federal preparedness
assistance under the National Incident Management System (Bigley & Roberts, 2001; Ridge,
2004).
1.5 Chapter Summary
Organizations are vulnerable because of the inherent complex nature of organizational
systems, the unpredictability of potential disturbances, and the uncertain path a disturbance
may take into an organization as well as the confounding effect of societal trends regarding
product reliability. The societal trends were introduced as they provide one with a way to test
an organizational system in terms of the future and will be discussed in greater detail in
Chapter 2. Astonishing results were presented from research by others for the purpose of
bringing into the discussion the potential deleterious effect on an organization by
organizational leaders who are not aware of the risks their organizations face and the
management efforts in place to counter such risk. The value of planning and preemptive
action is one of the foundations of this dissertation and several successful examples were
provided. These examples tell of the plans and preemptive actions put in place to mitigate the
effects of a disturbance, e.g. the planning and staging operation by the United States Coast
7
Guard prior to the strike of Hurricane Katrina in 2005. Chapter 2 is founded on the reality
presented in Chapter 1 and describes why organizational vulnerability is a problem.
8
9
Chapter 2 Why is organizational vulnerability a problem?
Discussed in this chapter are sources of vulnerability including external, internal, and
inherent vulnerabilities such as vulnerabilities due to cognitive bias. A comprehensive list of
vulnerabilities, compiled by General Motors, was mapped to the societal trends introduced in
Chapter 1. The purpose of the mapping is to use the vulnerabilities provided by General
Motors as an example to determine whether vulnerability would increase, decrease, or
remain the same should the manifestation of the societal trends occur. This chapter concludes
with the research questions that were the motivation for this dissertation.
2.1 Sources of vulnerability
Organizational vulnerability
Organizational vulnerability is a multi-domain problem. Organizations are vulnerable to
disruptions that originate from directly identifiable causes internal and external to the
organization and to disruptions that are due to the inherent characteristics of the
organizational system. Inherent vulnerability will be discussed in the following sub-section.
Organizations are also vulnerable to the uncertainty associated with the magnitude of the
disruption and its ability to propagate through the organizational system. The basis of Table 1
is a list of the types of vulnerabilities, internal and external, faced by General Motors (GM)
(Elkins, 2003). Knowing that the list does not represent the vulnerabilities of every
organization the author suggests that it is comprehensive enough to familiarize the reader
with a fundamental, albeit incomplete, list of organizational vulnerabilities. The original list
was augmented to map each of GMs vulnerabilities against the societal trends introduced
earlier in §1.1 for the purpose of determining whether organizational vulnerability is a valid
problem. This analysis provides the second of two examples of the reason organizations are
subject to vulnerability and the need for its elimination or mitigation. Table 1 should be read
as follows; for each trend would organizational vulnerability due to; for example, disruptions
to the organizations debt and credit rating; become more of an issue or get worse (indicated
by -), become less of an issue or get better (indicated by +), or remain neutral (indicated by o)
under trend 1, 2, 3, or 4 or any combination thereof. In this example the author believes that
the societal trends 2 and 4, for the reasons stated in Table 1 could increase the level of
10
vulnerability for an organization should they occur. To refresh the reader’s mind the four
trends regarding product reliability are (Brombacher, de Graef, den Ouden, Minderhoud, &
Lu, 2001):
1) The increasing integration of (increasingly complex) technology in our society and
the increasing expectation of users that these systems will function at all times
2) The increasing dynamics of business processes where stability (due to ever changing
economic demands) and overview (due to globalization and outsourcing) are hard to
establish
3) The increasing role of information and communications technology and the increasing
dependence on computer systems by society
4) The increasing withdrawal of government from the social infrastructure in favor of
private business. For example, non-government control of the internet
The complete Table 1 reveals that the societal reliability trends affect the 105 vulnerabilities
as follows; the vulnerability becomes more of an issue or gets worse 54, the vulnerability
becomes less of an issue or gets better 12, and the vulnerability remains neutral 14 times. In
25 instances vulnerabilities were affected by multiple trends, i.e. becomes more of an issue or
gets worse plus becomes less of an issue or gets better. Breakdown by individual trend is not
relevant to the present paper. Overwhelmingly the trends have a deleterious effect on the
vulnerabilities identified by GM.
11
Vulnerability Trend
1 Trend
2 Trend
3 Trend
4 Reason (example)
Debt & credit rating - -
Trend 2 - Negative interpretation of dynamical state of business by conservative financial markets result in less flexibility regarding debt. Trend 4 - Less government involvement results in increasing degradation of oversight, data collection capability, information transfer, and consistently applied controls
Health care & pension costs - +
Trend 1 - More expensive treatment costs to offset drug and diagnostic equipment development costs. Higher costs passed to employers therefore fewer funds available for other employee benefits, e.g. pensions. Trend 4 - Less government involvement increases competition in the marketplace and results in lower costs
Uncompetitive cost structure o o o o
Not related to trends as poorly priced products and services will not be competitive
Legend: - indicates that selected vulnerability becomes more of an issue or gets worse, + indicates that selected vulnerability becomes less of an issue or gets better, and o indicates neutrality
Table 1 – Mapping of Vulnerabilities, General Motors, (Elkins, 2003) to Societal Reliability Trends (Brombacher et al., 2001) (sample, entire table in Appendix A)
Inherent vulnerability
Organizations are subject to vulnerabilities from internal and external sources as well as
vulnerabilities inherent to the organization. A discussion of internal and external sources of
vulnerability was presented in the previous sub-section addressing organizational
vulnerability while a discussion related to inherent vulnerability, albeit a kind of
organizational vulnerability is presented separately as follows. To be clear inherent
vulnerabilities are not to be confused with errors in the vulnerability assessment process but
with vulnerabilities due to aspects of the system that make vulnerabilities hard to see due to
system complexities such as the remoteness of interdependent operations and the negative
effects imposed on the organizational system due to cognitive bias on organization leadership
decisions.
12
While the list of vulnerabilities provided in Appendix A is fairly comprehensive it does not
specifically identify sources of vulnerabilities that are inherent to systems both locally and
remotely. For example, an earthquake occurring near the site of a manufacturer’s
organization, even if it does not cause physical damage to the organizations assets can
damage transportation systems and hinder the movement of supplies, product, and personnel
to and from their intended destinations or destroy the utility infrastructure that supports the
manufacturer. Similarly, an earthquake could occur in the vicinity to the manufacturer’s
primary supplier but remote to the manufacturer and still have devastating effects on the
manufacturer’s ability to fulfill its core responsibilities by way of damage to the suppliers
physical assets, transportation systems between the supplier and manufacturer, and utility
infrastructures Organizational structures put in place because of manufacturing concepts such
as lean manufacturing are particularly vulnerable, although the vulnerability is not intended.
The reason is that lean organizations are designed to function at high levels of efficiency;
however, when a disturbance occurs there is little or no slack in the system to accommodate
the disturbance. For example, in the instance mentioned above where an earthquake, remote
to both the supplier and manufacturer, prevents the movement of materials from the
supplier’s location to the manufacturing plant the impact to the manufacturer’s production
capabilities could be devastating if an alternative supplier is not available. In this instance it is
prudent to find a balance between organizational lean-ness and profit while taking into
consideration credible potential impact due to the potential occurrence of a particular
vulnerability. Thus, to mitigate the vulnerability of material delivery interruption due to an
earthquake a manufacturer should develop relationships with alternative suppliers, stock
some materials on site, or a combination of both (Sheffi, 2005). Another example of
vulnerability inherent to systems has to do with the desire for a company to provide its
customers with a high level of support through unimpeded access to its employees and
product information by way of the internet also provides access to individuals wishing to
commit cyber crime.
Cognitive bias
A systematic approach such as the HRRO methodology also mitigates the destructive effects
of cognitive bias (defined in the glossary of this dissertation) on behalf of the decision makers
as cognitive biases can play a strong role in the decision-making process where they can
13
diminish the correctness of the decision. Thus, cognitive bias is a source of human error in
the decision-making process, especially in decisions that are made by intuition and
inexperienced decision makers. With decisions that require consideration of various courses
of action and their implications, a structured formal approach can help reduce the risk of
error. Some of the more common cognitive biases are listed below.
1. Confirmation: The migration to evidence that supports a preexisting hypothesis. Not
only is this evidence found more persuasive and convincing, contradicting evidence is
discounted (Roberto, 2009).
2. Overconfidence: Human beings are systematically over confident and optimistic in
their judgments (Roberto, 2009). Overconfidence occurs most often when the
estimator lacks expertise or knowledge about the quantity they are estimating, thus
fails to include all of the possibilities (Goodwin & Wright, 2000)
3. Sunk cost trap: The tendency for people to escalate commitment to a course of action
in which they have made substantial prior investments of time, money, and other
resources (Roberto, 2009)
4. Availability bias: Ease of recall is not associated with probability, i.e. easily recalled
events are not necessarily highly probable. Also, easily imagined events are not
necessarily the most probable, therefore associated risks could be overestimated and
in situations where expertise is lacking, underestimated. In addition, current
information could be problematic in estimating quantities as decision makers may
anchor on the current value and make insufficient adjustments for the anticipated
effect of future conditions (Goodwin & Wright, 2000)
5. Illusory correlation: A form of the availability bias where fact less based
preconceptions could lead one to the wrong conclusion about the relationship between
two variables when no causal relationship exists (Goodwin & Wright, 2000; Roberto,
2009). For example, if one had the opinion that foreign made products were less
reliable; the frequency of unreliable foreign made products could be overestimated
6. Anchoring bias: Anchoring refers to the notion that we sometimes allow an initial
reference point to distort our estimates (Roberto, 2009). People tend to overestimate
the probability of the occurrence of conjunctive events because they anchor on the
probability of one of the events occurring. Overestimating probabilities for
conjunctive events may lead to unjustified optimism. With disjunctive events the
14
tendency is to anchor on one event and underestimate the probability (Goodwin &
Wright, 2000; Tversky & Kahneman, 1974)
7. Hindsight bias: The more time passes, the more that we think that we predicted, or
could have predicted, the eventual outcome to a situation (Roberto, 2009)
8. Egocentricism: When we attribute more credit and blame to ourselves for a particular
group or collective outcome than an outside party would attribute (Roberto, 2009)
9. Ignoring base-rate frequencies: People tend to base probability estimates on how
representative a subject or item is to descriptive information not the statistics
representing the base-rates (Tversky & Kahneman, 1974)
10. Expecting sequences of events to appear random: When a sequence of events is
generated by random processes we expect the sequence to represent the characteristics
of randomness. This bias could lead to errors in forecasts when data from few events
is misinterpreted as representative of the systematic patterns of many events
(Goodwin & Wright, 2000)
11. Expecting chance to be self correcting: This is another consequence of the belief that
random sequences of events should be representative of what the random process is
perceived to look like. For example, if a fair coin is tossed, given that no trickery is
present, the probability of the occurrence of a head or tail is 0.5. In a sequence of
tosses one expects the resulting number of heads and tails to be approximately equal.
However, in a sequence of tosses resulting in heads, many people will think that the
occurrence of a tail is overdue (Goodwin & Wright, 2000)
12. Ignoring regression to the mean: People expect extremes to be followed by similar
extremes; however, the unusual event is probably a result of a particularly favorable,
or unfavorable, combination of chance factors which are unlikely to recur in the
following period. Failure to consider this bias could result in overestimating or
underestimating resources needed to address the most likely event (Tversky &
Kahneman, 1974)
13. The conjunction fallacy: The co-occurrence of two events cannot be more probable
than each event on its own (Tversky & Kahneman, 1974)
14. Believing desirable outcomes are more probable: People tend to view desirable
outcomes as more probable than those which are undesirable (Goodwin & Wright,
2000)
15. Biased assessment of covariation: A bias similar to illusory correlation that can occur
when people are presented with tables showing the number of times events occurred
15
or failed to occur together. For example, consider the following information, Table 2,
based on the records of 27 patients:
Illness Present Illness Absent
Symptom Present 12 6
Symptom Absent 6 3
Table 2 – Example: Biased Assessment of Covariation
According to research by Arkes, Harkness, and Biber, as cited in Impediments to
Accurate Clinical Judgment and Possible Ways to Minimize Their Impact by H. Arkes
(Arkes, 1986), many people would conclude that there was a relationship between
symptom and disease. In Table 2, the large value 12 and the suggestion that people
only consider the frequency of cases where both symptom and disease are present
creates the illusion of a relationship; however, the conditional probabilities reveal that
the probability of a relationship between illness and symptom is 12/18 = 2/3 and the
probability of no relationship between illness and symptom is 6/9 = 2/3. Therefore,
the presence or absence of the symptom has no effect on the probability of having the
illness.
The author observed the following instance of cognitive bias. The subject was an
organizationally powerful and highly competent stakeholder (a secondary stakeholder
external to the process but a person who could enable the improvement of the process and its
proliferation throughout the broader organization) who believed that the only viable method
for selecting and funding projects was to initiate as many projects as could be afforded and to
do so as quickly as possible. A method the stakeholder referred to as going after the low
hanging fruit. In this instance the manifestation of the confirmation bias was observed. The
stakeholder was comfortable in a discipline where quick response reflects due diligence.
Thus, one should select projects that could be implemented quickly. While some of the low
hanging fruit could have been projects that were low in cost and high in benefits there was no
guarantee that this practice would result in funding and implementing the optimal set of
projects based on the combination of benefit and cost. One might conclude that this
stakeholder had adopted a satisficing strategy, i.e. a decision-making strategy where an
16
adequate non-optimal solution is acceptable, but because of this persons emphatic position in
context of due diligence the author rejects this notion.
Some decision makers do not experience such judgment difficulties as shown above and in
these situations cost can be considered an attribute within the hierarchical tree (Goodwin &
Wright, 2000). Because of the uncertainty of knowing how well the decision-makers are able
to judge costs versus intangible benefits, particularly in a group decision making process; the
author recommends that monetary and non-monetary aspects be kept separate unless
experience with the decision makers proves otherwise. This process aligns with the
traditional concept of benefit-to-cost analysis where the goal is to maximize net benefits from
an allocation of resources (Federal Highway Administration, 2007).
2.2 Research questions
The impact of vulnerability described in the historic overview regarding corporate leadership
and ERM, the mapping example provided in Table 1, and the impact of vulnerability caused
by inherent characteristics of systems support the conclusion that organizational vulnerability
is a problem. Vulnerability presents a multi-domain problem whose magnitude and ability to
penetrate into an organization is difficult to determine with certainty. Also, organizational
vulnerability is hard for an organization’s leaders to support because the benefit-to-cost
relationship of risk avoidance is hard to prove (Karydas & Rouvroye, 2006), information
related to terrorism is impossible to get for the typical business organization (Pate-Cornell &
Guikema, 2002), the impact of risks, especially large impacts, are perceived as rare events
and ignored (Sheffi, 2005), and the role of cognitive bias in organizational decision-making is
not often taken into consideration (Page, 2009).
The major contributions by this paper are the responses to the following research questions.
1. By what means can an organization systematically identify and assess and either
eliminate or mitigate vulnerability that takes into consideration prerequisite
organizational factors and cost?
2. How would an organization prioritize vulnerability mitigation or elimination projects
or initiatives
17
2.3 Chapter summary
Organizational vulnerability is a problem because if unaddressed the organizational system
could suffer and in turn the organizations ability to fulfill its core responsibilities, e.g. the
fabrication and delivery of a product to a customer. Organizations are systems of complex
systems therefore knowing the vulnerabilities the organization could face, whether internal,
external, or inherent are essential to the sustainability of the organization. The research
questions at the conclusion of §2.2 target the underlying, prerequisite, organizational factors
and practices that enable an organization to identify and assess and either eliminate or
mitigate vulnerability. The methodology undertaken to accomplish this research is described
in Chapter 3.
18
19
Chapter 3 Research methodology
This chapter describes the methodology undertaken to understand the magnitude of
organizational vulnerability and decision-making processes in context of the stakeholders
associated with the process. During the present phase of the research existing models were
identified and analyzed for the purpose of determining whether they are suitable as models
for examining vulnerability in context of organizational prerequisites in their entirety or
whether they should be incorporated in a new model.
3.1 Methodology
To resolve the problems described in the previous chapter the main goal of the present
research is to develop a systematic, consistent, and customizable methodology to assess
organizational vulnerability for the purpose of supporting organization decision-making. A
desired outcome of this methodology is the ability to determine current and potential levels of
vulnerability and to select and prioritize vulnerability elimination and mitigation initiatives
and projects using both monetary and non-monetary factors. The process behind this research
consists of the ten major steps below.
1. Reflect on personal experience gained during 36 years of professional practice and
reflections offered by others,
2. Review relevant literature
3. Identify requirements in context of user perspective
4. Identify and analyze decision-making styles for selection consideration
5. Map decision-making styles to requirements
6. Select decision-making process that fits requirements best
7. Identify and analyze decision-making models consistent with decision-making
process
8. Map decision-making models to requirements
9. Develop new model that mitigates deficiencies, and;
10. Validate new model
20
Each of these steps will be explained in detail below or in appendices as referenced.
Step 1: Reflect on personal experience gained during 36 years of professional practice
and reflections offered by others
This step provided the basis for this research, i.e. the author’s reflection upon experiences
(sometimes painful) and learning acquired recently and over the years as a professional
engineer and as a facility manager of an academic and research university. This step also
incorporates invaluable reflections by other practitioners whether offered directly to or sought
out by the author. Since the research process is iterative and took place over several years this
step is considered overarching as experiences were recalled and reflected upon throughout the
research.
Step 2: Review relevant literature
Like Step 1 the review of literature was an overarching activity as every newly discovered
idea and journal article or recommendation offered by a practitioner resulted in deeper review
of the relevant literature and learning.
Step 3: Identify requirements in context of user perspective
Knowing that the methodology would be validated by stakeholders the author, including the
input from others, made a first pass at identifying its requirements using personal experience
and relevant literature particular to organizational structure, reliability, and resilience as
guides. These requirements are criteria an organization must possess as prerequisites in
addition to those needed to conduct its core function. The intent was to put before the
stakeholders text they could react to and revise, including discarding, if necessary. This
process is explained in §4.3. The requirements and a brief description are provided as
follows.
• Culture – the ability of the methodology to capture the degree the organization values
and protects its employees and how the employees value and protect the organization.
Also, how the organization elicits ideas and feedback from employees and how the
organization and employees learn from experiences,
21
• Risk management – use of the methodology to identify, analyze, eliminate, mitigate
risks including its ability to manage emergencies when they occur,
• Governance – application of the methodology as a means to measure an
organization’s overarching leadership and management structure including its
functions, policies, and procedures,
• Expressed / expressible as hierarchical tree – the ease by which a methodology can be
structured in levels of attributes representing important aspects of the organization,
• Preemptive use – use of the methodology to predict the magnitude of an impact before
it occurs,
• Corrective use – use of the methodology as a means to determine the magnitude of an
impact after it occurs,
• Customizable – the ease by which the methodology can be modified to fit specific
user requirements,
• Defendable – a clearly defined process,
• Repeatable – the ability of the methodology to yield identical results when provided
with identical inputs,
• Implementable – the readiness by which the methodology can be put into practice in
an organization,
• Quantifiable – the outcome of a methodology where a numerical value provides a
decision makers with the means of comparing and selecting alternatives in relative
terms,
• Systematic – structured logical approach, i.e. set of steps, and;
• Monetary application – the ability of the methodology to take into consideration cost.
Step 4: Identify and analyze decision-making styles for selection consideration
Since most decision scenarios in organizations are participative to varying degrees four
decision-making styles particular to participative process will be explained and then
evaluated (in Step 5) according to suitability to stakeholder requirements identified in Step 3.
The four types of participative decision-making are (Daugherty, 1997):
22
• Autocratic – the leader maintains total control and ownership of the decision
• Consultative – the leader encourages input from other participants regarding ideas,
perception, knowledge, and information but maintains total control of the decision
and is the sole decision maker
• Democratic – the leader relinquishes control and lets other participants vote. While a
decision can be rendered quickly no one takes responsibility for the decision
• Consensus – the leader gives up complete control and responsibility for the decision
to all of the participants. All must agree and come to the same decision. While the
decision process can be lengthy the best decisions are rendered because the skills and
ideas of many people are involved
Step 5: Map decision-making styles to requirements
In Table 3 decision-making styles are mapped against requirements to determine the most
beneficial style, i.e. to determine whether specific requirements are included in a specific
decision-making style. For example the autocratic style defines an organizational structure
with a single decision maker that does not take advantage of feedback from employees, thus
the requirement of culture, as defined earlier, is not included. Table 3 reveals by a factor of 2
that the consensus decision-making style matches best with the requirements.
23
Decision-Making Styles Requirements Autocratic Consultative Democratic Consensus Culture (generic) - - + + Risk Management (generic) + + - + Governance (generic) + + - + Expressed or expressible as hierarchical tree - - - + Preemptive use + + + + Corrective use + + + + Customizable - - - + Defendable + + - + Repeatable - - - + Implementable + + + + Quantifiable - - - + Systematic - - - + Monetary application + + + + Ratio (number of responses reflecting inclusion) / (total possible responses) 0.54 0.54 0.38 1.0
Legend: + indicates that the selected decision-making style incorporates the specific requirement, - indicates that the selected decision-making style does not incorporate the specific requirement
Table 3 – Mapping of Decision-Making Styles to Requirements
Step 6: Select decision-making process that fits requirements best
Multi-attribute utility decision support processes support consensus-based decision-making
by including additive utility functions [such as the requirements listed above] and displays
objectives and sub-objectives of the decision making process formatted in a hierarchical tree
(Clemen, 1996). Thus, a methodology based on the principles of multi-attribute utility theory
(MAUT) is preferred.
24
Step 7: Identify and analyze decision-making models consistent with decision-making
process
While nine existing models were selected for analysis; the High Reliability Organization
(HRO), the Disaster Resistant University (DRU), Massachusetts Institute of Technology’s
version of the Disaster Resistant University model (DRU at MIT), the Resilient Enterprise
(RE), Enterprise Risk Management (ERM), Risk-Based Process Safety (RBPS), Reactor
Oversight Process (ROP), Hearts and Minds (H&M), and Business Continuity Planning
(BCP) others were rejected as they were either similar enough to a model that was already
selected that inclusion would have resulted in duplication, for which little detail was available
to fully describe the model, or lacked the rigor and efficiency of the analytic-deliberative
process (Gifun & Karydas, 2010). For example intuition is a common means for making
judgments but was rejected because it does not provide a systematic, defendable, or
repeatable approach. Complete descriptions and analyses of the selected organizational
models and a brief commentary of the rejected models are provided in Appendix B.
Step 8: Map decision-making models to requirements
Table 4 shows the decision-making models as mapped to the requirements for the purpose of
showing whether each model addresses each requirement. All are valid models within
specified areas of interest but none address all of the requirements, although HRO and DRU
at MIT come closest.
25
Decision-making Models Requirements (In context of organizational vulnerability) HRO DRU
DRU at
MIT RE ERM RBPS ROP H&M BCP Culture (generic) + - - - - - - - - Risk Management (generic) + - + + + - - - + Governance (generic) + - - - + - - - - Expressed or expressible as hierarchical tree + + + - - + + + + Preemptive use + + + + + + + + + Corrective use + + + + + + + + + Customizable - + + + - + - - + Defendable + + + - + + + + + Repeatable + + + - - - + + + Implementable - - + - - - - + + Quantifiable + - + - - - + + - Systematic + + + - - + + + + Monetary application - - - - - - - - - Ratio (number of responses reflecting inclusion) / (total possible responses) 0.77 0.54 0.77 0.31 0.38 0.46 0.54 0.62 0.69
Legend: + indicates that the selected decision-making style incorporates the specific requirement, whereas - indicates that the selected decision-making style does not incorporate the specific requirement
Table 4 - Mapping Decision-Making Models to Requirements
Step 9: Develop new model that mitigates deficiencies
Table 4 shows the similarities and dissimilarities of the several models and the strength of
each model by way of the inclusion of requirements. A brief commentary regarding each
model is provided as follows (Gifun & Karydas, 2010).
26
• HRO provides a comprehensive high-level view of an organization but does not
provide the means for implementation
• DRU focuses on hazards and threats (primarily physical) external to the organization
and like HRO does not provide explicit means for implementation
• DRU at MIT is similar to DRU but provides greater guidance regarding
implementation
• RE provides broad principles but no method for implementation
• ERM focuses broadly on corporate risk but does not provide a method for
implementation
• RBPS is excessively comprehensive and provides so much detail that implementation
would be unmanageable
• ROP is specifically applied to public health and safety as a result of reactor operation
and provides the means for implementation
• H&M provides a comprehensive view of an organization in context of safety and the
means for implementation, and;
• BCP does not provide the means for implementation but provides an organization
with a comprehensive model that focuses on preemptive action
All of the models recognize the potentially devastating impact of hazards and threats to an
organization but do so with levels of detail and in areas of application that makes
organization-wide implementation impractical without modification. Thus, the new
methodology labeled The Highly Reliable Resilient Organization (HRRO) must mitigate the
deficiencies in the individual models and include the means for implementation, recognition
of organizational cultural complexity, a structured analytic-deliberative decision-making
process, and the means to inform risk avoidance decisions. The HRRO methodology is
intended to provide the means to measure organizational reliability and resiliency against
organizationally derived criteria. To develop the hierarchical tree as indicated in Tables 3 & 4
in support of a consensus-based model, the nine organizational models mentioned earlier
were decomposed at the criterion level according to the broad categories of culture, risk
management, and governance and whether each criterion could be applied preemptively,
correctively, or both. The purpose of this analysis was to determine where deficiencies might
be in each model and to derive themes that would become the criteria of the HRRO
methodology.
27
The description of each criterion was read carefully to determine whether the criterion could
be considered, at least minimally related to culture, risk management, or governance and
whether the description shows that the criterion should be considered for preemptive or
corrective use, or both. For example given the HRO criterion Preoccupation with failure, as
shown in Appendix A, the description tells of the need to encourage the reporting of errors
and warns of complacency as a reason for unexpected events to go undetected. Thus, because
of the organizational behavior aspect of the reporting of errors and the temporal nature of the
description, i.e. precedes bigger problems, the author classified the criterion as cultural and
preemptive. Once the criteria of each model were analyzed and similarly classified duplicates
were removed (strikethrough) as shown in the columns below the heading Model criteria
sets, refer to Table 5 and Appendix C. Table 5 shows an extract from the complete analysis
provided in Appendix C, Tables 18 - 28. The portion of the analysis shown in Table 5
indicates that RBPS is strongly biased toward the preemptive in the categories of culture, risk
management, and governance. Therefore, adding functionality that includes corrective
components would make it more useful in general applications.
Criteria classified as explained above were scrutinized once again to determine whether each
criterion possessed a generic primary theme and sub-theme. For example in Table 6 the
primary theme derived from the detailed scrutiny for HRO1 was determined by the author to
be cultural and risk-management based while the more specific sub-themes were Safety
culture, Analysis, and Testing. The resulting themes associated with each model’s criteria are
safety culture, analysis, testing, organizational learning, maintenance, solution design,
objectives, strategic direction, policy, rules, regulation, flexibility, emergency response,
implementation, decision-making, communication, management support, and procedures. A
sample of the analysis is shown in Table 6 and a summary of the entire analysis is shown in
Table 7.
28
Tabl
e 5
– A
naly
sis
by M
odel
Dec
ompo
sitio
n fo
r Ris
k-ba
sed
Proc
ess
Safe
ty (s
ampl
e, c
ompl
ete
anal
ysis
in A
ppen
dix
C, T
able
s 18
- 28
)
Cri
teri
aD
efin
itio
n
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Co
mm
it t
o
pro
cess
sa
fety
Pro
cess
saf
ety
cu
ltu
re,
com
plia
nce
wit
h
stan
dar
ds,
pro
cess
sa
fety
co
mp
eten
cy,
wo
rkfo
rce
inv
olv
emen
t,
and
sta
keh
old
er
ou
trea
chR
BP
S1
11
1
RB
PS
1 U
R
BP
S1,
R
BP
S2,
&
RB
PS
3N
/AN
/A
RB
PS
2,
RB
PS
3,
& R
BP
S4
U
RB
PS
1,
RB
PS
2,
& R
BP
S3
RB
PS
2,
RB
PS
3,
& R
BP
S4
U R
BP
S4
N/A
RB
PS
1 &
R
BP
S3
U
RB
PS
1,
RB
PS
2,
& R
BP
S3
N/A
N/A
Lea
rn f
rom
ex
per
i-en
ce
Inci
den
t in
ves
tig
atio
n,
mea
sure
men
t an
d
met
rics
, au
dit
ing
, m
anag
emen
t re
vie
w
and
co
nti
nu
os
imp
rov
emen
t,
imp
lem
enta
tio
n, a
nd
th
e fu
ture
RB
PS
41
11
32
31
0
RB
PS
1
RB
PS
2,
RB
PS
3,
&
RB
PS
4
RB
PS
1 &
R
BP
S3
RB
PS
1,
RB
PS
2,
& R
BP
S3
RB
PS
4N
/A
Nu
mb
er o
f C
rite
ria
Set
s
Cri
teri
a b
y C
ateg
ory
Cri
teri
a b
y A
pp
licat
ion
Mo
del
Cri
teri
a S
ets
29
Cri
teri
a Nu
mbe
rDe
finiti
onP
rimar
y Th
emes
Sub
-The
mes
Cul
ture
∩ P
reem
ptiv
e
HR
O1
Enc
oura
ge th
e re
porti
ng o
f erro
rs a
nd p
ay a
ttent
ion
to a
ny fa
ilure
s. T
hese
la
pses
may
sig
nal p
ossi
ble
wea
knes
s in
oth
er p
arts
of t
he o
rgan
izat
ion.
Too
of
ten,
suc
cess
nar
row
s pe
rcep
tions
, bre
eds
over
conf
iden
ce in
cur
rent
pra
ctic
es
and
sque
lche
s op
posi
ng v
iew
poin
ts. T
his
lead
s to
com
plac
ency
that
in tu
rn
incr
ease
s th
e lik
elih
ood
unex
pect
ed e
vent
s w
ill g
o un
dete
cted
and
sno
wba
ll in
to b
igge
r pro
blem
s.
Cul
ture
& R
isk
Man
agem
ent
Saf
ety
Cul
ture
, Ana
lysi
s, &
Te
stin
gD
RU
4Tr
aini
ngC
ultu
reO
rgan
izat
iona
l Lea
rnin
g
RE
4
Like
a c
itize
n st
affe
d ne
ighb
orho
od w
atch
pro
gram
, the
peo
ple
who
mak
e up
or
gani
zatio
ns a
re it
s se
nsor
y sy
stem
. Man
y ey
es, e
ars,
and
the
phys
ical
pr
esen
ce o
f peo
ple
who
cho
ose
to g
et in
volve
d ca
n be
det
erre
nce
to c
rime.
A
lso,
em
ploy
ees
who
lear
n of
pot
entia
l dis
turb
ance
s th
at a
re c
redi
ble
and
coul
d im
pact
the
orga
niza
tion
and
brin
g su
ch in
form
atio
n to
the
orga
niza
tion,
co
uld
prov
ide
the
orga
niza
tion
with
suf
ficie
nt ti
me
to im
plem
ent m
easu
res
to
dim
inis
h th
e po
tent
ial i
mpa
ctC
ultu
re &
Ris
k M
anag
emen
tS
afet
y C
ultu
re, A
naly
sis,
Te
stin
g, &
Mai
nten
ance
ER
M1
Enc
ompa
sses
the
tone
of a
n or
gani
zatio
n, a
nd s
ets
the
basi
s fo
r how
risk
is
view
ed a
nd a
ddre
ssed
, inc
ludi
ng th
e or
gani
zatio
n’s
risk
man
agem
ent
philo
soph
y an
d ris
k ap
petit
e, it
s in
tegr
ity a
nd e
thic
al v
alue
s, a
nd th
e en
viron
men
t in
whi
ch th
ey o
pera
teC
ultu
re, R
isk
Man
agem
ent,
&
Gov
erna
nce
Ana
lysi
s, S
olut
ion
Des
ign,
O
bjec
tives
, Stra
tegy
, Pol
icy,
&
Rul
es
RB
PS
1P
roce
ss s
afet
y cu
lture
, com
plia
nce
with
sta
ndar
ds, p
roce
ss s
afet
y co
mpe
tenc
y, w
orkf
orce
invo
lvem
ent,
and
stak
ehol
der o
utre
ach
Cul
ture
& G
over
nanc
eS
afet
y C
ultu
re, P
olic
y,
Reg
ulat
ions
, & R
ules
Lege
nd:
Cultu
re, R
isk
man
agem
ent,
and
gove
rnan
ce re
fer t
o ca
tego
ries
Pr
eem
ptiv
e an
d co
rrect
ive
refe
r to
appl
icat
ions
Tabl
e 6
- Exa
mpl
e of
The
mes
Der
ived
from
Cri
teri
a by
Cat
egor
y an
d A
pplic
atio
n
(sam
ple,
com
plet
e an
alys
is in
App
endi
x C
, Tab
le 2
7)
30
Themes Criteria Number
Safety CultureHRO1, RE4, RBPS1, H&M3, RE4, RBPS3, ROP2, ROP3, H&M4, RBPS4, H&M6, MIT1, MIT2, H&M1, H&M2
Analysis
HRO1, RE4, ERM1, HRO4, HRO2, HRO3, DRU1, RE2, RE3, ERM3, ERM4, RBPS2, ROP1, BCP1, RBPS4, H&M6, MIT1, MIT2, MIT3, HRO3, ERM2, H&M8, H&M2
Testing HRO1, RE4, H&M7, RE1, RE5, BCP5, ERM8, H&M8Organizational Learning DRU4, ERM1, HRO4, HRO5, DRU5, H&M3, RBPS2, RBPS3, DRU4M aintenance RE4, H&M7, HRO3, RE1, RE5, ERM5, BCP5, ERM8, H&M8Solution Design ERM1, ERM3, ERM5, ROP1, BCP2Objectives ERM1, ERM3, ERM2Strategic Direction ERM1
PolicyERM1, RBPS1, HRO5, H&M3, RE8, MIT1, MIT2, MIT3, RE6, ERM2, ERM6, H&M1, H&M2
Rules ERM1, RBPS1, H&M1Regulation RBPS1Flexibility HRO4Emergency Response HRO4, RE1, RBPS3, ROP1, BCP4, MIT1, MIT2, MIT3Implementation HRO4, DRU3, RE2, ERM5, ROP3, BCP3, MIT1, MIT2, MIT3, ERM6Decision-M aking HRO5, H&M2Communication ERM7, H&M1, DRU2M anagement Support
HRO3, DRU3, RE5, RBPS4, MIT1, MIT2, MIT3, ERM2, ERM5, ERM6, H&M1
Procedures RE6, H&M6, ERM2, ERM6, H&M5
Table 7 – Summary: Criteria Numbers by Themes
(complete analysis in Appendix C, Tables 18 – 28)
The themes derived from this analysis became the criteria of the HRRO methodology. The
HRRO methodology will be discussed in greater detail in following sections of this
dissertation.
The next steps of the development process entail defining the criteria, as shown in §4.2,
creating the constructed scales, weighting, and stakeholder consensus. Constructed scales are
behind the lowest level criteria, e.g. Safety as shown in Figure 1 (Chapter 4). The constructed
scales depict a progression of weighted levels that range from 0 to the maximum weight of
31
the criterion and enable the stakeholder to select a level that matches the stakeholder’s rating.
Constructed scales once established provide the means to efficiently elicit stakeholder input
(Karydas & Gifun, 2006). Figure 2 (Chapter 4) provides the reader with an example of a
constructed scale from the HRRO methodology.
The levels of each constructed scale and the weighting of criteria and constructed scale levels
are developed by stakeholders directly or by a draft version developed by others and then
modified if necessary and subsequently accepted by stakeholder consensus. Because of the
interrelatedness of the constructed scales and the assessment functionality within the HRRO
methodology constructed scales were developed after the first workshop to take full
advantage of stakeholder input. Thus a more detailed and relevant description is provided in
§4.4.
Step 10: Validate new model
Proof of validity is described by way of a discussion about the models from which new
methodology was derived, testing by stakeholder groups, two case studies where the new
methodology was applied post-disturbance to real situations, and correlation of the
methodologies resulting index to a score resulting from an independent risk quality
benchmarking algorithm model. Validity will be discussed in greater detail in Chapter 6.
3.2 Chapter summary
Chapter 3 shows the methodology used to conduct the research described within this
dissertation that includes the identification of user criteria, the preference for a consensus-
based multi-attribute methodology and hierarchical tree structure, and the analysis of existing
decision-making models. While the HRO and DRU at MIT models were the most applicable
considerable deficiencies were present that a new model is required in order to answer the
research questions posited in Chapter 2. The process followed to develop the HRRO
methodology is described in the following chapter.
32
33
CHAPTER 4 Development of the Highly Reliable Resilient
Organization methodology
Chapter 4 builds upon the work described in Chapter 3, continuing with the development of
the HRRO methodology with particular emphasis on stakeholder involvement through
workshop participation.
4.1 Introduction
The HRRO methodology provides a systematic, consistent, and customizable means to
identify, define, and assess the prerequisites of an organization that enable it to be resilient
and supports the prioritization of projects and initiatives to improve prerequisite
organizational criteria to sustain organizational resilience. By becoming (more) resilient the
organizational system will be affected less by various disturbances, i.e. become less
vulnerable. Criteria representing the quality of organizational operations such as annual
revenue, stock price, and market share are not included as traditional means provide better
measures of these criteria. Thus, the author focused on the prerequisite organizational criteria
associated with reliability and resilience, and assumed that the organization’s core business is
viable (Gifun & Karydas, 2010). While success in different types of organizations consists of
varying levels of the combination of monetary and non-monetary achievements the
sustainability of the organization, the result of reliability and resilience, is the true measure of
success, i.e. the organization’s ability to fulfill its purpose over a specified length of time.
Since organizational sustainability includes non-monetary benefits the organization would be
considered sustainable as long as it, at the very least, met its non-monetary goals and was
able to make sufficient money to continue to do so over time. It is the intent of this
dissertation, by way of the HRRO methodology to provide organizations with the means to
enable their decision makers to understand vulnerabilities and make risk-informed decisions
to mitigate such vulnerabilities.
The methodology builds upon relevant work done by or including the author, i.e.
prioritization in A Method for the efficient prioritization of infrastructure renewal
projects (Karydas & Gifun, 2006), risk-informed multi-attribute utility decision support
systems in Ranking the risks from multiple hazards in a small community (Li et al., 2009),
34
complex organizational systems in Organizational attributes of highly reliable complex
systems (Gifun & Karydas, 2010), and organizational resilience and vulnerability in
Resilience as a means to analyze business processes on the structure of vulnerability
(Gifun, Karydas, Brombacher, & Rouvroye, Submitted for publication).
4.2 Criteria found in existing models and stakeholder feedback
To develop the HRRO methodology, the nine organizational models mentioned earlier were
compared at the criterion level against the broad categories of culture, risk management, and
governance and whether they could be applied preemptively, correctively, or both; as shown
in Chapter 3. The purpose of this analysis was to efficiently extract the essence of each
existing model and use this information to create a draft version of a hierarchical tree for
stakeholder review and comment. From this analysis the author learned that an organization
should possess certain criteria as prerequisites in addition to those needed to conduct its core
function. In other words the degree of success therewith is dependent upon the level of
organizational attention and leadership support given to:
1. Culture, safety culture; Worker safety by way of recognition and support inherent in
the organization
2. Culture; organizational learning, quality improvement, & flexibility: Developing
people, deferring to expertise, and learning from organizational experiences
3. Risk management; planning & preparation: Assessing the potential for risk from
within the organization and external thereto and implementing the means for
preemptive elimination or mitigation thereof
4. Risk management; emergency / incident response & business recovery: Accepting
that some risks may cause disruptions no matter the plans made ahead of onset;
therefore, puts in place processes that respond to disruptions for the purpose of
lessening the consequences
5. Governance; objectives & strategic direction: Clearly stating organization objectives,
strategies, policies, procedures, and directives and developing same with a diverse
group of people representing relevant sectors of the organization
6. Governance; internal practices: Developing, but most importantly using transparent
and defendable decision-making methods. Implementing policies and procedures that
are relevant, broadly known, and clearly understood. Communicating multi-
35
directionally within and external to the organization and to do so proactively.
Demonstrating organizational commitment by overtly supporting risk avoidance
methods and processes and funding the implementation of projects and initiatives that
eliminate or mitigate vulnerability
Using that which was learned in Chapter 3, the requirements of multi-attribute utility
theory (MAUT), and the desire to develop the new model in a hierarchical form by way
of its criteria, the draft of the HRRO methodology was brought to an initial stakeholder
workshop for review and further development. During this workshop a facilitated review
of the preliminary definitions for the criteria was undertaken and stakeholders discussed
the meaning of each criterion and offered revisions to some. A detailed explanation of the
workshop is provided in the following section of this chapter. The primary result of this
workshop was the revision and acceptance of the criteria and their definitions and the
creation of the hierarchical tree. Some of the preliminary definitions were taken from
non-validated online sources solely for the purpose of starting the deliberation among the
stakeholders. The definitions are shown below and the post-workshop form of the
hierarchical tree is shown in Figure 1. The pre-workshop format is shown in Appendix D
along with a copy of the information sent to workshop participants.
The following are the final accepted versions of the criteria definitions.
1. Culture: A basic set of assumptions and traditions that define what those within the
organization pay attention to, what things mean, and how to react emotionally to that
which is going on, and determine which actions to take in various kinds of situations
(Schein, 1992)
2. Risk management: Organizational principles, practices, and structures that enable an
organization to manage uncertainty to either eliminate or mitigate the realization and
expansion of potential consequences or transfer the financial impact of such
consequences to other institutions
3. Governance: Decisions made within the organization that define expectations, grant
power, or verify performance
36
4. Safety (safety culture): Organizational safety culture entails compliance with
standards, process safety competency, workforce involvement, stakeholder outreach,
operating procedures, safe work practices, asset integrity and reliability, contractor
management, training and performance assurance, management of change,
operational readiness, conduct of operations, and emergency management
5. Organizational learning, quality improvement and flexibility: A term that describes an
organization that actively creates, captures, manages, transfers, and mobilizes
knowledge to enable it to adapt to a changing environment (Senge, 1990). Flexibility
refers to the ability of an organization to adapt to changing demands (Weick &
Sutcliffe, 2001; Weick & Sutcliffe, 2007)
6. Planning & preparation: Summary criterion for business continuity planning (British
Standards Institute, 2006 )
a. Analysis: The employment of risk, vulnerability, and threat analyses, impact
scenarios, and other analytic tools and methods to assess the current and
potential state of the organization
b. Solution design: The means to identify and develop the most cost effective
risk mitigation and disaster and crisis recovery solution (including the crisis
management command structure)
c. Implementation: Execution of the design elements identified in solution design
d. Testing & acceptance: The means to detect potential disturbances and
ascertain the effectiveness and acceptance of plans and processes
e. Maintenance: Periodic; 1) information updating and testing, 2) testing and
verification of technical solutions, and 3) testing and verification of
organization recovery procedures
7. Emergency / incident response & business recovery: An emergency / incident is a
situation which poses an immediate risk to health, life, property, reputation, the
environment, and finances. Response and recovery are terms describing the action
taken and resources deployed to mitigate the impact of an emergency / incident and to
recover quickly therefrom to ensure the continuity of the organization’s core business
37
8. Objectives & strategic direction: A strategic direction is a long term plan of action
designed to achieve an objective, i.e. a specific goal
9. Internal practices: Summary criterion for policies, rules, regulations, and operating
procedures that are developed and implemented in accordance with the organizational
charter:
a. Policy: A deliberate plan of action to guide decisions and achieve rational
outcome(s). Rules: Formal and widely-accepted statements, facts, definitions,
or qualifications, informal but widely accepted norms, concepts, truths,
definitions, or qualifications. Regulations: Considered as legal restrictions
promulgated by government authority. Procedure: A specification of series of
actions, acts or operations which have to be executed in the same manner in
order to always obtain the same result in the same circumstance
b. Decision-making process: Transparent fact-based analytic-deliberative
processes and methods for making judgments or reaching conclusions are used
where appropriate
c. Communication: An act or instance of exchanging information, e.g. verbal or
written messages (Merriam-Webster, 2009)
d. Monetary & non-monetary support: Organization-wide policies and practices
that overtly support action, e.g. risk assessment and analysis, implementation
of projects, and funding of initiatives to eliminate and mitigate risks
38
Figure 1 – HRRO Hierarchical Tree
39
4.3 Initial Workshop
A draft proposal approach was taken and a stakeholder workshop was held to verify, test,
modify, and quantify the methodology. Also the draft proposal approach was used to make
better use of the stakeholder’s time as less time and effort is needed to revise something that
has been, formulated already, albeit temporarily and cursorily, than to create a new one
(Karydas & Gifun, 2006; Li et al., 2009).
The stakeholder group was composed of six people with experience and interest in relevant
disciplines. Four out of the six were members of an intact risk management and emergency
response team, i.e. a command level police officer, a medical department manager, a
managing director of an environmental health and safety office, and an environmental health
and safety officer. The other two stakeholders were a Ph.D. engineer with expertise in the
field of property insurance related to chemical plant processes and a doctoral degree
candidate focusing on risk analysis. The emergency and business continuity planner
associated with the intact team mentioned above was not able to participate in the workshop
but reviewed and commented upon the material qualitatively and external to the workshop.
Comments offered by this person were included in deliberations with the stakeholder group
by electronic mail.
Prior to the workshop the stakeholders were presented with a packet of materials. These
materials, provided in Appendix D included a description of the overall research project to
provide context, a description of that which would be expected by the stakeholders during
and following the workshop, a scenario to focus the efforts of the stakeholders should such
focus be necessary (it was not), and the author’s draft proposal version of the hierarchical
tree, criteria descriptions, and pairwise comparisons. The categories and applications table,
Table 8, shows the preliminary weights provided to the stakeholders prior to the workshop
and those resulting therefrom. Analyzing criteria by category and application provides
stakeholders the ability to verify, albeit roughly, that sufficient criteria and criteria weight
were included within the categories of culture, risk management, and governance and the
applications of preemptive, corrective, or both. Per the example shown in Table 5 this
process mimics that which was used to analyze the organizational models. During
stakeholder deliberations the categories and applications were discussed; however, the
information was not used in a formal analytical way.
40
Relative Weights
Pre-workshop
Relative Weights
Post-workshop
Categories
Culture 42 40 Risk Management 33 36 Governance 25 24
Applications
Preemptive 49 47 Corrective 14 18 Both 37 35
Weights determined by expert opinion via the Analytic Hierarchy Process (AHP)
Table 8 – Categories and Applications
The stakeholders were guided through a review of the hierarchical tree where all potential
revisions were evaluated to make certain that they were in compliance with the principles of
MAUT. The stakeholders suggested two revisions, 1) move the implementation criterion
from preemptive to corrective as implementing plans is an act of correction and 2) add
business recovery to the emergency and incident response criterion to account for the
physical aspects of recovering the business’s key operations. Per the stakeholders the
criterion labeled implementation refers to implementing business continuity plans while
business recovery refers to implementing business recovery measures once a disturbance had
occurred. Thus, the MAUT principle of prohibiting double counting had not been violated.
The preliminary weights were also reviewed and revised according to stakeholder input. The
hierarchical tree shown in Figure 1 incorporates these revisions.
To capitalize on meeting time to discuss concepts, criteria, and definitions the weighting of
criteria was done by each stakeholder external to the workshop, using an Analytic Hierarchy
Process (AHP) model developed by one of the stakeholders 0
1 (Elliot, 2008). A brief
description of AHP is provided in the glossary. Results were returned by way of electronic
mail.
1 Excel spreadsheet that uses sliders for stakeholders to make pairwise comparisons. The sliders show by way of their position the weight given to each pair under consideration while a bar graph shows the relative weight of the criteria graphically as the sliders are manipulated.
41
The results were compiled and then distributed to the stakeholders by electronic mail for
additional deliberation as they were too broadly distributed for consensus to be considered
achieved. Each stakeholder was requested to review the weights submitted by the entire
stakeholder group and the revised definitions of the criteria and to make revisions to their
weights should they feel the need to do so. One stakeholder submitted revised pairwise
comparisons (the other stakeholders were satisfied with their initial work); however, the
results did not affect the distribution of the results appreciably, thus consensus could not be
considered achieved by way of a strict application of AHP. The results are provided in
Appendix E. Given that the stakeholder group was not a complete intact team, attempting to
force consensus would not have been productive, especially since the purpose of the
workshop was to verify the HRRO model and not to produce a customized version thereof for
immediate use by a specific organization. Also, as the method used to achieve consensus by
way of stakeholder deliberation in conjunction with the review and revision of criteria
weights is well known practice (Gifun & Karydas, 2010), the author deemed that expending
additional effort would be unnecessary to prove validity. Although consensus was not
achieved the stakeholders accepted the weights as shown in Figure 1.
The stakeholders unanimously agreed that the HRRO methodology represented a highly
reliable complex organization in terms of its ability to anticipate, resist, and recover from
disasters. Stating that the HRRO model could and should be customized for different
organizations, e.g. criteria, definitions, or weights, the stakeholders affirmed that the model is
generalizable.
4.4 Post initial workshop
During the period between the first and second workshop the author developed a draft
version of the constructed scales and survey forms in anticipation of stakeholder review
and consensus, as well as the weights associated with the constructed scales. This draft
version of the entire methodology was produced for the purpose of demonstrating the
HRRO methodology and eliciting opinion during the second workshop.
42
Constructed scales
The constructed scale below each criterion of the hierarchical tree is directly related to a
corresponding survey form, i.e. for every response given on a survey form there is a
corresponding constructed scale level which in turn is directly related by way of a criterion
weight and utility set by the stakeholders to a global weight. The global weight is calculated
by multiplying the utility of the selected level by the criterion weight (Karydas & Gifun,
2006; Li et al., 2009; Weil & Apostolakis, 2001). The survey forms will be discussed in
greater detail below. An example of a constructed scale used in the HRRO methodology is
shown in Figure 2. All of the constructed scales function in a similar manner, i.e. the level
selected is the one where the range shown in the description matches the score resulting from
the applicable survey form. For example, if the score resulting from the safety culture survey
form was 50 it would fall within the range of 37 < Score ≤ 55 and yield a global weight of
9.4. The range divisions within the descriptions provided in the safety culture and
organizational learning, quality improvement, and flexibility constructed scales were from the
developers of each survey form; however corresponding utilities for other criteria were
proportioned according to the author’s expert judgment for demonstration purposes. In other
applications stakeholders would insert utilities that reflect organizational values and
objectives resulting from an analytic-deliberative process. The global weight is the product of
the utility in percent times the weight of the criteria from the hierarchical tree. For example,
Figure 2 shows the weight of the criterion for safety culture as 18.7, thus the global weight
for level 2 is 50% of 18.7 or 9.4. This means that 9.4% of a total global weight of 100 is
attributed to the organization describing itself as calculative with systems in place to manage
hazards in terms of safety culture. The authors’ departed from the use of global weights as
prescribed by the Analytic Hierarchy Process (AHP) (Saaty, 1980) that total to 1.00 because
workshop participants perceived them to imply high levels of accuracy.
43
Safety Culture (maximum criterion weight 18.7 out of 100 global) Summary level measure of 18 performance measures attained from scoring sheet provided by the Hearts and Minds safety program. Organizational safety culture entails compliance with standards, process safety competency, workforce involvement, stakeholder outreach, operating procedures, safe work practices, asset integrity and reliability, contractor management, training and performance assurance, management of change, operational readiness, conduct of operations, and emergency management.
Level Description Utility Global Weight
4
Generative - highest level of safety culture where the organization is informed regarding safety issues and possesses the highest levels of trust and accountability within. (73 < Score ≤ 90) 1.00 18.70
3 Proactive - safety leadership and values drive continuous improvement. (55 < Average Score ≤ 73) 0.75 14.00
2 Calculative - systems in place to manage hazards. (37 < Score ≤ 55) 0.50 9.40
1 Reactive - safety is important and much is done every time there is an accident. (19 < Score ≤ 37) 0.25 4.70
0
Pathological - lowest level of safety culture where the organization does not care about safety unless caught by way of an accident or regulatory violation (0 < Score ≤ 19) 0.00 0.00
Figure 2 – Example: Constructed Scale for Safety Culture, Based on Hearts and Minds
(Energy Institute, 2007)
The levels and definitions for the remaining twelve constructed scales were the result of
expert opinion by the author and stakeholder input to demonstrate the model but should be
redefined by an organization’s stakeholders when applied thereto. The reader will find all of
the constructed scales in Appendix F. The constructed scales should be based upon relevant
and valid checklists or survey instruments similar to those used for the criteria, safety culture
and organizational learning, quality improvement, & flexibility. For example, in the case
studies discussed in §6.1.3 reference is made to checklists used in process safety and property
damage applications.
Survey forms
Survey forms provide decision-makers with an entry point into the methodology. Each survey
form presents a set of statements or questions applicable to each of the criteria shown in the
hierarchical tree. The survey forms are linked directly to the constructed scales and could
take the form of a checklist. Figure 3 shows one survey form out of thirteen. All of the survey
44
forms are provided in Appendix G. While each form is different the basic concepts are
similar, the intent is for the stakeholder, using the applicable response options for each form,
to select the most appropriate rating corresponding to each question and statement. To assess
the organizations level of Safety culture the stakeholder would, for each question and
statement, place a numeral 1 in the box that best matches the stakeholder’s opinion. For
example if the stakeholder’s response for Benchmarking, trends and statistics, see Figure 3, is
Management worries about the cost of accidents and the company's position in the 'league
tables'. Statistics report the immediate causes of accidents; the stakeholder would place a
numeral 1 in the box directly below the statement. When responses have been provided for all
questions the columns are summed and then multiplied by a weighting factor provided by the
developers of the Hearts and Minds program. These products are then summed and the global
weight is determined by the level identified in the applicable constructed scale.
45
Ben
chm
arki
ng, t
rend
s an
d st
atis
tics
Ther
e is
com
pli-
ance
with
sta
tuto
ry
HS
E re
porti
ng b
ut
little
mor
e th
an
that
. Ben
chm
arki
ng
is o
nly
on fi
nanc
e an
d pr
oduc
tion.
Man
agem
ent w
or-
ries
abou
t the
cos
t of
acc
iden
ts a
nd
the
com
pani
es' p
o-si
tion
in th
e 'le
ague
ta
bles
'. S
tatis
tics
repo
rt th
e im
med
i-at
e ca
uses
of a
cci-
dent
s.
Ben
chm
arki
ng o
c-cu
rs o
n a
wid
e va
ri-et
y of
indu
stry
HS
E
data
. Man
ager
s di
spla
y lo
ts o
f dat
a pu
blic
ly th
roug
hout
th
e or
gani
zatio
n.
Ther
e is
focu
s on
cu
rrent
pro
blem
s th
at c
an b
e m
eas-
ured
obj
ectiv
ely
and
sum
mar
ized
us
ing
num
bers
.
Ben
chm
arki
ng is
ag
ains
t oth
ers
in
the
sam
e in
dust
ry
and
is d
riven
by
man
agem
ent -
"try
to
be
the
best
in
the
indu
stry
". L
ook
for l
eadi
ng in
dica
-to
rs, a
naly
ze
trend
s, u
nder
stan
d th
em, a
nd u
se
them
to a
dapt
stra
t-eg
y. E
xpla
in fi
nd-
ings
to s
uper
viso
rs.
Ben
chm
ark
outs
ide
the
indu
stry
, usi
ng
both
'h
ard'
(out
com
e)
and
'sof
t' (p
roce
ss)
mea
sure
s. A
ll le
v-el
s of
the
orga
niza
-tio
n ar
e in
volv
ed in
id
entif
ying
act
ion
poin
ts fo
r im
prov
e-m
ent.
Col
umn
Sum
0
0 0
0 0
Wei
ghtin
g F
acto
r 1
2 3
4 5
Wei
ghte
d C
olum
n S
um
0 0
0 0
0
Sco
re
0 0
Glo
bal W
eigh
t 0
Figu
re 3
– E
xam
ple:
Saf
ety
Cul
ture
Sur
vey
Form
Bas
ed o
n H
eart
s an
d M
inds
(Ene
rgy
Inst
itute
, 200
7)
46
During discussions following the initial workshop it became apparent that several criteria
matched up well with already proven models, thus they were included in the HRRO model
with no change in content but with some changes in format.
1. The criterion labeled safety culture is the Hearts and Minds safety program. The
survey forms associated with this criterion were extracted from Hearts and Minds
literature. The Hearts and Minds safety program was developed by Shell Exploration
and Production in 2002 and is based upon research with leading universities since
1986 (Energy Institute, n.d.)
2. The criterion organizational learning, quality improvement, and flexibility is assessed
by way of an organizational learning assessment tool developed by P. Kline and B.
Saunders and described in Ten Steps to a Learning Organization (Kline & Saunders,
1998). According to Kline and Saunders, research began in October, 1985 in major
U.S. companies including Kodak
3. The criteria; analysis, solution design, implementation, testing & acceptance, and
maintenance were derived directly from the Code of Practice for Business Continuity
Management by the British Standards Institution (British Standards Institute, 2006)
These models became the survey forms associated with three criteria within the HRRO
methodology. Survey forms for the remaining criteria were developed using knowledge
gained from the first workshop and by reflection upon the author’s experiences during the
development and operation of the prioritization methodology described in A Method for
the efficient prioritization of infrastructure renewal projects (Karydas & Gifun, 2006) and
the methodology described in Ranking the risks from multiple hazards in a small
community (Li et al., 2009).
Summary sheet
At the end of the process opposite the constructed scales is the summary sheet. The summary
sheet accepts the results calculated by way of the survey forms and displays the
corresponding aggregate score known as the HRRO index. Each survey form is linked to the
summary sheet and weighted according to stakeholder input. Table 9 displays the summary
sheet resulting from ratings by one assessor and shows rating for the criteria in terms of
global weight and the HRRO index, i.e. the sum of all ratings. The ratings for each criterion
are subtracted from the maximum possible for the criterion to determine the difference
47
between that which is desired, maximum possible global weight, and that which exists, rated
weight in terms of global weight, i.e. the larger the difference the greater the need for a
mitigation activity that targets the criterion. The priority column in Table 9 reflects this logic
and an explanation of the results is provided in §6.1.2.
HRRO Index 36.90
Criteria
Rated Weight in Terms of Global Weight
Maximum Possible Global Weight
Maximum Possible Weight -
Rated Weight
Priority Safety Culture 9.4 18.7 9.3 2 Organizational Learning, Quality Improvement, and Flexibility 10.5 21 10.5
1
Analysis 1.0 4.1 3.1 9 Solution Design 3.3 6.6 3.3 8 Implementation 0.0 7.1 7.1 4 Testing and Acceptance 1.1 4.4 3.3 8 Maintenance 0.8 3.3 2.5 10 Emergency / Incident Response and Business Recovery 5.4 10.7 5.3
5
Objectives and Strategic Direction 2.4 9.7 7.3 3 Policies, Rules, Regulations, and Operating Procedures 0.5 2 1.5
11
Decision-Making Process 1.3 5.2 3.9 6 Communication 1.2 4.7 3.5 7 Monetary & Non-Monetary Support 0.0 2.5 2.5 10
Table 9 – Stakeholder Summary Sheet – Assessor A
4.5 Second workshop
A second workshop was held to critique the applicability and usefulness of the HRRO
methodology by applying the methodology in a test environment using real organizations
familiar to the stakeholders and to elicit comments regarding its use. Since stakeholders’
schedules prohibited a group session the author prepared each stakeholder individually.
The following describes the process undertaken; whereas, the results are provided in
§6.1.2.
The HRRO methodology was tested by five people, two of which participated in the initial
workshop described earlier. To clearly distinguish stakeholders participating in the first
workshop from those participating in the second workshop the later will be referred to as
assessors. These individuals are in positions where they would be among the people called
48
upon to participate in assessing the level of HRRO-ness of their organizations. Each person
was presented with a digital copy of the model and given instructions to complete the survey
forms and to answer several questions. The assessors were asked to fill in responses in
context of the entire organization, not just the assessor’s department and reflect upon the
resulting numerical index. While specific numerical indices are important to the assessor and
future research, it is more important to the present research to learn whether the methodology
could be useful to the assessor’s organization and whether the index reflected the assessor’s
expectations, relatively. For example, if the assessor believes that the organization is deficient
in many areas and the assessor rated the organization accordingly, the HRRO index should be
low.
4.6 Chapter summary
This chapter described the process by which the HRRO methodology was developed. Two
stakeholder workshops were employed. The first was used to achieve consensus on criteria
definitions and weights presented in draft form while the second focused on achieving
acceptance of the entire methodology as a legitimate means to determine an organizations
level of vulnerability. Comments by the participants in the second workshop are provided in
§6.1.2. In the next chapter applications of the HRRO methodology are discussed.
49
Chapter 5 Application of the Highly Reliable Resilient
Organization methodology
The HRRO methodology provides the functionality to:
1. Assess the vulnerability state of an organization regarding its prerequisite criteria,
2. Estimate the potential impact of a disturbance in terms of prerequisite organizational
criteria,
3. Estimate the effect of a project or initiative under consideration to mitigate or
eliminate vulnerability in terms of prerequisite organizational criteria and use the
estimates to prioritize organizational improvement projects,
4. Estimate the effect of a project or initiative under consideration to mitigate or
eliminate vulnerability in terms of disturbances, infrastructures, and physical assets
and use the estimates for prioritization purposes, and;
5. Measure the success of all of the above
Each of these functions will be explained in greater detail within this chapter along with an
explanation of the use of the methodology in instances where the cost of risk avoidance is
included.
The output of the HRRO methodology is an index representing the stakeholder’s rating of the
survey questions where lower relative indices reflect more vulnerability. In instances where
multiple stakeholders are involved in the process each survey form response should be the
result of deliberation amongst stakeholders and reflect consensus therefrom. This index can
also function as the benefit term in the benefit-to-cost ratio in instances where the monetary
and non-monetary aspects of a risk should be considered together for the purpose of avoiding
a risk.
5.1 Application of processes
5.1.1 Baseline assessment
The assessment process is intended to determine the level of HRRO-ness of prerequisite
organizational criteria at anytime, preferably preemptively, i.e. before the realization of a
50
disturbance but it can be used correctively as well, i.e. following the realization of a
disturbance. The purpose of such assessments is to determine a baseline level of HRRO-ness
to which change can be compared. Figure 4 describes this process in the format of a
flowchart.
2. Determine HRRO Index via
Checklists
3. Level of HRRO-ness 4. B1. Complete
Checklists
Figure 4 - HRRO Process Flowchart for Baseline Assessment Purposes
The steps are explained as follows:
1. Complete checklists: The stakeholder(s) fill in the checklists associated with each of
the criteria shown on the HRRO hierarchical tree in Figure 1
2. Determine HRRO index via checklists: The checklist calculates an index based on the
weights shown on the hierarchical tree and the responses made by the stakeholder(s)
3. Level of HRRO-ness: The result of Step 2. Relative high levels of HRRO are preferred
over relative low levels
4. B: Connector to decision success measurement process
5.1.2 Estimate potential disturbance of prerequisite organizational criteria
To estimate the potential effect of a project or initiative intended to mitigate vulnerability
associated with prerequisite organizational criteria stakeholders respond to the survey form
questions as if the project or initiative had been implemented. This process is described in
Figure 5 as follows.
Figure 5 - HRRO Process Flowchart for Estimating Effect of Potential Disturbance of Prerequisite Organizational Criteria
2. Scenario Development 1. Disturbances
4. Determine HRRO Index via
Checklists6.B
5. Level of HRRO -ness
Given Implementation
3. Complete Checklists
51
The steps are explained as follows:
1. Disturbances: Identify credible potential disturbances and risks to the prerequisite
organizational criteria
2. Scenario development: Develop and describe scenarios using credible disturbances
3. Complete checklists: The stakeholder(s) fill in the checklists associated with each of
the criteria shown on the HRRO hierarchical tree in Figure 1 in context of each
scenario
4. Determine HRRO index via checklists: The checklist calculates an index based on the
weights shown on the hierarchical tree and the responses made by the stakeholder(s)
5. Level of HRRO-ness given implementation: The result of Step 5 where relative high
levels of HRRO are preferred over relative low levels
6. B: Connector to decision success measurement process
5.1.3 Prioritization of projects or initiatives to mitigate the potential disturbance of
prerequisite organizational criteria
The HRRO methodology provides the means for prioritization where the prioritization
process is intended to aid decision makers with the task of selecting organizational
improvement projects for funding and implementation by using the criteria shown in Figure
1, to determine the benefits that could be realized by implementing such projects or initiatives
and to bring into consideration the cost to do so. Refer to Figure 6 and the explanation of the
steps that comprise the process that immediately follows.
52
Figure 6 - HRRO Process Flowchart for Organizational Improvement Prioritization Purposes
1. Scenario development: Develop and describe scenarios using credible disturbances
associated with prerequisite organizational criteria, i.e. organizational improvement
projects or initiatives as identified by baseline assessments
2. Develop organizational improvement projects (scope & cost): Using the results of
baseline assessments and the scenarios developed in Step 1 identify where in the
organization vulnerability is unacceptable and develop organizational improvement
projects and initiatives to eliminate or mitigate such vulnerabilities. Develop project
scope statements and estimates
3. Identicalness of benefits: Benefits associated with projects are similar, e.g. the
selection of an accounting system out of several accounting system alternatives
(benefit is accurate and timely financial information) or the benefits are dissimilar,
53
e.g. different projects under selection consideration such as an accounting system
versus a risk identification and assessment methodology
4. For projects with similar benefits:
a. Determine life-cycle cost of each alternative: Use established methods to
calculate life-cycle cost
b. Select alternative with lowest life-cycle cost: Self explanatory; however,
selection could be modified by decision makers
c. Determine HRRO index selected alternative: Determine the HRRO index of
the selected alternative if not already known
5. For projects with dissimilar benefits:
a. Determine life-cycle cost: Determine life-cycle costs for each project or
initiative under consideration
b. Determine HRRO index all alternatives with dissimilar benefits: Determine
HRRO index of each alternative among those with dissimilar benefits
6. Calculate benefit-to-cost ratio: Calculate benefit-to-cost ratio (BCR) for each
organizational improvement project or initiative using HRRO index in numerator and
life-cycle cost in denominator. With all else equal, including results of deliberation,
projects or initiatives with higher BCRs should be selected and funded ahead of those
with lower BCRs as they represent the elimination or mitigation of more vulnerability
at a relatively lower cost. Refer to §5.2
7. A: Connector to balance of process
8. Preliminary prioritized list: List of organizational improvement projects or initiatives
in descending order of benefit-to-cost ratio
9. Deliberation & prioritization: discussion among stakeholders regarding preliminary
list and any required adjustments
10. Prioritized list: List of projects in order established in Step 8
11. Implementation: Funding and actual installation of projects or launch of initiatives
according to established priority
12. Determine HRRO index as implemented: Calculate HRRO index taking into
consideration Scope And Affect Of Implemented Projects
13. Level of HRRO-ness following implementation: The result of Step 12
14. B: Output to decision success measurement process
54
5.1.4 Estimate potential disturbance or impact to infrastructures and physical assets
The methodology needed to estimate the potential effect of a project or initiative intended to
mitigate vulnerabilities associated with infrastructures, physical assets, and disturbances not
related to prerequisite organizational criteria is similar, but not identical to, the methodology
needed to estimate effects on prerequisite organizational criteria. The criteria in this instance
include impact on people and environment, facility condition, external image, and
interruption of operation, thus the criteria in the HRRO methodology do not apply. For more
background information regarding this process please refer to the explanation related to MIT
at DRU in Appendix B and A Method for the efficient prioritization of infrastructure renewal
projects by Karydas and Gifun (Karydas & Gifun, 2006).
5.1.5 Prioritize projects or initiatives intended to mitigate vulnerabilities associated
with infrastructures, physical assets, and disturbances not related to prerequisite
organizational criteria
Prioritization of disturbance elimination and mitigation projects addressing physical assets
such as buildings and utility distribution systems should be evaluated and rated according to
the process described by Karydas and Gifun in A Method for the Efficient Prioritization of
Infrastructure Renewal Projects (Karydas & Gifun, 2006). In this instance the criteria of the
hierarchical tree address potential impacts on people, death or injury, impact on the
environment, loss of cost savings, intellectual property damage, physical property damage,
interruption time, complexity of contingencies, impact on external and internal image, and
programs affected by the project should the project not be implemented. This process is
shown in Figure 7 and is explained in the steps that immediately follow.
55
Figure 7 - Disturbance Elimination and Mitigation Project Prioritization Process
(Karydas & Gifun, 2006)
1. Potential projects: Represents the many sources of projects for funding and
implementation consideration
2. Initial sorting: A pre-screening process to increase effectiveness and efficiency and
minimize implementation delays by sorting projects into groups such as those that
must be implemented, those that should not be implemented, those of low cost that are
better handled within day-to-day operational entities, and those that should be
prioritized according to the methodology
3. Must do: Projects with compelling reasons for implementation without regard for rank
determined by prioritization process, e.g. a leadership directive, a major safety
problem, or a regulatory edict
4. Priority verification: If projects identified by Step 3 are believed to divert resources
from higher risk projects then rating these projects according to the prioritization
process could be useful in deliberations about potential risk to the organization with
those promoting projects identified by Step 3
5. Low cost items: Projects small enough in cost to be undertaken directly by the
organization’s operational entity, e.g. maintenance personnel
6. Must not do: Projects with compelling reasons not to be implemented, e.g. a project in
a building slated for demolition
7. Prioritization methodology: Determination of performance indices for each project
based upon assessor ratings and the hierarchy described in Karydas and Gifun
(Karydas & Gifun, 2006)
8. Initial list: A list of projects prioritized according to each project’s performance index
56
9. Validate: Deliberation process undertaken by assessors to validate or modify the
initial list
10. Final list: Prioritized project list approved for implementation
11. Implementation: Funding and physical installation of projects according to priority
established in Step 10
5.1.6 Implementation Decision Success Measurement Process
The success of vulnerability elimination and mitigation decisions can be determined by
assessing the organization following the implementation of a project or initiative and
comparing the result to the assessment made before implementation. That is if the result from
subtracting the HRRO index post implementation from the HRRO index prior to
implementation yields a positive number vulnerability had been lessened. However, if the
difference is negative vulnerability had been increased
A rough measure of economic effectiveness, actual or speculative, in context of
organizational sustainability regarding an organizational improvement decision can be
determined by the ratio shown in equation 1.
∑
∑
=
== T
tt
T
tt
P
FOS
0
0 (Eq.1)
where: OS = level of organizational sustainability, Ft = net profit in period t following implementation of mitigation projects or
initiatives, and Pt = net profit in period t prior to implementation of mitigation projects or
initiatives. T = Duration of period t.
The sustainability of an organization that implements organizational improvement projects
can be measured by the degree the risk avoided by implementation of the project affects the
net profit (net assets) of the organization. Thus the sum of improvement efforts undertaken by
an organization in a given time period enable it to sustain itself, if in the same time period,
the ratio of net profit following implementation over net profit prior to implementation equals
or exceeds 1 or does not sustain itself if the ratio is less than 1.
57
5.2 Prioritization: benefit-to-cost
The HRRO methodology can be used to prioritize potential mitigation projects and initiatives
preemptively by way of the HRRO index alone where the resulting index is determined by
speculation, i.e. by way of ratings given that the project or initiative is in place (Karydas &
Gifun, 2006). Therefore, the larger the index the more benefit to be derived. However, the
HRRO methodology is intended to aid decision makers with the task of selecting
organizational vulnerability elimination or mitigation projects for funding and
implementation by determining the benefits that could be realized by implementing such
projects or initiatives and to bring into consideration the cost to do so, i.e. the cost of risk
avoidance. The process enables the organization to make effective prioritization decisions
that include the monetary and non-monetary aspects of each over the life-cycle of the project
or initiative in a single benefit-to-cost ratio (BCR). In this methodology the benefit term of
the BCR is the HRRO index determined for the life-cycle of the benefit while the cost term is
the life-cycle cost of the project or initiative. The ratio of HRRO index, life-cycle over the
life-cycle cost includes a variation of the traditional benefit-to-cost ratio (ASTM
International, 2002) as provided by the AHP (Saaty, 1980). BCRs inform the deliberations
regarding selection and funding as they place all items under consideration in similar terms.
In this instance, all other aspects including results of deliberation equal, projects or initiatives
with higher BCRs should be selected and funded ahead of those with lower BCRs as they
represent the elimination or mitigation of more vulnerability at a relatively lower cost. Since
the use of BCR and its variations are well known in practice and in the literature a more
detailed explanation is not given nor was such functionality tested during stakeholder
workshops.
5.3 Chapter summary
Chapter 5 describes the several ways the HRRO methodology can be applied to
organizational situations regarding vulnerability and risk avoidance by way of a systematic
approach. The HRRO methodology produces a numerical index that enables the organization
to:
1. Assess vulnerability preemptively by way of scenarios, in terms of prerequisite
criteria, as a way to determine the proposed effect of a disturbance or the
implementation of a proposed mitigation project or initiative under consideration,
58
2. Assess the vulnerability of organizational prerequisite criteria correctively, i.e. post
impact to determine its effect on the organization,
3. Prioritize proposed vulnerability mitigation projects or initiatives, organizational
improvement and physical asset, using criteria determined by the organization’s
stakeholders, and;
4. Include the cost of risk avoidance with non-monetary criteria in benefit-to-cost
analyses
Validation of the HRRO methodology remains to be proven; however, it will be addressed in
Chapter 6.
59
Chapter 6 Analysis and Reflection
The intent of this chapter is to describe the validation processes undertaken during this
research and the author’s assessment of the research process.
6.1 Validity
To validate the research done within the scope of this paper the following were undertaken.
1. An examination of the models from which the HRRO methodology is derived, i.e.
validation by way of valid parts
2. Validation of the HRRO methodology by way of stakeholder feedback during
workshops
3. The retrospective application of the HRRO methodology in two case studies
4. Comparison of the HRRO model to a well validated risk quality benchmarking
algorithm
6.1.1 Validation: by way of valid parts
The HRRO methodology evolved from nine proven organizational models. Eight of the
models; High Reliability Organization, the Disaster Resistant University, the Resilient
Enterprise, Enterprise Risk Management, Risk-Based Process Safety, Reactor Oversight
Process, Hearts and Minds, and Business Continuity Planning have been in use for many
years thus considered valid.
DRU at MIT, one of the nine models, was validated by way of a deliberative process with a
diverse group of 50 stakeholders; consisting of members of the academy; administrative staff;
engineers, students, environment, health, and safety professionals, and police. Revisions were
made in response to feedback received during the many workshops. DRU at MIT was
presented to members of the senior administration and accepted. While the model used in
DRU at MIT is different than that used in the HRRO model (they are used for different
purposes) they are based upon fundamental research by Weil and Apostolakis (Weil &
Apostolakis, 2001) that had been adapted to and tested over several years. That is, DRU at
MIT is an adaptation by Apostolakis and Lemon (Apostolakis & Lemon, 2005) of the
60
research undertaken initially by Weil and Apostolakis and subsequently adapted by Karydas
and Gifun (Karydas & Gifun, 2006).
Within the DRU at MIT model and the HRRO methodology are prioritization methodologies
based on work that has been in use for several years by the author to prioritize infrastructure
renewal projects; to date 353 projects have been prioritized. A detailed explanation of the
implementation of the prioritization methodology is provided in Appendix H.
6.1.2 Validation: stakeholder feedback
The summary sheet, as shown in Table 9, serves two purposes 1) it displays the HRRO index
and the portion of the global weight contributed thereto by each criterion and 2) it displays
the difference between the global weights resulting from the assessment and their
corresponding maximum weights. Thus, the summary sheet provides a ranking of criteria in
order of greatest need for improvement. In the example shown in Table 9 the criterion
Organizational Learning, Quality Improvement, and Flexibility exhibits the larger difference
and is therefore is given first priority as the organization will benefit most by implementing
projects or initiatives that target organizational learning, quality improvement, and flexibility
activities. In most organizations multiple stakeholders will participate in the rating and
prioritization process where deliberation is recommended to resolve differences between
stakeholder ratings.
Table 10 shows the prioritized order of improvement opportunities for each assessor
according to the criteria, i.e. one of the results of the second workshop. Assessor responses
and calculated priorities are shown in Appendix E. Since the goal of the workshop was to
verify the HRRO methodology a final prioritized list of areas that could benefit from
improvement opportunities was not a necessary result for this research. Therefore,
stakeholder deliberation was not undertaken.
Because of confidentiality reasons the names of the organizations, the type of industry in
which they compete, location and geographical area, nor the names and affiliations of the
assessor’s will be disclosed. Assessors B, C, D, and E are from the same organization, where
Assessors C, D, and E are from the same department. Assessor A is from a different
organization but within the same industry as represented by B, C, D, and E. Both
organizations are very successful.
61
Priority by Assessor
Criteria A B C D E Safety Culture 2 3 5 5 3 Organizational Learning, Quality Improvement, and Flexibility 1 1 1 1 1 Analysis 9 7 7 7 8 Solution Design 8 6 6 8 6 Implementation 4 2 2 3 2 Testing and Acceptance 8 8 8 6 7 Maintenance 10 10 11 9 11 Emergency / Incident Response and Business Recovery 5 5 3 4 4 Objectives and Strategic Direction 3 4 4 2 5 Policies, Rules, Regulations, and Operating Procedures 11 12 13 11 13 Decision-Making Process 6 8 9 8 9 Communication 7 9 10 9 10 Monetary & Non-Monetary Support 10 11 12 10 12
Table 10 – Prioritized Criteria Improvement Opportunities from Second Workshop
(without deliberation)
Even without the benefit of deliberation Table 10 shows by way of the range of the priority
reported for each criterion by each assessor that several levels of consistency across the two
organizations and among Assessors B – E exist. The evidence suggests that had a full
deliberation process been undertaken higher levels of consistency would have been achieved.
The purpose of Table 10 in practice is to show areas where improvement opportunities can be
targeted; thus, the organization represented by Assessors B, C, D, and E and the organization
represented by Assessor A would benefit from implementing organizational improvement
projects and initiatives in the area of organizational learning, quality improvement and
flexibility.
The majority of the assessors stated that the resulting HRRO index matched their
expectations of their organizations. Equally important the assessors provided valuable
information regarding their experiences with the HRRO model by way of written responses
to questions, written comments, and comments offered during follow-up conversations. The
following are the questions asked of the assessors.
62
• How well did the resulting index match your expectations, i.e. how well does it reflect
your impression of the organization?
• Were there any criteria that you believe were missing? If yes, please identify those
that you feel should be added?
• Were there any criteria that you believe were superfluous? If yes please identify those
that you believe are unnecessary?
• Would you like to make other changes to the survey forms including text? If yes,
please identify the changes?
• Are there any additional comments you would like to offer? If yes, what are they?
A compilation of assessor responses offered during conversations with each assessor is
provided in Appendix I. Assessor A provided affirmative feedback but most interesting
though is the feedback offered by Assessors B, C, D, and E as they are employees of the
same organization.
Assessor B, by way of the responses shown, e.g. “Some responses didn’t in my mind match
[reserved to ensure anonymity] practices and I was not convinced that the answer I chose in
default was an accurate reflection of how things are done,” could be considered unqualified
to evaluate the assessor’s entire organization. However, in the author’s opinion the assessor’s
position belies such a conclusion. That is, Assessor B would be one of the individuals whose
day-to-day responsibilities would require participation. Therefore, the author speculates that
Assessor B is either uncomfortable with the use of decision support models or not accepting
of the attribute weights and definitions provided in the HRRO model as presented. Therefore,
this assessor’s comfort and ability to use the HRRO model would be greatly enhanced by
learning more about the principles upon which the model is founded and by participating in
the customization of the model for Assessor B’s organization.
Assessors C responded to all survey questions and several of the most interesting responses
are provided as follows. 1) Assessor C expressed regret in not participating in the weighting
exercises undertaken during the first workshop as such participation would have been useful
means to calibrate responses. 2) There is a need to customize the language of the survey
instrument to match the vocabulary used in the organization being surveyed. 3) A
fundamental question about who in an organization is qualified to complete the survey forms.
63
In the author’s opinion the persons in an organization qualified to fill out the survey forms are
those responsible for risk management and similar functions.
Assessor D provided affirmative feedback.
Assessor E provided thoughtful and detailed comments including the redundancy of several
attributes and the desire to include additional attributes. Referring to the survey forms there is
a conflict between Safety Culture, G Calculative, i.e. there is some on-the-job transfer of
training to other workers and in Organizational Learning, Quality Improvement, and
Flexibility, 10, i.e. there are formal and informal structures designed to encourage people to
share what they learn with their peers and the rest of the organization and 19, i.e. cross-
functional learning opportunities are expected and organized on a regular basis, so that
people understand the functions of others whose jobs are different, but of related importance.
That is sharing of knowledge acquired during training could be counted in both Safety
Culture and Organizational Learning, Quality Improvement, and Flexibility thus the author
should revise the text associated with Safety Culture. However, the text from organizational
learning will remain as written because one focuses on organizational structure while the
other focuses on the development and implementation of opportunities. The text should be
revised to explain the difference. Assessor E further states the need to include succession
planning as an attribute; however, the author believes that it would fit better within
Emergency Incident / Response and Business Continuity. Revisions should be made
accordingly.
The author does not agree with Assessor E’s comment made about the redundancy of
attributes regarding training resources, i.e. “I found some attributes to be slightly redundant,
for example cross-training and devotion to resources for training.” 1) Because in Safety
Culture G the text referring to how money is made available for training following an
incident refers to the quality of the organization in that it does not fund things unless required
or it feels the need to do so because of due diligence. 2) In Organizational Learning, Quality
Improvement, and Flexibility, 28 measures the provision of encouragement and resources for
people to become self directed learners while 30 refers to overall organizational strategy and
demonstrated support for a learning program.
Assessor E also indicates the need for adding attributes that measure employee understanding
of their role in building organizational resilience and how managers communicate these
64
expectations. The essence of this comment is already within the Governance branch of the
hierarchical tree; however, minor revision to the text is required to make it clear. Also
Assessor E poses the need for including financial planning elements that include contingency
plans and vulnerability to supply and service chains and like the previous comment the
existing model already captures the intent. Minor revisions are required to the text associated
with the attributes Emergency Incident / Response and Business Continuity and Analysis. The
shareholder comment is fundamental to this dissertation; explicit and demonstrative
shareholder and leadership involvement and responsibility in the area of organizational
vulnerability. As Assessor E suggests organization leaders and shareholders should be asked
directly their opinion whether or not the HRRO index matches their expectations and reflects
their impressions of the organization.
The following is a summary of the main themes derived from the comments.
• The instructions given to stakeholders should clearly indicate the boundaries of the
organization under evaluation, such as the entire organization or the stakeholder’s
department
• Stakeholders should participate in the weighting of the criteria and the development of
the constructed scales. This provides one with in-depth knowledge of the weights and
the definitions of attributes and constructed scale levels and enables the stakeholder to
accept the results
• The vocabulary used in the forms should be customizable to fit a specific organization
• The criteria provided in the HRRO model were considered appropriate; however
some revision should be considered
6.1.3 Validation: case studies
Two case studies were used to validate the HRRO model retrospectively that also provide
examples of applicability for the HRRO methodology. The HRRO criteria are compared to
recommendations provided in reports written by others of relevant and external events to
determine whether the HRRO model could have predicted the recommendations. The
comparison process begins with 1) the recommendation offered by the report, 2) the selection
of the HRRO criterion and HRRO survey form question that best matches the intent of the
recommendation, and 3) the means, including relevant standards and checklists, by which the
65
recommendation could have been predicted from deliberations amongst stakeholders using
the HRRO methodology. In practice the HRRO methodology will be used preemptively and
when doing so the following steps should be followed; 1) rate the criteria by responding to
the survey questions and 2) develop actionable recommendations by way of deliberation and
the use of relevant checklists, guidelines, standards such as Guidelines for Risk-Based
Process Safety by the Center for Chemical Process Safety (Center for Chemical Process
Safety, 2007) for criteria related to chemical processes, and industry-proven review
processes. The guidelines and standards could be different for different industries; therefore,
more applicable guidelines should be substituted where necessary.
The first case study has to do with a process accident that occurred on March 23, 2005 at the
BP refinery in Texas City, Texas in the United States of America while the second has to do
with a high-rise building fire that occurred on May 13, 2008 at Delft University of
Technology in The Netherlands.
Catastrophic process accident at BP Texas City refinery on March 23, 2005
The Baker Panel was formed following the accident of March 23, 2005 in response to a
recommendation by the U.S. Chemical Safety and Hazard Investigation Board that conducted
a thorough review of the company’s corporate safety culture, safety management systems,
and corporate safety oversight at its U.S. refineries (Baker et al., 2007). This case study will
focus on the recommendations of the Baker Panel and not specifically on the elements of the
accident. A brief account of the event follows.
On March 23, 2005, at 1:20 p.m., the BP Texas City Refinery suffered one of the worst
industrial disasters in recent U.S. history. Explosions and fires killed 15 people and injured
another 180, alarmed the community, and resulted in financial losses exceeding $1.5 billion.
The incident occurred during the startup of a process unit when a tower was overfilled;
pressure relief devices opened, resulting in a flammable liquid geyser from a stack that was
not equipped with a flare to burn it off. The release of flammables led to an explosion and
fire. All of the fatalities occurred in or near office trailers located close to the unit. A shelter-
in-place order was issued that required 43,000 people in the vicinity of the refinery to remain
indoors. Houses were damaged as far away as three-quarters of a mile from the refinery (U.S.
Chemical Safety and Hazard Investigation Board, 2007).
66
Table 11 shows a sample version of the recommendations of the Baker Panel alongside
applicable elements within the HRRO model and the means by which BP could have
predicted the recommendation preemptively.
Recommendations of Baker Panel HRRO Criteria and Survey Form Questions that Best Match Recommendation. (Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions)
Suggested means by which recommendation could have resulted from HRRO methodology
Process Safety Leadership: The Board of Directors of BP, BP’s executive management, and other members of BP’s corporate management must provide effective leadership on and establish appropriate goals for process safety.
Objectives and strategic direction (1 )
Process safety culture, criterion with applicable performance measures within the risk-based process safety model (Center for Chemical Process Safety, 2007)
Table 11 – Comparison of Recommendations of Baker Panel Report (Baker et al., 2007)
and HRRO (Sample)
The complete version of Table 11 is located in Appendix J and shows fourteen
recommendations each of which match specific HRRO criteria and survey form questions.
The Baker Panel Report provides recommendations that matched nine of the thirteen HRRO
criteria at the performance measure level, refer to Figure 1. Four of the nine HRRO criteria
were matched twice and one recommendation matched that which would be the potential
benefit of the entire HRRO methodology when implemented, i.e. transform BP into a
recognized leader in process safety management. The Baker Panel Report did not provide
recommendations that specifically match the performance measures Organizational
Learning, Quality Improvement, and Flexibility; Analysis; Decision-Making Process; and
Communication.
High-rise building fire at Delft University of Technology on May 13, 2008
Three reports were reviewed, i.e. reports by the COT Institute for Security and Crisis
Management, Ernst & Young, and Interseco LTD. Reports by the COT Institute and Ernst &
Young were compared to applicable elements within the HRRO model that could have been
used by TU Delft to preemptively originate and implement the recommendations made in
67
each report. The report by Interseco LTD, coordinated by D. Bakker, does not offer
recommendations but provided considerable background information. A brief account of the
building fire event follows.
On May 13, 2008 a fire occurred in an academic building that was caused by a short circuit in
a coffee machine due to the intrusion of water caused by the failure of a poorly soldered
water pipe fitting. As the pipe fitting failure occurred during the long holiday weekend that
included Monday May 12th, 2008; flooding was extensive. Prior to the fire building
maintenance personnel discovered the flooding and removed electric plugs from wall outlets
in affected areas to protect equipment. However, the plug to a coffee machine on the sixth
floor was not removed because the machine was too heavy to move, thus not accessible.
Eventually a sufficient volume of water flowed into the machine and caused the short circuit
that led to the fire. The building was served by an internal fire hose system and firefighters
found insufficient water pressure because pressurization pumps were turned off and a valve
from a hydrant repair a few weeks earlier was not re-opened. When the problem was
discovered air within the pipes prevented the full flow of water. In the time required to
release the trapped air and provide water to the firefighters the fire had intensified and in fear
of their safety the firefighters were recalled from the building. A portion of the building
collapsed later in the day and eventually it was razed. The building was a total loss and much
of the contents were destroyed (Bakker, 2009; Berg van den, 2008; Delft University of
Technology, Marketing & Communication, 2008; Ernst & Young, 2009; Zannoni, Bos,
Engel, & Rosenthal, 2008). The property loss was €118.5 million (Delft University of
Technology, Marketing & Communication, 2009).
The COT Institute for Security and Crisis Management report entitled Fire at Architecture:
Evaluation of the Crisis Control and Licensing Around the Devastating Fire at the Faculty of
Architecture at TU Delft (Zannoni et al., 2008) was commissioned by the Delft municipality
and focused on municipal emergency responders external to TU Delft.
Table 12 shows a sample version of the recommendations of the COT Institute alongside
applicable elements within the HRRO model and the means by which TU Delft could have
predicted the recommendation preemptively.
68
Recommendations of COT Institute Report
HRRO Criteria and Survey Form Questions that Best Match Recommendation. (Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions)
Suggested means by which recommendation could have resulted from HRRO methodology
Develop clear plans for large fire safety improvement projects that also include phasing and monitoring
Solution design (1 ) Property loss prevention data sheet (FM Global, 2009a): 10-1 Pre-incident planning with the public fire service
Table 12 – Comparison of Recommendations of COT Institute for Security and Crisis
Management (Zannoni et al., 2008) and HRRO (Sample)
The complete version of Table 12 is located in Appendix K and shows nine recommendations
each of which match to specific HRRO criteria and survey form questions. The COT Institute
Report provides recommendations that matched three of the thirteen criteria at the
performance measure level, i.e. Analysis (once), Solution Design (once), and Emergency /
Incident Response & Business Recovery (seven times).
The Ernst & Young report, Evaluation Report: Crisis Management During Fire May 13,
2008 (Ernst & Young, 2009) was commissioned by Delft University of Technology and
GAB Robins, a provider of risk and claims management services and solutions to the
insurance and self-insured marketplace, for the purpose of fact finding.
Table 13 shows a sample version of the recommendations of Ernst & Young alongside
applicable elements within the HRRO model and the means by which TU Delft could have
come up with the recommendation preemptively. The complete version is located in
Appendix L and shows six recommendations each of which match to specific HRRO criteria
and survey form questions. The Ernst & Young Report provides recommendations that match
two of the thirteen criteria at the performance measure level, i.e. Analysis (once) and
Emergency / Incident Response & Business Recovery (five times).
69
Recommendations of Ernst & Young Report
HRRO Criteria and Survey Form Questions that Best Match Recommendation. (Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions)
Suggested means by which recommendation could have resulted from HRRO methodology
Scenario-based training at the strategic level of the organization:
From the learning gained from the fire develop and implement scenario-based training that engages the strategic level of the organization and incorporates worst case scenarios that include serious injury and death of occupants
Emergency / incident response and business recovery (2 )
Property loss prevention data sheet (FM Global, 2009a): 10-2 Emergency Response
Table 13 – Comparison of Recommendations of Ernst & Young (Ernst & Young, 2009)
and HRRO (Sample)
Conclusions from both case studies
From the complete comparison of recommendations for both case studies one can see that the
HRRO methodology can predict recommendations consistent with the Baker Panel report
with regard to the explosion at the BP refinery and the COT Institute and Ernst & Young
reports for the fire at the university in Delft. A shortcoming associated with the TU Delft case
study is that the COT Institute and Ernst & Young recommendations narrowly target fire
prevention and response activities and crisis management while the Baker Panel
recommendations broadly focus on organizational issues that could have prevented the
incident from occurring. Thus the TU Delft case study validates a part of the HRRO
methodology while the BP case study provides a greater level of validation
This result indicates that the HRRO methodology should be applied broadly to an
organization, as it was designed, and can be applied generally in similar applications;
however, the methodology should be customized for each application by the stakeholders
associated with the application.
70
6.1.4 Validation: comparison to an independent risk quality benchmarking algorithm
Assessors B, C, D, and E work within the same organization and since the score based on a
well validated widely-used location risk quality benchmarking algorithm model is known for
this organization, a comparison to the stakeholder’s HRRO index is warranted. The algorithm
is modeled on loss prevention engineering standards and experience gained over 175 years.
Its scores directly correlate to loss frequency and severity and can be used for prioritizing and
budgeting risk improvement opportunities. It uses a 100-point risk quality scale; where high
scores represent well-managed risks with a lower probability of loss and low scores represent
risks with a higher probability of loss. On average the low scores represent losses that are
eight times larger and occur four times more often than losses associated with high scores.
The score produced by the algorithm is apportioned as follows: 36% for fire and equipment
hazards, 30% for natural hazards, 19% for human element and other factors, and 15% for
inherent occupancy hazards. The score includes a measure of both inherent risk (that cannot
be changed), e.g. local climate, as well as risks that can be lessened by implementing
improvement recommendations, e.g. repair of a roof (FM Global, 2008; FM Global, 2009b).
The initial indices offered by Stakeholders B, C, D, and E were 53.4, 53.5, 50.6, and 70.4
respectively and the organization’s risk quality algorithm-based score was 52 1
2. Direct
comparison should not be undertaken because Stakeholders B, C, D, and E did not achieve
consensus on a single index as the complete deliberation process was not done, i.e. it was not
part of the stakeholders’ original scope of work. Also, statistical analyses regarding the
reliability of the stakeholders’ ratings are not necessary because two of the fundamental
principles embedded in the HRRO methodology are (MAUT) and the analytic-deliberative
process. Through the use of MAUT stakeholders establish their alignment with each other by
way of consensus on the attributes, i.e. their definitions and relative weights. In instances
where there may be a difference in opinion the deliberation process is triggered. In the end,
by way of consensus among the stakeholders a single reliable rating is produced.
Given the initial results one could predict that consensus would produce an index in the low
to mid 50s. Although inconclusive at this time further exploration of the alignment of the
HRRO methodology and the risk quality benchmarking algorithm model is warranted.
However, as enticing as it may be it is premature to draw broad conclusions regarding
2 The organization’s actual 2009 score of 41 was adjusted proportionally to 52 on a scale where 100 is the highest achievable score so that both can be compared properly.
71
alignment or use the risk quality benchmarking algorithm as sole means to support the
validity of the HRRO methodology.
6.2 Reflection
Looking back at the quality of the research in terms of the person who performs the research
and the decisions made during the research process provides commentary on the usefulness
and validity of the work. While the author believes that this reflection supports the validity of
this research and that the result is useful to organizations it is the reader who will finally
decide. During the term of the research many decisions were made and the theoretical,
practical, and personal implications of the major decisions are as follows.
The author’s primary criticism of this research is that the sample size was small and not all of
the functions of the methodology were tested with stakeholders in at least long duration
exercises that mimicked real organizations. To achieve the most convincing results the
stakeholders should have actually worked completely through the methodology from defining
and weighting criteria to measuring the success of implementation decisions. While it is easy
to conclude that one should involve an organization in many months of work in order to get
the research right, the practical implications of doing so were enormous. The stakeholders,
while interested in the present research, simply could not give more time than they did in
order to create a customized model for their organizations. The author empathizes with the
stakeholders because during the development of the prioritization functionality in which the
author was involved much was asked of and given by the stakeholders and they were fully
engaged participants looking for a way to improve project prioritization and funding
decisions (Karydas & Gifun, 2006). That said, the results of this research are useful and valid
as most of the components of the methodology have been tested extensively albeit external to
this research; particularly the application of the analytic-deliberative process, MAUT, AHP,
and the prioritization and benefit-to-cost functions. In the author’s opinion the only aspect of
the methodology that has not benefited from broad use over many years is the combination of
these components, the contribution of this research. Therefore, the benefit to be gained by a
protracted experiment notwithstanding the author decided that the stakeholders should be
subject to only as much work as to prove the value of the methodology.
The draft approach used to prompt reaction during workshops provided efficiency over
creating the material with the stakeholders starting with the very first word. In this instance
72
the stakeholders reacted favorably as they appreciated the value of the time saved. While the
author did not experience any difficulties with this approach one should recognize that some
organizations or people may not react as favorably as they could feel that a preconceived
solution was being forced.
In this research AHP was used only for its calculating functionality pertaining to pairwise
comparisons for criteria weighting. While AHP is a versatile decision support system MAUT
was used to provide the fundamental structure of the HRRO methodology. The reason being
two fold, 1) the author is familiar with MAUT in real applications and 2) the use of MAUT
avoids the criticism directed to AHP as a decision support system and in turn the HRRO
methodology. Among these criticisms is that the introduction of new alternatives can reverse
the rank of existing alternatives and that weights are elicited in AHP without reference to the
scales on which the criteria are measured (Goodwin & Wright, 2000). While careful attention
during the methodology development process can forestall or lessen the impact of the
problems to which the criticisms are founded, avoidance was preferred. In all workshop
instances where new criteria were introduced or where revisions were made such changes
were verified against the principles of MAUT regarding the desirable properties of the set of
criteria (attributes).
• Completeness: the number of criteria are sufficient to adequately indicate the degree
to which the overall objective is met,
• Operational: the set of criteria must be conclusive so that they help the decision maker
choose the best course of action,
• Decomposable: to reduce the inherent difficulties associated with complexity the
criteria can be broken down into smaller parts if necessary but not so far as to
diminish their importance
• Nonredundancy: the criteria should be defined to avoid the potential for double
counting, and:
• Minimum size: the set of criteria should be as small as possible to be efficient
(Keeney & Raiffa, 1993).
As expected, the literature review process undertaken throughout this research proved to be
invaluable as the information acquired thereby grounded the research by way of the successes
and failures of others. Unexpectedly though, the literature review process was one of the
73
author’s most valuable experiences personally as it provided information and the means to
acquire information that was directly transferable to the author’s current professional
activities.
6.3 Chapter Summary
The validity of the HRRO methodology, the primary subject of this chapter, was proven by
way of a discussion of the validity of its component parts, stakeholder feedback provided
during workshops, and a retrospective application of the methodology in two case studies. A
comparison was made to a well validated risk quality benchmarking algorithm but the results
were inconclusive. Also, the author provided a brief personal commentary on the research
process that highlights several strong aspects of the research experience and several
shortcomings.
74
75
Chapter 7 Conclusions and Recommendations
This chapter concludes this dissertation by providing the reader with responses to the
underlying research questions introduced at the beginning. A recapitulation of the
applicability of the HRRO methodology and a list of research opportunities discovered
during the term of this dissertation but because of reasons such as time limitations and scope
constraints were left undone.
7.1 Conclusions
This dissertation describes the development, design, and initial validation of a methodology,
the Highly Reliable Resilient Organization, which provides organizations the ability to
sustain their core functions by knowing their vulnerabilities to credible risks and taking
measures to eliminate, or if elimination is not possible or necessary, mitigate such risks. This
methodology is an analytic-deliberative process based on the principles of multi-attribute
utility theory that gives organization decision makers the means to assess risks and prioritize
solutions. Thus, it provides the means to determine the status of organizational vulnerability
and the ability to rank potential risk elimination and mitigation measures using organizational
values and costs. The methodology is an integration of the criteria common to nine
organizational models and stakeholders; therefore, considered prerequisite criteria for a
generic organization.
7.1.1 Response to research question 1
The HRRO methodology addresses the primary purpose of this research. The development of
the means for an organization to systematically identify and assess and either eliminate or
mitigate vulnerability by way of prerequisite organizational factors and cost. Much attention
was given to identifying and evaluating existing organizational models for the purpose of
incorporating an already known entity into the process. While all of the nine models are valid
within the conditions for which they were designed none were applicable to a generic
organization without considerable modification; thus the motivation to develop the HRRO
methodology. The HRRO methodology leverages the benefits of a consensus-based analytic-
deliberative decision-support process. It incorporates both monetary and non-monetary
76
factors into decisions regarding organizational prerequisites that in-turn position the
organization to make effective vulnerability elimination and mitigation decisions.
7.1.2 Response to research question 2
The HRRO methodology provides the means for an organization to prioritize vulnerability
mitigation or elimination projects or initiatives. The methodology provides a dimensionless
performance index based upon stakeholder’s responses to checklists relevant to criteria
related to organizational values. This index is a summary score representing expected
benefits associated with removing or mitigating organizational vulnerability and in most
instances will be used in combination with the cost required to remove or mitigate the
vulnerability in a benefit-to-cost ratio. In these instances benefits and costs are determined
over the life-cycle of the project or initiative that is being considered. Since this aspect of the
methodology is preemptive and speculative relatively larger values of benefit-to cost are
preferred as they represent the elimination or mitigation of more vulnerability at a relatively
lower cost than opportunities with relatively smaller benefit-to-cost ratios
7.1.3 The HRRO methodology as a solution
The HRRO methodology provides the organization with a solution. A consistent, systematic,
and customizable methodology that enables the organization to determine whether and to
what degree organizational structure enables the organization to effectively anticipate, resist,
and recover from system disturbances, to assess vulnerability; to compare relatively projects,
initiatives, and other opportunities in context of a pre-established set of organizational
objectives; and to prioritize the implementation of such projects, initiatives, and
opportunities.
A major benefit of the HRRO methodology is that one overarching methodology is used for
all of the applications resulting from this research whether it is to assess organizational
vulnerability, determine the benefit-to-cost ratio for initiatives and projects where a non-
monetary index represents benefit, and prioritize opportunities.
77
7.1.4 Applicability of the HRRO methodology
The HRRO methodology is generalizable in that it can be applied to any organization;
however, it is important to know that the criteria, criteria definitions, constructed, scales,
pairwise comparisons, and weights are specific to an organization. Thus organizational
decision makers should use the methodology as designed and customize it for their
organization. It is because of this designed-in necessity for customization that suggests that it
should not be used across entities within a parent organization or across multiple
organizations without scrutiny. If the model is used without calibrating it to a specific
organization by way of customization the results may not accurately reflect the values of the
organization.
7.1.5 Final reflection
This dissertation should not have been written. Many of the research papers and news stories
studied during its writing regarding accidents and organizational failures report of
extraordinary events in which people were killed and injured and organizations suffered
considerable financial loss. In many instances there was a level of awareness or a signal that
provided foreknowledge of a threat or functioned as a precursor of system degradation. The
fact that little attention has been given by executives to understanding risk management and
the implementation of vulnerability elimination or mitigation measures, §1.3, coupled with
the reality that societal trends regarding reliability will make things worse instead of better,
§2.1, the sustainability of organizations should be questioned. Of lesser magnitude the
literature tells of organizational leadership shortsightedness with regard to decisions that,
while not necessarily malignantly intended, result in less than ideal decisions.
The author entered this present academic and research journey in the early 2000s because of
the need to solve a prioritization problem in the professional arena. In the intervening ten
years the initial problem had been solved but the journey continued and in one sense has
come full circle back to the professional arena. This time though with a solution to a much
larger problem.
78
7.2 Recommendations for future research
During the process of this research opportunities were discovered that the authors chose not
to resolve. None of these opportunities, and in some cases deficiencies, alter the result of the
present research and when developed and incorporated will enhance future versions of the
HRRO model and the relevant body of knowledge.
During the workshop phase several suggestions for improving the methodology were offered.
These comments should be incorporated in a future version.
The HRRO methodology is valid in the context it was developed and tested, i.e. a
methodology to be used within an organization for relative comparisons. Thus, research
should be undertaken to:
1. Expand the mapping of vulnerabilities within organizations to reliability trends to
other combinations of trends and vulnerabilities
2. Validate the HRRO methodology with a larger sample size, i.e. complete intact teams
in organizations from different sectors
3. Develop the model for use across multiple entities (departments) within a single
organization. The authors suggest the following initial approach. Given that the
objectives across the entities are identical, i.e. characteristics such as criteria, weights,
and constructed scales, one could sum the individually calculated HRRO indices
according to each entity’s weight in proportion to the entire organization. Although
intuitive, development and testing is required
4. Determine its applicability across multiple organizations as a means for
benchmarking. The author speculates that because of the differences in organizations
and the requirement of decision maker involvement the acquisition of sufficient data
to attest to its universality could require five to ten years of research
5. Compare HRRO indices and risk quality benchmarking algorithm scores to ascertain
alignment over a larger sample and determine the benefit thereof
6. Examine the influence of cognitive bias at the leadership level on organizational
vulnerability
79
References
Accorsi, R., Zio, E., & Apostolakis, G. E. (1999). Developing utility functions for
environmental decision making. Progress in Nuclear Energy, 34(4), 387-411.
Apostolakis, G. E., & Lemon, D. M. (2005). A screening methodology for the identification
and ranking of infrastructure vulnerabilities due to terrorism. Risk Analysis, 25(2), 361-
376.
Arkes, H. R. (1986). Impediments to accurate clinical judgement and possible ways to
minimize their impact. In H. R. Arkes, & K. R. Hammond (Eds.), Judgement and decision
making: An interdisciplinary reader (pp. 582-592). Cambridge, UK: Cambridge
University Press.
ASIS International. (2009). Organizational resilience: Security, preparedness, and continuity
management systems - requirements with guidance for use (No. ASIS SPC.1-2009).
Alexandria, VA: ASIS International.
ASTM International. (2002). Standard practice for measuring benefit-to-cost and savings-to-
investment ratios for buildings and building systems (No. E964-02). West Conshohocken,
PA: ASTM International.
Baker, J. A., Bowman, F. L., Erwin, G., Gorton, S., Hendershot, D., Leveson, N., et al.
(2007). The report of the BP U.S. refineries independent safety review panel BP.
Bakker, D. (2009). Fire facts research faculty of architecture TU Delft (No. 30081174). The
Hague, The Netherlands: Interseco BV.
Bar-Yam, Y. (1997). Dynamics of complex systems: Studies in nonlinearity. Reading:
Addison-Wesley.
Berg van den, H. (2008, May 23). TU Delft had geen gebruiksvergunning [TU delft had no
user license]. NRC Handelsblad,
Bigley, G. A., & Roberts, K. H. (2001). The incident command system: High-reliability
organizing for complex and volatile task environments. Academy of Management Journal,
44(6), 1281-1299.
Brancato, C. K., Tonello, M., Hexter, E., & Newman, K. R. (2006). The role of U.S. corporate
boards in enterprise risk management (No. R-1390-06-RR). New York: The Conference
Board.
British Standards Institute. (2006). Business continuity management: Part 1: Code of practice
(No. BS 25999-1:2006). London: British Standards Institute.
80
Brombacher, A. C., de Graef, M. R., den Ouden, E., Minderhoud, S., & Lu, Y. (2001).
Invloed van trends op product ontwikkeling en op bedrijfszekerheid [influence of recent
developments on product development and on reliability of service]. In M. R. de Graef
(Ed.), Betrouwbaarheid van technische systemen: Anticiperen op trends (pp. 54-71). Den
Hague: Stichting Toekomstbeeld der Techniek.
Center for Chemical Process Safety. (2007). Guidelines for risk-based process safety.
Hoboken: John Wiley & Sons.
Clemen, J. T. (1996). Making hard decisions: An introduction to decision analysis (2nd ed.).
Pacific Grove: Brooks/Cole.
Cohen, M. D., & March, J. G. (1974). Leadership and ambiguity: The American college
president (2nd ed.). Boston: Harvard Business School Press.
Cohen, M. D., March, J. G., & Olsen, J. P. (1972). A garbage can model of organizational
choice. Administrative Science Quarterly, 17(1), 1-25.
Commission of the European Communities. (2005). Green paper on the European
programme for critical infrastructure protection (No. COM(2005) 576 final). Brussels:
Commission of the European Communities.
Committee of Sponsoring Organizations of the Treadway Commission. (2004). Enterprise
risk management - integrated framework. Retrieved Aug. 28, 2007, from
http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf
Daugherty, K. (1997). Decision making style and its effect on morale. Retrieved Feb. 13,
2010, from http://leadershipmanagement.com/html-files/decision.htm
Delft University of Technology, Marketing & Communication. (2008). Faculty of
architecture in the media. Retrieved Apr 23, 2009, from
http://www.tudelft.nl/live/pagina.jsp?id=9cecdce4-09cc-4ca5-98b1-
95e2cea664b4&lang=en
Delft University of Technology, Marketing & Communication. (2009). Insurance settlement
reached for fire in the faculty of architecture. Retrieved Jun 26, 2009, from
http://www.tudelft.nl/live/pagina.jsp?id=9cecdce4-09cc-4ca5-98b1-
95e2cea664b4&lang=en
Division of Emergency Management. (2002). Case study - Kinston. Retrieved Jun. 12, 2007,
from http://www.dem.dcc.state.nc.us/Mitigation/case_kinston.htm
Elkins, D. (2005). Managing manufacturing and supply chain risks in global automotive operations.
Retrieved March 2, 2010, from http://mgt.ncsu.edu/pdfs/centers-initiatives/erm/Mar18-2005-
PPoint.pdf
81
Elliot, M. A. (2008). Analytic hierarchy process, pairwise comparison spreadsheet.
Unpublished.
Energy Institute. (n.d.). Hearts and minds program. Retrieved August 20, 2007, from
http://www.energyinst.org.uk/heartsandminds/index.cfm
Energy Institute. (2007). Winning hearts and minds. The Hague: Shell International
Exploration and Production.
Ernst & Young. (2009). Evaluatierapport: Evaluatie crisismanagement tijdens brand 13 Mei
2008 [Evaluation report: Crisis management during fire may 13, 2008] (No.
19665677/Adj/mvdl/09-0013). The Hague, The Netherlands: Ernst & Young.
Federal Emergency Management Agency. (2003). Building a disaster resistant university (No.
FEMA 443). Washington, D.C.: Federal Emergency Management Agency. Retrieved Feb.
2004 from http://www.fema.gov/institution/dru.shtm
Federal Highway Administration. (2007). Economic analysis primer. Retrieved Mar. 1, 2008,
from http://www.fhwa.dot.gov/infrastructure/asstmgmt/primer05.cfm
Felton, R., & Watson, M. (2002). U.S. director opinion survey on corporate governance 2002.
New York: McKinsey & Company.
Flood Insurance and Mitigation Division. (n.d.). Mitigation preliminary performance
assessment: Losses avoided during hurricane Isabel in North Carolina. Retrieved Jun. 16,
2007, from
http://www.dem.dcc.state.nc.us/Mitigation/Library/Success_Stories/Perf%20Assessment
%20NC%20Print.pdf
FM Global. (2007, Dec.). A piece of the framework. Reason, , 23-25.
FM Global. (2008, RiskMark rolls out enhancements. Reason, 12.
FM Global. (2009a). Property loss prevention data sheets. Retrieved Jan. 9, 2010, from
http://www.fmglobal.com/fmglobalregistration/Downloads.aspx
FM Global. (2009b). RiskMark overview. Retrieved Jan. 17, 2010, from
http://www.fmglobal.com/riskmark_assets/riskmark_overview.htm
Gates, S., & Hexter, E. (2005). From risk management to risk strategy (No. R-1363-05-RR).
New York: The Conference Board.
Ghosh, S. T., & Apostolakis, G. E. (2005). Organizational contributions to nuclear power
plant safety. Nuclear Engineering and Technology, 37(3), 207-220.
Gifun, J. F., & Karydas, D. M. (2010). Organizational attributes of highly reliable complex
systems. Quality Reliability Engineering International, 26(1), 53-62.
82
Gifun, J. F., Karydas, D. M., Brombacher, A. C., & Rouvroye, J. L. (Submitted for
publication). Resilience as a means to analyze business processes on the structure of
vulnerability.
Goodwin, P., & Wright, G. (2000). Decision analysis for management judgment (2nd ed.).
Chichester: John Wiley & Sons.
Haimes, Y. Y. (2009). On the definition of resilience in systems. Risk Analysis, 29(4), 498-
501.
Hayashi, A. M. (2001). When to trust your gut. Harvard Business Review, 79(2), 59-65.
International Risk Governance Council. (2006). White paper on managing and reducing
social vulnerabilities from coupled critical infrastructures. Geneva: International Risk
Governance Council.
Investorwords. (n.d.). Model. Retrieved May 9, 2009, from
www.investorwords.com/5662/model.html
Kansas, D. (2009). The wall street journal guide to the end of wall street as we know it (1st
ed.). New York: Collins Business.
Karydas, D. M., & Gifun, J. F. (2006). A method for the efficient prioritization of
infrastructure renewal projects. Reliability Engineering & System Safety, 91(1), 84-99.
Karydas, D. M., & Rouvroye, J. L. (2006). Vulnerability avoidance investment: A financial
justification of expenditures for the improved resilience of enterprises. Paper presented at
the Proceedings of the Eighth International Conference on Probabilistic Safety
Assessment and Management, New Orleans, Louisiana, (PSAM-0463). New York: ASME
Press.
Keeney, R. L., & Raiffa, H. (1993). Decisions with multiple objectives: Preferences and value
tradeoffs. Cambridge, U.K.: Cambridge University Press.
Kline, P., & Saunders, B. (1998). Ten steps to a learning organization (2nd ed.). Arlington:
Great Ocean Publishers.
Labaree, L. W., & Bell, W. J. (Eds.). (1956). Mr. Franklin, a selection from his personal
letters. New Haven: Yale University Press.
Latour, A. (2001, Jan 29). A blaze in Albuquerque sets off major crisis for cell-phone giants.
Wall Street Journal, pp. 1-8.
Li, H., Apostolakis, G. E., Gifun, J. F., VanSchalkwyk, W., Leite, S., & Barber, D. (2009).
Ranking the risks from multiple hazards in a small community. Risk Analysis, 29(3), 438-
456.
83
Massachusetts Institute of Technology. (2007). Multiple hazard mitigation planning (No.
DRU 04-02 (PDMC-DRU04-02MIT0000)). Cambridge, MA: Massachusetts Institute of
Technology.
McNamara, C. (n.d.). Basic definition of organization. Retrieved Oct. 21, 2007, from
http://www.managementhelp.org/org_thry/org_defn.htm
Merriam-Webster. (2009) Communication. Retrieved May 25, 2008, from
http://www.merriam-webster.com/dictionary/communication
Merriam-Webster. (2010). Predictable. Retrieved Jan. 17, 2010, from http://www.merriam-
webster.com/dictionary/predictable
Murthy, D. N. P., Rausand, M., & Osteras, T. (2008). Product reliability: Specification and
peformance. London: Springer-Verlag.
National Fire Protection Association. (2010). Standard on Disaster/Emergency management
and business continuity programs (NFPA 1600). Quincy: National Fire Protection
Association.
National Research Council. (1996). Understanding risk: informing decisions in a democratic
society. Washington, D.C.: National Academy Press.
Nickols, F. (2008). Making decisions like Ben Franklin: A job aid for decision-makers.
Retrieved November 8, 2009, from http://home.att.net/~nickols/distance.htm
Page, S. E. (2009). Understanding complexity. [Video/DVD] Chantilly, VA: The Teaching
Company.
Pate-Cornell, E., & Guikema, S. (2002). Probabilistic modeling of terrorist threats: A system
analysis approach to setting priorities among countermeasures. Military Operations
Research, 7(4), 5-20.
Patterson, S. A., & Apostolakis, G. E. (2007). Identification of critical locations across
multiple infrastructures for terrorist actions. Reliability Engineering & System Safety,
92(9), 1183-1203.
President's Commission on Critical Infrastructure Protection. (1997). Critical foundations:
Protecting America’s infrastructures. Washington, D.C.: President's Commission on
Critical Infrastructure Protection. Retrieved n.d. from
http://www.fas.org/sgp/library/pccip.pdf
PricewaterhouseCoopers. (2004). Managing risk, an assessment of CEO preparedness, 7th
annual global CEO survey. New York: PricewaterhouseCoopers.
Reason, J. (1990). Human error. Cambridge: Cambridge University Press.
Reason, J. (1997). Managing the risks of organizational accidents. Ashgate: Aldershot.
84
Ridge, T. (2004). National incident management system. Washington, D.C.: Department of
Homeland Security.
Ripley, A. (2005, Oct. 23). Hurricane Katrina: How the coast guard gets it right. Time, New
York: Time Inc.
Roberto, M. A. (2009). The art of critical decision making. [Video/DVD] Chantilly, Virginia:
The Teaching Company.
Saaty, T. L. (1980). The analytic hierarchy process: Planning, priority setting, resource
allocation. New York: McGraw-Hill.
Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (2002).
Schein, E. (1992). Organizational culture and leadership (2nd ed.). San Francisco: Jossey-
Bass.
Senge, P. M. (1990). The fifth discipline: The art & practice of the learning organization.
New York: Doubleday.
Sheffi, Y. (2005). The resilient enterprise: Overcoming vulnerability for competitive
advantage. Cambridge: MIT Press.
Solvay S.A. (n.d.). Towards sustainable development: Assessment and prospects 2008 - 2012.
Brussels: Solvay Sécrétariat Général. Retrieved Nov. 14, 2009 from
http://www.solvaysustainable.com/static/wma/pdf/1/3/8/3/7/RADD_GB_BD2.pdf
State Climate Office of North Carolina. (n.d.). History of hurricanes in North Carolina.
Retrieved Jun. 17, 2007, from http:www.nc-climate.ncsu.edu/climate/hurricane.php
Tonello, M. (2007). Emerging governance practices in enterprise risk management (No. R-
1398-07-WG). New York: The Conference Board.
Tonello, M., & Brancato, C. K. (2007). Corporate governance handbook 2007: Legal
standards and board practices (No. R-1405-07-RR). New York: The Conference Board.
Tversky, A., & Kahneman, D. (1974). Judgment under uncertainty: Heuristics and biases.
Science, 185(4157), 1124-1131.
U.S. Chemical Safety and Hazard Investigation Board. (2007). Investigation report, refinery
explosion and fire (No. 2005-04-1-TX). Washington, DC: U.S. Chemical Safety and
Hazard Investigation Board.
United States Geological Survey. (2005). Benefits of volcano monitoring far outweigh costs:
The case of Mount Pinatubo. Retrieved Jun. 11, 2007, from
http://pubs.usgs.gov/fs/1997/fs115-97/
United States Nuclear Regulatory Commission. (2001). Reactor oversight process, initial
implementation evaluation panel, final report (No. ADAMS ML011290025). Retrieved
85
Aug. 26, 2007 from
http://www.nrc.gov/NRR/OVERSIGHT/ROP/iiep_final_report050801.pdf
United States Nuclear Regulatory Commission. (n.d.). Comments on revised reactor oversight
process. Retrieved Aug. 25, 2007, from
http://www.nrc.gov/NRR/OVERSIGHT/ROP/ppepfinalreport.pdf
United States Nuclear Regulatory Commission. (2007a). Inspection procedures &
performance indicators by ROP cornerstone. Retrieved Dec. 2, 2007, from
http://www.nrc.gov/NRR/OVERSIGHT/ASSESS/cornerstone.html.
United States Nuclear Regulatory Commission. (2007b). Manual chapter 0305, operating
reactor assessment program. NRC inspection manual. Retrieved Jan. 23, 2008 from
http://www.nrc.gov/reading-rm/doc-collections/insp-manual/
United States Nuclear Regulatory Commission. (2007c). Detailed ROP description. Retrieved
Aug. 26, 2007, from http://www.nrc.gov/reactors/operating/oversight/rop-description.html
Verrico Associates. (1999). The Dow Chemical Company responsible care management
systems verification. Midland MI.: The Dow Chemical Company.
Weick, K. E., & Sutcliffe, K. M. (2001). Managing the unexpected: Assuring high
performance in an age of complexity. San Francisco: Jossey-Bass.
Weick, K. E., & Sutcliffe, K. M. (2007). Managing the unexpected: Resilient performance in
an age of uncertainty (2nd ed.). San Francisco: John Wiley & Sons.
Weil, R., & Apostolakis, G. E. (2001). A methodology for the prioritization of operating
experience in nuclear power plants. Reliability Engineering & System Safety, 74(1), 23-42.
Zannoni, M., Bos, J. G. H., Engel, K. E., & Rosenthal, U. (2008). Brand bij bouwkunde:
Evaluatie van de crisisbeheersing en vergunningverlening rond de verwoestende brand bij
de Faculteit Bouwkunde van de TU Delft [Fire at architecture: Evaluation of crisis
control and licensing around the devastating fire at the Faculty of Architecture building at
TU Delft]. The Hague, The Netherlands: COT Institute for Securities and Crisis
Management.
86
87
Appendix A Mapping of Vulnerabilities, General Motors to
Reliability Trends
Table 14 - Mapping of Vulnerabilities, General Motors (Elkins, 2003) to Reliability
Trends (Brombacher et al., 2001)
Legend: - indicates that selected vulnerability becomes more of an issue or gets worse, + indicates that selected vulnerability becomes less of an issue or gets better, and o indicates neutrality
Vulnerability Trend
1 Trend
2 Trend
3 Trend
4 Reason (example)
Debt & credit rating - -
Trend 2 - Negative interpretation of dynamical state of business by conservative financial markets result in less flexibility regarding debt. Trend 4 - Less government involvement results in increasing degradation of oversight, data collection capability, information transfer, and consistently applied controls
Health care & pension costs - +
Trend 1 - More expensive treatment costs to offset drug and diagnostic equipment development costs. Higher costs passed to employers therefore fewer funds available for other employee benefits, e.g. pensions. Trend 4 - Less government involvement increases competition in the marketplace and results in lower costs
Revenue management +
Increased network connectivity enables quicker movement of revenue and easy and fast verification
Uncompeti-tive cost structure o o o o
Not related to trends as poorly priced products and services will not be competitive
Asset valuation -
Increased need for municipal revenue to fund government globalization efforts results in inappropriate property valuation to provide cash
Liquidity / cash -
Negative interpretation of dynamical state of business results in less available cash and increased effort to liquidate
88
Vulnerability Trend
1 Trend
2 Trend
3 Trend
4 Reason (example)
Adverse changes in environmental regulations - -
Trend 1 - Increased availability of sophisticated technology increases discovery of contaminants at low levels and supports the desire by regulators to expand monitoring efforts and changes in regulations. Trend 4 - Less government involvement results in increasing degradation of oversight, data collection capability, information transfer, and consistently applied controls
Accounting / tax law changes - -
Trend 2 - Lawmaker’s negative interpretation of dynamical state of business encourages creation of laws. Increased costs to fund globalization in [un] under developed countries results in the need for developed countries to provide funding; therefore, changes in laws. Trend 4 - Less government involvement results in increasing degradation of oversight, data collection capability, information transfer, and consistently applied controls
Adverse changes in industrial regulations - -
Trend 2 - Increased unrest in business seen as opportunities for regulators. Trend 4 - Less government involvement results in increasing degradation of oversight, data collection capability, information transfer, and consistently applied controls
Fuel prices +
Less government involvement increases competition in the marketplace and results in lower costs
Currency & foreign exchange rate fluctuations -
Negative dynamics (real or perceived) in global business environment result in uncertainty and affect currency & foreign exchange rates
Currency inconvertibili-ty o o o o Not affected by trends
Economic recession - -
Trend 2 - Negative dynamics of organizations result in an organization more susceptible (fragile) to uncertainty and variability of economy. Trend 4 - Less government involvement results in increasing degradation of oversight, data collection capability, information transfer, and consistently applied controls
Financial markets instability -
Lean firms could have insufficient capacity to endure uncertainty due to changes in economy
89
Vulnerability Trend
1 Trend
2 Trend
3 Trend
4 Reason (example)
Interest rate fluctuations - -
Trend 2 - Lean firms could have insufficient capacity to endure uncertainty due to changes in economy. Trend 4 - Less government involvement results in increasing degradation of oversight, information transfer, and consistently applied controls
Shareholder activism -
Negative dynamics of organizations result in an organization more susceptible (fragile) to uncertainty and variability of economy
Credit default - Negative dynamics of organizations result in uncertainty thus credit difficult to get
Ethics -
Negative dynamics of organizations result in uncertainty and increase probability that an employee would commit an unethical act
Union relations, labor disagreements & contract frustrations -
Lean organizations with tightly coupled systems have less flexibility with regard to plans thus potential for tension in labor relations
Inadequate management oversight o o o o
Inadequate management not related to trends
Budget overruns or unplanned expenses o o o o Poor budget controls not related to trends
Supplier relations -
Lean organizations with tightly coupled systems are not flexible regarding supplier relationships
Dealer relations -
Lean organizations with tightly coupled systems are not flexible regarding dealer relationships
Ineffective planning o o o o Not trend related
Loss of intellectual property - -
Trend 1 - Increased potential for theft of intellectual property due to easy access to technology Trend 3 – Increasing dependence on technology provides more opportunities for theft of intellectual property
Customer demand seasonality & variability + More opportunities to sell product
90
Vulnerability Trend
1 Trend
2 Trend
3 Trend
4 Reason (example)
Corporate culture - -, +*
Trend 1 - With increased technology more people working alone. Trend 2 - More uncertainty in lean organizations result in employees becoming more protective of position *Trend 2 - Corporate culture becomes richer and more inclusive – new ideas
Program launch + -
Trend 1 - More technology results in more access to customers Trend 2 - Programs more difficult to launch globally
Product-market alignment “Gotta have products” o o o o Product desirability not affected by trends Technology decisions -
Ease of defaulting to new technology instead of appropriate technology
Joint venture / alliance relations -
Increased complexity with global and more remote, partners
Perceived quality -
Increased technology increases ability to communicate about quality
Product development process -, +* -, +*
Trend 1 - Increased technology negatively impacts quality and increases costs Trend 2 - Increased speed of development negatively impacts quality and increases costs *Trend 1 - Increased technology positively impacts quality and decreases costs *Trend 2 - Increased speed of development positively impacts quality and decreases costs
Product design & engineering -, +*
Trend 2 - Increased use of technology separates designer and engineer from product *Trend 2 - Increased technology enables higher quality engineering and design which yields higher quality product
Offensive advertising -
Increased globalization yields lack of awareness and misinterpretation of cultural norms
Timing of business decisions & moves - Globalization complicates process
Market Share battles -
Negative dynamics of organizations result in uncertainty and increase probability of market share disputes
Pricing & incentive wars o o o o Not trend related
91
Vulnerability Trend
1 Trend
2 Trend
3 Trend
4 Reason (example) Attacks on brand loyalty -
Pervasiveness and availability of technology make cyber attacks easy
Mergers & industry consolidation +
Broadly used technology enhances ability for mergers and consolidations
New or foreign competitors - Globalization enhances competition
Public boycott & condemnation - -
Trend 1 – Increased technology provides the means to spread information to incite a boycott quickly and broadly Trend 2 – Negative perceptions or reality of business dynamics and globalization results in increased opportunities for exposure to condemnation
Negative media coverage - -
Trend 1 – Increased technology provides the means to spread negative media coverage quickly and broadly Trend 2 – Globalization results in increased opportunities for exposure to negative media
Foreign market protectionism - -
Trend 2 - Increased opportunities in global markets provide incentives for protectionism Trend 4 - Less government involvement results in increasing degradation of oversight, information transfer, and consistently applied controls
Harassment & discrimination - -
Trend 2 - Negative perception / reality of business dynamics increases uncertainty of future for employees, thus increased competition for fewer positions, racism, and xenophobia. Trend 4 - Increasing degradation of consistently applied controls
Embezzle-ment -, +* -
Trend 1 - Increased sophistication and availability of technology enables embezzlement by technological means Trend 3 – Increased dependency on technology results in increased number of available opportunities for embezzlement *Trend 1 - Increased sophistication and availability of technology improves security
Theft +
Increased sophistication and availability of technology result in higher quality security systems
Loss of key equipment +
Increased sophistication and availability of technology result in higher quality security systems
92
Vulnerability Trend
1 Trend
2 Trend
3 Trend
4 Reason (example)
Information management problems - -
Trend 1 - Increased technology results into more complexity and potential for problems Trend 2 - Globalization provides information managers with more responsibilities spread over larger distances
Accounting or internal control failures + -
Trend 1 - Increased technology results in sophisticated monitoring system Trend 2 - Increased business dynamics overwhelm employees ability to perform reliably and consistently
Health & safety violations - -
Trend 2 - Business dynamics provide excuses to ignore health and safety rules, regulations, and procedures. Trend 4 - Less government involvement results in increasing degradation of oversight, information transfer, and consistently applied controls
HR risks – key skill shortage, personnel turnovers -
Increased business dynamics increases competition for highly skilled employees
Vandalism -
Increased competition and negative business dynamics increases anger directed toward company in the form of vandalism
Government inquiries - +
Trend 2 - Increased business dynamics domestically and globally cause uncertainty by government oversight agencies, thus encourage increased scrutiny Trend 4 - Less government involvement resulting in fewer inquiries
Arson -
Increased competition and negative business dynamics increases anger directed toward company in the form of arson
Kidnapping - Increased competition resulting in kidnapping of key personnel
Extortion -
Increased competition and negative business dynamics increases anger directed toward company in the form of arson
Loss of key personnel -
Increased competition resulting in aggressive recruiting of key personnel by competitors
IT system failures (hardware, software, LAN, WAN) -
Complex technological systems provide opportunities for failure
93
Vulnerability Trend
1 Trend
2 Trend
3 Trend
4 Reason (example)
Computer virus / denial of service attacks - -
Trend 1 - Increased technology and easy access to technology provides opportunities for cyber crime Trend 3 – Increased dependency on technology provides the motivation to commit cyber crime
Workplace violence -
Negative business dynamics increases competition for highly skilled employees and the potential for violence
Operator errors / accidental -
Negative business dynamics decrease morale and divert attention from the job, thus operator errors likely
Loss of key supplier -
Increased competition resulting in aggressive contracting action by competitors
Warranty / product recall campaigns -,+*
Trend 1 - Increased technology adds system complexity so that when system malfunctions restoration or repair by the customer is difficult or impossible *Trend 1 - Increased technology enables the quick dispersal of warranty and recall notification
Restriction of access / egress -, +*
Trend 1 - Increased technology increases the occasions of spurious faults resulting in incorrect restriction commands *Trend 1 - Technology enables rapid changes to access / egress restriction protocols
Dealer distribution network failures - -
Trend 1 - Complex technological systems provide opportunities for failure Trend 2 - Globalization increases complexity
Logistics provider failure -
Lean organizations have little reserve to accommodate failures. Globalization increases complexity
Logistics route or mode disruptions -
Lean organizations have little reserve to accommodate failures. Globalization increases complexity
Service provider failures -
Lean organizations have little reserve to accommodate failures. Globalization increases complexity
Tier 1, 2, 3 …n supplier problems: financial trouble, quality “spills”, failure to deliver materials, etc. -
Negative business dynamics associated with suppliers cause organizations that depend upon the supplier to lose confidence and seek alternative sources
94
Vulnerability Trend
1 Trend
2 Trend
3 Trend
4 Reason (example)
Supplier bus interruption -
Lean organizations have little reserve to accommodate failures. Globalization increases complexity
Utilities failures, communications, electricity, water, power, etc. damage -, +* -
Trend 1 - Connectivity exposes utilities to attack. Technology provides single source of failure in electric system as technology requires electricity. Trend 4 - Less government involvement results in increasing degradation of oversight, information transfer, and consistently applied controls *Trend 1 - Increased technology provides improved equipment and monitoring and control systems
Property damage +
Technology provides improved research and development of building materials and improved system supervisory, failure, and trouble detection and alerting systems
Product liability o o o o Not related to trends
Loss of key facility -
Although not the cause for the loss of a key facility lean organizations suffer under such situation because they do no have sufficient reserve capacity to accommodate the loss
General liability o o o o Not related to trends Boiler or machinery explosion +
Increased technology presents improvements in control systems and detection and alarm systems
Building or equipment fire +
Increased technology presents improvements in detection and alarm systems
Deductible limits -
Negative perception / reality of business dynamics increases uncertainty of future for insurer, thus raise deductible
Land, water, atmospheric pollution + -
Trend 1 - Increased technology presents improvements in control and monitoring systems Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls
Tsunami + -
Trend 2 - Improved monitoring and alarm systems Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls
95
Vulnerability Trend
1 Trend
2 Trend
3 Trend
4 Reason (example)
Wind damage + -
Trend 1 - Technology provides improved research and development of building materials and improved prediction, detection, and alerting systems Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls
Lightning strikes + -
Trend 1 - Technology provides improved prediction, detection, and alerting systems Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls
Building subsidence & sinkholes +
Increased technology to examine underlying soil and predict the possibility of subsidence and sinkholes
Building collapse o o o o Not related to trends
Worker’s compensation -
Less government involvement results in increasing degradation of oversight, information transfer, and consistently applied controls
Directors & officers liability o o o o Not related to trends 3rd party liability o o o o Not related to trends
Volcano eruption + -
Trend 1 - Increased technology to predict the possibility of eruption and provide sufficient warning Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls
Blizzard / ice storms + -
Trend 1 - Increased technology to predict storms and provide sufficient warning Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls
Heavy rain / thunderstorms + -
Trend 1 - Increased technology to predict storms and provide sufficient warning Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls
96
Vulnerability Trend
1 Trend
2 Trend
3 Trend
4 Reason (example)
Hurricane / typhoon + -
Trend 1 - Increased technology to predict storms and provide sufficient warning Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls
Hail damage + -
Trend 1 - Increased technology to predict storms and provide sufficient warning Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls
Animal / insect infestation o o o o Not related to trends
Tornados + -
Trend 1 - Increased technology to predict storms and provide sufficient warning Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls
Disease / epidemic - - -
Trend 1 - Increased technology in transportation systems provides the means for the rapid and broad spread of disease Trend 2 - Globalization provides opportunities for exposure Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls
Wildfire + -
Trend 2 - Increased technology results in the development of effective fire fighting chemicals and equipment Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls
Terrorism / sabotage - Symbols of technology are attractive targets
Flooding + -
Trend 2 - Increased technology results in improved prediction, monitoring, and alerting systems Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls
Earthquake + -
Trend 1 - Increased technology to predict earthquakes and provide sufficient warning Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls
97
Vulnerability Trend
1 Trend
2 Trend
3 Trend
4 Reason (example)
Severe hot / cold weather + -
Trend 2 - Increased technology results in improved prediction, monitoring, and alerting systems Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls
Geopolitical risks - -
Trend 2 - Globalization increases the probability of a risk occurring Trend 4 - Less government involvement results in increasing degradation of data collection capability, analysis, information transfer and consistently applied controls
Cargo losses o o o o Not related to trends Mold exposure +
Increased technology yields improved sampling and mitigation
Asbestos exposure +
Increased technology yields improved sampling and mitigation
98
99
APPENDIX B Existing models
The genesis of the HRRO methodology is a result of the following nine organizational
models; the High Reliability Organization (HRO), the Disaster Resistant University (DRU),
Massachusetts Institute of Technology’s version of the Disaster Resistant University model
(DRU at MIT), the Resilient Enterprise (RE), Enterprise Risk Management (ERM), Risk-
Based Process Safety (RBPS), Reactor Oversight Process (ROP), Hearts and Minds (H&M),
and Business Continuity Planning (BCP). These models were selected; however, others were
rejected as they were either similar enough to a model that was already selected that inclusion
would have resulted in duplication or for which little detail was available to fully describe the
model. Other models were rejected because they lacked the rigor and efficiency of the
analytic-deliberative process. For example intuition is a common means for making
judgments but was rejected because it does not provide a systematic, transparent, defendable,
or repeatable approach.
During the present research several organizational models were identified and evaluated to
ascertain whether each model, individually, could support the focus of this dissertation or
whether attributes of these models could be integrated into one model that could. The nine
models described below were culled from a longer list of models because of their inherent
multi-attributive structure, their actual or potential use generically, and other factors. These
other factors include the prominence of the model in the technical journals or business press,
the author’s personal experience with a particular model, recommendations offered by
experts in the field, the dissimilarity of the model when compared to the others under
consideration, and the diversity of application. The High Reliability Organization was
selected because of its prominence in the relevant technical journals and in the business press
but mostly because of its focus on vulnerability across many types of organizations. The
Disaster Resistant University (FEMA and MIT) was selected because of the author’s
knowledge about the Disaster Resistant University program and the attention given to both
physical assets and business continuity The Resilient Enterprise was included because of its
creator’s expertise in organizational resilience, the applicability of the subject to this
dissertation, and the timeliness surrounding the publishing of the book by the same name.
The Enterprise Risk Management model was selected because of its focus on business and
shareholder risk instead of risks associated with physical assets and natural hazards, i.e. it
was dissimilar in comparison to the others. Risk-Based Process Safety was included because
100
of its prominence in the chemical process industry and the attention brought to the chemical
process industry by recent news broadcasts reporting of large accidents such as the explosion
March 23, 2005 at British Petroleum’s plant in Texas City, Texas. Reactor Oversight Process
was selected because of its application of MAUT in a targeted application dissimilar to the
other models under consideration Hearts and Minds was considered for more detailed
examination because of the fame of its creator in the field of workplace safety and
particularly the models comprehensive focus on safety culture. Business Continuity Planning
was added to the list because of the author’s experience with business continuity and the
difficulties associated with its implementation and the subject’s prominence in news sources.
Comments will be offered addressing each models hierarchical structure or its ability to be
modified as such, its ability to be implemented, whether it can be used to determine whether
an organization possess the requisite attributes to become highly reliable and resilient, and its
suitability as a means to evaluate and assess the impact of a hazard preemptively and
correctively, i.e. post impact.
Each model will be described and analyzed by way of the following approach.
1. Description: A general explanation of the model will be created from information
extracted from literature disseminated by the creators of the model
2. Analysis: Each model will be evaluated according to its ability to be described as a
hierarchical tree whether it be described as such in the literature directly or whether
the hierarchical tree can be implied from the relevant literature
a. If the model can be described in terms of a hierarchical tree it must be
examined for compliance with the principles associated with multi-attribute
utility theory
b. If the model in its original state does not comply with the principles of MAUT
it must be modified
3. Discussion: The applicability of each model to generic use, its ability to be used as a
preemptive (prior to impact) or corrective (following impact) tool will be determined,
and each models strengths and weaknesses will be noted
101
B.1 The High Reliability Organization
Description
High reliability organizations (HRO) create a collective state of mindfulness that produces an
enhanced ability to discover and correct errors before they escalate into a crisis by the
application of the principles and practices that enable the organization to anticipate threats
with flexibility rather than rigidity. The five basic practices for developing mindfulness in
HROs as described in Managing the Unexpected by Weick and Sutcliffe can be divided in
two categories. The first three constitute strategies for preventing the unexpected to develop
to a major event, while the last two describe mitigating efforts once the unexpected strikes
(Karydas & Rouvroye, 2006; Weick & Sutcliffe, 2001; Weick & Sutcliffe, 2007). These
attributes are as follows:
• Preoccupation with failure: Encourage the reporting of errors and pay attention to
any failures. These lapses may signal possible weakness in other parts of the
organization. Too often, success narrows perceptions, breeds overconfidence in
current practices, and squelches opposing viewpoints. This leads to complacency
that in turn increases the likelihood unexpected events will go undetected and
develop into bigger problems. An organization that is ignorant about failure, its
location, genesis, and trajectory, is less mindful than it could be, thus more
vulnerable
• Reluctance to simplify interpretations: Analyze each occurrence without
preconceptions and take nothing for granted. Take a more complex view of
matters and look for disconfirming evidence that foreshadows unexpected
problems. Seek input from diverse sources, study minute details, discuss
confusing events and listen intently. Avoid combining details together or
attempting to normalize an unexpected event in order to preserve a preconceived
expectation. That is, systems should be simple enough to understand and manage
but not so simple that complex operations, interactions, and relationships are
obscured
• Sensitivity to operations: Pay serious attention to minute-to-minute operations and
be aware of imperfections in these activities. Strive to make ongoing assessments
and continual updates. Enlist everyone’s help in fine-tuning the workings of the
102
organization. Avert the accumulation of small events that can grow into bigger
problems
• Commitment to resilience: Cultivate the processes of resilience, intelligent
reaction and improvisation. Be mindful of errors that have occurred and take steps
to correct them before they worsen. Be prepared to handle the next unforeseen
event
• Deference to expertise: During troubled times, shift the leadership role to the
person or team possessing the greatest expertise and experience to deal with the
problem at hand. Provide them with the empowerment they need to take timely,
effective action. Avoid using rank and status as the sole basis for determining who
makes decisions when unexpected events occur
Excellence and reliability do not necessarily equate. For example, an organization may
produce the highest quality product in its business sector but not be able to weather
disruptions in its supply chains. Therefore, sales and income are limited by the organizations
ability to manufacture and deliver product during times when disruption occurs. On the other
hand, a company that produces an average quality product may do so reliably during times
when supply change disruptions are present. That is, the average quality producer could have
partnership agreements in-place with primary and back up suppliers of raw materials to get
priority access to materials during times of disruption and access to alternative sources
(Sheffi, 2005).
In Managing the Unexpected Weick and Sutcliffe propose that the HRO looks at all subsets
of the organization that could impact the reliability of the organization (Weick & Sutcliffe,
2001; Weick & Sutcliffe, 2007). Weick and Sutcliffe provide survey forms as a way to assess
the degree an organization is a HRO. The survey forms present attributes by way of
statements that when considered and scored enable an analyst to determine the organization’s
level of HRO-ness (Weick & Sutcliffe, 2001; Weick & Sutcliffe, 2007). The scope and intent
of each survey form is described below.
• A starting point for your organization’s mindfulness: Measures the degree of the
organization’s mindful infrastructure. Mindfulness is the combination of ongoing
scrutiny of existing expectations, continuous refinement and differentiation of
expectations based on newer experiences, willingness and capability to invent new
expectations that make sense of unprecedented events, a more nuanced appreciation
103
of context and ways to deal with it, and identification of new dimensions of context
that improve foresight and current functioning. It is the willingness of HROs to
organize in a complex manner that helps them deal with a complex world of the
unexpected.
• Assess your organization’s vulnerability to mindlessness: Assesses the organization’s
potential for mindlessness, i.e. its ability to probe into how often people come into
contact with the unexpected in their day-to-day activities, how strongly people expect
that things will go as planned, and how strong their tendencies are either to solve or to
ignore the disruptions that unexpected events produce. Instances of mindlessness
occur when people confront weak stimuli, powerful expectations, and strong desires
to see what they want to see.
• Assessing your organization’s tendency toward doubt, inquiry, and updating: Like the
preceding measure, this measure assesses the potential for mindfulness but in context
of the organizations tendency to doubt, inquire, or update.
• Assessing where mindfulness is most required: Measures the level by which an
organizational system is interactively complex and tightly coupled. That is the more
interactively complex and tightly coupled a system may be, the more mindful it
should be.
• Assessing your organization’s preoccupation with failure: An organization that is
ignorant about failure, its location, genesis, and trajectory, is less mindful than it
could be. Therefore, the present measure probes the degree to which the organization
has a healthy preoccupation with failure.
• Assessing your organization’s reluctance to simplify: Assesses the organization’s
capability to prevent simplification in order to improve the organization’s capacity for
mindfulness.
• Assessing your organization’s sensitivity to operations: A measure of how prepared
the organization is to avert the accumulation of small events that can grow into bigger
problems.
• Assessing your organization’s commitment to resilience: Resilience is about bouncing
back from errors and about coping with surprises in the moment, i.e. how well
prepared is the organization to manage the unexpected when it does happen.
• Assessing the deference to expertise in your organization: Effective HROs enact more
flexible decision-making processes when something goes wrong, i.e. they allow
104
decision making and problems to migrate to the person or team with the expertise in
that choice-problem combination.
Analysis
At first blush the survey forms provide one with the foundation of an hierarchical tree and the
means to represent degree of HRO-ness; however, while the forms provide a good starting
point, more detail is needed to convert the survey forms into a hierarchical tree. There are
some statements within the survey forms as provided that stand alone and some that are
similar, or similar enough, to be consolidated into one statement to avoid duplication. Most
importantly, the text accompanying the survey forms is more complete and provides detail
not captured in the forms. It is the author’s opinion that the text and forms should be
considered together; however, the text should be considered superior information. The
following shows the author’s method to create the attributes comprising the HRO hierarchical
tree in accordance with the principles of MAUT.
1. Consolidate similar statements within the same survey form. For example, within the
form that enables one to assess preoccupation with failure, the first four statements,
a. We focus more on our failures than our successes;
b. We regard close calls and near misses as a kind of failure that reveals potential
danger rather than as evidence of our success and ability to avoid disaster;
c. We treat near misses and errors as information about the health of our system
and try to learn from them; and,
d. We often update our procedures after experiencing a close call or near miss to
incorporate our new experience and enriched understanding, were simplified
as follows:
We focus on failures and regard and learn from close calls and near
misses as a kind of failure that reveals potential danger rather than as
evidence of our success and ability to avoid disaster
2. Consolidate similar statements across different survey forms, e.g. the statement that
emerged from step 1 was combined with a similar statement from the survey form
regarding reluctance to simplify. That is,
105
a. We focus on failures and regard and learn from close calls and near misses as
a kind of failure that reveals potential danger rather than as evidence of our
success and ability to avoid disaster; plus,
b. People generally prolong their analysis to better grasp the nature of the
problems that come up. When something unexpected happens people are more
concerned with listening and conducting a complete analysis of the situation
than with advocating for their view, were combined as follows:
Learn from experiences, including close calls and near misses. Make
adjustments when facts dictate, assumptions change, and as higher
quality and more complete information becomes available. Do so by
way of a complete and thorough analysis of each situation employing
the most quantifiable methods available and appropriate
3. The third step is to use the text to verify the consolidation process and identify the
attributes subordinate to the high-level attributes, such as preoccupation with failure
as shown in Figure 9.
4. Verify and define all attributes. Since the high level attributes, e.g. preoccupation with
failure were defined previously, the definitions for the subordinate attributes, derived
from Weick’s and Sutcliffe’s work, are as shown below. Within this step all attributes
are evaluated in context of the principles of MAUT, i.e. to make certain that there are
no redundancies and that no attribute is missing from the process. Conflicts among
attributes are surfaced and resolved at this time. The outcomes of this step are the
following definitions.
a. Vulnerability assessment: Embrace failure, describe that which should not fail
and how it can fail no matter how embarrassing the consequences might be,
e.g. the failure of a strategic objective. Ask three questions; what do people
count on, what do people expect from the things they count on, and in what
ways can the things people count on fail? Expectations as to acceptable levels
of risk and failure are broadly known
b. Potential disturbance sensing system: Systematically detect and anticipate the
potential for failures. Pay attention to weak signals of failures, such as
106
deviations from normal states over time, as they may be precursors to larger
failures.
c. In-depth critique of all systems and operations in context of potential realized
disturbances: Review and critique all systems and practices continuously to
maximize the probability that nothing has been ignored
d. Encouragement of divergent viewpoints: Divergence in viewpoints provides
the group with a broader set of assumptions and sensitivity to a greater variety
of inputs
e. Organizational culture: Being sensitive to operations is a unique way to
correct failures of foresight. The readiness to make large numbers of small
adjustments keeps errors from accumulating. The likelihood that any one error
will become aligned with another and interact with it in ways not previously
anticipated is reduced. Quantitative versus qualitative knowledge and context-
free formalization, (engineering) versus experience-based context bound
interventions, (operations) are equally important. Learn from close calls as
near misses are a kind of failure that reveals potential danger. People feel safe
enough to speak up and share information and question assumptions. Routine
work is anything but automatic.
f. Degree of separation between front line and management: Appraisal of the
degree to which leaders and managers maintain continuous contact with the
operating system or front line and the extent to which they are accessible when
important situations develop. The extent that there is ongoing group
interaction and information sharing about actual operations and workplace
characteristics
g. Flexibility and improvisation: A culture that adapts to changing demands.
Should problems occur, someone with the authority to act and necessary
resources are readily available. People are familiar with their jobs and
operations external to their own jobs. Work to create a climate that encourages
variety in people’s analyses of the organization’s technology and production
processes and establish practices that allow those perspectives to be heard and
to surface information not held in common
h. Training and support: Commitment to resilience is directly proportional to
learning, knowledge, and capability development. Expanding people’s general
knowledge and technical capabilities improves their abilities both to see
problems in the making and deal with them
107
i. Preparation for the unexpected: Anticipate possible failure modes. Resilience
is achieved through the use of expert networks, an extensive action repertoire,
and skills with improvisation. Commitment is also evident in a capacity to use
knowledge in unexpected ways. This capacity might be evident in informal
networks of people who self-organize to solve problems, in enthusiasm to
share expertise and novel solutions across unit boundaries, and in continual
investments in improving technical systems, procedures, reporting processes,
and employee attentiveness
j. Management of recovery efforts: HROs accept the inevitability of error and
shift attention from error prevention to error containment. That is, people deal
with surprises not only through anticipation, by weeding them out in advance,
but also through resilience, by responding to them as they occur. Resilience is
about bouncing back from errors and about coping with surprises in the
moment
k. Preemptive mitigation: Take action prior to the onset of a failure to prevent or
mitigate consequences. Please note that the text implies the need for
preemptive action but does not state the need specifically
l. Rewards, recognition, ownership, and accountability: Demonstration of
expertise being valued, regardless of rank within the organizational hierarchy.
People own problems until they are resolved. Encourage and reward error
reporting. Please note that the notion of rewarding people for reporting errors
was from the text associated with preoccupation with failure; however, the
author believed that it fit better in the present attribute
m. Clarity, awareness, and flexibility of decision-making processes and practices:
Decision making and problem resolution migrate to the person(s) most capable
to make the decision or resolve the problem. People within the organization
know the, person(s) with expertise, to call when something out of the ordinary
occurs.
Figure 8 shows the resulting hierarchical tree implied from the work of Weick and Sutcliffe.
108
Figure 8 - Implied HRO Hierarchical Tree
The hierarchical tree, once weights are assigned to each attribute will, 1) describe the current
HRO state of the organization, 2) provide the means to determine the potential effect of
organizational initiatives and projects under funding and implementation consideration, and
3) provides a measure of potential consequences associated with a hazard or threat; all in
terms of the organization values expressed by the criteria.
Discussion
The principles and practices of the high reliability organization as presented by Weick and
Sutcliffe are intended to be used preemptively, prior to the impact of an undesirable hazard or
threat. The hierarchical tree could be used to determine an organization’s current state of
HRO-ness; therefore, identify the areas where the organization should focus its mitigation
resources given that a higher level of HRO-ness is desired. For example, if an organization
chose to improve its score for the attribute labeled training they might consider several
109
improvement alternatives related to training. Of these alternatives the one that resulted in the
highest HRO index would be the alternative that would be implemented, all else being equal.
Also, the hierarchical tree could be used to diagnose impacts and provide the analyst with a
base level of HRO-ness at the time of the impact. Like the preemptive case above, target
areas for improvement can be identified. For example when the hierarchical tree is
completed, one using observation and other evidence could rate the organization’s ability to
learn from mistakes. Such a rating describes the organizations current state of HRO-ness in
context of its ability to learn from mistakes and illustrates an area for improvement if the
rating was lower than desired (Weick & Sutcliffe, 2001). Moreover the hierarchical tree
could be used correctively following a hazard event to prove the validity of the process and
evaluate initial prioritization assumptions and aid recalibration if necessary.
The hierarchical tree provides one with the means to rate each project against a pre-
established standard reflecting the ideals of the organization by way of the HRO index.
Following internal deliberations, using the indices as its basis, the organization would
prioritize projects ultimately selecting projects that maximize value to the organization. To
determine an index of a potential project one would rate the project in accordance with
performance measures that reflect pre-established levels of each attribute. An example of a
constructed scale associated with a performance measure is shown in Table 3 where the table
displays the performance measure for impact on people (Karydas & Gifun, 2006). In this
instance the constructed scale enables one to rate a project in terms of its potential impact on
people if the project was not undertaken (thus the use of disutility). For example, if one
believes that the implementation of a project would prevent the potential occurrence of long
term exposure to a contaminant, one would select level 2.
Level Description Disutility
3
Fatality or lethal exposure (single or multiple), e.g., roof collapse, falling brick masonry, and inhalation of arsine gas 1
2Major exposure with long term effects, e.g., lead poisoning 0.46
1Minor injury or exposure, e.g., broken arm or laceration 0.05
0 No personal injury 0
Constructed Scale - Impact on People
Table 15 - Impact on People
110
Weick and Sutcliffe imply that by assessing an organization by way of the survey forms; one
could determine the degree of HRO–ness of the organization. The conversion of the survey
forms into a hierarchical tree provides one with a higher level quantitative tool than that
which is provided by the survey forms alone.
While the concepts of the HRO will provide the basis for the proposed solution to achieve
this dissertation’ objective, modifications are necessary to eliminate shortcomings. The
author believes that,
1. Bona fide support and physical action to eliminate and mitigate hazards is not
specifically included in the survey forms and is only implied throughout the text; and,
2. The content and intent of the four attributes in addition to the five basic principles, is
important and should either be captured in additional basic principles or incorporated
within the five basic principles; the author chose the latter
B.2 Disaster Resistant University
Description
The Disaster Resistant University (DRU) program initiated in the United States by the
Federal Emergency Management Administration provides funding, planning guidance, and
Federal and Local government leadership support to applicant universities for the purpose of
assessing the vulnerability of the university campus to potential impacts from a multiple of
hazards, whether natural or human-induced. In this instance university is defined to include
all forms of institutions of higher learning. The program is described in FEMA publication
titled Building a disaster-resistant university. Depending upon the cause and magnitude of
the impact, members of a university’s community could be subject to death or injury and the
university’s academic and research programs and its physical assets and infrastructures, to
damage or total destruction. Along with the tragic result of death or injury, universities could
suffer losses such as faculty and student departures, decreases in research funding (the
Federal government funds $15 billion of research at American universities annually), and
increases in insurance premiums. These losses could have been substantially reduced or
eliminated through comprehensive pre-disaster planning and mitigation actions. Natural and
human-induced disasters represent a wide array of threats to the instructional, research, and
public service missions of higher education institutions. The DRU program provides planning
111
guidance to these institutions to identify risks, assess vulnerability, and develop hazard
mitigation plans (Federal Emergency Management Agency, 2003). The authors suggest that
the mere mechanics of the DRU vulnerability assessment and report writing process could
motivate university decision makers to become more aware of risks and their impact and to
see the benefits that could be gained by implementing projects to eliminate or mitigate risks.
Also, as risk eliminating or mitigating projects are implemented, talked about broadly, and
become more visible to the university’s community, the university’s culture will shift to
becoming more risk aware (Federal Emergency Management Agency, 2003). The attributes
of a DRU are as follows.
• Risk awareness: An organization’s ability to identify, assess vulnerability, estimate
consequences, and prioritize potential hazards
• Stakeholder engagement: The degree by which an organization communicates with
and involves internal and external service providers, including utility and municipal
government entities
• Preemptive intervention: Prioritization, funding, planning, and implementing hazard
mitigation efforts prior to the realization of the hazard. The degree mitigation efforts
are integrated with local, state, and Federal government entities
• Training: To develop individual and team competencies in risk awareness and
management
• Organizational Learning: The organization’s ability to learn from its experiences and
situations experienced by others and to make adjustments when facts dictate,
assumptions change, and when more complete information becomes available
Building a disaster-resistant university suggests a four step approach:
1. Organize resources: Identify and engage interested stakeholders and collect available
plans and documents. Develop a project plan that includes scheduled deliverables
2. Hazard identification and risk assessment: From the full complement of natural and
human-induced hazards, identify credible hazards to the university and assess the
university’s vulnerability thereto
3. Developing the mitigation plan: A comprehensive and updatable plan that draws from
and complements existing plans and is integrated with local and state jurisdictions and
reflects the unique mission and characteristics of the university
112
4. Adoption and implementation: Identifies the shift in focus from developing the plan to
taking action on the plan. Experience has shown that this can be difficult as
institutions face the consequences of changing operations and affecting the
university’s culture
Analysis
Although DRU documents do not show by way of a concise enumerated list the attributes
that distinguish a disaster resistant university from a university that does not resist disasters,
the following list was deduced from DRU publications and captures the essence of the DRU
program. A DRU is an academic institution that to protect its students, faculty, and staff and
sustain its education, research, and public service missions has supportive leadership and
processes in-place to:
• Perform risk assessment and analysis
o Identify and prioritize potential hazards
o Inventory campus assets
o Assess the institution’s vulnerability to potential hazards
o Estimate consequences
• Partner with stakeholders
o Engage stakeholders internal and external of the institution including utility
and municipal service providers
o Communicate frequently
• Intervene preemptively
o Prioritize, fund, plan, and implement hazard mitigation efforts
o Integrate mitigation efforts with local, state, and Federal government entities
• Provide training
• Learn from experiences and make adjustments when facts dictate, assumptions
change, and when more complete information becomes available
This bulleted list is easily transformed into a hierarchical tree as shown in Figure 9.
113
Figure 9 – Implied DRU Hierarchical Tree
Discussion
While DRU can be portrayed in the form of a hierarchical tree more work is needed to ensure
that it will perform effectively where implemented. To this end MIT built upon the work
done by FEMA, as shown in §B.3.
The DRU method would be more useful with attributes that are weighted relative to each
other in a manner that reflects the values of the organization for which it is being used. For
example, if an organization favors, by a factor of two, implementing hazard mitigation efforts
over conducting inventories of physical assets, implementing hazard mitigation efforts would
carry twice the weight of conducting inventories of physical assets in decisions. Weighted
scales reflecting the levels of each attribute would make the method more useful. With regard
to organizational preconditions attributes addressing safety and business related concerns are
not present.
114
B.3 DRU at MIT
Description
The DRU project at Massachusetts Institute of Technology (MIT) provides an application of
the objectives, principles, and practices of FEMA’s DRU program and considers such an
application necessary to become disaster resistant (Li et al., 2009).
The Massachusetts Institute of Technology (MIT) is potentially vulnerable to natural and
human induced hazards and threats and could suffer monetary losses, disruption to its
teaching and research mission, and expose students, employees, and guests to danger should
one of these hazards or threats occur. Pre-disaster planning and the implementation of the
results of such planning could prevent or mitigate the impact. In addition to satisfying the
requirements of the DRU program MIT developed a systematic methodology to assess, rank,
and manage multi-hazard risks. The methodology consisted of the following elements
(Massachusetts Institute of Technology, 2007).
1. Natural hazard identification;
2. Human-induced hazard identification;
3. Development of hazard screening criteria;
4. Delineation of infrastructures and key campus assets (macro-groups);
5. Identification of interdependencies;
6. Scenario development including initiating event, event trees, and consequences;
7. Generation of hierarchical trees, performance index, and expected performance index
8. Preliminary risk ranking;
9. Deliberation and final risk ranking; and,
10. Data validation
The concept of the macro-group refers to the often decentralized elements of a university’s
infrastructure and key assets that are aggregated into groups of similar character. Risks, their
analyses, and resulting mitigation activities are consistently applied to all of the entities that
comprise each macro-group (Patterson & Apostolakis, 2007). The campus consists of the
fourteen macro-groups listed below.
115
Mission Related
• Research and education offices
• Chemical-dominant laboratories
• Biological-dominant laboratories
• Animal-dominant laboratories
• Shared-facilities laboratories, e.g. an electron microscopy laboratory available
to all researchers
• Other laboratories
• Classrooms
Support and Services
• Medical center
• Administration offices
• Residential halls
• Athletic centers
Other Key Assets
• Central utility generation plant
• Research reactor
• Information technology (data and telephony) assets
The present application of MAUT was based upon fundamental work by Weil and
Apostolakis (Weil & Apostolakis, 2001) and further developed by Karydas & Gifun (Karydas
& Gifun, 2006) and Apostolakis & Lemon (Apostolakis & Lemon, 2005). The hierarchical
tree is shown in context of the entire framework, (within the large dashed line area between
Performance Measures and Performance Index), in Figure 10.
116
Figure 10 – DRU at MIT Framework (Li et al., 2009)
117
The attributes of the hierarchical tree are defined as follows.
• Impact on people: Death, injury and illness (excluding psychological impact) on
individuals. Major injuries are chronic injuries or acute injuries that require
hospitalization while minor injuries are acute injuries that do not require
hospitalization. This attribute is measured in terms of potential severity and number of
injuries
• Impact on the environment: Contamination of the environment where the degree of
impact is determined by the quantity of the chemical that could be released in context
of regulatory thresholds
• Physical property damage: The cost in dollars to restore the affected physical property
and contents (land, buildings, and equipment) were damage to occur
• Interruption of Institute academic activities and operations: The length of time needed
to restore academic activities and Institute operations (teaching and research) and
other supporting aspects such as work environment or living accommodations)
• Intellectual property damage: The degree of potential damage, (on a scale of no
damage to destruction of long-term experiments) on the affected intellectual and
intangible property
• Impact on external public image: The degree of negative image, that could be reported
by local, national, or international media, held by parents of prospective students,
granting agencies, donors, and regulatory agencies
• Impact on internal public image: The degree of negative image that could be held by
parents of existing students, students, faculty, staff, and other members of the MIT
community. This attribute is measured by the degree of adverse publicity generated
by verbal complaints, published negative articles, and petitions and demonstrations
• Program affected: The impact on the business, operation, employment, and objectives
of Institute programs (departments, laboratories, or centers) as measured by number
of employees and departments that could be affected
Analysis
The framework will not be fully examined within this dissertation; therefore, the reader is
encouraged to refer to Ranking the risks from multiple hazards in a small community (Li et
al., 2009) should more detailed information be required.
118
Discussion
A major learning from the MIT DRU project emerged from the preliminary risk ranking
process shown in Figure 11 within the dashed line area labeled scenario impact evaluation. In
this process, risk scenarios were rated by stakeholders and given an index reflecting the
rating. Each risk received two indices; one that did not include the probability of the scenario
event occurring, i.e. the Performance Index (PI) and the other that did, i.e. the Expected
Performance Index (EPI). Because of the low probabilities of the risks addressed in the
project, the EPI of such risks could be considered too low to be a concern. Thus for risks with
low probability of occurrence and high consequences the PI should be used. This means that
the decision-makers should include in their mitigation deliberations risks ranked by PI and
EPI. An example will be discussed in the section below on the applicability of the DRU
model as a preemptive or post impact event assessment tool
MIT’s DRU project resulted in several transferable opportunities, 1) a methodology to
describe a university in terms of its values regarding established criteria, understand potential
risks in context of the reality of the campus and to prioritize the implementation of such
opportunities using stakeholder value and technical analysis, 2) the concept of the macro-
group that can be applied to other universities with little adaptation and to other organizations
and small communities with a bit more, and 3) the value of ranking risks with and without the
probability of the risk scenario occurring.
The purpose of the DRU program is to provide universities with a framework to determine
the vulnerability of the university to potential hazards and threats so that the university is
better able to implement effective mitigation and protective measures. While the DRU
method was designed to be used preemptively MIT’s version can be used both preemptively
and correctively as described below.
Preemptive example: Consider the scenario of an uncontrolled fire. In this instance an
uncontrolled fire refers to a fire that takes place in a space that is intentionally not
protected by fire sprinklers. An example of the questions one should ask during
deliberation is; are the spaces around the un-sprinkled space served by fire sprinklers? If
yes, then the fire could be contained and the impact would be less than had the fire
occurred in a building that does not have fire sprinklers. If no, then more extensive
protective measures should be considered including the relocation of the hazard. The
119
point being that by understanding high consequence low probability events lower cost
mitigation possibilities could emerge (Li et al., 2009).
Corrective example: Given the hypothetical example of an occurrence of a high-
consequence / low-probability event, i.e. an uncontrolled fire where a fire suppression
system is not present within the room where the fire originated. In this example a building
system component exploded causing the death of two people and a fire. The room
housing the component was not protected by a sprinkler system as was permitted by local
regulators, albeit the balance of the building was. Although the doors to the room were
found open by responding firefighters and two fire sprinkler heads in an adjacent corridor
were activated, the fire was contained to the room.
One could determine the level of impact of each of the performance measures to
determine the index for the scenario. That is, the level selected for each performance
measure would be based upon the rater’s interpretation of an actual event not a fabricated
scenario. This process would be useful for comparing repair and future mitigation
opportunities to the impact of the hazard.
Given the example above, Table 16 shows the authors’ ratings using the performance
measures provided in Ranking the risks from multiple hazards in a small community (Li et
al., 2009). While considerable information was gathered from the aforementioned paper
the author’s expert judgment was used to complete the necessary information for the
purpose of this demonstration.
120
Performance
Measure (Global Weight)
Impact Disutility Weight (Global Weight ·
Disutility)
% of Performance
Index
Impact on people (0.295)
Two fatalities plus twenty five to thirty people taken to local hospitals for treatment and then released*
0.67 0.198 71.7
Impact on the environment (0.196)
Contaminant levels below regulatory reporting threshold*
0.04 0.008 2.8
Physical property damage (0.049)
Repairs made to damaged areas, equipment replaced, plus upgrades of several building systems required by local authorities. Estimated cost less than $10 million*
0.27 0.013 4.8
Interruption of Institute academic activities and operations (0.056)
Temporary accommodations readily available, say less than 1 week to restore operation*
0.06 0.003 1.2
Intellectual property damage (0.128)
Data not backed up when power to building interrupted. Worst case - work undertaken during morning of event probably lost*
0.05 0.006 2.3
Impact on external public image (0.083)
Event was reported by local media and on-line news outlets. Regulatory agencies conducted investigations*
0.57 0.047 17.2
Impact on internal public image (0.055)
No adverse publicity* 0 0 0
Program affected (0.138)
No impact* 0
0 0
Performance Index
0.276
* Expert judgment
Table 16 – Corrective Example Based Upon Li et al (Li et al., 2009)
121
Seventy two percent of the performance index is due to the performance measure, impact
on people and is attributed to the fatalities that occurred during the explosion and fire.
Clearly, in this example any risk mitigation project should be implemented to prevent the
explosion of building system components and fires from occurring.
Considering the attributes of the DRU, gleaned from FEMA documentation, as the basis for
ranking risks and making hazard mitigation decisions, one can readily see that there are no
duplicates and that the attributes represent the main facets of a decision. It is not known
whether most organizations would find the attributes presented as representative or sufficient
to make decisions, but MIT selected attributes that were based on the values of the MIT
community. The methodology used by MIT to develop the DRU Framework, including the
hierarchical tree was rigorous and included many checks for consistency, sensitivity of select
variables, and compliance with MAUT principles (Li et al., 2009).
B.4 Resilient Enterprise
Description
According to Yossi Sheffi, author of the Resilient Enterprise, the resilient enterprise (RE)
overcomes vulnerability for competitive advantage. The resilient enterprise requires that the
organization be a good learning organization, i.e. to fulfill the principles it must think beyond
its line of business and do more to understand its environment, develop relationships with
suppliers and employees, and develop its physical and organizational systems (Sheffi, 2005).
The principles of the resilient enterprise are:
• Organizing for action: Security and business continuity. The RE as much as it
prepares knows that it could be faced with a hazard or impact that may overpower it.
This does not mean that the company is worried that something is going to happen but
realistic to know that something could happen someday and by being prepared, the
impact could be lessened and the recovery time faster
• Assessing vulnerabilities: This principle requires that one should evaluate all of the
potential vulnerabilities and determine which credible events could happen, the
severity and likelihood of the event happening, and to take steps to prevent them from
occurring or to implement measures to diminish the potential impact
122
• Reducing the likelihood of disruptions: Early detection can influence the likelihood of
a disturbance by making the organization aware that action is needed, e.g. a
preventative maintenance inspection that discovers the early stage of a system failure.
Also, early detection can influence the potential impact of a disturbance as it could
provide sufficient time to implement measures to diminish the potential impact
• Collaborating for security: Like a citizen staffed neighborhood watch program, the
people who make up organizations are its sensory system. Many eyes, ears, and the
physical presence of people who choose to get involved can be deterrence to crime.
Also, employees who learn of potential disturbances that are credible and could
impact the organization and bring such information to the organization, could provide
the organization with sufficient time to implement measures to diminish the potential
impact
• Building in redundancies: Backup systems and surpluses. The goal is to provide
resources, backups, and redundancies for systems that are prioritized in order of
decreasing importance to the organization
• Designing resilient supply chains: Relationships with suppliers. While the
organization may be fully functional it may suffer disturbances in its supply chain that
could prevent or diminish the level of production to which it is capable. One way to
develop resilient supply chains is to develop relationships with suppliers before the
emergency, during the course of typical operations, so that if the supplier is impacted
in such a way that it is not able to produce enough parts for all of its customers, the
organization is in good enough stead to have priority access on the parts that it needs.
Another aspect is to develop relationships with several suppliers so that stock can be
purchased, perhaps at a higher price, but purchased nonetheless. Another possibility is
to stock critical components on site or to pre-purchase supplies so that there is always
a reserve of supplies available
• Investing in training and culture: People make organizations work and require training
to do so. Also, in order for the organization to be the best it must train its people in
understanding risks and the processes associated with removing risks, knowing about
the operation so that they can make suggestions for improvements. The people need to
know how to do their job well and must possess the skills to relay their concerns and
know when something is wrong
123
Analysis and Discussion
As written, the principles of the RE cannot be viewed directly and are too broadly defined to
be modified into in the form of an hierarchical tree but these principles and the examples
provided in the text can be used to create one. That is, as long as an organization is willing to
invest the time and effort to do so. While the Resilient Enterprise did not provide a fully
structured hierarchical tree it provided much to the development of the hierarchical tree that
will be introduced later in this dissertation.
B.5 Enterprise Risk Management
Description
Enterprise risk management (ERM), a result of the Sarbanes-Oxley Act of 2002 (Sarbanes &
Oxley, 2002), differs from the fragmented and compartmentalized risk management solutions
already in place in many organizations as it elevates risk discussions to a strategic level, it is a
fully supported top-down initiative, and it offers a holistic view of the enterprise to capture a
variety of risks throughout the firm. ERM supports organizational emphasis on strategy by
helping the organization find a better balance between loss-prevention, risk mitigation, and
risk taking efforts (Tonello, 2007). ERM is an approach to identifying and evaluating all
relevant risks an organization faces, aligning strategies with risk appetite, and perpetually
managing exposures so that the entity’s strategic plan is achievable (FM Global, 2007).
According to the 2004 report by the Committee of Sponsoring Organizations of the Treadway
Commission entitled Enterprise risk management – integrated framework, value is
maximized when an entity’s management sets strategy and objectives to achieve an optimal
balance between growth and return goals and related risks, and efficiently and effectively
deploys resources to achieve such objectives (Committee of Sponsoring Organizations of the
Treadway Commission, 2004).
The following capabilities, from Enterprise risk management – integrated framework, help
management achieve performance and profitability targets and prevent loss of resources.
ERM helps ensure effective reporting and compliance with laws and regulations, and helps an
organization avoid damage to its reputation and associated consequences.
124
• Aligning risk appetite and strategy: Risk appetite is considered when evaluating
strategic alternatives, setting related objectives, and developing the means and
methods to manage related risks
• Enhancing risk response decisions: A rigorous approach for identifying and
selecting among alternative risk responses – risk avoidance, reduction, sharing,
and acceptance
• Reducing operational surprises and losses: Enhanced capability to identify
potential events and establish responses, reducing surprises and associated costs or
losses
• Identifying and managing multiple and cross-enterprise risks: Enterprise risk
management facilitates effective response to interrelated impacts, and integrated
responses to multiple risks that could affect different parts of an organization
• Seizing opportunities: By considering a full range of potential events,
management is positioned to identify and proactively realize opportunities
• Improving deployment of capital: Robust risk information allows management to
effectively assess overall capital needs and enhance capital allocation
The ERM framework consists of three sets of factors, i.e. objectives, components, and
units. The four objectives are:
• Strategic: High-level goals, aligned with and supporting its mission
• Operations: Effective and efficient use of resources
• Reporting: Reliability of reporting
• Compliance: Compliance with applicable laws and regulations
Also, the framework consists of eight interrelated components or criteria:
• Internal environment: Encompasses the tone of an organization, and defines the
basis for how risk is viewed and addressed, including the organization’s risk
management philosophy and risk appetite, its integrity and ethical values, and the
environment in which they operate
• Objective setting: Objectives must exist before management can identify potential
events affecting their achievement. Therefore enterprise risk management ensures
that management has in place a process to set objectives and that chosen
125
objectives support and align with the organization’s mission and are consistent
with its risk appetite
• Event identification: Internal and external events affecting achievement of an
organization’s objectives must be identified and differentiated between risks and
opportunities. Opportunities are channeled back to management’s strategy or
objective setting processes
• Risk assessment: Risks are analyzed, considering likelihood and impact, as a basis
for determining how they should be managed. Risks are assessed on an inherent
and a residual basis
• Risk response: Management selects risk responses, avoiding, accepting, reducing,
or sharing risk and develops a set of actions to align risks with the organization’s
risk tolerances and risk appetite
• Control activities: Policies and procedures are established and implemented to
help ensure the risk responses are effectively carried out
• Information and communication: Relevant information is identified, captured, and
communicated in a form and timeframe that enables people to carry out their
responsibilities. Effective communication occurs within and across all levels of
the organizational hierarchy
• Monitoring: The entirety of enterprise risk management is monitored and
modifications are made as necessary. Monitoring is accomplished through
ongoing management activities, separate evaluations, or both
In addition the framework incorporates a third dimension, the organization and its
subsets, i.e. its subsidiaries, business units, divisions, and the combination thereof. ERM
is a multidirectional, iterative process where almost any component can and does
influence another. There is a direct relationship between the objectives, i.e. that which an
organization strives to achieve, and the components, i.e. that which is needed for an
organization to achieve its objectives. This three-dimensional matrix is depicted by the
cube shown in Figure 11 (Committee of Sponsoring Organizations of the Treadway
Commission, 2004).
126
Figure 11 – ERM Objectives, Components, and Units (Committee of Sponsoring
Organizations of the Treadway Commission, 2004)
Analysis and Discussion
ERM provides guidance for an organization to examine itself and determine the potential
impact of hazards for a specific scenario, preemptively. However, other than pointing one
toward areas where investigation or analysis should be undertaken a formal method is not
provided. Also, ERM is not based upon multi-attribute utility theory nor does it suggest a
hierarchy. Thus, it cannot be expressed as an hierarchical tree. However, ERM provides a
good foundation for the development of an hierarchical tree but the text does not provide
enough detail for one to be extracted there from.
127
While not part of this research it is interesting to note that the Sarbanes-Oxley Act had no
noticeable effect on the economic downturn in the fall of 2008. This regulation increased
oversight of the public accounting firms that oversee publicly traded companies’ balance
sheets and the amount of regulation of publicly traded companies. Many public companies
complained that Sarbanes-Oxley was too onerous because it required more paperwork and
more intensive internal control mechanisms. Many companies that went private following the
implementation of Sarbanes-Oxley cited the new rules as being the reason for leaving the
public markets. The shift in the number of public offerings from New York to London and
Hong Kong is attributed by some critics to be the result of Sarbanes-Oxley. A survey
undertaken in 2008 by BDO Seidman reported that 65% of technology company chief
financial officers said that the rules related to improved controls and processes had
strengthened their company. Some efforts were made to curtail Sarbanes-Oxley but such
efforts failed (Kansas, 2009).
B.6 Risk-Based Process Safety
Description
The Center for Chemical Process Safety (CCPS) was created by the American Institute of
Chemical Engineers in 1985 after the occurrence of chemical disasters in Mexico City,
Mexico and Bhopal, India. To promote process safety management excellence and
continuous improvement, CCPS developed risk-based process safety (RBPS) as a
comprehensive process safety management framework. RBPS is built upon four pillars;
commitment to process safety, understand hazards and risk, manage risk, and learn from
experience (Center for Chemical Process Safety, 2007). Note the similarity between the four
pillars in RBPS and Moody’s four pillars of risk management assessment; risk governance,
risk management, risk analysis and quantification, and risk infrastructure and intelligence
(Tonello, 2007).
Analysis
As can be seen in Figure 12 the hierarchical tree (partially shown) represents information
provided by CCPS in its book, Guidelines for Risk Based Process Safety. The four pillars are
divided into 20 elements which are then divided into 314 sub-elements and then 634
performance measures. Treating the framework as a hierarchical tree the constructed scales
128
below each performance measure would consist of a total of 2,058 levels (average of 3 per
performance measure).
Discussion
The RBPS framework is based on the principles of MAUT and provides a comprehensive
view of a process organization: however, its comprehensiveness renders both narrowly and
broadly focused applications unmanageable. However, RBPS functioned as a reference for
the development of the integrated model proposed by this dissertation.
129
Figure 12 – Hierarchical Tree (partially shown), Risk-based Process Safety
130
B.7 Reactor Oversight Process
Description
The reactor oversight process (ROP), a regulatory oversight process developed by the U.S.
Nuclear Regulatory Commission to achieve the agency’s four performance goals: 1) maintain
safety, 2) increase public awareness, 3) increase regulatory effectiveness and efficiency, and
4) reduce unnecessary regulatory burden. The ROP was tested by way of a pilot program in
1999 and then extended to all commercial reactors in 2000 (United States Nuclear Regulatory
Commission, 2001; United States Nuclear Regulatory Commission, n.d.). To achieve the
Agency’s goals the regulatory framework shown in Figure 13 was developed and consists of
three key performance areas: reactor safety, radiation safety, and safeguards. The NRC
evaluates plant performance by analyzing two distinct inputs: inspection findings resulting
from NRC's inspection program and performance indicators reported by the licensees.
Figure 13 – Reactor Oversight Process (United States Nuclear Regulatory Commission,
2007a)
Within each strategic performance area are cornerstones that reflect the essential safety
aspects of facility operation, i.e. initiating events, mitigating systems, barrier integrity,
emergency preparedness, public radiation safety, occupational radiation safety, and physical
protection. Licensee performance is measured by way of established performance indicators
131
where satisfactory licensee performance provides reasonable assurance that the facility is
being operated safely and that NRC’s safety mission is being accomplished.
Analysis
Performance indicators and inspection protocols exist for each of the cornerstones. For
example, the objective of the cornerstone labeled, initiating events, is to limit the frequency
of events that upset plant stability and challenge critical safety functions during shutdown as
well as power operations. If such an event was not properly mitigated, and if multiple barriers
were breached, a reactor accident could result which might compromise public health and
safety. Thus, licensees can reduce the likelihood of a reactor accident by maintaining a low
frequency of these initiating events. Heat sink performance is one of the twenty three
inspections required for this cornerstone. An example of the thresholds associated with the
initiating events, i.e. unplanned scrams, scrams with loss of normal heat removal, and
unplanned power changes is shown in Table 17 (United States Nuclear Regulatory
Commission, 2007a; United States Nuclear Regulatory Commission, 2007b).
Initiating Events Indicator
Thresholds* (White)
Increased Regulatory Response Band
(Yellow) Required Regulatory
Response Band
(Red) Unacceptable
Performance Band Unplanned Scrams > 3.0 > 6.0 > 25.0 Scrams with Loss of Normal Heat Removal
> 2.0 > 10.0 > 20.0
Unplanned Power Changes
> 6.0 N/A N/A
*A column for met objectives, i.e. those that would be colored green is not included
Table 17 – Performance Indicator, Initiating Events (United States Nuclear Regulatory
Commission, 2007a)
Affecting all aspects of safe operations are three cross cutting areas; human performance,
safety-conscious work environment, and problem identification and resolution. All of these
cross-cutting areas are related to organizational factors and processes. In Organizational
Contributions to Nuclear Power Plant Safety by Ghosh and Apostolakis organizational
failures were important contributors to the accidents at the Chernobyl and Three Mile Island
reactors in 1986 and 1979, respectively and organizational deficiencies continue to present
themselves in less severe incidents. These experiences underscore the importance of safety
132
culture and other organizational factors in the safe operation of nuclear power plants, and are
applicable to other high-risk industries. Nuclear power plant safety is affected by way of the
following mechanisms from operating experience:
• Organizational processes as they can contribute to common-cause failures of multiple
redundant components, e.g. deficient maintenance practices used on multiple
components
• Organizational processes and factors because they can contribute to common-cause
failures of diverse components
• Latent organizational weaknesses such as inadequate training
• The pervasiveness of safety culture where weaknesses therein could be revealed when
the system is challenged
• Organizational contributions to unreliability are not captured explicitly and could be
sources of uncertainty and incompleteness. Initiating events caused by plant personnel
actions during routine activities could be a source of incompleteness, as well
• Organizations and people provide a layer in the plant’s defense-in-depth scheme.
• Organizations that handle challenging situations are well-positioned to handle
challenging situations and may be better at averting accidents (Ghosh & Apostolakis,
2005)
The colors indicated in Table 17 represent the level of achievement for each criterion for both
the inspections and the performance indicators where green indicates performance within an
expected performance level in which the related cornerstone objectives are met; white
indicates performance outside an expected range of nominal utility performance but related
cornerstone objectives are still being met; yellow indicates related cornerstone objectives are
being met, but with a minimal reduction in safety margin; and red indicates a significant
reduction in safety margin in the area measured by that performance indicator (United States
Nuclear Regulatory Commission, 2007c).
Discussion
Although developed for a specific safety purpose the ROP provides a good example of the
application of MAUT and an example of modifications that can be done to hierarchical trees.
133
Since ROP is focused on safety in reactors it is not applicable, without expansion, to
generalized applications that include other aspects of the organization.
B.8 Hearts and Minds
Description
The Hearts and Minds safety program developed by Shell Exploration & Production and
based on fundamental research on organizations, errors, accidents, and safety culture by
James T. Reason and others focuses on the health, safety, and environmental aspects of the
organization (Energy Institute, 2007) (British Standards Institute, 2006).
Reason’s model, a description of the trajectory of an accident, is both simple and profound. It
is referred to as the Swiss cheese analogy where slices of Swiss cheese, representing layers of
defenses, are placed between the hazard and the impact of the hazard and it is when the holes
in the layered defenses line up, the impact of the hazard is realized. Ideally defenses would be
impenetrable; however, in reality each layer has weaknesses. In Reason’s model the
weaknesses, i.e. holes in the slices may be due to active failures, latent conditions, or both
and the defensive layers could represent the likes of organizational policies, practices, or
physical countermeasures. The system that produces the impact event consists of three levels;
organizational factors, local workplace factors, and unsafe acts. Organizational factors
include strategic decisions and generic organizational processes, e.g. forecasting, budgeting,
allocating resources, planning, scheduling, communicating, managing, and auditing.
Workplace factors (likely to promote unsafe acts) include undue time pressure, inadequate
tools and equipment, poor human-machine interfaces, insufficient training, under-staffing,
poor supervisor to worker ratios, low pay, low status, macho culture, unworkable or
ambiguous procedures, and poor communications. Local factors, combined with natural
human tendencies to produce unsafe acts, i.e. errors and violations committed by individuals
and teams at the human-system interface. According to Reason, large numbers of these
unsafe acts are made but only very few create holes in the defenses. For example, active
failures can create holes in defenses in at least two ways,1) front-line personnel may
deliberately disable certain defenses to achieve local operational objectives and 2) front-line
operators may fail in their role as the system’s most important lines of defense, e.g. wrong
diagnosis that leads to inappropriate recovery actions (Reason, 1990; Reason, 1997).
134
The performance of a health, safety, and environmental program depends upon the
organization’s culture to accept scrutiny of existing practices and policies and its ability to
learn from experience and institute change based upon those experiences. The program
consists of a set of training tools where participants identify local strengths, understand other
people’s perceptions and identify how commitment is turned into action, learn how to
manage change and support improvement processes and organizational change, understand
and mitigate risks, learn to make better risk-based decisions, manage rule-breaking, improve
the non-technical skills of supervisors, build on and support existing programs, and improve
driving behavior (Energy Institute, 2007). The program consists of two interrelated aspects;
1) An overall framework (high-level view) in the form of a ladder, see Figure 14,
representing levels of cultural maturity. Thus, the ladder provides the means to
measure progress on the organizational change continuum. The goal is to increase the
level of cultural maturity from pathological to generative while the process focuses on
three key elements: 1) personal responsibility - understanding and accepting what
should be done and know that which is expected, 2) individual consequences -
understand and accept that there is a fair system for reward and discipline, and 3)
proactive intervention - work safely as one is motivated to do the right things
naturally, not just because one is told to, and intervene and actively participate in
improvement activities
2) The processes and learning modules needed to facilitate change by developing the
skills, practices, expectations, and systems within the organization to preemptively
prevent and mitigate the occurrence and impact of accidents
135
Figure 14 - The Health Safety and Environment Culture Ladder (Energy Institute, 2007)
The literature associated with H&M clearly states that success is dependent upon leaders
being personally motivated to make a difference and that everyone involved, especially
senior managers, see the advantages and are prepared to commit to follow through. The
distinction between the skills needed by managers and supervisors is reflected in the H&M
training, i.e. one half of the modules are intended for managers while the other half are
intended for supervisors (Energy Institute, 2007).
Analysis
The hierarchical tree displayed in Figure 15 was extracted from printed H&M materials,
without textural modification (H&M literature does not display the model in the form of an
hierarchical tree). Furthermore, H&M does not provide relative weights for any of the
elements that form the hierarchical tree but provides sufficient detail to identify and define
impact categories such as leadership and commitment and performance measures such as
commitment level of workforce and level of care for colleagues. The distinction between
manager and supervisor is reflected in the hierarchical tree; performance measures associated
with management are above the horizontal line while those associated with supervision are
below the line.
136
Figure 15 - Hearts and Minds Hierarchical Tree
137
Not shown on the hierarchical tree are the constructed scales that provide one with the means
to quantify a particular performance measure. While constructed scales are not provided by
H&M, suitable level descriptions consistent with the progression of the ladder rungs shown in
Figure 15, are. For example the constructed scale for the attribute, is management interested
in communicating HSE issues with the workforce, would include the following levels:
• Pathological: Management only communicates Health, Safety, and Environment
(HSE) issues by telling workers not to cause problems
• Reactive: After incidents ‘flavor of the month’ HSE messages are passed down from
top management. Any interest gets less over time as things ‘get back to normal
• Calculative: Management shares a lot of information with workers and has frequent
HSE initiatives. Management does a lot of talking but is not really listening
• Proactive: There is a two-way process of communication about HSE issues in place.
Asking as well as telling goes on
• Generative: There is frequent and clear two-way communication about HSE issues in
which management gets more information back then they provide. Everyone knows
when there is an incident
Discussion
While relative weights of each attribute and level are not provided an organization choosing
to adopt H&M could establish such weights. Hearts and Minds can be expressed in a
hierarchical tree and incorporates the principles of MAUT as the criteria are both exhaustive
and conclusive. This hierarchical tree can be used in two ways, 1) vertically as a way to
express hierarchical nature of the organization and a score representing HSE culture and 2)
horizontally as a way to determine the quality of management and supervision by way of the
rating resulting from the performance measures associated with each. For the same reasons
expressed in the section on the HRO, the H&M hierarchical tree is applicable for use
preemptively and correctively.
A major shortcoming of H&M, when considering its applicability as a means to describe an
organization, is that it focuses on safety, health, and environmental issues and does not
address other functions of the organization directly. Therefore, prior to implementation in an
138
organization where a comprehensive view is desired, as in this dissertation, modification is
necessary.
B.9 Business Continuity Planning
Description
Business continuity planning (BCP), also referred to as business continuity management
(BCM), is a management and governance process that enables an organization 1) to identify
potential threats and predict the consequences of such threats should they be realized and 2)
to preemptively implement the means to eliminate or mitigate the impact of such threats and
quickly recover there from; all for the purpose of ensuring the continuity of core processes
(the delivery of critical products and services) by building organizational resilience. The key
elements of BCP as provided by the British Standards Institute are (British Standards
Institute, 2006):
• BCM program management: Management structure and practices that enable the
organization to establish and maintain its business continuity capability
• Understanding the organization: Understanding comes from information that
describes an organization’s critical products and the activities and resources necessary
for their delivery, identifying objectives and stakeholder obligations, identifying and
analyzing the impact and consequences associated with failures and threats, and
estimating recovery requirements
• Determining options: The preemptive evaluation of a range of strategies and tactical
options (solutions) to support response decisions that are based upon acquired data
and analysis and considers the resilience and countermeasure options already in place
• Developing and implementing a response: The creation of business continuity and
incident management plans and the implementation of measures to eliminate or
mitigate the likelihood of threats. Such measures include coordinated organization-
wide responses to the incident and the restoration of the organization’s activities
• Exercising, maintenance, auditing and self-assessment: The results generated by this
element enable the organization to demonstrate that its strategies, plans, and
equipment are reliable, effective, credible, and operational. The motive is to verify
139
that the organization can recover from an impact by making certain that plans,
training programs, and processes work
• Embedding BCM in the organization: Enables BCM to become part of the
organization’s core values and instills confidence in stakeholders in the ability of the
organization to cope with major disruptions
Analysis
The degree of effectiveness of a BCP program is dependent upon the level of importance and
support given by the organization’s leadership and the degree to which it is embedded within
its culture. Both the British Standards Institute in its Code for practice for business continuity
management and the National Fire Protection Association in NFPA1600 Standard on
disaster/emergency management and business continuity programs (National Fire Protection
Association, 2004) provide comprehensive and adaptable definitions and guidance for
establishing and maintaining an effective BCP; however, organizations can and should
customize the definitions of the key elements to match specific needs. The key elements
incorporate (British Standards Institute, 2006):
• Understanding
o The overall context within which the organization operates
o Organizational objectives and its core processes and critical products and
services
o Potential barriers and interruptions
o How the organization can continue to achieve its objectives given an
interruption
o The likely range of outcomes given that controls and mitigation strategies are
implemented
o The criteria by which incident and emergency response and business recovery
procedures are implemented
• Ensuring that all personnel understand their roles and responsibilities
• Building consensus and commitment to the implementation, deployment, and
exercising of business continuity
• Integrating BCP into the organization’s routine practices and culture
140
Discussion
BCP provides a structure that when followed, implemented, and supported should maximize
an organizations ability to recover quickly from disasters that it cannot avoid. BCP presents a
cyclical organizational process where the organization is expected to repeatedly pass through
the process and incorporate changed conditions or revisions due to shortcomings identified
during tests, exercises, or actual experiences as they occur. BCP is applicable in both
preemptive and corrective situations.
B.10 Rejected Models
While nine models were selected (explanations for each are provided in §B.1 – §B.9) those
rejected included several multi-attribute models that were simply similar enough to a model
that was already selected that inclusion would have resulted in duplication or for which little
detail was available to fully describe the model as prescribed by this dissertation. Other
models were rejected because they lacked the rigor and efficiency of the analytic-deliberative
process. Supporting the later cause for rejection several examples are provided below.
Pro and Con
The pro and con list, a list of arguments for and against a particular consideration, is used by
many decision-makers because it is systematic but was rejected because of its inherent lack of
rigor and quantification. The method requires the decision-maker to:
1. List the pros and cons
2. Estimate respective weights
3. Strike out offsetting pros and cons
4. Review non-offsetting pros and cons and make a decision
An important aspect of this process is that Step 4 should be given sufficient time, a day or
two, to make certain that nothing new occurs on either side that could influence the outcome.
The entire pro and con process is explained in a letter from Benjamin Franklin to Joseph
Priestley dated September 19, 1772 (Labaree & Bell, 1956). The explanation given by
Benjamin Franklin does not tell us how to weight each pro and con; however, refinements
have been made since to include the probability of the realization of a pro or con and a
141
numerical weight for each (Nickols, 2008). While quantification is an improvement the
process is not efficient as each time a decision is to be made a new set of pros and cons,
including probabilities and weights must be created
Responsible Care®
Dow Chemical’s Responsible Care (a registered service mark of the American Chemistry
Council) program was rigorously examined but rejected because the criteria were not
sufficiently described. While it appears that the model is comprehensive and could fulfill the
requisites of this dissertation the lack of available detail behind the criteria labels caused it to
be rejected. Literature indicates the existence of a set of open-ended questions; however, as
they were not available it is not know whether they would have provided the lacking detail
and caused the model to be selected. That said the Responsible Care program as described
captures the essence of the integrated model and is worthy of more explanation.
The structure of Responsible Care was developed in 1989 by the American Chemistry
Council, formerly the Chemical Manufacturers Association, is designed to evaluate five
management systems; 1) policy and leadership, 2) planning, 3) implementation, operation,
and accountability, 4) performance measurement and corrective action, and 5) management
review and reporting, by way of attributes and open-ended questions. The following outline
was extracted from a management system verification study by Verrico Associates in 1999
and shows the programs structure and hints at its potential (Verrico Associates, 1999).
1. Policy and leadership
a. Management and company commitment
b. Relevance of policies
c. Goals and objectives
d. Communications
e. Employee involvement and awareness
2. Planning
a. Assessment of hazards and risks
i. Product risk
ii. Process risk
iii. Distribution and transportation risk
b. Maintaining goals, objectives, and targets
142
c. Regulatory information
d. Resource allocation
e. Assessment of community and employee concerns
3. Implementation, operation, and accountability
a. Responsibility and accountability
b. Training programs
c. Operating and maintenance procedures
d. Emergency response plans
e. Transportation emergency response
f. Commercial partners
i. Carriers
ii. Contractors
iii. Customers
iv. Distributors
v. Suppliers
vi. Tollers
vii. Waste disposal contractors
viii. Waste reduction and groundwater protection programs
4. Performance measurement and corrective action
a. Tracking and investigation of emissions, releases, accidents, and incidents
b. Reviewing performance of commercial partners
i. Carriers
ii. Contractors
iii. Customers
iv. Distributors
v. Suppliers
vi. Tollers
vii. Waste disposal contractors
c. Audit of compliance
d. Measuring effectiveness of communications
5. Management review and reporting
a. Periodic review of objectives and policies
b. Reporting mechanism to stakeholders
c. Benchmarking
d. Performance management system for employees
143
Intuition
Intuition is a common means for making judgments but was rejected because it does not
provide a systematic, transparent, defendable, or repeatable approach. According to the
Harvard Business Review in an article titled When to trust your gut by Alden Hayashi various
management studies have found that executives rely on their intuition to solve complex
problems when logical methods (such as benefit-to-cost methods) are not applicable. Intuition
is often wrong and is exacerbated by the factors that prevent the realization of how faulty
intuition can be, i.e. cognitive bias (Hayashi, 2001).
Garbage Can Model
The Garbage Can model was developed in 1972 as a means to explain decision situations in
organizations:
1. That operate on a loose collection of ideas instead of a coherent structure; where the
organization discovers preferences through action more than it acts on the basis of
preferences,
2. That operate on the basis of trial-and-error procedures, the residue of learning from
accidents of past experience, and pragmatic inventions of necessity, and;
3. Where the audiences and decision makers for any particular kind of choice change
impulsively and unpredictably
These properties are particularly found in public, educational, and illegitimate organizations
and suggest that such organizations can be considered as collections of choices (garbage
cans) looking for problems, issues, and feelings looking for decision situations in which they
might be aired, solutions looking for issues to which they might be an answer, and decision
makers looking for work (Cohen, March, & Olsen, 1972). The Garbage Can model does not
do a good job of resolving problems; however, it does enable choices to be made and
problems to be resolved in organizations that posses the properties enumerated above (Cohen
& March, 1974).
As enticing and as interesting as it would be to include a model that describes organizational
choice within a university, the Garbage Can model does not employ a rigorous analytic-
deliberative process or support the purpose of this dissertation and is therefore rejected.
144
145
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Preo
ccu-
patio
n w
ith
failu
re
Enco
urag
e th
e re
porti
ng o
f erro
rs a
nd
pay
atte
ntio
n to
any
fa
ilure
s. T
hese
laps
es
may
sig
nal p
ossi
ble
wea
knes
s in
oth
er
parts
of t
he
orga
niza
tion.
Too
of
ten,
suc
cess
nar
row
s pe
rcep
tions
, bre
eds
over
conf
iden
ce in
cu
rrent
pra
ctic
es a
nd
sque
lche
s op
posi
ng
view
poin
ts. T
his
lead
s to
com
plac
ency
that
in
turn
incr
ease
s th
e lik
elih
ood
unex
pect
ed
even
ts w
ill g
o un
dete
cted
and
sn
owba
ll in
to b
igge
r pr
oble
ms.
H
RO1
11
HRO
1,
HRO
4, ∩
H
RO5
&
HRO
1,
HRO
2, &
H
RO3
HRO
1,
HRO
4, &
H
RO5 ∩
H
RO4
&
HRO
5N
/A
HRO
2 &
H
RO3 ∩
H
RO1,
H
RO2,
&
HRO
3
HRO
2 &
H
RO3 ∩
H
RO4
&
HRO
5N
/A
HRO
3,
HRO
4, &
H
RO5 ∩
H
RO1,
H
RO2,
&
HRO
3
HRO
3,
HRO
4, &
H
RO5 ∩
H
RO4
&
HRO
5N
/A
Crite
ria b
y Ca
tego
ryCr
iteria
by
App
licat
ion
Mod
el C
riter
ia S
ets
A
ppen
dix
C
Ana
lysi
s of M
odel
Dec
ompo
sitio
n an
d C
rite
ria
The
mes
Tabl
e 18
– H
igh
Rel
iabi
lity
Org
aniz
atio
n, A
naly
sis
of M
odel
Dec
ompo
sitio
n an
d C
rite
ria
Them
es
146
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Relu
ct-
ance
to
sim
plify
in
terp
reta
-tio
ns
Ana
lyze
eac
h oc
curre
nce
thro
ugh
fresh
eye
s an
d ta
ke
noth
ing
for g
rant
ed.
Take
a m
ore
com
plex
vi
ew o
f mat
ters
and
lo
ok fo
r dis
conf
irmin
g ev
iden
ce th
at
fore
shad
ows
unex
pect
ed p
robl
ems.
Se
ek in
put f
rom
div
erse
so
urce
s, s
tudy
min
ute
deta
ils, d
iscu
ss
conf
usin
g ev
ents
and
lis
ten
inte
ntly
. Avo
id
lum
ping
det
ails
to
geth
er o
r atte
mpt
ing
to n
orm
alize
an
unex
pect
ed e
vent
in
orde
r to
pres
erve
a
prec
once
ived
ex
pect
atio
n.
HRO
21
1Se
nsiti
vi-
ty to
op
era-
tions
Pay
serio
us a
ttent
ion
to m
inut
e-to
-min
ute
oper
atio
ns a
nd b
e aw
are
of im
perfe
ctio
ns
in th
ese
activ
ities
. St
rive
to m
ake
ongo
ing
asse
ssm
ents
and
co
ntin
ual u
pdat
es.
Enlis
t eve
ryon
e’s
help
in
fine
-tuni
ng th
e w
orki
ngs
of th
e or
gani
zatio
n.
HRO
31
11
Crite
ria b
y Ca
tego
ryCr
iteria
by
App
licat
ion
Mod
el C
riter
ia S
ets
147
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Com
mit-
men
t to
resi
lienc
eCu
ltiva
te th
e pr
oces
ses
of re
silie
nce,
inte
llige
nt
reac
tion
and
impr
ovis
atio
n. B
e m
indf
ul o
f erro
rs th
at
have
occ
urre
d an
d ta
ke
step
s to
cor
rect
them
be
fore
they
wor
sen.
Be
read
y to
han
dle
the
next
unf
ores
een
even
t. H
RO4
11
1
Crite
ria b
y Ca
tego
ryCr
iteria
by
App
licat
ion
Mod
el C
riter
ia S
ets
148
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Def
eren
ce
to
expe
rtise
Dur
ing
troub
led
times
, sh
ift th
e le
ader
ship
role
to
the
pers
on o
r tea
m
poss
essi
ng th
e gr
eate
st e
xper
tise
and
expe
rienc
e to
dea
l with
th
e pr
oble
m a
t han
d.
Prov
ide
them
with
the
empo
wer
men
t the
y ne
ed to
take
tim
ely,
ef
fect
ive
actio
n. A
void
us
ing
rank
and
sta
tus
as th
e so
le b
asis
for
dete
rmin
ing
who
mak
es
deci
sion
s w
hen
unex
pect
ed e
vent
s oc
cur.
HRO
51
11
32
33
20
Sets
HRO
1,
HRO
4,
&
HRO
5
HRO
2 &
H
RO3
HRO
3,
HRO
4,
&
HRO
5
HRO
1,
HRO
2, &
H
RO3
HRO
4, &
H
RO5
N/A
Num
ber o
f Crit
eria
Crite
ria b
y Ca
tego
ryCr
iteria
by
App
licat
ion
Mod
el C
riter
ia S
ets
149
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Risk
as
sess
-m
ent a
nd
anal
ysis
Iden
tify
and
prio
ritize
po
tent
ial h
azar
ds,
inve
ntor
y ph
ysic
al
asse
ts, a
sses
s vu
lner
abili
ties,
and
es
timat
e co
nseq
uenc
esD
RU1
11
DRU
4 &
D
RU5 ∩
D
RU1,
D
RU3,
&
DRU
4
DRU
4 &
D
RU5 ∩
D
RU5
N/A
DRU
1 &
D
RU3 ∩
D
RU1,
D
RU3,
&
DRU
4N
/AN
/A
DRU
2 &
D
RU4 ∩
D
RU1,
D
RU3,
&
DRU
4N
/A
DRU
2 &
D
RU4 ∩
D
RU2
Partn
erin
g w
ith s
take
-ho
lder
s
Freq
uent
co
mm
unic
atio
n an
d st
akeh
olde
r en
gage
men
t (in
tern
al
and
exte
rnal
)D
RU2
11
Pree
mp-
tive
Inte
rven
-tio
n
Impl
emen
t haz
ard
miti
gatio
n pr
ojec
ts a
nd
inte
grat
e m
itiga
tion
effo
rts w
ith
gove
rnm
ent e
ntiti
esD
RU3
11
Trai
ning
Trai
ning
DRU
41
11
Lear
ning
fro
m
expe
ri-en
ces
Org
aniza
tiona
l lea
rnin
gD
RU5
11
22
23
11
Sets
DRU
4 &
D
RU5
DRU
1 &
D
RU3
DRU
2 &
D
RU4
DRU
1,
DRU
3, &
D
RU4
DRU
5D
RU2
Num
ber o
f Crit
eria
Crite
ria b
y Ca
tego
ryCr
iteria
by
App
licat
ion
Mod
el C
riter
ia S
ets
Tabl
e 19
– D
isas
ter R
esis
tant
Uni
vers
ity, A
naly
sis
of M
odel
Dec
ompo
sitio
n an
d C
rite
ria T
hem
es
150
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Hea
lth,
safe
ty,
and
envi
ron-
men
t im
pact
Impa
ct o
n pe
ople
and
im
pact
on
envi
ronm
ent
MIT
11
1N
/AN
/AN
/AN
/AN
/A
MIT
1,
MIT
2, &
M
IT3
N/A
N/A
N/A
Econ
omic
im
pact
on
prop
erty
, ac
adem
ic,
and
inst
itute
op
erat
ions
Phys
ical
pro
perty
da
mag
e, in
terru
ptio
n of
in
stitu
te a
cade
mic
ac
tiviti
es a
nd
oper
atio
ns, a
nd
inte
llect
ual p
rope
rty
dam
age
MIT
21
1
Stak
e-ho
lder
im
pact
Impa
ct o
n ex
tern
al
publ
ic im
age,
impa
ct o
n in
tern
al p
ublic
imag
e,
and
prog
ram
s af
fect
edM
IT3
11
03
00
03
Sets
N/A
MIT
1,
MIT
2,
&
MIT
3N
/AN
/AN
/A
MIT
1,
MIT
2, &
M
IT3
Num
ber o
f Crit
eria
Crite
ria b
y Ca
tego
ryCr
iteria
by
App
licat
ion
Mod
el C
riter
ia S
ets
Tabl
e 20
– D
isas
ter R
esis
tant
Uni
vers
ity a
t MIT
, Ana
lysi
s of
Mod
el D
ecom
posi
tion
and
Cri
teri
a Th
emes
151
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Org
an-
izing
for
actio
n
Secu
rity
and
busi
ness
co
ntin
uity
. The
RE
as
muc
h as
it p
repa
res
know
s th
at it
cou
ld b
e fa
ced
with
a h
azar
d or
im
pact
that
may
ov
erpo
wer
it. T
his
does
not
mea
n th
at th
e co
mpa
ny is
wor
ried
that
som
ethi
ng is
go
ing
to h
appe
n bu
t re
alis
tic to
kno
w th
at
som
ethi
ng c
ould
ha
ppen
som
eday
and
by
bei
ng p
repa
red,
the
impa
ct c
ould
be
less
ened
and
the
reco
very
tim
e fa
ster
RE1
11
1
RE4
&
RE7 ∩
RE
1,
RE2,
RE
3,
RE4,
RE
5, &
RE
6N
/AN
/A
RE1,
RE
2,
RE3,
RE
4,
RE5,
&
RE6 ∩
RE
1,
RE2,
RE
3,
RE4,
RE
5,
RE6,
&
RE7
N/A
N/A
RE1
&
RE6 ∩
RE
1,
RE2,
RE
3,
RE4,
RE
5,
RE6,
&
RE7
N/A
N/A
Ass
ess-
ing
vuln
er-
abili
ties
This
prin
cipl
e re
quire
s th
at o
ne s
houl
d ev
alua
te a
ll of
the
pote
ntia
l vul
nera
bilit
ies
and
dete
rmin
e w
hat
cred
ible
eve
nts
coul
d ha
ppen
, the
sev
erity
an
d lik
elih
ood
of th
e ev
ent h
appe
ning
, and
to
take
ste
ps to
pr
even
t the
m fr
om
occu
rring
or t
o im
plem
ent m
easu
res
to
dim
inis
h th
e po
tent
ial
impa
ctRE
21
1
Crite
ria b
y Ca
tego
ryCr
iteria
by
App
licat
ion
Mod
el C
riter
ia S
ets
Tabl
e 21
– R
esili
ent E
nter
pris
e, A
naly
sis
of M
odel
Dec
ompo
sitio
n an
d C
rite
ria
The
mes
152
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Redu
c-in
g th
e lik
eli-
hood
of
disr
up-
tions
Early
det
ectio
n ca
n in
fluen
ce th
e lik
elih
ood
of a
dis
turb
ance
by
mak
ing
the
orga
niza
tion
awar
e th
at
actio
n is
nee
ded,
e.g
. a
prev
enta
tive
mai
nten
ance
in
spec
tion
that
di
scov
ers
the
early
st
age
of a
sys
tem
fa
ilure
. Als
o, e
arly
de
tect
ion
can
influ
ence
th
e po
tent
ial i
mpa
ct o
f a
dist
urba
nce
as it
co
uld
prov
ide
suffi
cien
t tim
e to
im
plem
ent m
easu
res
to
dim
inis
h th
e po
tent
ial
impa
ctRE
31
1
Colla
b-or
atin
g fo
r se
curi-
ty
Like
a c
itize
n st
affe
d ne
ighb
orho
od w
atch
pr
ogra
m, t
he p
eopl
e w
ho m
ake
up
orga
niza
tions
are
its
sens
ory
syst
em. M
any
eyes
, ear
s, a
nd th
e ph
ysic
al p
rese
nce
of
peop
le w
ho c
hoos
e to
ge
t inv
olve
d ca
n be
de
terre
nce
to c
rime.
A
lso,
em
ploy
ees
who
le
arn
of p
oten
tial
dist
urba
nces
that
are
cr
edib
le a
nd c
ould
im
pact
the
orga
niza
tion
and
brin
g su
ch
info
rmat
ion
to th
e or
gani
zatio
n, c
ould
pr
ovid
e th
e or
gani
zatio
n w
ith
suffi
cien
t tim
e to
im
plem
ent m
easu
res
to
dim
inis
h th
e po
tent
ial
impa
ctRE
41
11
Crite
ria b
y Ca
tego
ryCr
iteria
by
App
licat
ion
Mod
el C
riter
ia S
ets
153
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Build
ing
in
redu
n-da
ncie
s
Back
up
syst
ems
and
surp
luse
s. T
he g
oal i
s to
pro
vide
reso
urce
s,
back
ups
, and
re
dund
anci
es fo
r sy
stem
s th
at a
re
prio
ritize
d in
ord
er o
f de
crea
sing
impo
rtanc
e to
the
orga
niza
tion
RE5
11
Des
ign-
ing
resi
lient
su
pply
ch
ains
psu
pplie
rs. W
hile
the
orga
niza
tion
may
be
fully
func
tiona
l it m
ay
suffe
r dis
turb
ance
s in
its
sup
ply
chai
n th
at
coul
d pr
even
t it f
rom
pr
oduc
ing
or d
imin
ish
the
leve
l of p
rodu
ctio
n to
whi
ch it
is c
apab
le.
One
way
to d
evel
op a
re
silie
nt s
uppl
y ch
ains
is
to d
evel
op
rela
tions
hips
with
su
pplie
rs b
efor
e th
e em
erge
ncy,
dur
ing
the
cour
se o
f typ
ical
op
erat
ions
, so
that
if
the
supp
lier i
s im
pact
ed in
suc
h a
way
th
at it
is n
ot a
ble
to
prod
uce
enou
gh p
arts
fo
r all
of it
s cu
stom
ers,
th
e or
gani
zatio
n is
in
good
eno
ugh
stea
d to
ha
ve p
riorit
y ac
cess
on
the
parts
that
it n
eeds
. A
noth
er a
spec
t is
to
deve
lop
rela
tions
hips
w
ith s
ever
al s
uppl
iers
so
that
sto
ck c
an b
e pu
rcha
sed,
per
haps
at
a hi
gher
pric
e, b
ut
RE6
11
1Crite
ria b
y A
pplic
atio
nM
odel
Crit
eria
Set
sCr
iteria
by
Cate
gory
154
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Inve
st-in
g in
trai
ning
an
d cu
lture
Peop
le m
ake
orga
niza
tions
wor
k an
d re
quire
trai
ning
to d
o so
. Als
o, in
ord
er fo
r th
e or
gani
zatio
n to
be
the
best
it m
ust t
rain
its
peop
le in
un
ders
tand
ing
risks
an
d th
e pr
oces
ses
asso
ciat
ed w
ith
rem
ovin
g ris
ks,
know
ing
abou
t the
op
erat
ion
so th
at th
ey
can
mak
e su
gges
tions
fo
r im
prov
emen
ts. T
he
peop
le n
eed
to k
now
ho
w to
do
thei
r job
wel
l an
d m
ust p
osse
s th
e sk
ills
to re
lay
thei
r co
ncer
ns a
nd k
now
w
hen
som
ethi
ng is
w
rong
RE7
11
26
27
00
Sets
RE4
&
RE7
RE1,
RE
2,
RE3,
RE
4,
RE5,
&
RE6
RE1
&
RE6
RE1,
RE
2,
RE3,
RE
4,
RE5,
RE
6, &
RE
7N
/AN
/A
Num
ber o
f Crit
eria
Crite
ria b
y Ca
tego
ryCr
iteria
by
App
licat
ion
Mod
el C
riter
ia S
ets
155
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Inte
rnal
en
viro
n-m
ent
Enco
mpa
sses
the
tone
of
an
orga
niza
tion,
and
se
ts th
e ba
sis
for h
ow
risk
is v
iew
ed a
nd
addr
esse
d, in
clud
ing
the
orga
niza
tion’
s ris
k m
anag
emen
t ph
iloso
phy
and
risk
appe
tite,
its
inte
grity
an
d et
hica
l val
ues,
and
th
e en
viro
nmen
t in
whi
ch th
ey o
pera
teER
M1
11
ERM
1 &
ER
M7 ∩
ER
M1,
ER
M2,
ER
M3,
ER
M4,
ER
M5,
&
ERM
6N
/A
ERM
1 &
ER
M7 ∩
ER
M7
ERM
3,
ERM
4,
ERM
5, &
ER
M8 ∩
ER
M1,
ER
M2,
ER
M3,
ER
M4,
ER
M5,
&
ERM
6
ERM
3,
ERM
4,
ERM
5, &
ER
M8 ∩
ER
M8
N/A
ERM
2,
ERM
5, &
ER
M6 ∩
ER
M1,
ER
M2,
ER
M3,
ER
M4,
ER
M5,
&
ERM
6N
/AN
/A
Obj
ectiv
e se
tting
Obj
ectiv
es m
ust e
xist
befo
re m
anag
emen
t ca
n id
entif
y po
tent
ial
even
ts a
ffect
ing
thei
r ac
hiev
emen
t. Th
eref
ore
ente
rpris
e ris
k m
anag
emen
t ens
ures
th
at m
anag
emen
t has
in
pla
ce a
pro
cess
to
set o
bjec
tives
and
that
ch
osen
obj
ectiv
es
supp
ort a
nd a
lign
with
th
e or
gani
zatio
n’s
mis
sion
and
are
co
nsis
tent
with
its
risk
appe
tite
ERM
21
1
Mod
el C
riter
ia S
ets
Crite
ria b
y Ca
tego
ryCr
iteria
by
App
licat
ion
Tabl
e 22
– E
nter
pris
e R
isk M
anag
emen
t, A
naly
sis
of M
odel
Dec
ompo
sitio
n an
d C
rite
ria T
hem
es
156
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Even
t id
entif
ica-
tion
Inte
rnal
and
ext
erna
l ev
ents
affe
ctin
g ac
hiev
emen
t of a
n or
gani
zatio
n’s
obje
ctiv
es m
ust b
e id
entif
ied
and
diffe
rent
iate
d be
twee
n ris
ks a
nd
oppo
rtuni
ties.
O
ppor
tuni
ties
are
chan
nele
d ba
ck to
m
anag
emen
t’s s
trate
gy
or o
bjec
tive
setti
ng
proc
esse
sER
M3
11
Risk
as
sess
-m
ent
Risk
s ar
e an
alyz
ed,
cons
ider
ing
likel
ihoo
d an
d im
pact
, as
a ba
sis
for d
eter
min
ing
how
th
ey s
houl
d be
m
anag
ed. R
isks
are
as
sess
ed o
n an
in
here
nt a
nd a
resi
dual
ba
sis
ERM
41
1
Crite
ria b
y Ca
tego
ryCr
iteria
by
App
licat
ion
Mod
el C
riter
ia S
ets
157
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Risk
re
spon
se
Man
agem
ent s
elec
ts
risk
resp
onse
s,
avoi
ding
, acc
eptin
g,
redu
cing
, or s
harin
g ris
k an
d de
velo
ps a
set
of
act
ions
to a
lign
risks
w
ith th
e or
gani
zatio
n’s
risk
tole
ranc
es a
nd ri
sk
appe
tite
ERM
51
11
Cont
rol
activ
ities
Polic
ies
and
proc
edur
es a
re
esta
blis
hed
and
impl
emen
ted
to h
elp
ensu
re th
e ris
k re
spon
ses
are
effe
ctiv
ely
carri
ed o
utER
M6
11
Crite
ria b
y Ca
tego
ryCr
iteria
by
App
licat
ion
Mod
el C
riter
ia S
ets
158
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Info
rma-
tion
&
com
mun
i-ca
tion
Rele
vant
info
rmat
ion
is
iden
tifie
d, c
aptu
red,
an
d co
mm
unic
ated
in a
fo
rm a
nd ti
mef
ram
e th
at
enab
les
peop
le to
car
ry
out t
heir
resp
onsi
bilit
ies.
Ef
fect
ive
com
mun
icat
ion
occu
rs
with
in a
nd a
cros
s al
l le
vels
of t
he
orga
niza
tiona
l hi
erar
chy
ERM
71
1
Crite
ria b
y Ca
tego
ryCr
iteria
by
App
licat
ion
Mod
el C
riter
ia S
ets
159
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Mon
itor-
ing
The
entir
ety
of
ente
rpris
e ris
k m
anag
emen
t is
mon
itore
d an
d m
odifi
catio
ns a
re m
ade
as n
eces
sary
. M
onito
ring
is
acco
mpl
ishe
d th
roug
h on
goin
g m
anag
emen
t ac
tiviti
es, s
epar
ate
eval
uatio
ns, o
r bot
hER
M8
11
24
36
11
Sets
ERM
1 &
ER
M7
ERM
3,
ERM
4,
ERM
5,
&
ERM
8
ERM
2,
ERM
5,
&
ERM
6
ERM
1,
ERM
2,
ERM
3,
ERM
4,
ERM
5, &
ER
M6
ERM
8ER
M7
Num
ber o
f Crit
eria
Crite
ria b
y A
pplic
atio
nM
odel
Crit
eria
Set
sCr
iteria
by
Cate
gory
160
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Com
mit
to
proc
ess
safe
ty
Proc
ess
safe
ty c
ultu
re,
com
plia
nce
with
st
anda
rds,
pro
cess
sa
fety
com
pete
ncy,
w
orkf
orce
invo
lvem
ent,
and
stak
ehol
der
outre
ach
RBPS
11
11
RBPS
1 U
RB
PS1,
RB
PS2,
&
RBP
S3N
/AN
/A
RBPS
2,
RBPS
3,
& R
BPS4
U
RB
PS1,
RB
PS2,
&
RBP
S3
RBPS
2,
RBPS
3,
& R
BPS4
U
RBP
S4N
/A
RBPS
1 &
RB
PS3
U
RBPS
1,
RBPS
2,
& R
BPS3
N/A
N/A
Und
er-
stan
d ha
zard
s an
d ris
k
Proc
ess
know
ledg
e m
anag
emen
t and
ha
zard
iden
tific
atio
n an
d ris
k an
alys
isRB
PS2
11
Man
age
risk
Ope
ratin
g pr
oced
ures
, sa
fe w
ork
prac
tices
, as
set i
nteg
rity
and
relia
bilit
y, c
ontra
ctor
m
anag
emen
t, tra
inin
g an
d pe
rform
ance
as
sura
nce,
m
anag
emen
t of
chan
ge, o
pera
tiona
l re
adin
ess,
con
duct
of
oper
atio
ns, a
nd
emer
genc
y m
anag
emen
tRB
PS3
11
1
Crite
ria b
y Ca
tego
ryCr
iteria
by
App
licat
ion
Mod
el C
riter
ia S
ets
Tabl
e 23
– R
isk-
base
d Pr
oces
s Sa
fety
, Ana
lysi
s of
Mod
el D
ecom
posi
tion
and
Cri
teria
The
mes
161
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Lear
n fro
m
expe
ri-en
ce
Inci
dent
inve
stig
atio
n,
mea
sure
men
t and
m
etric
s, a
uditi
ng,
man
agem
ent r
evie
w
and
cont
inuo
s im
prov
emen
t, im
plem
enta
tion,
and
th
e fu
ture
RBPS
41
11
32
31
0
Sets
RBPS
1
RBPS
2,
RBPS
3,
&
RBPS
4
RBPS
1 &
RB
PS3
RBPS
1,
RBPS
2,
& R
BPS3
RBPS
4N
/A
Num
ber o
f Crit
eria
Crite
ria b
y Ca
tego
ryCr
iteria
by
App
licat
ion
Mod
el C
riter
ia S
ets
162
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Reac
tor
safe
ty
Initi
atin
g ev
ents
, m
itiga
ting
syst
ems,
ba
rrier
inte
grity
, em
erge
ncy
prep
ared
ness
ROP1
11
N/A
N/A
N/A
ROP1
, RO
P2, &
RO
P3 ∩
RO
P1,
ROP2
, &
ROP3
N/A
N/A
N/A
N/A
N/A
Radi
a-tio
n sa
fety
Publ
ic ra
diat
ion
safe
ty,
occu
patio
nal r
adia
tion
safe
tyRO
P21
1Sa
fe-
guar
dsPh
ysic
al p
rote
ctio
nRO
P31
10
30
30
0
Sets
N/A
ROP1
, RO
P2,
&
ROP3
N/A
ROP1
, RO
P2, &
RO
P3N
/AN
/A
Num
ber o
f Crit
eria
Crite
ria b
y Ca
tego
ryCr
iteria
by
App
licat
ion
Mod
el C
riter
ia S
ets
Tabl
e 24
– R
eact
or O
vers
ight
Pro
cess
, Ana
lysi
s of
Mod
el D
ecom
posi
tion
and
Cri
teri
a T
hem
es
163
Tabl
e 25
– H
eart
s an
d M
inds
, Ana
lysi
s of
Mod
el D
ecom
posi
tion
and
Cri
teri
a T
hem
es
Cr
iteria
by
Cate
gory
Cr
iteria
by
App
licat
ion
Mod
el C
riter
ia S
ets
Crite
ria
Def
initi
on
Criteria Nu mber
Culture
Risk Management
Governance
Pree mptive
Correct ive
Both
Culture ∩ Pree mp -tive
Culture ∩ Correc-tive
Culture ∩ Both
Risk Management ∩ Preemptive
Risk Management ∩ Correct ive
Risk Management ∩ Both
Governance ∩ Pre-emptive
Governance ∩ Cor-rective
Governance ∩ Both
Lead
er-
ship
and
co
mm
it-m
ent
Man
agem
ent i
nter
-es
ted
in c
omm
uni-
catin
g H
SE is
sues
w
ith th
e w
orkf
orce
, re
war
ds fo
r goo
d H
SE p
erfo
rman
ce,
and
com
mitm
ent
leve
l of w
orkf
orce
an
d le
vel o
f car
e fo
r co
lleag
ues
H&
M1
1 1
N/A
H&
M3
&
H&
M7
U
H&
M6,
H
&M
7,
&
H&
M8
H&
M3
&
H&
M7
U
H&
M2,
&
H
&M
3
H&
M4
&
H&
M6
U
H&
M1,
H
&M
4 &
H
&M
5
H&
M4
&
H&
M6
U
H&
M6,
H
&M
7,
&
H&
M8
N/A
H&
M1,
H
&M
2,
H&
M3,
H
&M
5,
H&
M7,
&
H
&M
8 U
H
&M
1,
H&
M4,
&
H
&M
5
H&
M1,
H
&M
2,
H&
M3,
H
&M
5,
H&
M7,
&
H
&M
8 U
H
&M
6,
H&
M7,
&
H
&M
8
H&
M1,
H
&M
2,
H&
M3,
H
&M
5,
H&
M7,
&
H
&M
8 U
H
&M
2 &
H
&M
3
Polic
y an
d st
ra-
tegi
c ob
jec-
tives
Caus
e (w
ho) o
f acc
i-de
nts
in th
e ey
es o
f m
anag
emen
t and
ba
lanc
e be
twee
n H
SE a
nd p
rofit
abil-
ity
H&
M2
1
1
164
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Org
aniza
-tio
n,
resp
onsi
-bi
litie
s,
reso
urce
s,
stan
dard
s,
and
doc.
Cont
ract
or
man
agem
ent,
size
and
st
atus
of H
SE
depa
rtmen
t, an
d w
orke
rs in
tere
st
com
pete
ncy
/ tra
inin
gH
&M
31
11
Haz
ards
an
d ef
fect
m
anag
e-m
ent
Wor
k pl
anni
ng
incl
udin
g pe
rmit
to
wor
k an
d jo
urne
y m
anag
emen
t and
wor
k si
te jo
b sa
fety
H&
M4
11
Crite
ria b
y Ca
tego
ryCr
iteria
by
App
licat
ion
Mod
el C
riter
ia S
ets
165
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Plan
ning
an
d pr
oce-
dure
sPu
rpos
e of
pro
cedu
res
H&
M5
11
Impl
emen
-ta
tion
and
mon
itorin
g
Inci
dent
/ ac
cide
nt
repo
rting
, inv
estig
atio
n an
d an
alys
is, h
azar
d an
d un
safe
act
repo
rts,
chec
king
HSE
on
a da
y-to
-day
bas
is, a
fter
acci
dent
feed
back
, and
fe
el o
f HSE
mee
tings
H&
M6
11
Aud
itA
udits
and
revi
ews
H&
M7
11
1
Revi
ewBe
nchm
arki
ng, t
rend
s,
and
stat
istic
sH
&M
81
12
26
33
2
Sets
H&
M3
&
H&
M7
H&
M4
&
H&
M6
H&
M1,
H
&M
2,
H&
M3,
H
&M
5,
H&
M7,
&
H
&M
8
H&
M1,
H
&M
4,
&
H&
M5
H&
M6,
H
&M
7,
&
H&
M8
H&
M2,
&
H
&M
3
Num
ber o
f Crit
eria
Crite
ria b
y Ca
tego
ryCr
iteria
by
App
licat
ion
Mod
el C
riter
ia S
ets
166
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Ana
lysi
s
Impa
ct a
naly
sis,
thre
at
anal
ysis
, im
pact
sc
enar
ios,
and
re
cove
ry re
quire
men
t do
cum
enta
tion
BCP1
11
N/A
N/A
N/A
BCP1
, BC
P2,
BCP3
, BC
P4, &
BC
P5N
/AN
/AN
/AN
/AN
/A
Solu
tion
desi
gn
Iden
tify
mos
t cos
t ef
fect
ive
disa
ster
re
cove
ry s
olut
ion
to
dete
rmin
e th
e cr
isis
m
anag
emen
t com
man
d st
ruct
ure,
the
loca
tion
of a
sec
onda
ry w
ork
site
, tel
ecom
mun
icat
ion
arch
itect
ure
betw
een
prim
ary
and
seco
ndar
y w
ork
site
s, d
ata
repl
icat
ion
met
hodo
logy
bet
wee
n pr
imar
y an
d se
cond
ary
wor
k si
tes,
the
appl
icat
ion
and
softw
are
requ
ired
at
the
seco
ndar
y w
ork
site
, and
the
type
of
phys
ical
dat
a re
quire
men
ts a
t the
se
cond
ary
wor
k si
teBC
P21
1
Mod
el C
riter
ia S
ets
Crite
ria b
y Ca
tego
ryCr
iteria
by
App
licat
ion
Tabl
e 26
– B
usin
ess
Con
tinui
ty P
lann
ing,
Ana
lysi
s of
Mod
el D
ecom
posi
tion
and
Crit
eria
The
mes
167
Crite
riaD
efin
ition
Criteria Number
Culture
Risk Management
Governance
Preemptive
Corrective
Both
Culture ∩ Preemptive
Culture ∩ Corrective
Culture ∩ Both
Risk Management ∩
Preemptive
Risk Management ∩
Corrective
Risk Management ∩
Both
Governance ∩ Preemptive
Governance ∩ Corrective
Governance ∩ Both
Impl
emen
-ta
tion
Exec
utio
n of
the
desi
gn
elem
ents
iden
tifie
d in
th
e so
lutio
n de
sign
ph
ase
BCP3
11
Test
ing
and
orga
niza
-tio
nal
acce
pt-
ance
Cris
is c
omm
and
/ em
erge
ncy
oper
atio
ns
team
act
ivat
ion
test
ing,
ef
fect
tran
sfer
from
pr
imar
y to
sec
onda
ry
wor
k si
tes
and
seco
ndar
y to
prim
ary
wor
k si
tes
BCP4
11
Mai
nte-
nanc
e
Thre
e pe
riodi
c ac
tiviti
es; 1
) in
form
atio
n up
date
and
te
stin
g, 2
) tes
ting
and
verif
icat
ion
of te
chni
cal
solu
tions
, and
3)
test
ing
and
verif
icat
ion
of o
rgan
izatio
n re
cove
ry p
roce
dure
sBC
P51
10
50
50
0
Sets
N/A
BCP1
, BC
P2,
BCP3
, BC
P4,
& B
CP5
N/A
BCP1
, BC
P2,
BCP3
, BC
P4, &
BC
P5N
/AN
/A
Num
ber o
f Crit
eria
Crite
ria b
y Ca
tego
ryCr
iteria
by
App
licat
ion
Mod
el C
riter
ia S
ets
168
Table 27 – Decomposition of Models to Extract Criteria Themes
Criteria Number Definition
Primary Themes Sub-Themes
Culture ∩ Preemptive
HRO1
Encourage the reporting of errors and pay attention to any failures. These lapses may signal possible weakness in other parts of the organization. Too often, success narrows perceptions, breeds overconfidence in current practices and squelches opposing viewpoints. This leads to complacency that in turn increases the likelihood unexpected events will go undetected and snowball into bigger problems.
Culture & Risk Management
Safety Culture, Analysis, & Testing
DRU4 Training Culture Organizational Learning
RE4
Like a citizen staffed neighborhood watch program, the people who make up organizations are its sensory system. Many eyes, ears, and the physical presence of people who choose to get involved can be deterrence to crime. Also, employees who learn of potential disturbances that are credible and could impact the organization and bring such information to the organization, could provide the organization with sufficient time to implement measures to diminish the potential impact
Culture & Risk Management
Safety Culture, Analysis, Testing, & Maintenance
ERM1
Encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed, including the organization’s risk management philosophy and risk appetite, its integrity and ethical values, and the environment in which they operate
Culture, Risk Management, & Governance
Analysis, Solution Design, Objectives, Strategy, Policy, & Rules
RBPS1
Process safety culture, compliance with standards, process safety competency, workforce involvement, and stakeholder outreach
Culture & Governance
Safety Culture, Policy, Regulations, & Rules
169
Criteria Number Definition
Primary Themes Sub-Themes
Culture ∩ Corrective
HRO4
Cultivate the processes of resilience, intelligent reaction and improvisation. Be mindful of errors that have occurred and take steps to correct them before they worsen. Be ready to handle the next unforeseen event.
Culture & Risk Management
Organizational Learning, Flexibility, Analysis, Emergency Response, Implementation
HRO5
During troubled times, shift the leadership role to the person or team possessing the greatest expertise and experience to deal with the problem at hand. Provide them with the empowerment they need to take timely, effective action. Avoid using rank and status as the sole basis for determining who makes decisions when unexpected events occur.
Culture & Governance
Organizational Learning, Decision-Making, and Policy
DRU5 Organizational learning Culture Organizational Learning
H&M7 Audits and reviews Risk Management
Testing & Maintenance
Culture∩ Both
ERM7
Relevant information is identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities. Effective communication occurs within and across all levels of the organizational hierarchy Governance Communication
H&M3
Contractor management, size and status of HSE department, and workers interest competency / training
Culture & Governance
Safety Culture, Organizational Learning, & Policy
170
Criteria Number Definition
Primary Themes Sub-Themes
Risk Management ∩ Preemptive
HRO2
Analyze each occurrence through fresh eyes and take nothing for granted. Take a more complex view of matters and look for disconfirming evidence that foreshadows unexpected problems. Seek input from diverse sources, study minute details, discuss confusing events and listen intently. Avoid lumping details together or attempting to normalize an unexpected event in order to preserve a preconceived expectation.
Risk Management Analysis
HRO3
Pay serious attention to minute-to-minute operations and be aware of imperfections in these activities. Strive to make ongoing assessments and continual updates. Enlist everyone’s help in fine-tuning the workings of the organization.
Risk Management & Governance
Analysis, Maintenance & Management Support
DRU1
Identify and prioritize potential hazards, inventory physical assets, assess vulnerabilities, and estimate consequences
Risk Management Analysis
DRU3 Implement hazard mitigation projects and integrate mitigation efforts with government entities
Risk Management & Governance
Implementation & Management Support
RE1
Security and business continuity. The RE as much as it prepares knows that it could be faced with a hazard or impact that may overpower it. This does not mean that the company is worried that something is going to happen but realistic to know that something could happen someday and by being prepared, the impact could be lessened and the recovery time faster
Risk Management
Testing, Maintenance, Emergency Response
RE2
This principle requires that one should evaluate all of the potential vulnerabilities and determine what credible events could happen, the severity and likelihood of the event happening, and to take steps to prevent them from occurring or to implement measures to diminish the potential impact
Risk Management
Analysis & Implementation
RE3
Early detection can influence the likelihood of a disturbance by making the organization aware that action is needed, e.g. a preventative maintenance inspection that discovers the early stage of a system failure. Also, early detection can influence the potential impact of a disturbance as it could provide sufficient time to implement measures to diminish the potential impact
Risk Management Analysis
171
Criteria Number Definition
Primary Themes Sub-Themes
RE4
Like a citizen staffed neighborhood watch program, the people who make up organizations are its sensory system. Many eyes, ears, and the physical presence of people who choose to get involved can be deterrence to crime. Also, employees who learn of potential disturbances that are credible and could impact the organization and bring such information to the organization, could provide the organization with sufficient time to implement measures to diminish the potential impact Culture
Safety Culture, Analysis, Testing, & Maintenance
RE5
Backup systems and surpluses. The goal is to provide resources, backups, and redundancies for systems that are prioritized in order of decreasing importance to the organization
Culture & Governance
Testing, Maintenance, Management Support
RE6
Relationships with suppliers. While the organization may be fully functional it may suffer disturbances in its supply chain that could prevent it from producing or diminish the level of production to which it is capable. One way to develop a resilient supply chains is to develop relationships with suppliers before the emergency, during the course of typical operations, so that if the supplier is impacted in such a way that it is not able to produce enough parts for all of its customers, the organization is in good enough stead to have priority access on the parts that it needs. Another aspect is to develop relationships with several suppliers so that stock can be purchased, perhaps at a higher price, but purchased nonetheless. Another possibility is to stock critical components on site or to pre-purchase supplies so that there is always a reserve of supplies available Governance Policy & Procedure
ERM3
Internal and external events affecting achievement of an organization’s objectives must be identified and differentiated between risks and opportunities. Opportunities are channeled back to management’s strategy or objective setting processes
Risk Management & Governance
Analysis, Solution Design, & Objectives
ERM4
Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis
Risk Management Analysis
ERM5
Management selects risk responses, avoiding, accepting, reducing, or sharing risk and develops a set of actions to align risks with the organization’s risk tolerances and risk appetite
Risk Management
Solution Design, Implementation, & Maintenance
172
Criteria Number Definition
Primary Themes Sub-Themes
RBPS2 Process knowledge management and hazard identification and risk analysis
Culture & Risk Management
Organizational Learning, & Analysis
RBPS3
Operating procedures, safe work practices, asset integrity and reliability, contractor management, training and performance assurance, management of change, operational readiness, conduct of operations, and emergency management
Culture & Risk Management
Safety Culture, Organizational Learning, & Emergency Response
ROP1 Initiating events, mitigating systems, barrier integrity, emergency preparedness
Risk Management
Analysis, Solution Design, & Emergency Response
ROP2 Public radiation safety, occupational radiation safety Culture Safety Culture
ROP3 Physical protection Culture & Risk Management
Safety Culture & Implementation
H&M4 Work planning including permit to work and journey management and work site job safety Culture Safety Culture
BCP1 Impact analysis, threat analysis, impact scenarios, and recovery requirement documentation
Risk Management Analysis
BCP2
Identify most cost effective disaster recovery solution to determine the crisis management command structure, the location of a secondary work site, telecommunication architecture between primary and secondary work sites, data replication methodology between primary and secondary work sites, the application and software required at the secondary work site, and the type of physical data requirements at the secondary work site
Risk Management Solution Design
BCP3 Execution of the design elements identified in the solution design phase
Risk Management Implementation
BCP4
Crisis command / emergency operations team activation testing, effect transfer from primary to secondary work sites and secondary to primary work sites
Risk Management
Emergency Response
BCP5
Three periodic activities; 1) information update and testing, 2) testing and verification of technical solutions, and 3) testing and verification of organization recovery procedures
Risk Management
Testing & Maintenance
173
Criteria Number Definition
Primary Themes Sub-Themes
Risk Management ∩ Corrective
ERM8
The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both
Risk Management
Testing & Maintenance
RBPS4
Incident investigation, measurement and metrics, auditing, management review and continuous improvement, implementation, and the future
Culture, Risk Management, & Governance
Safety Culture, Analysis, & Management Support
H&M6
Incident / accident reporting, investigation and analysis, hazard and unsafe act reports, checking HSE on a day-to-day basis, after accident feedback, and feel of HSE meetings
Culture, Risk Management, & Governance
Safety Culture, Analysis, & Procedures
Risk Management ∩ Both
MIT1 Impact on people and impact on environment
Culture, Risk Management, & Governance
Safety Culture, Analysis, Implementation, Emergency Response, Policy, & Management Support
MIT2
Physical property damage, interruption of institute academic activities and operations, and intellectual property damage
Culture, Risk Management, & Governance
Safety Culture, Analysis, Implementation, Emergency Response, Policy, & Management Support
MIT3 Impact on external public image, impact on internal public image, and programs affected
Risk Management & Governance
Analysis, Implementation, Emergency Response, Policy, & Management Support
Governance ∩ Preemptive
HRO3
Pay serious attention to minute-to-minute operations and be aware of imperfections in these activities. Strive to make ongoing assessments and continual updates. Enlist everyone’s help in fine-tuning the workings of the organization.
Risk Management & Governance
Analysis, Maintenance, & Management Support
DRU4 Training Culture Organizational Learning
174
Criteria Number Definition
Primary Themes Sub-Themes
RE1
Security and business continuity. The RE as much as it prepares knows that it could be faced with a hazard or impact that may overpower it. This does not mean that the company is worried that something is going to happen but realistic to know that something could happen someday and by being prepared, the impact could be lessened and the recovery time faster
Risk Management
Testing, Maintenance, & Emergency Response
RE6
Relationships with suppliers. While the organization may be fully functional it may suffer disturbances in its supply chain that could prevent it from producing or diminish the level of production to which it is capable. One way to develop a resilient supply chains is to develop relationships with suppliers before the emergency, during the course of typical operations, so that if the supplier is impacted in such a way that it is not able to produce enough parts for all of its customers, the organization is in good enough stead to have priority access on the parts that it needs. Another aspect is to develop relationships with several suppliers so that stock can be purchased, perhaps at a higher price, but purchased nonetheless. Another possibility is to stock critical components on site or to pre-purchase supplies so that there is always a reserve of supplies available Governance Policy & Procedure
ERM2
Objectives must exist before management can identify potential events affecting their achievement. Therefore enterprise risk management ensures that management has in place a process to set objectives and that chosen objectives support and align with the organization’s mission and are consistent with its risk appetite
Risk Management & Governance
Analysis, Objectives, Policy, Procedures, & Management Support
ERM5
Management selects risk responses, avoiding, accepting, reducing, or sharing risk and develops a set of actions to align risks with the organization’s risk tolerances and risk appetite
Risk Management & Governance
Solution Design, Implementation, & Management Support
ERM6
Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out Governance
Implementation, Policy, Procedures, & Management Support
175
Criteria Number Definition
Primary Themes Sub-Themes
RBPS1
Process safety culture, compliance with standards, process safety competency, workforce involvement, and stakeholder outreach
Culture & Governance
Safety Culture, Policy, Regulation, & Rules
RBPS3
Operating procedures, safe work practices, asset integrity and reliability, contractor management, training and performance assurance, management of change, operational readiness, conduct of operations, and emergency management
Culture & Risk Management
Safety Culture, Organizational Learning, & Emergency Response
H&M1
Management interested in communicating HSE issues with the workforce, rewards for good HSE performance, and commitment level of workforce and level of care for colleagues
Culture & Governance
Safety Culture, Policy, Rules, & Management Support
H&M5 Purpose of procedures Governance Procedures Governance ∩ Corrective
HRO4
Cultivate the processes of resilience, intelligent reaction and improvisation. Be mindful of errors that have occurred and take steps to correct them before they worsen. Be ready to handle the next unforeseen event.
Culture & Risk Management
Organizational Learning, Policy, & Decision-Making
HRO5
During troubled times, shift the leadership role to the person or team possessing the greatest expertise and experience to deal with the problem at hand. Provide them with the empowerment they need to take timely, effective action. Avoid using rank and status as the sole basis for determining who makes decisions when unexpected events occur.
Culture & Governance
H&M7 Audits and reviews Risk Management
Testing & Maintenance
H&M8 Benchmarking, trends, and statistics Risk Management
Analysis, Testing, & Maintenance
Governance ∩ Both
DRU2 Frequent communication and stakeholder engagement (internal and external) Governance Communication
H&M2
Cause (who) of accidents in the eyes of management and balance between HSE and profitability
Culture, Risk Management, & Governance
Safety Culture, Analysis, Policy, & Decision-Making
H&M3
Contractor management, size and status of HSE department, and workers interest competency / training
Culture & Governance
Safety Culture, Organizational Learning, & Policy
176
Table 28 - Summary: Criteria Number by Theme
Safety Culture
Analysis
Testing
Organizational L
earning
Maintenance
Solution Design
Objectives
Strategic Direction
Policy
HRO1, RE4,
RBPS1, H&M3,
RE4, RBPS3, ROP2, ROP3, H&M4, RBPS4, H&M6, MIT1, MIT2,
RBPS1, RBPS3, H&M1, H&M2, H&M3
HRO1, RE4,
ERM1, HRO4, HRO2, HRO3, DRU1, RE2, RE3, RE4,
ERM3, ERM4, RBPS2, ROP1, BCP1,
RBPS4, H&M6, MIT1, MIT2, MIT3, HRO3, ERM2, HRO4, H&M8, H&M2
HRO1, RE4,
H&M7, RE1, RE4, RE5,
BCP5, ERM8, RE1,
H&M7, H&M8
DRU4, ERM1, HRO4, HRO5, DRU5, H&M3, RBPS2, RBPS3, DRU4, RBPS3, HRO4, HRO5, H&M3
RE4, H&M7, HRO3, RE1, RE4, RE5,
ERM5, BCP5, ERM8, HRO3, RE1,
H&M7, H&M8
ERM1, ERM3, ERM5, ROP1, BCP2, ERM5
ERM1, ERM3, ERM2 ERM1
ERM1, RBPS1, HRO5, H&M3,
RE8, MIT1, MIT2, MIT3, RE6,
ERM2, ERM6, RBPS1, H&M1, HRO5, H&M2, H&M3
Themes
177
Rules
Regulation
Flexibility
Em
ergency R
esponse
Implem
entation
Decision-M
aking
Com
munication
Managem
ent Support
Procedures
ERM1, RBPS1, RBPS1, H&M1
RBPS1, RBPS1
HRO4, HRO4
HRO4, RE1,
RBPS3, ROP1, BCP4, MIT1, MIT2, MIT3, RE1,
RBPS3, HRO4
HRO4, DRU3, RE2,
ERM5, ROP3, BCP3, MIT1, MIT2, MIT3, ERM5, ERM6, HRO4
HRO5, HRO5, H&M2
ERM7, H&M1, DRU2
HRO3, DRU3, RE5,
RBPS4, MIT1, MIT2, MIT3, HRO3, ERM2, ERM5, ERM6, H&M1
RE6, H&M6,
RE6, ERM2, ERM6, H&M5
Themes
178
179
Appendix D Materials distributed to stakeholders to prepare for
workshop no. 1
Workshop
Assessing the Highly Reliable Disaster Resistant Organization 2
3
Bermuda Conference Room - NE49
June 16, 2008
1:00 PM to 3:00 PM
Joseph F. Gifun, P.E.
(617) 253-4740
Introduction
The purpose of this workshop is to elicit feedback from local experts on an emerging
organization model named the Highly Reliable Disaster Resistant Organization (HRDRO).
HRDRO and its associated research is founded upon the premise; organizations that
effectively anticipate, resist, and recover from disasters and system disturbances follow
successful practices that embody high reliability, disaster resistance, and business resilience.
The HRDRO was derived from the integration of several organizational models; the High
Reliability Organization, the Disaster Resistant University, the Resilient Enterprise,
Enterprise Risk Management, Risk-Based Process Safety, Reactor Oversight Process, Hearts
and Minds, and Business Continuity Planning.
3 Former name for the methodology currently known as the Highly Reliable Resilient Organization
180
The result of this research to date is a hierarchical object tree model based on analytic-
deliberative principles that would assist organizations to:
1. Preemptively determine whether or not, and to what extent, the organization is poised
to effectively anticipate, resist, and recover from disasters and system disturbances
and identify the areas in which improvements should be made
2. Diagnostically examine the results of an impact of a disaster or system disturbance on
an organization to determine whether or not, and to what extent, the organization
anticipated, resisted, and recovered from such an impact and identify the areas in
which improvements should be made
Workshop Preparation
To prepare for the workshop, participants are encouraged to complete (or do as much as one
can) the following three tasks.
1. Please review the hierarchical tree, text and Figure [17] 1a or [18] 1b, and comment
upon its completeness, i.e., does it contain the right criteria to determine the level of
an organization’s HRDRO-ness? If no, what revisions would you make?
2. Please review the definitions of the criteria and state your level of agreement. If you
do not agree with the essence of the text that accompanies each definition please
suggest changes. If you suggested a new criterion in 1 above please provide a
definition. Complete grammatically correct sentences are not necessary – bullets are
just fine. Please focus on concepts and do not take the time to wordsmith.
3. Please think about the relative weights of the criteria. Time will be devoted to this
during the workshop
The intent of the following hypothetical event scenario is to enable workshop participants to
focus attention on each task in a consistent way as it provides a real-world context.
181
Hypothetical Event Scenario
Following two weeks of temperatures well below freezing a large diameter water main broke
in the vicinity of a research university in a dense urban setting. The break occurred during the
mid afternoon of a weekday when the university was fully operational. Much time was
required to secure the flow of water as adjacent valves were found to be inoperable causing a
complete loss of water pressure throughout the campus and adjoining areas of the city for
what ended up to be several hours. Thus, no potable or fire suppression water was available
during this time. In addition policy misunderstandings prohibited incident command staff
from transmitting a message by way of the university web page and telephone to all students
and staff that “hot work” must cease unless doing so would result in greater risk. During this
time when no water pressure was available a fire occurred in a laboratory located on an upper
floor of a high rise building.
HRDRO Hierarchical Tree
The hierarchical tree, Figures [16] 1a and [17] 1b employs a conventional vertical
hierarchical format. The output of the hierarchical tree is a numerical index that represents
the degree of compliance with the criteria and is employed preemptively, diagnostically, and
as the means for the prioritization of alternatives, as follows.
1. In a preemptive application the numerical index is used to determine the
organization’s current degree of HRDRO, i.e. a numerical index of greater value
represents a greater level of HRDRO. Moreover, the index enables one to see the
organization’s strengths and organizational areas that are in need of improvement.
The intent of examining the organization preemptively is to prevent, or at the very
least mitigate, the impact of disasters or system disturbances
2. Diagnostically the use of the index is similar to the preemptive application except that
it is used after the impact of a disaster or system disturbance
3. The index enables the comparison and ranking of alternatives against a set of pre-
established criteria. For example, several alternatives are identified during the
preemptive application above, the index for each is determined, and the course of
action with the most attractive index is implemented (corrective)
182
As the hierarchical tree supports an analytic-deliberative process the raw calculated indices
must be deliberated upon in order to determine final ranking.
183
Figure [16] 1a – HRDRO Hierarchical Tree (Max score = 1.00)
184
Figure [17] 1b – HRDRO Hierarchical Tree (Max score = 100)
185
Verification of Criteria Definitions
The following definitions, or fragments thereof, of the criteria shown in Figures [17]
1a and [18] 1b are to be considered preliminary and subject to scrutiny and revision
by workshop participants.
1. Culture - a basic set of assumptions that defines what those within the
organization pay attention to, what things mean, and how to react emotionally
to what is going on, and what actions to take in various kinds of situations
(Edgar Schein, 1992, Organizational Culture and Leadership, Jossey-Bass, 2nd
Ed, p. 22) [(Schein, 1992)].
2. Risk Management – organizational principles, practices, and structures that
enable an organization to manage uncertainty to either eliminate or mitigate
the realization and expansion of potential consequences
3. Governance – relates to decisions that define expectations, grant power, or
verify performance. It consists either of a separate process or of a specific part
of management or leadership processes. In the case of a business, governance
relates to consistent management, cohesive policies, processes, [practices and
procedures, authority] and [financial and operational] decision-rights for a
given area of responsibility.
4. Safety – The condition of being protected against [unacceptable levels of]
physical, social, spiritual, financial, political, emotional, occupational,
psychological, educational or other types or consequences of failure, damage,
error, accidents, harm or any other event which could be considered non-
desirable. This can take the form of being protected from the event or from
exposure to something that causes health or economical losses. It can include
protection of people or of possessions Organizational safety culture entails
compliance with standards, process safety competency, workforce
involvement, stakeholder outreach, operating procedures, safe work practices,
asset integrity and reliability, contractor management, training and
186
performance assurance, management of change, operational readiness, conduct
of operations, and emergency management.
5. Organizational Learning – describes an organization that actively creates,
captures, transfers, and mobilizes knowledge to enable it to adapt to a
changing environment. The disciplines of the learning organization are
Systems Thinking, Personal Mastery Mental Models Building Shared Vision
and team Learning and can be thought of on three distinct levels; practices
(what you do), principles (guiding ideas and insights), and essences (the state
of being of those with high levels of mastery in the discipline) (Senge, P. M.
(1990) The Fifth Discipline: The Art & Practice of The Learning
Organization, Doubleday, New York) [(Senge, 1990)].
Systems Thinking: A conceptual framework, a body of knowledge to make
full patterns clearer, and to help one how to change them effectively.
Personal Mastery: The discipline of continually clarifying and deepening our
personal vision, of focusing our energies, of developing patience, and of
seeing reality objectively. An organization’s commitment to and capacity for
learning can be no greater than the commitment to and capacity for learning of
its members
Mental Models: Deeply ingrained assumptions, generalizations, or even
pictures or images that influence how we understand the world and how we
take action.
Building Shared Vision: The practice of shared vision involves the skills of
unearthing shared “pictures of the future” that foster genuine commitment and
enrollment rather than compliance.
Team Learning: The discipline of team learning starts with dialogue, the
capacity of members of a team to suspend assumptions and enter into a
genuine thinking together. The discipline of dialogue also involves learning
how to recognize the patterns of interaction in teams that undermine learning.
Unless teams can learn, the organization cannot learn
Development of scenarios for internal training exercises, problems, mistakes,
errors, and failures are considered learning opportunities, solutions include
187
root cause and latent contributors, all personnel associated with the problem,
mistake, error, or failure regardless of rank participate in after action reviews
6. Flexibility – Decision making and problem resolution migrate quickly to the
person(s) most capable to make the decision or resolve the problem. People
within the organization know the, person(s) with expertise to contact when
something out of the ordinary occurs. An organization that embodies
flexibility adapts to changing demands and should problems occur, someone
with the authority to act and necessary resources are readily available. People
are familiar with their jobs and operations external to their own jobs and work
to create a climate that encourages variety in people’s analyses of the
organization’s technology and production processes and establish practices
that allow those perspectives to be heard and to surface information not held in
common (Weick, K. E. and Sutcliffe, K. M. Managing the Unexpected:
Assuring High Performance in an Age of Complexity. San Francisco: Jossey-
Bass, 2001 [(Weick & Sutcliffe, 2001)]. Weick, K. E. and Sutcliffe, K. M.
Managing the Unexpected: Resilient Performance in an Age of Uncertainty
(2nd ed.). San Francisco: John Wiley & Sons, 2007 [(Weick & Sutcliffe,
2007)].
7. Planning & Preparation – summary criterion, business continuity planning
a Analysis – the employment of impact analysis, threat analysis, impact
scenarios, and other analytic tools and methods to assess the current
and potential state of the organization (Business continuity planning.
b Solution Design – the means to identify the most cost effective
disaster recovery solution and determine the crisis management
command structure, the location of a secondary work site,
telecommunication architecture between primary and secondary work
sites, data replication methodology between primary and secondary
work sites, the application and software required at the secondary work
site, and the type of physical data requirements at the secondary work
site
c Implementation – execution of the design elements identified in the
solution design phase
188
d Testing & Acceptance – the means to ascertain the effectiveness of
the crisis command / emergency operations team including the
effective transfer from primary to secondary work sites and secondary
to primary work sites
e Maintenance – the conduction of periodic activities; 1) information
update and testing, 2) testing and verification of technical solutions,
and 3) testing and verification of organization recovery procedures
8. Emergency / Incident Response – an emergency is a situation which poses
an immediate risk to health, life, property or environment. Most emergencies
require urgent intervention [emergency / incident response] to prevent a
worsening of the situation, although in some situations, mitigation may not be
possible and agencies may only be able to offer palliative care for the
aftermath. Whilst some emergencies are self evident (such as a natural disaster
which threatens many lives), many smaller incidents require the subjective
opinion of an observer (or affected party) in order to decide whether it
qualifies as an emergency. The precise definition of an emergency, the
agencies involved and the procedures used, vary by jurisdiction, and this is
usually set by the government, whose agencies (emergency services) are
responsible for emergency planning and management. In order to be defined
as an emergency, the incident should be one of the following:
a Immediately threatening to life, health, property or environment.
b Have already caused loss of life, health detriments, property damage or
environmental damage
c Have a high probability of escalating to cause immediate danger to life,
health, property or environment
Whilst most emergency services agree on protecting human health, life and
property, the environmental impacts are not considered sufficiently important
by some agencies. This also extends to areas such as animal welfare, where
some emergency organizations cover this element through the 'property'
definition, where animals which are owned by a person are threatened
(although this does not cover wild animals). This means that some agencies
189
will not mount an 'emergency' response where it endangers wild animals or
environment although others will respond to such incidents (such as oil spills
at sea which pose a threat to marine life). The attitude of the agencies involved
is likely to reflect the predominant opinion of the government of the area.
Personnel who respond to emergencies either to mitigate impacts directly or to
work with or pass on information to emergency responders, e.g. local fire
service and internal personnel responsible for decisions regarding the control
of emergencies from onset to conclusion and the development of emergency
response and management procedures and training opportunities.
9. Objectives & Strategic Direction – A Strategy is a long term plan of action
designed to achieve a particular goal, most often "winning". Strategy is
differentiated from 0tactics or immediate actions with resources at hand by its
nature of being extensively premeditated, and often practically rehearsed.
Strategies are used to make the problem easier to understand and solve.
10. Policies, Rules, Regulations, & Operating Procedures – A policy is a
deliberate plan of action to guide decisions and achieve rational outcome(s).
The term may apply to government, private sector organizations and groups,
and individuals. Presidential executive orders, corporate privacy policies, and
parliamentary rules of order are all examples of policy. Policy differs from
rules or law. While law can compel or prohibit behaviors (e.g. a law requiring
the payment of taxes on income) policy merely guides actions toward those
that are most likely to achieve a desired outcome. Policy or policy study may
also refer to the process of making important organizational decisions,
including the identification of different alternatives such as programs or
spending priorities, and choosing among them on the basis of the impact they
will have. Policies can be understood as political, management, financial, and
administrative mechanisms arranged to reach explicit goals.
A procedure is a specification of series of actions, acts or operations which
have to be executed in the same manner in order to always obtain the same
result in the same circumstances (for example, emergency procedures). Less
190
precisely speaking, this word can indicate a sequence of activities, tasks, steps,
decisions, calculations and processes, that when undertaken in the sequence
laid down produces the described result, product or outcome. A procedure
usually induces a change.
Regulation can be considered as legal restrictions promulgated by government
authority. One can consider at least two levels in democracies -- legislative
acts, and implementing specifications of conduct imposed sanction (as a fine).
This administrative law or implementing regulatory law is in contrast to
statutory or case law.
Rule - a formal and widely-accepted statement, fact, definition, or
qualification, an informal but widely accepted norm, concept, truth, definition,
or qualification.
Policies are clearly written, broadly distributed, and reflect organization
mission. There is a consistent organization-wide understanding, acceptance,
and application of policies, processes, and practices. All policies are easily
understood, clearly written, published, and consistently applied and enforced.
The basis for policies and the decision processes employed during their
development is published and broadly known. Personnel are able to question
policies without retaliation and the organization’s level of acceptable risk is
well know by all personnel
11. Decision-Making Process – transparent analytic deliberative processes and
methods are used where appropriate. Risks are considered, even for decisions
that may appear quite mundane by asking questions such as, what will happen
next. The probability of the occurrence of credible risks and hazards are
considered. All policies are easily understood, clearly written, published, and
consistently applied and enforced. The basis for policies and the decision
processes employed during their development is published and broadly
known. Personnel are able to question policies without retaliation. The
organization’s level of acceptable risk is well know by all personnel
191
12. Monetary & Non-Monetary Support – Organization-wide policies and
practices that overtly support action, e.g. risk assessment and analysis,
implementation of projects, and funding of initiatives to eliminate and mitigate
risks. Budget set-asides for risk identification, assessment, elimination, and
mitigation. Action or deliberate inaction by the organization closely matches
that which the organization had said, displayed, and published and provides a
measure of the organization’s level of support. Support includes resources
such as money, people, time, and materials. Budgets include reserves for
vulnerability assessments and mitigation projects. Levels of support are
established by risk management methods
13. Communication – An act or instance of transmitting information, e.g. verbal
or written messages. A process by which information is exchanged between
individuals through a common system of symbols, signs, or behavior. A
system (as of telephones) for communicating. A technique for expressing
ideas effectively (as in speech). The technology of the transmission of
information (as by print or telecommunication) (Merriam-Webster, 2009)
Movement of information quickly with no constraints as to rank and the
person with information has the obligation to pass it on. Information regarding
imminent and potential risks, whether brief or detailed, is distributed
throughout the organization
Open and established process to engage stakeholders in solutions and open
relationships with regulators and other authorities
Elicitation of Criteria Weights
Preliminary relative weights are provided for the criteria shown in Figures [17] 1a and
[18] 1b. The two versions provide the workshop participant with a choice as some
people find it easier to work with whole numbers. Figure [17] 1a provides relative
weights with a maximum total of 1.00 while Figure [18] 1b provides relative weights
with a maximum total of 100. All other aspects of the figures are identical.
192
193
A
sses
sors
G
loba
l Wei
ghts
by
As-
A
B
C
D
E
Attr
ibut
e A
B
C
D
E
Max
. Po
ssi-
ble
Wei
ght
Max
. Po
ssib
le
Wei
ght
- W
eigh
t A
Pr
iorit
y A
Max
. Po
ssib
le
Wei
ght
- W
eigh
t B
Pr
iorit
y B
Max
. Po
ssib
le
Wei
ght
- W
eigh
t C
Pr
iorit
y C
Max
. Po
ssib
le
Wei
ght
- W
eigh
t D
Pr
iorit
y D
Max
. Po
ssib
le
Wei
ght
- W
eigh
t E
Prio
rity
E Sa
fety
Cul
ture
9.
4 14
14
14
18
.7
18.7
9.
3 2
4.7
5 4.
7 4
4.7
4 0.
0 11
O
rgan
izat
iona
l Lea
rnin
g, Q
ualit
y Im
prov
emen
t, an
d Fl
exib
ility
10
.5 1
0.5
10.5
10.
5 10
.5
21
10.5
1
10.5
1
10.5
1
10.5
1
10.5
1
Ana
lysi
s 1
1 2.
1 1
2.1
4.1
3.1
9 3.
1 6
2.0
9 3.
1 6
2.0
5 So
lutio
n D
esig
n 3.
3 1.
7 3.
3 5
5 6.
6 3.
3 8
4.9
4 3.
3 6
1.6
9 1.
6 6
Impl
emen
tatio
n 0
0 1.
8 1.
8 3.
6 7.
1 7.
1 4
7.1
2 5.
3 2
5.3
3 3.
5 2
Test
ing
and
Acc
epta
nce
1.1
2.2
1.1
1.1
3.3
4.4
3.3
8 2.
2 9
3.3
6 3.
3 5
1.1
9 M
aint
enan
ce
0.8
1.7
1.7
0.8
1.7
3.3
2.5
10
1.6
10
1.6
10
2.5
7 1.
6 6
Emer
genc
y / I
ncid
ent R
espo
nse
and
Busi
ness
5.
4 5.
4 8
5.4
8 10
.7
5.3
5 5.
3 3
2.7
7 5.
3 3
2.7
3 O
bjec
tives
and
Stra
tegi
c D
irect
ion
2.4
9.7
4.9
2.4
7.3
9.7
7.3
3 0.
0 13
4.
8 3
7.3
2 2.
4 4
Polic
ies,
Rul
es, R
egul
atio
ns, a
nd O
pera
ting
Pro-
0.5
1 1
1 1.
5 2
1.5
11
1.0
12
1.0
12
1.0
12
0.5
10
Dec
isio
n-M
akin
g Pr
oces
s 1.
3 2.
6 1.
3 3.
9 3.
9 5.
2 3.
9 6
2.6
7 3.
9 5
1.3
10
1.3
7 Co
mm
unic
atio
n 1.
2 2.
4 2.
4 2.
4 3.
5 4.
7 3.
5 7
2.3
8 2.
3 8
2.3
8 1.
2 8
Mon
etar
y &
Non
-Mon
etar
y Su
ppor
t 0
1.3
1.3
1.3
1.3
2.5
2.5
10
1.2
11
1.2
11
1.2
11
1.2
8
HRR
O In
dex
36.9
53.
5 53
.4 5
0.6
70.4
10
0
App
endi
x E
A
sses
sor
resp
onse
s and
pri
ority
Tabl
e 29
– A
sses
sor R
espo
nses
and
Prio
rity
194
195
APPENDIX F Constructed scales
Figure 18 – HRRO Constructed Scales
Note: Constructed scales are for demonstration and testing purposes only and they should be developed in the context of the organization in which they are to be used.
Safety Culture
Summary level measure of 18 performance measures attained from scoring sheet provided by the Hearts and Minds safety program. Organizational safety culture entails compliance with standards, process safety competency, workforce involvement, stakeholder outreach, operating procedures, safe work practices, asset integrity and reliability, contractor management, training and performance assurance, management of change, operational readiness, conduct of operations, and emergency management.
Level Description Utility Global Weight
4
Generative - highest level of safety culture where the organization is informed regarding safety issues and possesses the highest levels of trust and accountability within. (73 < Score ≤ 90) 100 18.7
3 Proactive - safety leadership and values drive continuous improvement. (55 < Average Score ≤ 73) 75 14.0
2 Calculative - systems in place to manage hazards. (37 < Score ≤ 55) 50 9.4
1 Reactive - safety is important and much is done every time there is an accident. (19 < Score ≤ 37) 25 4.7
0
Pathological - lowest level of safety culture where the organization does not care about safety unless caught by way of an accident or regulatory violation (0 < Score ≤ 19) 0 0
196
Organizational Learning, Quality Improvement, and Flexibility Summary level measure of 10 performance measures from the assessment tool provided in Ten Steps to a Learning Organization by Peter Kline and Bernard Saunders. A term that describes an organization that actively creates, captures, manages, transfers, and mobilizes knowledge to enable it to adapt to changing demands.
Level Description Utility Global Weight
4
The organization exhibits the qualities of organizational learning and quality improvement to a very great extent. (4 < Average Score ≤ 5) 100 21.0
3
The organization exhibits the qualities of organizational learning and quality improvement to a great extent. (3 < Average Score ≤ 4) 75 15.8
2
The organization exhibits the qualities of organizational learning and quality improvement to a moderate extent. (2 < Average Score ≤ 3) 50 10.5
1
The organization exhibits the qualities of organizational learning and quality improvement to a slight extent. (1 < Average Score ≤ 2) 25 5.3
0
The organization does not exhibit, or does so poorly, the qualities of organizational learning and quality improvement. (0 < Average Score ≤ 1) 0 0.0
Analysis
The employment of risk, vulnerability, and threat analysis, impact scenarios, and other analytic tools and methods to assess the current and potential state of the organization.
Level Description Utility Global Weight
4
The organization uses analytical tools and methods to assess the current and potential state of the organization to a very great extent. (4 < Average Score ≤ 5) 100 4.1
3
The organization uses analytical tools and methods to assess the current and potential state of the organization to a great extent. (3 < Average Score ≤ 4) 75 3.1
2
The organization uses analytical tools and methods to assess the current and potential state of the organization to a moderate extent. (2 < Average Score ≤ 3) 50 2.1
1
The organization uses analytical tools and methods to assess the current and potential state of the organization to a slight extent. (1 < Average Score ≤ 2) 25 1.0
0
The organization does not, or to a minimal level, use analytical tools and methods to assess the current and potential state of the organization. (0 < Average Score ≤ 1) 0 0.0
197
Solution Design
The means to identify and develop the most cost effective risk mitigation and disaster and crisis recovery solutions (including crisis management command structure).
Level Description Utility Global Weight
4
The organization identifies and develops cost effective risk mitigation and crisis recovery solutions to a very great extent. (4 < Average Score ≤ 5) 100 6.6
3
The organization identifies and develops cost effective risk mitigation and crisis recovery solutions to a great extent. (3 < Average Score ≤ 4) 75 5.0
2
The organization identifies and develops cost effective risk mitigation and crisis recovery solutions to a moderate extent. (2 < Average Score ≤ 3) 50 3.3
1
The organization identifies and develops cost effective risk mitigation and crisis recovery solutions to a slight extent. (1 < Average Score ≤ 2) 25 1.7
0
The organization does not identify or develop cost effective risk mitigation and crisis recovery solutions or does so minimally. (0 < Average Score ≤ 1) 0 0.0
Implementation
Execution of risk mitigation and disaster and crisis recovery solutions that emerge from the solution design phase.
Level Description Utility Global Weight
4 The organization funds and executes designed solutions to a very great extent. (4 < Average Score ≤ 5) 100 7.1
3 The organization funds and executes designed solutions to a great extent. (3 < Average Score ≤ 4) 75 5.3
2 The organization funds and executes designed solutions to a moderate extent. (2 < Average Score ≤ 3) 50 3.6
1 The organization funds and executes designed solutions to a slight extent. (1 < Average Score ≤ 2) 25 1.8
0
The organization does not, or poorly, funds or executes risk mitigation and disaster recovery solutions. (0 < Average Score ≤ 1) 0 0.0
198
Testing and Acceptance
The means to detect potential disturbances and ascertain the effectiveness and acceptance of plans and processes.
Level Description Utility Global Weight
4
The organization detects potential disturbances and determines the effectiveness and acceptance of risk mitigation plans and solutions to a very great extent. (4 < Average Score ≤ 5) 100 4.4
3
The organization detects potential disturbances and determines the effectiveness and acceptance of risk mitigation plans and solutions to a great extent. (3 < Average Score ≤ 4) 75 3.3
2
The organization detects potential disturbances and determines the effectiveness and acceptance of risk mitigation plans and solutions to a moderate extent. (2 < Average Score ≤ 3) 50 2.2
1
The organization detects potential disturbances and determines the effectiveness and acceptance of risk mitigation plans and solutions to a slight extent. (1 < Average Score ≤ 2) 25 1.1
0
The organization does not, or minimally, detects potential disturbances or determines the effectiveness and acceptance of risk mitigation plans and solutions. (0 < Average Score ≤ 1) 0 0.0
Maintenance
Periodic; 1) information updating and testing, 2) testing and verification of technical solutions, and 3) testing and verification of organization recovery procedures.
Level Description Utility Global Weight
4
The organization tests and updates its systems, solutions, and procedures to a very great extent. (4 < Average Score ≤ 5) 100 3.3
3 The organization tests and updates its systems, solutions, and procedures to a great extent. (3 < Average Score ≤ 4) 75 2.5
2
The organization tests and updates its systems, solutions, and procedures to a moderate extent. (2 < Average Score ≤ 3) 50 1.7
1 The organization tests and updates its systems, solutions, and procedures to a slight extent. (1 < Average Score ≤ 2) 25 0.8
0
The organization does not test or update its systems, solutions, and procedures or if it does so, it is done minimally. (0 < Average Score ≤ 1) 0 0.0
199
Emergency / Incident Response and Business Recovery An emergency is a situation that possesses an immediate risk to health, life, property, reputation, the environment, and finances. Business recovery is interested in the organization's ability to self-restore following an incident.
Level Description Utility Global Weight
4
The organization responds to emergencies and incidents and incorporates business recovery methods and practices to a very great extent. (4 < Average Score ≤ 5) 100 10.7
3
The organization responds to emergencies and incidents and incorporates business recovery methods and practices to a great extent. (3 < Average Score ≤ 4) 75 8.0
2
The organization responds to emergencies and incidents and incorporates business recovery methods and practices to a moderate extent. (2 < Average Score ≤ 3) 50 5.4
1
The organization responds to emergencies and incidents and incorporates business recovery methods and practices to a slight extent. (1 < Average Score ≤ 2) 25 2.7
0
The organization does not, or poorly responds to emergencies / incidents or employ business recovery methods and practices. (0 < Average Score ≤ 1) 0 0.0
Objectives and Strategic Direction
A strategic direction is a long term plan of action designed to achieve an objective, i.e. a specific goal
Level Description Utility Global Weight
4
The organization broadly promotes and supports the establishment and use of strategic objectives to a very great extent. (4 < Average Score ≤ 5) 100 9.7
3
The organization broadly promotes and supports the establishment and use of strategic objectives to a great extent. (3 < Average Score ≤ 4) 75 7.3
2
The organization broadly promotes and supports the establishment and use of strategic objectives to a moderate extent. (2 < Average Score ≤ 3) 50 4.9
1
The organization broadly promotes and supports the establishment and use of strategic objectives to a slight extent. (1 < Average Score ≤ 2) 25 2.4
0
The organization does not, or poorly promote or support the establishment and use of strategic objectives. (0 < Average Score ≤ 1) 0 0.0
200
Policies, Rules, Regulations, and Operating Procedures Deliberate plans of action to guide decisions and achieve rational outcomes by way of adherence to laws, rules, regulations, and operational requirements.
Level Description Utility Global Weight
4
The organization uses formal methods to guide decisions and actions and adheres to laws, rules, regulations, and operational requirements to achieve rational outcomes to a very great extent. (4 < Average Score ≤ 5) 100 2.0
3
The organization uses formal methods to guide decisions and actions and adheres to laws, rules, regulations, and operational requirements to achieve rational outcomes to a great extent. (3 < Average Score ≤ 4) 75 1.5
2
The organization uses formal methods to guide decisions and actions and adheres to laws, rules, regulations, and operational requirements to achieve rational outcomes to a moderate extent. (2 < Average Score ≤ 3) 50 1.0
1
The organization uses formal methods to guide decisions and actions and adheres to laws, rules, regulations, and operational requirements to achieve rational outcomes to a slight extent. (1 < Average Score ≤ 2) 25 0.5
0
The organization does not use formal methods to guide decisions and actions and minimally complies with laws, rules, regulations, and operational requirements. (0 < Average Score ≤ 1) 0 0.0
201
Decision-Making Process Transparent fact-based analytic deliberative processes and methods for making judgments or reaching conclusions are used where appropriate.
Level Description Utility Global Weight
4
The organization uses formal methods to guide decisions and actions and adheres to laws, rules, regulations, and operational requirements to achieve rational outcomes to a very great extent. (4 < Average Score ≤ 5) 100 5.2
3
The organization uses formal methods to guide decisions and actions and adheres to laws, rules, regulations, and operational requirements to achieve rational outcomes to a great extent. (3 < Average Score ≤ 4) 75 3.9
2
The organization uses formal methods to guide decisions and actions and adheres to laws, rules, regulations, and operational requirements to achieve rational outcomes to a moderate extent. (2 < Average Score ≤ 3) 50 2.6
1
The organization uses formal methods to guide decisions and actions and adheres to laws, rules, regulations, and operational requirements to achieve rational outcomes to a slight extent. (1 < Average Score ≤ 2) 25 1.3
0
The organization does not use formal methods to guide decisions and actions and minimally complies with laws, rules, regulations, and operational requirements. (0 < Average Score ≤ 1) 0 0.0
Communication
An act or instance of exchanging information, e.g. verbal or written messages.
Level Description Utility Global Weight
4 The organization communicates effectively internally and externally to a very great extent. (4 < Average Score ≤ 5) 100 4.7
3 The organization communicates effectively internally and externally to a great extent. (3 < Average Score ≤ 4) 75 3.5
2 The organization communicates effectively internally and externally to a moderate extent. (2 < Average Score ≤ 3) 50 2.4
1 The organization communicates effectively internally and externally to a slight extent. (1 < Average Score ≤ 2) 25 1.2
0 The organization does not communicate well internally or externally. (0 < Average Score ≤ 1) 0 0.0
202
Monetary & Non-Monetary Support
Organization-wide policies and practices that overtly support action, e.g. risk assessment and analysis, implementation of projects, and funding initiatives to eliminate and mitigate risks.
Level Description Utility Global Weight
4
The organization supports projects and initiatives that eliminate and mitigate risks to a very great extent. (4 < Average Score ≤ 5) 100 2.5
3
The organization supports projects and initiatives that eliminate and mitigate risks to a great extent. (3 < Average Score ≤ 4) 75 1.9
2
The organization supports projects and initiatives that eliminate and mitigate risks to a moderate extent. (2 < Average Score ≤ 3) 50 1.3
1
The organization supports projects and initiatives that eliminate and mitigate risks to a slight extent. (1 < Average Score ≤ 2) 25 0.6
0
The organization does not overtly support projects or initiatives to eliminate or mitigate risks or if it does, it does so minimally. (0 < Average Score ≤ 1) 0 0.0
203
Safe
ty C
ultu
re (S
ourc
e: H
eart
s an
d M
inds
)
Inst
ruct
ions
: F
or e
ach
of th
e 18
sta
tem
ents
/ qu
estio
ns In
sert
a 1
in th
e bo
x be
low
the
desc
riptio
n in
whi
ch y
ou m
ost
agre
e
Safe
ty C
ultu
re
Pa
thol
ogic
al
Re
activ
e
Calc
ulat
ive
Pr
oact
ive
G
ener
ativ
e
A
Is m
anag
emen
t int
eres
ted
in
com
mun
icat
ing
heal
th,
safe
ty, a
nd e
nviro
nmen
t (H
SE
) iss
ues
with
the
wor
k-fo
rce?
Man
agem
ent o
nly
com
mun
icat
es
HS
E is
sues
by
tell-
ing
wor
kers
not
to
caus
e pr
oble
ms
Afte
r inc
iden
ts
'flav
or o
f the
mon
th'
HS
E m
essa
ges
are
pass
ed d
own
from
to
p m
anag
emen
t. A
ny in
tere
st g
ets
less
ove
r tim
e as
th
ings
get
'bac
k to
no
rmal
'.
Man
agem
ent
shar
es a
lot o
f in-
form
atio
n w
hith
w
orke
rs a
nd h
as
frequ
ent H
SE
ini-
tiativ
es. M
anag
e-m
ent d
oes
a lo
t of
talk
ing
but i
s no
t re
ally
list
enin
g.
Ther
e is
a tw
o-w
ay
proc
ess
of c
omm
u-ni
catio
n ab
out H
SE
is
sues
in p
lace
. A
skin
g as
wel
l as
telli
ng g
oes
on.
Ther
e is
freq
uent
an
d cl
ear t
wo-
way
co
mm
unic
atio
n ab
out H
SE
issu
es
in w
hich
man
age-
men
t get
s m
ore
info
rmat
ion
back
th
an th
ey p
rovi
de.
Eve
ryon
e kn
ows
whe
n th
ere
is a
n in
cide
nt.
App
endi
x G
Su
rvey
form
s
Figu
re 1
9 –
HR
RO
Sur
vey
Form
s
204
B
Com
mitm
ent l
evel
of w
ork-
forc
e an
d le
vel o
f car
e fo
r co
lleag
ues
"Who
car
es a
s lo
ng
as w
e do
n't g
et
caug
ht?"
Indi
vidu
-al
s lo
ok a
fter t
hem
-se
lves
.
Look
out
for y
our-
self'
is th
e ru
le.
Pub
lic s
tate
men
ts
abou
t car
ing
for
colle
ague
s ar
e m
ade
just
afte
r ac-
cide
nts
by b
oth
man
agem
ent a
nd
wor
kfor
ce. T
his
emph
asis
fade
s aw
ay a
fter a
per
iod
of g
ood
HS
E p
er-
form
ance
.
Man
agem
ent's
in-
crea
sing
aw
are-
ness
of t
he c
osts
of
failu
re s
prea
ds
dow
n th
e or
gani
za-
tion.
Peo
ple
know
w
hat t
o sa
y ab
out
HS
E, b
ut d
o no
t al
way
s co
mpl
etel
y do
wha
t the
y ta
lk
abou
t.
The
wor
kefo
rce
feel
s pr
oud
of th
eir
HS
E p
erfo
rman
ce
and
wan
ts to
do
bette
r. P
eopl
e ca
re
for o
ther
peo
ple
and
the
envi
ron-
men
t.
Leve
ls o
f com
mit-
men
t and
car
e ar
e ve
ry h
igh
at a
ll le
v-el
s. T
hey
are
driv
en b
y em
ploy
-ee
s w
ho s
how
pas
-si
on a
bout
livin
g up
to
thei
r hig
h pe
r-so
nal s
tand
ards
. It'
s se
en a
s a
fam
ily
trage
dy if
som
eone
ge
ts h
urt.
C
Wha
r are
the
rew
ards
of
good
HS
E p
erfo
rman
ce?
No
rew
ards
are
gi
ven
or e
xpec
ted
for g
ood
HS
E p
er-
form
ance
- st
ayin
g al
ive
is re
war
d en
ough
. The
re a
re
ofte
n pu
nish
men
ts
for f
ailu
re.
Ther
e ar
e pu
nish
-m
ents
for p
oor
HS
E p
erfo
rman
ce.
Rew
ardi
ng b
ehav
-io
r is
not c
omm
on.
Bon
uses
are
re-
duce
d w
hen
ther
e ar
e ac
cide
nts.
Goo
d H
SE
per
-fo
rman
ce is
sai
d to
be
ver
y im
porta
nt.
Saf
ety
awar
ds s
uch
as T
-shi
rts o
r bas
e-ba
ll ha
ts a
re m
ade.
Th
ere
are
safe
ty
com
petit
ions
and
qu
izes
. Inc
iden
t ra
tes
are
used
w
hen
calc
ulat
ing
bonu
ses.
Goo
d H
SE
per
-fo
rman
ce is
re-
war
ded
and
cons
id-
ered
in p
rom
otio
n re
view
s. S
taff
ap-
prai
sal i
s ba
sed
on
carry
ing
out t
he
right
pro
cess
es a
s w
ell a
s (n
ot) h
avin
g in
cide
nts.
Rec
ogni
tion
of
good
HS
E p
erfo
rm-
ance
is s
een
as
bein
g hi
gh v
alue
. G
ood
perfo
rman
ce
mot
ivat
es p
eopl
e w
ithou
t the
m n
eed-
ing
extra
rew
ards
.
205
D
Who
cau
ses
acci
dent
s in
the
eyes
of m
anag
emen
t?
Indi
vidu
als
are
blam
ed, a
nd it
is
belie
ved
that
acc
i-de
nts
are
a pa
rt of
th
e jo
b. T
hose
di-
rect
ly in
volv
ed in
ac
cide
nts
are
held
re
spon
sibl
e fo
r th
em.
Ther
e ar
e at
tem
pts
to re
mov
e 'a
ccid
ent
-pro
ne' i
ndiv
idua
ls.
It is
bel
ieve
d th
at
acci
dent
s ar
e of
ten
just
bad
luck
. Man
-ag
emen
t con
side
rs
the
low
er le
vels
of
the
orga
niza
tion
to
caus
e th
e pr
ob-
lem
s.
Faul
ty m
achi
nery
, po
or m
aint
enan
ce
and
peop
le a
re
seen
as
caus
es o
f in
cide
nts.
The
se
are
atte
mpt
s to
re
duce
exp
osur
e to
ha
zard
s. A
ccid
ents
ar
e bl
amed
on
'the
syst
em'.
Man
agem
ent l
ooks
at
the
who
le H
SE
sy
stem
, inc
ludi
ng
proc
esse
s an
d pr
o-ce
dure
s w
hen
con-
side
ring
acci
dent
ca
uses
. The
y ad
mit
that
man
agem
ent
mus
t tak
e so
me
of
the
blam
e.
Bla
me
is n
ot a
n is
sue.
Man
agem
ent
acce
pts
resp
onsi
-bi
lity
whe
n as
sess
-in
g w
hat t
hey
per-
sona
lly c
ould
hav
e do
ne to
rem
ove
unde
rlyin
g ca
uses
. Th
ey ta
ke a
bro
ad
view
of H
SE
, loo
k-in
g at
the
over
all
inte
ract
ion
of s
ys-
tem
s an
d pe
ople
.
E
Bal
ance
bet
wee
n H
SE
and
pr
ofita
bilit
y
Mak
ing
mon
ey is
th
e on
ly c
once
rn.
HS
E is
see
n as
co
stin
g m
oney
, and
th
e on
ly im
porta
nt
issu
e is
avo
idin
g ex
tra c
osts
.
Sav
ing
mon
ey b
y co
st-c
uttin
g is
im-
porta
nt, b
ut m
oney
is
spe
nt to
mak
e th
e H
SE
impr
ove-
men
ts n
eces
sary
to
com
ply
with
lega
l re
quire
men
ts. C
on-
tinui
ng o
pera
tions
is
prio
rity
num
ber
one.
It is
not
cle
ar h
ow
HS
E a
nd p
rofit
abil-
ity a
re b
alan
ced.
Li
ne s
pend
s m
ost
of it
s tim
e on
op-
erat
iona
l iss
ues.
Li
ne m
anag
ers
know
how
to s
ay
the
right
thin
gs, b
ut
do n
ot a
lway
s do
w
hat t
hey
say
they
sh
ould
do,
esp
e-ci
ally
if it
cos
ts
mon
ey.
The
com
pany
trie
s to
mak
e H
SE
the
top
prio
rity,
whi
le
unde
rsta
ndin
g th
at
HS
E c
ontri
bute
s to
m
akin
g pr
ofits
. The
co
mpa
ny is
qui
te
good
at c
ombi
ning
pr
ofita
bilit
y an
d H
SE
, and
acc
epts
de
lays
to g
et c
on-
tract
s up
to s
tan-
dard
in te
rms
of
HS
E.
Man
agem
ent b
e-lie
ves
that
HS
E
mak
es m
oney
so
bala
ncin
g H
SE
and
m
akin
g go
od p
rofit
s is
a n
on-is
sue.
The
co
mpa
ny's
pla
ns
incl
ude
time
and
reso
urce
s to
get
co
ntra
ctor
s up
to
stan
dard
in te
rms
of H
SE
.
206
F C
ontr
acto
r man
agem
ent
Con
trac
tors
are
ex-
pect
ed to
get
the
job
done
with
min
imum
ef
fort
and
expe
nse.
H
SE
pro
blem
s ar
e en
tirel
y th
e re
spon
-si
bilit
y of
the
con-
tract
or.
Con
trac
tor
HS
E
man
agem
ent b
e-co
mes
impo
rtant
af
ter a
n in
cide
nt.
The
mos
t im
porta
nt
issu
e w
hen
sele
ct-
ing
a co
ntra
ctor
is
pric
e, b
ut p
oor
safe
ty p
erfo
rman
ce
has
cons
eque
nces
fo
r cho
osin
g co
n-tra
ctor
s.
Con
trac
tors
hav
e to
m
eet e
xten
sive
pre
-qu
alifi
catio
n re
quire
-m
ents
, bas
ed o
n qu
estio
nnai
res
and
stat
istic
s.H
SE
sta
n-da
rds
are
low
ered
if
no c
ontr
acto
r mee
ts
the
requ
irem
ents
. C
ontr
acto
rs h
ave
to
get u
p to
a s
tand
ard
usin
g th
eir o
wn
re-
sour
ces.
Con
trac
tor p
re-
qual
ifica
tion
re-
quire
s pr
oof t
hat
ther
e is
a w
orki
ng
HS
E-m
anag
emen
t sy
stem
. The
re a
re
join
t com
pany
-co
ntra
ctor
HS
E e
f-fo
rts a
nd th
e co
m-
pany
hel
ps w
ith c
on-
tract
or tr
aini
ng.
No
com
prom
ises
ar
e m
ade
for c
on-
tract
or H
SE
cap
abil-
ity. S
olut
ions
to H
SE
pr
oble
ms
are
foun
d to
geth
er w
ith c
on-
tract
ors.
Pos
tpon
e-m
ent o
f the
job
until
H
SE
requ
irem
ents
ar
e m
et is
acc
epte
d.
G
Com
pete
ncy
/ tra
inin
g - a
re
wor
kers
inte
rest
ed?
Wor
kers
don
't m
ind
exch
angi
ng a
har
sh
wor
king
env
iron-
men
t for
a c
oupl
e of
ho
urs
train
ing
off t
he
job.
HS
E tr
aini
ng is
se
en a
s a
nece
s-sa
ry e
vil; t
hey
at-
tend
trai
ning
whe
n it
is re
quire
d by
law
.
Trai
ning
is a
imed
at
the
pers
on -
"if w
e ca
n ch
ange
thei
r at
titud
es e
very
thin
g w
ill b
e al
right
". A
fter
an in
cide
nt s
ome
extra
mon
ey is
m
ade
avai
labl
e fo
r sp
ecifi
c tra
inin
g pr
o-gr
amm
es, b
ut th
e ef
fort
decr
ease
s ov
er ti
me.
Com
pete
nce
mat
ri-ce
s ar
e pr
esen
t and
lo
ts o
f sta
ndar
d tra
inin
g is
giv
en.
Kno
wle
dge
acqu
ired
on c
ours
es is
te
sted
. Em
ploy
ees
are
keen
to s
how
th
ey h
ave
atte
nded
al
l the
nec
essa
ry
cour
ses.
The
re is
so
me
on-th
e-jo
b tra
nsfe
r of t
rain
ing
to o
ther
wor
kers
.
Lead
ersh
ip fu
lly a
c-kn
owle
dges
the
im-
porta
nce
of te
sted
sk
ills
on th
e jo
b. T
he
wor
kfor
ce is
pro
ud
to d
emon
stra
te th
eir
skill
s in
on-
the-
job
asse
ssm
ent.
Som
e tra
inin
g ne
eds
are
iden
tifie
d by
the
wor
kpla
ce.
Inte
r-pe
rson
al s
kills
ar
e as
impo
rtant
as
tech
nica
l kno
wl-
edge
. Com
pete
nce
deve
lopm
ent i
s se
en a
s a
neve
r en
ding
pro
cess
. The
w
orkf
orce
ask
s fo
r tra
inin
g an
d fo
rms
an in
tegr
al p
art o
f th
e pr
oces
s.
207
H
Wha
t is
the
size
/ st
atus
of
the
HS
E d
epar
tmen
t?
If th
ere
is a
n H
SE
de
partm
ent i
t con
-si
sts
of o
ne p
erso
n or
a s
mal
l sta
ff in
th
e H
R d
epar
t-m
ent.
The
HS
E d
epar
t-m
ent i
s sm
all a
nd
has
little
pow
er. I
t is
see
n as
a c
aree
r de
ad-e
nd a
nd
once
in it
is h
ard
to
get o
ut. T
he s
taff
is
alw
ays
on c
all b
ut
usua
lly v
ery
muc
h in
the
back
grou
nd.
The
HS
E d
eoar
t-m
ent i
s se
en a
s a
polic
e fo
rce.
HS
E p
ositi
ons
are
give
n to
peo
ple
with
goo
d ba
ck-
grou
nds
who
can
't be
pla
ced
else
-w
here
. Th
e H
SE
de
partm
ent i
s la
rge
with
som
e st
atus
an
d po
wer
, mai
nly
anal
yzin
g st
atis
-tic
s. T
he H
SE
m
anag
er re
ports
to
a m
anag
er re
port-
ing
to th
e m
anag
-
HS
E is
see
n as
an
impo
rtant
job,
gi
ven
to h
igh
flier
s.
HS
E a
dvic
e is
ap-
prec
iate
d by
the
line.
All
seni
or p
eo-
ple
in o
pera
tions
m
ust h
ave
HS
E
expe
rienc
e. T
he
HS
E m
anag
er re
-po
rts d
irect
ly to
the
man
agin
g di
rect
or
of th
e co
mpa
ny.
HS
E re
spon
sibi
li-tie
s ar
e di
strib
uted
th
roug
hout
the
com
pany
. If t
here
is
an
HS
E d
epar
t-m
ent i
t is
smal
l but
po
wer
ful h
avin
g eq
ual s
tatu
s w
ith
othe
r de
partm
ents
.
I
Wor
k pl
anni
ng in
clud
ing
perm
it to
wor
k (P
TW) a
nd
jour
ney
man
agem
ent
Ther
e is
no
HS
E
plan
ning
and
littl
e pl
anni
ng o
vera
ll.
Wor
k pl
anni
ng
conc
entr
ates
on
the
quic
kest
and
ch
eape
st c
ompl
e-tio
n of
the
job.
HS
E p
lann
ing
is
base
d on
wha
t w
ent
wro
ng in
the
past
. The
re is
an
info
rmal
wor
k pl
an-
ning
pro
cess
fo-
cuse
d on
man
ag-
ing
the
time
take
n fo
r a jo
b.
Ther
e is
a lo
t of
emph
asis
on
haz-
ard
anal
ysis
and
pe
rmit
to w
ork.
Th
ere
is li
ttle
use
of fe
edba
ck fr
om
inci
dent
s to
im-
prov
e pl
anni
ng.
Peo
ple
belie
ve th
at
'the
syst
em' w
orks
w
ell a
nd w
ill p
re-
vent
inci
dent
s.
Wor
k an
d H
SE
is
sues
are
inte
-gr
ated
in p
lann
ing.
P
lans
are
follo
wed
th
roug
h an
d th
ere
is s
ome
eval
uatio
n of
the
effe
ctiv
e-ne
ss o
f the
pla
n-ni
ng b
y su
perv
i-so
rs a
nd li
ne m
an-
agem
ent.
Ther
e is
a th
or-
ough
pla
nnin
g pr
oces
s w
ith b
oth
antic
ipat
ion
of
prob
lem
s an
d re
-vi
ew o
f the
pro
c-es
s. E
mpl
oyee
s ar
e tr
uste
d to
do
mos
t pla
nnin
g.
Ther
e is
less
pa-
per,
mor
e th
inki
ng,
and
the
plan
ning
pr
oces
s is
wel
l kn
own
and
dis-
208
J W
ork-
site
job
safe
ty te
ch-
niqu
es
Wor
k-si
te jo
b sa
fety
tech
niqu
es
are
not u
sed.
"Lo
ok
out f
or y
ours
elf".
Afte
r acc
iden
ts a
st
anda
rd w
ork-
site
ha
zard
man
age-
men
t tec
hniq
ue is
br
ough
t in.
The
re is
lit
tle s
yste
mat
ic
use
of s
uch
tech
-ni
ques
afte
r the
ir in
itial
intro
duct
ion.
A c
omm
erci
ally
av
aila
ble
job
safe
ty
tech
niqu
e is
intro
-du
ced
to m
eet t
he
requ
irem
ents
of t
he
man
agem
ent s
ys-
tem
. Hav
ing
this
te
chni
que
lead
s to
lit
tle a
ctio
n. N
um-
bers
of r
epor
ts a
re
used
to s
how
that
th
e sy
stem
is w
ork-
ing.
Job
safe
ty a
naly
-si
s / j
ob s
afet
y ob
-se
rvat
ion
tech
-ni
ques
are
ac-
cept
ed b
y th
e w
orkf
orce
as
bein
g in
thei
r ow
n in
ter-
est.
They
thin
k th
ese
met
hods
are
st
anda
rd p
ract
ice.
W
orke
rs a
nd s
u-pe
rvis
ors
tell
each
ot
her
abou
t haz
-ar
ds.
Job
safe
ty a
naly
sis
as a
wor
k-si
te h
az-
ard
man
agem
ent
tech
niqu
e is
ofte
n re
vised
usi
ng a
de
fined
pro
cess
.
K
Wha
t is
the
purp
ose
of p
ro-
cedu
res?
The
com
pany
m
akes
HS
E p
roce
-du
res
only
whe
n re
ally
nec
essa
ry.
They
are
see
n as
lim
iting
peo
ple'
s ac
tiviti
es in
ord
er to
av
oid
law
suits
or
harm
to a
sset
s.
The
purp
ose
of
HS
E p
roce
dure
s is
to
pre
vent
indi
vid-
ual i
ncid
ents
from
ha
ppen
ing
agai
n.
They
are
ofte
n w
rit-
ten
in re
spon
se to
ac
cide
nts
and
thei
r ov
eral
l effe
ct m
ay
not b
e co
nsid
ered
in
det
ail.
Ther
e ar
e m
any
HS
E p
roce
dure
s,
serv
ing
as 'b
arie
rs'
to p
reve
nt in
ci-
dent
s. S
ome
HS
E
proc
edur
es a
re
repl
aced
by
train
-in
g an
d co
mpe
-te
ncy
requ
ire-
men
ts.
HS
E p
roce
dure
s sp
read
bes
t pra
c-tic
e bu
t are
see
n as
occ
aisi
onal
ly
inco
nven
ient
by
a co
mpe
tent
wor
k-fo
rce.
Effo
rts a
re
mad
e to
rem
ove
rule
s an
d pr
oce-
dure
s th
at a
re h
ard
to fo
llow
.
Ther
e is
trus
t in
empl
oyee
s th
at
they
can
reco
gniz
e s i
tuat
ions
whe
re
the
rule
s sh
ould
be
chal
leng
ed. N
on-
com
plia
nce
to H
SE
pr
oced
ures
goe
s th
roug
h cl
early
de-
fined
cha
nnel
s.
Pro
cedu
res
are
cont
inuo
usly
re-
fined
for e
ffici
ency
.
209
L In
cide
nt /
acci
dent
repo
rting
, in
vest
igat
ion
anal
ysis
Man
y in
cide
nts
are
not r
epor
ted.
Inve
s-tig
atio
n on
ly ta
kes
plac
e af
ter a
ser
i-ou
s ac
cide
nt.
Ana
lyse
s do
not
co
nsid
er h
uman
fa
ctor
s no
r go
be-
yond
lega
l req
uire
-m
ents
. The
prio
rity
is to
pro
tect
the
com
pany
and
its
prof
its.
Ther
e is
an
info
r-m
al re
porti
ng s
ys-
tem
and
inve
stig
a-tio
n of
inci
dent
s is
ai
med
onl
y at
im-
med
iate
cau
ses,
w
ith a
pap
er tr
ail t
o sh
ow a
n in
vest
iga-
tion
has
take
n pl
ace.
Inve
stig
atio
n fo
cuse
s on
find
ing
who
is g
uilty
. The
re
is li
ttle
syst
emat
ic
follo
w u
p an
d pr
evi-
ous
sim
ilar e
vent
s ar
e no
t con
side
red.
Ther
e ar
e in
cide
nt
inve
stig
atio
n pr
oce-
dure
s pr
oduc
ing
lots
of d
ata
and
actio
n ite
ms,
but
op
portu
nitie
s to
ad
dres
s th
e re
al
issu
es a
re o
ften
mis
sed.
Fol
low
-up
conc
entr
ates
on
loca
l iss
ues.
Re-
med
ial a
ctio
ns c
on-
cent
rate
on
train
ing
and
proc
edur
al
solu
tions
.
Ther
e ar
e tra
ined
in
cide
nt in
vest
iga-
tors
, with
sys
tem
-at
ic fo
llow
-up
to
chec
k th
at re
quire
d ch
ange
s ha
ve
take
n pl
ace
and
been
mai
ntai
ned.
R
epor
ts a
re s
ent
out c
ompa
ny-w
ide
to s
hare
the
les-
sons
lear
ned.
Th
ere
is li
ttle
crea
-tiv
ity in
find
ing
how
th
e un
derly
ing
is-
sues
cou
ld a
ffect
th
e bu
sine
ss.
Inve
stig
atio
n an
d an
alys
is is
driv
en
by a
goo
d un
der-
stan
ding
of h
ow
acci
dent
s ha
ppen
. Is
sues
are
iden
ti-fie
d by
agg
rega
ting
info
rmat
ion
from
a
wid
e ra
nge
of in
ci-
dent
s. F
ollo
w u
p is
sy
tem
atic
, to
chec
k th
at c
hage
occ
urs
and
is m
aint
aine
d.
210
M
Haz
ard
and
unsa
fe a
cts
re-
porti
ng
Ther
e ar
e no
haz
-ar
d or
uns
afe
act
repa
irs.
Rep
ortin
g of
haz
-ar
ds a
nd u
nsaf
e ac
ts is
sim
ple
and
fact
ual.
Focu
s is
on
dete
rmin
ing
who
or
wha
t cau
sed
the
situ
atio
n. T
he c
om-
pany
doe
s no
t tra
ck
wha
t act
ions
are
ta
ken
afte
r rep
orts
ar
e su
bmitt
ed.
Haz
ard
and
unsa
fe
act r
epor
ts fo
llow
a
fixed
form
at fo
r ca
tego
rizat
ion
and
docu
men
tatio
n of
ob
serv
atio
ns. T
he
num
ber o
f rep
orts
is
wha
t cou
nts.
The
co
mpa
ny r
equi
res
com
plet
ed fo
rms
with
out b
lank
sp
aces
. Man
age-
men
t set
s go
als
base
d on
the
num
-be
r of r
epor
ts
mad
e.
Haz
ard
and
unsa
fe
act r
epor
ting
look
s fo
r 'w
hy' r
athe
r tha
n ju
st 'w
hat'
or 'w
hen'
. Q
uick
sub
mis
sion
of
rep
orts
is n
orm
al.
Man
agem
ent s
ets
goal
s fo
r qua
lity
of
repo
rts a
nd fo
llow
up
of r
ecom
men
da-
tions
.
All
leve
ls o
f the
or-
gani
zatio
n ac
tivel
y ac
cess
and
use
the
info
rmat
ion
gene
r-at
ed b
y ha
zard
and
un
safe
act
repo
rts
in th
eir d
aily
wor
k.
N
Wha
t hap
pens
afte
r an
acc
i-de
nt?
Is th
e fe
edba
ck lo
op
bein
g cl
osed
?
Afte
r an
acci
dent
th
e fo
cus
is o
n th
e em
ploy
ees
invo
lved
an
d th
ey a
re o
ften
fired
. Th
e pr
iorit
y is
to
lim
it da
mag
e an
d ge
t bac
k to
pro
duc-
tion.
Line
man
agem
ent
is a
nnoy
ed b
y 's
tupi
d' a
ccid
ents
. A
fter a
n ac
cide
nt
inve
stig
atio
n re
-po
rts a
re n
ot
pass
ed u
p th
e lin
e if
it ca
n be
avo
ided
. W
arni
ng le
tters
are
se
nt b
y m
anag
e-m
ent.
Wor
kfor
ce re
port
thei
r ow
n in
cide
nts
but m
aint
ain
dis-
tanc
e w
ith c
ontr
ac-
tor i
ncid
ents
. Top
m
anag
emen
t get
an
gry
whe
n th
ey
hear
of a
n in
cide
nt -
"wha
t doe
s th
is d
o to
our
stat
istic
s?"
Man
agem
ent i
s di
ssap
oint
ed b
ut
asks
abo
ut th
e w
ell-
bein
g of
thos
e in
-vo
lved
. Inv
estig
a-tio
n fo
cuse
s on
un-
derly
ing
caus
es
and
the
resu
lts a
re
fed
back
to th
e su
-pe
rvis
ory
leve
l.
Top
man
agem
ent i
s se
en a
mon
gst t
he
peop
le in
volv
ed
dire
ctly
afte
r an
inci
dent
. Th
ey s
how
pe
rson
al in
tere
st in
in
divi
dual
s an
d th
e in
vest
igat
ion
proc
-es
s. E
mpl
oyee
s ta
ke a
ccid
ents
in-
volv
ing
othe
rs p
er-
sona
lly.
211
O
Who
che
cks
HS
E o
n a
day-
to-d
ay b
asis
?
Ther
e is
no
form
al
syst
em fo
r che
ck-
ing
for H
SE
pro
b-le
ms
on a
dai
ly
basi
s. In
divi
dual
s ar
e su
ppos
ed to
ta
ke c
are
of th
em-
selv
es.
Ther
e is
relia
nce
on o
utsi
de e
xper
ts
to s
pot p
robl
ems.
S
uper
ficia
l che
cks
are
perfo
rmed
by
line
supe
rvis
ion
/ m
anag
emen
t whe
n th
ey a
re v
isiti
ng,
mos
tly a
fter i
nci-
dent
s or
inef
ficie
n-ci
es. T
here
is n
o fo
rmal
sys
tem
for
follo
w-u
p.
Site
act
ivitie
s ar
e re
gula
rly c
heck
ed
by th
e lin
e fo
r HS
E
issu
es, b
ut n
ot o
n a
daily
bas
is. I
nspe
c-tio
ns a
im to
che
ck
that
pro
cedu
res
are
bein
g fo
llow
ed.
Sup
ervis
ors
en-
cour
age
wor
k te
ams
to c
heck
H
SE
for t
hem
-se
lves
. Man
ager
s do
ing
wal
k-ro
unds
ar
e se
en a
s si
n-ce
re. I
nter
nal c
ross
-insp
ectio
ns, i
.e.
betw
een
com
pany
de
partm
ents
, tak
e pl
ace
invo
lvin
g m
anag
ers
and
su-
perv
isor
s.
Eve
ryon
e ch
ecks
fo
r HS
E h
azar
ds,
look
ing
out f
or
them
selv
es a
nd
thei
r wor
k-m
ates
. S
uper
visor
insp
ec-
tions
are
larg
ely
unne
cess
ary.
P
How
do
HS
E m
eetin
gs fe
el?
HS
E m
eetin
gs, i
f th
ey h
appe
n, a
re
seen
as
a w
aste
of
time.
The
y ar
e ru
n by
the
boss
or a
su
perv
isor
, and
are
fe
lt to
be
a fo
rmal
-ity
. Con
vers
atio
n of
ten
turn
s to
spo
rt or
car
s.
HS
E m
eetin
gs a
re
poor
ly a
ttend
ed
and
unpo
pula
r w
ith
the
wor
kfor
ce.
They
pro
vide
op-
portu
nitie
s to
bla
me
peop
le fo
r inc
iden
ts
and
form
a s
tan-
dard
resp
onse
to
an a
ccid
ent.
Tool
-bo
x m
eetin
gs m
ay
be d
omin
ated
by
non-
wor
k is
sues
.
HS
E m
eetin
gs a
re
seen
as
stan
dard
pr
actic
e bu
t offe
r lim
ited
inte
ract
ion
betw
een
supe
rvi-
sors
and
wor
kfor
ce.
The
regu
lar s
ched
-ul
ed m
eetin
gs a
re
high
ly s
truct
ured
. To
olbo
x m
eetin
gs
arer
un o
n a
stric
t ag
enda
.
HS
E m
eetin
gs fe
el
like
a ge
nuin
e fo
-ru
m fo
r int
erac
tion
acro
ss th
e co
m-
pany
. At l
ower
lev-
els
all m
eetin
gs a
re
HS
E m
eetin
gs a
nd
are
used
to id
entif
y pr
oble
ms
befo
re
they
occ
ur.
HS
E m
eetin
gs c
an
be c
alle
d by
any
em
ploy
ee, t
akin
g pl
ace
in a
rel
axed
at
mos
pher
e, w
ith
man
ager
s at
tend
-in
g by
invit
atio
n.
Tool
box
mee
tings
ar
e sh
ort a
nd fo
-cu
sed
on e
nsur
ing
ever
yone
is p
re-
pare
d fo
r an
y pr
ob-
lem
s th
at m
ight
ar
ise.
212
Q
Aud
its a
nd r
evie
ws
Ther
e is
unw
illin
g co
mpl
ianc
e w
ith
stat
utor
y H
SE
in-
spec
tion
requ
ire-
men
ts. A
udits
are
m
ainl
y fin
anci
al.
HS
E a
udits
are
un-
stru
ctur
ed a
nd o
c-cu
r onl
y af
ter m
ajor
ac
cide
nts.
Peo
ple
acce
pt H
SE
au
dits
as
ines
cap-
able
, esp
ecia
lly
afte
r ser
ious
or f
a-ta
l acc
iden
ts. T
here
is
no
sche
dule
for
audi
ts a
nd re
view
s,
as th
ey a
re s
een
as
a pu
nish
men
t.
Ther
e is
a re
gula
r, sc
hedu
led
HS
E
audi
t pro
gram
. It
conc
entr
ates
on
know
n hi
gh h
azar
d ar
eas.
Man
ager
s ar
e ha
ppy
to a
udit
othe
rs, b
ut b
eing
au
dite
d is
less
wel
-co
me.
Aud
its a
re
stru
ctur
ed in
term
s of
man
agem
ent
syst
ems.
Ther
e is
an
exte
n-si
ve a
udit
prog
ram
in
clud
ing
cros
s-au
ditin
g w
ithin
the
orga
niza
tion.
Man
-ag
emen
t and
su-
perv
isor
s re
aliz
e th
at th
ey m
ay n
ot
be b
est a
ble
to
judg
e an
d w
elco
me
outs
ide
help
. Aud
its
are
seen
as
posi
-tiv
e ev
en th
ough
th
ey a
re p
ainf
ul.
HS
E a
spec
ts a
re
inte
grat
ed in
the
audi
t sys
tem
that
ru
ns s
moo
thly
with
go
od fo
llow
up.
Th
ere
is c
ontin
uous
in
form
al s
earc
hing
fo
r non
-obv
ious
pr
oble
ms,
with
out
-si
de h
elp
whe
n it
is
need
ed. A
udits
fo-
cus
on b
ehav
iors
as
wel
l as
hard
-w
are
and
syst
ems.
213
R
Ben
chm
arki
ng, t
rend
s an
d st
atis
tics
Ther
e is
com
plia
nce
with
sta
tuto
ry H
SE
re
porti
ng b
ut li
ttle
mor
e th
an th
at.
Ben
chm
arki
ng is
on
ly o
n fin
ance
and
pr
oduc
tion.
Man
agem
ent w
or-
ries
abou
t the
cos
t of
acc
iden
ts a
nd th
e co
mpa
ny's
' pos
ition
in
the
'leag
ue ta
-bl
es'.
Sta
tistic
s re
-po
rt th
e im
med
iate
ca
uses
of a
ccid
ents
.
Ben
chm
arki
ng o
c-cu
rs o
n a
wid
e va
ri-et
y of
indu
stry
HS
E
data
. Man
ager
s di
s-pl
ay lo
ts o
f dat
a pu
blic
ly th
roug
hout
th
e or
gani
zatio
n.
Ther
e is
focu
s on
cu
rrent
pro
blem
s th
at c
an b
e m
eas-
ured
obj
ectiv
ely
and
sum
mar
ized
usi
ng
num
bers
.
Ben
chm
arki
ng is
ag
ains
t oth
ers
in th
e sa
me
indu
stry
and
is
driv
en b
y m
an-
agem
ent -
"try
to b
e th
e be
st in
the
in-
dust
ry".
Loo
k fo
r le
adin
g in
dica
tors
, an
alyz
e tre
nds,
un-
ders
tand
them
, and
us
e th
em to
ada
pt
stra
tegy
. Exp
lain
fin
ding
s to
sup
ervi
-so
rs.
Ben
chm
ark
outs
ide
the
indu
stry
, usi
ng
both
'h
ard'
(out
com
e) a
nd
'sof
t' (p
roce
ss)
mea
sure
s. A
ll le
vels
of
the
orga
niza
tion
are
invo
lved
in id
en-
tifyi
ng a
ctio
n po
ints
fo
r im
prov
emen
t.
Col
umn
Sum
0
0 0
0 0
Wei
ghtin
g F
acto
r 1
2 3
4 5
Wei
ghte
d C
olum
n S
um
0 0
0 0
0
Sco
re
0 0
Glo
bal W
eigh
t 0
214
Org
aniz
atio
nal L
earn
ing,
Qua
lity
Impr
ovem
ent,
and
Flex
ibili
ty (S
ourc
e: T
en S
teps
to
a Le
arni
ng O
rgan
izat
ion
by P
eter
Klin
e &
B
erna
rd S
aund
ers)
Res
pons
e op
tions
: 1 =
Not
at a
ll 2
= To
a s
light
ex-
tent
3
= To
a m
oder
ate
exte
nt
4 =
To a
gre
at e
x-te
nt
5 =
To a
ver
y gr
eat e
xten
t
Org
aniz
atio
nal L
earn
ing,
Qua
lity
Im-
prov
emen
t, an
d Fl
exib
ility
Ass
ess-
ing
Your
Le
arni
ng
Cul
ture
Pro
mot
e th
e P
osi-
tive
Mak
e th
e W
ork-
plac
e Sa
fe fo
r Th
inki
ng
Rew
ard
Risk
-ta
king
Hel
p P
eopl
e Be
com
e Be
tter
Re-
sour
ces
for
each
O
ther
Put
Le
arni
ng
Pow
er to
W
ork
Map
Out
th
e V
sion
Brin
g th
e Vi
sion
to
Life
Con
nect
th
e S
ys-
tem
s
Get
the
Sho
w o
n th
e Ro
ad
1
Peo
ple
feel
free
to s
peak
thei
r m
inds
abo
ut w
hat t
hey
have
le
arne
d. T
here
is n
o fe
ar, t
hrea
t or
repe
rcus
sion
for d
isag
reei
ng o
r di
ssen
ting.
2
Mis
take
s m
ade
by in
divi
dual
s or
de
partm
ents
are
turn
ed in
to c
on-
stru
ctiv
e le
arni
ng o
rgan
izat
ions
.
3
Ther
e is
a g
ener
al fe
elin
g th
at it
's
alw
ays
poss
ible
to fi
nd a
bet
ter
way
to d
o so
met
hing
.
4
Mul
tiple
vie
wpo
ints
and
ope
n pr
o-du
ctiv
e de
bate
s ar
e en
cour
aged
an
d cu
ltiva
ted.
5
Exp
erim
enta
tion
is e
ndor
sed
and
cham
pion
ed, a
nd is
a w
ay o
f do-
ing
busi
ness
.
215
6
Mis
take
s ar
e cl
early
vie
wed
as
posi
-tiv
e gr
owth
opp
ortu
nitie
s th
roug
hout
th
e sy
stem
.
7
Ther
e is
will
ingn
ess
to b
reak
old
pa
ttern
s in
ord
er to
exp
erim
ent w
ith
diffe
rent
way
s of
org
aniz
ing
and
man
agin
g da
ily w
ork.
8
Man
agem
ent p
ract
ices
are
inno
va-
tive,
cre
ativ
e, a
nd p
erio
dica
lly ri
sk-
taki
ng.
9 Th
e qu
ality
of w
ork
life
in o
ur o
r-ga
niza
tion
is im
prov
ing.
10
Ther
e ar
e fo
rmal
and
info
rmal
stru
c-tu
res
desi
gned
to e
ncou
rage
peo
ple
to s
hare
wha
t the
y le
arn
with
thei
r pe
ers
and
the
rest
of t
he o
rgan
iza-
tion.
11
The
orga
niza
tion
is p
erce
ived
as
desi
gned
for
prob
lem
-sol
ving
and
le
arni
ng.
12
Lear
ning
is e
xpec
ted
and
enco
ur-
aged
acr
oss
all l
evel
s of
the
orga
ni-
zatio
n: m
anag
emen
t, em
ploy
ees,
su
perv
isio
n, u
nion
, sto
ckho
lder
s,
cust
omer
s.
13
Peo
ple
have
an
over
view
of t
he o
r-ga
niza
tion
beyo
nd th
eir s
peci
alty
an
d fu
nctio
n, a
nd a
dapt
thei
r wor
k-in
g pa
ttern
s to
it.
14
"Les
sons
lear
ned"
ses
sion
s ar
e co
nduc
ted
so a
s to
pro
duce
cle
ar,
spec
ific
and
perm
anen
t stru
ctur
al
and
orga
niza
tiona
l cha
nges
.
216
15
Man
agem
ent p
ract
ices
, ope
ra-
tions
, pol
icie
s an
d pr
oced
ures
that
be
com
e ob
sole
te b
y hi
nder
ing
the
cont
inue
d gr
owth
of p
eopl
e an
d th
e or
gani
zatio
n ar
e re
mov
ed a
nd
repl
aced
with
wor
kabl
e sy
stem
s an
d st
ruct
ures
.
16
Con
tinuo
us im
prov
emen
t is
ex-
pect
ed a
nd tr
eate
d re
cept
ivel
y.
17
Ther
e ar
e cl
ear
and
spec
ific
ex-
pect
atio
ns o
f eac
h em
ploy
ee to
re
ceiv
e a
spec
ified
num
ber
of
hour
s of
trai
ning
and
edu
catio
n an
nual
ly.
18
Wor
kers
at a
ll le
vels
are
spe
cifi-
cally
dire
cted
tow
ards
rele
vant
and
va
luab
le tr
aini
ng a
nd le
arni
ng o
p-po
rtuni
ties
- ins
ide
and
outs
ide
the
orga
niza
tion.
19
Cro
ss-fu
nctio
nal l
earn
ing
oppo
rtu-
nitie
s ar
e ex
pect
ed a
nd o
rgan
ized
on
a r
egul
ar b
asis
, so
that
peo
ple
unde
rsta
nd th
e fu
nctio
ns o
f oth
ers
who
se jo
bs a
re d
iffer
ent,
but o
f re
late
d im
porta
nce.
20
Mid
dle
man
ager
s ar
e se
en a
s ha
v-in
g th
e pr
aryi
m r
ole
in k
eepi
ng th
e le
arni
ng p
roce
ss ru
nnin
g sm
ooth
ly
thro
ugho
ut th
e or
gani
zatio
n.
21
The
unex
pect
ed is
vie
wed
as
an
oppo
rtuni
ty fo
r lea
rnin
g.
22
Peo
ple
look
forw
ard
to im
prov
ing
thei
r ow
n co
mpe
tenc
ies
as w
ell a
s th
ose
of th
e w
hole
or g
aniz
atio
n.
217
23
The
syst
ems,
stru
ctur
es, p
olic
ies
and
proc
edur
es o
f the
org
aniz
atio
n ar
e de
sign
ed to
be
adap
tive,
flex
i-bl
e, a
nd r
espo
nsiv
e to
inte
rnal
and
ex
tern
al s
timul
i.
24
Pre
sent
ly, e
ven
if th
e en
viro
nmen
t of
the
orga
niza
tion
is c
ompl
icat
ed,
chao
tic, a
nd a
ctiv
e, n
ever
thel
ess
it is
not
on
over
load
.
25
Ther
e is
a h
ealth
y, m
anag
eabl
e le
vel o
f stre
ss th
at a
ssis
ts in
pro
-m
otin
g le
arni
ng.
26
Con
tinuo
us im
prov
emen
t is
prac
-tic
ed a
s w
ell a
s pr
each
ed.
27
The
diffe
renc
e be
twee
n tr
aini
ng/
educ
atio
n an
d le
arni
ng is
cle
arly
un
ders
tood
. (Tr
aini
ng a
n ed
ucat
ion
can
be s
o co
nduc
ted
that
no
lear
n-in
g ta
kes
plac
e.)
28
Peo
ple
are
enco
urag
ed a
nd p
ro-
vide
d th
e re
sour
ces
to b
ecom
e se
lf-di
rect
ed le
arne
rs.
29
Ther
e is
a fo
rmal
, on-
goin
g ed
uca-
tion
prog
ram
to p
repa
re m
iddl
e m
anag
ers
in th
eir n
ew r
oles
as
teac
hers
, coa
ches
and
lead
ers.
30
Rec
ogni
tion
of y
our o
wn
lear
ning
st
yle
and
thos
e of
co-
wor
kers
is
used
to im
prov
e co
mm
unic
atio
n an
d ov
er-a
ll or
gani
zatio
nal l
earn
ing.
31
Man
agem
ent i
s se
nsiti
ve to
lear
n-in
g an
d de
velo
pmen
t diff
eren
ces
in
thei
r em
ploy
ees,
real
izin
g th
at p
eo-
ple
lear
n an
d im
prov
e th
eir s
itua-
tions
in m
any
diffe
rent
way
s.
218
32
Ther
e is
suf
ficie
nt ti
me
sche
dule
d in
to p
eopl
e's
prof
essi
onal
cal
enda
rs
to s
tep
back
from
day
-to-d
ay o
pera
-tio
ns a
nd r
efle
ct o
n w
hat i
s ha
ppen
-in
g in
the
orga
niza
tion.
33
Ther
e is
dire
ctio
n an
d re
sour
ce a
l-lo
catio
n pl
anne
d to
brin
g ab
out
mea
ning
ful a
nd la
stin
g le
arni
ng.
34
Team
s ar
e re
cogn
ized
and
re-
war
ded
for t
heir
inno
vativ
e an
d pa
radi
gm b
reak
ing
solu
tions
to
35
Man
ager
s ha
ve c
onsi
dera
ble
skill
s fo
r gat
herin
g in
form
atio
n an
d de
vel-
opin
g th
eir a
bilit
ies
to c
ope
with
de
man
ding
and
cha
ngin
g m
anag
e-m
ent s
ituat
ions
.
36
Man
ager
s en
able
thei
r sta
ffs to
be-
com
e se
lf-de
velo
pers
, and
lear
n ho
w to
impr
ove
thei
r per
form
ance
.
Col
umn
Sum
0
0 0
0 0
0 0
0 0
0 N
umbe
r of
Pos
sibl
e R
espo
nses
10
11
15
13
14
19
6
9 9
7 A
vera
ge
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
0.0
Ave
rage
Sco
re
0.0 0
Glo
bal W
eigh
t 0
219
Response options: 1 = Not at all 2 = To a slight extent 3 = To a moderate extent 4 = To a great extent 5 = To a very great extent
Analysis
Enter Response
Below
1
Formal organizational practices and support systems in place to identify potential risks and vulnerabilities including costs associated with lost production and business interruption, collateral costs, increased insurance premiums, drop in market share, and transportation costs.
2
The organization analyzes the potential impact from both external and internal risks preemptively and post impact and does so frequently.
3 Quantitative and qualitative methods and analytical tools are used where appropriate.
4
Deliberate effort is expended to determine whether small disturbances and failures, latent problems, or combinations thereof could credibly propagate or magnify.
Column Sum 0 Analysis Average Score 0.0 Global Weight 0
220
Solution Design
Enter Response
Below
1
Formal analytic deliberative decision support models, that take into consideration potential credible risks, non-monetary factors, organizational values, and monetary-based methods such as life cycle costing and benefit cost ratio, are used regularly to optimize solutions and select opportunities for implementation.
2
The organization's crisis management command structure is compatible with and operates according to principles set forth by the National Incident Management System (NIMS).
Column Sum 0 Average Score 0.0 Global Weight 0
Implementation
Enter Response
Below
1
Designed solutions are executed preemptively according to organization-wide priorities derived by transparent and defendable analytic-deliberative risk-based methods.
2
Risk mitigation and business continuity budget funds are set aside annually and according to organization-wide priorities.
Column Sum 0 Average Score 0.0 Global Weight 0
221
Testing and Acceptance
Enter Response
Below
1
System performance measures of primary and enabling systems/processes are sampled frequently and plotted against pre-established and widely known performance standards.
2
Socio-political and climatic events and external systems controlled by others (supply chain & competitors) that could credibly impact the system are monitored frequently and systematically.
3
Formal organizational practices and support systems in place to gather data from individuals, organizational systems, and external sources.
4 Small failures are tracked as they could be precursors to large failures.
5
Departures from standards and information regarding disturbances are investigated immediately and passed on to others for analysis. It is the obligation of every person, no matter their rank, to report potential system disturbances or hazards.
6 Data is archived and accessible for long-term investigations.
Column Sum 0 Average Score 0.0 Global Weight 0
222
Maintenance
Enter Response
Below
1
Comprehensive examinations of all critical systems, operations, and infrastructures and their interdependencies are undertaken in accordance with organization-wide values.
2
Examinations take place no more than one year apart and are scheduled so that there is time to complete the installation, including testing, of a countermeasure before it is needed. That is, if a countermeasure is intended to mitigate a season driven hazard the countermeasure should be installed prior to the next season.
3 Latent problems are surfaced and evaluated.
4
Experiences are collected as events unfold by comparing plans to actual results and feeding learning back into the operation continuously so that changes can be made quickly.
5
Formal after action reviews (AAR) are initiated within 24 hours of the cessation of the event. Evaluation, planning, and implementation of findings begins soon after AAR is completed. Funding for independent studies following major accidents is available.
6
Evaluation, design, planning, and implementation of findings begins soon after the AAR is completed.
Column Sum 0 Average Score 0.0 Global Weight 0
223
Emergency / Incident Response and Business Recovery
Enter Response
Below
1
Roles, hierarchy, responsibilities, span of control, back-up supplies, methods, and production sites, available resources, procedures, mass notification processes, staffing rules and regulations, supplementary call-in and vendor staff acquisition processes, resource allocation and reallocation processes are clearly defined and broadly known and understood.
2
Emergency / incident response and business recovery systems are tested by way of credible scenario-based drills that mimic real emergencies and recovery opportunities.
3
Relevant information is readily and effectively passed to and from external responders, i.e. local fire and police services, and business recovery assistance entities, internal and external, when situations dictate.
4
Funding is available from internal and readily acquirable external (insurance) sources to respond and recover from emergencies and incidents. For example, for the repair or replacement of damaged or destroyed equipment, rental of temporary equipment, repairs made to buildings, off-site assets, compensation for internal personnel, contractor costs, lost time, fire and emergency medical services, health monitoring, fines, court costs, costs to neighbors, loss of exports and increased imports, and lost tax revenue.
5
Emergencies and incidents are quickly stabilized and the site is quickly protected. Evacuation and support systems, environmental cleanup, decontamination, and restoration, and temporary accommodations and facilities are quickly implemented.
6 Training and refresher training is comprehensive and conducted frequently.
Column Sum 0 Average Score 0.0 Global Weight 0
224
Objectives and Strategic Direction
Enter Response
Below
1
Organizational strategic objectives are clearly articulated and broadly disseminated and known.
2 Strategic objectives are created by way of input from a diverse group of employees.
3 A system is in place to measure performance against objectives.
Column Sum 0 Average Score 0.0 Global Weight 0
Policies, Rules, Regulations, and Operating Procedures
Enter Response
Below
1
Organization mission, policies, and procedures are clearly written, broadly available, and consistently applied throughout the organization.
2
The organization analyzes the potential impact from both external and internal risks preemptively and does so frequently.
3 Updates are made when required and quickly disseminated.
4 Performance is measured against compliance.
5 Policies and procedures are created by way of input from a diverse group of employees.
Column Sum 0 Average Score 0.0 Global Weight 0
225
Decision-Making Process
Enter Response
Below
1
The decision-making process is widely known and is consistently applied. All personnel clearly know how decisions will be made for given circumstances and their place in the process, e.g. the decision-making process for emergencies is different than the decision-making process for non-emergencies; however, each person knows the process that is in-place at any time.
2 All personnel know the bounds of their decision authority.
3 Decision processes are transparent and defendable.
4 Analytical methods are used in the decision-making process where appropriate.
5
Risks are considered, even for decisions that may appear quite mundane by encouraging personnel to ask questions such as, what could happen next.
Column Sum 0 Average Score 0.0 Global Weight 0
226
Communication
Enter Response
Below
1
The person (s) with information has the obligation to pass it on to those who need it or in a better position to respond. The flow of information is not impeded by rank or affiliation, e.g. customer.
2
A proactive system exists for informing stakeholders, e.g. personnel, customers, abutters, and the surrounding community and for eliciting, receiving and responding to concerns there from.
3 Managers and supervisors seek opportunities to reinforce communication concepts and practices.
4
Managers and supervisors monitor a variety of information sources to gain confidence that critical messages are communicated.
5
Multiple, secure, and anonymous means exist for all to report potential hazards and provide input on operations and safety policies, issues, and needs without fear of retaliation.
6 Management promptly responds to customer and personnel concerns.
7
Communication processes and practices are reviewed frequently with personnel during basic orientation and other training.
Column Sum 0 Implementation Average Score 0.0 Global Weight 0
227
Monetary and Non-Monetary Support
Enter Response
Below
1
The organization seeks out opportunities to prevent the impact of, or mitigate if prevention not possible, a hazard or disturbance by putting into place protective measures or implementing modifications prior to the onset of a hazard or disturbance. Preemptive intervention applies to physical constructions as well as changes and additions to organizational processes.
2
Practices in place, and part of the core business, to accept a recommended and prioritized list of projects, adjust if necessary, and make final decision whether and to which level each project is funded, staffed, and given other resources, and to do so in context of the entire organization.
3
Countermeasure and mitigation project funds are established on an annual basis as a separate line item that cannot be easily used for other purposes.
Column Sum 0 Testing and Acceptance Average Score 0.0 Global Weight 0
228
229
Appendix H Prioritizing infrastructure renewal projects in MIT
Department of Facilities
H.1 Intent
The purpose of the following is to substantiate by example the process used to develop the
HRRO model introduced in this dissertation, i.e. describe the project management process
that led to the development of a decision support methodology, stakeholder engagement and
involvement, the evolution of the model since its inception, and lessons learned. If the reader
desires a detailed technical discussion please refer to A method for the efficient prioritization
of infrastructure renewal projects by D. Karydas and J. Gifun (Karydas & Gifun, 2006).
H.2 Process design and management
Two paths were defined and followed during process design and thereafter. One called for the
education of stakeholders in the principles and practices used in the decision sciences,
particularly, multi-attribute utility theory and the analytic hierarchy process. The other
engaged the stakeholders in the construction and operation of the model that would
eventually enable the stakeholders to select infrastructure renewal projects for funding.
Throughout every phase of the project, D. Karydas and J. Gifun, facilitator’s, used a straw-
man proposal approach, i.e., draft versions of methods and documents were presented to the
stakeholders for their reaction on an iterative basis. This approach was used as the
facilitators’ believed it would achieve a result quicker than starting from the beginning
without a draft proposal. The facilitators’ believed that it did so without sacrificing
stakeholder buy-in and creativity. Along with several ad hoc meetings between stakeholder
and facilitator, the stakeholders participated in four workshops and one meeting devoted to
benchmarking. Table 30 shows the chronology of the project.
230
Date Purpose Content September 14, 2000 – February 9, 2001
Project development
• Engage sponsor • Test concepts with select people and select
stakeholders • Develop draft of infrastructure renewal
process and vet with stakeholders on individual basis
• Develop materials for workshops February 9, 2001 1st workshop
for Facilities’ stakeholders
• Introduction • AHP tutorial by D. Karydas & J. Gifun • Research and applications by G. Apostolakis • Model description • Define and develop objectives • Rank objectives
March 2, 2001 2nd workshop • Pairwise comparisons of impact categories and 1st round of pairwise comparisons of performance measures
March 20, 2001 3rd workshop • Introduce and review draft definitions of impact categories and performance measure labels
• Develop constructed scales • Continue pairwise comparisons
March 29, 2001 Stakeholder homework
• Review material and accept or revise constructed scales
• Pairwise comparisons individual effort May 4, 2001 4th workshop • Review constructed scales and continue
pairwise comparisons May 4, 2001 – June 29, 2006
Model development completion
• Final draft • Complete, fine tune model
May 10, 2001 Benchmark • Benchmark methodology against projects ranked without methodology
July 16, 2001 Develop environmental parameters
• Brief environmental lawyer and seek assistance to develop environmental constructed scales
August 21, 2001 5th Workshop • Introduce Expert Choice© computer application
• Test methodology with real projects
Table 30 – Chronology
H.3 Stakeholder engagement
On February 9, 2001, MIT Department of Facilities (DoF) conducted its first workshop with
a stakeholder group whose primary purpose was to achieve consensus on funding decisions
for building infrastructure renewal projects. The stakeholders were selected based upon their
231
job responsibilities and knowledge in disciplines, such as, finance, utilities and electrical
engineering, architecture, building operations, civil and structural engineering, space
planning, and mechanical engineering. Stakeholder’s external to DoF, with expertise in the
environmental sciences and public relations, were sought out; however, both were not able to
participate due to prior commitments. This project was sponsored by the Director of Facilities
and lead by two co-facilitators.
H.4 Lessons learned
Many of the lessons learned were discussed in A method for the efficient prioritization of
infrastructure renewal projects and the following represent those that have been realized
since.
• To date 353 projects have been prioritized by the methodology
• Progress during development stage required more time than originally thought as
concepts were foreign to many stakeholders; however, while stakeholders did not
fully understand the theoretical underpinnings of the methodology the concepts made
sense
• Stakeholders perceived that an index represented by a decimal less than 1 was
unimportant and falsely precise thus the weights were adjusted to produce a score in
whole numbers less than 100
232
233
AB
CD
EQ
uest
ions
36.9
53.5
53.4
50.6
70.4
How
wel
l did
the
resu
lting
in
dex
mat
ch y
our
expe
ctat
ions
, i.e
. how
wel
l do
es it
refle
ct y
our
impr
essi
on o
f the
or
gani
zatio
n?Th
e in
dex
is lo
wer
than
an
ticip
ated
but
acc
urat
e.
Som
e re
spon
ses
didn
't in
m
y m
ind,
mat
ch [r
eser
ved]
pr
actic
es a
nd I
was
not
co
nvin
ced
that
the
answ
er
I cho
se in
def
ault
was
an
accu
rate
refle
ctio
n of
how
th
ings
are
don
e.
I do
not k
now
, sin
ce I
did
not p
artic
ipat
e in
the
wei
ghtin
g ex
erci
ses
I do
not k
now
how
to c
alib
rate
m
y re
spon
se. T
he p
erso
n fil
ling
out t
he fo
rm m
ust b
e cl
ear a
s to
the
orga
niza
tiona
l lev
el th
ey
are
eval
uatin
g, i.
e de
partm
ent o
r ent
ire
orga
niza
tion
- I tr
ied
to g
et
an o
vera
ll av
erag
e.
If I h
ad to
gue
ss th
ese
inde
xes
from
ane
cdot
al
and
my
expe
rienc
es
cont
rast
ing
[rese
rved
] pr
ogra
m to
oth
ers
I kno
w
are
bette
r and
are
wor
se,
I'd s
ay th
ese
inde
xes
are
appr
opria
te -
they
met
my
expe
ctat
ions
wel
l.
The
Saf
ety
Cul
ture
sco
re
seem
s a
bit h
ighe
r tha
n ex
pect
ed w
hile
the
rem
aini
ng in
dexe
s fa
irly
para
llele
d m
y im
pres
sion
- w
e ha
ve a
ccom
plis
hed
a fe
w th
ings
but
stil
l hav
e a
way
s to
go
and
risk
anal
ysis
nee
ds to
be
inst
itutio
naliz
ed.
Wer
e th
ere
any
attri
bute
s th
at y
ou fe
el w
ere
mis
sing
? If
yes,
ple
ase
iden
tify
thos
e th
at y
ou fe
el
shou
ld b
e ad
ded?
No
Thes
e ar
e th
e at
tribu
tes
or
ques
tions
I st
rugg
led
with
: O
rgan
izat
iona
l Lea
rnin
g,
Qua
lity
Impr
ovem
ent,
and
Flex
ibili
ty; T
estin
g an
d A
ccep
tanc
e; a
nd
Ben
chm
arki
ng T
rend
s,
and
Sta
tistic
s. In
mos
t ca
ses,
I w
as n
ot fa
mili
ar
with
the
proc
esse
s or
pr
actic
es in
pla
ce (o
r the
fu
llest
ext
ent o
f suc
h pr
actic
es) a
nd b
elie
ve th
at
wha
teve
r is
in p
lace
is n
ot
cons
iste
ntly
pra
ctic
ed.
No
Giv
en th
e re
sour
ces
we
do
have
, are
we
spen
ding
our
m
oney
wis
ely?
Thi
s is
not
ex
plic
it bu
t I th
ink
is
actu
ally
cov
ered
in
impl
emen
tatio
n, o
bjec
tives
an
d st
rate
gic
dire
ctio
n.
But
prio
ritiz
atio
n of
av
aila
ble
reso
urce
s is
the
only
exp
licit
thin
g I t
hink
co
uld
be a
dded
.
I fou
nd s
ome
of th
e at
tribu
tes
to b
e sl
ight
ly
redu
ndan
t, fo
r exa
mpl
e cr
oss-
train
ing
and
devo
tion
to re
sour
ces
for
train
ing.
Wha
t I d
o no
t re
call
seei
ng w
as a
re
fere
nce
to w
heth
er o
r no
t the
org
aniz
atio
n ha
s es
tabl
ishe
d cl
ear
succ
essi
on p
lann
ing
stra
tegi
es.
Asse
ssor
and
HR
RO
Inde
x
Tabl
e 31
– C
ompi
latio
n of
Ass
esso
r Fee
dbac
k
App
endi
x I
Com
pila
tion
of a
sses
sor f
eedb
ack
234
AB
CD
EQ
uest
ions
36.9
53.5
53.4
50.6
70.4
Wer
e th
ere
any
attri
bute
s th
at y
ou fe
ll w
ere
supe
rfluo
us?
If ye
s pl
ease
id
entif
y th
ose
that
you
fell
are
unne
cess
ary?
No
Thes
e ar
e th
e at
tribu
tes
or
ques
tions
I st
rugg
led
with
: O
rgan
izat
iona
l Lea
rnin
g,
Qua
lity
Impr
ovem
ent,
and
Flex
ibili
ty; T
estin
g an
d A
ccep
tanc
e; a
nd
Ben
chm
arki
ng T
rend
s,
and
Sta
tistic
s. In
mos
t ca
ses,
I w
as n
ot fa
mili
ar
with
the
proc
esse
s or
pr
actic
es in
pla
ce (o
r the
fu
llest
ext
ent o
f suc
h pr
actic
es) a
nd b
elie
ve th
at
wha
teve
r is
in p
lace
is n
ot
cons
iste
ntly
pra
ctic
ed.
No
No,
eve
ryth
ing
is re
leva
nt.
As
for s
uper
fluou
snes
s, I
wou
ld s
ay it
's m
ore
like
redu
ndan
cy. S
ee if
you
ca
n co
nsol
idat
e th
e cr
oss-
train
ing
ques
tions
and
add
a
few
item
s lik
e em
ploy
ees
unde
rsta
nd
thei
r rol
e in
bui
ldin
g or
gani
zatio
nal r
esili
ence
an
d m
anag
ers
clea
rly
com
mun
icat
e th
ese
expe
ctat
ions
.
Wou
ld y
ou li
ke to
mak
e ot
her c
hang
es to
the
surv
ey fo
rms
incl
udin
g te
xt?
If ye
s, p
leas
e id
entif
y th
e ch
ange
s?
Cus
tom
ize
voca
bula
ry to
m
ake
the
surv
ey m
ore
appl
icab
le to
the
orga
niza
tion.
Mak
e cl
ear
the
orga
niza
tiona
l bo
unda
ries
the
asse
ssor
is
to c
onsi
der w
hen
fillin
g ou
t th
e fo
rms.
Cus
tom
ize
the
text
to
refle
ct m
y or
gani
zatio
n.
Yes
, cus
tom
ize
lang
uage
[v
ocab
ular
y] to
rela
te to
m
y or
gani
zatio
n. S
urve
y fo
rm S
afet
y C
ultu
re,
ques
tion
E a
ddre
sses
pr
ofita
bilit
y; th
eref
ore,
how
w
ould
a n
on-p
rofit
or
gani
zatio
n re
spon
d? In
m
y op
inio
n a
for p
rofit
firm
is
mor
e co
nsci
ous
abou
t sa
fety
bec
ause
it re
late
s to
th
e bo
ttom
line
; the
refo
re,
revi
se v
ocab
ular
y. A
lso,
so
me
of th
e qu
estio
ns
wer
e m
ore
spec
ific
to
man
ufac
turin
g.
Oth
er th
an th
is is
a v
ery
beta
GU
I and
that
I am
al
read
y a
safe
ty
prof
essi
onal
, I th
ink
the
ques
tions
ask
ed a
re n
ot
lead
ing
and
are
very
ap
prop
riate
. Th
is to
ol,
with
pro
per c
onte
xt a
dded
an
d pr
ovid
ed, I
thin
k co
uld
mak
e an
exc
elle
nt a
nd
usef
ul to
ol fo
r man
y pa
rts
of a
n or
gani
zatio
n- la
bor,
man
agem
ent,
tech
nica
l re
sour
ces,
fina
ncia
l pe
rson
nel,
all p
arts
of t
he
orga
niza
tion.
A c
oupl
e of
ele
men
ts
shou
ld b
e ad
ded
to th
e fin
anci
al p
lann
ing
elem
ent;
the
orga
niza
tion
has
cont
inge
ncy
plan
s in
pla
ce
to d
eal w
ith a
n ex
tend
ed
busi
ness
dis
rupt
ion
and
the
orga
niza
tion
has
anal
yzed
sup
ply
and
serv
ice
chai
ns fo
r vu
lner
abili
ties
and
has
iden
tifie
d m
itiga
ting
fact
ors.
Thi
s m
ay p
rovi
de
an a
dditi
onal
laye
r of
drilld
own
in th
e em
erge
ncy
prep
arad
ness
sec
tion.
Asse
ssor
and
HR
RO
Inde
x
235
AB
CD
EQ
uest
ions
36.9
53.5
53.4
50.6
70.4
Are
ther
e an
y ad
ditio
nal
com
men
ts y
ou w
ould
like
to
offe
r?
App
lyin
g th
e re
sults
in th
e or
gani
zatio
n is
ess
entia
l fo
r suc
cess
.
I may
be
light
on
expe
rienc
e an
d/or
kn
owle
dge
for s
ome
of th
e ar
eas
of in
tere
st, w
hich
w
ould
incl
ude
prof
essi
onal
de
velo
pmen
t out
side
of
the
offic
es in
whi
ch I
wor
k,
requ
ired
train
ing,
pe
rform
ance
-bas
ed
appr
aisa
ls, a
nd li
nger
ing
influ
ence
/less
ons
lear
ned
and
new
pra
ctic
es
follo
wed
pos
t inc
iden
t or
near
inci
dent
.
Reg
ardi
ng th
e 1
- 5 s
cale
s I w
ould
hav
e lik
ed to
se
lect
a le
vel b
etw
een
the
who
le n
umbe
rs. H
ow d
o yo
u de
term
ine
who
in a
n or
gani
zatio
n is
qua
lifie
d to
fil
l out
thes
e fo
rms?
I thi
nk th
e sh
areh
olde
r is
sue
need
s to
be
addr
esse
d as
thos
e dr
ivin
g fin
anci
al a
nd in
vest
men
t pl
anni
ng n
eed
som
e un
ders
tand
ing
of th
e co
mpo
nent
s of
or
gani
zatio
nal r
esilie
nce.
A
sk o
rgan
izat
ion
lead
ers
and
shar
ehol
ders
dire
ctly
w
heth
er o
r not
the
HR
RO
in
dex
mat
ches
thei
r ex
pect
atio
ns a
nd re
flect
s th
eir i
mpr
essi
ons
of th
e or
gani
zatio
n.
Asse
ssor
and
HR
RO
Inde
x
236
237
Appendix J Comparison of recommendations from Baker Panel report and HRRO
Table 32 – Comparison of Recommendations from Baker Panel Report (Baker et al., 2007) and HRRO
Recommendations of Baker Panel (Baker et al., 2007)
HRRO Criteria and Survey Form Questions that Best Match Recommendation. (Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions provided in Appendix G)
Suggested means by which recommendation could have resulted from HRRO methodology
Process Safety Leadership: The Board of Directors of BP, BP’s executive management, and other members of BP’s corporate management must provide effective leadership on and establish appropriate goals for process safety.
Objectives and strategic direction (1 )
Process safety culture, criterion with applicable performance measures within the risk-based process safety model (Center for Chemical Process Safety, 2007)
Commitment must be demonstrated by articulating a clear message and by matching the message with policies and actions
Monetary and non-monetary support (1)
Process safety culture, criterion with applicable performance measures within the risk-based process safety model
Integrated and Comprehensive Process Safety Management System:
Develop a comprehensive process safety management system that systematically and continuously identifies, reduces, and manages process safety risk
Solution design (1) Process safety culture, criterion with applicable performance measures within the risk-based process safety model
Implement an integrated comprehensive process safety management system that systematically and continuously identifies, reduces, and manages process safety risk
Implementation (1) Implementation, criterion with applicable performance measures within the risk-based process safety model
238
Recommendations of Baker Panel (Baker et al., 2007)
HRRO Criteria and Survey Form Questions that Best Match Recommendation. (Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions provided in Appendix G)
Suggested means by which recommendation could have resulted from HRRO methodology
Process Safety Knowledge and Expertise:
Develop and implement a system to ensure that all personnel of all levels including executive management posses an appropriate level of process safety knowledge and expertise
Safety (G) Process safety competency, criterion with applicable performance measures within the risk-based process safety model
Process Safety Culture: Involving relevant stakeholders develop a positive trusting, and open process safety culture within each U.S. refinery
Emergency / incident response and business recovery (3)
Stakeholder outreach, criterion with applicable performance measures within the risk-based process safety model
Clearly Defined Expectations and Accountability for Process Safety:
Clearly define expectations and strengthen accountability for process safety performance at all levels in executive management and in the refining managerial and supervisory reporting line
Policies, rules, regulations, and operating procedures (1)
Process safety culture, criterion with applicable performance measures within the risk-based process safety model
Support for Line Management: Provide more effective and better coordinated process safety support for the U.S. refining line
Monetary and non-monetary support (1)
Process safety culture, criterion with applicable performance measures within the risk-based process safety model
239
Recommendations of Baker Panel (Baker et al., 2007)
HRRO Criteria and Survey Form Questions that Best Match Recommendation. (Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions provided in Appendix G)
Suggested means by which recommendation could have resulted from HRRO methodology
Leading and Lagging Performance Indicators for Process Safety:
Develop an integrated set of leading and lagging performance indicators for monitoring process safety performance by refining line and executive management. Work with U.S. Chemical Safety and Hazard Investigation Board and industry, labor organizations, other governmental agencies, and other agencies to develop a consensus set of leading and lagging indicators for process safety management in the refining and chemical processing industries
Testing and acceptance (1)
Process safety culture, criterion with applicable performance measures within the risk-based process safety model
Implement an integrated set of leading and lagging performance indicators for monitoring process safety performance by refining line and executive management. Work with U.S. Chemical Safety and Hazard Investigation Board and industry, labor organizations, other governmental agencies, and other agencies to develop a consensus set of leading and lagging indicators for process safety management in the refining and chemical processing industries
Implementation (1) Process safety culture, criterion with applicable performance measures within the risk-based process safety model
240
Recommendations of Baker Panel (Baker et al., 2007)
HRRO Criteria and Survey Form Questions that Best Match Recommendation. (Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions provided in Appendix G)
Suggested means by which recommendation could have resulted from HRRO methodology
Maintain and periodically update an integrated set of leading and lagging performance indicators for monitoring process safety performance by refining line and executive management. Work with U.S. Chemical Safety and Hazard Investigation Board and industry, labor organizations, other governmental agencies, and other agencies to develop a consensus set of leading and lagging indicators for process safety management in the refining and chemical processing industries
Maintenance (1 – 6) Process safety culture, criterion with applicable performance measures within the risk-based process safety model
Process Safety Auditing: Establish and implement an effective system to audit process safety performance at U.S. refineries
Safety (Q) Auditing, criterion with applicable performance measures within the risk-based process safety model
241
Recommendations of Baker Panel (Baker et al., 2007)
HRRO Criteria and Survey Form Questions that Best Match Recommendation. (Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions provided in Appendix G)
Suggested means by which recommendation could have resulted from HRRO methodology
Board Monitoring: BP’s Board should monitor the implementation of the recommendations of the Panel and for a period of at least five years engage an independent monitor to report annually to the Board on BP’s progress in implementing the Panel’s recommendations. BP should also report publicly on recommendation implementation progress and ongoing process safety performance
Objectives and strategic direction (3)
Auditing, criterion with applicable performance measures within the risk-based process safety model
Industry Leader: From the lessons learned from the Panel’s report transform BP into a recognized industry leader in process safety management
A potential result due to implementing the HRRO program but not measured specifically therein
N/A
242
243
Appendix K Comparison of recommendations from COT
Institute for Security and Crisis Management
report and HRRO
Table 33 – Comparison of Recommendations from COT Institute for Security and Crisis Management (Zannoni et al., 2008) and HRRO
Recommendations of COT Institute Report (Zannoni et al., 2008)
HRRO Criteria and Survey Form Questions that Best Match Recommendation. (Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions provided in Appendix G)
Suggested means by which recommendation could have resulted from HRRO methodology
Develop clear plans for large fire safety improvement projects that also include phasing and monitoring
Solution design (1 ) Property loss prevention data sheet (FM Global, 2009a): 10-1 Pre-incident planning with the public fire service
Consult with municipal fire department regarding route taken to access and means to fight fire
Emergency / incident response and business recovery (1 & 3)
Property loss prevention data sheet: 10-1 Pre-incident planning with the public fire service
Review procedures for large office buildings including procedures for alarm and communication
Emergency / incident response and business recovery (1 )
Property loss prevention data sheet: 10-1 Pre-incident planning with the public fire service
Use procedures for large office buildings including procedures for alarm and communication to develop training exercises
Emergency / incident response and business recovery (2 )
Property loss prevention data sheet: 10-1 Pre-incident planning with the public fire service
Provide sufficient designated space for incident response coordination team
Emergency / incident response and business recovery (1 )
Property loss prevention data sheet: 10-1 Pre-incident planning with the public fire service
244
Recommendations of COT Institute Report (Zannoni et al., 2008)
HRRO Criteria and Survey Form Questions that Best Match Recommendation. (Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions provided in Appendix G)
Suggested means by which recommendation could have resulted from HRRO methodology
Develop clear understanding of expectations regarding conditions under which the fire department would fight a fire within a building when it is known that no people are inside
Analysis (2) Property loss prevention data sheet: 10-1 Pre-incident planning with the public fire service
Distribute learning to relevant departments and agencies throughout region
Emergency / incident response and business recovery (3)
Property loss prevention data sheet: 10-1 Pre-incident planning with the public fire service
Develop means to provide emergency responders information regarding particular vulnerabilities
Emergency / incident response and business recovery (3)
Property loss prevention data sheet: 10-1 Pre-incident planning with the public fire service
Conduct crisis scenario-based exercises
Emergency / incident response and business recovery (2)
Property loss prevention data sheet: 10-2 Emergency Response
245
Appendix L Comparison of recommendations from Ernst and
Young report and HRRO
Table 34 – Comparison of Recommendations from Ernst & Young (Ernst & Young, 2009) and HRRO
Recommendations of Ernst & Young Report (Ernst & Young, 2009)
HRRO Criteria and Survey Form Questions that Best Match Recommendation. (Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions provided in Appendix G)
Suggested means by which recommendation could have resulted from HRRO methodology
Scenario-based training at the strategic level of the organization
From the learning gained from the fire develop and implement scenario-based training that engages the strategic level of the organization and incorporates worst case scenarios that include serious injury and death of occupants
Emergency / incident response and business recovery (2 )
Property loss prevention data sheet (FM Global, 2009a): 10-2 Emergency Response
Crisis management task force Develop a crisis management task force formed from the senior management level of TU Delft. The chairperson and members of the task force must be knowledgeable of the specific risks to TU Delft. The task force should engage those with diverse knowledge of the fire, security, or risk management.
Emergency / incident responses and business recovery (1)
Property loss prevention data sheet: 10-2 Emergency Response
246
Recommendations of Ernst & Young Report (Ernst & Young, 2009)
HRRO Criteria and Survey Form Questions that Best Match Recommendation. (Letters or numerals in parenthesis that follow criteria refer to applicable survey form questions provided in Appendix G)
Suggested means by which recommendation could have resulted from HRRO methodology
The task force should focus on the first three steps of the six step crisis management preparation process
1. Identification of potential causes of crises
2. Identification, development, and analysis of scenarios
Analysis (1) Property loss prevention data sheet: 10-2 Emergency Response
3. Formation of the crisis management organization
4. Provide training and exercises
5. Produce necessary documentation
6. Implement a review and quality improvement process
Emergency / incident response and business recovery (2 )
Property loss prevention data sheet: 10-2 Emergency Response
Develop and implement a crisis management project group responsible for implementing the requirements of the task force
Emergency / incident response and business recovery (2 )
Property loss prevention data sheet: 10-2 Emergency Response
Learning and improvement Develop and implement processes and incorporate and monitor the recommended improvements by way of the crisis management process
Emergency / incident response and business recovery (2 )
Property loss prevention data sheet: 10-2 Emergency Response
247
Curriculum vitae
Joseph F. Gifun was born in Chelsea, Massachusetts United States of America, on March 7,
1952. In May 1974 he received the degree of Bachelor of Science in Civil Engineering from
Lowell Technological Institute in Lowell, Massachusetts and in January 2003 he received the
degree of Master of Science from Suffolk University in Boston, Massachusetts in adult and
organizational learning. In May 2004 Mr. Gifun began doctoral work in complex systems in
the department of Industrial Design, Eindhoven University of Technology.
The doctoral work, in addition to this dissertation, resulted in several papers that have been
presented at international conferences, published in various international journals, or both.
The works not cited in this dissertation are:
D. M. Karydas and J. F. Gifun, “A methodology to assess and mitigate operational
vulnerabilities due to aging water utility system infrastructures,” in Proceedings of the
Eighth International Conference on Probabilistic Safety Assessment and Management,
New Orleans, 2006, p. 277.
J. F. Gifun and S. M. Leite, “Ranking multi-hazard risks: a methodology for risk-
informed decision-making,” Conference on Campus Safety, Health and Environmental
Management, St. Louis, 2008.
Mr. Gifun is a registered professional civil engineer in the Commonwealth of Massachusetts.
He has been employed by the Massachusetts Institute of Technology (MIT) for twenty five
years in several capacities within the Department of Facilities where he is currently Assistant
Director of Engineering. Prior to coming to MIT, he worked as a civil engineer in a public
mass transportation agency and consulting firm.