
OBJECTIVE
The objective of the operational risk management practice is to provide the structure and clarity required to identify, analyze, decide and act on mitigative actions for significant risks to avoid undesirable consequences and safeguard operational business objectives.
Operational leaders should ask and answer these risk management questions about their organization:
What significant risks are worth actively managing in our operations?
What is the aggregate risk we are carrying and how is it changing?
What is our organization’s shared risk tolerance and how do we know we’re acting within it?
How much risk must we mitigate to prove due diligence, avoid major operational incidents and achieve our business goals?
What resources must we allocate to mitigate the required risk?
Operational Risk Management is a key decision-intensive practice that provides awareness of the organization’s risks and assurance that its resources are diligently applied to defend against the consequences of undesired events.
VALUE
In operations within asset-intensive organizations, risk is what has not yet been realized as undesirable impacts to cost, performance, safety, environment or reputation. Our operations are very complex and dynamic – so are the risks our organizations face.
The quality and completeness with which the operational risk questions above are asked and answered will go a long way in determining how effectively the organization manages its risk and avoids undue value leakage from its risk-informed decisions and actions.
A structured operational risk management framework sets the expected behaviors, principles and practices required to preserve and protect potential value. The framework should reduce the time required to perform the activities and be judicious in allocating resources to control risks.
We don’t manage actual risk but our perception of risk. We manage what we know and allow for our uncertainties. We utilize the best knowledge available but seek to understand when more knowledge to reduce our uncertainties is useful to support our decisions.
Have a clear understanding of what qualifies as an operational risk. Not all issues are problems; not all problems are risks. Realized risks can impact the business plan and require deliberate decisions and allocation of resources.
People don’t naturally understand or assess uncertainty yet are overconfident in their ability to do so. People can be calibrated to improve their performance to consistently make better risk-informed decisions. Only those who are calibrated and demonstrate a good track record of experience should be allowed to make risk assessments and decisions.
A common tolerance for risk must be shared throughout operations. This tolerance helps decision-makers decide how much risk is acceptable and where. There should be a separate tolerance for financial versus safety and other risk consequence categories.
Managing risk means you can make a good decision and still have a bad outcome. The organization’s culture should make this expectation acceptable. What’s important is that the organization yields a greater number of better decisions than it would have otherwise, and better decisions than its peers or competitors.
The degree of value leakage in your operational risk management can vary, but it is there if you know where to look and worth going after with only a modest investment in your people and some simple purpose-built tools. A leading operations risk management practice can mean the difference between mediocrity and top-quartile operational performance.

PRINCIPLES
Our principles are consistent with guidance from the ISO 31000 Risk Management family of standards but tailored to asset-owning organizations in industrial or infrastructure sectors.
Integrated – Risk management must be integrated with other practices within an operational management system. Yet, the risk management perspective in our operations should remain visible.
Systematic – A systematic method of identifying risk items, rather than exception-based identification, will assure that a more comprehensive and complete set of risks worth managing is known to the organization and actively managed.
Customized – The organization should set boundaries on the types of risks to be managed. Operational risk types may include: health, safety & environmental, stakeholder compliance, commercial, supply-chain & logistics, business process & procedural, process safety, asset performance and costs, physical & cyber-security, people resources and human factors, etc.
Inclusive – Risks must be transparent and made visible to the organization and all potentially affected stakeholders. Employees and contractors should have input into operational risk management through communication and consultation. Engage all stakeholders to take ownership of the risks and controls.
Dynamic – Persistent and arising risks are all dynamic. Management of risks must be iterative and timely in response to the natural and forced changes in risk profile. The effectiveness of stated safeguards must be assured periodically.
Best Available Knowledge – Risk management will utilize the best available knowledge from data and evidence as well as judgement from expert opinion sources. That knowledge must consider both what is known and what uncertainties exist around that knowledge. The framework must be able to integrate these diverse knowledge sources to enable good decisions.
Human/Cultural – Risks should consider the limitations of human and cultural factors including human error. The organization must have a shared common understanding of risk tolerance which should separate financial tolerance from other consequences like safety.
Continuous Improvement – The risk management practice will be self-evaluated and audited to assess performance, assure compliance and identify opportunities for improvement.
PRACTICE
A leading operational risk management framework should have the following features and characteristics:
Risk Identification – Competent, qualified and experienced practitioners with a proven track record will identify, assess, evaluate and analyze risk. Use a systematic method of identifying all risks worth managing, rather than identifying risks by exception. Record risk items on a visible risk registry that documents the entire risk management process. One or more fit-for-purpose risk registries may be utilized. The largest operational risks will be escalated to the corporate Enterprise Risk Management (ERM) practice.
Risk Analysis – Leading problem solving and decision-making (PSDM) practice should be applied to managing all risk items utilizing the A3 method. Best available knowledge is used from data/evidence and expert judgement sources. Risks should be assessed utilizing a fully quantitative approach. Safety-related risks must show their ALARP/SFAIRP homework.
Risk Evaluation – The uncertainty around a risk assessment must be expressed and factored into decision-making. Identify mitigative actions that are both technically feasible and worth implementing. All capital items must be listed on the risk register and each item must have at least one option using O&M expense, not capital resources.
Risk Treatment – Treatment options may include: avoid risk, take on more risk, address risk source, change the probability, alter the consequence, share the risk, or retain the risk. The tolerability for risk should be shared and applied consistently across the organization. There is a different tolerance and duty of care with safety/environmental than with financial or other consequence categories. Decisions should be made by a competent leader at the lowest level of the organization congruent with both accountability and authority.
Risk Monitoring & Review – Execute approved actions directly, or put them into business plans for execution with links to the risk registry. The status of all open mitigative decisions, actions and exceptions must be tracked to completion. Visibility into operational risk is provided via predefined reports and dashboards with automatic workflows and notifications as needed.
Risk Recording & Reporting – Detect and manage changes in the cumulative overall risk profile quickly as a feed-forward influence index on future cost and performance.

MORE INFORMATION
Operational Risk Management Playbook
Operational Risk Management Workshop