
  • Risk Based Process Safety During Disruptive Times

    The Center for Chemical Process Safety (CCPS) recently published a monograph that provides insights for managing process safety during the COVID-19 pandemic and similar crises. It incorporates input from many CCPS member company representatives, is organized by the RBPS elements, and addresses human factors impact in multiple areas. The three elements of highest importance are Process Safety Culture, Asset Integrity & Reliability, and Management of Change. Occupational safety and health aspects are not the focus of this document. You can download the monograph using this link. CCPS has also published a BowTie analysis for COVID-19, which you can also find here. #managedsafety #covid

  • Continuous Value requires Continuous Compliance

    Increasingly, companies are adopting continuous improvement driven by several methodologies, including LEAN and AGILE. The overarching driver, however, is the desire to achieve continuous delivery of value. These approaches fundamentally change how a business operates and affect all aspects of the value chain, including the processes that support them, such as productivity and compliance programs. Production processes have moved towards continuous flow by applying LEAN principles. IT has done the same by combining development and deployment (i.e. DevOps) to support continuous delivery. Compliance, for the most part, has lagged behind and still operates on the old factory model, using an audit-fix cycle that is too slow to keep up with continuous change.

    A major reason companies have not taken a proactive approach to compliance is that they do not know exactly where they are going with it. The lack of clear and concise goals makes it difficult to select strategies and to measure effectiveness. In fact, most companies do not even measure the cost of compliance. Even knowing the cost, without goals you cannot know whether you are over- or under-investing. To properly establish goals you first need to define your compliance obligations, which means specifying:

    - outcomes: what you want to accomplish
    - objectives: how you intend to accomplish them
    - risks: the threats and opportunities to meeting objectives and achieving outcomes
    - critical to compliance: evidence of compliance
    - measures of performance: the ability to achieve system objectives
    - measures of compliance: key compliance results or indicators critical to compliance success
    - measures of effectiveness: progress towards program outcomes

    Compliance obligations serve to properly align programs, systems and processes, and make it possible to apply proactive strategies to continuously meet them. Defining compliance obligations increases the certainty that compliance can be met and, as importantly, that compliance outcomes are advanced on a continuous basis. Continuous value requires continuous improvement, which requires continuous compliance. #ContinuousImprovement #continuouscompliance

  • 4 R's of Continuous Performance

    The purpose of a compliance management system is to maintain state, which is achieved through consistency, reduction of variation, and achieving objectives. The purpose of a compliance management program, however, is to change the state or condition with respect to compliance outcomes. This is achieved by adjusting the underlying systems to improve performance and maintain a higher standard. Continually advancing performance is required to meet the "persistent achievement" obligations specified by performance- and outcome-based regulations and standards. In order to continually advance quality, safety, environmental and regulatory outcomes there are 4 changes you must continually make:

    - Re-orient policies to support continual advancement of outcomes
    - Re-calibrate values to match the outcomes that will be achieved
    - Re-engineer systems to create the capabilities needed to reach new performance targets
    - Re-align processes to achieve compliance objectives

    #continuousimprovement

  • Mismatched Systems

    The administration problem is primarily that of reducing uncertainty within the organizational system (Organizational Strategy, Structure, and Process, 1978). Solving it involves more than simply rationalizing systems and processes already developed (uncertainty reduction); it also involves formulating and implementing those processes which will enable the organization to continue to advance outcomes. This necessarily affects how risk & compliance systems are implemented. For managed compliance programs (i.e. safety, quality, environmental, regulatory) to be effective, they must align with the specific goals, objectives, and strategies of the organization. These will differ for each organizational type: Defender, Prospector, and Analyzer. Each type will also influence your approach to meeting obligations. Any mismatch in systems architecture will end up hindering the advancement of both business and compliance outcomes. Which organizational type best matches your business posture? Does your approach to risk & compliance align with this posture? #effectivecompliance #grc #managedrisk #managedsafety

  • Operational Risk: Where do risks come from?

    Risk-based thinking is at the center of recent changes to compliance standards, guidelines, and regulations. One of the areas where risk-based thinking is being applied is within the operations of a business. This is the domain of operational risk management, which is defined as: "The risk of direct or indirect loss due to inadequate or failed internal processes, people and systems, or from external events." – Basel II. This definition comes from the financial and insurance sector, although it is still useful for other industries as operational risk management continues to gain traction there. However, this definition is likely to change as trends to include positive risk increase (e.g. ISO 31000).

    Whether risks are negative or positive, an important step in any risk-based approach is the identification of the risks themselves. This requires (among other things) an understanding of where risks come from. Knowing the sources can help not only to identify risks but also how best to manage them. It is possible to think about these sources in relationship to operational systems and processes. These relationships can be classified as extrinsic, intrinsic and emerging. For the purpose of this article, the following compliance systems model (introduced in a previous article) will be used, although in principle these definitions can apply to each component of any process or system.

    Extrinsic Risk

    These are risks that are external to the system and affect the underlying processes and activities. They may be introduced due to changes (shown in red in the above model) to: scope, critical-to-compliance requirements, resources, funding, strategies, best practices and program controls that are placed on the system. Risks may also come from other external sources that have been identified at the corporate level. A significant source of system risk arises because of changes; it is therefore important to have an effective management of change process to identify these risks and manage them. This is even more critical when the system is vulnerable to emerging risks.

    Intrinsic Risk

    These risks are inherent in the process and activities. They may take the form of latent or active failure modes, gaps in capabilities, uncertainties in work plans, or process variability. There are two common approaches to identify and treat these kinds of risks:

    - Risk Assessment – as part of an initial or periodic assessment, levels of risk are calculated for each activity or place where value is added. Steps can then be taken to decrease the uncertainties, or to minimize or exploit the consequences, to better achieve the desired system objectives. These assessments assume a relatively static process where risks are not changing often.
    - Risk-Based Process – this approach includes an embedded risk screening at the front end to determine which path to take given the level of risk associated with either the work to produce the output or the output itself. Separate work streams based on the level of risk can accelerate cycle times and also ensure that the appropriate amount of rigor (e.g. further risk assessment) is applied when needed. This technique is used frequently with stage-gate methodologies such as project, change and design processes, and is effective for identifying emerging risks since assessments are done each time the process is initiated.

    Emerging Risk

    These are risks that are developing or changing as a system evolves. They are often the most difficult to identify and to understand. Emerging risks can be classified as:

    - newly created risks
    - newly identified or noticed risks
    - changes to such things as likelihood, severity, causes, consequences, and control effectiveness for existing risks

    Periodic risk assessments are useful to update risk profiles to take emerging risks into consideration. Risks identified using the risk-based process mentioned previously can also be used to update the system risk profile so that they can be monitored. Knowing where risks come from can ensure that appropriate triggers are created so that risks are appropriately identified, managed, and effectively treated. As companies continue to change at an increasing rate to improve their business processes, it is essential that risk-based approaches keep up. Conducting risk assessments periodically may not be enough. However, embedding them inside processes will enable companies to stay on top of new and emerging risks so they can stay proactive. #riskmanagement #grc #managedsafety

  • Lord of the Risks – The Two Towers: Productivity and Compliance

    Those who have been following me might be aware of my presentations on demystifying risk, entitled Lord of The Risks – Defeating the Dragon of Uncertainty. In these presentations we follow the adventures of a team of individuals who go on a quest to complete a mission of strategic importance. They have never worked together before, and some have never been on an adventure. Their mission requires that they leave the world of the Shire, a place where they know everyone and how things work, and where life is predictable – it is a world of certainty. They must now step out into a world that they don't fully understand, where they don't know how things work, and where both threats and opportunities are unpredictable – it is a world of uncertainty. And it is this uncertainty that creates the opportunity for risk.

    "It's a dangerous business, walking out one's front door. You step onto the road, and if you don't keep your feet, there's no knowing where you might be swept off to."

    While not fully understanding the risks ahead, our team agree to go on the adventure because the stakes are too high not to. The Ring of Value that was forged in the Valley of Capabilities has been lost and, if not recovered, may end up at Mount Doom, where value is destroyed. Their mission objective is to find the Ring of Value and take it to the Mountain of Better Outcomes along the value stream. Fortunately, with the help of a wizard (aka risk manager), our team was successful in fighting the Dragon of Uncertainty and reclaimed the Ring of Value. We catch up with our team as their journey continues...

    Lord of the Risks - The Two Towers: Productivity and Compliance

    The Fellowship of the Ring of Value have just decided to pass through the gate of pro-activity and are making progress towards the Mountain of Better Outcomes along the value stream when they come across someone they recognize but have not seen for a while. The Wizard who had previously helped them now greets them: "I come back to you now, at the turn of your intention. One stage of your journey is over, another begins. To make progress towards your destination you must be mindful of the ever-watchful eyes of The Two Towers: Productivity and Compliance. Keep both in your gaze at all times and don't by any means look at only one and avoid the other."

    The leader of the fellowship, puzzled by what the wizard had just said, replied: "You have not changed, my friend; you still speak in riddles." The wizard apologized for speaking in Riskish and explained, this time in English, more about The Two Towers and how the towers will help them achieve their mission. "Because even the very wise cannot see all things."

    The Two Towers: Productivity and Compliance

    The two towers were constructed in recent years to guide you through the Valley of Capabilities (otherwise known as the Value Chain) along the value stream. Here is a map so that you can find your way. Each tower has its own purpose to help ensure that the Ring of Value reaches the Mountain of Better Outcomes. They also have different strategies and tools to help you contend with the dragons of uncertainty: Aleatory and Epistemic. What you must always remember is to keep both towers in sight and never look at only one at the expense of the other.

    The Tower of Productivity - Use only what you need

    You must use only the resources you need to ensure you have enough to reach your destination. This tower will help you eliminate waste and improve your productivity so that you reach your destination with room to spare. This is called margin, and it is the best way to contend with the Aleatory Dragon. The strategy most often used by the Tower of Productivity is known as LEAN. Here the Ring of Value will be pulled through the value stream, which will surface hidden artifacts that are slowing you down. The people of this tower call these artifacts waste, and you will be wise to eliminate as many of these as you can manage. Learn from these folk, for their practices and tools will help you with what lies ahead that you cannot predict. However, you must remember that the two towers work together, and so you must be ever mindful to use your gains wisely. Some of your gains must be allocated to the Tower of Compliance to strengthen your defenses to defeat the Epistemic Dragon.

    The Tower of Compliance - Your defenses must hold

    Your standards, systems, processes, and controls must not fail to protect the Ring of Value as you move through the value stream. The Tower of Compliance will help you buy down risk by creating lines of defense against the Epistemic Dragon. The folk in the Tower of Compliance use what is known as RISK MANAGEMENT, and they are fond of BowTie Analysis. They will look to your goals and objectives to identify prevention and recovery controls (your defenses) to increase the certainty of completing your mission. Make sure that you know what your objectives are; otherwise their strategies will be less effective. You must ensure your defenses are sufficient and strong enough to hold. To strengthen them and broaden your coverage you will need to make alliances with the Safety, Quality, Security, Environmental, and Regulatory folk. Some of them have not worked together for many years, if at all. However, you will find that they will unite and fight together under the banner of "risk reduction", which is a goal they all have in common. One last thing: there is more at risk than you realize. Your defenses must not only protect the Ring of Value; they must also protect the fellowship, the people of the value stream, and the Valley of Capabilities, otherwise you will not make it to the Mountain of Better Outcomes.

    The Wizard Rides North

    Some of the fellowship did not understand and were not sure of what the Wizard had just told them. There were some who wished that this mission had not been given to them and that the wizard had not come. The Wizard, hearing their murmurs, picked up his staff, stood up and said, "So do all who work in highly-regulated, high-risk industries, but that is not for them to decide. All we have to decide is what to do with the time that is given us. There are other forces at work in this world besides cost reduction and loss prevention. Remember, the people of the value stream will need you. Use only what is absolutely necessary, make sure your defenses hold, and promise me that you will keep both towers in your gaze at all times and don't by any means look at only one and avoid the other." The wizard then called his horse as he spoke once more to the fellowship: "I have heard news about a different kind of dragon, one that has not been seen in these parts for some time, the Dragon of Opportunity. I ride north to learn more about this dragon. Look to my coming, at first light, on the fifth day. At dawn, look to the East." And with that the Wizard rode off, leaving the fellowship in the Valley of Capabilities between the Two Towers: Productivity and Compliance, planning the next part of their journey and keeping in mind what the Wizard had just told them about LEAN and RISK MANAGEMENT.

    Note: Any reference to The Lord of The Rings by J.R.R. Tolkien or related works is used under Fair Use License for the purpose of education and learning. #managedsafety #riskmanagement #leanmanagement

  • Problem with Risk Scores

    Risk scores are commonly used to support risk-based decisions. They are usually derived from a semi-quantitative analysis of the underlying risk factors to produce a single value such as low, medium, or high. This value is then applied to the ranking of options or as a trigger for additional actions, and as such can be extremely helpful in supporting decision making. However, if not implemented correctly, risk scores can introduce vulnerabilities that expose companies to unnecessary and avoidable risk.

    In a recent discussion on LinkedIn, a person wrote about a situation where risk scores were used. With their permission, I have included an excerpt from that discussion:

    "A firm with an ISO 27001 certification had both a gap with risk evaluation and risk estimation unrealized by the external auditor. First, its vendor risk management process held that firms with services that cost more need more oversight than firms with services that cost less. This is fine until one looked at why a service might cost less. In this case, the service requests for vulnerability patching a corporate firewall were costing less because they had been skipped for three years. Falsely, the system reported the firewall service was lower risk because it cost less -- in this case too little for the firm's best interests. Next, risk computations themselves were done in a manner that sounded good but was mathematically flawed. By adding a score for Confidentiality to Integrity to Availability it was possible to rank the security needs of a service, product, software or vendor. But by adding rather than multiplying it became possible for 70% or more of all risks to all have the score of medium. Summing risk indicators presumes statistical independence that was not truly present. The result is a bell curve with 70% of the answers for any combination of inputs resulting in a medium risk score."

    This story helps illustrate potential problems with the improper use of risk assessments, scores and ranking. Here are 5 key problems:

    1. Outcomes were not validated. The resultant scores were not validated to ensure that they would produce the appropriate outcomes. In addition, incorporating the other criteria (confidentiality, integrity, availability) in the calculation was not implemented correctly and may in fact not be statistically valid, as mentioned in the excerpt. The decision to create a single-value score (most likely to facilitate the decision-making process) contributed to unintended outcomes.

    2. Risk scores were not calibrated. Risk scores were not calibrated and aligned with the risk attitude (appetite and tolerance) of the organization. There are two aspects to this: (1) the scores themselves need to generate the right distribution of outcomes based on the inputs, and (2) the use of the score must be consistent with the risk attitude of the organization. For example, choosing a high-risk option even if it was free would not be acceptable if the risk tolerance of the organization is low.

    3. Using single-variable scores produced sub-optimal results. Choosing a set of options using single-variable ranking (e.g. a resultant score between 0 and 10) can often lead to a less than optimal selection. The primary concern is that a single value is not always sufficient to differentiate the available options. This appears in other domains such as choosing the optimal portfolio of projects, investments, or process improvement initiatives. Issues with single-variable ranking are well documented and there are solutions to overcome them, including real options, efficient frontiers, multi-attribute ranking, and others. Often just using a matrix of value against risk is enough to produce a more optimal result.

    4. Using risk scores in an automated process may be vulnerable to the "Automation Bias". As risk-based thinking becomes more embedded in the organization, it is likely to also become more embedded in decision support systems. Although not specifically stated in the above scenario, it is possible that the resultant risk score was used (or could be) to automatically select the vendor. Automation bias is defined as "the propensity for humans to favor suggestions from automated decision-making systems and to ignore contradictory information made without automation, even if it is correct." Automating the selection process may result in (1) decision makers abdicating their responsibility for the decision to a computer system, and (2) leaning too much on a score to inform them of the appropriate decision to make. As those who work in the safety field know, you cannot delegate safety (or decisions about it) to a computer system.

    5. Using risk scores may not be ethical. Decision support systems use numerical values which in some ways are no different from risk scores. However, the majority of these systems address situations of certainty, where decision analysis is effective and can be mechanized in terms of moral rules and conditions. When this is done, responsibility (and possibly accountability) is abdicated to a computer system. Doing so might be appropriate except when decisions involve risk. Risk-based decisions, due to their inherent uncertainty, are in the category of ethical decisions that a company makes and cannot easily (or at all) be reduced to a set of rules. If the risk can be completely eliminated by removing the hazard, then rule-based decisions might be appropriate. However, should the hazard remain and uncertainty persist, then the decision to proceed becomes an ethical choice. Organizations should not transfer accountability for ethical decisions to an algorithm or a decision support system. Research is ongoing and at some point it may be possible to implement ethical subroutines that can be appropriately regulated. However, as of this point in time these do not exist, and regulatory accountability is a human one. In the example above, the decision to pick a lower-cost (although higher-risk) option should be made by a person who can ensure that the decision aligns with the company's ethical standards and guidelines. #riskmanagement
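    The excerpt's claim about additive CIA scoring, and the first two problems above (outcomes not validated, scores not calibrated), can be checked mechanically. The following is an added example written for this page; it is not code from the article or from the LinkedIn poster. It enumerates every combination of confidentiality, integrity and availability ratings on a 1-3 scale, shows what fraction of combinations each aggregation rule sends to each band, and then runs a small outcome-validation list against each rule. The aggregation rules, the band cut-offs and the expected-outcome cases (in particular the assumption that a single critical factor such as C=3 should land in "high") are constructed for illustration and are not from the article.

```python
from collections import Counter
from itertools import product

LEVELS = (1, 2, 3)  # rating scale for each of C, I, A: 1 = low, 2 = medium, 3 = high

# Candidate aggregation rules (constructed for this example), each paired with the
# band cut-offs it would typically be used with: score <= low_max is "low",
# score <= medium_max is "medium", anything above is "high".
SCHEMES = {
    "additive":       (lambda c, i, a: c + i + a,    4, 7),  # scores range 3..9
    "multiplicative": (lambda c, i, a: c * i * a,    3, 9),  # scores range 1..27
    "highest-factor": (lambda c, i, a: max(c, i, a), 1, 2),  # scores range 1..3
}

# Outcome-validation cases (constructed, an assumption about the organization's
# risk attitude): what band a practitioner would expect each input to land in.
EXPECTED_OUTCOMES = [
    ((1, 1, 1), "low"),
    ((2, 2, 2), "medium"),
    ((3, 3, 3), "high"),
    ((3, 1, 1), "high"),  # one critical attribute must not be diluted by two low ones
]


def band(score, low_max, medium_max):
    """Map an aggregated score onto the low / medium / high band."""
    if score <= low_max:
        return "low"
    if score <= medium_max:
        return "medium"
    return "high"


def band_distribution(scheme):
    """Fraction of all 27 C/I/A rating combinations that each band receives.

    A rule that piles most combinations into one band cannot discriminate between
    options, which is the calibration failure the excerpt describes.
    """
    aggregate, low_max, medium_max = SCHEMES[scheme]
    counts = Counter(
        band(aggregate(c, i, a), low_max, medium_max)
        for c, i, a in product(LEVELS, repeat=3)
    )
    total = len(LEVELS) ** 3
    return {b: round(counts[b] / total, 3) for b in ("low", "medium", "high")}


def validate_outcomes(scheme):
    """Run the expected-outcome list against a scheme.

    Returns a list of (inputs, expected_band, actual_band) for every case the
    scheme gets wrong; an empty list means every case landed where expected.
    """
    aggregate, low_max, medium_max = SCHEMES[scheme]
    failures = []
    for (c, i, a), expected in EXPECTED_OUTCOMES:
        actual = band(aggregate(c, i, a), low_max, medium_max)
        if actual != expected:
            failures.append(((c, i, a), expected, actual))
    return failures


if __name__ == "__main__":
    for name in SCHEMES:
        print(f"{name:15s} distribution={band_distribution(name)} "
              f"failures={validate_outcomes(name)}")
```

    Running this shows the additive rule placing roughly 70% of all combinations in "medium", matching the excerpt, and also failing the (3, 1, 1) case by rating a highly confidential asset as medium. Switching to multiplication alone does not fix that case (it rates (3, 1, 1) as low), which is the point of problem 2: the aggregation rule and its cut-offs have to be validated against the outcomes the organization actually wants, not chosen because they sound reasonable.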

  • The Risk and Compliance Problem

    The risk and compliance problem: companies are too reactive.

    - Prescriptive policies, standards and regulations do not adequately protect against loss or ensure value creation.
    - High-consequence risks rarely occur due to the failure of a single activity; instead they occur because of an alignment of vulnerabilities across multiple activities (i.e. systemic risk).
    - The capabilities needed to manage systems are different from those needed to manage individual processes, where results are limited to the sum of the parts.
    - To keep up with the speed at which risk becomes reality, companies cannot wait for audit findings to make improvements.

    The solution: companies must be more proactive.

    - Policies, standards and regulations need to transition, and are transitioning, to performance- and outcome-based designs (e.g. vision zero).
    - Meeting performance- and outcome-based obligations will require a holistic and integrative approach that goes beyond process improvement to focus on system effectiveness.
    - Capabilities must include managing interdependencies between and across functions to unleash performance where results are the product of the interactions.
    - Continuous improvement will be driven by the presence of uncertainty, not only the presence of problems.

    When companies adopt a proactive approach to risk & compliance they will have a competitive advantage, because most others will not. And if they become good at it they will be unstoppable. #grc #effectivecompliance #riskmanagement

  • Risk Management or Resilience

    The concept of resilience is gaining traction, particularly among those in highly-regulated, high-risk industries. In an ever-changing regulatory landscape, resilience is seen as a means to stay ahead of the regulatory curve, avoid costly disruption, and withstand adverse events should they occur. This sounds similar to the objectives of risk management. At one level, one can consider resilience an outcome of effective risk management, in the same way that quality products and safe working conditions are outcomes of effective quality and safety programs. Resilience is also a capability which serves as a defense against the effects of uncertainty in support of existing risk & compliance programs, including quality, safety, environmental, and regulatory objectives. Resilience is perhaps more focused on recovery than on preventive measures. Should resilience become a program of its own, with its own standards similar to quality, safety and environmental objectives, or should it be added to existing risk & compliance programs? What do you think? #riskmanagement

  • Integrated Risk Assessment

    In response to increasing and often overlapping requirements from standards and regulatory bodies, many companies are looking to integrated and proactive approaches to manage all their obligations, reduce risk, and increase stakeholder trust. Each management system serves as a layer of defense against unwanted events such as loss of containment, injury, regulatory violation, non-conformance, and others. A Bow-Tie Analysis can be an effective tool to ensure that you are not over- or under-investing with respect to risk controls. It also helps you identify metrics to monitor and track the effectiveness of your overall compliance program. #riskmanagement #managedsafety

  • Risk-based SIPOC

    Everything happens in the presence of uncertainty so make sure your process plan is a risk-adjusted plan. #riskmanagement

  • Lean Principles Applied to Pipeline Safety

    The adoption of ANSI / API Recommended Practice 1173 - Pipeline Safety Management Systems will help improve overall pipeline safety. However, adapting to these new practices can be challenging after years of using systems and procedures embedded across the organization. Applying LEAN principles can help to visualize the entire process through value stream mapping so that sources of process and information waste can be removed before addressing new compliance measures. Download our presentation that looks at how lean principles can be applied to managing change within the RP1173 framework. #leanmanagement

© 2017-2025 Lean Compliance™ All rights reserved.