Critical Risk Management – Implementation isn’t an easy adventure.


Implementing Critical Risk Management for SIF/Hi-Potential/Material Events is tough.

I have been a part of a number of risk and safety framework shifts in BHP, then in consulting, and it’s not an easy endeavor.

This week, I had a conversation with David Jenkins (https://www.linkedin.com/in/david-jenkins-0ba8a310/) about a number of things, but one thing that stood out from our common experience is the journey that organizations have to go on to really shift risk culture and re-jig systems to be more risk-based.

One of the fundamentals to CRM is that it is focused on the operational risks that are most impactful for the enterprise – for an Oil and Gas operator offshore, those things are more like: ship collisions with facilities, helicopter crashes, blow-outs, etc. where an event can reshape the company.

There are a few complexities to watch out for as companies expand the materiality definition to include fatality events:

The framework can collide with traditional safety compliance systems that have long been in place

Controls are not all created equal, but this can take some re-wiring for an organization that has been conditioned to think permits and inspections are of utmost importance. In some places, the most heralded HSE processes don’t pass the control test, much less be classified as critical controls. Are they important? Yes! Are they critical? No, they just support something critical. The whole benefit of the program is to point out what’s critical.

A good example of this is “fall from heights” risk that comes from the hazard of working off of fixed ladders. Someone not falling relies on two things – the ladder staying stable and the person staying in contact with the ladder. Whether or not you do the inspection doesn’t matter; those two things will remain true. There are probably elements on the inspection that require a check of a critical control, but the inspection is just a tool. The basic fundamentals of working off of ladders are why we still have so many ladder fatalities – maintaining stability and contact with the ladder are highly human-reliant. Critical controls for ladders in this instance would probably suggest fall protection and ladder design. Ladder inspections may still be required, but knowing what really matters should shape the tool.

Moving to proactively testing controls is a burden on the organization; it’s going to take a commitment from the top down

Traditional HSE systems involve HSE checking compliance – CRM for single fatality risks requires a HOP style Leadership Engagement/Leader Learning Program and blends it with an Operational Risk Management program. It’s a framework that highlights the most impactful things to verify, but also needs to be designed to consider the systems and organizational factors that surround the control environment.

Don’t underestimate the work of Broad Brush Hazard and Risk Assessments/Haz-Id, Bow-ties, defining controls/critical controls, and building the engagement program before jumping into doing more control verifications.

Checking on compliance dot-points will only get you so far. The hard yards are actually in the first few assessments that challenge the overly human-centric control environments that may need to be bolstered. Control effectiveness testing and verification are just checks on whatever controls the business has implemented to reduce risk likelihood or consequence.

Assess resilience as much as risk

One of the things that came up over and over in Bow-Tie sessions is “we can only take credit for the preventative controls on the left side of the bow-tie”. This suggests it’s paramount to reduce the likelihood of the risk event occurring – however, it fully over-rationalizes control reliability and prevention. Regardless of how robust and reliable the preventative controls may be, all systems are reliant on humans in some way, shape, or form. Resilience requires forethought and planning. The right side of a bow-tie is as important as, if not more important than, the left. We should be checking on the critical mitigative controls with as much robustness as preventative controls.

This is the tip of the iceberg for CRM, so for more CRM, ORM, or ERM insights, shoot me a message.

Check out more about services and offerings here: Nova Path

Written by: Justin Abshire, MSIE, MBA, PMP, CSP, Founder, Industrial Engineer, Operational Risk & Resilience Executive


