The Hidden Value of Good Risk Management

Dec 4, 2019 3:05:10 PM

Profits, revenues and dollars shouldn't be the only way businesses measure success and risks.

How do you measure the success of a project?

Too often we get caught up in assigning a hard dollar value on projects that save or make the business money. In our industry, if a project doesn't have a tangible cost benefit to the business, it is very hard to justify.

At Bluefield, we often find that our projects provide value in the form of identifying risks, not how many dollars we saved our clients in OPEX or being able to justify CAPEX costs.

Often, these risks are missed by the people who own, operate and maintain their assets. Sure, you might physically own the asset, but are you also owning the risks? Are you even aware the risks?

So how do you turn the culture around?

Bluefield often identifies hazards whose consequences can't be measured with money.

How much does a human life cost? How much does an oil spill devastate an ecosystem? Why is the company name being tarnished in the media? You simply can't put monetary figures on risks that become incidents.

In one project Bluefield completed in recent years, we served as a third-party auditor for a critical asset class in a client's supply chain. We unearthed several hundred risks with the potential to cause fatalities, mass environmental damage, negative media coverage in the community, or significant production downtime. We aren't exaggerating when we say several hundred.

The client was understandably shaken but took immediate action to prioritise the risks and apply controls with our assistance. We applied their own risk management policies and assisted by providing extra resources to both build or fix the missing controls and to verify they were in place.

We didn't come in with a magic wand. We used the tools the company already had - their own risk management policies and tools.

How did it get to that stage? It was the culture and the complacency in the team. Shockingly, some of the risks we identified had been known for 6 years. 6 years.

Here's the kicker - a few people knew about the risks and documented them "sometimes", but no one owned the risks so it just became "those things that have always been like that."

We consider the client extremely lucky that all the holes in the Swiss cheese didn't line up to cause an incident.

Risk Management is about being proactive

Too often we come across groups who don't treat risk assessments like the tools they are - to identify and control risks. To proactively stop incidents, not reactively pick up the pieces.

There's a misconception in this day and age of constant process and paperwork assessing risks against a set of likelihood and consequence definitions are yet another tick-and-flick exercise to make the higher ups and safety reps happy.

This is well and truly not the case. It’s about deciding what we are prepared to accept and what we are not.

Each company and industry has different ways of assessing and controlling risks. You might hear the term risk appetite thrown about in meetings.

Risk appetite is simply the level of risk deemed acceptable by a business before or after controls are applied. The mining industry in Australia is very good at rating risks, often with qualitative numbers and easy to understand language. A business might specify that risks with scores over a certain number (likelihood x consequence = risk score) are not desirable. Whereas risk scores under a certain number that can be managed appropriately are described as within appetite.

Would your business have the appetite to allow incompetent workers to perform your day-to-day works? Probably not, but let's rephrase:

Would your business have the appetite to allow poor risk management? Again, probably not. Yet time and time again, we find groups of people in our industry who treat risk management as a chore and not as the tool it should be.

If you find risks keep getting missed within your own business, we suggest you invest in building a culture of proactive risk management in your teams. Get back to the basics and make it clear why risk management is so important.

Accepting risks that "have just always been like that" is unacceptable in any industry.

You need to know that you can   because every single team member thoroughly understands how to identify and control risks, and not treat risk management as another paperwork chore.

Own Your Risks

They key to good risk management practices is identifying risks early, transparently and through different sets of eyes. If you know of an elephant in the room, why try and dance your way around it? Identify it, document it, get to the point, get it out in the open, and work out how to tame it.

Photo from Unsplash

No one person can manage risks; we all have different views and backgrounds on how we approach things, so getting lots of coverage and buy-in is critical in identifying and managing risks. The value of early and timely stakeholder management has been written about in the past.

This also leads onto ownership of risks. No one person can manage, yet alone identify all active risks in any given context. Larger risks within a business should be owned by specific people, not just assigned to groups. Especially in large industries where workforces are changing constantly and with the complexities of rosters and shifts.

We have dedicated supervisors and managers managing teams of people in our industry, so why not have dedicated risk owners?

Take Control

Managing risk is also about implementing controls. Having appropriate controls in place requires good judgement, understanding, management and ownership.

The hierarchy of controls should always be referred to when choosing controls. Selecting controls should also be taken seriously, as sometimes controls can be inappropriate or introduce even more risks.

Do your homework when choosing controls, consult others within the business to seek opinions and make sure the controls are actually in place. Go back to lessons learned and see how similar situations were managed in the past or even at other sites.

Good risk management is more than assessing likelihood, consequence and applying controls. Good risk management is being brutally honest with what can go wrong, having common visibility, and ensuring ownership of the controls are in place.