Risk-based planning is a familiar concept for most companies. Many business leaders realize that the right operational risk management (ORM) system helps to lower operating and auditing costs, reduce operating loss, increase customer and staff satisfaction, optimize insurance coverage and premiums, and promote compliance with regulatory requirements. Also, the operational discipline cultivated as part of an effective ORM system allows leaders to maintain consistency and reliability while maximizing efficiencies throughout their manufacturing and production processes.
But recognizing the importance of risk management doesn’t always translate to having an effective strategy or system in place. Adopting a strategic approach to ORM can ensure the optimization of resources while maximizing risk reduction. Not all ORM strategies are the same, nor should they be. Organizations must develop a strategy that complements their business model and operations. This requires a solid understanding of the specific risks they face, as well as the people they employ, and then fully integrating the system into the company’s day-to-day operations.
Risk Is Not Universally Defined
Figure 1: Finding the sweet spot for operational risk. © 2016 DuPont
Risk is assessed by evaluating the potential for incidents along with the degree of impact they could have on an organization should they occur. That means enterprises face a wide spectrum of potential risks, ranging from high frequency/low severity risks to low frequency/high severity risks, and everything in between. The range of risks may vary between one company and another depending upon several factors, such as physical location, prevailing culture, competency and operating discipline. Given the wide range of potential risks and a limit on the resources that a company can devote to risk management, it makes sense to adopt a strategy that assigns appropriate effort to potential risks. There is no one-size-fits-all approach to mitigating the risks a company faces, and it is simply not practical to address all risks with the same level of intensity.
Companies have had success adopting what DuPont Sustainable Solutions (DSS) refers to as a “differentiated risk” approach. This strategy ensures that appropriate effort and resources are expended based on the specific risk profile of the industry and business in which a company operates. This results not only in optimal risk management for an organization, but also ensuring value for the investment, giving companies a competitive advantage in their business sector (see Figure 1). Successful ORM lies in identifying, evaluating and controlling losses and differentially managing associated risks.
Understanding the Human Element to Risk
Despite the well-intentioned efforts around risk management systems and organizational work processes, incidents can still happen. That’s because people design, operate and maintain an organization’s assets, fleets, and equipment -- and people aren’t perfect. DuPont’s research shows that 82% of incidents within the workplace can be attributed to poor decision-making. One way to reduce incidents is to understand what influences employees’ decision making.
Companies can enhance safety performance in particular by understanding the behavioral characteristics of their workers. Employees make decisions based on what they think and feel. There is also a social context that factors into decision making, which includes the social norms and unwritten rules that influence an individual’s or team’s behavior. Understanding mindsets and behaviors can help companies create a performance culture that can achieve superior results. Often, the impact these behavioral contexts has on outcomes is significantly undervalued.
Integration is Essential
When managing operational risks, it is tempting to assign only technical solutions to problems or risks that arise. However, an exclusive focus on worker and process safety elements is inadequate. And while companies that actually consider behavioral impacts on incidents and focus on managing and reducing risk rather than simply driving compliance to systems or procedures are the most effective, neither technical solutions nor behavioral solutions alone are sufficient to fully address operational risks.
Figure 2: Integrated Approach to Managing Operational Risk. © 2016 DuPont
What is optimal is an integrated approach (see Figure 2) that addresses all the elements of a successful ORM system:
- Managing Processes defines the vision, sets the strategy and tactics, translates this into key performance indicators at all levels of the organization, monitors performance and sets up the organizational structure to support the processes.
- A sound Technical Model defines hazards and losses, assesses the associated risks and provides standards and procedures for mitigating risk.
- Capabilities Engine seeks to educate and provide employees, not only with the technical knowledge, but also with the ideal values, attitudes and beliefs that will engage and motivate them. It requires clearly communicating expectations and accountability, and encouraging teamwork and collaboration.
- Mindsets & Behaviors ensure a company’s commitment to reducing risk is driven and reinforced by active participation of corporate leadership through coaching, motivation and ownership of results. Leaders must understand how individual employees behave, think and feel, and how that drives their decisions. This leadership style is cascaded from executive leadership to the critical level of first-line leadership. Tapping into the entire organization’s motivation and problem-solving capabilities results in an approach supported throughout the company.
This integrated approach allows companies to protect their people, their assets and ultimately, their bottom line.
The Goal – Cultural Maturity
For an organization to perform at the highest levels in the context of risk management, each and every employee, from the C-suite to the shift worker, must possess a commitment to operations that go beyond merely reacting to incidents to actively preventing them. Achieving this cultural maturity is the true measure of the strength and effectiveness of a company’s integrated management system.
When DuPont experienced a plateau in corporate safety performance in the early 1990s, then-Chairman and CEO Ed Woolard commissioned a study that found the maturity of the safety culture at DuPont had a direct impact on safety performance (as measured by total recordable injuries). This relationship came to be illustrated in the DuPont Bradley Value Curve™.
Figure 3: DuPont Bradley Value Curve™. © 2016 DuPont
In the last two years, our experience with clients has shown that companies that have evolved toward a more mature risk culture of interdependence reap the dual benefits of reduced incidents and improved productivity. They are able to mitigate risks while maximizing opportunities for sustainable value creation. They also are able to allocate appropriate time, attention and resources to deliver improved performance.
Based on these findings, we’ve developed the DuPont Bradley Value Curve™ that adds the Dimension of operational excellence and provides a more holistic picture of the impact cultural maturity can have on productivity (see Figure 3).
Seven Steps to a Successful Operational Risk Management Program
Today, companies that want to deploy an effective ORM program face a number of headwinds. In recent years, rapid shifts have occurred in the operational landscape of many organizations, particularly those in the industrial sector. Companies are now more global than ever with larger and more complex supply chains. They need to manage an expanding list of regulatory requirements, and the explosion in social media means their activities are scrutinized more closely than ever before.
Most notably, it is increasingly difficult in today’s environment for organizations to secure adequate funding necessary to ensure their ORM strategy continues as an ongoing program. Research recently conducted for DSS by independent consulting firm Verdantix found roughly two out of every three organizations (65%) claimed lack of available budget was a significant barrier to securing funding for ORM programs.
Based on this research, in which 75 senior leaders across eight industry sectors spanning 10 countries were interviewed to determine their perceptions of ORM strategies within their organizations, DSS recommends seven steps companies should follow to implement a successful ORM program:
- Secure approval and leadership at the corporate level. This is a critical first step. An ORM program will only be truly effective if it is championed at the very top of the organization. Roughly eight out of 10 companies (79%) say that accountability for risk management is assigned at the corporate level, according to the research conducted for DSS.
- Introduce risk accountability across the organization. Employees across every level of the enterprise need to be trained to incorporate risk-based thinking into their day-to-day activities and be held accountable for risks within their immediate area of control. Alarmingly, more than one-third (38%) of companies say that shop-floor employees are currently not held accountable for risk management.
- Agree to timely risk assessments. Risk assessments help ensure companies comply with new requirements and keep risk management a top priority. The frequency of these audits should be determined by the unique characteristics of each company and its operational footprint. According to the research done for DSS, 92% of firms are conducting risk assessments on at least an annual basis. Reviewing and revising an organizations’ risk assessment on a regular basis allows the company to keep the risk profile up-to-date and to incorporate any relevant changes (economic, geopolitical, technology, workforce).
- Quantify and prioritize risks. Managing an optimized ORM program requires that risks are quantified in terms of probability and severity, and calculated in terms of the costs and benefits of mitigating a risk versus allowing the risk to remain as is. This enables mitigation efforts to be targeted most effectively.
- Establish appropriate metrics and key performance indicators to monitor and assess performance. This is one of the most important steps in a successful ORM program. It enables companies to ensure the appropriate effort and resources are expended based on the specific risk profile of the business. The research conducted for DSS shows a number of firms are already aware of the importance of this step and are supplementing the development of their metrics with advice from outside sources.
- Implement consistent, well-documented and cost-effective controls. Such control measures are necessary to actively mitigate identified priority risks. While nearly all companies (98%) feel they already have adequate controls already in place, only about one in four (27%) considered them cost-effective, suggesting an opportunity for them to identify better options for managing and controlling identified risks.
- Reinforce the importance of risk management through regular communications. Establishing a regular timetable of communication on ORM performance is an effective way of maintaining engagement on the subject. Communications should be tailored to specific levels and functions of the organization to address different priorities and focus areas.
Developing effective ORM programs to successfully mitigate risk should be a priority in today’s competitive business environment. It requires that companies not only structure a program that is unique to their business operations and engrained into the day-to-day activities of every employee at every level of the organization, but also that enterprises make an ongoing commitment to ORM despite the many challenges they currently face. Companies that adopt a long-term view and take the necessary steps to implement ongoing ORM programs today will reap the benefits of a safer and more successful organization in the future.
Article was originally published on Industry Week