Sign up to receive updates

Blog

< When does an operational risk become strategic?
14.09.2015 14:30 Age: 3 yrs
Category: Blog

Plus ça change, plus c’est la même chose


"The chapter of knowledge is very short, but the chapter of accidents is a very long one" (Lord Chesterfield, 1753).

It's 25 years since the Piper Alpha disaster off the north-east coast of Scotland when 167 people died in one of the UK's worst industrial disasters. As a result, regulatory oversight for the safety of offshore installations was moved to the UK Health and Safety Executive, the Safety Case regime was introduced for high-risk activities and, subsequently, safety management systems became popular.

International standards on risk and management systems are proliferating. ISO 31000 Risk management - Principles and guidelines (with an AS/NZS prefix for readers in Australia and New Zealand) was published in 2009 and provided the first internationally agreed approach to risk that was not sector-, industry- or risk-specific. Indeed, the scope to the standard says it can be used in any industry, for any risk.

International standards on quality and environmental management systems have been available for many years and a compliance management system standard is near completion. Why do we need all these standards?

A full answer to that question might be quite long but a short answer is that different interest groups have promoted their own, quite valid, world views - so much depends on how you frame a question. Thus, the question: "how do we improve the quality of our goods or services?" might lead to the answer "through a quality management system". Or the question: "how do we ensure compliance with legislation and codes?" might lead to the answer "through a compliance management system".

However, a risk-based approach might ask: "what risks associated with goods and services are we exposed to?" or "what risks associated with legislation and codes are we exposed to?". In each case the answer might result in changes other than implementation of a specific form of management system.
Assessing compliance-related risks could lead to re-engineering activities so that non-compliance is less likely and risks become acceptable. Or redesigning a chemicals manufacturing process could avoid quality- or environment-related risks. Adopting a risk-based approach and not taking an environmental or quality management system approach may have led ICI to develop the Leading Concept Ammonia technology in 1984 and so reduce production costs and environmental emissions.

A further reason for taking a risk-based approach is that management systems must be audited to give assurance to stakeholders (eg, management, the board, regulators) that the management system is delivering the expected results. Following the Esso Longford gas plant explosion in Australia in 1998, it was found the safety management system was deficient and, in turn, the audits of the safety management system were deficient (Longford Royal Commission, 1999). Thus, the management system response to a perceived need in turn requires assurance the management system is working as intended. And in some situations, the statutory external auditors may rely on the management system audits.

So, rather than simply adopt new management systems, we need to apply the hierarchy of treatment options (set out in note 1 to the definition of risk treatment in AS/NZS ISO 31000) to any risks evaluated as unacceptable. My experience as a consultant and when running risk management training courses shows the need to apply the hierarchy three times to each risk evaluated as unacceptable. This helps break down preconceptions and open up ideas that could provide a big-picture solution rather than just imposing another management system.

Rather than see risks narrowly as quality-, environment- or safety-related I think it preferable to see risks as having many causes of events (including changes of a particular set of circumstances) and many consequences. In other words, no single management system will address all of the components of a given risk. This opens us up to the simple but powerful idea that, "In short, all management is risk management" (Crockford, 2005).

In 1974 Drucker wrote "The main goal of a management science must be to enable business to take the right risk. Indeed, it must be to enable business to take greater risks - by providing knowledge and understanding of alternative risks and alternative expectations; by identifying the resources and efforts needed for desired results against expectations, thereby providing means for early correction of wrong or inadequate decisions" (Drucker, 1974).

Quality, environmental and safety management systems focus on unacceptable aspects of business-as-usual risks and so enable executive management to focus on the bigger, more strategic picture. But it can be argued such systems work against evolutionary change and lead to the need for more painful revolutionary changes.

A risk-based approach means the higher the risk the more attention management must give to detail. This may be where a documented management system should be applied - to the reduction of the effect of uncertainty on objectives (ie, risk as defined in ISO 31000).

This is not the place to explore the lack of solid evidence for management systems. Suffice to say, they may be of value when management at all levels takes an active and positive interest in how well the objectives of, firstly, the organisation; and, secondly, the management system, are being achieved. Both should be aligned and both require adequate resources; otherwise a management system can be a fig leaf, mere tokenism, that will result in worse consequences in the longer term.

In 1995 the collapse of a viewing platform at Cave Creek in New Zealand killed 14 people and injured four others. Judge Noble (1995) was commissioned to investigate and report to Parliament on the resources given to the Department of Conservation. Judge Noble found one primary cause and six secondary causes of the collapse. For one of the secondary causes he wrote:

"In recent years New Zealand has been regarded as an international leader in certain areas of innovative reform. It is one thing, however, to pass innovative and forward-thinking legislation; it is another thing altogether to provide the resources to make it work. When the legislature creates statutory duties for which it is responsible, it must give the lead by ensuring that its own agency is adequately resourced to carry out those very duties".

It's about 25 months since the Pike River coal mine disaster in New Zealand when 29 men died. The then Department of Labour was subsequently found to have lacked the resources needed by a 21st century regulatory agency. As a result, the regulatory agency and legislation are being changed and there is much bustling about in government agencies with attempts to write legislation and codes that will help prevent another Esso Longford, Pike River, Piper Alpha, Cave Creek or similar disaster here. That new legislation may require the development of management systems but, unless those systems are genuinely risk-based, the new legislation may be in vain.

"Those who cannot remember the past are condemned to repeat it" (Santayana, 1905).

References
Crockford, G. N. (2005). The Changing Face of Risk Management. Geneva Papers on Risk & Insurance - Issues & Practice, 30(1), 5-10.

Drucker, P. F. (1974). Management: tasks, responsibilities, practices. New York: Harper & Row.

Longford Royal Commission. (1999). The Esso Longford Gas Plant Accident (Report). Melbourne, Australia: Government Printer,
Letter from Lord Chesterfield to S. Dayrolles. (16 February 1753) in "Miscellaneous Works" vol. 2 Maty M (ed) (1778) no. 79.

Noble, G. (1995). Commission of Inquiry into the Collapse of a Viewing Platform at Cave Creek, near Punakaiki on the West Coast. Wellington, NZ: Department of Internal Affairs.

Santayana, G. (1905). The Life of Reason (Vol. 1, Introduction).


Talk to us form

talk to us page form